Commit b27974cd authored by Ladislav Lhotka's avatar Ladislav Lhotka

Fix must constraints for DNSKEY

parent ead34f2b
Pipeline #43071 passed with stages
in 54 seconds
......@@ -40,7 +40,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
revision 2018-10-29 {
revision 2018-12-10 {
description
"Initial revision.";
}
......@@ -467,14 +467,6 @@ module cznic-dns-rdata {
"RFC 4034: Resource Records for the DNS Security Extensions";
leaf flags {
type dnspar:dnskey-flags;
must "not(contains(., 'ZONE')) or ../../../owner = "
+ "../../../../name" {
error-message
"For a Zone Key, owner name must be the zone name.";
description
"For a Zone Key, the DNSKEY RR's owner name MUST be the
name of a zone.";
}
must "contains(., 'ZONE') or not(contains(., 'SEP'))" {
error-message
"'secure-entry-point' is set but 'zone-key' isn't";
......
......@@ -730,32 +730,17 @@
</reference>
<leaf name="flags">
<type name="dnspar:dnskey-flags"/>
<must condition="not(contains(., 'ZONE')) or
../../../owner = ../../../../name">
<description>
<text>
For a Zone Key, the DNSKEY RR's owner name MUST
be the name of a zone.
</text>
</description>
<error-message>
<value>
For a Zone Key, owner name must be the zone name.
</value>
</error-message>
</must>
<must condition="contains(., 'ZONE') or
not(contains(., 'SEP'))">
<description>
<text>
Secure Entry Point flag needs Zone Key flag.
</text>
</description>
<error-message>
<value>
'secure-entry-point' is set but 'zone-key' isn't
</value>
</error-message>
<must condition="contains(., 'ZONE') or not(contains(., 'SEP'))">
<description>
<text>
Secure Entry Point flag needs Zone Key flag.
</text>
</description>
<error-message>
<value>
'secure-entry-point' is set but 'zone-key' isn't
</value>
</error-message>
</must>
<description>
<text>DNSKEY RR flags.</text>
......
......@@ -367,7 +367,16 @@ module cznic-resolver-common {
In the operation datastore, this list contains trust
anchors that are actually used by the resolver for the
domain.";
uses trust-anchor-spec;
uses trust-anchor-spec {
refine "trust-anchor-rdata/dnskey/dnskey/flags" {
must "contains(., 'SEP')" {
error-message
"Trust anchor must be a Key-Signing Key.";
description
"Trust anchor must be a Key-Signing Key.";
}
}
}
}
action add-trust-anchor {
description
......
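Review bot: The new `must "contains(., 'SEP')"` in the refine of `trust-anchor-rdata/dnskey/dnskey/flags` is a substring test on the leaf's string value, so it would also pass for any other flag name that happens to contain `SEP`. If `dnspar:dnskey-flags` is a bits type and the module is YANG 1.1 (neither is visible in this hunk), `must "bit-is-set(., 'SEP')"` states the intent exactly. The `description` only repeats the `error-message`; it could record the rationale instead, e.g. `"Only keys with the Secure Entry Point flag are accepted as trust anchors; the flag is an operator hint (RFC 4034, section 2.1.1) and does not by itself prove that the key signs the DNSKEY RRset."` The same refine is repeated in the XML section that follows, so any change applies there as well.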
......@@ -445,7 +445,22 @@
the domain.</h:p>
</text>
</description>
<uses name="trust-anchor-spec"/>
<uses name="trust-anchor-spec">
<refine target-node="trust-anchor-rdata/dnskey/dnskey/flags">
<must condition="contains(., 'SEP')">
<description>
<text>
Trust anchor must be a Key-Signing Key.
</text>
</description>
<error-message>
<value>
Trust anchor must be a Key-Signing Key.
</value>
</error-message>
</must>
</refine>
</uses>
</list>
</list>
<leaf-list name="negative-trust-anchors">
......
......@@ -37,7 +37,7 @@
},
{
"name": "cznic-dns-rdata",
"revision": "2018-10-29",
"revision": "2018-12-10",
"namespace": "https://www.nic.cz/ns/yang/dns-rdata",
"conformance-type": "import"
},
......
......@@ -31,7 +31,7 @@
},
{
"name": "cznic-dns-rdata",
"revision": "2018-10-29",
"revision": "2018-12-10",
"namespace": "https://www.nic.cz/ns/yang/dns-rdata",
"conformance-type": "import"
},
......