sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65534;\n\
- sig-validity-interval 30; /* days */\n\
- dnskey-sig-validity 0; /* default: sig-validity-interval */\n\
transfer-source *;\n\
transfer-source-v6 *;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
dns_stats_t *rcvquerystats;
dns_stats_t *dnssecsignstats;
dns_zonestat_level_t statlevel = dns_zonestat_none;
- int seconds;
dns_ttl_t maxttl = 0; /* unlimited */
dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
bool transferinsecs = ns_server_getoption(named_g_server->sctx,
* use inline-signing (raw != NULL).
*/
if (ztype == dns_zone_primary || raw != NULL) {
- const cfg_obj_t *validity, *resign;
- bool allow = false, maint = false;
- bool sigvalinsecs;
-
if (use_kasp) {
+ int seconds;
+
if (dns_kasp_nsec3(kasp)) {
result = dns_zone_setnsec3param(
zone, 1, dns_kasp_nsec3flags(kasp),
zone, 0, 0, 0, 0, NULL, true, false);
}
INSIST(result == ISC_R_SUCCESS);
- }
- if (use_kasp) {
seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
- } else {
- obj = NULL;
- result = named_config_get(maps, "dnskey-sig-validity",
- &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
- seconds = cfg_obj_asuint32(obj) * 86400;
- }
- dns_zone_setkeyvalidityinterval(zone, seconds);
+ dns_zone_setkeyvalidityinterval(zone, seconds);
- if (use_kasp) {
seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
- seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
- dns_zone_setsigresigninginterval(zone, seconds);
- } else {
- obj = NULL;
- result = named_config_get(maps, "sig-validity-interval",
- &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
-
- sigvalinsecs = ns_server_getoption(
- named_g_server->sctx, NS_SERVER_SIGVALINSECS);
- validity = cfg_tuple_get(obj, "validity");
- seconds = cfg_obj_asuint32(validity);
- if (!sigvalinsecs) {
- seconds *= 86400;
- }
- dns_zone_setsigvalidityinterval(zone, seconds);
- resign = cfg_tuple_get(obj, "re-sign");
- if (cfg_obj_isvoid(resign)) {
- seconds /= 4;
- } else if (!sigvalinsecs) {
- uint32_t r = cfg_obj_asuint32(resign);
- if (seconds > 7 * 86400) {
- seconds = r * 86400;
- } else {
- seconds = r * 3600;
- }
- } else {
- seconds = cfg_obj_asuint32(resign);
- }
+ seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
dns_zone_setsigresigninginterval(zone, seconds);
}
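Review bot: `seconds` is declared `int` at the top of the `use_kasp` block, yet every assignment casts the kasp getter to `(uint32_t)`, so each value is narrowed to signed and implicitly widened again when it is handed to `dns_zone_setkeyvalidityinterval()` and the two sibling setters; declaring it `uint32_t seconds;` makes the casts mean what they say and avoids the sign round-trip. The removed `else` branch was the only place a primary or inline-signed zone without a kasp had its validity and re-sign intervals set; if such a zone can still reach this point it now keeps whatever defaults `dns_zone_t` carries, which is presumably the intent but deserves a one-line comment on the `if (use_kasp)` line such as `/* signature lifetimes now come only from the dnssec-policy */` — confirm against the callers. The enclosing function starts before and ends after this hunk.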
_count=0
# Check if we have at least 4 days
- # This number has been tuned for `sig-validity-interval 10 2`, as
+ # This number has been tuned for `signatures-validity 10d; signatures-refresh 2d`, as
# 1 signature expiration dates should be spread out across at most 8 (10-2) days
# 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
# 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2)
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnskey-sig-validity 5000; /* maximum value 10 years, this is 14 */
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- sig-validity-interval 5000;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnskey-sig-validity 3660; /* maximum value 10 years */
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnskey-sig-validity 0; /* 0 is disabled */
-};
type primary;
file "nsec3.db";
dnssec-policy "test";
- dnskey-sig-validity 3600;
dnssec-dnskey-kskonly yes;
dnssec-update-mode maintain;
inline-signing no;
- sig-validity-interval 3600;
update-check-ksk yes;
};
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
-grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
-grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
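Review bot: The added `grep` on the `dnssec-update-mode` message repeats, verbatim, the check already present three lines above it, so it exercises nothing new and reads like a copy-paste slip standing in for the two removed `sig-validity-interval` / `dnskey-sig-validity` assertions. Either drop the line, or, if the intent is to keep coverage for those two options, grep for the diagnostic that checkconf now emits for them as obsolete clauses (its wording is not visible in this diff) so a regression in the obsolete-flag handling is still caught.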
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
#
-# A zone which will change its sig-validity-interval
+# A zone which will change its signatures-validity
#
zone=siginterval.example
infile=siginterval.example.db.in
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
-echo_i "checking sig-validity-interval second field hours vs days ($n)"
+echo_i "checking signatures-validity second field hours vs days ($n)"
ret=0
-# zone configured with 'sig-validity-interval 500 499;'
+# zone configured with 'signatures-validity 500 499;'
# 499 days in the future w/ a 20 minute runtime to now allowance
min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n
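Review bot: The rewritten comment `# zone configured with 'signatures-validity 500 499;'` and the matching `echo_i` text describe `signatures-validity` as taking a second field, but the dnssec-policy statement takes a single duration, with the refresh interval set separately by `signatures-refresh` (the earlier test comment in this same commit pairs them that way). The comment should quote the policy the hours-vs-days zone is actually configured with, e.g. `# zone configured with 'signatures-validity 500d; signatures-refresh 499d;'` adjusted to the real values, and the echo line should name both statements rather than a "second field", since the old days-vs-hours heuristic that the test name refers to no longer exists once durations carry explicit units.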
This sets the base retry interval in milliseconds. The default is ``800``.
.. namedconf:statement:: sig-validity-interval
- :tags: dnssec
- :short: Specifies the maximum number of days that RRSIGs generated by :iscman:`named` are valid.
-
- This specifies the upper bound of the number of days that RRSIGs
- generated by :iscman:`named` are valid; the default is ``30`` days,
- with a maximum of 3660 days (10 years). The optional second value
- specifies the minimum bound on those RRSIGs and also determines
- how long before expiry :iscman:`named` starts regenerating those RRSIGs.
- The default value for the lower bound is 1/4 of the upper bound;
- it is expressed in days if the upper bound is greater than 7,
- and hours if it is less than or equal to 7 days.
-
- When new RRSIGs are generated, the length of time is randomly
- chosen between these two limits, to spread out the re-signing
- load. When RRSIGs are re-generated, the upper bound is used, with
- a small amount of jitter added. New RRSIGs are generated by a
- number of processes, including the processing of UPDATE requests
- (ref:`dynamic_update`), the addition and removal of records via
- in-line signing, and the initial signing of a zone.
-
- The signature inception time is unconditionally set to one hour
- before the current time, to allow for a limited amount of clock skew.
-
- The :any:`sig-validity-interval` can be overridden for DNSKEY records by
- setting :any:`dnskey-sig-validity`.
-
- The :any:`sig-validity-interval` should be at least several multiples
- of the SOA expire interval, to allow for reasonable interaction
- between the various timer and expiry dates.
+ :tags: obsolete
+
+ This option no longer has any effect.
.. namedconf:statement:: dnskey-sig-validity
- :tags: dnssec
- :short: Specifies the number of days in the future when automatically generated DNSSEC signatures expire.
-
- This specifies the number of days into the future when DNSSEC signatures
- that are automatically generated for DNSKEY RRsets as a result of
- dynamic updates (:ref:`dynamic_update`) will expire.
- If set to a non-zero value, this overrides the value set by
- :any:`sig-validity-interval`. The default is zero, meaning
- :any:`sig-validity-interval` is used. The maximum value is 3660 days (10
- years), and higher values are rejected.
+ :tags: obsolete
+
+ This option no longer has any effect.
.. namedconf:statement:: sig-signing-nodes
:tags: dnssec
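Review bot: The replacement text `This option no longer has any effect.` under both `sig-validity-interval` and `dnskey-sig-validity` tells an operator what was removed but not where the setting moved, which matters because a configuration still carrying these options now silently gets the policy's signature lifetimes; add a sentence under each such as `Signature lifetimes are now controlled by the dnssec-policy statements signatures-validity, signatures-validity-dnskey and signatures-refresh.` The removed paragraphs also carried the only statement of the one-hour inception backdating for clock skew and the advice to keep validity at several multiples of the SOA expire interval; if those still hold for policy-driven signing, that text should be moved to the dnssec-policy section rather than dropped.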
}; // may occur multiple times
dns64-contact <string>;
dns64-server <string>;
- dnskey-sig-validity <integer>;
+ dnskey-sig-validity <integer>; // obsolete
dnsrps-enable <boolean>; // not configured
dnsrps-library <quoted_string>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
+ sig-validity-interval <integer> [ <integer> ]; // obsolete
sortlist { <address_match_element>; ... };
stale-answer-client-timeout ( disabled | off | <integer> );
stale-answer-enable <boolean>;
}; // may occur multiple times
dns64-contact <string>;
dns64-server <string>;
- dnskey-sig-validity <integer>;
+ dnskey-sig-validity <integer>; // obsolete
dnsrps-enable <boolean>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
+ sig-validity-interval <integer> [ <integer> ]; // obsolete
sortlist { <address_match_element>; ... };
stale-answer-client-timeout ( disabled | off | <integer> );
stale-answer-enable <boolean>;
database <string>;
dialup ( notify | notify-passive | passive | refresh | <boolean> );
dlz <string>;
- dnskey-sig-validity <integer>;
+ dnskey-sig-validity <integer>; // obsolete
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
+ sig-validity-interval <integer> [ <integer> ]; // obsolete
update-check-ksk <boolean>;
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
zero-no-soa-ttl <boolean>;
database <string>;
dialup ( notify | notify-passive | passive | refresh | <boolean> );
dlz <string>;
- dnskey-sig-validity <integer>;
+ dnskey-sig-validity <integer>; // obsolete
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
+ sig-validity-interval <integer> [ <integer> ]; // obsolete
transfer-source ( <ipv4_address> | * );
transfer-source-v6 ( <ipv6_address> | * );
try-tcp-refresh <boolean>;
isc_result_t tresult;
unsigned int i;
const cfg_obj_t *obj = NULL;
- const cfg_obj_t *resignobj = NULL;
const cfg_listelt_t *element;
isc_symtab_t *symtab = NULL;
const char *str;
isc_buffer_t b;
uint32_t lifetime = 3600;
- bool has_dnssecpolicy = false;
const char *ccalg = "siphash24";
cfg_aclconfctx_t *actx = NULL;
static const char *sources[] = {
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
- } else {
- has_dnssecpolicy = true;
}
}
}
}
- obj = NULL;
- cfg_map_get(options, "sig-validity-interval", &obj);
- if (obj != NULL) {
- uint32_t validity, resign = 0;
-
- validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
- resignobj = cfg_tuple_get(obj, "re-sign");
- if (!cfg_obj_isvoid(resignobj)) {
- resign = cfg_obj_asuint32(resignobj);
- }
-
- if (validity > 3660 || validity == 0) { /* 10 years */
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%u' is out of range (1..3660)",
- "sig-validity-interval", validity);
- result = ISC_R_RANGE;
- }
-
- if (!cfg_obj_isvoid(resignobj)) {
- if (resign > 3660 || resign == 0) { /* 10 years */
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%u' is out of range (1..3660)",
- "sig-validity-interval (re-sign)",
- validity);
- result = ISC_R_RANGE;
- } else if ((validity > 7 && validity < resign) ||
- (validity <= 7 && validity * 24 < resign))
- {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "validity interval (%u days) "
- "less than re-signing interval "
- "(%u %s)",
- validity, resign,
- (validity > 7) ? "days" : "hours");
- result = ISC_R_RANGE;
- }
- }
-
- if (has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "sig-validity-interval: cannot be "
- "configured if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
- }
-
- obj = NULL;
- cfg_map_get(options, "dnskey-sig-validity", &obj);
- if (obj != NULL) {
- uint32_t keyvalidity;
-
- keyvalidity = cfg_obj_asuint32(obj);
- if (keyvalidity > 3660) { /* 10 years */
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%u' is out of range (0..3660)",
- "dnskey-sig-validity", keyvalidity);
- result = ISC_R_RANGE;
- }
-
- if (has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnskey-sig-validity: cannot be "
- "configured if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
- }
-
obj = NULL;
(void)cfg_map_get(options, "preferred-glue", &obj);
if (obj != NULL) {
{ "sig-signing-type", &cfg_type_uint32,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
{ "sig-validity-interval", &cfg_type_validityinterval,
- CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "dnskey-sig-validity", &cfg_type_uint32,
- CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "transfer-source", &cfg_type_sockaddr4wild,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
{ "transfer-source-v6", &cfg_type_sockaddr6wild,