Commit cc7c66c8 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec (also offline ksk): explicit (overriding) zone-max-ttl setting in policy

parent 1af625c2
......@@ -608,6 +608,7 @@ policy:
zsk\-size: SIZE
ksk\-shared: BOOL
dnskey\-ttl: TIME
zone\-max\-ttl: TIME
zsk\-lifetime: TIME
ksk\-lifetime: TIME
propagation\-delay: TIME
......@@ -704,6 +705,19 @@ A TTL value for DNSKEY records added into zone apex.
Has infuence over ZSK key lifetime.
.UNINDENT
.UNINDENT
.SS zone\-max\-ttl
.sp
Maximal TTL value among all the records in zone.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
It\(aqs generally recommended to override the maximal TTL computation by setting this
explicitly whenever possible. It\(aqs required for DNSSEC Offline KSK\&.
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP computed after zone is loaded
.SS zsk\-lifetime
.sp
A period between ZSK publication and the next rollover initiation.
......
......@@ -652,6 +652,7 @@ For the ZSK side (i.e. the operator of the DNS server), the pre-requisites are:
- properly configured :ref:`DNSSEC policy <Policy section>` (e.g. :ref:`zsk-lifetime <policy_zsk-lifetime>`),
- :ref:`manual <policy_manual>` set to `on`
- :ref:`offline-ksk <policy_offline-ksk>` set to `on`
- :ref:`dnskey-ttl <policy_dnskey-ttl>` and :ref:`zone-max-ttl <policy_zone-max-ttl>` set up explicitly
- a complete KASP DB with just ZSK(s)
For the KSK side (i.e. the operator of the KSK signer), the pre-requisites are:
......
......@@ -672,6 +672,7 @@ DNSSEC policy configuration.
zsk-size: SIZE
ksk-shared: BOOL
dnskey-ttl: TIME
zone-max-ttl: TIME
zsk-lifetime: TIME
ksk-lifetime: TIME
propagation-delay: TIME
......@@ -773,6 +774,8 @@ If enabled, all zones with this policy assigned will share one KSK.
*Default:* off
.. _policy_dnskey-ttl:
dnskey-ttl
----------
......@@ -783,6 +786,19 @@ A TTL value for DNSKEY records added into zone apex.
.. NOTE::
Has infuence over ZSK key lifetime.
.. _policy_zone-max-ttl:
zone-max-ttl
------------
Maximal TTL value among all the records in zone.
.. NOTE::
It's generally recommended to override the maximal TTL computation by setting this
explicitly whenever possible. It's required for :ref:`DNSSEC Offline KSK`.
*Default:* computed after zone is loaded
.. _policy_zsk-lifetime:
zsk-lifetime
......
......@@ -249,6 +249,8 @@ static const yp_item_t desc_policy[] = {
CONF_IO_FRLD_ZONES },
{ C_DNSKEY_TTL, YP_TINT, YP_VINT = { 0, UINT32_MAX, YP_NIL, YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_ZONE_MAX_TLL, YP_TINT, YP_VINT = { 0, UINT32_MAX, YP_NIL, YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_ZSK_LIFETIME, YP_TINT, YP_VINT = { 0, UINT32_MAX, DAYS(30), YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_KSK_LIFETIME, YP_TINT, YP_VINT = { 0, UINT32_MAX, 0, YP_STIME },
......
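Review bot: The schema range for the new option, `YP_VINT = { 0, UINT32_MAX, YP_NIL, YP_STIME }`, admits UINT32_MAX as a legal configured value, yet the loader (in the policy-loading hunk further down) assigns that same value as its "not configured" sentinel, so an operator who explicitly sets `zone-max-ttl: 4294967295` is silently treated as having set nothing and the value is later overwritten from the loaded zone. Tightening the bound to `YP_VINT = { 0, UINT32_MAX - 1, YP_NIL, YP_STIME }` keeps the sentinel out of the configurable range; the same overlap already exists for dnskey-ttl on the line above, so consider fixing both together. The lower bound of 0 is also accepted; if this field drives how long retired signatures are assumed to sit in caches, a configured 0 would remove that wait entirely, which is worth either rejecting or documenting. The `desc_policy` table continues outside the hunk.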
......@@ -116,6 +116,7 @@
#define C_ZONE "\x04""zone"
#define C_ZONEFILE_LOAD "\x0D""zonefile-load"
#define C_ZONEFILE_SYNC "\x0D""zonefile-sync"
#define C_ZONE_MAX_TLL "\x0C""zone-max-ttl"
#define C_ZSK_LIFETIME "\x0C""zsk-lifetime"
#define C_ZSK_SIZE "\x08""zsk-size"
......
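Review bot: The new macro is named `C_ZONE_MAX_TLL` while its string value is `"zone-max-ttl"`; the identifier transposes TTL into TLL, and the misspelling is then carried into every use of it in this commit. Renaming it to `#define C_ZONE_MAX_TTL "\x0C""zone-max-ttl"` (and updating the three uses) before it spreads further avoids a permanently confusing symbol next to `C_DNSKEY_TTL`. The length prefix `\x0C` matches the twelve characters of "zone-max-ttl", so only the name needs to change.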
......@@ -58,6 +58,10 @@ static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
int64_t ttl = conf_int(&val);
policy->dnskey_ttl = (ttl != YP_NIL) ? ttl : UINT32_MAX;
val = conf_id_get(conf(), C_POLICY, C_ZONE_MAX_TLL, id);
ttl = conf_int(&val);
policy->zone_maximal_ttl = (ttl != YP_NIL) ? ttl : UINT32_MAX;
val = conf_id_get(conf(), C_POLICY, C_ZSK_LIFETIME, id);
policy->zsk_lifetime = conf_int(&val);
......
......@@ -107,8 +107,6 @@ typedef struct {
uint32_t nsec3_salt_lifetime;
uint16_t nsec3_iterations;
uint8_t nsec3_salt_length;
// SOA
uint32_t soa_minimal_ttl;
// zone
uint32_t zone_maximal_ttl;
// data propagation delay
......
......@@ -19,12 +19,6 @@
#include "knot/dnssec/policy.h"
#include "libknot/rrtype/soa.h"
static uint32_t zone_soa_min_ttl(const zone_contents_t *zone)
{
knot_rrset_t soa = node_rrset(zone->apex, KNOT_RRTYPE_SOA);
return knot_soa_minimum(soa.rrs.rdata);
}
static uint32_t zone_soa_ttl(const zone_contents_t *zone)
{
knot_rrset_t soa = node_rrset(zone->apex, KNOT_RRTYPE_SOA);
......@@ -37,11 +31,11 @@ void update_policy_from_zone(knot_kasp_policy_t *policy,
assert(policy);
assert(zone);
// Use SOA TTL if not configured.
if (policy->dnskey_ttl == UINT32_MAX) {
policy->dnskey_ttl = zone_soa_ttl(zone);
}
policy->soa_minimal_ttl = zone_soa_min_ttl(zone);
policy->zone_maximal_ttl = zone->max_ttl;
if (policy->zone_maximal_ttl == UINT32_MAX) {
policy->zone_maximal_ttl = zone->max_ttl;
}
}
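Review bot: With the new guard, an explicitly configured `zone_maximal_ttl` replaces the computed `zone->max_ttl` without any comparison against it, so a configured value that is lower than the real maximum TTL in the zone is accepted silently. If this field is what the rollover timing uses to decide when old RRSIGs have left resolver caches (the documentation's "override the maximal TTL computation" suggests so, but it is not visible here), an undersized override would let keys be retired while cached signatures still need them, and the operator gets no hint. I would keep the override but add an `else if (zone->max_ttl > policy->zone_maximal_ttl) { /* zone-level warning: configured zone-max-ttl is below the largest TTL found in the zone */ }` branch using whatever zone-scoped log call this file has access to, so the mismatch is at least reported on every load. The function `update_policy_from_zone` begins before this hunk.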
......@@ -93,6 +93,12 @@ int keymgr_pregenerate_zsks(kdnssec_ctx_t *ctx, char *arg)
ctx->keep_deleted_keys = true;
ctx->policy->manual = false;
if (ctx->policy->dnskey_ttl == UINT32_MAX ||
ctx->policy->zone_maximal_ttl == UINT32_MAX) {
printf("Error: dnskey-ttl and zone-max-ttl not configured.\n");
return KNOT_ESEMCHECK;
}
while (ret == KNOT_EOK && knot_time_cmp(next, upto) <= 0) {
ctx->now = next;
ret = pregenerate_once(ctx, &next);
......
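Review bot: The new precondition check reports `"Error: dnskey-ttl and zone-max-ttl not configured.\n"` whenever either value is the UINT32_MAX sentinel, so an operator who has set exactly one of them is told both are missing; printing which option is actually absent, e.g. `printf("Error: %s must be set explicitly in the policy for offline KSK.\n", ctx->policy->dnskey_ttl == UINT32_MAX ? "dnskey-ttl" : "zone-max-ttl");`, makes the failure actionable. The check also runs after `ctx->keep_deleted_keys` and `ctx->policy->manual` have already been modified on the lines just above; moving it ahead of those assignments keeps a rejected call from leaving the context altered. The enclosing `keymgr_pregenerate_zsks` starts and ends outside this hunk, and whether keymgr routes errors through stdout or stderr is not visible here.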
......@@ -91,6 +91,7 @@ knot.dnssec(zone).enable = True
knot.dnssec(zone).manual = True
knot.dnssec(zone).alg = "ECDSAP384SHA384"
knot.dnssec(zone).dnskey_ttl = 2
knot.dnssec(zone).zone_max_ttl = 3
knot.dnssec(zone).zsk_lifetime = STARTUP + 6*TICK # see ksk1 lifetime
knot.dnssec(zone).ksk_lifetime = 300 # this can be possibly left also infinity
knot.dnssec(zone).propagation_delay = TICK-2
......
......@@ -44,6 +44,7 @@ class ZoneDnssec(object):
self.ksk_size = None
self.zsk_size = None
self.dnskey_ttl = None
self.zone_max_ttl = None
self.ksk_lifetime = None
self.zsk_lifetime = None
self.propagation_delay = None
......@@ -1186,6 +1187,7 @@ class Knot(Server):
self._str(s, "ksk_size", z.dnssec.ksk_size)
self._str(s, "zsk_size", z.dnssec.zsk_size)
self._str(s, "dnskey-ttl", z.dnssec.dnskey_ttl)
self._str(s, "zone-max-ttl", z.dnssec.zone_max_ttl)
self._str(s, "ksk-lifetime", z.dnssec.ksk_lifetime)
self._str(s, "zsk-lifetime", z.dnssec.zsk_lifetime)
self._str(s, "propagation-delay", z.dnssec.propagation_delay)
......