From: Matthijs Mekking Date: Thu, 11 May 2023 12:11:45 +0000 (+0200) Subject: Add configuration option 'cdnskey' X-Git-Tag: v9.19.14~58^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8be61d1845ed85b997340bd612a1327c8586fce5;p=thirdparty%2Fbind9.git Add configuration option 'cdnskey' Add the 'cdnskey' configuration option to 'dnssec-policy'.
---
diff --git a/bin/named/config.c b/bin/named/config.c
index 2149b29b859..12b00891ca7 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -296,6 +296,7 @@ dnssec-policy \"default\" {\n\
 csk key-directory lifetime unlimited algorithm 13;\n\
 };\n\
 \n\
+ cdnskey yes;\n\
 cds-digest-types { 2; };\n\
 dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
 publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 67f3d5d869c..384fcfe34b1 100644
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -17,6 +17,7 @@
 /* cut here */
 dnssec-policy "test" {
+ cdnskey yes;
 cds-digest-types { "sha-256"; };
diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in
index 1e2f49f94fe..2ba4a0738e9 100644
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -17,6 +17,7 @@
 /* cut here */
 dnssec-policy "test" {
+ cdnskey yes;
 cds-digest-types { "sha-256"; };
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index b2683d84a93..62386a6106d 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6229,6 +6229,14 @@ retired when the existing key's lifetime ends.
 The following options can be specified in a :any:`dnssec-policy` statement:
+.. namedconf:statement:: cdnskey
+ :tags: dnssec
+ :short: Specifies whether a CDNSKEY record should be published during KSK rollover.
+
+ When set to the default value of ``yes``, a CDNSKEY record is published
+ during KSK rollovers when the DS of the successor key may be submitted to
+ the parent.
+
 .. namedconf:statement:: cds-digest-types
 :tags: dnssec
 :short: Specifies the digest types to use for CDS resource records.
diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf
index e21bb36dc9e..785a36c02eb 100644
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@@ -18,6 +18,7 @@ dnssec-policy "default" {
 };
 // Key timings
+ cdnskey yes;
 cds-digest-types { 2; };
 dnskey-ttl 3600;
 publish-safety 1h;
diff --git a/doc/misc/options b/doc/misc/options
index e55cbdd0776..dd33c52f14c 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -11,6 +11,7 @@ dlz {
 }; // may occur multiple times
 dnssec-policy {
+ cdnskey ;
 cds-digest-types { ; ... };
 dnskey-ttl ;
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... };
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index e0d362870f0..03d1a1fa688 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -462,6 +462,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 dns_kasp_setparentpropagationdelay(kasp, parentpropdelay);
 /* Configuration: Keys */
+ obj = NULL;
+ (void)confget(maps, "cdnskey", &obj);
+ if (obj != NULL) {
+ dns_kasp_setcdnskey(kasp, cfg_obj_asboolean(obj));
+ } else {
+ dns_kasp_setcdnskey(kasp, true);
+ }
+
+ obj = NULL;
 (void)confget(maps, "cds-digest-types", &obj);
 if (obj != NULL) {
 for (element = cfg_list_first(obj); element != NULL;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7239e39b16e..3d3153e3745 100644
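Review bot: In the lib/isccfg/kaspconf.c hunk, the `else` branch hard-codes the fallback as `dns_kasp_setcdnskey(kasp, true);` instead of taking it from `default_kasp`, which the hunk header shows cfg_kasp_fromconfig receives; if the rest of the body (outside the hunk) inherits other unset options from `default_kasp`, `cdnskey` would be the one option a policy-level default cannot influence. The same `yes` default is also spelled out in the built-in policy string in bin/named/config.c and in doc/arm/reference.rst, so three places now have to be kept in step by hand. If the literal is intentional, a short comment above the `else`, `/* No explicit setting: publish CDNSKEY during KSK rollover. */`, would record that, and the whole branch can collapse to `dns_kasp_setcdnskey(kasp, obj == NULL || cfg_obj_asboolean(obj));`. cfg_kasp_fromconfig starts before the hunk and continues after it.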
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2205,6 +2205,7 @@ static cfg_type_t cfg_type_checkdstype = {
 * Clauses that can be found in a 'dnssec-policy' statement.
 */
 static cfg_clausedef_t dnssecpolicy_clauses[] = {
+ { "cdnskey", &cfg_type_boolean, 0 },
 { "cds-digest-types", &cfg_type_algorithmlist, 0 },
 { "dnskey-ttl", &cfg_type_duration, 0 },
 { "keys", &cfg_type_kaspkeys, 0 },