From: Matthijs Mekking Date: Wed, 16 Oct 2019 16:36:38 +0000 (+0200) Subject: kasp: Expose more key timings X-Git-Tag: v9.15.6~26^2~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f0d6296a1501e372a0abb1f1f0c76b7815d361f;p=thirdparty%2Fbind9.git kasp: Expose more key timings When doing rollover in a timely manner we need to have access to the relevant kasp configured durations. Most of these are simple get functions, but 'dns_kasp_signdelay' will calculate the maximum time that is needed with this policy to resign the complete zone (taking into account the refresh interval and signature validity). Introduce parent-propagation-delay, parent-registration-delay, parent-ds-ttl, zone-max-ttl, zone-propagation-delay. --- diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 8221d4cce5a..f9696fa3fa0 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -1016,11 +1016,16 @@ zone string [ class ] { dnssec-policy string { dnskey-ttl ttlval; keys { ( csk | ksk | zsk ) key-directory duration integer [ integer ] ; ... }; + parent-ds-ttl duration; + parent-propagation-delay duration; + parent-registration-delay duration; publish-safety duration; retire-safety duration; signatures-refresh duration; signatures-validity duration; signatures-validity-dnskey duration; + zone-max-ttl duration; + zone-propagation-delay duration; }; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 47b08440ef6..d0c21560d98 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
@@ -11151,6 +11151,83 @@ example.com CNAME rpz-tcp-only. + + zone-max-ttl + + + Like max-zone-ttl, specifies the maximum + permissible TTL value in seconds. When loading a zone file + using a or + text or raw, + any record encountered with a TTL higher than + will be capped to the maximum + permissible TTL value. + + + This is needed in DNSSEC-maintained zones because when + rolling to a new DNSKEY, the old key needs to remain + available until RRSIG records have expired from + caches. The option guarantees + that the largest TTL in the zone will be no higher than the + set value. + + + (NOTE: Because map-format files + load directly into memory, this option cannot be + used with them.) + + + The default value is PT24H (24 hours). + A of zero is treated as if + the default value is in use. + + + + + + zone-propagation-delay + + + The expected propagation delay from when a zone is updated + and when the new version of the zone is served by all its + name servers. Default is PT5M (5 minutes). + + + + + + parent-ds-ttl + + + The TTL of the DS RRset that the parent uses. Default is + PT1H (1 hour). + + + + + + parent-propagation-delay + + + The expected propagation delay from when the parent zone is + updated and when the new version of the parent zone is served + by all its name servers. Default is + PT1H (1 hour). + + + + + + parent-registration-delay + + + The expected registration delay from when a DS RRset change + is requested and when the DS RRset has been updated in the + parent zone. Default is P1D (1 day). + + + + diff --git a/doc/arm/dnssec-policy.grammar.xml b/doc/arm/dnssec-policy.grammar.xml index 68e27d964c7..c7df40c4d3d 100644 --- a/doc/arm/dnssec-policy.grammar.xml +++ b/doc/arm/dnssec-policy.grammar.xml 
@@ -15,11 +15,16 @@ dnssec-policy string { dnskey-ttl ttlval; keys { ( csk | ksk | zsk ) key-directory duration integer [ integer ] ; ... }; + parent-ds-ttl duration; + parent-propagation-delay duration; + parent-registration-delay duration; publish-safety duration; retire-safety duration; signatures-refresh duration; signatures-validity duration; signatures-validity-dnskey duration; + zone-max-ttl duration; + zone-propagation-delay duration; }; diff --git a/doc/misc/options b/doc/misc/options index 6f5674692c7..cb00923715e 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -29,11 +29,16 @@ dnssec-policy { dnskey-ttl ; keys { ( csk | ksk | zsk ) key-directory [ ]; ... }; + parent-ds-ttl ; + parent-propagation-delay ; + parent-registration-delay ; publish-safety ; retire-safety ; signatures-refresh ; signatures-validity ; signatures-validity-dnskey ; + zone-max-ttl ; + zone-propagation-delay ; }; // may occur multiple times dyndb { diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 6c953a0636e..c6b156119a6 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -81,6 +81,15 @@ struct dns_kasp { uint32_t publish_safety; uint32_t retire_safety; + /* Zone settings */ + dns_ttl_t zone_max_ttl; + time_t zone_propagation_delay; + + /* Parent settings */ + dns_ttl_t parent_ds_ttl; + time_t parent_propagation_delay; + time_t parent_registration_delay; + // TODO: The rest of the KASP configuration }; @@ -92,8 +101,13 @@ struct dns_kasp { #define DNS_KASP_SIG_VALIDITY (86400*14) #define DNS_KASP_SIG_VALIDITY_DNSKEY (86400*14) #define DNS_KASP_KEY_TTL (3600) +#define DNS_KASP_DS_TTL (3600) #define DNS_KASP_PUBLISH_SAFETY (300) #define DNS_KASP_RETIRE_SAFETY (300) +#define DNS_KASP_ZONE_MAXTTL (86400) +#define DNS_KASP_ZONE_PROPDELAY (300) +#define DNS_KASP_PARENT_PROPDELAY (3600) +#define DNS_KASP_PARENT_REGDELAY (86400) /* Key roles */ #define DNS_KASP_KEY_ROLE_KSK 0x01 
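Review bot: The new `zone_propagation_delay`, `parent_propagation_delay` and `parent_registration_delay` members added to `struct dns_kasp` in the kasp.h hunk are declared `time_t`, while the neighbouring `publish_safety` and `retire_safety` durations in the same struct are `uint32_t`, although all of them hold configured durations from the same parser. Mixing a signed, platform-sized type with unsigned 32-bit fields invites sign and width conversion surprises once these values are added and subtracted for rollover timing; declaring them `uint32_t` like their siblings, or a comment stating why `time_t` was chosen, would keep the struct uniform. The `#define` defaults in the following hunk match the ARM text in this commit (PT24H, PT5M, PT1H, PT1H, P1D), so no change is needed there.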
@@ -194,6 +208,53 @@ dns_kasp_getname(dns_kasp_t *kasp);
 *\li name of 'kasp'.
 */
+time_t
+dns_kasp_signdelay(dns_kasp_t *kasp);
+/*%<
+ * Get the delay that is needed to ensure that all existing RRsets have been
+ * re-signed with a successor key. This is the signature validity minus the
+ * signature refresh time (that indicates how far before signature expiry an
+ * RRSIG should be refreshed).
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li signature refresh interval.
+ */
+
+time_t
+dns_kasp_sigrefresh(dns_kasp_t *kasp);
+/*%<
+ * Get signature refresh interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li signature refresh interval.
+ */
+
+time_t
+dns_kasp_sigvalidity(dns_kasp_t *kasp);
+time_t
+dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp);
+/*%<
+ * Get signature validity.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li signature validity.
+ */
+
 dns_ttl_t
 dns_kasp_dnskeyttl(dns_kasp_t *kasp);
 /*%<
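Review bot: The Returns line of the `dns_kasp_signdelay` comment in this hunk reads `*\li signature refresh interval.`, which is the same text as the `dns_kasp_sigrefresh` comment below it and contradicts the description above (validity minus refresh). Change it to `*\li signing delay (signature validity minus signature refresh).` The comment shared by `dns_kasp_sigvalidity` and `dns_kasp_sigvalidity_dnskey` does not say which applies to what; a second Returns line such as `*\li signature validity (the _dnskey variant applies to the DNSKEY RRset).` would make the pair self-explanatory.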
@@ -208,6 +269,104 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp);
 *\li DNSKEY TTL.
 */
+time_t
+dns_kasp_publishsafety(dns_kasp_t *kasp);
+/*%<
+ * Get publish safety interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Publish safety interval.
+ */
+
+time_t
+dns_kasp_retiresafety(dns_kasp_t *kasp);
+/*%<
+ * Get retire safety interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Retire safety interval.
+ */
+
+dns_ttl_t
+dns_kasp_zonemaxttl(dns_kasp_t *kasp);
+/*%<
+ * Get maximum zone TTL.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Maximum zone TTL.
+ */
+
+time_t
+dns_kasp_zonepropagationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get zone propagation delay.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Zone propagation delay.
+ */
+
+dns_ttl_t
+dns_kasp_dsttl(dns_kasp_t *kasp);
+/*%<
+ * Get DS TTL (should match that of the parent DS record).
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Expected parent DS TTL.
+ */
+
+time_t
+dns_kasp_parentpropagationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get parent zone propagation delay.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Parent zone propagation delay.
+ */
+
+time_t
+dns_kasp_parentregistrationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get parent registration delay for submitting new DS.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Parent registration delay.
+ */
+
 isc_result_t
 dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp);
 /*%<
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index f585129b329..6ec82367858 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
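Review bot: `dns_kasp_dsttl` returns an operator-configured expectation, not a value observed from the parent, and nothing in its comment says so; any rollover timing derived from it is only as good as the configured number, and if the parent serves a larger DS TTL than configured, an old DS may still sit in caches after the corresponding key is withdrawn. Suggest adding to the header comment ` * This is the configured parent-ds-ttl, not a value learned from the parent;` and ` * if the parent serves a larger TTL, timings based on it are too short.` The same caveat applies to `dns_kasp_parentpropagationdelay` and `dns_kasp_parentregistrationdelay` in this hunk, whose comments could point at the corresponding `parent-*` options.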
@@ -53,6 +53,13 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp)
 kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
 kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
+ kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
+ kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
+
+ kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
+ kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
+ kasp->parent_registration_delay = DNS_KASP_PARENT_REGDELAY;
+
 // TODO: The rest of the KASP configuration
 kasp->magic = DNS_KASP_MAGIC;
@@ -117,6 +124,34 @@ dns_kasp_thaw(dns_kasp_t *kasp) {
 kasp->frozen = false;
 }
+time_t
+dns_kasp_signdelay(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+ return (kasp->signatures_validity - kasp->signatures_refresh);
+}
+
+time_t
+dns_kasp_sigrefresh(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+ return kasp->signatures_refresh;
+}
+
+time_t
+dns_kasp_sigvalidity(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+ return kasp->signatures_validity;
+}
+
+time_t
+dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+ return kasp->signatures_validity_dnskey;
+}
+
 dns_ttl_t
 dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
 REQUIRE(DNS_KASP_VALID(kasp));
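Review bot: `dns_kasp_signdelay` in the second hunk subtracts `signatures_refresh` from `signatures_validity` with no check that refresh is the smaller value; the struct hunk earlier in this commit shows the neighbouring duration fields as `uint32_t`, and if these two are too the difference wraps to a value near 2^32 before it is widened to `time_t`, so a policy with refresh at or above validity silently yields a multi-decade delay instead of an error. Either reject `signatures-refresh >= signatures-validity` when the policy is parsed, or guard here with `if (kasp->signatures_refresh >= kasp->signatures_validity) { return (0); }` ahead of the subtraction. The types of these two fields are not visible in this diff, so please confirm before choosing the fix.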
@@ -124,6 +159,55 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp) { return kasp->dnskey_ttl; } +time_t +dns_kasp_publishsafety(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return kasp->publish_safety; +} + +time_t +dns_kasp_retiresafety(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return kasp->retire_safety; +} + +dns_ttl_t +dns_kasp_zonemaxttl(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return kasp->zone_max_ttl; +} + +time_t +dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return kasp->zone_propagation_delay; +} + +dns_ttl_t +dns_kasp_dsttl(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return kasp->parent_ds_ttl; +} + +time_t +dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return kasp->parent_propagation_delay; +} + +time_t +dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return kasp->parent_registration_delay; +} + isc_result_t dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp) { diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 153efc2e7b6..de79d7bfb10 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -413,10 +413,11 @@ dns_journal_rollforward dns_journal_set_sourceserial dns_journal_write_transaction dns_journal_writediff -dns_kasp_create dns_kasp_attach +dns_kasp_create dns_kasp_detach dns_kasp_dnskeyttl +dns_kasp_dsttl dns_kasp_freeze dns_kasp_getname dns_kasp_key_algorithm 
@@ -426,7 +427,17 @@ dns_kasp_key_ksk
 dns_kasp_key_lifetime
 dns_kasp_key_size
 dns_kasp_key_zsk
+dns_kasp_parentpropagationdelay
+dns_kasp_parentregistrationdelay
+dns_kasp_publishsafety
+dns_kasp_retiresafety
+dns_kasp_signdelay
+dns_kasp_sigrefresh
+dns_kasp_sigvalidity
+dns_kasp_sigvalidity_dnskey
 dns_kasp_thaw
+dns_kasp_zonemaxttl
+dns_kasp_zonepropagationdelay
 dns_kasplist_find
 dns_keydata_fromdnskey
 dns_keydata_todnskey
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index eafb4c3b354..37eb1e3c69f 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -192,6 +192,25 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
 }
 ISC_INSIST(!(ISC_LIST_EMPTY(kasp->keys)));
+ /* Configuration: Zone settings */
+ kasp->zone_max_ttl = get_duration(maps, "zone-max-ttl",
+ DNS_KASP_ZONE_MAXTTL);
+ kasp->zone_propagation_delay = get_duration(maps,
+ "zone-propagation-delay",
+ DNS_KASP_ZONE_PROPDELAY);
+
+ /* Configuration: Parent settings */
+ kasp->parent_ds_ttl = get_duration(maps, "parent-ds-ttl",
+ DNS_KASP_DS_TTL);
+ kasp->parent_propagation_delay = get_duration(
+ maps,
+ "parent-propagation-delay",
+ DNS_KASP_PARENT_PROPDELAY);
+ kasp->parent_registration_delay = get_duration(
+ maps,
+ "parent-registration-delay",
+ DNS_KASP_PARENT_REGDELAY);
+
 // TODO: Rest of the configuration
 /* Success: Attach the kasp to the pointer and return. */
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 100cb0979df..7d0dd467dbf 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
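Review bot: The ARM text in this commit says a `zone-max-ttl` of zero is treated as the default, but the assignment `kasp->zone_max_ttl = get_duration(maps, "zone-max-ttl", DNS_KASP_ZONE_MAXTTL);` in the kaspconf.c hunk stores whatever the parser returns; unless `get_duration` (defined outside this hunk) already maps zero to the default, a zero reaches the rollover arithmetic and the documented behaviour is not implemented. Either apply it here, `if (kasp->zone_max_ttl == 0) { kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL; }`, or correct the ARM wording. The two TTL assignments also store the result into `dns_ttl_t` members with no range check; if `get_duration` returns a type wider than 32 bits, an oversized duration truncates silently. `cfg_kasp_fromconfig` starts and ends outside the hunk.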
@@ -2068,6 +2068,11 @@ dnssecpolicy_clauses[] = {
 { "signatures-refresh", &cfg_type_duration, 0 },
 { "signatures-validity", &cfg_type_duration, 0 },
 { "signatures-validity-dnskey", &cfg_type_duration, 0 },
+ { "zone-max-ttl", &cfg_type_duration, 0 },
+ { "zone-propagation-delay", &cfg_type_duration, 0 },
+ { "parent-ds-ttl", &cfg_type_duration, 0 },
+ { "parent-propagation-delay", &cfg_type_duration, 0 },
+ { "parent-registration-delay", &cfg_type_duration, 0 },
 { NULL, NULL, 0 }
 };
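Review bot: The five entries added to `dnssecpolicy_clauses[]` break the alphabetical order the surrounding entries keep (`publish-safety`, `retire-safety`, `signatures-*`), and they put `zone-*` before `parent-*`, whereas the grammar and ARM files in the same commit list `parent-*` before `publish-safety` and `zone-*` last. Move `parent-ds-ttl`, `parent-propagation-delay` and `parent-registration-delay` above `publish-safety` and keep the two `zone-*` entries after `signatures-validity-dnskey` so the table and the documented grammar read the same way. The `dnssecpolicy_clauses[]` definition starts outside the hunk.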