Updated data models and example data

parent 2f097ec5
module dns-zones { module dns-zones {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/dns-zones"; namespace "http://www.nic.cz/ns/yang/dns-zones";
prefix "dnsz"; prefix "dnsz";
...@@ -33,7 +35,7 @@ module dns-zones { ...@@ -33,7 +35,7 @@ module dns-zones {
reference reference
"RFC 1035: Domain Names - Implementation and Specification."; "RFC 1035: Domain Names - Implementation and Specification.";
revision 2015-08-11 { revision 2016-08-04 {
description description
"Initial revision."; "Initial revision.";
} }
...@@ -256,9 +258,9 @@ module dns-zones { ...@@ -256,9 +258,9 @@ module dns-zones {
/* Configuration data */ /* Configuration data */
container zones { container zone-data {
description description
"Container for DNS zones."; "Container for DNS zone data.";
list zone { list zone {
key "name class"; key "name class";
description description
...@@ -368,7 +370,7 @@ module dns-zones { ...@@ -368,7 +370,7 @@ module dns-zones {
description description
"Each (shorthand) case of this choice defines the "Each (shorthand) case of this choice defines the
content of a single RR type wrapped in a container content of a single RR type wrapped in a container
whose name is the RR type (in lowercase). whose name is the RR type.
The SOA RR for the zone and RRSIG for the RRSet are The SOA RR for the zone and RRSIG for the RRSet are
specified separately. specified separately.
...@@ -377,7 +379,7 @@ module dns-zones { ...@@ -377,7 +379,7 @@ module dns-zones {
the 'rdata-content' choice."; the 'rdata-content' choice.";
/* RFC 1035 */ /* RFC 1035 */
container A { container A {
must "../../type = 'ianadns:A'"; when "derived-from-or-self(../../type, 'ianadns:A')";
description description
"RDATA content for 'A' Resource Record."; "RDATA content for 'A' Resource Record.";
reference reference
...@@ -391,7 +393,8 @@ module dns-zones { ...@@ -391,7 +393,8 @@ module dns-zones {
} }
} }
container CNAME { container CNAME {
must "../../type = 'ianadns:CNAME'"; when
"derived-from-or-self(../../type, 'ianadns:CNAME')";
description description
"RDATA content for 'CNAME' Resource Record."; "RDATA content for 'CNAME' Resource Record.";
reference reference
...@@ -405,7 +408,8 @@ module dns-zones { ...@@ -405,7 +408,8 @@ module dns-zones {
} }
} }
container HINFO { container HINFO {
must "../../type = 'ianadns:HINFO'"; when
"derived-from-or-self(../../type, 'ianadns:HINFO')";
description description
"RDATA content for 'HINFO' Resource Record."; "RDATA content for 'HINFO' Resource Record.";
reference reference
...@@ -425,7 +429,7 @@ module dns-zones { ...@@ -425,7 +429,7 @@ module dns-zones {
} }
} }
container MB { container MB {
must "../../type = 'ianadns:MB'"; when "derived-from-or-self(../../type, 'ianadns:MB')";
description description
"RDATA content for 'MB' Resource Record."; "RDATA content for 'MB' Resource Record.";
reference reference
...@@ -439,7 +443,7 @@ module dns-zones { ...@@ -439,7 +443,7 @@ module dns-zones {
} }
} }
container MD { container MD {
must "../../type = 'ianadns:MD'"; when "derived-from-or-self(../../type, 'ianadns:MD')";
status "obsolete"; status "obsolete";
description description
"RDATA content for 'MD' Resource Record (obsolete, "RDATA content for 'MD' Resource Record (obsolete,
...@@ -456,7 +460,7 @@ module dns-zones { ...@@ -456,7 +460,7 @@ module dns-zones {
} }
} }
container MF { container MF {
must "../../type = 'ianadns:MF'"; when "derived-from-or-self(../../type, 'ianadns:MF')";
status "obsolete"; status "obsolete";
description description
"RDATA content for 'MF' Resource Record (obsolete, "RDATA content for 'MF' Resource Record (obsolete,
...@@ -473,7 +477,7 @@ module dns-zones { ...@@ -473,7 +477,7 @@ module dns-zones {
} }
} }
container MG { container MG {
must "../../type = 'ianadns:MG'"; when "derived-from-or-self(../../type, 'ianadns:MG')";
description description
"RDATA content for 'MG' Resource Record."; "RDATA content for 'MG' Resource Record.";
reference reference
...@@ -488,7 +492,8 @@ module dns-zones { ...@@ -488,7 +492,8 @@ module dns-zones {
} }
} }
container MINFO { container MINFO {
must "../../type = 'ianadns:MINFO'"; when
"derived-from-or-self(../../type, 'ianadns:MINFO')";
description description
"RDATA content for 'MINFO' Resource Record."; "RDATA content for 'MINFO' Resource Record.";
reference reference
...@@ -511,7 +516,7 @@ module dns-zones { ...@@ -511,7 +516,7 @@ module dns-zones {
} }
} }
container MR { container MR {
must "../../type = 'ianadns:MR'"; when "derived-from-or-self(../../type, 'ianadns:MR')";
description description
"RDATA content for 'MR' Resource Record."; "RDATA content for 'MR' Resource Record.";
reference reference
...@@ -526,7 +531,7 @@ module dns-zones { ...@@ -526,7 +531,7 @@ module dns-zones {
} }
} }
container MX { container MX {
must "../../type = 'ianadns:MX'"; when "derived-from-or-self(../../type, 'ianadns:MX')";
description description
"RDATA content for 'MX' Resource Record."; "RDATA content for 'MX' Resource Record.";
reference reference
...@@ -548,7 +553,7 @@ module dns-zones { ...@@ -548,7 +553,7 @@ module dns-zones {
} }
} }
container NS { container NS {
must "../../type = 'ianadns:NS'"; when "derived-from-or-self(../../type, 'ianadns:NS')";
description description
"RDATA content for 'NS' Resource Record."; "RDATA content for 'NS' Resource Record.";
reference reference
...@@ -563,7 +568,8 @@ module dns-zones { ...@@ -563,7 +568,8 @@ module dns-zones {
} }
} }
container NULL { container NULL {
must "../../type = 'ianadns:NULL'"; when
"derived-from-or-self(../../type, 'ianadns:NULL')";
description description
"RDATA content for 'NULL' Resource Record."; "RDATA content for 'NULL' Resource Record.";
reference reference
...@@ -579,7 +585,8 @@ module dns-zones { ...@@ -579,7 +585,8 @@ module dns-zones {
} }
} }
container PTR { container PTR {
must "../../type = 'ianadns:PTR'"; when
"derived-from-or-self(../../type, 'ianadns:PTR')";
description description
"RDATA content for 'PTR' Resource Record."; "RDATA content for 'PTR' Resource Record.";
reference reference
...@@ -594,7 +601,8 @@ module dns-zones { ...@@ -594,7 +601,8 @@ module dns-zones {
} }
} }
container TXT { container TXT {
must "../../type = 'ianadns:TXT'"; when
"derived-from-or-self(../../type, 'ianadns:TXT')";
description description
"RDATA content for 'TXT' Resource Record."; "RDATA content for 'TXT' Resource Record.";
reference reference
...@@ -609,7 +617,8 @@ module dns-zones { ...@@ -609,7 +617,8 @@ module dns-zones {
} }
} }
container WKS { container WKS {
must "../../type = 'ianadns:WKS'"; when
"derived-from-or-self(../../type, 'ianadns:WKS')";
description description
"RDATA content for 'WKS' Resource Record."; "RDATA content for 'WKS' Resource Record.";
reference reference
...@@ -637,7 +646,8 @@ module dns-zones { ...@@ -637,7 +646,8 @@ module dns-zones {
} }
/* RFC 3596 */ /* RFC 3596 */
container AAAA { container AAAA {
must "../../type = 'ianadns:AAAA'"; when
"derived-from-or-self(../../type, 'ianadns:AAAA')";
description description
"RDATA content for 'AAAA' Resource Record."; "RDATA content for 'AAAA' Resource Record.";
reference reference
...@@ -651,7 +661,8 @@ module dns-zones { ...@@ -651,7 +661,8 @@ module dns-zones {
} }
/* RFC 4034 */ /* RFC 4034 */
container DNSKEY { container DNSKEY {
must "../../type = 'ianadns:DNSKEY'"; when "derived-from-or-self(../../type, "
+ "'ianadns:DNSKEY')";
description description
"RDATA content for 'DNSKEY' Resource Record."; "RDATA content for 'DNSKEY' Resource Record.";
reference reference
...@@ -704,7 +715,8 @@ module dns-zones { ...@@ -704,7 +715,8 @@ module dns-zones {
} }
} }
container NSEC { container NSEC {
must "../../type = 'ianadns:NSEC'"; when
"derived-from-or-self(../../type, 'ianadns:NSEC')";
description description
"RDATA content for 'NSEC' Resource Record."; "RDATA content for 'NSEC' Resource Record.";
reference reference
...@@ -722,7 +734,7 @@ module dns-zones { ...@@ -722,7 +734,7 @@ module dns-zones {
uses rrset-types; uses rrset-types;
} }
container DS { container DS {
must "../../type = 'ianadns:DS'"; when "derived-from-or-self(../../type, 'ianadns:DS')";
description description
"RDATA content for 'DS' Resource Record."; "RDATA content for 'DS' Resource Record.";
reference reference
...@@ -755,7 +767,8 @@ module dns-zones { ...@@ -755,7 +767,8 @@ module dns-zones {
} }
/* RFC 5155 */ /* RFC 5155 */
container NSEC3 { container NSEC3 {
must "../../type = 'ianadns:NSEC3'"; when
"derived-from-or-self(../../type, 'ianadns:NSEC3')";
description description
"RDATA content for 'NSEC3' Resource Record."; "RDATA content for 'NSEC3' Resource Record.";
reference reference
...@@ -781,7 +794,8 @@ module dns-zones { ...@@ -781,7 +794,8 @@ module dns-zones {
uses rrset-types; uses rrset-types;
} }
container NSEC3PARAM { container NSEC3PARAM {
must "../../type = 'ianadns:NSEC3PARAM'"; when "derived-from-or-self(../../type, "
+ "'ianadns:NSEC3PARAM')";
description description
"RDATA content for 'NSEC3PARAM' Resource Record."; "RDATA content for 'NSEC3PARAM' Resource Record.";
reference reference
...@@ -791,7 +805,8 @@ module dns-zones { ...@@ -791,7 +805,8 @@ module dns-zones {
} }
/* RFC 6698 */ /* RFC 6698 */
container TLSA { container TLSA {
must "../../type = 'ianadns:TLSA'"; when
"derived-from-or-self(../../type, 'ianadns:TLSA')";
description description
"RDATA content for 'TLSA' Resource Record."; "RDATA content for 'TLSA' Resource Record.";
reference reference
...@@ -842,7 +857,8 @@ module dns-zones { ...@@ -842,7 +857,8 @@ module dns-zones {
} }
/* RFC 4025 */ /* RFC 4025 */
container IPSECKEY { container IPSECKEY {
must "../../type = 'ianadns:IPSECKEY'"; when "derived-from-or-self(../../type, "
+ "'ianadns:IPSECKEY')";
description description
"RDATA content for 'IPSECKEY' Resource Record."; "RDATA content for 'IPSECKEY' Resource Record.";
reference reference
...@@ -906,7 +922,8 @@ module dns-zones { ...@@ -906,7 +922,8 @@ module dns-zones {
} }
/* RFC 2672 */ /* RFC 2672 */
container DNAME { container DNAME {
must "../../type = 'ianadns:DNAME'"; when
"derived-from-or-self(../../type, 'ianadns:DNAME')";
description description
"RDATA content for 'DNAME' Resource Record."; "RDATA content for 'DNAME' Resource Record.";
reference reference
...@@ -921,7 +938,8 @@ module dns-zones { ...@@ -921,7 +938,8 @@ module dns-zones {
} }
/* RFC 4255 */ /* RFC 4255 */
container SSHFP { container SSHFP {
must "../../type = 'ianadns:SSHFP'"; when
"derived-from-or-self(../../type, 'ianadns:SSHFP')";
description description
"RDATA content for 'SSHFP' Resource Record."; "RDATA content for 'SSHFP' Resource Record.";
reference reference
......
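Review bot: The new `when` expressions are wrapped in two different styles within this file: most cases put `when` on its own line with the whole string on the next (CNAME, HINFO, MINFO, NULL, PTR, TXT, WKS, AAAA, NSEC, NSEC3, TLSA, DNAME, SSHFP), while DNSKEY, NSEC3PARAM and IPSECKEY split the string with YANG 1.1 `+` concatenation — pick one form, preferably the single-string one, e.g. `when` / `"derived-from-or-self(../../type, 'ianadns:DNSKEY')";`, so the predicates stay grep-able. On substance, swapping `must` for `when "derived-from-or-self(...)"` also widens the match from exact identity equality to any identity derived from the IANA type; if that is intended, the choice description (`Each (shorthand) case of this choice defines the content of a single RR type ...`) should say that derived identities select the same RDATA container. The enclosing `choice` for rdata-content starts before the first visible hunk, so the complete set of cases is not visible here.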
// YANG 1.1 module for automatic DNSSEC signing of zones served by the
// dns-server model: named signing policies, per-zone / per-template signing
// options, per-zone key state data, and RPCs for key generation and zone
// signing. The key material itself is never carried in this model — only
// key identifiers, tags, flags and timing.
module dnssec-signing {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/dnssec-signing";
prefix "dnssec";
import ietf-yang-types {
prefix "yang";
}
import dns-server {
prefix "dnss";
}
import dnssec-algorithms {
prefix "dsalg";
}
organization
"CZ.NIC, z. s. p. o.";
contact
"Editor:   Ladislav Lhotka
          <mailto:lhotka@nic.cz>";
description
"This YANG module defines configuration data and RPC operations
for automatic DNSSEC signatures.";
revision 2016-01-14 {
description
"Initial revision.";
reference
"TODO: put git tag here";
}
/* Typedefs */
// NOTE(review): plain uint32 with no 'range' — the value 0 validates, and a
// zero key or signature lifetime is almost certainly a misconfiguration.
// A 'range "1..max"' would reject it at validation time.
typedef lifetime {
type uint32;
units "seconds";
description
"This type is used for the lifetime values of keys and
signatures.";
}
// Exactly 40 characters; the character set is not constrained (no
// 'pattern'), so any 40-character string validates.
// NOTE(review): if key ids are hex digests, a pattern such as
// '[0-9a-fA-F]{40}' would tighten this — confirm against the server.
typedef key-id {
type string {
length "40";
}
description
"This type is used for identifiers of DNSSEC keys.";
}
/* Groupings */
// Shared by the zone and template augments below. 'dnssec-signing' is a
// presence container: its mere existence (even with no children) turns
// automatic signing on, because 'enabled' defaults to true.
grouping zone-options {
description
"Zone options that configure DNSSEC signing.";
container dnssec-signing {
presence "automatic DNSSEC signing";
description
"Configuration of automatic DNSSEC signing.";
leaf enabled {
type boolean;
default "true";
description
"This flag allows to disable automatic DNSSEC signing while
keeping its configuration in place.";
}
// Optional reference to a sign-policy 'name' (the list is augmented into
// /dnss:dns-server further down). Per the description, absence means
// ZSKs are not generated automatically.
leaf policy {
type leafref {
path "/dnss:dns-server/dnssec:sign-policy/dnssec:name";
}
description
"Reference to a signing policy.
If this leaf is present, ZSKs are generated automatically
according to the signing policy.";
}
}
}
// Used both for key state data and as the input of the generate-key RPC,
// so 'algorithm' and 'length' are mandatory in both places.
grouping key-parameters {
description
"Common parameters of DNSSEC keys.";
// The type comes from dnssec-algorithms (not shown here). Despite the
// wording below, DNSSEC keys are signing keys, not encryption keys.
leaf algorithm {
type dsalg:dnssec-algorithm;
mandatory "true";
description
"Encryption algorithm for which the key works.";
}
// NOTE(review): no 'range' and no per-algorithm minimum — 0 and other
// unusable sizes validate. The acceptable minimum depends on 'algorithm'
// and is not enforced by this model.
leaf length {
type uint16;
units "bits";
mandatory "true";
description
"Length of the key.";
}
// Key timing: publish -> activate -> retire -> remove. Nothing in this
// model enforces ordering between the four timestamps — TODO confirm the
// server rejects, e.g., 'retire' earlier than 'activate'.
leaf publish {
type yang:date-and-time;
description
"The time of key publication (the key appears as a DNSKEY
resource record in the zone).
Absence of this leaf means the key is published immediately
after the key is created.";
}
leaf activate {
type yang:date-and-time;
description
"Start of the time interval in which the key is used for
signing.
Absence of this leaf means the key is used for signing since
the time of publishing.";
}
leaf retire {
type yang:date-and-time;
description
"End of the time interval in which the key is used for
signing.
Absence of this leaf means the key is never retired.";
}
leaf remove {
type yang:date-and-time;
description
"The time of DNSKEY RR removal.
Absence of this leaf means the key is never removed.";
}
}
/* State data */
// Per-zone signing state under dns-server-state (presumably config false —
// that container is defined in dns-server, not visible here).
augment "/dnss:dns-server-state/dnss:zone" {
description
"State data for zone DNSSEC signing.";
container dnssec-signing {
description
"State data related to automatic DNSSEC signing.";
leaf enabled {
type boolean;
description
"Is DNSSEC signing enabled for the ancestor zone?";
}
// One entry per key known for the zone, keyed by the opaque key-id.
list key {
key "key-id";
description
"Parameters of a DNSSEC key.";
leaf key-id {
type key-id;
description
"Key identifier.";
}
leaf key-tag {
type uint16;
mandatory "true";
description
"Key tag.";
reference
"RFC 4034: Resource Records for the DNS Security
Extensions.";
}
uses key-parameters;
leaf created {
type yang:date-and-time;
description
"Date and time when the key was created.";
}
// Bit positions follow the DNSKEY Flags field layout referenced below:
// bit 7 = Zone Key, bit 15 = Secure Entry Point (KSK).
leaf flags {
type bits {
bit zone-key {
position "7";
description
"This flag indicates a DNS zone key.";
}
bit secure-entry-point {
position "15";
description
"This flag indicates a key intended for use as a
secure entry point, i.e., key-signing key.";
}
}
description
"Key flags.";
reference
"RFC 4034: Resource Records for the DNS Security
Extensions.";
}
}
}
}
/* Configuration data */
// Defaults in effect when a policy omits the corresponding leaf: RSASHA256,
// 2048-bit KSK, 1024-bit ZSK, 30-day ZSK lifetime, 14-day signatures
// refreshed 7 days before expiry, NSEC (not NSEC3), 1 h propagation delay.
augment "/dnss:dns-server" {
description
"Augment DNS server configuration with a list of DNSSEC signing
policies.";
list sign-policy {
key "name";
description
"A named DNSSEC signing policy.";
uses dnss:entry-name;
leaf algorithm {
type dsalg:dnssec-algorithm;
default "RSASHA256";
description
"Algorithm used for signing keys and issued signatures.";
}
leaf ksk-length {
type uint16;
units "bits";
default "2048";
description
"Length of generated key-signing keys.";
}
// Security note: a 1024-bit RSA ZSK (the default) is below current
// guidance for new deployments. Operators should override this
// (>= 2048 bits for RSA) or select a non-RSA algorithm if
// dsalg:dnssec-algorithm offers one. Like 'length' above, no minimum
// is enforced by the model.
leaf zsk-length {
type uint16;
units "bits";
default "1024";
description
"Length of generated zone-signing keys.";
}
leaf dnskey-ttl {
type dnss:rr-ttl;
description
"TTL value for DNSKEY records added to zone apex.";
}
leaf zsk-lifetime {
type lifetime;
default "2592000";
description
"Time interval after which ZSK rollover will be initiated.
The default value corresponds to 30 days.";
}
leaf rrsig-lifetime {
type lifetime;
default "1209600";
description
"Lifetime of newly issued signatures.
The default value corresponds to two weeks.";
}
// NOTE(review): nothing ties this to rrsig-lifetime. The defaults
// (7 d refresh, 14 d lifetime) are consistent, but a refresh value
// >= the signature lifetime is not rejected by this model.
leaf rrsig-refresh {
type uint32;
units "seconds";
default "604800";
description
"This parameter specifies how long before signature
expiration the signature will be refreshed.
The default value corresponds to one week.";
}
// Security note: with the default (NSEC) every name in the zone can be
// enumerated by walking the NSEC chain; set this to true for zones whose
// contents should not be trivially listable. NSEC3 parameters (salt,
// iterations, opt-out) are not modelled in this module.
leaf nsec3 {
type boolean;
default "false";
description
"This flag specifies whether NSEC3 will be used instead of
NSEC.";
}
leaf soa-min-ttl {
type dnss:rr-ttl;
description
"SOA minimum TTL value.";
}
leaf zone-max-ttl {
type dnss:rr-ttl;
description
"Maximum TTL value present in the zone.";
}
// Extra waiting time per rollover step, on top of TTL-derived delays
// (how it combines with dnskey-ttl / zone-max-ttl is not specified here).
leaf propagation-delay {
type uint32;
units "seconds";
default "3600";
description
"Extra delay added to every key rollover step.";
}
}
}
// The same zone-options grouping is attached to zone templates and to
// individual zones; how a zone's settings override its template's is
// defined by dns-server, not here.
augment "/dnss:dns-server/dnss:zones/dnss:template" {
description
"DNSSEC signing configuration for a zone template.";
uses dnssec:zone-options;
}
augment "/dnss:dns-server/dnss:zones/dnss:zone" {
description
"DNSSEC signing configuration for a zone.";
uses dnssec:zone-options;
}
/* RPC operations */
// Input reuses key-parameters, so 'algorithm' and 'length' are mandatory.
// The generated key pair is never returned — only its identifier and tag.
// NOTE(review): the input does not say which zone the key belongs to,
// although 'secure-entry-point' talks about "the corresponding zone" —
// TODO confirm how the server associates the key with a zone.
rpc generate-key {
description
"Generate a DNSSEC signing key.";
input {
uses key-parameters;
leaf secure-entry-point {
type boolean;
default "false";
description
"This flag indicates that the key is the secure entry point
of the corresponding zone, i.e., a key-signing key.";
}
}
output {
leaf key-id {
type key-id;
mandatory "true";
description
"Identifier of the generated key.";
}
leaf key-tag {
type uint16;
mandatory "true";
description
"Tag of the generated key.";
}
}
}
// 'zones' has no min-elements, so the RPC is valid with no zones at all;
// the behaviour in that case (sign all zones? none?) is not specified in
// this model — TODO confirm against the server.
rpc zone-sign {
description
"Sign specified zones with available DNSSEC keys.";
input {
leaf-list zones {
type dnss:zone-ref;
description
"Domain names of the zones to be signed.";
}
}
}
}
...@@ -10,6 +10,10 @@ module dnssec-signing { ...@@ -10,6 +10,10 @@ module dnssec-signing {
prefix "yang"; prefix "yang";
} }
import ietf-inet-types {
prefix "inet";
}
import dns-server { import dns-server {
prefix "dnss"; prefix "dnss";
} }
...@@ -29,7 +33,7 @@ module dnssec-signing { ...@@ -29,7 +33,7 @@ module dnssec-signing {
"This YANG module defines configuration data and RPC operations "This YANG module defines configuration data and RPC operations
for automatic DNSSEC signatures."; for automatic DNSSEC signatures.";
revision 2016-01-14 { revision 2016-03-03 {
description description
"Initial revision."; "Initial revision.";
reference reference
...@@ -38,12 +42,21 @@ module dnssec-signing { ...@@ -38,12 +42,21 @@ module dnssec-signing {
/* Typedefs */ /* Typedefs */
typedef lifetime { typedef time-interval {
type uint32; type uint32 {
range "1..max";
}
units "seconds"; units "seconds";
description description
"This type is used for the lifetime values of keys and "This type is used for time intervals such as TTL of resource
signatures.";