Commit 4673f262 authored by Ladislav Lhotka's avatar Ladislav Lhotka

Implement #4

parent c86d1050
......@@ -158,14 +158,14 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf mname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Name server that was the original or primary source of data
for this zone.";
}
leaf rname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Mailbox of the person responsible for this zone.";
......@@ -225,7 +225,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf cname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Canonical or primary name for the owner.";
......@@ -257,7 +257,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf madname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Host which has the specified mailbox.";
......@@ -271,7 +271,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf madname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Host which has a mail agent for the domain which should be
......@@ -286,7 +286,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf madname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Host which has a mail agent for the domain which will accept
......@@ -300,7 +300,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf mgmname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Mailbox which is a member of the mail group specified by the
......@@ -314,14 +314,14 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf rmailbx {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Mailbox which is responsible for the mailing list or
mailbox.";
}
leaf emailbx {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Mailbox which is to receive error messages related to the
......@@ -336,7 +336,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf newname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Mailbox which is the proper rename of the specified
......@@ -357,7 +357,7 @@ module cznic-dns-rdata {
Lower values are preferred.";
}
leaf exchange {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Host willing to act as a mail exchange for the owner
......@@ -371,7 +371,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf nsdname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Host which should be authoritative for the specified
......@@ -400,7 +400,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
leaf ptrdname {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"A pointer to some location in the domain name space.";
......@@ -517,7 +517,7 @@ module cznic-dns-rdata {
reference
"RFC 4034: Resource Records for the DNS Security Extensions";
leaf next-domain-name {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"This field contains the next owner name (in the canonical
......@@ -707,7 +707,7 @@ module cznic-dns-rdata {
reference
"RFC 2672: Non-Terminal DNS Name Redirection";
leaf target {
type domain-name;
type inet:domain-name;
mandatory "true";
description
"Target domain name that is substituted for 'owner' as a
......
......@@ -216,7 +216,7 @@
</text>
</reference>
<leaf name="mname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -226,7 +226,7 @@
</description>
</leaf>
<leaf name="rname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -321,7 +321,7 @@
</text>
</reference>
<leaf name="cname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -376,7 +376,7 @@
</text>
</reference>
<leaf name="madname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -401,7 +401,7 @@
</text>
</reference>
<leaf name="madname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -427,7 +427,7 @@
</text>
</reference>
<leaf name="madname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -451,7 +451,7 @@
</text>
</reference>
<leaf name="mgmname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -475,7 +475,7 @@
</text>
</reference>
<leaf name="rmailbx">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -485,7 +485,7 @@
</description>
</leaf>
<leaf name="emailbx">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -510,7 +510,7 @@
</text>
</reference>
<leaf name="newname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -544,7 +544,7 @@
</description>
</leaf>
<leaf name="exchange">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -568,7 +568,7 @@
</text>
</reference>
<leaf name="nsdname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -617,7 +617,7 @@
</text>
</reference>
<leaf name="ptrdname">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -810,7 +810,7 @@
</text>
</reference>
<leaf name="next-domain-name">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......@@ -1090,7 +1090,7 @@
</text>
</reference>
<leaf name="target">
<type name="domain-name"/>
<type name="inet:domain-name"/>
<mandatory value="true"/>
<description>
<text>
......
......@@ -14,6 +14,10 @@ module cznic-resolver-common {
prefix "dnsct";
}
import cznic-dns-rdata {
prefix "rdata";
}
organization
"CZ.NIC, z. s. p. o.";
......@@ -25,7 +29,7 @@ module cznic-resolver-common {
"This YANG module defines the common part of a data model for DNS
resolvers.";
revision 2018-10-26 {
revision 2018-10-29 {
description
"Initial revision.";
reference
......@@ -83,6 +87,35 @@ module cznic-resolver-common {
}
}
grouping trust-anchor-spec {
description
"Specification of a trust anchor.";
leaf owner {
type inet:domain-name;
description
"The domain name to which the trust anchor applies.
It is taken relative to the domain for which the trust
anchor is specified. If the value is '.', then the trust
anchor applies to the entire domain.";
}
choice trust-anchor-rdata {
description
"A trust anchor is specified by a DS or DNSKEY resource
record data.";
container ds {
description
"A trust anchor defined using DS RDATA.";
uses rdata:ds;
}
container dnskey {
description
"A trust anchor defined using DS RDATA.";
uses rdata:dnskey;
}
}
}
/* Data definitions */
container dns-resolver {
......@@ -282,35 +315,59 @@ module cznic-resolver-common {
presence "Enable DNSSEC";
description
"DNSSEC parameters";
container trust-anchors {
list trust-anchors {
key "domain";
description
"Parameters of DNSSEC trust anchors.";
list key-files {
key "domain";
"Per-domain DNSSEC trust anchors.";
leaf domain {
type inet:domain-name;
description
"DNSSEC trust anchor files.
These files should exist and contain trust anchors (DS
or DNSKEY recors) for a single domain. The only
exception is the file for the root domain (key '.'): if
it doesn't exist, it will be populated from the IANA
website.";
leaf domain {
type inet:domain-name;
description
"The domain for which the trust anchor file is used.";
}
leaf file {
type fs-path;
description
"Name of the trust anchor file.";
}
leaf read-only {
type boolean;
default "false";
description
"Setting this flag to true blocks updates according to
RFC 5011 for this file.";
"The domain to which the trust anchors belong.";
}
leaf key-file {
type fs-path;
description
"Name of the file in which trust anchors are stored. The
file contains DS or DNSKEY records in the zone file
format.
If the file is specified, it must also exist and be
properly populated. The only exception is the file for
the root domain ('.'): if it doesn't exist, it will be
created and populated from the IANA website.
The file is used for two purposes:
- to initialize the trust anchors when the resolver
starts
- as a storage place for updates accroding to RFC 5011
(unless they are turned off using the 'auto-update'
flag).";
}
leaf auto-update {
type boolean;
default "true";
description
"Setting this flag to false blocks updates according to
RFC 5011 for the domain. By default, the updates are
enabled.";
}
list trust-anchor {
config "false";
description
"List of trust anchors that are currently in use for the
domain.";
uses trust-anchor-spec;
}
action add-trust-anchor {
description
"Specify a trust anchor explicitly.
The resolver add this item to the existing trust anchors
for the domain.";
input {
uses trust-anchor-spec;
}
}
}
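Review bot: The description of the new `dnskey` container in `trust-anchor-spec` still reads "A trust anchor defined using DS RDATA." — a copy of the `ds` container's text; it should be `"A trust anchor defined using DNSKEY RDATA.";`, and the same copied text appears in the YIN file (the `dnskey` container there). Two further wording slips in the same hunks: "accroding" in the `key-file` description (also in the YIN `key-file` text) and "The resolver add this item" in `add-trust-anchor`, which should be "adds". The `owner` leaf in `trust-anchor-spec` has neither `mandatory` nor `default`, so the tree renders it as `owner?` while the description only defines the meaning of '.'; if an absent owner is meant to apply to the whole domain, `default ".";` would pin that down rather than leave it to the implementation. The `key-file` description says the root-domain file is created and populated from the IANA website but not whether the downloaded anchors are verified before being trusted; since this file bootstraps all DNSSEC validation, the description should state how (or that) the fetched content is authenticated.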
......
......@@ -12,6 +12,9 @@
<import module="iana-dns-class-rr-type">
<prefix value="dnsct"/>
</import>
<import module="cznic-dns-rdata">
<prefix value="rdata"/>
</import>
<organization>
<text>CZ.NIC, z. s. p. o.</text>
</organization>
......@@ -100,6 +103,41 @@
</leaf-list>
</grouping>
<grouping name="trust-anchor-spec">
<description>
<text>Specification of a trust anchor.</text>
</description>
<leaf name="owner">
<type name="inet:domain-name"/>
<description>
<text>
<h:p>The domain name to which the trust anchor applies.</h:p>
<h:p>It is taken relative to the domain for which the trust
anchor is specified. If the value is '.', then the trust
anchor applies to the entire domain.</h:p>
</text>
</description>
</leaf>
<choice name="trust-anchor-rdata">
<description>
<text>A trust anchor is specified by a DS or DNSKEY
resource record data.</text>
</description>
<container name="ds">
<description>
<text>A trust anchor defined using DS RDATA.</text>
</description>
<uses name="rdata:ds"/>
</container>
<container name="dnskey">
<uses name="rdata:dnskey"/>
<description>
<text>A trust anchor defined using DS RDATA.</text>
</description>
</container>
</choice>
</grouping>
<!-- Data definitions -->
<container name="dns-resolver">
......@@ -338,45 +376,69 @@
<text>DNSSEC parameters</text>
</description>
<presence value="Enable DNSSEC"/>
<container name="trust-anchors">
<list name="trust-anchors">
<key value="domain"/>
<description>
<text>Parameters of DNSSEC trust anchors.</text>
<text>Per-domain DNSSEC trust anchors.</text>
</description>
<list name="key-files">
<key value="domain"/>
<leaf name="domain">
<type name="inet:domain-name"/>
<description>
<text>The domain to which the trust anchors belong.</text>
</description>
</leaf>
<action name="add-trust-anchor">
<description>
<text>
<h:p>Specify a trust anchor explicitly.</h:p>
<h:p>The resolver add this item to the existing trust
anchors for the domain.</h:p>
</text>
</description>
<input>
<uses name="trust-anchor-spec"/>
</input>
</action>
<leaf name="key-file">
<type name="fs-path"/>
<description>
<text>
<h:p>DNSSEC trust anchor files.</h:p>
<h:p>These files should exist and contain trust anchors
(DS or DNSKEY recors) for a single domain. The only
exception is the file for the root domain (key '.'): if
it doesn't exist, it will be populated from the IANA
website.</h:p>
<h:p>Name of the file in which trust anchors are
stored. The file contains DS or DNSKEY records in the
zone file format.</h:p>
<h:p>If the file is specified, it must also exist and be
properly populated. The only exception is the file for
the root domain ('.'): if it doesn't exist, it will be
created and populated from the IANA website.</h:p>
<h:p>The file is used for two purposes:</h:p>
<h:ul>
<h:li>to initialize the trust anchors when the
resolver starts</h:li>
<h:li>as a storage place for updates accroding to RFC
5011 (unless they are turned off using the
'auto-update' flag).</h:li>
</h:ul>
</text>
</description>
<leaf name="domain">
<type name="inet:domain-name"/>
<description>
<text>The domain for which the trust anchor file is
used.</text>
</description>
</leaf>
<leaf name="file">
<type name="fs-path"/>
<description>
<text>Name of the trust anchor file.</text>
</description>
</leaf>
<leaf name="read-only">
<type name="boolean"/>
<default value="false"/>
<description>
<text>Setting this flag to true blocks updates according
to RFC 5011 for this file.</text>
</description>
</leaf>
</leaf>
<leaf name="auto-update">
<type name="boolean"/>
<default value="true"/>
<description>
<text>Setting this flag to false blocks updates
according to RFC 5011 for the domain. By default, the
updates are enabled.</text>
</description>
</leaf>
<list name="trust-anchor">
<config value="false"/>
<description>
<text>List of trust anchors that are currently in use
for the domain.</text>
</description>
<uses name="trust-anchor-spec"/>
</list>
</container>
</list>
<leaf-list name="negative-trust-anchors">
<type name="inet:domain-name"/>
<description>
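Review bot: In the `dnskey` container of the new `trust-anchor-spec` grouping the `<uses name="rdata:dnskey"/>` element comes before `<description>`, whereas the sibling `ds` container (and the `.yang` source in this same commit) put `<description>` first; YANG accepts either order, but the YIN is presumably meant to mirror the `.yang` module, so moving `<uses name="rdata:dnskey"/>` after `</description>` keeps the two in step. The `trust-anchors` list likewise places `<action name="add-trust-anchor">` between the `domain` and `key-file` leaves here, while the `.yang` file puts the action last; aligning the order makes future diffs between the two representations easier to review.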
......
......@@ -15,11 +15,42 @@
| | +--rw prefix? <ipv6-prefix(string)>
| +--rw dnssec!
| | +--rw negative-trust-anchors* <domain-name(string)>
| | +--rw trust-anchors
| | +--rw key-files* [domain]
| | +--rw domain <domain-name(string)>
| | +--rw file? <fs-path(string)>
| | +--rw read-only? <boolean>
| | +--rw trust-anchors* [domain]
| | +---x add-trust-anchor
| | | +--ro input
| | | | +--ro owner? <domain-name(string)>
| | | | +--ro (trust-anchor-rdata)?
| | | | +--:(dnskey)
| | | | | +--ro dnskey
| | | | | +--ro algorithm <dnssec-algorithm(enumeration)>
| | | | | +--ro flags? <dnskey-flags(bits)>
| | | | | +--ro protocol? <uint8>
| | | | | +--ro public-key <binary>
| | | | +--:(ds)
| | | | +--ro ds
| | | | +--ro algorithm <dnssec-algorithm(enumeration)>
| | | | +--ro digest <hex-digits(string)>
| | | | +--ro digest-type <digest-algorithm(enumeration)>
| | | | +--ro key-tag <uint16>
| | | +--ro output
| | +--rw auto-update? <boolean>
| | +--rw domain <domain-name(string)>
| | +--rw key-file? <fs-path(string)>
| | +--ro trust-anchor*
| | +--ro owner? <domain-name(string)>
| | +--ro (trust-anchor-rdata)?
| | +--:(dnskey)
| | | +--ro dnskey
| | | +--ro algorithm <dnssec-algorithm(enumeration)>
| | | +--ro flags? <dnskey-flags(bits)>
| | | +--ro protocol? <uint8>
| | | +--ro public-key <binary>
| | +--:(ds)
| | +--ro ds
| | +--ro algorithm <dnssec-algorithm(enumeration)>
| | +--ro digest <hex-digits(string)>
| | +--ro digest-type <digest-algorithm(enumeration)>
| | +--ro key-tag <uint16>
| +--rw logging
| | +--rw verbosity? <uint8>
| +--rw network
......
......@@ -4,7 +4,7 @@
"module": [
{
"name": "cznic-resolver-common",
"revision": "2018-10-26",
"revision": "2018-10-29",
"feature": [
"set-group"
],
......@@ -29,6 +29,12 @@
"namespace": "https://www.nic.cz/ns/yang/dns-parameters",
"conformance-type": "import"
},
{
"name": "cznic-dns-rdata",
"revision": "2018-10-29",
"namespace": "https://www.nic.cz/ns/yang/dns-rdata",
"conformance-type": "import"
},
{
"name": "iana-dns-class-rr-type",
"revision": "2018-10-26",
......