......@@ -40,7 +40,7 @@ module cznic-dns-rdata {
reference
"RFC 1035: Domain Names - Implementation and Specification.";
revision 2018-10-29 {
revision 2018-12-10 {
description
"Initial revision.";
}
......@@ -467,14 +467,6 @@ module cznic-dns-rdata {
"RFC 4034: Resource Records for the DNS Security Extensions";
leaf flags {
type dnspar:dnskey-flags;
must "not(contains(., 'ZONE')) or ../../../owner = "
+ "../../../../name" {
error-message
"For a Zone Key, owner name must be the zone name.";
description
"For a Zone Key, the DNSKEY RR's owner name MUST be the
name of a zone.";
}
must "contains(., 'ZONE') or not(contains(., 'SEP'))" {
error-message
"'secure-entry-point' is set but 'zone-key' isn't";
......@@ -730,32 +730,17 @@
</reference>
<leaf name="flags">
<type name="dnspar:dnskey-flags"/>
<must condition="not(contains(., 'ZONE')) or
../../../owner = ../../../../name">
<description>
<text>
For a Zone Key, the DNSKEY RR's owner name MUST
be the name of a zone.
</text>
</description>
<error-message>
<value>
For a Zone Key, owner name must be the zone name.
</value>
</error-message>
</must>
<must condition="contains(., 'ZONE') or
not(contains(., 'SEP'))">
<description>
<text>
Secure Entry Point flag needs Zone Key flag.
</text>
</description>
<error-message>
<value>
'secure-entry-point' is set but 'zone-key' isn't
</value>
</error-message>
<must condition="contains(., 'ZONE') or not(contains(., 'SEP'))">
<description>
<text>
Secure Entry Point flag needs Zone Key flag.
</text>
</description>
<error-message>
<value>
'secure-entry-point' is set but 'zone-key' isn't
</value>
</error-message>
</must>
<description>
<text>DNSKEY RR flags.</text>
......@@ -29,7 +29,7 @@ module cznic-resolver-common {
"This YANG module defines the common part of a data model for DNS
resolvers.";
revision 2018-10-29 {
revision 2018-12-10 {
description
"Initial revision.";
reference
......@@ -354,11 +354,29 @@ module cznic-resolver-common {
enabled.";
}
list trust-anchor {
config "false";
key "owner";
description
"List of trust anchors that are currently in use for the
"List of trust anchors.
In a configuration datastore, this list specifies the
initial set of trust anchors for the domain that is used
when the server starts. If the 'auto-update' flag is
true, this set may be later rewritten with updates
according to RFC 5011.
In the operation datastore, this list contains trust
anchors that are actually used by the resolver for the
domain.";
uses trust-anchor-spec;
uses trust-anchor-spec {
refine "trust-anchor-rdata/dnskey/dnskey/flags" {
must "contains(., 'SEP')" {
error-message
"Trust anchor must be a Key-Signing Key.";
description
"Trust anchor must be a Key-Signing Key.";
}
}
}
}
action add-trust-anchor {
description
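Review bot: Keying the now-writable `trust-anchor` list with `key "owner"` allows only one entry per owner name, so if all anchors of a domain share its name, the old and new key of an RFC 5011 rollover (which the new description refers to) cannot be configured or reported together. Consider a key that distinguishes anchors of the same owner, or state in the description that only one anchor per owner is supported. Separately, the refined `must "contains(., 'SEP')"` is attached to the `flags` leaf, which the tree section shows as optional (`flags?`), and a `must` on a leaf is evaluated only when that leaf exists. `trust-anchor-spec` is defined outside this hunk, so whether `flags` has a default is not visible here; if it has none, a DNSKEY anchor that omits `flags` would skip the Key-Signing Key check, and adding `mandatory true;` to the same `refine` would close that gap. Both points apply equally to the YIN section of this module.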
......@@ -431,12 +431,36 @@
</description>
</leaf>
<list name="trust-anchor">
<config value="false"/>
<key value="owner"/>
<description>
<text>List of trust anchors that are currently in use
for the domain.</text>
<text>
<h:p>List of trust anchors.</h:p>
<h:p>In a configuration datastore, this list specifies
the initial set of trust anchors for the domain that is
used when the server starts. If the 'auto-update' flag
is true, this set may be later rewritten with updates
according to RFC 5011.</h:p>
<h:p>In the operation datastore, this list contains
trust anchors that are actually used by the resolver for
the domain.</h:p>
</text>
</description>
<uses name="trust-anchor-spec"/>
<uses name="trust-anchor-spec">
<refine target-node="trust-anchor-rdata/dnskey/dnskey/flags">
<must condition="contains(., 'SEP')">
<description>
<text>
Trust anchor must be a Key-Signing Key.
</text>
</description>
<error-message>
<value>
Trust anchor must be a Key-Signing Key.
</value>
</error-message>
</must>
</refine>
</uses>
</list>
</list>
<leaf-list name="negative-trust-anchors">
......@@ -36,21 +36,21 @@
| | +--rw auto-update? <boolean>
| | +--rw domain <domain-name(string)>
| | +--rw key-file? <fs-path(string)>
| | +--ro trust-anchor*
| | +--ro owner? <domain-name(string)>
| | +--ro (trust-anchor-rdata)?
| | +--rw trust-anchor* [owner]
| | +--rw owner <domain-name(string)>
| | +--rw (trust-anchor-rdata)?
| | +--:(dnskey)
| | | +--ro dnskey
| | | +--ro algorithm <dnssec-algorithm(enumeration)>
| | | +--ro flags? <dnskey-flags(bits)>
| | | +--ro protocol? <uint8>
| | | +--ro public-key <binary>
| | | +--rw dnskey
| | | +--rw algorithm <dnssec-algorithm(enumeration)>
| | | +--rw flags? <dnskey-flags(bits)>
| | | +--rw protocol? <uint8>
| | | +--rw public-key <binary>
| | +--:(ds)
| | +--ro ds
| | +--ro algorithm <dnssec-algorithm(enumeration)>
| | +--ro digest <hex-digits(string)>
| | +--ro digest-type <digest-algorithm(enumeration)>
| | +--ro key-tag <uint16>
| | +--rw ds
| | +--rw algorithm <dnssec-algorithm(enumeration)>
| | +--rw digest <hex-digits(string)>
| | +--rw digest-type <digest-algorithm(enumeration)>
| | +--rw key-tag <uint16>
| +--rw logging
| | +--rw verbosity? <uint8>
| +--rw network
......@@ -10,7 +10,7 @@
},
{
"name": "cznic-resolver-common",
"revision": "2018-10-29",
"revision": "2018-12-10",
"feature": [
"set-group"
],
......@@ -37,7 +37,7 @@
},
{
"name": "cznic-dns-rdata",
"revision": "2018-10-29",
"revision": "2018-12-10",
"namespace": "https://www.nic.cz/ns/yang/dns-rdata",
"conformance-type": "import"
},
......@@ -61,4 +61,4 @@
}
]
}
}
\ No newline at end of file
}
......@@ -4,7 +4,7 @@
"module": [
{
"name": "cznic-resolver-common",
"revision": "2018-10-29",
"revision": "2018-12-10",
"feature": [
"set-group"
],
......@@ -31,7 +31,7 @@
},
{
"name": "cznic-dns-rdata",
"revision": "2018-10-29",
"revision": "2018-12-10",
"namespace": "https://www.nic.cz/ns/yang/dns-rdata",
"conformance-type": "import"
},