bind9

ComputerSurge/bind9

Fork 0

Commit Graph

Author	SHA1	Message	Date
Matthijs Mekking	5f464d15a0	dnssec-policy inheritance from options/view 'dnssec-policy' can now also be set on the options and view level and a zone that does not set 'dnssec-policy' explicitly will inherit it from the view or options level. This requires a new keyword to be introduced: 'none'. If set to 'none' the zone will not be DNSSEC maintained, in other words it will stay unsigned. You can use this to break the inheritance. Of course you can also break the inheritance by referring to a different policy. The keywords 'default' and 'none' are not allowed when configuring your own dnssec-policy statement. Add appropriate tests for checking the configuration (checkconf) and add tests to the kasp system test to verify the inheritance works. Edit the kasp system test such that it can deal with unsigned zones and views (so setting a TSIG on the query).	2019-11-06 22:36:21 +01:00
Matthijs Mekking	c9f1ec8380	Add kasp tests Add more tests for kasp: - Add tests for different algorithms. - Add a test to ensure that an edit in an unsigned zone is picked up and properly signed. - Add two tests that ensures that a zone gets signed when it is configured as so-called 'inline-signing'. In other words, a secondary zone that is configured with a 'dnssec-policy'. A zone that is transferred over AXFR or IXFR will get signed. - Add a test to ensure signatures are reused if they are still fresh enough. - Adds two more tests to verify that expired and unfresh signatures will be regenerated. - Add tests for various cases with keys already available in the key-directory.	2019-11-06 22:36:21 +01:00
Matthijs Mekking	09ac224c5c	dnssec-keygen can create keys given dnssec-policy This commit adds code for generating keys with dnssec-keygen given a specific dnssec-policy. The dnssec-policy can be set with a new option '-k'. The '-l' option can be used to set a configuration file that contains a specific dnssec-policy. Because the dnssec-policy dictates how the keys should look like, many of the existing dnssec-keygen options cannot be used together with '-k'. If the dnssec-policy lists multiple keys, dnssec-keygen has now the possibility to generate multiple keys at one run. Add two tests for creating keys with '-k': One with the default policy, one with multiple keys from the configuration.	2019-11-06 22:31:45 +01:00

Author

SHA1

Message

Date

Matthijs Mekking

5f464d15a0

dnssec-policy inheritance from options/view

'dnssec-policy' can now also be set on the options and view level and
a zone that does not set 'dnssec-policy' explicitly will inherit it
from the view or options level.

This requires a new keyword to be introduced: 'none'.  If set to
'none' the zone will not be DNSSEC maintained, in other words it will
stay unsigned.  You can use this to break the inheritance.  Of course
you can also break the inheritance by referring to a different
policy.

The keywords 'default' and 'none' are not allowed when configuring
your own dnssec-policy statement.

Add appropriate tests for checking the configuration (checkconf)
and add tests to the kasp system test to verify the inheritance
works.

Edit the kasp system test such that it can deal with unsigned zones
and views (so setting a TSIG on the query).

2019-11-06 22:36:21 +01:00

Matthijs Mekking

c9f1ec8380

Add kasp tests

Add more tests for kasp:

- Add tests for different algorithms.

- Add a test to ensure that an edit in an unsigned zone is
  picked up and properly signed.

- Add two tests that ensures that a zone gets signed when it is
  configured as so-called 'inline-signing'.  In other words, a
  secondary zone that is configured with a 'dnssec-policy'.  A zone
  that is transferred over AXFR or IXFR will get signed.

- Add a test to ensure signatures are reused if they are still
  fresh enough.

- Adds two more tests to verify that expired and unfresh signatures
  will be regenerated.

- Add tests for various cases with keys already available in the
  key-directory.

2019-11-06 22:36:21 +01:00

Matthijs Mekking

09ac224c5c

dnssec-keygen can create keys given dnssec-policy

This commit adds code for generating keys with dnssec-keygen given
a specific dnssec-policy.

The dnssec-policy can be set with a new option '-k'. The '-l'
option can be used to set a configuration file that contains a
specific dnssec-policy.

Because the dnssec-policy dictates how the keys should look like,
many of the existing dnssec-keygen options cannot be used together
with '-k'.

If the dnssec-policy lists multiple keys, dnssec-keygen has now the
possibility to generate multiple keys at one run.

Add two tests for creating keys with '-k': One with the default
policy, one with multiple keys from the configuration.

2019-11-06 22:31:45 +01:00

3 Commits