From 88a687106fc879d0495e7325f0dcc61bb6b3aa57 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 5 Jul 2023 10:59:24 +0200
Subject: [PATCH] Obsolete sig-validity-interval dnskey-sig-validity
These two configuration options worked in conjunction with 'auto-dnssec' to set the signature validity, and thus are now obsoleted.
---
 bin/named/config.c | 2 -
 bin/named/zoneconf.c | 49 ++-----------
 bin/tests/system/autosign/tests.sh | 2 +-
 .../system/checkconf/bad-dnskey-validity.conf | 16 -----
 .../system/checkconf/bad-sig-validity.conf | 16 -----
 .../checkconf/good-dnskey-validity-3660.conf | 16 -----
 .../checkconf/good-dnskey-validity-zero.conf | 16 -----
 .../kasp-and-other-dnssec-options.conf | 2 -
 bin/tests/system/checkconf/tests.sh | 3 +-
 bin/tests/system/dnssec/ns3/sign.sh | 2 +-
 bin/tests/system/dnssec/tests.sh | 4 +-
 doc/arm/reference.rst | 41 ++---------
 doc/misc/options | 8 +--
 doc/misc/primary.zoneopt | 4 +-
 doc/misc/secondary.zoneopt | 4 +-
 lib/isccfg/check.c | 71 -------------------
 lib/isccfg/namedconf.c | 4 +-
 17 files changed, 23 insertions(+), 237 deletions(-)
 delete mode 100644 bin/tests/system/checkconf/bad-dnskey-validity.conf
 delete mode 100644 bin/tests/system/checkconf/bad-sig-validity.conf
 delete mode 100644 bin/tests/system/checkconf/good-dnskey-validity-3660.conf
 delete mode 100644 bin/tests/system/checkconf/good-dnskey-validity-zero.conf
diff --git a/bin/named/config.c b/bin/named/config.c
index 7e981f85d1..a13cd73844 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -240,8 +240,6 @@ options {\n\
 sig-signing-nodes 100;\n\
 sig-signing-signatures 10;\n\
 sig-signing-type 65534;\n\
- sig-validity-interval 30; /* days */\n\
- dnskey-sig-validity 0; /* default: sig-validity-interval */\n\
 transfer-source *;\n\
 transfer-source-v6 *;\n\
 try-tcp-refresh yes; /* BIND 8 compat */\n\
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index ca29ebdc48..dcf4cad762 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -905,7 +905,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 dns_stats_t *rcvquerystats;
 dns_stats_t *dnssecsignstats;
 dns_zonestat_level_t statlevel = dns_zonestat_none;
- int seconds;
 dns_ttl_t maxttl = 0; /* unlimited */
 dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
 bool transferinsecs = ns_server_getoption(named_g_server->sctx,
@@ -1547,11 +1546,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 * use inline-signing (raw != NULL).
 */
 if (ztype == dns_zone_primary || raw != NULL) {
- const cfg_obj_t *validity, *resign;
- bool allow = false, maint = false;
- bool sigvalinsecs;
- if (use_kasp) {
+ int seconds;
+ if (dns_kasp_nsec3(kasp)) {
 result = dns_zone_setnsec3param(
 zone, 1, dns_kasp_nsec3flags(kasp),
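Review bot: The rewritten block at 1547 calls `dns_kasp_nsec3(kasp)` with no guard, whereas the removed `if (use_kasp) {` kept that call behind a policy check; if a primary or inline-signed zone can still be configured without a `dnssec-policy` (that is, with `kasp` NULL), this is a NULL dereference on zone load, and if every such zone now carries a policy, an `INSIST(kasp != NULL);` ahead of the call would record that invariant where the old guard used to be. The `use_kasp` variable is presumably still declared earlier in the function; if this hunk removed its last use, it will now draw an unused-variable warning. named_zone_configure starts and ends outside the hunk.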
@@ -1563,53 +1560,15 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 zone, 0, 0, 0, 0, NULL, true, false);
 }
 INSIST(result == ISC_R_SUCCESS);
- }
- if (use_kasp) {
 seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
- } else {
- obj = NULL;
- result = named_config_get(maps, "dnskey-sig-validity",
- &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
- seconds = cfg_obj_asuint32(obj) * 86400;
- }
- dns_zone_setkeyvalidityinterval(zone, seconds);
+ dns_zone_setkeyvalidityinterval(zone, seconds);
- if (use_kasp) {
 seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
 dns_zone_setsigvalidityinterval(zone, seconds);
+ seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
 dns_zone_setsigresigninginterval(zone, seconds);
- } else {
- obj = NULL;
- result = named_config_get(maps, "sig-validity-interval",
- &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
-
- sigvalinsecs = ns_server_getoption(
- named_g_server->sctx, NS_SERVER_SIGVALINSECS);
- validity = cfg_tuple_get(obj, "validity");
- seconds = cfg_obj_asuint32(validity);
- if (!sigvalinsecs) {
- seconds *= 86400;
- }
- dns_zone_setsigvalidityinterval(zone, seconds);
-
- resign = cfg_tuple_get(obj, "re-sign");
- if (cfg_obj_isvoid(resign)) {
- seconds /= 4;
- } else if (!sigvalinsecs) {
- uint32_t r = cfg_obj_asuint32(resign);
- if (seconds > 7 * 86400) {
- seconds = r * 86400;
- } else {
- seconds = r * 3600;
- }
- } else {
- seconds = cfg_obj_asuint32(resign);
- }
- dns_zone_setsigresigninginterval(zone, seconds);
 }
 obj = NULL;
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 5a31e29ee3..6d3bc27356 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
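Review bot: `seconds` is declared `int seconds;` in the preceding hunk, yet every assignment that survives here is a `(uint32_t)` cast (`dns_kasp_sigvalidity_dnskey`, `dns_kasp_sigvalidity`, `dns_kasp_sigrefresh`) and the value is handed straight to the `dns_zone_set*interval()` setters, so the cast is immediately undone by an unsigned-to-signed conversion that is implementation-defined for values above INT_MAX. The signed type was only needed by the removed day-to-second arithmetic; declaring `uint32_t seconds;` and dropping the three casts would make the intermediate match the kasp accessors, subject to checking the setters' prototypes, which are outside this diff. named_zone_configure continues beyond the hunk.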
@@ -91,7 +91,7 @@ checkjitter () {
 _count=0
 # Check if we have at least 4 days
- # This number has been tuned for `sig-validity-interval 10 2`, as
+ # This number has been tuned for `signatures-validity 10d; signatures-refresh 2d`, as
 # 1 signature expiration dates should be spread out across at most 8 (10-2) days
 # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
 # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2)
diff --git a/bin/tests/system/checkconf/bad-dnskey-validity.conf b/bin/tests/system/checkconf/bad-dnskey-validity.conf
deleted file mode 100644
index 8c28ac5cc7..0000000000
--- a/bin/tests/system/checkconf/bad-dnskey-validity.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnskey-sig-validity 5000; /* maximum value 10 years, this is 14 */
-};
diff --git a/bin/tests/system/checkconf/bad-sig-validity.conf b/bin/tests/system/checkconf/bad-sig-validity.conf
deleted file mode 100644
index 1744ebafe4..0000000000
--- a/bin/tests/system/checkconf/bad-sig-validity.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- sig-validity-interval 5000;
-};
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-3660.conf b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
deleted file mode 100644
index 4e0a7ee908..0000000000
--- a/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnskey-sig-validity 3660; /* maximum value 10 years */
-};
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
deleted file mode 100644
index 5da41b869e..0000000000
--- a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnskey-sig-validity 0; /* 0 is disabled */
-};
diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
index 3b9ad8e51f..0626afb9d4 100644
--- a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
+++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
@@ -17,10 +17,8 @@ zone "nsec3.net" {
 type primary;
 file "nsec3.db";
 dnssec-policy "test";
- dnskey-sig-validity 3600;
 dnssec-dnskey-kskonly yes;
 dnssec-update-mode maintain;
 inline-signing no;
- sig-validity-interval 3600;
 update-check-ksk yes;
 };
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 0b95d7bff1..0d93b8bfae 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -490,11 +490,10 @@ echo_i "checking named-checkconf kasp errors ($n)"
 ret=0
 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
 grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
-grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
-grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 2d3b56a1ba..cf19cfc6e9 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -570,7 +570,7 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone"
 zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 #
-# A zone which will change its sig-validity-interval
+# A zone which will change its signatures-validity
 #
 zone=siginterval.example
 infile=siginterval.example.db.in
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index cba1089a14..38dd7e4544 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
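Review bot: The added `grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1` in the checkconf hunk at 490 is a byte-for-byte duplicate of the unchanged grep three lines above it, so it adds no coverage while the two greps for the obsoleted options are replaced by nothing. If the intent was to verify that named-checkconf now flags `sig-validity-interval` and `dnskey-sig-validity` in this fixture as obsolete, the added line should grep for that diagnostic instead (its exact wording depends on how CFG_CLAUSEFLAG_OBSOLETE is reported, which is outside this diff); otherwise the line should simply be dropped. Note that the fixture hunk in kasp-and-other-dnssec-options.conf removes both options, so as written nothing in this test exercises the obsolete path at all.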
@@ -4345,9 +4345,9 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-echo_i "checking sig-validity-interval second field hours vs days ($n)"
+echo_i "checking signatures-validity second field hours vs days ($n)"
 ret=0
-# zone configured with 'sig-validity-interval 500 499;'
+# zone configured with 'signatures-validity 500 499;'
 # 499 days in the future w/ a 20 minute runtime to now allowance
 min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
 dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index b64235e0e8..0d5ef3d09a 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
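Review bot: The updated comment `# zone configured with 'signatures-validity 500 499;'` carries the two-value form of the removed sig-validity-interval option over to an option that, judging by the autosign hunk's `signatures-validity 10d; signatures-refresh 2d`, takes a single duration and pairs with signatures-refresh, so the comment now describes syntax the new option does not have; the echo_i text `second field hours vs days` likewise names a distinction that presumably no longer exists. If the ns2 zone was migrated the same way, something like `# zone configured with 'signatures-validity 500d; signatures-refresh 499d;'` (values illustrative) would match it. The zone's actual configuration, and whether this test still checks what its name says, are outside this diff.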
@@ -4165,47 +4165,14 @@ Tuning
 This sets the base retry interval in milliseconds. The default is ``800``.
 .. namedconf:statement:: sig-validity-interval
- :tags: dnssec
- :short: Specifies the maximum number of days that RRSIGs generated by :iscman:`named` are valid.
+ :tags: obsolete
- This specifies the upper bound of the number of days that RRSIGs
- generated by :iscman:`named` are valid; the default is ``30`` days,
- with a maximum of 3660 days (10 years). The optional second value
- specifies the minimum bound on those RRSIGs and also determines
- how long before expiry :iscman:`named` starts regenerating those RRSIGs.
- The default value for the lower bound is 1/4 of the upper bound;
- it is expressed in days if the upper bound is greater than 7,
- and hours if it is less than or equal to 7 days.
-
- When new RRSIGs are generated, the length of time is randomly
- chosen between these two limits, to spread out the re-signing
- load. When RRSIGs are re-generated, the upper bound is used, with
- a small amount of jitter added. New RRSIGs are generated by a
- number of processes, including the processing of UPDATE requests
- (ref:`dynamic_update`), the addition and removal of records via
- in-line signing, and the initial signing of a zone.
-
- The signature inception time is unconditionally set to one hour
- before the current time, to allow for a limited amount of clock skew.
-
- The :any:`sig-validity-interval` can be overridden for DNSKEY records by
- setting :any:`dnskey-sig-validity`.
-
- The :any:`sig-validity-interval` should be at least several multiples
- of the SOA expire interval, to allow for reasonable interaction
- between the various timer and expiry dates.
+ This option no longer has any effect.
 .. namedconf:statement:: dnskey-sig-validity
- :tags: dnssec
- :short: Specifies the number of days in the future when automatically generated DNSSEC signatures expire.
+ :tags: obsolete
- This specifies the number of days into the future when DNSSEC signatures
- that are automatically generated for DNSKEY RRsets as a result of
- dynamic updates (:ref:`dynamic_update`) will expire.
- If set to a non-zero value, this overrides the value set by
- :any:`sig-validity-interval`. The default is zero, meaning
- :any:`sig-validity-interval` is used. The maximum value is 3660 days (10
- years), and higher values are rejected.
+ This option no longer has any effect.
 .. namedconf:statement:: sig-signing-nodes
 :tags: dnssec
diff --git a/doc/misc/options b/doc/misc/options
index 2a2847dd90..674ceb536f 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -110,7 +110,7 @@ options {
 }; // may occur multiple times
 dns64-contact ;
 dns64-server ;
- dnskey-sig-validity ;
+ dnskey-sig-validity ; // obsolete
 dnsrps-enable ; // not configured
 dnsrps-library ; // not configured
 dnsrps-options { }; // not configured
@@ -265,7 +265,7 @@ options {
 sig-signing-nodes ;
 sig-signing-signatures ;
 sig-signing-type ;
- sig-validity-interval [ ];
+ sig-validity-interval [ ]; // obsolete
 sortlist { ; ... };
 stale-answer-client-timeout ( disabled | off | );
 stale-answer-enable ;
@@ -409,7 +409,7 @@ view [ ] {
 }; // may occur multiple times
 dns64-contact ;
 dns64-server ;
- dnskey-sig-validity ;
+ dnskey-sig-validity ; // obsolete
 dnsrps-enable ; // not configured
 dnsrps-options { }; // not configured
 dnssec-accept-expired ;
@@ -556,7 +556,7 @@ view [ ] {
 sig-signing-nodes ;
 sig-signing-signatures ;
 sig-signing-type ;
- sig-validity-interval [ ];
+ sig-validity-interval [ ]; // obsolete
 sortlist { ; ... };
 stale-answer-client-timeout ( disabled | off | );
 stale-answer-enable ;
diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
index 313ed21f8c..7f03bd6472 100644
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@@ -19,7 +19,7 @@ zone [ ] {
 database ;
 dialup ( notify | notify-passive | passive | refresh | );
 dlz ;
- dnskey-sig-validity ;
+ dnskey-sig-validity ; // obsolete
 dnssec-dnskey-kskonly ;
 dnssec-loadkeys-interval ;
 dnssec-policy ;
@@ -53,7 +53,7 @@ zone [ ] {
 sig-signing-nodes ;
 sig-signing-signatures ;
 sig-signing-type ;
- sig-validity-interval [ ];
+ sig-validity-interval [ ]; // obsolete
 update-check-ksk ;
 update-policy ( local | { ( deny | grant ) ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ ] ; ... } );
 zero-no-soa-ttl ;
diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt
index 523dd74cc1..661d50445e 100644
--- a/doc/misc/secondary.zoneopt
+++ b/doc/misc/secondary.zoneopt
@@ -11,7 +11,7 @@ zone [ ] {
 database ;
 dialup ( notify | notify-passive | passive | refresh | );
 dlz ;
- dnskey-sig-validity ;
+ dnskey-sig-validity ; // obsolete
 dnssec-dnskey-kskonly ;
 dnssec-loadkeys-interval ;
 dnssec-policy ;
@@ -52,7 +52,7 @@ zone [ ] {
 sig-signing-nodes ;
 sig-signing-signatures ;
 sig-signing-type ;
- sig-validity-interval [ ];
+ sig-validity-interval [ ]; // obsolete
 transfer-source ( | * );
 transfer-source-v6 ( | * );
 try-tcp-refresh ;
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index d8a2fade8e..b9e0942346 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1158,13 +1158,11 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 isc_result_t tresult;
 unsigned int i;
 const cfg_obj_t *obj = NULL;
- const cfg_obj_t *resignobj = NULL;
 const cfg_listelt_t *element;
 isc_symtab_t *symtab = NULL;
 const char *str;
 isc_buffer_t b;
 uint32_t lifetime = 3600;
- bool has_dnssecpolicy = false;
 const char *ccalg = "siphash24";
 cfg_aclconfctx_t *actx = NULL;
 static const char *sources[] = {
@@ -1369,8 +1367,6 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 if (result == ISC_R_SUCCESS) {
 result = ISC_R_FAILURE;
 }
- } else {
- has_dnssecpolicy = true;
 }
 }
@@ -1389,73 +1385,6 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 }
 }
- obj = NULL;
- cfg_map_get(options, "sig-validity-interval", &obj);
- if (obj != NULL) {
- uint32_t validity, resign = 0;
-
- validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
- resignobj = cfg_tuple_get(obj, "re-sign");
- if (!cfg_obj_isvoid(resignobj)) {
- resign = cfg_obj_asuint32(resignobj);
- }
-
- if (validity > 3660 || validity == 0) { /* 10 years */
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%u' is out of range (1..3660)",
- "sig-validity-interval", validity);
- result = ISC_R_RANGE;
- }
-
- if (!cfg_obj_isvoid(resignobj)) {
- if (resign > 3660 || resign == 0) { /* 10 years */
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%u' is out of range (1..3660)",
- "sig-validity-interval (re-sign)",
- validity);
- result = ISC_R_RANGE;
- } else if ((validity > 7 && validity < resign) ||
- (validity <= 7 && validity * 24 < resign))
- {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "validity interval (%u days) "
- "less than re-signing interval "
- "(%u %s)",
- validity, resign,
- (validity > 7) ? "days" : "hours");
- result = ISC_R_RANGE;
- }
- }
-
- if (has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "sig-validity-interval: cannot be "
- "configured if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
- }
-
- obj = NULL;
- cfg_map_get(options, "dnskey-sig-validity", &obj);
- if (obj != NULL) {
- uint32_t keyvalidity;
-
- keyvalidity = cfg_obj_asuint32(obj);
- if (keyvalidity > 3660) { /* 10 years */
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%u' is out of range (0..3660)",
- "dnskey-sig-validity", keyvalidity);
- result = ISC_R_RANGE;
- }
-
- if (has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnskey-sig-validity: cannot be "
- "configured if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
- }
-
 obj = NULL;
 (void)cfg_map_get(options, "preferred-glue", &obj);
 if (obj != NULL) {
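Review bot: With the range and dnssec-policy conflict checks deleted here, the only remaining handling of `sig-validity-interval` and `dnskey-sig-validity` is the CFG_CLAUSEFLAG_OBSOLETE bit set in the namedconf.c hunk, and the four deleted checkconf fixtures were the only tests that exercised these options; no surviving test asserts that a configuration still carrying either option yields an obsolete-option diagnostic rather than being accepted silently, which matters because an operator who relied on a short `sig-validity-interval` now gets the policy's signature lifetime without any visible signal. A small fixture containing just `options { sig-validity-interval 30; };` (constructed example) checked in checkconf/tests.sh for the obsolete-option message would close that gap. check_options begins and ends outside this hunk.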
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7a3e47869e..a6febf4023 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2355,9 +2355,9 @@ static cfg_clausedef_t zone_clauses[] = {
 { "sig-signing-type", &cfg_type_uint32,
 CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 { "sig-validity-interval", &cfg_type_validityinterval,
- CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
 { "dnskey-sig-validity", &cfg_type_uint32,
- CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
 { "transfer-source", &cfg_type_sockaddr4wild,
 CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
 { "transfer-source-v6", &cfg_type_sockaddr6wild,