cdnskey yes;\n\
cds-digest-types { 2; };\n\
dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
+ inline-signing yes;\n\
publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
purge-keys " DNS_KASP_PURGE_KEYS "; \n\
\n\
dnssec-policy \"insecure\" {\n\
keys { };\n\
+ inline-signing yes;\n\
};\n\
\n\
"
*/
bool
-named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
+ const cfg_obj_t *vconfig, const cfg_obj_t *config,
+ dns_kasplist_t *kasplist);
/*%<
* If 'zone' can be safely reconfigured according to the configuration
* data in 'zconfig', return true. If the configuration data is so
*/
bool
-named_zone_inlinesigning(const cfg_obj_t *zconfig);
+named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+ const cfg_obj_t *config, dns_kasplist_t *kasplist);
/*%<
* Determine if zone uses inline-signing. This is true if inline-signing
- * is set to yes.
+ * is set to yes, in the zone clause or in the zone's dnssec-policy clause.
+ * By default, dnssec-policy uses inline-signing.
*/
isc_result_t
goto cleanup;
}
- if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
+ if (zone != NULL &&
+ !named_zone_reusable(zone, zconfig, vconfig, config, kasplist))
+ {
dns_zone_detach(&zone);
fullsign = true;
}
strcasecmp(ztypestr, "slave") == 0));
if (zone_maybe_inline) {
- inline_signing = named_zone_inlinesigning(zconfig);
+ inline_signing = named_zone_inlinesigning(zconfig, vconfig,
+ config, kasplist);
}
if (inline_signing) {
dns_zone_getraw(zone, &raw);
}
bool
-named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
+ const cfg_obj_t *vconfig, const cfg_obj_t *config,
+ dns_kasplist_t *kasplist) {
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *obj = NULL;
const char *cfilename;
has_raw = false;
}
- inline_signing = named_zone_inlinesigning(zconfig);
+ inline_signing = named_zone_inlinesigning(zconfig, vconfig, config,
+ kasplist);
if (!inline_signing && has_raw) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"not reusable: old zone was inline-signing");
}
bool
-named_zone_inlinesigning(const cfg_obj_t *zconfig) {
- const cfg_obj_t *zoptions = NULL;
+named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+ const cfg_obj_t *config, dns_kasplist_t *kasplist) {
+ const cfg_obj_t *maps[4];
const cfg_obj_t *signing = NULL;
+ const cfg_obj_t *policy = NULL;
+ dns_kasp_t *kasp = NULL;
+ isc_result_t res;
bool inline_signing = false;
+ int i = 0;
- zoptions = cfg_tuple_get(zconfig, "options");
- inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
- ISC_R_SUCCESS &&
- cfg_obj_asboolean(signing));
+ maps[i++] = cfg_tuple_get(zconfig, "options");
+ if (vconfig != NULL) {
+ maps[i++] = cfg_tuple_get(vconfig, "options");
+ }
+ if (config != NULL) {
+ const cfg_obj_t *options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL) {
+ maps[i++] = options;
+ }
+ }
+ maps[i] = NULL;
+
+ /* "inline-signing" is a zone-only clause, so look in maps[0] only. */
+ res = cfg_map_get(maps[0], "inline-signing", &signing);
+ if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
+ return (cfg_obj_asboolean(signing));
+ }
+
+ /* If inline-signing is not set, check the value in dnssec-policy. */
+ policy = NULL;
+ res = named_config_get(maps, "dnssec-policy", &policy);
+ /* If no dnssec-policy found, then zone is not using inline-signing. */
+ if (res != ISC_R_SUCCESS ||
+ strcmp(cfg_obj_asstring(policy), "none") == 0)
+ {
+ return (false);
+ }
+
+ /* Lookup the policy. */
+ res = dns_kasplist_find(kasplist, cfg_obj_asstring(policy), &kasp);
+ if (res != ISC_R_SUCCESS) {
+ return (false);
+ }
+
+ inline_signing = dns_kasp_inlinesigning(kasp);
+ dns_kasp_detach(&kasp);
return (inline_signing);
}
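Review bot: In the new `named_zone_inlinesigning` body, a `dns_kasplist_find` failure after the `dnssec-policy` lookup succeeded is folded into the same `return (false)` as "policy is none", so a policy that the configuration names but that is missing from `kasplist` (including, presumably, a NULL or not-yet-populated list — whether `dns_kasplist_find` tolerates NULL is not visible here) is reported as "not inline-signing"; in the `named_zone_reusable` caller that answer feeds the `!inline_signing && has_raw` "not reusable" decision and hence a full re-sign, which fails safe but deserves a comment such as `/* A configured policy absent from kasplist is treated as not inline-signing; the caller then falls back to a full re-sign. */` on the failure branch. Two style points in the same function: `policy = NULL;` before `named_config_get` repeats the initializer in the declaration and can be dropped, and `i` indexes `maps[]`, so `size_t i = 0;` fits better than `int`. The whole function is inside the hunk.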
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
sig-signing-type 65280;
};
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
+ inline-signing no;
dnssec-policy private;
};
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
+ inline-signing no;
dnssec-policy optout;
};
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
+ inline-signing no;
dnssec-policy optout;
};
type primary;
file "secure.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "nsec3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
type primary;
file "autonsec3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
type primary;
file "optout.nsec3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy optout;
};
type primary;
file "nsec3.nsec3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
type primary;
file "jitter.nsec3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy jitter-nsec3;
sig-signing-nodes 1000;
sig-signing-signatures 100;
type primary;
file "secure.nsec3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
type primary;
file "secure.optout.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy optout;
};
type primary;
file "nsec3.optout.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy optout;
};
type primary;
file "optout.optout.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy optout;
};
type primary;
file "rsasha256.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy rsasha256;
};
type primary;
file "rsasha512.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy rsasha512;
};
type primary;
file "nsec-only.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "nsec3-to-nsec.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
type primary;
file "oldsigs.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy jitter;
sig-signing-nodes 1000;
sig-signing-signatures 100;
type primary;
file "prepub.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "ttl1.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "ttl2.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "ttl3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "ttl4.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "nozsk.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "inaczsk.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "noksk.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "sync.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy sync;
};
type primary;
file "inaczsk2.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy autosign;
};
type primary;
file "delzsk.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
type primary;
file "dname-at-apex-nsec3.example.db";
allow-update { any; };
+ inline-signing no;
dnssec-policy nsec3;
};
cds-digest-types {
"sha-256";
};
+ inline-signing yes;
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm ecdsa256;
zone "example1" {
type primary;
file "example1.db";
- inline-signing yes;
};
zone "example2" {
type primary;
zone "example3" {
type primary;
file "example3.db";
- inline-signing yes;
dnssec-policy "default";
};
zone "dnssec-policy-none-shared-zonefile1" {
zone "dynamic.kasp" {
type primary;
file "dynamic.kasp.db";
- dnssec-policy "default";
+ dnssec-policy "default-dynamic";
allow-update { any; };
};
};
};
+dnssec-policy "default-dynamic" {
+ inline-signing no;
+};
+
dnssec-policy "manual-rollover" {
dnskey-ttl 3600;
zone "example.net" {
type primary;
+ inline-signing no;
file "example1.db";
};
};
type primary;
file "step1.going-insecure-dynamic.kasp.db";
dnssec-policy "unsigning";
+ inline-signing no;
allow-update { any; };
};
zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
+ inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};
zone "step2.going-insecure-dynamic.kasp" {
type primary;
file "step2.going-insecure-dynamic.kasp.db";
+ inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};
zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
+ inline-signing no;
dnssec-policy "nsec3";
allow-update { any; };
};
/* These zones switch from dynamic to inline-signing or vice versa. */
zone "nsec3-dynamic-to-inline.kasp" {
- type primary;
- file "nsec3-dynamic-to-inline.kasp.db";
- dnssec-policy "nsec3";
- allow-update { any; };
+ type primary;
+ file "nsec3-dynamic-to-inline.kasp.db";
+ inline-signing no;
+ dnssec-policy "nsec3";
+ allow-update { any; };
};
zone "nsec3-inline-to-dynamic.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
//dnssec-policy "nsec3";
+ inline-signing no;
dnssec-policy "nsec3-other";
allow-update { any; };
};
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
+dnssec-policy "default-dynamic" {
+ inline-signing no;
+};
+
zone "example" {
type primary;
allow-update { any; };
zone "multisigner.test" {
type primary;
allow-update { any; };
- dnssec-policy "default";
+ dnssec-policy "default-dynamic";
file "multisigner.test.db";
};
};
dnssec-policy "dnssec" {
+ inline-signing no;
keys {
ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
dnssec-policy "manykeys" {
+ inline-signing no;
keys {
ksk lifetime unlimited algorithm 8;
zsk lifetime unlimited algorithm 8;
};
dnssec-policy "manykeys" {
+ inline-signing no;
keys {
ksk lifetime unlimited algorithm 8;
zsk lifetime unlimited algorithm 8;
signatures-validity-dnskey 14d;
// Zone parameters
+ inline-signing yes;
max-zone-ttl 86400;
zone-propagation-delay 300;
cdnskey <boolean>;
cds-digest-types { <string>; ... };
dnskey-ttl <duration>;
+ inline-signing <boolean>;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
/* Zone settings */
dns_ttl_t zone_max_ttl;
uint32_t zone_propagation_delay;
+ bool inline_signing;
/* Parent settings */
dns_ttl_t parent_ds_ttl;
*\li 'kasp' is a valid, thawed kasp.
*/
+bool
+dns_kasp_inlinesigning(dns_kasp_t *kasp);
+/*%<
+ * Should we use inline-signing for this DNSSEC policy?
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li true or false.
+ */
+
+void
+dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
+/*%<
+ * Set inline-signing.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, thawed kasp.
+ */
+
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp);
/*%<
kasp->retire_safety = value;
}
+bool
+dns_kasp_inlinesigning(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+
+ return (kasp->inline_signing);
+}
+
+void
+dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(!kasp->frozen);
+
+ kasp->inline_signing = value;
+}
+
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
const cfg_obj_t *koptions = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *nsec3 = NULL;
+ const cfg_obj_t *inlinesigning = NULL;
+ const cfg_obj_t *cds = NULL;
const cfg_obj_t *obj = NULL;
const cfg_listelt_t *element = NULL;
const char *kaspname = NULL;
}
/* Configuration: Zone settings */
+ (void)confget(maps, "inline-signing", &inlinesigning);
+ if (inlinesigning != NULL && cfg_obj_isboolean(inlinesigning)) {
+ dns_kasp_setinlinesigning(kasp,
+ cfg_obj_asboolean(inlinesigning));
+ } else {
+ dns_kasp_setinlinesigning(kasp, true);
+ }
+
maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL);
dns_kasp_setzonemaxttl(kasp, maxttl);
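Review bot: The `else` branch of the new `inline-signing` block hard-codes the default as a bare `true`, whereas the neighbouring defaults in this function come from named constants (`DNS_KASP_ZONE_MAXTTL` on the `max-zone-ttl` line directly below, and the `DNS_KASP_*` values used elsewhere in this change); defining a `DNS_KASP_INLINE_SIGNING` constant alongside those and writing `dns_kasp_setinlinesigning(kasp, DNS_KASP_INLINE_SIGNING);` keeps the policy default in one documented place. A one-line comment above the block, `/* inline-signing defaults to yes for every dnssec-policy. */`, would also make the behaviour explicit to readers of this function rather than only of the header comment. The enclosing function starts and ends outside the hunk.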
dns_kasp_setcdnskey(kasp, true);
}
- obj = NULL;
- (void)confget(maps, "cds-digest-types", &obj);
- if (obj != NULL) {
- for (element = cfg_list_first(obj); element != NULL;
+ (void)confget(maps, "cds-digest-types", &cds);
+ if (cds != NULL) {
+ for (element = cfg_list_first(cds); element != NULL;
element = cfg_list_next(element))
{
result = add_digest(kasp, cfg_listelt_value(element),
{ "cdnskey", &cfg_type_boolean, 0 },
{ "cds-digest-types", &cfg_type_algorithmlist, 0 },
{ "dnskey-ttl", &cfg_type_duration, 0 },
+ { "inline-signing", &cfg_type_boolean, 0 },
{ "keys", &cfg_type_kaspkeys, 0 },
{ "max-zone-ttl", &cfg_type_duration, 0 },
{ "nsec3param", &cfg_type_nsec3, 0 },