From 313de3a7e2f3cb85c7c9ba4e96905aa7ea4373dc Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 8 Feb 2021 12:02:19 +0100 Subject: [PATCH] Add purge-keys config option Add a new option 'purge-keys' to 'dnssec-policy' that will purge key files for deleted keys. The option determines how long key files should be retained prior to removing the corresponding files from disk. If set to 0, the option is disabled and 'named' will not remove key files from disk. --- bin/named/named.conf.rst | 1 + bin/tests/system/checkconf/good.conf | 1 + doc/arm/reference.rst | 9 +++++++++ doc/design/dnssec-policy | 2 +- doc/dnssec-guide/signing.rst | 14 ++++++++++---- doc/man/named.conf.5in | 1 + doc/misc/dnssec-policy.default.conf | 1 + doc/misc/dnssec-policy.grammar.rst | 1 + doc/misc/options | 1 + doc/misc/options.active | 1 + lib/dns/include/dns/kasp.h | 26 ++++++++++++++++++++++++++ lib/dns/kasp.c | 17 +++++++++++++++++ lib/dns/win32/libdns.def.in | 2 ++ lib/isccfg/kaspconf.c | 2 ++ lib/isccfg/namedconf.c | 1 + 15 files changed, 75 insertions(+), 5 deletions(-) diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index 08a1476bc3..87a8d12cd8 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -71,6 +71,7 @@ DNSSEC-POLICY parent-ds-ttl duration; parent-propagation-delay duration; publish-safety duration; + purge-keys duration; retire-safety duration; signatures-refresh duration; signatures-validity duration; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index e23fd25060..e09b9e802b 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -26,6 +26,7 @@ dnssec-policy "test" { parent-ds-ttl 7200; parent-propagation-delay PT1H; publish-safety PT3600S; + purge-keys P90D; retire-safety PT3600S; signatures-refresh P3D; signatures-validity P2W; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 641a0054fc..bb1fadeeee 100644 --- a/doc/arm/reference.rst 
+++ b/doc/arm/reference.rst @@ -4980,6 +4980,15 @@ The following options can be specified in a ``dnssec-policy`` statement: bits. If it is omitted, as shown in the example for the second and third keys, an appropriate default size for the algorithm is used. + ``purge-keys`` + This is the time after when DNSSEC keys that have been deleted from + the zone can be removed from disk. If a key still determined to have + presence (for example in some resolver cache), ``named`` will not + remove the key files. + + The default is ``P90D`` (90 days). Set this option to ``0`` to never + purge deleted keys. + ``publish-safety`` This is a margin that is added to the pre-publication interval in rollover timing calculations, to give some extra time to cover diff --git a/doc/design/dnssec-policy b/doc/design/dnssec-policy index d8457bde08..344863e403 100644 --- a/doc/design/dnssec-policy +++ b/doc/design/dnssec-policy @@ -135,7 +135,7 @@ dnssec-policy "nsec3" { publish-safety PT3600S; retire-safety PT3600S; share-keys no; - purge-keys-after P14D; + purge-keys P90D; keys { ksk key-directory P5Y ECDSAP256SHA256; diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index cf6545c126..c660c13a7c 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -753,9 +753,10 @@ keys. The following is an example of such a clause: The policy has multiple parts: -- The name must be specified. As each zone can use a different policy, ``named`` needs to - be able to distinguish between policies. This is done by giving each - policy a name, such as ``standard`` in the above example. +- The name must be specified. As each zone can use a different policy, + ``named`` needs to be able to distinguish between policies. This is + done by giving each policy a name, such as ``standard`` in the above + example. - The ``keys`` clause lists all keys that should be in the zone, along with their associated parameters. In this example, we are using the 
@@ -782,7 +783,7 @@ The policy has multiple parts: long the signatures on the DNSKEY and non-DNSKEY records are valid, and how often BIND should re-sign the zone. -- Finally, the parameters ending in ``-safety`` are there to give +- The parameters ending in ``-safety`` are there to give you a bit of leeway in case a key roll doesn't go to plan. When introduced into the zone, the ``publish-safety`` time is the amount of additional time, over and above that calculated from the other @@ -792,6 +793,11 @@ The policy has multiple parts: other parameters, during which the old key is retained in the zone before being removed. +- Finally, the ``purge-keys`` option allows you to clean up key files + automatically after a period of time. If a key has been removed from the + zone, this option will determine how long its key files will be retained + on disk. + (You do not have to specify all the items listed above in your policy definition. Any that are not set simply take the default value.) diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index a26bcf3c0b..41a3a112d9 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -110,6 +110,7 @@ dnssec\-policy string { parent\-ds\-ttl duration; parent\-propagation\-delay duration; publish\-safety duration; + purge\-keys duration; retire\-safety duration; signatures\-refresh duration; signatures\-validity duration; diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf index 195516b40b..1903c472f1 100644 --- a/doc/misc/dnssec-policy.default.conf +++ b/doc/misc/dnssec-policy.default.conf @@ -8,6 +8,7 @@ dnssec-policy "default" { dnskey-ttl 3600; publish-safety 1h; retire-safety 1h; + purge-keys P90D; // Signature timings signatures-refresh 5d; diff --git a/doc/misc/dnssec-policy.grammar.rst b/doc/misc/dnssec-policy.grammar.rst index e826ccab4e..da4803c922 100644 --- a/doc/misc/dnssec-policy.grammar.rst +++ b/doc/misc/dnssec-policy.grammar.rst 
@@ -10,6 +10,7 @@
 parent-ds-ttl ;
 parent-propagation-delay ;
 publish-safety ;
+ purge-keys ;
 retire-safety ;
 signatures-refresh ;
 signatures-validity ;
diff --git a/doc/misc/options b/doc/misc/options
index 39da1adf99..a297bf9e00 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -32,6 +32,7 @@ dnssec-policy {
 parent-propagation-delay ;
 parent-registration-delay ; // obsolete
 publish-safety ;
+ purge-keys ;
 retire-safety ;
 signatures-refresh ;
 signatures-validity ;
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 9ac0f03351..c103a5e4b8 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -31,6 +31,7 @@ dnssec-policy {
 parent-ds-ttl ;
 parent-propagation-delay ;
 publish-safety ;
+ purge-keys ;
 retire-safety ;
 signatures-refresh ;
 signatures-validity ;
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index e49b01a177..d39ad80e79 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -89,6 +89,7 @@ struct dns_kasp {
 /* Configuration: Timings */
 uint32_t publish_safety;
 uint32_t retire_safety;
+ uint32_t purge_keys;
 /* Zone settings */
 dns_ttl_t zone_max_ttl;
@@ -109,6 +110,7 @@ struct dns_kasp {
 #define DNS_KASP_KEY_TTL (3600)
 #define DNS_KASP_DS_TTL (86400)
 #define DNS_KASP_PUBLISH_SAFETY (3600)
+#define DNS_KASP_PURGE_KEYS (86400 * 90)
 #define DNS_KASP_RETIRE_SAFETY (3600)
 #define DNS_KASP_ZONE_MAXTTL (86400)
 #define DNS_KASP_ZONE_PROPDELAY (300)
@@ -306,6 +308,30 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
 *\li 'kasp' is a valid, thawed kasp.
 */
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp);
+/*%<
+ * Get purge keys interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Purge keys interval.
+ */
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set purge keys interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, thawed kasp.
+ */
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp);
 /*%<
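Review bot: The accessor comments in the third kasp.h hunk (`Get purge keys interval.` / `*\li Purge keys interval.`) omit the two facts a caller of `dns_kasp_purgekeys()` needs: the unit, and that zero is a sentinel. The default `DNS_KASP_PURGE_KEYS (86400 * 90)` next to the documented default of `P90D` shows the value is a count of seconds, and the commit message says 0 disables purging entirely, yet neither this header comment nor the new `uint32_t purge_keys;` field in the struct hunk say so. I would change the Returns line to `*\li Purge keys interval in seconds; 0 means key files of deleted keys are never removed from disk.` and add `*\li 'value' is in seconds; 0 disables purging.` to the `dns_kasp_setpurgekeys()` block. Because the consumer of this value ends up unlinking private key material, an unambiguous sentinel contract here is worth the two lines.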
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 5a0cd30286..177b97f289 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -53,6 +53,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 kasp->dnskey_ttl = DNS_KASP_KEY_TTL;
 kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
 kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
+ kasp->purge_keys = DNS_KASP_PURGE_KEYS;
 kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
 kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
@@ -203,6 +204,22 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
 kasp->dnskey_ttl = ttl;
 }
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+
+ return (kasp->purge_keys);
+}
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(!kasp->frozen);
+
+ kasp->purge_keys = value;
+}
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp) {
 REQUIRE(DNS_KASP_VALID(kasp));
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 2dce5121e8..8f09bf0971 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -442,6 +442,7 @@ dns_kasp_nsec3iter
 dns_kasp_nsec3saltlen
 dns_kasp_parentpropagationdelay
 dns_kasp_publishsafety
+dns_kasp_purgekeys
 dns_kasp_retiresafety
 dns_kasp_setdnskeyttl
 dns_kasp_setdsttl
@@ -449,6 +450,7 @@ dns_kasp_setnsec3
 dns_kasp_setnsec3param
 dns_kasp_setparentpropagationdelay
 dns_kasp_setpublishsafety
+dns_kasp_setpurgekeys
 dns_kasp_setretiresafety
 dns_kasp_setsigrefresh
 dns_kasp_setsigvalidity
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 3e0e0874f4..b8fa1f8225 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -315,6 +315,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
 DNS_KASP_PUBLISH_SAFETY));
 dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
 DNS_KASP_RETIRE_SAFETY));
+ dns_kasp_setpurgekeys(
+ kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS));
 (void)confget(maps, "keys", &keys);
 if (keys != NULL) {
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7c29970a81..56fc96b407 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2131,6 +2131,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 { "parent-registration-delay", &cfg_type_duration,
 CFG_CLAUSEFLAG_OBSOLETE },
 { "publish-safety", &cfg_type_duration, 0 },
+ { "purge-keys", &cfg_type_duration, 0 },
 { "retire-safety", &cfg_type_duration, 0 },
 { "signatures-refresh", &cfg_type_duration, 0 },
 { "signatures-validity", &cfg_type_duration, 0 },
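Review bot: `dns_kasp_setpurgekeys(kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS))` stores whatever duration the operator configured with no sanity check, even though the commit description says this value decides when key files are deleted from disk. A non-zero `purge-keys` shorter than the window in which a retired key can still be needed (the ARM text added by this patch says a key that still has "presence" must not be purged, and the same policy already carries `retire-safety`, `parent-ds-ttl` and `parent-propagation-delay`) could let the purge logic unlink private keys the zone may still have to sign with or roll back to; the purge implementation is not in this patch, so I cannot tell whether it re-checks key state before unlinking. I would at least reject or warn on such a value here, next to the existing per-field handling in `cfg_kasp_fromconfig()` (whose body starts and ends outside this hunk), comparing the raw `get_duration()` results rather than calling the kasp getters, since the getters in kasp.c `REQUIRE(kasp->frozen)` and the kasp is still thawed at this point: `uint32_t purge = get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS);` then `if (purge != 0 && purge < get_duration(maps, "retire-safety", DNS_KASP_RETIRE_SAFETY)) { cfg_obj_log(...); return (ISC_R_RANGE); }`, with the lower bound set to whatever the purge code actually requires.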