Ignore max-zone-ttl on dnssec-policy insecure
authorMatthijs Mekking <matthijs@isc.org>
Wed, 26 Jul 2023 09:50:57 +0000 (11:50 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 1 Aug 2023 06:56:52 +0000 (08:56 +0200)
Allow larger TTL values in zones that go insecure. This is necessary
because otherwise the zone will not be loaded due to the max-zone-ttl
of P1D that is part of the current insecure policy.

In the keymgr.c code, fall back to P1D when computing key rollover timings if
max-zone-ttl is set to zero (unlimited).

bin/named/config.c
bin/named/zoneconf.c
lib/dns/include/dns/kasp.h
lib/dns/kasp.c
lib/dns/keymgr.c

index b5548b3631dfc6e015b1ed726cff8676de2173a8..0f1d3700af2bf7951418713b6e47d52637399d95 100644 (file)
@@ -308,6 +308,7 @@ dnssec-policy \"default\" {\n\
 };\n\
 \n\
 dnssec-policy \"insecure\" {\n\
+       max-zone-ttl 0; \n\
        keys { };\n\
        inline-signing yes;\n\
 };\n\
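Review bot: The added line `max-zone-ttl 0; \n\` carries a trailing space before the `\n` that none of the neighbouring lines of this built-in configuration string have; `max-zone-ttl 0;\n\` matches the rest. Because this string is what named parses as the built-in insecure policy, a config comment above the setting (named.conf accepts `//`) saying that 0 means unlimited and exists so zones with TTLs above P1D can still load would spare the next reader a trip to the commit log. The string literal containing this policy starts before the hunk.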
index 1759da7837cf102bf49903952a177e04ad4514f6..35291d47c9e989e25eb54e21e49dfb0a0b914934 100644 (file)
@@ -1502,7 +1502,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
        }
 
        if (use_kasp) {
-               maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
+               maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false);
        } else {
                obj = NULL;
                result = named_config_get(maps, "max-zone-ttl", &obj);
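Review bot: The `false` in the new `dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false)` call is a bare boolean whose meaning is only discoverable in kasp.h; a comment on the line, `/* no fallback: 0 (unlimited) must reach the zone unchanged */`, would make the intent visible here. Whether a `maxttl` of 0 is then treated as "no limit" by the code that consumes it is outside this hunk and should be confirmed, since the commit message relies on exactly that. `named_zone_configure` begins before this hunk and continues after it.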
index 88b6157233cbd36fd69f64460c21287c7d029485..9a32f586b2d3adf0f0d3d7a162cd84d7581af119 100644 (file)
@@ -415,9 +415,11 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
  */
 
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp);
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback);
 /*%<
- * Get maximum zone TTL.
+ * Get maximum zone TTL. If 'fallback' is true, return a default maximum TTL
+ * if the maximum zone TTL is set to unlimited (value 0). Fallback should be
+ * used if determining key rollover timings in keymgr.c
  *
  * Requires:
  *
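Review bot: The new description of `fallback` does not say what the default actually is, and its last sentence is unfinished (`Fallback should be used if determining key rollover timings in keymgr.c` has no period and reads like a condition rather than guidance). Suggest: `If 'fallback' is true and the maximum zone TTL is unlimited (value 0), return the built-in default of one day instead; callers that derive key rollover timings (keymgr.c) should pass true, callers that configure zone limits should pass false.` Stating the value in the header keeps it in step with the `DEFAULT_TTLSIG` constant this commit adds in kasp.c. The comment block continues past the end of the hunk.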
index c6fa9aa8ab42d07f956f50f687705d34ede7b1c5..54fe4444f64ecd43146298acbbf8057c8f9f16ee 100644 (file)
@@ -29,6 +29,9 @@
 
 #include <dst/dst.h>
 
+/* Default TTLsig (maximum zone ttl) */
+#define DEFAULT_TTLSIG 86400
+
 isc_result_t
 dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
        dns_kasp_t *kasp;
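Review bot: `DEFAULT_TTLSIG 86400` is a bare number whose relation to the P1D default named in the commit message is not recorded in the code; the comment above it should say so, e.g. `/* Default TTLsig (maximum zone TTL) used when a policy sets max-zone-ttl to 0 (unlimited): one day (P1D), in seconds. */`. If the P1D default of the built-in policies is already expressed as a constant elsewhere in the tree, reusing it would keep the two values from drifting apart, but that cannot be verified from this hunk. `dns_kasp_create` continues past the end of the hunk.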
@@ -264,10 +267,13 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
 }
 
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback) {
        REQUIRE(DNS_KASP_VALID(kasp));
        REQUIRE(kasp->frozen);
 
+       if (kasp->zone_max_ttl == 0 && fallback) {
+               return (DEFAULT_TTLSIG);
+       }
        return (kasp->zone_max_ttl);
 }
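Review bot: The fallback branch returns `DEFAULT_TTLSIG` without recording the assumption it makes: with `fallback` true, a policy whose `zone_max_ttl` is 0 is treated as though no signed RRset in the zone has a TTL above one day, while the zone itself (configured with `fallback` false in zoneconf.c) enforces no such bound. A rollover timing derived from that value can therefore be shorter than the real cache lifetime of signatures whose TTL exceeds 86400 seconds; whether that matters for the insecure policy, which has no keys of its own, is not shown by this diff. A comment inside the branch, `/* Unlimited zone TTL: assume one day for rollover timing; TTLs above this are not covered. */`, would make the trade-off explicit.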
 
index 5dd4e1b0ec7f2a0d24ec52f6abd466953f68f223..ea8dfb788bb99153aa8375674fdeb3fc1e741d5b 100644 (file)
@@ -131,11 +131,11 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
 
        ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
        if (ret == ISC_R_SUCCESS && zsk) {
+               dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
                /* ZSK: Iret = Dsgn + Dprp + TTLsig */
-               zsk_remove = retire + dns_kasp_zonemaxttl(kasp) +
-                            dns_kasp_zonepropagationdelay(kasp) +
-                            dns_kasp_retiresafety(kasp) +
-                            dns_kasp_signdelay(kasp);
+               zsk_remove =
+                       retire + ttlsig + dns_kasp_zonepropagationdelay(kasp) +
+                       dns_kasp_retiresafety(kasp) + dns_kasp_signdelay(kasp);
        }
        ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
        if (ret == ISC_R_SUCCESS && ksk) {
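Review bot: In the ZSK branch the new `dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);` is wedged between the `if` and the `/* ZSK: Iret = Dsgn + Dprp + TTLsig */` comment, so the comment that explains the formula no longer sits directly above the assignment it documents. Moving the comment above the declaration, or declaring `ttlsig` once at the top of `keymgr_settime_remove` the way this commit does in `keymgr_transition_time`, reads better and keeps the two functions consistent. `keymgr_settime_remove` begins before this hunk.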
@@ -178,7 +178,8 @@ keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
        if (first) {
                /* Also need to wait until the signatures are omnipresent. */
                isc_stdtime_t zrrsig_present;
-               zrrsig_present = published + dns_kasp_zonemaxttl(kasp) +
+               dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+               zrrsig_present = published + ttlsig +
                                 dns_kasp_zonepropagationdelay(kasp) +
                                 dns_kasp_publishsafety(kasp);
                if (zrrsig_present > syncpublish) {
@@ -259,7 +260,9 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
                                 * No predecessor, wait for zone to be
                                 * completely signed.
                                 */
-                               syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
+                               dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
+                                                                      true);
+                               syncpub2 = pub + ttlsig +
                                           dns_kasp_publishsafety(kasp) +
                                           dns_kasp_zonepropagationdelay(kasp);
                        }
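Review bot: The wrapped declaration `dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,` / `true);` inside the innermost block is hard to read, and its value does not depend on anything in that block; declaring `ttlsig` once near the top of `keymgr_prepublication_time`, as this commit does in `keymgr_transition_time`, removes both the line wrap and the nested declaration. The start of the function and the branches around this block are outside the hunk.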
@@ -1239,6 +1242,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
                       isc_stdtime_t now, isc_stdtime_t *when) {
        isc_result_t ret;
        isc_stdtime_t lastchange, dstime, nexttime = now;
+       dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 
        /*
         * No need to wait if we move things into an uncertain state.
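Review bot: Hoisting `dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);` to the top of `keymgr_transition_time` makes the call unconditional, whereas before this commit `dns_kasp_zonemaxttl` was only reached in the one branch that needed it; because the callee asserts `DNS_KASP_VALID(kasp)` and `kasp->frozen`, any caller that reaches this function with an unfrozen policy would now abort on entry rather than only on that branch. That is probably harmless if every caller freezes the policy first, but it is a behaviour change worth a one-line comment, e.g. `/* kasp must be frozen here; asserted by dns_kasp_zonemaxttl */`. The remainder of the function, including its early-return paths, lies outside this hunk.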
@@ -1311,7 +1315,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
                         *
                         * We will also add the retire-safety interval.
                         */
-                       nexttime = lastchange + dns_kasp_zonemaxttl(kasp) +
+                       nexttime = lastchange + ttlsig +
                                   dns_kasp_zonepropagationdelay(kasp) +
                                   dns_kasp_retiresafety(kasp);
                        /*
@@ -1584,9 +1588,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
        /* Get time metadata. */
        ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
        if (active <= now && ret == ISC_R_SUCCESS) {
-               dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
-               zone_ttl += dns_kasp_zonepropagationdelay(kasp);
-               if ((active + zone_ttl) <= now) {
+               dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+               ttlsig += dns_kasp_zonepropagationdelay(kasp);
+               if ((active + ttlsig) <= now) {
                        zrrsig_state = OMNIPRESENT;
                } else {
                        zrrsig_state = RUMOURED;
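Review bot: After `ttlsig += dns_kasp_zonepropagationdelay(kasp);` the variable no longer holds TTLsig, so the name this commit introduces is misleading at the comparison `(active + ttlsig) <= now`; the same pattern recurs in the DST_TIME_INACTIVE branch further down. Keeping the policy value separate and naming the sum, e.g. `dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);` / `isc_stdtime_t omnipresent = active + ttlsig + dns_kasp_zonepropagationdelay(kasp);` / `if (omnipresent <= now) {`, reads as the formula it implements. `keymgr_key_init` begins before this hunk and continues after it.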
@@ -1617,9 +1621,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
        }
        ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
        if (retire <= now && ret == ISC_R_SUCCESS) {
-               dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
-               zone_ttl += dns_kasp_zonepropagationdelay(kasp);
-               if ((retire + zone_ttl) <= now) {
+               dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+               ttlsig += dns_kasp_zonepropagationdelay(kasp);
+               if ((retire + ttlsig) <= now) {
                        zrrsig_state = HIDDEN;
                } else {
                        zrrsig_state = UNRETENTIVE;