Updated data models and example data

parent 2f097ec5
module dns-zones {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/dns-zones";
prefix "dnsz";
......@@ -33,7 +35,7 @@ module dns-zones {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
revision 2015-08-11 {
revision 2016-08-04 {
description
"Initial revision.";
}
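Review bot: The revision statement is rewritten in place — the date moves from 2015-08-11 to 2016-08-04 while the description still reads "Initial revision." — so the module's history has a single entry that says nothing about the `must`→`when` migration or the `zones`→`zone-data` rename this commit makes. The usual practice is to prepend a new block, `revision 2016-08-04 { description "Replaced must constraints by when expressions; renamed zones to zone-data."; }`, and keep the 2015-08-11 entry so any importer pinning that `revision-date` still resolves. The dnssec-signing revision hunk further down (2016-01-14 → 2016-03-03, still "Initial revision." with `reference "TODO: put git tag here"`) has the same problem.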
......@@ -256,9 +258,9 @@ module dns-zones {
/* Configuration data */
container zones {
container zone-data {
description
"Container for DNS zones.";
"Container for DNS zone data.";
list zone {
key "name class";
description
......@@ -368,7 +370,7 @@ module dns-zones {
description
"Each (shorthand) case of this choice defines the
content of a single RR type wrapped in a container
whose name is the RR type (in lowercase).
whose name is the RR type.
The SOA RR for the zone and RRSIG for the RRSet are
specified separately.
......@@ -377,7 +379,7 @@ module dns-zones {
the 'rdata-content' choice.";
/* RFC 1035 */
container A {
must "../../type = 'ianadns:A'";
when "derived-from-or-self(../../type, 'ianadns:A')";
description
"RDATA content for 'A' Resource Record.";
reference
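Review bot: The new `when` expressions are wrapped three different ways across the rdata containers: on one line as here (also MB, MD, MF, MG, MR, MX, NS, DS), with the string pushed to the next line (CNAME, HINFO, MINFO, NULL, PTR, TXT, WKS, AAAA, NSEC, NSEC3, TLSA, DNAME, SSHFP), and split by `+` concatenation (DNSKEY, NSEC3PARAM, IPSECKEY). All three are valid YANG, but a single form — e.g. always `when` on its own line followed by `"derived-from-or-self(../../type, 'ianadns:A')";` — would keep these ~25 near-identical hunks grep-able and make a later bulk change (another function, another prefix) a mechanical edit. This applies to every `must`→`when` hunk in this file.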
......@@ -391,7 +393,8 @@ module dns-zones {
}
}
container CNAME {
must "../../type = 'ianadns:CNAME'";
when
"derived-from-or-self(../../type, 'ianadns:CNAME')";
description
"RDATA content for 'CNAME' Resource Record.";
reference
......@@ -405,7 +408,8 @@ module dns-zones {
}
}
container HINFO {
must "../../type = 'ianadns:HINFO'";
when
"derived-from-or-self(../../type, 'ianadns:HINFO')";
description
"RDATA content for 'HINFO' Resource Record.";
reference
......@@ -425,7 +429,7 @@ module dns-zones {
}
}
container MB {
must "../../type = 'ianadns:MB'";
when "derived-from-or-self(../../type, 'ianadns:MB')";
description
"RDATA content for 'MB' Resource Record.";
reference
......@@ -439,7 +443,7 @@ module dns-zones {
}
}
container MD {
must "../../type = 'ianadns:MD'";
when "derived-from-or-self(../../type, 'ianadns:MD')";
status "obsolete";
description
"RDATA content for 'MD' Resource Record (obsolete,
......@@ -456,7 +460,7 @@ module dns-zones {
}
}
container MF {
must "../../type = 'ianadns:MF'";
when "derived-from-or-self(../../type, 'ianadns:MF')";
status "obsolete";
description
"RDATA content for 'MF' Resource Record (obsolete,
......@@ -473,7 +477,7 @@ module dns-zones {
}
}
container MG {
must "../../type = 'ianadns:MG'";
when "derived-from-or-self(../../type, 'ianadns:MG')";
description
"RDATA content for 'MG' Resource Record.";
reference
......@@ -488,7 +492,8 @@ module dns-zones {
}
}
container MINFO {
must "../../type = 'ianadns:MINFO'";
when
"derived-from-or-self(../../type, 'ianadns:MINFO')";
description
"RDATA content for 'MINFO' Resource Record.";
reference
......@@ -511,7 +516,7 @@ module dns-zones {
}
}
container MR {
must "../../type = 'ianadns:MR'";
when "derived-from-or-self(../../type, 'ianadns:MR')";
description
"RDATA content for 'MR' Resource Record.";
reference
......@@ -526,7 +531,7 @@ module dns-zones {
}
}
container MX {
must "../../type = 'ianadns:MX'";
when "derived-from-or-self(../../type, 'ianadns:MX')";
description
"RDATA content for 'MX' Resource Record.";
reference
......@@ -548,7 +553,7 @@ module dns-zones {
}
}
container NS {
must "../../type = 'ianadns:NS'";
when "derived-from-or-self(../../type, 'ianadns:NS')";
description
"RDATA content for 'NS' Resource Record.";
reference
......@@ -563,7 +568,8 @@ module dns-zones {
}
}
container NULL {
must "../../type = 'ianadns:NULL'";
when
"derived-from-or-self(../../type, 'ianadns:NULL')";
description
"RDATA content for 'NULL' Resource Record.";
reference
......@@ -579,7 +585,8 @@ module dns-zones {
}
}
container PTR {
must "../../type = 'ianadns:PTR'";
when
"derived-from-or-self(../../type, 'ianadns:PTR')";
description
"RDATA content for 'PTR' Resource Record.";
reference
......@@ -594,7 +601,8 @@ module dns-zones {
}
}
container TXT {
must "../../type = 'ianadns:TXT'";
when
"derived-from-or-self(../../type, 'ianadns:TXT')";
description
"RDATA content for 'TXT' Resource Record.";
reference
......@@ -609,7 +617,8 @@ module dns-zones {
}
}
container WKS {
must "../../type = 'ianadns:WKS'";
when
"derived-from-or-self(../../type, 'ianadns:WKS')";
description
"RDATA content for 'WKS' Resource Record.";
reference
......@@ -637,7 +646,8 @@ module dns-zones {
}
/* RFC 3596 */
container AAAA {
must "../../type = 'ianadns:AAAA'";
when
"derived-from-or-self(../../type, 'ianadns:AAAA')";
description
"RDATA content for 'AAAA' Resource Record.";
reference
......@@ -651,7 +661,8 @@ module dns-zones {
}
/* RFC 4034 */
container DNSKEY {
must "../../type = 'ianadns:DNSKEY'";
when "derived-from-or-self(../../type, "
+ "'ianadns:DNSKEY')";
description
"RDATA content for 'DNSKEY' Resource Record.";
reference
......@@ -704,7 +715,8 @@ module dns-zones {
}
}
container NSEC {
must "../../type = 'ianadns:NSEC'";
when
"derived-from-or-self(../../type, 'ianadns:NSEC')";
description
"RDATA content for 'NSEC' Resource Record.";
reference
......@@ -722,7 +734,7 @@ module dns-zones {
uses rrset-types;
}
container DS {
must "../../type = 'ianadns:DS'";
when "derived-from-or-self(../../type, 'ianadns:DS')";
description
"RDATA content for 'DS' Resource Record.";
reference
......@@ -755,7 +767,8 @@ module dns-zones {
}
/* RFC 5155 */
container NSEC3 {
must "../../type = 'ianadns:NSEC3'";
when
"derived-from-or-self(../../type, 'ianadns:NSEC3')";
description
"RDATA content for 'NSEC3' Resource Record.";
reference
......@@ -781,7 +794,8 @@ module dns-zones {
uses rrset-types;
}
container NSEC3PARAM {
must "../../type = 'ianadns:NSEC3PARAM'";
when "derived-from-or-self(../../type, "
+ "'ianadns:NSEC3PARAM')";
description
"RDATA content for 'NSEC3PARAM' Resource Record.";
reference
......@@ -791,7 +805,8 @@ module dns-zones {
}
/* RFC 6698 */
container TLSA {
must "../../type = 'ianadns:TLSA'";
when
"derived-from-or-self(../../type, 'ianadns:TLSA')";
description
"RDATA content for 'TLSA' Resource Record.";
reference
......@@ -842,7 +857,8 @@ module dns-zones {
}
/* RFC 4025 */
container IPSECKEY {
must "../../type = 'ianadns:IPSECKEY'";
when "derived-from-or-self(../../type, "
+ "'ianadns:IPSECKEY')";
description
"RDATA content for 'IPSECKEY' Resource Record.";
reference
......@@ -906,7 +922,8 @@ module dns-zones {
}
/* RFC 2672 */
container DNAME {
must "../../type = 'ianadns:DNAME'";
when
"derived-from-or-self(../../type, 'ianadns:DNAME')";
description
"RDATA content for 'DNAME' Resource Record.";
reference
......@@ -921,7 +938,8 @@ module dns-zones {
}
/* RFC 4255 */
container SSHFP {
must "../../type = 'ianadns:SSHFP'";
when
"derived-from-or-self(../../type, 'ianadns:SSHFP')";
description
"RDATA content for 'SSHFP' Resource Record.";
reference
module dnssec-signing {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/dnssec-signing";
prefix "dnssec";
import ietf-yang-types {
prefix "yang";
}
import dns-server {
prefix "dnss";
}
import dnssec-algorithms {
prefix "dsalg";
}
organization
"CZ.NIC, z. s. p. o.";
contact
"Editor:   Ladislav Lhotka
          <mailto:lhotka@nic.cz>";
description
"This YANG module defines configuration data and RPC operations
for automatic DNSSEC signatures.";
revision 2016-01-14 {
description
"Initial revision.";
reference
"TODO: put git tag here";
}
/* Typedefs */
typedef lifetime {
type uint32;
units "seconds";
description
"This type is used for the lifetime values of keys and
signatures.";
}
typedef key-id {
type string {
length "40";
}
description
"This type is used for identifiers of DNSSEC keys.";
}
/* Groupings */
grouping zone-options {
description
"Zone options that configure DNSSEC signing.";
container dnssec-signing {
presence "automatic DNSSEC signing";
description
"Configuration of automatic DNSSEC signing.";
leaf enabled {
type boolean;
default "true";
description
"This flag allows to disable automatic DNSSEC signing while
keeping its configuration in place.";
}
leaf policy {
type leafref {
path "/dnss:dns-server/dnssec:sign-policy/dnssec:name";
}
description
"Reference to a signing policy.
If this leaf is present, ZSKs are generated automatically
according to the signing policy.";
}
}
}
grouping key-parameters {
description
"Common parameters of DNSSEC keys.";
leaf algorithm {
type dsalg:dnssec-algorithm;
mandatory "true";
description
"Encryption algorithm for which the key works.";
}
leaf length {
type uint16;
units "bits";
mandatory "true";
description
"Length of the key.";
}
leaf publish {
type yang:date-and-time;
description
"The time of key publication (the key appears as a DNSKEY
resource record in the zone).
Absence of this leaf means the key is published immediately
after the key is created.";
}
leaf activate {
type yang:date-and-time;
description
"Start of the time interval in which the key is used for
signing.
Absence of this leaf means the key is used for signing since
the time of publishing.";
}
leaf retire {
type yang:date-and-time;
description
"End of the time interval in which the key is used for
signing.
Absence of this leaf means the key is never retired.";
}
leaf remove {
type yang:date-and-time;
description
"The time of DNSKEY RR removal.
Absence of this leaf means the key is never removed.";
}
}
/* State data */
augment "/dnss:dns-server-state/dnss:zone" {
description
"State data for zone DNSSEC signing.";
container dnssec-signing {
description
"State data related to automatic DNSSEC signing.";
leaf enabled {
type boolean;
description
"Is DNSSEC signing is enabled for the ancestor zone?";
}
list key {
key "key-id";
description
"Parameters of a DNSSEC key.";
leaf key-id {
type key-id;
description
"Key identifier.";
}
leaf key-tag {
type uint16;
mandatory "true";
description
"Key tag.";
reference
"RFC 4034: Resource Records for the DNS Security
Extensions.";
}
uses key-parameters;
leaf created {
type yang:date-and-time;
description
"Date and time when the key was created.";
}
leaf flags {
type bits {
bit zone-key {
position "7";
description
"This flag indicates a DNS zone key.";
}
bit secure-entry-point {
position "15";
description
"This flag indicates a key intended for use as a
secure entry point, i.e., key-signing key.";
}
}
description
"Key flags.";
reference
"RFC 4034: Resource Records for the DNS Security
Extensions.";
}
}
}
}
/* Configuration data */
augment "/dnss:dns-server" {
description
"Augment DNS server configuration with a list of DNSSEC signing
policies.";
list sign-policy {
key "name";
description
"A named DNSSEC signing policy.";
uses dnss:entry-name;
leaf algorithm {
type dsalg:dnssec-algorithm;
default "RSASHA256";
description
"Algorithm used for signing keys and issued signatures.";
}
leaf ksk-length {
type uint16;
units "bits";
default "2048";
description
"Length of generated key-signing keys.";
}
leaf zsk-length {
type uint16;
units "bits";
default "1024";
description
"Length of generated zone-signing keys.";
}
leaf dnskey-ttl {
type dnss:rr-ttl;
description
"TTL value for DNSKEY records added to zone apex.";
}
leaf zsk-lifetime {
type lifetime;
default "2592000";
description
"Time interval after which ZSK rollover will be initiated.
The default value corresponds to 30 days.";
}
leaf rrsig-lifetime {
type lifetime;
default "1209600";
description
"Lifetime of newly issued signatures.
The default value corresponds to two weeks.";
}
leaf rrsig-refresh {
type uint32;
units "seconds";
default "604800";
description
"This parameter specifies how long before signature
expiration the signature will be refreshed.
The default value corresponds to one week.";
}
leaf nsec3 {
type boolean;
default "false";
description
"This flag specifies whether NSEC3 will be used instead of
NSEC.";
}
leaf soa-min-ttl {
type dnss:rr-ttl;
description
"SOA minimum TTL value.";
}
leaf zone-max-ttl {
type dnss:rr-ttl;
description
"Maximum TTL value present in the zone.";
}
leaf propagation-delay {
type uint32;
units "seconds";
default "3600";
description
"Extra delay added to every key rollover step.";
}
}
}
augment "/dnss:dns-server/dnss:zones/dnss:template" {
description
"DNSSEC signing configuration for a zone template.";
uses dnssec:zone-options;
}
augment "/dnss:dns-server/dnss:zones/dnss:zone" {
description
"DNSSEC signing configuration for a zone.";
uses dnssec:zone-options;
}
/* RPC operations */
rpc generate-key {
description
"Generate a DNSSEC signing key.";
input {
uses key-parameters;
leaf secure-entry-point {
type boolean;
default "false";
description
"This flag indicates that the key is the secure entry point
of the corresponding zone, i.e., a key-signing key.";
}
}
output {
leaf key-id {
type key-id;
mandatory "true";
description
"Identifier of the generated key.";
}
leaf key-tag {
type uint16;
mandatory "true";
description
"Tag of the generated key.";
}
}
}
rpc zone-sign {
description
"Sign specified zones with available DNSSEC keys.";
input {
leaf-list zones {
type dnss:zone-ref;
description
"Domain names of the zones to be signed.";
}
}
}
}
......@@ -10,6 +10,10 @@ module dnssec-signing {
prefix "yang";
}
import ietf-inet-types {
prefix "inet";
}
import dns-server {
prefix "dnss";
}
......@@ -29,7 +33,7 @@ module dnssec-signing {
"This YANG module defines configuration data and RPC operations
for automatic DNSSEC signatures.";
revision 2016-01-14 {
revision 2016-03-03 {
description
"Initial revision.";
reference
......@@ -38,12 +42,21 @@ module dnssec-signing {
/* Typedefs */
typedef lifetime {
type uint32;
typedef time-interval {
type uint32 {
range "1..max";
}
units "seconds";
description
"This type is used for the lifetime values of keys and
signatures.";
"This type is used for time intervals such as TTL of resource
records or lifetime values of keys and signatures.";
}
typedef key-size {
type uint16;
units "bits";
description
"Size of a cryptographic key.";
}
typedef key-id {
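Review bot: The new `key-size` typedef accepts the whole uint16 range, including 0, whereas the sibling `time-interval` typedef added in the same hunk gets `range "1..max"`; a zero-bit key is never meaningful, so `type uint16 { range "1..max"; }` (or a tighter floor) would reject it at validation time instead of at key-generation time. Valid sizes are algorithm-dependent (RSA takes a modulus length, elliptic-curve algorithms have fixed sizes), so the typedef can only give a coarse bound and an algorithm-aware `must` on the leaves using it would be the stricter check. The `size`, `ksk-size` and `zsk-size` leaves in the two following hunks inherit whatever bound is chosen here.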
......@@ -92,12 +105,11 @@ module dnssec-signing {
description
"Encryption algorithm for which the key works.";
}
leaf length {
type uint16;
units "bits";
leaf size {
type key-size;
mandatory "true";
description
"Length of the key.";
"Size of the key.";
}
leaf publish {
type yang:date-and-time;
......@@ -212,19 +224,17 @@ module dnssec-signing {
description
"Algorithm used for signing keys and issued signatures.";
}
leaf ksk-length {
type uint16;
units "bits";
leaf ksk-size {
type key-size;
default "2048";
description
"Length of generated key-signing keys.";
"The size of generated key-signing keys.";
}
leaf zsk-length {
type uint16;
units "bits";
leaf zsk-size {
type key-size;
default "1024";
description
"Length of generated zone-signing keys.";
"The size of generated zone-signing keys.";
}
leaf dnskey-ttl {
type dnss:rr-ttl;
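Review bot: `zsk-size` keeps `default "1024"` through the rename, and with `algorithm` defaulting to `RSASHA256` (context line at the top of this hunk) that means 1024-bit RSA zone-signing keys out of the box, which is below the 2048-bit floor generally recommended for RSA today even for keys rolled every 30 days (the `zsk-lifetime` default further down the list). Consider `default "2048";`, or, if the smaller size is a deliberate trade-off against response size, say so in the description so operators know it is a value to override. The `sign-policy` list these leaves belong to starts before this hunk.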
......@@ -232,7 +242,7 @@ module dnssec-signing {
"TTL value for DNSKEY records added to zone apex.";
}
leaf zsk-lifetime {
type lifetime;
type time-interval;
default "2592000";
description
"Time interval after which ZSK rollover will be initiated.
......@@ -240,7 +250,7 @@ module dnssec-signing {
The default value corresponds to 30 days.";
}
leaf rrsig-lifetime {
type lifetime;
type time-interval;
default "1209600";
description
"Lifetime of newly issued signatures.
......@@ -281,6 +291,77 @@ module dnssec-signing {
description
"Extra delay added to every key rollover step.";
}
leaf manual {
type boolean;
default "false";
description
"Setting this flag to true enables manual key management.
In this case, no keys will be generated or rolled out
automatically.";
}
leaf keystore {
type leafref {
path "../../keystore/name";
}
description
"Name of a keystore to be used by the policy.";
}
}
list keystore {
key "name";
description
"The list of configured stores for private key material.";
uses dnss:entry-name;
leaf backend {
type enumeration {
enum pkcs8 {
description
"This backend type stores private key material in
unencrypted X.509 PEM files.";
}
enum pkcs11 {
description
"This backend type stores private key material in a
cryptographic token accessible via the PKCS#11
interface.";
}
}
default "pkcs8";
description
"Type of the keystore backend.";
}
choice keystore-config {
description
"Additional configuration parameters for individual
backends.";
case pkcs8 {
when "../backend = 'pkcs8'";
leaf keystore-directory {
type dnss:fs-path;
description
"Absolute path to a filesystem directory where private
key material is stored.";
}
}
case pkcs11 {
when "../backend = 'pkcs11'";
leaf token-url {
type inet:uri;
description
"URI of the PKCS#11 token.
If the token is protected by a PIN, the URI must
include 'pin-value' or 'pin-source' attribute.";
reference
"RFC 7512: The PKCS #11 URI Scheme";
}
leaf module-path {
type dnss:fs-path;
description
"PKCS #11 module path.";