The In-Line Signing feature automatically creates and maintains a new
dns_zone for the signed data. The link between the signed and unsigned zones
is stored in struct dns_zone:
/* Excerpt: only the two fields that tie an inline-signed zone pair
 * together are shown here. */
struct dns_zone {
dns_zone_t *raw; /* unsigned zone (original); NULL when the zone is not inline-signed */
dns_zone_t *secure; /* signed zone; this is the zone that is registered in view->zonetable */
};
A DNS zone is unsigned if zone->raw == NULL.
view->zonetable contains the secure zone.
DNS updates are done in the raw zone:
ns_update_start() finds the secure zone in the zonetable and
redirects the update to the raw zone. send_update_event() works on the raw zone.
bin/named/server.c: configure_zone() creates the
to-be-secure zone (variable zone):
/* The to-be-secure zone is created through the zone manager and then
 * handed to it with dns_zonemgr_managezone(), so zonemgr owns it.
 * CHECK() presumably jumps to the function's cleanup path on a
 * non-ISC_R_SUCCESS result -- confirm against server.c. */
CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
CHECK(dns_zone_setorigin(zone, origin));
dns_zone_setview(zone, view);
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
/* Must happen before the secure zone is linked to a raw zone with
 * dns_zone_link(): the secure zone has to be managed by zonemgr first. */
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
dns_zone_setstats(zone, ns_g_server->zonestats);
bin/named/server.c: configure_zone() creates the raw zone
later:
/* A raw zone is only created for master/slave zones that have
 * "inline-signing yes;" in their options. */
signing = NULL;
if ((strcasecmp(ztypestr, "master") == 0 ||
strcasecmp(ztypestr, "slave") == 0) &&
cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS &&
cfg_obj_asboolean(signing))
{
/* Reuse an already-linked raw zone (presumably the reconfiguration
 * case -- confirm); only build a new one when none is attached yet. */
dns_zone_getraw(zone, &raw);
if (raw == NULL) {
/* Unlike the secure zone, the raw zone is created directly with
 * dns_zone_create() and is not registered with zonemgr here;
 * it is reached through the link below. */
CHECK(dns_zone_create(&raw, mctx));
CHECK(dns_zone_setorigin(raw, origin));
dns_zone_setview(raw, view);
if (view->acache != NULL)
dns_zone_setacache(raw, view->acache);
dns_zone_setstats(raw, ns_g_server->zonestats);
/* Following line interconnects secure and raw zone.
Secure zone has to be managed by zonemgr already. */
CHECK(dns_zone_link(zone, raw));
}
}
BIND implements zone configuration in bin/named/zoneconf.c:
ns_zone_configure().
dns_zone_master
| Parameter | Zone | Function | Notes |
|---|---|---|---|
| Name checks | raw | dns_zone_setoption | DNS_ZONEOPT_CHECKNAMES |
| Update ACL | raw | configure_zone_ssutable | |
| Notify | raw | dns_zone_setnotifytype | dns_notifytype_no |
| Notify | secure | dns_zone_setnotifytype | dns_zone_setisself() |
| Journal file | raw + secure | dns_zone_setjournal | |
| Query ACL | secure | configure_zone_acl | |
| Transfer ACL | secure | configure_zone_acl | |
| DNSSEC options | secure | key-directory; auto-dnssec | |
| Statistics | secure | dns_zone_setstatlevel | |
| Name checks | secure | dns_zone_setoption | disabled |
Signing parameters have to be configured explicitly on the secure zone:
/* Magic constants are taken from zoneconf.c */
/* NOTE(review): these mirror the zoneconf.c defaults; if the zone's own
 * named.conf values differ they are silently ignored here -- consider
 * copying the configured values instead of hard-coding them. */
/* 2592000 s = 30 days. Signatures older than this are no longer valid. */
dns_zone_setsigvalidityinterval(secure, 2592000); /* sig-validity-interval */
/* 648000 s = 7.5 days; deliberately much shorter than the validity
 * interval so signatures are refreshed well before they expire. */
dns_zone_setsigresigninginterval(secure, 648000); /* re-sign */
dns_zone_setsignatures(secure, 10); /* sig-signing-signatures */
dns_zone_setnodes(secure, 10); /* sig-signing-nodes */
/* 65534 is the private RR type used to record signing state in the zone. */
dns_zone_setprivatetype(secure, 65534); /* sig-signing-type */
dns_zone_setoption(secure, DNS_ZONEOPT_UPDATECHECKKSK, ISC_TRUE); /* update-check-ksk */
/* Unit is the option's (presumably minutes) -- confirm against zoneconf.c. */
dns_zone_setrefreshkeyinterval(secure, 60); /* dnssec-loadkeys-interval */
/* auto-dnssec = maintain */
/* ALLOW lets keys from key-directory be used; MAINTAIN additionally
 * has the zone follow key timing metadata automatically. */
dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
dns_zone_load() has to be called only on the secure zone. It
loads the raw zone internally (and fails mysteriously if the raw zone was
loaded manually).