Commit 1a6f7db4 authored by Daniel Salzman

conf: rename server.dnssec-keydir to server.kasp-db

parent 7b71a75c
......@@ -271,7 +271,7 @@ can operate in two modes:
No zone operator intervention is necessary.
The DNSSEC signing is controlled by the :ref:`template_dnssec-enable` and
:ref:`template_dnssec-keydir` configuration options. The first option states
:ref:`template_kasp_db` configuration options. The first option states
if the signing is enabled for a particular zone, the second option points to
a KASP database holding the signing configuration.
......@@ -287,7 +287,7 @@ default template, but the signing is explicitly disabled for zone
template:
- id: default
dnssec-enable: on
dnssec-keydir: /var/lib/knot/kasp
kasp-db: /var/lib/knot/kasp
zone:
- domain: example.com
......@@ -356,7 +356,7 @@ The configuration fragment might look similar to::
template:
- id: default
storage: /var/lib/knot
dnssec-keydir: kasp
kasp-db: kasp
zone:
- domain: myzone.test
......
......@@ -433,7 +433,7 @@ template:
ixfr\-from\-differences: BOOL
ixfr\-fslimit: SIZE
dnssec\-enable: BOOL
dnssec\-keydir: STR
kasp\-db: STR
signature\-lifetime: TIME
serial\-policy: increment | unixtime
module: STR/STR ...
......@@ -571,10 +571,10 @@ Default: unlimited
If enabled, automatic DNSSEC signing for the zone is turned on.
.sp
Default: off
.SS dnssec\-keydir
.SS kasp_db
.sp
A data directory for storing DNSSEC signing keys. Non absolute path is
relative to \fI\%storage\fP\&.
A KASP database path. Non absolute path is relative to
\fI\%storage\fP\&.
.sp
Default: \fI\%storage\fP/keys
.SS signature\-lifetime
......
......@@ -23,21 +23,21 @@ generated by Bind.
example.com``.
Note: If dynamic updates (DDNS) are enabled for the given zone, you
might need to freeze the zone before flushing it. That can be done
might need to freeze the zone before flushing it. That can be done
similarly: ``rndc freeze example.com``
2. Copy the fresh zone file into the zones storage directory of Knot
DNS. It's default location is ``/var/lib/knot``.
DNS. It's default location is ``/var/lib/knot``.
3. We recommend to store DNSSEC keys for each zone in a separate
directory. For this purpose, create a directory
``example.com.keys`` in zones storage directory. Then copy all
directory. For this purpose, create a directory
``example.com.keys`` in zones storage directory. Then copy all
DNSSEC keys (``*.key`` and ``*.private``) from Bind key directory
(configured as ``key-directory``) into the newly created one.
4. Add the zone into the Knot DNS configuration file. Zone
4. Add the zone into the Knot DNS configuration file. Zone
configuration should contain at least specification of the zone
file (option ``file``), key directory (option ``dnssec-keydir``),
file (option ``file``), key directory (option ``kasp-db``),
and enable automatic DNSSEC signing (option ``dnssec-enable``).
You can follow this example::
......@@ -47,6 +47,6 @@ generated by Bind.
file: "example.com.db"
storage: "/var/lib/knot"
dnssec-enable: on
dnssec-keydir: "example.com.keys"
kasp-db: "example.com.keys"
5. Start Knot DNS and check the log files to make sure that everything went right.
......@@ -512,7 +512,7 @@ configuration if a zone doesn't have a teplate specified.
ixfr-from-differences: BOOL
ixfr-fslimit: SIZE
dnssec-enable: BOOL
dnssec-keydir: STR
kasp-db: STR
signature-lifetime: TIME
serial-policy: increment | unixtime
module: STR/STR ...
......@@ -677,13 +677,13 @@ If enabled, automatic DNSSEC signing for the zone is turned on.
Default: off
.. _template_dnssec-keydir:
.. _template_kasp_db:
dnssec-keydir
-------------
kasp_db
-------
A data directory for storing DNSSEC signing keys. Non absolute path is
relative to :ref:`storage<template_storage>`.
A KASP database path. Non absolute path is relative to
:ref:`storage<template_storage>`.
Default: :ref:`storage<template_storage>`/keys
......
......@@ -143,7 +143,7 @@ static const yp_item_t desc_remote[] = {
{ C_IXFR_DIFF, YP_TBOOL, YP_VNONE }, \
{ C_IXFR_FSLIMIT, YP_TINT, YP_VINT = { 0, INT64_MAX, INT64_MAX, YP_SSIZE } }, \
{ C_DNSSEC_ENABLE, YP_TBOOL, YP_VNONE }, \
{ C_DNSSEC_KEYDIR, YP_TSTR, YP_VSTR = { "keys" } }, \
{ C_KASP_DB, YP_TSTR, YP_VSTR = { "keys" } }, \
{ C_SIG_LIFETIME, YP_TINT, YP_VINT = { 3 * 3600, INT32_MAX, 30 * 24 * 3600, YP_STIME } }, \
{ C_SERIAL_POLICY, YP_TOPT, YP_VOPT = { serial_policies, SERIAL_POLICY_INCREMENT } }, \
{ C_MODULE, YP_TDATA, YP_VDATA = { 0, NULL, mod_id_to_bin, mod_id_to_txt }, \
......
......@@ -39,13 +39,13 @@
#define C_DISABLE_ANY "\x0B""disable-any"
#define C_DOMAIN "\x06""domain"
#define C_DNSSEC_ENABLE "\x0D""dnssec-enable"
#define C_DNSSEC_KEYDIR "\x0D""dnssec-keydir"
#define C_FILE "\x04""file"
#define C_IDENT "\x08""identity"
#define C_ID "\x02""id"
#define C_INCL "\x07""include"
#define C_IXFR_DIFF "\x15""ixfr-from-differences"
#define C_IXFR_FSLIMIT "\x0C""ixfr-fslimit"
#define C_KASP_DB "\x07""kasp-db"
#define C_KEY "\x03""key"
#define C_LOG "\x03""log"
#define C_LISTEN "\x06""listen"
......
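Review bot: The option is registered here as `kasp-db` (and identically in the second copy of these defines further down in the diff), but the man-page heading `.SS kasp_db` and the rst heading `kasp_db` in the documentation sections above spell it with an underscore, so the rendered docs name a key that the parser will not accept; both headings should read `kasp-db`, while the rst label `_template_kasp_db` can stay as an anchor. The `\x07` length prefix does match the seven characters of `kasp-db`, and the documented default `storage/keys` agrees with the `"keys"` default kept in the scheme table.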
......@@ -47,19 +47,19 @@ static int sign_init(const zone_contents_t *zone, int flags, kdnssec_ctx_t *ctx)
conf_val_t val = conf_zone_get(conf(), C_STORAGE, zone_name);
char *storage = conf_abs_path(&val, NULL);
val = conf_zone_get(conf(), C_DNSSEC_KEYDIR, zone_name);
char *keydir = conf_abs_path(&val, storage);
val = conf_zone_get(conf(), C_KASP_DB, zone_name);
char *kasp_db = conf_abs_path(&val, storage);
free(storage);
char *zone_name_str = knot_dname_to_str_alloc(zone_name);
if (zone_name_str == NULL) {
free(keydir);
free(kasp_db);
return KNOT_ENOMEM;
}
int r = kdnssec_ctx_init(ctx, keydir, zone_name_str);
int r = kdnssec_ctx_init(ctx, kasp_db, zone_name_str);
free(zone_name_str);
free(keydir);
free(kasp_db);
if (r != KNOT_EOK) {
return r;
}
......
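Review bot: `kasp_db`, the result of `conf_abs_path(&val, storage)`, is passed to `kdnssec_ctx_init` without a NULL check, and `storage` is likewise used unchecked as the base path on the line before; if `conf_abs_path` can return NULL on allocation failure (its contract is not visible here), the renamed variable inherits the same gap that `keydir` had. Since `storage` is released immediately afterwards, the guard fits best right after that release: `free(storage);` followed by `if (kasp_db == NULL) { return KNOT_ENOMEM; }`, mirroring the existing `zone_name_str` check. sign_init starts before this hunk and its body continues after it.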
......@@ -2521,7 +2521,7 @@ yyreduce:
case 117:
#line 667 "cf-parse.y" /* yacc.c:1646 */
{ f_quote(scanner, R_ZONE, C_DNSSEC_KEYDIR, (yyvsp[-1].tok).t); free((yyvsp[-1].tok).t); }
{ f_quote(scanner, R_ZONE, C_KASP_DB, (yyvsp[-1].tok).t); free((yyvsp[-1].tok).t); }
#line 2526 "cf-parse.tab.c" /* yacc.c:1646 */
break;
......@@ -2632,7 +2632,7 @@ yyreduce:
case 139:
#line 705 "cf-parse.y" /* yacc.c:1646 */
{ f_quote(scanner, R_ZONE_TPL, C_DNSSEC_KEYDIR, (yyvsp[-1].tok).t); free((yyvsp[-1].tok).t); }
{ f_quote(scanner, R_ZONE_TPL, C_KASP_DB, (yyvsp[-1].tok).t); free((yyvsp[-1].tok).t); }
#line 2637 "cf-parse.tab.c" /* yacc.c:1646 */
break;
......
......@@ -664,7 +664,7 @@ zone:
| zone DBSYNC_TIMEOUT INTERVAL ';' { f_int(scanner, R_ZONE, C_ZONEFILE_SYNC, $3.i); }
| zone STORAGE TEXT ';' { f_quote(scanner, R_ZONE, C_STORAGE, $3.t); free($3.t); }
| zone DNSSEC_ENABLE BOOL ';' { f_bool(scanner, R_ZONE, C_DNSSEC_ENABLE, $3.i); }
| zone DNSSEC_KEYDIR TEXT ';' { f_quote(scanner, R_ZONE, C_DNSSEC_KEYDIR, $3.t); free($3.t); }
| zone DNSSEC_KEYDIR TEXT ';' { f_quote(scanner, R_ZONE, C_KASP_DB, $3.t); free($3.t); }
| zone SIGNATURE_LIFETIME NUM ';' { f_int(scanner, R_ZONE, C_SIG_LIFETIME, $3.i); }
| zone SIGNATURE_LIFETIME INTERVAL ';' { f_int(scanner, R_ZONE, C_SIG_LIFETIME, $3.i); }
| zone SERIAL_POLICY SERIAL_POLICY_VAL ';' { f_str(scanner, R_ZONE, C_SERIAL_POLICY, $3.t); }
......@@ -702,7 +702,7 @@ zones:
| zones DBSYNC_TIMEOUT INTERVAL ';' { f_int(scanner, R_ZONE_TPL, C_ZONEFILE_SYNC, $3.i); }
| zones STORAGE TEXT ';' { f_quote(scanner, R_ZONE_TPL, C_STORAGE, $3.t); free($3.t); }
| zones DNSSEC_ENABLE BOOL ';' { f_bool(scanner, R_ZONE_TPL, C_DNSSEC_ENABLE, $3.i); }
| zones DNSSEC_KEYDIR TEXT ';' { f_quote(scanner, R_ZONE_TPL, C_DNSSEC_KEYDIR, $3.t); free($3.t); }
| zones DNSSEC_KEYDIR TEXT ';' { f_quote(scanner, R_ZONE_TPL, C_KASP_DB, $3.t); free($3.t); }
| zones SIGNATURE_LIFETIME NUM ';' { f_int(scanner, R_ZONE_TPL, C_SIG_LIFETIME, $3.i); }
| zones SIGNATURE_LIFETIME INTERVAL ';' { f_int(scanner, R_ZONE_TPL, C_SIG_LIFETIME, $3.i); }
| zones SERIAL_POLICY SERIAL_POLICY_VAL ';' { f_str(scanner, R_ZONE_TPL, C_SERIAL_POLICY, $3.t); }
......
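Review bot: The old-format parser still accepts the `DNSSEC_KEYDIR` token and now stores its value under `C_KASP_DB`, both in the `zone` rule here and in the `zones` rule in the second hunk, but nothing records that this is a deliberate compatibility mapping rather than a leftover. A comment on each of the two lines, `/* legacy dnssec-keydir maps onto kasp-db */`, would stop a later reader from renaming the token or dropping the rule. Whether the lexer keyword behind `DNSSEC_KEYDIR` is still spelled `dnssec-keydir` is not visible in this diff. Both grammar rules begin before their hunks and continue after them.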
......@@ -61,13 +61,13 @@ typedef enum {
#define C_DISABLE_ANY "\x0B""disable-any"
#define C_DOMAIN "\x06""domain"
#define C_DNSSEC_ENABLE "\x0D""dnssec-enable"
#define C_DNSSEC_KEYDIR "\x0D""dnssec-keydir"
#define C_FILE "\x04""file"
#define C_IDENT "\x08""identity"
#define C_ID "\x02""id"
#define C_INCL "\x07""include"
#define C_IXFR_DIFF "\x15""ixfr-from-differences"
#define C_IXFR_FSLIMIT "\x0C""ixfr-fslimit"
#define C_KASP_DB "\x07""kasp-db"
#define C_KEY "\x03""key"
#define C_LOG "\x03""log"
#define C_LISTEN "\x06""listen"
......
......@@ -921,7 +921,7 @@ class Knot(Server):
if self.disable_any:
s.item_str("disable-any", "on")
if self.dnssec_enable:
s.item_str("dnssec-keydir", self.keydir)
s.item_str("kasp-db", self.keydir)
s.item_str("dnssec-enable", "on")
if len(self.modules) > 0:
modules = ""
......