Commit 82010ed8 authored by Ladislav Lhotka's avatar Ladislav Lhotka

Use an opaque id as the key for "trust-anchor"

parent c0fd92c5
Pipeline #43277 passed with stages
in 51 seconds
...@@ -92,6 +92,7 @@ module cznic-resolver-common { ...@@ -92,6 +92,7 @@ module cznic-resolver-common {
"Specification of a trust anchor."; "Specification of a trust anchor.";
leaf owner { leaf owner {
type inet:domain-name; type inet:domain-name;
default ".";
description description
"The domain name to which the trust anchor applies. "The domain name to which the trust anchor applies.
...@@ -328,7 +329,7 @@ module cznic-resolver-common { ...@@ -328,7 +329,7 @@ module cznic-resolver-common {
type fs-path; type fs-path;
description description
"Name of the file that is used by the RFC 5011 update "Name of the file that is used by the RFC 5011 update
procedure for storing trust anchors are stored. procedure for storing trust anchors.
Usually there will be a default location, which is Usually there will be a default location, which is
however implementation- and platform-specific."; however implementation- and platform-specific.";
...@@ -342,7 +343,7 @@ module cznic-resolver-common { ...@@ -342,7 +343,7 @@ module cznic-resolver-common {
enabled."; enabled.";
} }
list trust-anchor { list trust-anchor {
key "owner"; key "id";
description description
"List of trust anchors. "List of trust anchors.
...@@ -360,19 +361,15 @@ module cznic-resolver-common { ...@@ -360,19 +361,15 @@ module cznic-resolver-common {
subsequent changes to this list shall be taken into subsequent changes to this list shall be taken into
account. account.
In the operation datastore, this list contains trust In the operational datastore, this list contains trust
anchors that are currently used by the resolver for the anchors that are currently used by the resolver for the
domain."; domain.";
uses trust-anchor-spec { leaf id {
refine "trust-anchor-rdata/dnskey/dnskey/flags" { type uint8;
must "contains(., 'SEP')" { description
error-message "Opaque numeric ID of the trust anchor.";
"Trust anchor must be a Key-Signing Key.";
description
"Trust anchor must be a Key-Signing Key.";
}
}
} }
uses trust-anchor-spec;
} }
action add-trust-anchor { action add-trust-anchor {
description description
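Review bot: The new `list trust-anchor` body ends in a bare `uses trust-anchor-spec;`, so the `must "contains(., 'SEP')"` refinement on `trust-anchor-rdata/dnskey/dnskey/flags` is gone and the schema no longer rejects a DNSKEY trust anchor that lacks the SEP flag. The commit title only mentions the key change, so dropping this check looks unintended. If so, keep the `refine` with its `must` and `error-message` inside the `uses` statement; if it is deliberate, say so in the commit description. The YIN section has the same issue at `<uses name="trust-anchor-spec"/>`. Separately, `leaf id` with `type uint8` caps each list at 256 anchors, and now that `owner` is no longer the key nothing prevents two entries carrying the same owner and key data. The `id` description could state that the value is unrelated to the DNSKEY key tag. The list's description begins outside this hunk.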
......
...@@ -117,6 +117,7 @@ ...@@ -117,6 +117,7 @@
anchor applies to the entire domain.</h:p> anchor applies to the entire domain.</h:p>
</text> </text>
</description> </description>
<default value="."/>
</leaf> </leaf>
<choice name="trust-anchor-rdata"> <choice name="trust-anchor-rdata">
<description> <description>
...@@ -404,8 +405,7 @@ ...@@ -404,8 +405,7 @@
<description> <description>
<text> <text>
<h:p>Name of the file that is used by the RFC 5011 <h:p>Name of the file that is used by the RFC 5011
update procedure for storing trust anchors are update procedure for storing trust anchors.</h:p>
stored.</h:p>
<h:p>Usually there will be a default location, which is <h:p>Usually there will be a default location, which is
however implementation- and platform-specific.</h:p> however implementation- and platform-specific.</h:p>
</text> </text>
...@@ -421,7 +421,7 @@ ...@@ -421,7 +421,7 @@
</description> </description>
</leaf> </leaf>
<list name="trust-anchor"> <list name="trust-anchor">
<key value="owner"/> <key value="id"/>
<description> <description>
<text> <text>
<h:p>List of trust anchors.</h:p> <h:p>List of trust anchors.</h:p>
...@@ -439,27 +439,18 @@ ...@@ -439,27 +439,18 @@
subsequent changes to this list shall be taken into subsequent changes to this list shall be taken into
account.</h:li> account.</h:li>
</h:ul> </h:ul>
<h:p>In the operation datastore, this list contains <h:p>In the operational datastore, this list contains
trust anchors that are currently used by the resolver for trust anchors that are currently used by the resolver
the domain.</h:p> for the domain.</h:p>
</text> </text>
</description> </description>
<uses name="trust-anchor-spec"> <leaf name="id">
<refine target-node="trust-anchor-rdata/dnskey/dnskey/flags"> <type name="uint8"/>
<must condition="contains(., 'SEP')"> <description>
<description> <text>Opaque numeric ID of the trust anchor.</text>
<text> </description>
Trust anchor must be a Key-Signing Key. </leaf>
</text> <uses name="trust-anchor-spec"/>
</description>
<error-message>
<value>
Trust anchor must be a Key-Signing Key.
</value>
</error-message>
</must>
</refine>
</uses>
</list> </list>
</list> </list>
<leaf-list name="negative-trust-anchors"> <leaf-list name="negative-trust-anchors">
......
...@@ -36,8 +36,9 @@ ...@@ -36,8 +36,9 @@
| | +--rw auto-update? <boolean> | | +--rw auto-update? <boolean>
| | +--rw domain <domain-name(string)> | | +--rw domain <domain-name(string)>
| | +--rw key-file? <fs-path(string)> | | +--rw key-file? <fs-path(string)>
| | +--rw trust-anchor* [owner] | | +--rw trust-anchor* [id]
| | +--rw owner <domain-name(string)> | | +--rw id <uint8>
| | +--rw owner? <domain-name(string)>
| | +--rw (trust-anchor-rdata)? | | +--rw (trust-anchor-rdata)?
| | +--:(dnskey) | | +--:(dnskey)
| | | +--rw dnskey | | | +--rw dnskey
......