diff --git a/bin/named/config.c b/bin/named/config.c
index b5548b3631..0f1d3700af 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -308,6 +308,7 @@ dnssec-policy \"default\" {\n\
 };\n\
 \n\
 dnssec-policy \"insecure\" {\n\
+ max-zone-ttl 0; \n\
 keys { };\n\
 inline-signing yes;\n\
 };\n\
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 1759da7837..35291d47c9 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1502,7 +1502,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 }
 if (use_kasp) {
- maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
+ maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false);
 } else {
 obj = NULL;
 result = named_config_get(maps, "max-zone-ttl", &obj);
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index 88b6157233..9a32f586b2 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -415,9 +415,11 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
 */
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp);
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback);
 /*%<
- * Get maximum zone TTL.
+ * Get maximum zone TTL. If 'fallback' is true, return a default maximum TTL
+ * if the maximum zone TTL is set to unlimited (value 0). Fallback should be
+ * used if determining key rollover timings in keymgr.c
 *
 * Requires:
 *
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index c6fa9aa8ab..54fe4444f6 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -29,6 +29,9 @@
 #include 
+/* Default TTLsig (maximum zone ttl) */
+#define DEFAULT_TTLSIG 86400
+
 isc_result_t
 dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 dns_kasp_t *kasp;
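Review bot: The added line of the builtin policy string, `+ max-zone-ttl 0; \n\`, carries a trailing space before the `\n` while the sibling lines in the same literal (`keys { };\n\`, `inline-signing yes;\n\`) have none; `+ max-zone-ttl 0;\n\` keeps the embedded text consistent. The space is harmless to the parser but lands in every dump of the builtin configuration.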
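Review bot: The bare `false` in `maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false);` does not tell a reader that zone loading deliberately keeps 0 as "no limit" instead of substituting the rollover default used in keymgr.c; a one-line comment above the call, `/* no fallback: 0 means the zone's TTLs are not capped */`, would document that choice at the only call site that passes false. The enclosing named_zone_configure body continues outside the hunk.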
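Review bot: The new header comment says a "default maximum TTL" is returned when `fallback` is true but never states what that value is or its unit, so a keymgr reader has to open kasp.c to learn what timing assumption is being made; naming it in the header, e.g. `* if the maximum zone TTL is set to unlimited (value 0); the default is one day (86400 seconds).`, keeps the contract where callers read it. The last added sentence also reads better as `* used when determining key rollover timings in keymgr.c.`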
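Review bot: `#define DEFAULT_TTLSIG 86400` has no unit and the comment `/* Default TTLsig (maximum zone ttl) */` does not say when the value is used; `/* Default TTLsig in seconds (one day), used by keymgr when max-zone-ttl is 0 (unlimited) */` would cover both. Since the file's other policy defaults are presumably expressed the same way, a comment stating the unit at this one definition is enough.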
@@ -264,10 +267,13 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
 }
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback) {
 REQUIRE(DNS_KASP_VALID(kasp));
 REQUIRE(kasp->frozen);
+ if (kasp->zone_max_ttl == 0 && fallback) {
+ return (DEFAULT_TTLSIG);
+ }
 return (kasp->zone_max_ttl);
 }
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 5dd4e1b0ec..ea8dfb788b 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -131,11 +131,11 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
 ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
 if (ret == ISC_R_SUCCESS && zsk) {
+ dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 /* ZSK: Iret = Dsgn + Dprp + TTLsig */
- zsk_remove = retire + dns_kasp_zonemaxttl(kasp) +
- dns_kasp_zonepropagationdelay(kasp) +
- dns_kasp_retiresafety(kasp) +
- dns_kasp_signdelay(kasp);
+ zsk_remove =
+ retire + ttlsig + dns_kasp_zonepropagationdelay(kasp) +
+ dns_kasp_retiresafety(kasp) + dns_kasp_signdelay(kasp);
 }
 ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
 if (ret == ISC_R_SUCCESS && ksk) {
@@ -178,7 +178,8 @@ keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
 if (first) {
 /* Also need to wait until the signatures are omnipresent. */
 isc_stdtime_t zrrsig_present;
- zrrsig_present = published + dns_kasp_zonemaxttl(kasp) +
+ dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+ zrrsig_present = published + ttlsig +
 dns_kasp_zonepropagationdelay(kasp) +
 dns_kasp_publishsafety(kasp);
 if (zrrsig_present > syncpublish) {
@@ -259,7 +260,9 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 * No predecessor, wait for zone to be
 * completely signed.
 */
- syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
+ dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
+ true);
+ syncpub2 = pub + ttlsig +
 dns_kasp_publishsafety(kasp) +
 dns_kasp_zonepropagationdelay(kasp);
 }
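Review bot: The value returned by the new branch `if (kasp->zone_max_ttl == 0 && fallback)` stands in for the longest time old RRSIGs may sit in resolver caches, but max-zone-ttl 0 means named does not cap the zone's record TTLs, so any RRset with a TTL above DEFAULT_TTLSIG makes the keymgr's Iret and omnipresence estimates too short and a retired key can be withdrawn while its signatures are still cached. That is an operator-facing assumption and belongs at the branch, e.g. `/* 0 means unlimited: the zone's TTLs are not capped, so this is only an estimate for rollover timing */`. Whether named warns elsewhere about zone TTLs exceeding this default is not visible in the diff.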
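Review bot: In the keymgr_prepublication_time hunk the new declaration `dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);` is inserted between the `/* No predecessor, wait for zone to be completely signed. */` comment and the `syncpub2 = ...` statement that comment describes, so the comment now reads as if it explains the TTL fetch. Placing the declaration above the comment block keeps the comment adjacent to the assignment it documents and also avoids the awkward two-line wrap of the argument list. The enclosing function body continues outside the hunk.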
@@ -1239,6 +1242,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type, isc_stdtime_t now,
 isc_stdtime_t *when) {
 isc_result_t ret;
 isc_stdtime_t lastchange, dstime, nexttime = now;
+ dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 /*
 * No need to wait if we move things into an uncertain state.
@@ -1311,7 +1315,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 *
 * We will also add the retire-safety interval.
 */
- nexttime = lastchange + dns_kasp_zonemaxttl(kasp) +
+ nexttime = lastchange + ttlsig +
 dns_kasp_zonepropagationdelay(kasp) +
 dns_kasp_retiresafety(kasp);
 /*
@@ -1584,9 +1588,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
 /* Get time metadata. */
 ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
 if (active <= now && ret == ISC_R_SUCCESS) {
- dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
- zone_ttl += dns_kasp_zonepropagationdelay(kasp);
- if ((active + zone_ttl) <= now) {
+ dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+ ttlsig += dns_kasp_zonepropagationdelay(kasp);
+ if ((active + ttlsig) <= now) {
 zrrsig_state = OMNIPRESENT;
 } else {
 zrrsig_state = RUMOURED;
@@ -1617,9 +1621,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
 }
 ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
 if (retire <= now && ret == ISC_R_SUCCESS) {
- dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
- zone_ttl += dns_kasp_zonepropagationdelay(kasp);
- if ((retire + zone_ttl) <= now) {
+ dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+ ttlsig += dns_kasp_zonepropagationdelay(kasp);
+ if ((retire + ttlsig) <= now) {
 zrrsig_state = HIDDEN;
 } else {
 zrrsig_state = UNRETENTIVE;
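Review bot: `dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);` now runs unconditionally on entry to keymgr_transition_time, whereas the call it replaces (the removed line in the second hunk, at old line 1314) sat inside a branch; dns_kasp_zonemaxttl REQUIREs a valid, frozen kasp, so if any caller can reach this function with a NULL or not-yet-frozen kasp the assertion now fires before the branch logic decides the TTL is needed. If every caller guarantees a frozen kasp, a comment at the declaration, `/* kasp is always valid and frozen here; fetched once for the TTLsig-based waits below */`, records why the hoist is safe. The function body continues outside both hunks, so the callers' guarantee cannot be checked from the diff.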
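Review bot: In keymgr_key_init the variable is introduced as `ttlsig` and then `ttlsig += dns_kasp_zonepropagationdelay(kasp);` turns it into TTLsig plus propagation delay, so the name no longer matches its contents at the comparison; the same pattern is in the last hunk at new line 1621. Keeping the TTL unmodified and spelling the sum out, `if ((active + ttlsig + dns_kasp_zonepropagationdelay(kasp)) <= now) {` (and `retire + ttlsig + ...` in the last hunk), matches the `Iret = Dsgn + Dprp + TTLsig` style of comment used earlier in the file and removes the misleading rename.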