Commit c99b99dd authored by Libor Peltan's avatar Libor Peltan

ksk-rollover: conf: separated section 'submission'

parent 03b2cee2
......@@ -357,13 +357,17 @@ desired (finite) lifetime for KSK: ::
- id: cz_zone
address: 192.168.12.1@53
submission:
- id: cz_zone_sbm
parent: [cz_zone]
policy:
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 1024
ksk-lifetime: 365d
ksk-submission-check: [cz_zone]
ksk-submission: cz_zone_sbm
zone:
- domain: myzone.test
......@@ -383,7 +387,7 @@ zones, but other timers (e.g. activate, retire) may get out of sync. ::
- id: sharedp
ksk-lifetime: 365d
ksk-shared: true
ksk-submission-check: [cz_zone]
ksk-submission: cz_zone_sbm
zone:
- domain: firstzone.test
......
......@@ -495,6 +495,44 @@ Example configuration string for PKCS #11:
.UNINDENT
.sp
\fIDefault:\fP \fI\%kasp\-db\fP/keys
.SH SUBMISSION SECTION
.sp
Parameters of KSK submission checks.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
submission:
\- id: STR
parent: remote_id ...
check\-interval: TIME
timeout: TIME
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A submission identifier.
.SS parent
.sp
A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
.SS check\-interval
.sp
Interval for periodic checks of DS resence on parent\(aqs DNS servers, in case of
KSK submission.
.sp
\fIDefault:\fP 1 hour
.SS timeout
.sp
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
.sp
\fIDefault:\fP infinity
.SH POLICY SECTION
.sp
DNSSEC policy configuration.
......@@ -522,9 +560,7 @@ policy:
nsec3\-iterations: INT
nsec3\-salt\-length: INT
nsec3\-salt\-lifetime: TIME
ksk\-submission\-check: remote_id ...
ksk\-submission\-check\-interval: TIME
ksk\-submission\-timeout: TIME
ksk\-submission: submission_id
.ft P
.fi
.UNINDENT
......@@ -660,26 +696,12 @@ name before hashing.
A validity period of newly issued salt field.
.sp
\fIDefault:\fP 30 days
.SS ksk\-submission\-check
.SS ksk\-submission
.sp
A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
A reference to \fI\%submission\fP section holding parameters of
KSK submittion checks.
.sp
\fIDefault:\fP not set
.SS ksk\-submission\-check\-interval
.sp
Interval for periodic checks of DS resence on parent\(aqs DNS servers, in case of
KSK submission.
.sp
\fIDefault:\fP 1 hour
.SS ksk\-submission\-timeout
.sp
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
.sp
\fIDefault:\fP infinity
.SH REMOTE SECTION
.sp
Definitions of remote servers for outgoing connections (source of a zone
......
......@@ -554,6 +554,58 @@ a configuration string for PKCS #11 storage.
*Default:* :ref:`kasp-db<zone_kasp-db>`/keys
.. _Submission section:
Submission section
==================
Parameters of KSK submission checks.
::
submission:
- id: STR
parent: remote_id ...
check-interval: TIME
timeout: TIME
.. _submission_id:
id
--
A submission identifier.
.. _submission_parent:
parent
------
A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for
presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
.. _submission_check-interval:
check-interval
--------------
Interval for periodic checks of DS resence on parent's DNS servers, in case of
KSK submission.
*Default:* 1 hour
.. _submission_timeout:
timeout
-------
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
*Default:* infinity
.. _Policy section:
Policy section
......@@ -582,9 +634,7 @@ DNSSEC policy configuration.
nsec3-iterations: INT
nsec3-salt-length: INT
nsec3-salt-lifetime: TIME
ksk-submission-check: remote_id ...
ksk-submission-check-interval: TIME
ksk-submission-timeout: TIME
ksk-submission: submission_id
.. _policy_id:
......@@ -769,36 +819,14 @@ A validity period of newly issued salt field.
.. _policy_ksk-submission-check:
ksk-submission-check
--------------------
ksk-submission
--------------
A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for
presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
A reference to :ref:`submission<submission_id>` section holding parameters of
KSK submittion checks.
*Default:* not set
.. _policy_ksk-submission-check-interval:
ksk-submission-check-interval
-----------------------------
Interval for periodic checks of DS resence on parent's DNS servers, in case of
KSK submission.
*Default:* 1 hour
.. _policy_ksk-submission-timeout:
ksk-submission-timeout
----------------------
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
*Default:* infinity
.. _Remote section:
Remote section
......
......@@ -204,9 +204,7 @@ static const yp_item_t desc_policy[] = {
{ C_NSEC3_SALT_LEN, YP_TINT, YP_VINT = { 0, UINT8_MAX, 8 }, CONF_IO_FRLD_ZONES },
{ C_NSEC3_SALT_LIFETIME, YP_TINT, YP_VINT = { 1, UINT32_MAX, DAYS(30), YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_KSK_SBM_CHECK,YP_TREF, YP_VREF = { C_RMT }, YP_FMULTI | CONF_IO_FRLD_ZONES, { check_ref } },
{ C_KSK_SBM_CHECK_INTERVAL, YP_TINT, YP_VINT = { 1, UINT32_MAX, HOURS(1), YP_STIME }, CONF_IO_FRLD_ZONES },
{ C_KSK_SBM_TIMEOUT, YP_TINT, YP_VINT = { 1, UINT32_MAX, UINT32_MAX, YP_STIME }, CONF_IO_FRLD_ZONES },
{ C_KSK_SBM, YP_TREF, YP_VREF = { C_SBM }, CONF_IO_FRLD_ZONES, { check_ref } },
{ C_COMMENT, YP_TSTR, YP_VNONE },
{ NULL }
};
......@@ -238,6 +236,14 @@ static const yp_item_t desc_remote[] = {
{ NULL }
};
static const yp_item_t desc_submission[] = {
{ C_ID, YP_TSTR, YP_VNONE, CONF_IO_FREF },
{ C_PARENT, YP_TREF, YP_VREF = { C_RMT }, YP_FMULTI | CONF_IO_FRLD_ZONES, { check_ref } },
{ C_CHK_INTERVAL, YP_TINT, YP_VINT = { 1, UINT32_MAX, HOURS(1), YP_STIME }, CONF_IO_FRLD_ZONES },
{ C_TIMEOUT, YP_TINT, YP_VINT = { 1, UINT32_MAX, UINT32_MAX, YP_STIME }, CONF_IO_FRLD_ZONES },
{ NULL }
};
#define ZONE_ITEMS(FLAGS) \
{ C_STORAGE, YP_TSTR, YP_VSTR = { STORAGE_DIR }, FLAGS }, \
{ C_FILE, YP_TSTR, YP_VNONE, FLAGS }, \
......@@ -299,6 +305,7 @@ const yp_item_t conf_scheme[] = {
{ C_KEY, YP_TGRP, YP_VGRP = { desc_key }, YP_FMULTI, { check_key } },
{ C_ACL, YP_TGRP, YP_VGRP = { desc_acl }, YP_FMULTI, { check_acl } },
{ C_RMT, YP_TGRP, YP_VGRP = { desc_remote }, YP_FMULTI, { check_remote } },
{ C_SBM, YP_TGRP, YP_VGRP = { desc_submission }, YP_FMULTI, { check_submission } },
{ C_POLICY, YP_TGRP, YP_VGRP = { desc_policy }, YP_FMULTI, { check_policy } },
{ C_TPL, YP_TGRP, YP_VGRP = { desc_template }, YP_FMULTI, { check_template } },
{ C_ZONE, YP_TGRP, YP_VGRP = { desc_zone }, YP_FMULTI | CONF_IO_FZONE, { check_zone } },
......
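Review bot: desc_submission is the only new section table here without a `C_COMMENT` entry, whereas desc_policy in the same file keeps `{ C_COMMENT, YP_TSTR, YP_VNONE },` as its last item before `{ NULL }`; if the other sections accept a `comment:` key, a `submission:` block carrying one will be rejected at config load. Suggest adding the same `{ C_COMMENT, YP_TSTR, YP_VNONE },` line before `{ NULL }` in desc_submission. Separately, `C_CHK_INTERVAL` keeps the old lower bound of `1` second, which lets a misconfigured zone query every parent server for DS once per second during a rollover; this is not new, but since the interval now lives in a shared section a higher floor or a documented warning would be cheap.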
......@@ -37,6 +37,7 @@
#define C_ASYNC_START "\x0B""async-start"
#define C_BACKEND "\x07""backend"
#define C_BG_WORKERS "\x12""background-workers"
#define C_CHK_INTERVAL "\x0E""check-interval"
#define C_COMMENT "\x07""comment"
#define C_CONFIG "\x06""config"
#define C_CTL "\x07""control"
......@@ -63,9 +64,7 @@
#define C_KSK_LIFETIME "\x0C""ksk-lifetime"
#define C_KSK_SHARED "\x0a""ksk-shared"
#define C_KSK_SIZE "\x08""ksk-size"
#define C_KSK_SBM_CHECK "\x14""ksk-submission-check"
#define C_KSK_SBM_CHECK_INTERVAL "\x1D""ksk-submission-check-interval"
#define C_KSK_SBM_TIMEOUT "\x18""ksk-submission-timeout"
#define C_KSK_SBM "\x0E""ksk-submission"
#define C_LISTEN "\x06""listen"
#define C_LOG "\x03""log"
#define C_MANUAL "\x06""manual"
......@@ -86,6 +85,7 @@
#define C_NSEC3_SALT_LEN "\x11""nsec3-salt-length"
#define C_NSEC3_SALT_LIFETIME "\x13""nsec3-salt-lifetime"
#define C_NSID "\x04""nsid"
#define C_PARENT "\x06""parent"
#define C_PIDFILE "\x07""pidfile"
#define C_POLICY "\x06""policy"
#define C_PROPAG_DELAY "\x11""propagation-delay"
......@@ -98,6 +98,7 @@
#define C_RRSIG_LIFETIME "\x0E""rrsig-lifetime"
#define C_RRSIG_REFRESH "\x0D""rrsig-refresh"
#define C_RUNDIR "\x06""rundir"
#define C_SBM "\x0A""submission"
#define C_SECRET "\x06""secret"
#define C_SEM_CHECKS "\x0F""semantic-checks"
#define C_SERIAL_POLICY "\x0D""serial-policy"
......
......@@ -322,6 +322,8 @@ int check_policy(
C_RRSIG_LIFETIME, args->id, args->id_len);
conf_val_t refresh = conf_rawid_get_txn(args->extra->conf, args->extra->txn, C_POLICY,
C_RRSIG_REFRESH, args->id, args->id_len);
conf_val_t ksk_sbm = conf_rawid_get_txn(args->extra->conf, args->extra->txn, C_POLICY,
C_KSK_SBM, args->id, args->id_len);
int64_t ksk_size = conf_int(&ksk);
if (ksk_size != YP_NIL && !dnssec_algorithm_key_size_check(conf_opt(&alg), ksk_size)) {
......@@ -342,6 +344,11 @@ int check_policy(
return KNOT_EINVAL;
}
if (conf_val_count(&ksk_sbm) > 1) {
args->err_str = "policy can have just one KSK submittion assigned";
return KNOT_EINVAL;
}
return KNOT_EOK;
}
......@@ -393,6 +400,19 @@ int check_remote(
return KNOT_EOK;
}
int check_submission(
knotd_conf_check_args_t *args)
{
conf_val_t parent = conf_rawid_get_txn(args->extra->conf, args->extra->txn, C_SBM,
C_PARENT, args->id, args->id_len);
if (conf_val_count(&parent) < 1) {
args->err_str = "no parent specified";
return KNOT_EINVAL;
}
return KNOT_EOK;
}
int check_template(
knotd_conf_check_args_t *args)
{
......
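Review bot: check_submission rejects a `submission` block with an empty `parent` list (`args->err_str = "no parent specified";`), but the documentation added by this same commit still says for `parent` that "If none specified, the rollover must be pushed forward manually" and for `timeout` that the submission succeeds "even if ... no parents are configured"; the code and the docs cannot both be right. If a mandatory parent is intended, those two sentences should be dropped from the reference and man page; otherwise the `conf_val_count(&parent) < 1` check should go. The user-facing error string in check_policy also misspells the keyword: `args->err_str = "policy can have just one KSK submission assigned";`. check_policy starts outside the hunk.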
......@@ -99,6 +99,10 @@ int check_remote(
knotd_conf_check_args_t *args
);
int check_submission(
knotd_conf_check_args_t *args
);
int check_template(
knotd_conf_check_args_t *args
);
......
......@@ -82,11 +82,18 @@ static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
val = conf_id_get(conf(), C_POLICY, C_NSEC3_SALT_LIFETIME, id);
policy->nsec3_salt_lifetime = conf_int(&val);
val = conf_id_get(conf(), C_POLICY, C_KSK_SBM_CHECK_INTERVAL, id);
policy->ksk_sbm_check_interval = conf_int(&val);
val = conf_id_get(conf(), C_POLICY, C_KSK_SBM_TIMEOUT, id);
policy->ksk_sbm_timeout = conf_int(&val);
conf_val_t ksk_sbm = conf_id_get(conf(), C_POLICY, C_KSK_SBM, id);
assert(conf_val_count(&ksk_sbm) < 2);
if (conf_val_count(&ksk_sbm) > 0) {
val = conf_id_get(conf(), C_SBM, C_CHK_INTERVAL, &ksk_sbm);
policy->ksk_sbm_check_interval = conf_int(&val);
val = conf_id_get(conf(), C_SBM, C_TIMEOUT, &ksk_sbm);
policy->ksk_sbm_timeout = conf_int(&val);
} else {
policy->ksk_sbm_check_interval = 0xfffffff0;
policy->ksk_sbm_timeout = 0xfffffff0; // uint32 "infinity"
}
}
int kdnssec_ctx_init(conf_t *conf, kdnssec_ctx_t *ctx, const knot_dname_t *zone_name,
......
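Review bot: the fallback branch of policy_load writes the bare magic `0xfffffff0` into both `ksk_sbm_check_interval` and `ksk_sbm_timeout`, while the schema default for `timeout` in the same commit is `UINT32_MAX`, so "infinity" now has two different encodings and any `>=`/`==` test against one of them elsewhere will silently miss the other. Suggest a single named constant, e.g. `#define KSK_SBM_INFINITY 0xfffffff0U` at file scope used in both assignments, with a comment stating why it is not `UINT32_MAX` (presumably headroom when the value is added to a timestamp — worth confirming). The `assert(conf_val_count(&ksk_sbm) < 2)` compiles out under NDEBUG, so the single-reference invariant rests on check_policy having run; a comment `/* enforced by check_policy() */` would make that dependency visible. policy_load begins outside the hunk.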
......@@ -153,10 +153,13 @@ static int try_ds(conf_t *conf, zone_t *zone, const conf_remote_t *parent, zone_
static bool parents_have_ds(zone_t *zone, conf_t *conf, zone_key_t *key) {
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone->name);
uint8_t *policy_name = (uint8_t *)conf_str(&policy);
size_t policy_name_len = strlen((const char *)policy_name) + 1;
conf_val_t parents = conf_rawid_get(conf, C_POLICY, C_KSK_SBM_CHECK,
policy_name, policy_name_len);
conf_val_t ksk_sbm = conf_id_get(conf, C_POLICY, C_KSK_SBM, &policy);
assert(conf_val_count(&ksk_sbm) < 2);
if (conf_val_count(&ksk_sbm) < 1) {
return false;
}
conf_val_t parents = conf_id_get(conf, C_SBM, C_PARENT, &ksk_sbm);
bool success = false;
while (parents.code == KNOT_EOK) {
success = false;
......
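Review bot: the early `return false;` when the policy has no `ksk-submission` reference is the fail-closed choice (the DS check never reports success, so the KSK rollover cannot advance on its own), but nothing in the code says this is deliberate rather than an error path; suggest the comment `/* no submission section: never report DS present, rollover must be pushed manually */` above the `if`. The `assert(conf_val_count(&ksk_sbm) < 2)` duplicates the one in policy_load and likewise relies on check_policy having enforced the single-reference rule. parents_have_ds continues past the hunk, so the caller's handling of `false` is not visible here.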
......@@ -1091,11 +1091,33 @@ class Knot(Server):
for module in z.modules:
module.get_conf(s)
have_sbm = False
for zone in sorted(self.zones):
z = self.zones[zone]
if not z.dnssec.enable:
continue
if len(z.dnssec.ksk_sbm_check) < 1:
continue
if not have_sbm:
s.begin("submission")
have_sbm = True
s.id_item("id", z.name)
parents = ""
for parent in z.dnssec.ksk_sbm_check:
if parents:
parents += ", "
parents += parent.name
s.item("parent", "[%s]" % parents)
self._str(s, "check-interval", z.dnssec.ksk_sbm_check_interval)
if have_sbm:
s.end()
have_policy = False
for zone in sorted(self.zones):
z = self.zones[zone]
if not z.dnssec.enable:
continue
if not have_policy:
s.begin("policy")
have_policy = True
......@@ -1116,13 +1138,7 @@ class Knot(Server):
self._str(s, "nsec3-salt-lifetime", z.dnssec.nsec3_salt_lifetime)
self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
if len(z.dnssec.ksk_sbm_check) > 0:
parents = ""
for parent in z.dnssec.ksk_sbm_check:
if parents:
parents += ", "
parents += parent.name
s.item("ksk-submission-check", "[%s]" % parents)
self._str(s, "ksk-submission-check-interval", z.dnssec.ksk_sbm_check_interval)
s.item("ksk-submission", z.name)
if have_policy:
s.end()
......
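Review bot: the five-line manual concatenation from `parents = ""` through `s.item("parent", "[%s]" % parents)` in the new submission block is the same pattern the commit removes from the policy block; a join is shorter and has no separator bookkeeping: `s.item("parent", "[%s]" % ", ".join(p.name for p in z.dnssec.ksk_sbm_check))`. The block emits `check-interval` but never `timeout`, so the auto-success-after-timeout path cannot be exercised from these test helpers; fine if no test needs it, but worth a follow-up given that path is what lets a rollover proceed without a confirmed DS. The enclosing method starts outside the hunk.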