Add the 'cdnskey' configuration option to 'dnssec-policy'.
csk key-directory lifetime unlimited algorithm 13;\n\
};\n\
\n\
+ cdnskey yes;\n\
cds-digest-types { 2; };\n\
dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
/* cut here */
dnssec-policy "test" {
+ cdnskey yes;
cds-digest-types {
"sha-256";
};
/* cut here */
dnssec-policy "test" {
+ cdnskey yes;
cds-digest-types {
"sha-256";
};
The following options can be specified in a :any:`dnssec-policy` statement:
+.. namedconf:statement:: cdnskey
+ :tags: dnssec
+ :short: Specifies whether a CDNSKEY record should be published during KSK rollover.
+
+ When set to the default value of ``yes``, a CDNSKEY record is published
+ during KSK rollovers when the DS of the successor key may be submitted to
+ the parent.
+
.. namedconf:statement:: cds-digest-types
:tags: dnssec
:short: Specifies the digest types to use for CDS resource records.
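Review bot: The new ``cdnskey`` entry documents only the ``yes`` case; the paragraph beginning "When set to the default value" never says what ``no`` does or that the option is independent of ``cds-digest-types``, which is exactly what an operator deciding whether to disable it needs to know. I would add a sentence after that paragraph along the lines of `Set to "no" to suppress CDNSKEY publication and rely on CDS records alone (see :any:\`cds-digest-types\`); if both signals are disabled the parent receives no in-zone indication that the DS should be updated.` A short caveat that the parent is expected to validate the CDNSKEY/CDS RRset against the existing chain of trust before acting on it (the RFC 7344 / RFC 8078 model) would also help, since publishing the record does not by itself change the DS at the parent. Whether an empty ``cds-digest-types`` list is actually accepted is not visible from this hunk, so the second clause should be checked against the parser before it is committed.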
};
// Key timings
+ cdnskey yes;
cds-digest-types { 2; };
dnskey-ttl 3600;
publish-safety 1h;
}; // may occur multiple times
dnssec-policy <string> {
+ cdnskey <boolean>;
cds-digest-types { <string>; ... };
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
dns_kasp_setparentpropagationdelay(kasp, parentpropdelay);
/* Configuration: Keys */
+ obj = NULL;
+ (void)confget(maps, "cdnskey", &obj);
+ if (obj != NULL) {
+ dns_kasp_setcdnskey(kasp, cfg_obj_asboolean(obj));
+ } else {
+ dns_kasp_setcdnskey(kasp, true);
+ }
+
+ obj = NULL;
(void)confget(maps, "cds-digest-types", &obj);
if (obj != NULL) {
for (element = cfg_list_first(obj); element != NULL;
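Review bot: The new `else` branch `dns_kasp_setcdnskey(kasp, true);` hard-codes the default a second time, and nothing in the hunk records why `yes` is the default or that the option only has an effect alongside `cds-digest-types`; a comment above the new `obj = NULL;` such as `/* Publish CDNSKEY by default so a parent polling either CDS or CDNSKEY (RFC 7344) sees the successor KSK; operators who disable it must keep cds-digest-types non-empty for automated DS updates. */` would make the intent explicit. If the defaults configuration already carries `cdnskey yes;` (the sample configuration earlier in this commit suggests it does), the `else` branch is likely unreachable and could become an assertion, but that cannot be confirmed from here. It would also be worth emitting a config-check warning when `cdnskey no;` is combined with an empty `cds-digest-types`, since that leaves the zone with no signed signal to the parent at all; whether an empty list is accepted depends on the handling that continues past the end of this hunk. The enclosing function starts and ends outside the hunk.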
* Clauses that can be found in a 'dnssec-policy' statement.
*/
static cfg_clausedef_t dnssecpolicy_clauses[] = {
+ { "cdnskey", &cfg_type_boolean, 0 },
{ "cds-digest-types", &cfg_type_algorithmlist, 0 },
{ "dnskey-ttl", &cfg_type_duration, 0 },
{ "keys", &cfg_type_kaspkeys, 0 },