parent-ds-ttl duration;
parent-propagation-delay duration;
publish-safety duration;
+ purge-keys duration;
retire-safety duration;
signatures-refresh duration;
signatures-validity duration;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
publish-safety PT3600S;
+ purge-keys P90D;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
bits. If it is omitted, as shown in the example for the second and
third keys, an appropriate default size for the algorithm is used.
+ ``purge-keys``
+ This is the time after when DNSSEC keys that have been deleted from
+ the zone can be removed from disk. If a key still determined to have
+ presence (for example in some resolver cache), ``named`` will not
+ remove the key files.
+
+ The default is ``P90D`` (90 days). Set this option to ``0`` to never
+ purge deleted keys.
+
``publish-safety``
This is a margin that is added to the pre-publication interval in
rollover timing calculations, to give some extra time to cover
publish-safety PT3600S;
retire-safety PT3600S;
share-keys no;
- purge-keys-after P14D;
+ purge-keys P90D;
keys {
ksk key-directory P5Y ECDSAP256SHA256;
The policy has multiple parts:
-- The name must be specified. As each zone can use a different policy, ``named`` needs to
- be able to distinguish between policies. This is done by giving each
- policy a name, such as ``standard`` in the above example.
+- The name must be specified. As each zone can use a different policy,
+ ``named`` needs to be able to distinguish between policies. This is
+ done by giving each policy a name, such as ``standard`` in the above
+ example.
- The ``keys`` clause lists all keys that should be in the zone, along
with their associated parameters. In this example, we are using the
long the signatures on the DNSKEY and non-DNSKEY records are valid,
and how often BIND should re-sign the zone.
-- Finally, the parameters ending in ``-safety`` are there to give
+- The parameters ending in ``-safety`` are there to give
you a bit of leeway in case a key roll doesn't go to plan. When
introduced into the zone, the ``publish-safety`` time is the amount
of additional time, over and above that calculated from the other
other parameters, during which the old key is retained in the zone before
being removed.
+- Finally, the ``purge-keys`` option allows you to clean up key files
+ automatically after a period of time. If a key has been removed from the
+ zone, this option will determine how long its key files will be retained
+ on disk.
+
(You do not have to specify all the items listed above in your policy
definition. Any that are not set simply take the default value.)
parent\-ds\-ttl duration;
parent\-propagation\-delay duration;
publish\-safety duration;
+ purge\-keys duration;
retire\-safety duration;
signatures\-refresh duration;
signatures\-validity duration;
dnskey-ttl 3600;
publish-safety 1h;
retire-safety 1h;
+ purge-keys P90D;
// Signature timings
signatures-refresh 5d;
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
publish-safety <duration>;
+ purge-keys <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>; // obsolete
publish-safety <duration>;
+ purge-keys <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
publish-safety <duration>;
+ purge-keys <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
/* Configuration: Timings */
uint32_t publish_safety;
uint32_t retire_safety;
+ uint32_t purge_keys;
/* Zone settings */
dns_ttl_t zone_max_ttl;
#define DNS_KASP_KEY_TTL (3600)
#define DNS_KASP_DS_TTL (86400)
#define DNS_KASP_PUBLISH_SAFETY (3600)
+#define DNS_KASP_PURGE_KEYS (86400 * 90)
#define DNS_KASP_RETIRE_SAFETY (3600)
#define DNS_KASP_ZONE_MAXTTL (86400)
#define DNS_KASP_ZONE_PROPDELAY (300)
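Review bot: `DNS_KASP_PURGE_KEYS (86400 * 90)` is the one default in this group that is not a plain literal, and nothing on the line says which unit it is in or that it is meant to match the documented `P90D` default; a trailing comment would keep the two in step, e.g. `#define DNS_KASP_PURGE_KEYS (86400 * 90) /* 90 days in seconds; documented default P90D */`. The product is a compile-time int of 7776000, so it fits the uint32_t field it initialises and there is no overflow concern.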
*\li 'kasp' is a valid, thawed kasp.
*/
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp);
+/*%<
+ * Get purge keys interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Purge keys interval.
+ */
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set purge keys interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, thawed kasp.
+ */
+
uint32_t
dns_kasp_publishsafety(dns_kasp_t *kasp);
/*%<
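Review bot: The Returns entry on the new dns_kasp_purgekeys() prototype says only `Purge keys interval.`, which leaves both the unit and the special value undocumented, although the reference text in this commit states that `0` means deleted keys are never purged from disk. I would write `*\li Purge keys interval in seconds; 0 means key files of deleted keys are never purged.` and add the same sentence to the dns_kasp_setpurgekeys() comment, since callers of the setter need to know 0 is a sentinel and not "purge immediately". The code that consumes this value and must honour 0 is not in these hunks, so that behaviour should be confirmed where the purge is performed.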
kasp->dnskey_ttl = DNS_KASP_KEY_TTL;
kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
+ kasp->purge_keys = DNS_KASP_PURGE_KEYS;
kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
kasp->dnskey_ttl = ttl;
}
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+
+ return (kasp->purge_keys);
+}
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(!kasp->frozen);
+
+ kasp->purge_keys = value;
+}
+
uint32_t
dns_kasp_publishsafety(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
dns_kasp_nsec3saltlen
dns_kasp_parentpropagationdelay
dns_kasp_publishsafety
+dns_kasp_purgekeys
dns_kasp_retiresafety
dns_kasp_setdnskeyttl
dns_kasp_setdsttl
dns_kasp_setnsec3param
dns_kasp_setparentpropagationdelay
dns_kasp_setpublishsafety
+dns_kasp_setpurgekeys
dns_kasp_setretiresafety
dns_kasp_setsigrefresh
dns_kasp_setsigvalidity
DNS_KASP_PUBLISH_SAFETY));
dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
DNS_KASP_RETIRE_SAFETY));
+ dns_kasp_setpurgekeys(
+ kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS));
(void)confget(maps, "keys", &keys);
if (keys != NULL) {
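Review bot: The added dns_kasp_setpurgekeys() call is placed after the retire-safety one, whereas the option is listed between publish-safety and retire-safety in the struct, the header, the defaults and the configuration grammar elsewhere in this commit; moving the two added lines up before the retire-safety call keeps the read order consistent with the rest of the timing options. The enclosing function starts and ends outside the hunk. get_duration() is not visible here, so whether a configured `0` is passed through unchanged — which the documentation relies on for "never purge" — cannot be verified from this hunk and is worth checking.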
{ "parent-registration-delay", &cfg_type_duration,
CFG_CLAUSEFLAG_OBSOLETE },
{ "publish-safety", &cfg_type_duration, 0 },
+ { "purge-keys", &cfg_type_duration, 0 },
{ "retire-safety", &cfg_type_duration, 0 },
{ "signatures-refresh", &cfg_type_duration, 0 },
{ "signatures-validity", &cfg_type_duration, 0 },