Introduce dnssec-policy configuration

This commit introduces the initial `dnssec-policy` configuration
statement. It has an initial set of options to deal with signature
and key maintenance.

Add some checks to ensure that dnssec-policy is configured at the
right locations, and that policies referenced to in zone statements
actually exist.

Add some checks that when a user adds the new `dnssec-policy`
configuration, it will no longer contain existing DNSSEC
configuration options.  Specifically: `inline-signing`,
`auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
`update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
and `sig-validity-interval`.

Test a good kasp configuration, and some bad configurations.

bin/tests/system/checkconf/bad-kasp1.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-policy "notatzonelevel";
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+};
+

bin/tests/system/checkconf/bad-kasp2.conf

@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
+// configuration options (auto-dnssec).
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "test";
+	auto-dnssec maintain;
+	allow-update { any; };
+};

bin/tests/system/checkconf/bad-kasp3.conf

@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy with no matching
+// dnssec-policy configuration (good-kasp.conf has "test", zone refers to
+// "nosuchpolicy".
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "nosuchpolicy";
+};
+

bin/tests/system/checkconf/bad-kasp4.conf

@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Bad kasp configuration because this has an invalid duration for
+// signatures-refresh.
+dnssec-policy "badduration" {
+	signatures-refresh PT20Sabcd;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "badduration";
+};
+

bin/tests/system/checkconf/clean.sh

@@ -10,6 +10,7 @@
 # information regarding copyright ownership.
 
 rm -f good.conf.in good.conf.out badzero.conf *.out
+rm -f good-kasp.conf.in
 rm -rf test.keydir
 rm -f checkconf.out*
 rm -f diff.out*

bin/tests/system/checkconf/good-kasp.conf

@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of DNSSEC configuration options.
+ */
+
+/* cut here */
+dnssec-policy "test" {
+	dnskey-ttl 3600;
+	keys {
+		ksk key-directory P1Y 13 256;
+		zsk key-directory P30D 13;
+		csk key-directory P30D 8 2048;
+	};
+	publish-safety PT3600S;
+	retire-safety PT3600S;
+	signatures-refresh P3D;
+	signatures-validity P2W;
+	signatures-validity-dnskey P14D;
+	zone-max-ttl 86400;
+	zone-propagation-delay PT5M;
+	parent-ds-ttl 7200;
+	parent-propagation-delay PT1H;
+	parent-registration-delay P1D;
+};
+options {
+	dnssec-policy "default";
+};
+zone "example1" {
+	type master;
+	dnssec-policy "test";
+	file "example1.db";
+};
+zone "example2" {
+	type master;
+	dnssec-policy "default";
+	file "example2.db";
+};

bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf

@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+zone "nsec3.net" {
+	type master;
+	file "nsec3.db";
+	dnssec-policy "test";
+	auto-dnssec maintain;
+	dnskey-sig-validity 3600;
+	dnssec-dnskey-kskonly yes;
+	dnssec-secure-to-insecure yes;
+	dnssec-update-mode maintain;
+	inline-signing yes;
+	sig-validity-interval 3600;
+	update-check-ksk yes;
+	allow-update { any; };
+};
+

bin/tests/system/checkconf/tests.sh

@@ -466,5 +466,38 @@ grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp warnings ($n)"
+ret=0
+$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1
+grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "inline-signing: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a good 'kasp' configuration is accepted ($n)"
+ret=0
+$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf prints a known good kasp config ($n)"
+ret=0
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
+[ -s good-kasp.conf.in ] || ret=1
+$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
+cmp good-kasp.conf.in good-kasp.conf.out || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1