Commit 7324bcfa authored by Daniel Salzman's avatar Daniel Salzman

dnssec: add single-type-signing config option

parent a3ecb0e3
......@@ -362,8 +362,7 @@ with manual key management flag has to be set::
dnssec-policy: manual
To generate signing keys, use the :doc:`keymgr <man_keymgr>` utility.
Let's use the Single-Type Signing scheme with two algorithms, which is
a scheme currently not supported by the automatic key management. Run:
Let's use the Single-Type Signing scheme with two algorithms. Run:
.. code-block:: console
......@@ -443,7 +442,7 @@ of the limitations will be hopefully removed in the near future.
- Automatic key management:
- Only one DNSSEC algorithm can be used per zone.
- Single-Type Signing scheme is not supported.
- CSK rollover with Single-Type Signing scheme is not implemented.
- ZSK rollover always uses key pre-publish method (actually a feature).
- KSK rollover is not implemented.
......
......@@ -66,12 +66,13 @@ the following symbols:
| – Choice
.UNINDENT
.sp
There are 10 main sections (\fBserver\fP, \fBcontrol\fP, \fBlog\fP, \fBkeystore\fP,
\fBpolicy\fP, \fBkey\fP, \fBacl\fP, \fBremote\fP, \fBtemplate\fP, and \fBzone\fP) and
module sections with the \fBmod\-\fP prefix. Most of the sections (excluding
\fBserver\fP and \fBcontrol\fP) are sequences of settings blocks. Each settings block
begins with a unique identifier, which can be used as a reference from other
sections (such identifier must be defined in advance).
There are 11 main sections (\fBserver\fP, \fBcontrol\fP, \fBlog\fP, \fBstatistics\fP,
\fBkeystore\fP, \fBpolicy\fP, \fBkey\fP, \fBacl\fP, \fBremote\fP, \fBtemplate\fP, and
\fBzone\fP) and module sections with the \fBmod\-\fP prefix. Most of the sections
(excluding \fBserver\fP, \fBcontrol\fP, and \fBstatistics\fP) are sequences of
settings blocks. Each settings block begins with a unique identifier,
which can be used as a reference from other sections (such identifier
must be defined in advance).
.sp
A multi\-valued item can be specified either as a YAML sequence:
.INDENT 0.0
......@@ -466,6 +467,7 @@ policy:
\- id: STR
keystore: STR
manual: BOOL
single\-type\-signing: BOOL
algorithm: dsa | rsasha1 | dsa\-nsec3\-sha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk\-size: SIZE
zsk\-size: SIZE
......@@ -496,6 +498,20 @@ for zones. A special \fIdefault\fP value can be used for the default keystore se
If enabled, automatic key management is not used.
.sp
\fIDefault:\fP off
.SS single\-type\-signing
.sp
If enabled, Single\-Type Signing Scheme is used in the automatic key management
mode.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
Because key rollover is not supported yet, just one combined signing key is
generated if none is available.
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP off
.SS algorithm
.sp
An algorithm of signing keys and issued signatures.
......
......@@ -31,12 +31,13 @@ the following symbols:
- [ ] – Optional value
- \| – Choice
There are 10 main sections (``server``, ``control``, ``log``, ``keystore``,
``policy``, ``key``, ``acl``, ``remote``, ``template``, and ``zone``) and
module sections with the ``mod-`` prefix. Most of the sections (excluding
``server`` and ``control``) are sequences of settings blocks. Each settings block
begins with a unique identifier, which can be used as a reference from other
sections (such identifier must be defined in advance).
There are 11 main sections (``server``, ``control``, ``log``, ``statistics``,
``keystore``, ``policy``, ``key``, ``acl``, ``remote``, ``template``, and
``zone``) and module sections with the ``mod-`` prefix. Most of the sections
(excluding ``server``, ``control``, and ``statistics``) are sequences of
settings blocks. Each settings block begins with a unique identifier,
which can be used as a reference from other sections (such identifier
must be defined in advance).
A multi-valued item can be specified either as a YAML sequence::
......@@ -528,6 +529,7 @@ DNSSEC policy configuration.
- id: STR
keystore: STR
manual: BOOL
single-type-signing: BOOL
algorithm: dsa | rsasha1 | dsa-nsec3-sha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk-size: SIZE
zsk-size: SIZE
......@@ -567,6 +569,20 @@ If enabled, automatic key management is not used.
*Default:* off
.. _policy_single-type-signing:
single-type-signing
-------------------
If enabled, Single-Type Signing Scheme is used in the automatic key management
mode.
.. NOTE::
Because key rollover is not supported yet, just one combined signing key is
generated if none is available.
*Default:* off
.. _policy_algorithm:
algorithm
......
/* Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -299,6 +299,7 @@ typedef struct dnssec_kasp_policy {
uint16_t zsk_size;
uint32_t dnskey_ttl;
uint32_t zsk_lifetime;
bool singe_type_signing;
// RRSIG
uint32_t rrsig_lifetime;
uint32_t rrsig_refresh_before;
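Review bot: The new field on the `bool singe_type_signing;` line is misspelled (`singe` for `single`), and the same spelling is then used in the key-generation `plan`/`exec` hunk, the NSEC3 salt rollover and ZSK rollover `plan` hunks, and the `policy_load` hunk; since `dnssec_kasp_policy` is the policy type shared across these modules, it should be `bool single_type_signing;` before callers depend on it. The field also deserves a one-line comment stating what it selects, e.g. `// Single-Type Signing: one combined key instead of a KSK/ZSK pair.` — the commit's documentation says a single combined key is generated, but the code in this hunk does not show it, so confirm before writing that. The `dnssec_kasp_policy` struct begins outside the hunk.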
......
/* Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -91,7 +91,7 @@ static int plan(dnssec_event_ctx_t *ctx, dnssec_event_t *event)
bool has_ksk, has_zsk;
scan_keys(ctx->zone, &has_ksk, &has_zsk);
if (!has_ksk || !has_zsk) {
if (!has_zsk || (!ctx->policy->singe_type_signing && !has_ksk)) {
event->type = DNSSEC_EVENT_GENERATE_INITIAL_KEY;
event->time = ctx->now;
} else {
......@@ -114,7 +114,7 @@ static int exec(dnssec_event_ctx_t *ctx, const dnssec_event_t *event)
int r = DNSSEC_EOK;
if (!has_ksk) {
if (!ctx->policy->singe_type_signing && !has_ksk) {
r = generate_initial_key(ctx, true);
}
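Review bot: The new planning condition `if (!has_zsk || (!ctx->policy->singe_type_signing && !has_ksk))` encodes the single-type rule implicitly and reads as a precedence puzzle; a comment such as `// Single-Type Signing needs only one key; otherwise both a KSK and a ZSK are required.` would make the intent reviewable. In `exec`, only the KSK generation is skipped in single-type mode, so whatever generates the remaining key runs outside the hunk; I cannot see whether that key is created with the SEP/KSK role that a combined signing key needs, and `scan_keys` is presumably what later reports it as both `has_ksk` and `has_zsk` — confirm both and document it at the skipped branch. Both `plan` and `exec` continue outside the hunk.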
......
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -38,6 +38,12 @@ static int plan(dnssec_event_ctx_t *ctx, dnssec_event_t *event)
assert(ctx);
assert(event);
// Not supported with Single-Type signing.
if (ctx->policy->singe_type_signing) {
event->type = DNSSEC_EVENT_NONE;
return DNSSEC_EOK;
}
if (!ctx->policy->nsec3_enabled || ctx->policy->nsec3_salt_length == 0) {
return DNSSEC_EOK;
}
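Review bot: Returning `DNSSEC_EVENT_NONE` here means that in single-type mode the NSEC3 salt is never rolled under automatic management, i.e. the salt stays constant for the life of the zone, and the single-type-signing option documentation added in this commit only mentions that key rollover is unsupported; the comment should say so, `// Not supported with Single-Type signing: the NSEC3 salt is never rolled in this mode.`, and the policy documentation should carry the same limitation. The ZSK rollover hunk has the same shape and the same note applies. Also this branch sets `event->type` before returning while the existing early return just below does not; presumably the caller initialises it, but aligning the two would avoid the question. `plan` continues outside the hunk.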
......
/* Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -88,6 +88,12 @@ static int plan(dnssec_event_ctx_t *ctx, dnssec_event_t *event)
assert(ctx);
assert(event);
// Not supported with Single-Type signing.
if (ctx->policy->singe_type_signing) {
event->type = DNSSEC_EVENT_NONE;
return DNSSEC_EOK;
}
/*
* We should not start another rollover, if there is a rollover
* in progress. Therefore we will check the keys in reverse order
......
......@@ -180,6 +180,7 @@ static const yp_item_t desc_policy[] = {
{ C_KEYSTORE, YP_TREF, YP_VREF = { C_KEYSTORE }, CONF_IO_FRLD_ZONES,
{ check_ref_dflt } },
{ C_MANUAL, YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
{ C_SINGLE_TYPE_SIGNING, YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
{ C_ALG, YP_TOPT, YP_VOPT = { dnssec_key_algs,
DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256 },
CONF_IO_FRLD_ZONES },
......@@ -192,7 +193,7 @@ static const yp_item_t desc_policy[] = {
{ C_ZSK_LIFETIME, YP_TINT, YP_VINT = { 1, UINT32_MAX, DAYS(30), YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_PROPAG_DELAY, YP_TINT, YP_VINT = { 0, UINT32_MAX, HOURS(1), YP_STIME },
CONF_IO_FRLD_ZONES },
CONF_IO_FRLD_ZONES },
{ C_RRSIG_LIFETIME, YP_TINT, YP_VINT = { 1, UINT32_MAX, DAYS(14), YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_RRSIG_REFRESH, YP_TINT, YP_VINT = { 1, UINT32_MAX, DAYS(7), YP_STIME },
......
......@@ -95,6 +95,7 @@
#define C_SEM_CHECKS "\x0F""semantic-checks"
#define C_SERIAL_POLICY "\x0D""serial-policy"
#define C_SERVER "\x06""server"
#define C_SINGLE_TYPE_SIGNING "\x13""single-type-signing"
#define C_SRV "\x06""server"
#define C_STATS "\x0A""statistics"
#define C_TIMER "\x05""timer"
......
......@@ -59,6 +59,9 @@ static int policy_load(void *ctx, dnssec_kasp_policy_t *policy)
val = conf_rawid_get(conf(), C_POLICY, C_MANUAL, id, id_len);
policy->manual = conf_bool(&val);
val = conf_rawid_get(conf(), C_POLICY, C_SINGLE_TYPE_SIGNING, id, id_len);
policy->singe_type_signing = conf_bool(&val);
val = conf_rawid_get(conf(), C_POLICY, C_ALG, id, id_len);
policy->algorithm = conf_opt(&val);
......
......@@ -8,7 +8,7 @@ from dnstest.test import Test
t = Test()
knot = t.server("knot")
zones = t.zone_rnd(4, dnssec=False, records=10)
zones = t.zone_rnd(5, dnssec=False, records=10)
t.link(zones, knot)
t.start()
......@@ -27,10 +27,14 @@ knot.gen_key(zones[3], ksk=True, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[3], ksk=False, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[3], ksk=False, alg="RSASHA512", key_len="1024")
for zone in zones:
for zone in zones[:-1]:
knot.dnssec(zone).enable = True
knot.dnssec(zone).manual = True
# enable automatic Single-Type signing scheme on the last zone
knot.dnssec(zones[-1]).enable = True
knot.dnssec(zones[-1]).single_type_signing = True
knot.gen_confile()
knot.reload()
t.sleep(2)
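Review bot: The test now enables `single_type_signing` on `zones[-1]`, but the checks that follow are outside the hunk, so it is not visible whether anything asserts the single-type outcome (one DNSKEY serving both roles, the zone validating) rather than only that the zone loads; if no such check exists, one should be added next to the existing per-zone verification. The comment `# enable automatic Single-Type signing scheme on the last zone` is good; a matching one on the `zones[:-1]` loop, `# manual key management for all other zones`, would keep the two cases symmetric.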
......
......@@ -37,6 +37,7 @@ class ZoneDnssec(object):
def __init__(self):
self.enable = None
self.manual = None
self.single_type_signing = None
self.alg = None
self.ksk_size = None
self.zsk_size = None
......@@ -1031,6 +1032,7 @@ class Knot(Server):
continue
s.id_item("id", z.name)
self._bool(s, "manual", z.dnssec.manual)
self._bool(s, "single-type-signing", z.dnssec.single_type_signing)
self._str(s, "algorithm", z.dnssec.alg)
self._str(s, "ksk_size", z.dnssec.ksk_size)
self._str(s, "zsk_size", z.dnssec.zsk_size)
......