Commit b3ac2858 authored by Pavel Spirek's avatar Pavel Spirek

pokus2

parent d575cc42
module dns-parameters {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/dns-parameters";
prefix "dnspars";
organization
"CZ.NIC, z. s. p. o.";
contact
"Editor:   Ladislav Lhotka
          <mailto:lhotka@nic.cz>";
description
"This module translates IANA registry of Domain Name System (DNS)
parameters to YANG enumeration types.
TODO: Complete the enumerations.";
reference
"IANA: Domain Name System (DNS) Parameters.
https://www.iana.org/assignments/dns-parameters/dns-parameters.xml";
revision 2016-01-13 {
description
"Initial revision.";
reference
"TODO: put git tag here";
}
typedef dns-class {
type enumeration {
enum IN {
value "1";
description
"Internet";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum CH {
value "3";
description
"Chaos";
reference
"D. Moon, \"Chaosnet\", A.I. Memo 628, Massachusetts
Institute of Technology Artificial Intelligence
Laboratory, June 1981.";
}
enum HS {
value "4";
description
"Hesiod";
reference
"Dyer, S., and F. Hsu, \"Hesiod\", Project Athena Technical
Plan – Name Service, April 1987.";
}
enum NONE {
value "254";
description
"QCLASS NONE";
reference
"RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE).";
}
enum ANY {
value "255";
description
"QCLASS *";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
}
description
"DNS resource record and query classes.
Values 0 and 65535 are reserved; 65280–65534 reserved for
private use; 2, 5–253, 256–65279 unassigned.";
}
typedef dns-opcode {
type enumeration {
enum query {
value "0";
description
"Query";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum iquery {
value "1";
status "obsolete";
description
"Inverse Query";
reference
"RFC 3425: Obsoleting IQUERY.";
}
enum status {
value "2";
description
"Status";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum notify {
value "4";
description
"Notify";
reference
"RFC 1996: A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY).";
}
enum update {
value "5";
description
"Update";
reference
"RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE).";
}
}
description
"DNS operations codes.
Value of 3 is unassigned.";
}
typedef dns-rcode {
type enumeration {
enum noerror {
value "0";
description
"No error";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum formerr {
value "1";
description
"Format error";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum servfail {
value "2";
description
"Server failure";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum nxdomain {
value "3";
description
"Non-existent domain";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum notimp {
value "4";
description
"Not implemented";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum refused {
value "5";
description
"Query refused";
reference
"RFC 1035: Domain Names - Implementation and
Specification.";
}
enum yxdomain {
value "6";
description
"Name exists when it should not.";
reference
"- RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE).
- RFC 6672: DNAME Redirection in the DNS.";
}
enum yxrrset {
value "7";
description
"RR set exists when it should not.";
reference
"RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE).";
}
enum nxrrset {
value "8";
description
"RR set that should exist does not.";
reference
"RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE).";
}
enum notauth {
value "9";
description
"Not Authorized";
reference
"- RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE).
- RFC 2845: Secret Key Transaction Authentication for DNS
(TSIG).";
}
enum notzone {
value "10";
description
"Name not contained in zone.";
reference
"RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE).";
}
enum badvers {
value "16";
description
"Bad OPT version.";
reference
"RFC 6891: Extension Mechanisms for DNS (EDNS(0)).";
}
enum tsig-badsig {
description
"TSIG signature failure";
reference
"RFC 2845: Secret Key Transaction Authentication for DNS
(TSIG).";
}
enum tsig-badkey {
description
"Key not recognized";
reference
"RFC 2845: Secret Key Transaction Authentication for DNS
(TSIG).";
}
enum tsig-badtime {
description
"Signature out of time window";
reference
"RFC 2845: Secret Key Transaction Authentication for DNS
(TSIG).";
}
enum badmode {
description
"Bad TKEY mode";
reference
"RFC 2930: Secret Key Establishment for DNS (TKEY RR).";
}
enum badname {
description
"Duplicate key name";
reference
"RFC 2930: Secret Key Establishment for DNS (TKEY RR).";
}
enum badalg {
description
"Algorithm not supported";
reference
"RFC 2930: Secret Key Establishment for DNS (TKEY RR).";
}
enum badtrunc {
description
"Bad truncation";
reference
"RFC 4635: HMAC SHA TSIG Algorithm Identifiers.";
}
}
description
"DNS reply codes.
Extended rcodes (except the base 16) are not assigned numeric
values because they may be non-unique.
Values 11–15 are unassigned.";
}
}
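Review bot: The `tsig-badsig` through `badtrunc` enums in `dns-rcode` carry no `value`, and the typedef's description presents that as deliberate, but YANG 1.1 (RFC 7950, section 9.6.4.2, which this module declares) then assigns each of them the previous value plus one, so `tsig-badsig` silently becomes 17 and the rest 18–23 — each one higher than the IANA/TSIG number (BADSIG 16, BADKEY 17, BADTIME 18, BADMODE 19, BADNAME 20, BADALG 21, BADTRUNC 22), which is exactly the off-by-one a wire-to-enum mapping would trip on. Values must be unique within one enumeration, so `tsig-badsig` cannot simply be given 16 alongside `badvers`; the options are to drop it and document on `badvers` that 16 is BADVERS in the OPT RR and BADSIG in the TSIG error field, as sketched below, or to move the TSIG/TKEY error codes into a separate typedef where each can carry its explicit value. Either way the sentence in the typedef description claiming these enums have no numeric value should be removed, since the compiler assigns one regardless.
```yang
enum badvers {
value "16";
description
"Bad OPT version. The same value is BADSIG (TSIG signature
failure) in the TSIG error field.";
// … unchanged: reference …
}
// tsig-badsig removed: it cannot share value 16 with badvers in one enumeration
enum tsig-badkey {
value "17";
// … unchanged: description, reference …
}
enum tsig-badtime {
value "18";
// … unchanged: description, reference …
}
enum badmode {
value "19";
// … unchanged: description, reference …
}
enum badname {
value "20";
// … unchanged: description, reference …
}
enum badalg {
value "21";
// … unchanged: description, reference …
}
enum badtrunc {
value "22";
// … unchanged: description, reference …
}
```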
module dnssec-algorithms {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/dnssec-algorithms";
prefix "dsalg";
organization
"CZ.NIC, z. s. p. o.";
contact
"Editor:   Ladislav Lhotka
          <mailto:lhotka@nic.cz>";
description
"This module translates IANA registry for DNSSEC algorithm
numbers to a YANG enumeration type.";
reference
"IANA: Domain Name System Security (DNSSEC) Algorithm Numbers.
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml";
revision 2016-01-13 {
description
"Initial revision.";
reference
"TODO: put git tag here";
}
typedef dnssec-algorithm {
type enumeration {
enum RSAMD5 {
value "1";
status "deprecated";
description
"RSA/MD5";
}
enum DH {
value "2";
description
"Diffie-Hellman";
}
enum DSA {
value "3";
description
"DSA/SHA1";
}
enum RSASHA1 {
value "5";
description
"RSA/SHA1";
}
enum DSA-NSEC3-SHA1 {
value "6";
description
"DSA-NSEC3-SHA1";
}
enum RSASHA1-NSEC3-SHA1 {
value "7";
description
"RSASHA1-NSEC3-SHA1";
}
enum RSASHA256 {
value "8";
description
"RSA/SHA256";
}
enum RSASHA512 {
value "10";
description
"RSA/SHA512";
}
enum ECC-GOST {
value "12";
description
"GOST R 34.10-2001";
}
enum ECDSAP256SHA256 {
value "13";
description
"ECDSA Curve P-256 with SHA-256";
}
enum ECDSAP384SHA384 {
value "14";
description
"ECDSA Curve P-384 with SHA-384";
}
}
description
"This typedef defines an enumeration of algorithms for DNSSEC
signing as defined by IANA.
The numbers defined by the 'value' statements are used in KEY,
SIG, DNSKEY, RRSIG and CERT resource records for identifying
the security algorithm.
Value 0, 4, 9 and 11 are reserved.";
}
}
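Review bot: The typedef describes itself as the algorithms for DNSSEC signing, but `DH` (value 2) is a key-exchange algorithm that the IANA registry marks as not usable for zone signing, and the deprecated `RSAMD5` stays a selectable value; since `dnssec-signing` uses this type unrestricted for `sign-policy/algorithm` and `generate-key`, a policy or key request can be configured with either. At minimum the enum descriptions should say so, e.g. for `DH`: `"Diffie-Hellman. Not usable for zone signing."`, and the consuming leaves should reject such values with a `must`. Because a YANG `enumeration` cannot be extended from another module, a registry that keeps growing (the EdDSA algorithms were later registered at 15 and 16) is better modelled as a base `identity` with one derived identity per algorithm and used through `identityref`; that is worth settling before other modules depend on this typedef.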
module dnssec-signing {
yang-version "1.1";
namespace "http://www.nic.cz/ns/yang/dnssec-signing";
prefix "dnssec";
import ietf-yang-types {
prefix "yang";
}
import dns-server {
prefix "dnss";
}
import dnssec-algorithms {
prefix "dsalg";
}
organization
"CZ.NIC, z. s. p. o.";
contact
"Editor:   Ladislav Lhotka
          <mailto:lhotka@nic.cz>";
description
"This YANG module defines configuration data and RPC operations
for automatic DNSSEC signatures.";
revision 2016-01-14 {
description
"Initial revision.";
reference
"TODO: put git tag here";
}
/* Typedefs */
typedef lifetime {
type uint32;
units "seconds";
description
"This type is used for the lifetime values of keys and
signatures.";
}
typedef key-id {
type string {
length "40";
}
description
"This type is used for identifiers of DNSSEC keys.";
}
/* Groupings */
grouping zone-options {
description
"Zone options that configure DNSSEC signing.";
container dnssec-signing {
presence "automatic DNSSEC signing";
description
"Configuration of automatic DNSSEC signing.";
leaf enabled {
type boolean;
default "true";
description
"This flag allows to disable automatic DNSSEC signing while
keeping its configuration in place.";
}
leaf policy {
type leafref {
path "/dnss:dns-server/dnssec:sign-policy/dnssec:name";
}
description
"Reference to a signing policy.
If this leaf is present, ZSKs are generated automatically
according to the signing policy.";
}
}
}
grouping key-parameters {
description
"Common parameters of DNSSEC keys.";
leaf algorithm {
type dsalg:dnssec-algorithm;
mandatory "true";
description
"Encryption algorithm for which the key works.";
}
leaf length {
type uint16;
units "bits";
mandatory "true";
description
"Length of the key.";
}
leaf publish {
type yang:date-and-time;
description
"The time of key publication (the key appears as a DNSKEY
resource record in the zone).
Absence of this leaf means the key is published immediately
after the key is created.";
}
leaf activate {
type yang:date-and-time;
description
"Start of the time interval in which the key is used for
signing.
Absence of this leaf means the key is used for signing since
the time of publishing.";
}
leaf retire {
type yang:date-and-time;
description
"End of the time interval in which the key is used for
signing.
Absence of this leaf means the key is never retired.";
}
leaf remove {
type yang:date-and-time;
description
"The time of DNSKEY RR removal.
Absence of this leaf means the key is never removed.";
}
}
/* State data */
augment "/dnss:dns-server-state/dnss:zone" {
description
"State data for zone DNSSEC signing.";
container dnssec-signing {
description
"State data related to automatic DNSSEC signing.";
leaf enabled {
type boolean;
description
"Is DNSSEC signing is enabled for the ancestor zone?";
}
list key {
key "key-id";
description
"Parameters of a DNSSEC key.";
leaf key-id {
type key-id;
description
"Key identifier.";
}
leaf key-tag {
type uint16;
mandatory "true";
description
"Key tag.";
reference
"RFC 4034: Resource Records for the DNS Security
Extensions.";
}
uses key-parameters;
leaf created {
type yang:date-and-time;
description
"Date and time when the key was created.";
}
leaf flags {
type bits {
bit zone-key {
position "7";
description
"This flag indicates a DNS zone key.";
}
bit secure-entry-point {
position "15";
description
"This flag indicates a key intended for use as a
secure entry point, i.e., key-signing key.";
}
}
description
"Key flags.";
reference
"RFC 4034: Resource Records for the DNS Security
Extensions.";
}
}
}
}
/* Configuration data */
augment "/dnss:dns-server" {
description
"Augment DNS server configuration with a list of DNSSEC signing
policies.";
list sign-policy {
key "name";
description
"A named DNSSEC signing policy.";
uses dnss:entry-name;
leaf algorithm {
type dsalg:dnssec-algorithm;
default "RSASHA256";
description
"Algorithm used for signing keys and issued signatures.";
}
leaf ksk-length {
type uint16;
units "bits";
default "2048";
description
"Length of generated key-signing keys.";
}
leaf zsk-length {
type uint16;
units "bits";
default "1024";
description
"Length of generated zone-signing keys.";
}
leaf dnskey-ttl {
type dnss:rr-ttl;
description
"TTL value for DNSKEY records added to zone apex.";
}
leaf zsk-lifetime {
type lifetime;
default "2592000";
description
"Time interval after which ZSK rollover will be initiated.
The default value corresponds to 30 days.";
}
leaf rrsig-lifetime {
type lifetime;
default "1209600";
description
"Lifetime of newly issued signatures.
The default value corresponds to two weeks.";
}
leaf rrsig-refresh {
type uint32;
units "seconds";
default "604800";
description
"This parameter specifies how long before signature
expiration the signature will be refreshed.
The default value corresponds to one week.";
}
leaf nsec3 {
type boolean;
default "false";
description
"This flag specifies whether NSEC3 will be used instead of
NSEC.";
}
leaf soa-min-ttl {
type dnss:rr-ttl;
description
"SOA minimum TTL value.";
}
leaf zone-max-ttl {
type dnss:rr-ttl;
description
"Maximum TTL value present in the zone.";
}
leaf propagation-delay {
type uint32;
units "seconds";
default "3600";
description
"Extra delay added to every key rollover step.";
}
}
}
augment "/dnss:dns-server/dnss:zones/dnss:template" {
description
"DNSSEC signing configuration for a zone template.";
uses dnssec:zone-options;
}
augment "/dnss:dns-server/dnss:zones/dnss:zone" {
description
"DNSSEC signing configuration for a zone.";
uses dnssec:zone-options;
}
/* RPC operations */
rpc generate-key {
description
"Generate a DNSSEC signing key.";
input {
uses key-parameters;
leaf secure-entry-point {
type boolean;
default "false";
description
"This flag indicates that the key is the secure entry point
of the corresponding zone, i.e., a key-signing key.";
}
}
output {
leaf key-id {
type key-id;
mandatory "true";
description
"Identifier of the generated key.";
}
leaf key-tag {
type uint16;
mandatory "true";
description
"Tag of the generated key.";
}
}
}
rpc zone-sign {
description
"Sign specified zones with available DNSSEC keys.";
input {
leaf-list zones {
type dnss:zone-ref;
description
"Domain names of the zones to be signed.";
}
}
}
}
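Review bot: `rrsig-refresh` in `sign-policy` has no constraint relating it to `rrsig-lifetime`, so a policy with a refresh equal to or longer than the lifetime re-signs on every pass and a refresh of 0 lets signatures expire before they are renewed; a `must ". < ../rrsig-lifetime" { error-message "rrsig-refresh must be shorter than rrsig-lifetime"; }` on the leaf makes the invariant checkable when the configuration is committed. That leaf also spells out `uint32` with `units "seconds"` instead of the `lifetime` typedef its neighbours use. The `zsk-length` default of 1024 bits is low for the `RSASHA256` default algorithm; 2048, as already used for `ksk-length`, is the safer default, and the mandatory `length` in `key-parameters` sits oddly with the ECDSA algorithms, whose key size is fixed by the curve. `key-id`'s `length "40"` constrains only the string length; if the identifier is a hex digest, as the length suggests, a `pattern` would additionally reject malformed values — confirm against the server implementation.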
module ietf-yang-library {
namespace "urn:ietf:params:xml:ns:yang:ietf-yang-library";
prefix "yanglib";
import ietf-yang-types { prefix yang; }
import ietf-inet-types { prefix inet; }
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
WG Chair: Mehmet Ersue
<mailto:mehmet.ersue@nsn.com>
WG Chair: Mahesh Jethanandani
<mailto:mjethanandani@gmail.com>
Editor: Andy Bierman
<mailto:andy@yumaworks.com>
Editor: Martin Bjorklund
<mailto:mbj@tail-f.com>
Editor: Kent Watsen
<mailto:kwatsen@juniper.net>";
description
"This module contains monitoring information about the YANG
modules and submodules that are used within a YANG-based
server.
Copyright (c) 2015 IETF Trust and the persons identified as
authors of the code. All rights reserved.