Commit bf810100 authored by Libor Peltan's avatar Libor Peltan

ksk-rollover: renamed 'submittion' to either 'sbm' or 'submission'

parent ff78ede0
......@@ -363,7 +363,7 @@ desired (finite) lifetime for KSK: ::
ksk-size: 2048
zsk-size: 1024
ksk-lifetime: 365d
ksk-submittion-check: [cz_zone]
ksk-submission-check: [cz_zone]
zone:
- domain: myzone.test
......@@ -371,7 +371,7 @@ desired (finite) lifetime for KSK: ::
dnssec-policy: rsa
After the initially-generated KSK reaches its lifetime, new KSK is published and after
convenience delay the submittion is started. The server publishes CDS and CDNSKEY records
convenience delay the submission is started. The server publishes CDS and CDNSKEY records
and the user shall propagate them to the parent. The server periodically checks for
DS at the master and when positive, finishes the rollover.
......@@ -383,7 +383,7 @@ zones, but other timers (e.g. activate, retire) may get out of sync. ::
- id: sharedp
ksk-lifetime: 365d
ksk-shared: true
ksk-submittion-check: [cz_zone]
ksk-submission-check: [cz_zone]
zone:
- domain: firstzone.test
......
......@@ -522,8 +522,8 @@ policy:
nsec3\-iterations: INT
nsec3\-salt\-length: INT
nsec3\-salt\-lifetime: TIME
ksk\-submittion\-check: remote_id ...
ksk\-submittion\-check\-interval: TIME
ksk\-submission\-check: remote_id ...
ksk\-submission\-check\-interval: TIME
.ft P
.fi
.UNINDENT
......@@ -610,7 +610,7 @@ A period between KSK publication and the next rollover initiation.
.INDENT 0.0
.INDENT 3.5
KSK key lifetime is also infuenced by propagation\-delay, dnskey\-ttl,
and KSK submittion delay.
and KSK submission delay.
.sp
The default infinite value causes no KSK rollover as a result.
.UNINDENT
......@@ -659,20 +659,26 @@ name before hashing.
A validity period of newly issued salt field.
.sp
\fIDefault:\fP 30 days
.SS ksk\-submittion\-check
.SS ksk\-submission\-check
.sp
A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
presence of corresponding DS records in case of KSK submittion. All of them must
presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
.sp
\fIDefault:\fP not set
.SS ksk\-submittion\-check\-interval
.SS ksk\-submission\-check\-interval
.sp
Interval for periodic checks of DS resence on parent\(aqs DNS servers, in case of
KSK submittion.
KSK submission.
.sp
\fIDefault:\fP 1 hour
.SS ksk\-submission\-timeout
.sp
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
.sp
\fIDefault:\fP infinity
.SH REMOTE SECTION
.sp
Definitions of remote servers for outgoing connections (source of a zone
......
......@@ -582,8 +582,8 @@ DNSSEC policy configuration.
nsec3-iterations: INT
nsec3-salt-length: INT
nsec3-salt-lifetime: TIME
ksk-submittion-check: remote_id ...
ksk-submittion-check-interval: TIME
ksk-submission-check: remote_id ...
ksk-submission-check-interval: TIME
.. _policy_id:
......@@ -694,7 +694,7 @@ A period between KSK publication and the next rollover initiation.
.. NOTE::
KSK key lifetime is also infuenced by propagation-delay, dnskey-ttl,
and KSK submittion delay.
and KSK submission delay.
The default infinite value causes no KSK rollover as a result.
......@@ -766,34 +766,34 @@ A validity period of newly issued salt field.
*Default:* 30 days
.. _policy_ksk-submittion-check:
.. _policy_ksk-submission-check:
ksk-submittion-check
ksk-submission-check
--------------------
A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for
presence of corresponding DS records in case of KSK submittion. All of them must
presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
*Default:* not set
.. _policy_ksk-submittion-check-interval:
.. _policy_ksk-submission-check-interval:
ksk-submittion-check-interval
ksk-submission-check-interval
-----------------------------
Interval for periodic checks of DS resence on parent's DNS servers, in case of
KSK submittion.
KSK submission.
*Default:* 1 hour
.. _policy_ksk-submittion-check-max:
.. _policy_ksk-submission-timeout:
ksk-submittion-check-max
ksk-submission-timeout
------------------------
After this period, the KSK submittion is automatically considered successful, even
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
*Default:* infinity
......
......@@ -204,9 +204,9 @@ static const yp_item_t desc_policy[] = {
{ C_NSEC3_SALT_LEN, YP_TINT, YP_VINT = { 0, UINT8_MAX, 8 }, CONF_IO_FRLD_ZONES },
{ C_NSEC3_SALT_LIFETIME, YP_TINT, YP_VINT = { 1, UINT32_MAX, DAYS(30), YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_KSK_SUBMITTION_CHECK,YP_TREF, YP_VREF = { C_RMT }, YP_FMULTI | CONF_IO_FRLD_ZONES, { check_ref } },
{ C_KSK_SUBMITTION_CHECK_INTERVAL, YP_TINT, YP_VINT = { 1, UINT32_MAX, HOURS(1), YP_STIME }, CONF_IO_FRLD_ZONES },
{ C_KSK_SUBMITTION_CHECK_MAX, YP_TINT, YP_VINT = { 1, UINT32_MAX, UINT32_MAX, YP_STIME }, CONF_IO_FRLD_ZONES },
{ C_KSK_SBM_CHECK,YP_TREF, YP_VREF = { C_RMT }, YP_FMULTI | CONF_IO_FRLD_ZONES, { check_ref } },
{ C_KSK_SBM_CHECK_INTERVAL, YP_TINT, YP_VINT = { 1, UINT32_MAX, HOURS(1), YP_STIME }, CONF_IO_FRLD_ZONES },
{ C_KSK_SBM_TIMEOUT, YP_TINT, YP_VINT = { 1, UINT32_MAX, UINT32_MAX, YP_STIME }, CONF_IO_FRLD_ZONES },
{ C_COMMENT, YP_TSTR, YP_VNONE },
{ NULL }
};
......
......@@ -63,9 +63,9 @@
#define C_KSK_LIFETIME "\x0C""ksk-lifetime"
#define C_KSK_SHARED "\x0a""ksk-shared"
#define C_KSK_SIZE "\x08""ksk-size"
#define C_KSK_SUBMITTION_CHECK "\x14""ksk-submittion-check"
#define C_KSK_SUBMITTION_CHECK_INTERVAL "\x1D""ksk-submittion-check-interval"
#define C_KSK_SUBMITTION_CHECK_MAX "\x18""ksk-submittion-check-max"
#define C_KSK_SBM_CHECK "\x14""ksk-submission-check"
#define C_KSK_SBM_CHECK_INTERVAL "\x1D""ksk-submission-check-interval"
#define C_KSK_SBM_TIMEOUT "\x18""ksk-submission-timeout"
#define C_LISTEN "\x06""listen"
#define C_LOG "\x03""log"
#define C_MANUAL "\x06""manual"
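Review bot: The length prefix on the new `C_KSK_SBM_TIMEOUT` define is stale: `\x18` (24) is the length of the old `ksk-submittion-check-max`, but `ksk-submission-timeout` is only 22 characters, so the prefix should be `\x16`. If the schema lookup compares the full prefixed length, as this encoding suggests, the item name would cover the terminating NUL plus one byte beyond the literal, so a `ksk-submission-timeout:` line in a configuration would never match this item and the comparison would read past the string. The other two renamed names keep their old lengths (`submission` and `submittion` are both ten characters), so only this line needs changing: `#define C_KSK_SBM_TIMEOUT "\x16""ksk-submission-timeout"`. A unit test (or static check) that each `C_*` prefix byte equals the length of the name that follows would catch this class of rename mistake in future.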
......
......@@ -344,7 +344,7 @@ static int zone_sign(zone_t *zone, ctl_args_t *args)
return KNOT_EOK;
}
static int zone_ksk_submittion_confirm(zone_t *zone, ctl_args_t *args)
static int zone_ksk_sbm_confirm(zone_t *zone, ctl_args_t *args)
{
const char *data = args->data[KNOT_CTL_IDX_OWNER];
uint16_t keytag;
......@@ -359,7 +359,7 @@ static int zone_ksk_submittion_confirm(zone_t *zone, ctl_args_t *args)
return ret;
}
ret = knot_dnssec_ksk_submittion_confirm(&ctx, keytag);
ret = knot_dnssec_ksk_sbm_confirm(&ctx, keytag);
kdnssec_ctx_deinit(&ctx);
......@@ -1184,8 +1184,8 @@ static int ctl_zone(ctl_args_t *args, ctl_cmd_t cmd)
return zones_apply(args, zone_flush);
case CTL_ZONE_SIGN:
return zones_apply(args, zone_sign);
case CTL_ZONE_SUBMITTION_CONFIRM:
return zones_apply(args, zone_ksk_submittion_confirm);
case CTL_ZONE_SBM_CONFIRM:
return zones_apply(args, zone_ksk_sbm_confirm);
case CTL_ZONE_FREEZE:
return zones_apply(args, zone_freeze);
case CTL_ZONE_THAW:
......@@ -1614,7 +1614,7 @@ static const desc_t cmd_table[] = {
[CTL_ZONE_RETRANSFER] = { "zone-retransfer", ctl_zone },
[CTL_ZONE_FLUSH] = { "zone-flush", ctl_zone },
[CTL_ZONE_SIGN] = { "zone-sign", ctl_zone },
[CTL_ZONE_SUBMITTION_CONFIRM] = { "zone-submittion-confirm", ctl_zone },
[CTL_ZONE_SBM_CONFIRM] = { "zone-submission-confirm", ctl_zone },
[CTL_ZONE_FREEZE] = { "zone-freeze", ctl_zone },
[CTL_ZONE_THAW] = { "zone-thaw", ctl_zone },
......
......@@ -60,7 +60,7 @@ typedef enum {
CTL_ZONE_RETRANSFER,
CTL_ZONE_FLUSH,
CTL_ZONE_SIGN,
CTL_ZONE_SUBMITTION_CONFIRM,
CTL_ZONE_SBM_CONFIRM,
CTL_ZONE_FREEZE,
CTL_ZONE_THAW,
......
......@@ -82,11 +82,11 @@ static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
val = conf_id_get(conf(), C_POLICY, C_NSEC3_SALT_LIFETIME, id);
policy->nsec3_salt_lifetime = conf_int(&val);
val = conf_id_get(conf(), C_POLICY, C_KSK_SUBMITTION_CHECK_INTERVAL, id);
policy->ksk_submittion_check_interval = conf_int(&val);
val = conf_id_get(conf(), C_POLICY, C_KSK_SBM_CHECK_INTERVAL, id);
policy->ksk_sbm_check_interval = conf_int(&val);
val = conf_id_get(conf(), C_POLICY, C_KSK_SUBMITTION_CHECK_MAX, id);
policy->ksk_submittion_check_max = conf_int(&val);
val = conf_id_get(conf(), C_POLICY, C_KSK_SBM_TIMEOUT, id);
policy->ksk_sbm_timeout = conf_int(&val);
}
int kdnssec_ctx_init(conf_t *conf, kdnssec_ctx_t *ctx, const knot_dname_t *zone_name,
......
......@@ -84,6 +84,6 @@ typedef struct {
// data propagation delay
uint32_t propagation_delay;
// various
uint32_t ksk_submittion_check_max;
uint32_t ksk_submittion_check_interval;
uint32_t ksk_sbm_timeout;
uint32_t ksk_sbm_check_interval;
} knot_kasp_policy_t;
......@@ -214,12 +214,12 @@ static time_t ksk_ready_time(time_t publish_time, const kdnssec_ctx_t *ctx)
return publish_time + ctx->policy->propagation_delay + ctx->policy->dnskey_ttl;
}
static time_t ksk_submittion_max_time(time_t ready_time, const kdnssec_ctx_t *ctx)
static time_t ksk_sbm_max_time(time_t ready_time, const kdnssec_ctx_t *ctx)
{
if (ready_time <= 0 || ready_time >= TIME_INFINITY) {
return TIME_INFINITY;
}
return ready_time + ctx->policy->ksk_submittion_check_max;
return ready_time + ctx->policy->ksk_sbm_timeout;
}
static time_t ksk_remove_time(time_t retire_time, const kdnssec_ctx_t *ctx)
......@@ -262,7 +262,7 @@ static roll_action next_action(kdnssec_ctx_t *ctx)
restype = SUBMIT;
break;
case DNSSEC_KEY_STATE_READY:
keytime = ksk_submittion_max_time(key->timing.ready, ctx);
keytime = ksk_sbm_max_time(key->timing.ready, ctx);
restype = REPLACE;
break;
case DNSSEC_KEY_STATE_ACTIVE:
......@@ -319,9 +319,9 @@ static int submit_key(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey) {
static int exec_new_signatures(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey)
{
uint16_t kskflag = dnssec_key_get_flags(newkey->key);
time_t delay = (kskflag == DNSKEY_FLAGS_KSK ? ctx->policy->ksk_submittion_check_interval : 0);
time_t delay = (kskflag == DNSKEY_FLAGS_KSK ? ctx->policy->ksk_sbm_check_interval : 0);
// a delay to avoid left-behind of behind-a-loadbalancer parent NSs
// for now we use (incorrectly) ksk_submittion_check_interval, to avoid too many conf options
// for now we use (incorrectly) ksk_sbm_check_interval, to avoid too many conf options
for (size_t i = 0; i < ctx->zone->num_keys; i++) {
knot_kasp_key_t *key = &ctx->zone->keys[i];
......@@ -422,7 +422,7 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched
return (ret == KNOT_ESEMCHECK ? KNOT_EOK : ret);
}
int knot_dnssec_ksk_submittion_confirm(kdnssec_ctx_t *ctx, uint16_t for_key)
int knot_dnssec_ksk_sbm_confirm(kdnssec_ctx_t *ctx, uint16_t for_key)
{
for (size_t i = 0; i < ctx->zone->num_keys; i++) {
knot_kasp_key_t *key = &ctx->zone->keys[i];
......@@ -439,7 +439,7 @@ int knot_dnssec_ksk_submittion_confirm(kdnssec_ctx_t *ctx, uint16_t for_key)
return KNOT_ENOENT;
}
bool zone_has_key_submittion(const kdnssec_ctx_t *ctx)
bool zone_has_key_sbm(const kdnssec_ctx_t *ctx)
{
assert(ctx->zone);
......
......@@ -38,6 +38,6 @@
*/
int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *reschedule);
int knot_dnssec_ksk_submittion_confirm(kdnssec_ctx_t *ctx, uint16_t for_key);
int knot_dnssec_ksk_sbm_confirm(kdnssec_ctx_t *ctx, uint16_t for_key);
bool zone_has_key_submittion(const kdnssec_ctx_t *ctx);
bool zone_has_key_sbm(const kdnssec_ctx_t *ctx);
......@@ -41,7 +41,7 @@ void event_dnssec_reschedule(conf_t *conf, zone_t *zone,
log_dnssec_next(zone->name, refresh_at);
if (refresh->plan_ds_query) {
log_zone_notice(zone->name, "DNSSEC, published CDS, CDNSKEY for submittion");
log_zone_notice(zone->name, "DNSSEC, published CDS, CDNSKEY for submission");
}
zone_events_schedule_at(zone,
......
......@@ -87,7 +87,7 @@ static int ds_query_consume(knot_layer_t *layer, knot_pkt_t *pkt)
}
ns_log(LOG_INFO, data->zone->name, LOG_OPERATION_PARENT,
LOG_DIRECTION_OUT, data->remote, "KSK submittion attempt: %s",
LOG_DIRECTION_OUT, data->remote, "KSK submission attempt: %s",
(match ? "positive" : "negative"));
if (match) data->ds_ok = true;
......@@ -153,7 +153,7 @@ static bool parents_have_ds(zone_t *zone, conf_t *conf, zone_key_t *key) {
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone->name);
uint8_t *policy_name = (uint8_t *)conf_str(&policy);
size_t policy_name_len = strlen((const char *)policy_name) + 1;
conf_val_t parents = conf_rawid_get(conf, C_POLICY, C_KSK_SUBMITTION_CHECK,
conf_val_t parents = conf_rawid_get(conf, C_POLICY, C_KSK_SBM_CHECK,
policy_name, policy_name_len);
bool success = false;
while (parents.code == KNOT_EOK) {
......@@ -199,7 +199,7 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone)
if (dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_KSK &&
key->is_ready && !key->is_active) {
if (parents_have_ds(zone, conf, key)) {
ret = knot_dnssec_ksk_submittion_confirm(&ctx, dnssec_key_get_keytag(key->key)); // TODO get rid of keytag
ret = knot_dnssec_ksk_sbm_confirm(&ctx, dnssec_key_get_keytag(key->key)); // TODO get rid of keytag
} else {
ret = KNOT_ENOENT;
}
......@@ -207,7 +207,7 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone)
}
if (ret != KNOT_EOK) {
time_t next_check = time(NULL) + ctx.policy->ksk_submittion_check_interval;
time_t next_check = time(NULL) + ctx.policy->ksk_sbm_check_interval;
zone_events_schedule_at(zone, ZONE_EVENT_PARENT_DS_Q, next_check);
} else {
zone_events_schedule_now(zone, ZONE_EVENT_DNSSEC);
......
......@@ -46,7 +46,7 @@
#define CMD_ZONE_RETRANSFER "zone-retransfer"
#define CMD_ZONE_FLUSH "zone-flush"
#define CMD_ZONE_SIGN "zone-sign"
#define CMD_ZONE_SUBMITTION_CONFIRM "zone-submittion-confirm"
#define CMD_ZONE_SBM_CONFIRM "zone-submission-confirm"
#define CMD_ZONE_FREEZE "zone-freeze"
#define CMD_ZONE_THAW "zone-thaw"
......@@ -240,7 +240,7 @@ static void format_data(ctl_cmd_t cmd, knot_ctl_type_t data_type,
case CTL_ZONE_RETRANSFER:
case CTL_ZONE_FLUSH:
case CTL_ZONE_SIGN:
case CTL_ZONE_SUBMITTION_CONFIRM:
case CTL_ZONE_SBM_CONFIRM:
case CTL_ZONE_BEGIN:
case CTL_ZONE_COMMIT:
case CTL_ZONE_ABORT:
......@@ -360,7 +360,7 @@ static void format_block(ctl_cmd_t cmd, bool failed, bool empty)
case CTL_ZONE_RETRANSFER:
case CTL_ZONE_FLUSH:
case CTL_ZONE_SIGN:
case CTL_ZONE_SUBMITTION_CONFIRM:
case CTL_ZONE_SBM_CONFIRM:
case CTL_ZONE_FREEZE:
case CTL_ZONE_THAW:
case CTL_ZONE_BEGIN:
......@@ -826,7 +826,7 @@ static int set_node_items(cmd_args_t *args, knot_ctl_data_t *data, char *rdata,
case CTL_ZONE_READ:
case CTL_ZONE_GET: min_args = 1; max_args = 3; break;
case CTL_ZONE_STATUS: min_args = 1; max_args = 2; break;
case CTL_ZONE_SUBMITTION_CONFIRM: min_args = 2; max_args = 2; break;
case CTL_ZONE_SBM_CONFIRM: min_args = 2; max_args = 2; break;
case CTL_ZONE_DIFF: min_args = 1; max_args = 1; break;
case CTL_ZONE_SET: min_args = 3; max_args = -1; break;
case CTL_ZONE_UNSET: min_args = 2; max_args = -1; break;
......@@ -1062,7 +1062,7 @@ const cmd_desc_t cmd_table[] = {
{ CMD_ZONE_RETRANSFER, cmd_zone_ctl, CTL_ZONE_RETRANSFER, CMD_FOPT_ZONE },
{ CMD_ZONE_FLUSH, cmd_zone_filter_ctl, CTL_ZONE_FLUSH, CMD_FOPT_ZONE },
{ CMD_ZONE_SIGN, cmd_zone_ctl, CTL_ZONE_SIGN, CMD_FOPT_ZONE },
{ CMD_ZONE_SUBMITTION_CONFIRM, cmd_zone_node_ctl, CTL_ZONE_SUBMITTION_CONFIRM, CMD_FREQ_ZONE },
{ CMD_ZONE_SBM_CONFIRM, cmd_zone_node_ctl, CTL_ZONE_SBM_CONFIRM, CMD_FREQ_ZONE },
{ CMD_ZONE_FREEZE, cmd_zone_ctl, CTL_ZONE_FREEZE, CMD_FOPT_ZONE },
{ CMD_ZONE_THAW, cmd_zone_ctl, CTL_ZONE_THAW, CMD_FOPT_ZONE },
......
......@@ -61,8 +61,8 @@ child.dnssec(child_zone).manual = False
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
child.dnssec(child_zone).propagation_delay = 17
child.dnssec(child_zone).ksk_submittion_check = [ parent ]
child.dnssec(child_zone).ksk_submittion_check_interval = 2
child.dnssec(child_zone).ksk_sbm_check = [ parent ]
child.dnssec(child_zone).ksk_sbm_check_interval = 2
# install KASP db (one always enabled, one for testing)
shutil.copytree(os.path.join(t.data_dir, "keys"), child.keydir)
......
......@@ -53,8 +53,8 @@ class ZoneDnssec(object):
self.nsec3_iters = None
self.nsec3_salt_lifetime = None
self.nsec3_salt_len = None
self.ksk_submittion_check = []
self.ksk_submittion_check_interval = None
self.ksk_sbm_check = []
self.ksk_sbm_check_interval = None
class Zone(object):
'''DNS zone description'''
......@@ -1034,7 +1034,7 @@ class Knot(Server):
if slave.tsig:
s.item_str("key", slave.tsig.name)
servers.add(slave.name)
for parent in z.dnssec.ksk_submittion_check:
for parent in z.dnssec.ksk_sbm_check:
if parent.name not in servers:
if not have_remote:
s.begin("remote")
......@@ -1115,14 +1115,14 @@ class Knot(Server):
self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters)
self._str(s, "nsec3-salt-lifetime", z.dnssec.nsec3_salt_lifetime)
self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
if len(z.dnssec.ksk_submittion_check) > 0:
if len(z.dnssec.ksk_sbm_check) > 0:
parents = ""
for parent in z.dnssec.ksk_submittion_check:
for parent in z.dnssec.ksk_sbm_check:
if parents:
parents += ", "
parents += parent.name
s.item("ksk-submittion-check", "[%s]" % parents)
self._str(s, "ksk-submittion-check-interval", z.dnssec.ksk_submittion_check_interval)
s.item("ksk-submission-check", "[%s]" % parents)
self._str(s, "ksk-submission-check-interval", z.dnssec.ksk_sbm_check_interval)
if have_policy:
s.end()
......