Add purge-keys config option
authorMatthijs Mekking <matthijs@isc.org>
Mon, 8 Feb 2021 11:02:19 +0000 (12:02 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 23 Feb 2021 08:18:55 +0000 (09:18 +0100)
Add a new option 'purge-keys' to 'dnssec-policy' that will purge key
files for deleted keys. The option determines how long key files
should be retained prior to removing the corresponding files from
disk.

If set to 0, the option is disabled and 'named' will not remove key
files from disk.

(cherry picked from commit 313de3a7e2f3cb85c7c9ba4e96905aa7ea4373dc)

15 files changed:
bin/named/named.conf.rst
bin/tests/system/checkconf/good.conf
doc/arm/reference.rst
doc/design/dnssec-policy
doc/dnssec-guide/signing.rst
doc/man/named.conf.5in
doc/misc/dnssec-policy.default.conf
doc/misc/dnssec-policy.grammar.rst
doc/misc/options
doc/misc/options.active
lib/dns/include/dns/kasp.h
lib/dns/kasp.c
lib/dns/win32/libdns.def.in
lib/isccfg/kaspconf.c
lib/isccfg/namedconf.c

index c23e28bd166691718c7eec9edfec1d88fb6e2047..07d0be507ddd4484f7a6aa43d0e4ec80817f78f5 100644 (file)
@@ -81,6 +81,7 @@ DNSSEC-POLICY
        parent-ds-ttl duration;
        parent-propagation-delay duration;
        publish-safety duration;
+       purge-keys duration;
        retire-safety duration;
        signatures-refresh duration;
        signatures-validity duration;
index e23fd25060fa8101899c2be09c6b2594751c20a9..e09b9e802b41d0063c311c5279547515150446cc 100644 (file)
@@ -26,6 +26,7 @@ dnssec-policy "test" {
        parent-ds-ttl 7200;
        parent-propagation-delay PT1H;
        publish-safety PT3600S;
+       purge-keys P90D;
        retire-safety PT3600S;
        signatures-refresh P3D;
        signatures-validity P2W;
index 5ebf0cc4fa1c8e136294a4337053289de7bb6b78..32ef02eaa90fc28533f930f29a46edc284715369 100644 (file)
@@ -4881,6 +4881,15 @@ The following options can be specified in a ``dnssec-policy`` statement:
     bits.  If it is omitted, as shown in the example for the second and
     third keys, an appropriate default size for the algorithm is used.
 
+  ``purge-keys``
+    This is the time after when DNSSEC keys that have been deleted from
+    the zone can be removed from disk. If a key still determined to have
+    presence (for example in some resolver cache), ``named`` will not
+    remove the key files.
+
+    The default is ``P90D`` (90 days). Set this option to ``0`` to never
+    purge deleted keys.
+
   ``publish-safety``
     This is a margin that is added to the pre-publication interval in
     rollover timing calculations, to give some extra time to cover
index cc93f85129a30a987e870e3dfc096e5fca7e3fd8..2cd7e68e4a2988159ed4b1ce4470ecd5dfdab43a 100644 (file)
@@ -135,7 +135,7 @@ dnssec-policy "nsec3" {
     publish-safety PT3600S;
     retire-safety PT3600S;
     share-keys no;
-    purge-keys-after P14D;
+    purge-keys P90D;
 
     keys {
        ksk key-directory P5Y ECDSAP256SHA256;
index cf6545c126f0188a7790dd4d4e67acc57b92a3e7..c660c13a7c3745956f7d6aa4c083c747a4bc80fd 100644 (file)
@@ -753,9 +753,10 @@ keys. The following is an example of such a clause:
 
 The policy has multiple parts:
 
--  The name must be specified. As each zone can use a different policy, ``named`` needs to
-   be able to distinguish between policies. This is done by giving each
-   policy a name, such as ``standard`` in the above example.
+-  The name must be specified. As each zone can use a different policy,
+   ``named`` needs to be able to distinguish between policies. This is
+   done by giving each policy a name, such as ``standard`` in the above
+   example.
 
 -  The ``keys`` clause lists all keys that should be in the zone, along
    with their associated parameters. In this example, we are using the
@@ -782,7 +783,7 @@ The policy has multiple parts:
    long the signatures on the DNSKEY and non-DNSKEY records are valid,
    and how often BIND should re-sign the zone.
 
--  Finally, the parameters ending in ``-safety`` are there to give
+-  The parameters ending in ``-safety`` are there to give
    you a bit of leeway in case a key roll doesn't go to plan. When
    introduced into the zone, the ``publish-safety`` time is the amount
    of additional time, over and above that calculated from the other
@@ -792,6 +793,11 @@ The policy has multiple parts:
    other parameters, during which the old key is retained in the zone before
    being removed.
 
+-  Finally, the ``purge-keys`` option allows you to clean up key files
+   automatically after a period of time. If a key has been removed from the
+   zone, this option will determine how long its key files will be retained
+   on disk.
+
 (You do not have to specify all the items listed above in your policy
 definition. Any that are not set simply take the default value.)
 
index cb4a193d8ce19a054be675d8d82b273839650a5f..089cdb8ed28531ecaa83e1b8316c3efecafd0270 100644 (file)
@@ -110,6 +110,7 @@ dnssec\-policy string {
       parent\-ds\-ttl duration;
       parent\-propagation\-delay duration;
       publish\-safety duration;
+      purge\-keys duration;
       retire\-safety duration;
       signatures\-refresh duration;
       signatures\-validity duration;
index 195516b40bcc9be93767bf4a960df3f46bc8cb16..1903c472f1faf0b66e3059998a13ab39e265d7ea 100644 (file)
@@ -8,6 +8,7 @@ dnssec-policy "default" {
        dnskey-ttl 3600;
        publish-safety 1h;
        retire-safety 1h;
+        purge-keys P90D;
 
        // Signature timings
        signatures-refresh 5d;
index e826ccab4e536f9d26be45c37f30922d80705c85..da4803c9220fe2a5fd18d100299f8b544f0def27 100644 (file)
@@ -10,6 +10,7 @@
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
        publish-safety <duration>;
+       purge-keys <duration>;
        retire-safety <duration>;
        signatures-refresh <duration>;
        signatures-validity <duration>;
index 7c3460e8def2ea078514c51dc51693654f5512dc..ff1308c2c260f5492629921b5b091d8e063ba6fe 100644 (file)
@@ -32,6 +32,7 @@ dnssec-policy <string> {
         parent-propagation-delay <duration>;
         parent-registration-delay <duration>; // obsolete
         publish-safety <duration>;
+        purge-keys <duration>;
         retire-safety <duration>;
         signatures-refresh <duration>;
         signatures-validity <duration>;
index 3dcba06b35f27cde77fa5ca17b0af37e4c9636b3..d20963dc75a94d6dade2361fcd6e84ac573f710f 100644 (file)
@@ -31,6 +31,7 @@ dnssec-policy <string> {
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
         publish-safety <duration>;
+        purge-keys <duration>;
         retire-safety <duration>;
         signatures-refresh <duration>;
         signatures-validity <duration>;
index e49b01a1775b09a6a460dc3d5f70d0da2f5c042b..d39ad80e799347bfaf7989eb029d07c7b00eaa47 100644 (file)
@@ -89,6 +89,7 @@ struct dns_kasp {
        /* Configuration: Timings */
        uint32_t publish_safety;
        uint32_t retire_safety;
+       uint32_t purge_keys;
 
        /* Zone settings */
        dns_ttl_t zone_max_ttl;
@@ -109,6 +110,7 @@ struct dns_kasp {
 #define DNS_KASP_KEY_TTL            (3600)
 #define DNS_KASP_DS_TTL                     (86400)
 #define DNS_KASP_PUBLISH_SAFETY             (3600)
+#define DNS_KASP_PURGE_KEYS         (86400 * 90)
 #define DNS_KASP_RETIRE_SAFETY      (3600)
 #define DNS_KASP_ZONE_MAXTTL        (86400)
 #define DNS_KASP_ZONE_PROPDELAY             (300)
@@ -306,6 +308,30 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
  *\li   'kasp' is a valid, thawed kasp.
  */
 
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp);
+/*%<
+ * Get purge keys interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Purge keys interval.
+ */
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set purge keys interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp);
 /*%<
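Review bot: The header comment on `dns_kasp_purgekeys` records neither the unit of the returned value nor the meaning of zero, although the commit description says 0 disables purging; for a timer that drives deletion of key material on disk both belong in the API doc. The default `DNS_KASP_PURGE_KEYS (86400 * 90)` alongside `DNS_KASP_PUBLISH_SAFETY (3600)` suggests seconds, but that is inferred from the constants rather than stated anywhere in the hunk. Suggest replacing the Returns line with `\li Purge keys interval in seconds; 0 means key files of deleted keys are never removed from disk.` and adding the same sentence to the description of `dns_kasp_setpurgekeys`.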
index 5a0cd3028687c544ab5cb7d3dd5a379b58dca8a6..177b97f289003d380ddfce9a9f47674acef381c8 100644 (file)
@@ -53,6 +53,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
        kasp->dnskey_ttl = DNS_KASP_KEY_TTL;
        kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
        kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
+       kasp->purge_keys = DNS_KASP_PURGE_KEYS;
 
        kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
        kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
@@ -203,6 +204,22 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
        kasp->dnskey_ttl = ttl;
 }
 
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+
+       return (kasp->purge_keys);
+}
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(!kasp->frozen);
+
+       kasp->purge_keys = value;
+}
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp) {
        REQUIRE(DNS_KASP_VALID(kasp));
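Review bot: `dns_kasp_purgekeys` is defined here and exported in libdns.def.in, but none of the 15 files listed in this commit calls it, so the option is parsed and stored without anything acting on it yet, while the commit description reads as if `named` already removes key files after this change. If the removal logic is intended to land separately, a short comment on the getter such as `/* No in-tree consumer yet; the key-file purge is added separately. */` would keep a reader from searching for the caller. The getter and setter otherwise follow the frozen/thawed REQUIRE pattern of their siblings in this file.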
index 64016c0d01f8d8f5f4110f7dd64cd32a83ba6cac..2e3260dcea2266c9c39901faf5fdcf942061de2f 100644 (file)
@@ -456,6 +456,7 @@ dns_kasp_nsec3iter
 dns_kasp_nsec3saltlen
 dns_kasp_parentpropagationdelay
 dns_kasp_publishsafety
+dns_kasp_purgekeys
 dns_kasp_retiresafety
 dns_kasp_setdnskeyttl
 dns_kasp_setdsttl
@@ -463,6 +464,7 @@ dns_kasp_setnsec3
 dns_kasp_setnsec3param
 dns_kasp_setparentpropagationdelay
 dns_kasp_setpublishsafety
+dns_kasp_setpurgekeys
 dns_kasp_setretiresafety
 dns_kasp_setsigrefresh
 dns_kasp_setsigvalidity
index 3e0e0874f4c38035e7238321a1a63919fd28095f..b8fa1f822535147c3b38f8ebee94df7266a8a6ac 100644 (file)
@@ -315,6 +315,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
                                                     DNS_KASP_PUBLISH_SAFETY));
        dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
                                                    DNS_KASP_RETIRE_SAFETY));
+       dns_kasp_setpurgekeys(
+               kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS));
 
        (void)confget(maps, "keys", &keys);
        if (keys != NULL) {
index 6875f6a9c1348b4a7719679f446c623ef6983b05..7e68ba6bf4ea779708f155a11f831420cf6a16ca 100644 (file)
@@ -2154,6 +2154,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
        { "parent-registration-delay", &cfg_type_duration,
          CFG_CLAUSEFLAG_OBSOLETE },
        { "publish-safety", &cfg_type_duration, 0 },
+       { "purge-keys", &cfg_type_duration, 0 },
        { "retire-safety", &cfg_type_duration, 0 },
        { "signatures-refresh", &cfg_type_duration, 0 },
        { "signatures-validity", &cfg_type_duration, 0 },