From 09990672d9597bf7c8fa4e5d78b117944aad7cab Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Thu, 17 Oct 2019 11:38:56 +0200
Subject: [PATCH] Update zoneconf to use kasp config

If a zone has a dnssec-policy set, use signature validity,
dnskey signature validity, and signature refresh from
dnssec-policy.

Zones configured with 'dnssec-policy' will allow 'named' to create
DNSSEC keys (similar to dnssec-keymgr) if not available.
---
 bin/named/zoneconf.c | 85 +++++++++++++++++++++++++++++---------------
 1 file changed, 56 insertions(+), 29 deletions(-)

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index d8163d5c0c..0978902573 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1500,38 +1500,52 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		bool allow = false, maint = false;
 		bool sigvalinsecs;
 
-		obj = NULL;
-		result = named_config_get(maps, "dnskey-sig-validity", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		seconds = cfg_obj_asuint32(obj) * 86400;
+		if (kasp) {
+			seconds = (uint32_t) dns_kasp_sigvalidity_dnskey(kasp);
+		} else {
+			obj = NULL;
+			result = named_config_get(maps, "dnskey-sig-validity",
+						  &obj);
+			INSIST(result == ISC_R_SUCCESS && obj != NULL);
+			seconds = cfg_obj_asuint32(obj) * 86400;
+		}
 		dns_zone_setkeyvalidityinterval(zone, seconds);
 
-		obj = NULL;
-		result = named_config_get(maps, "sig-validity-interval", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-
-		sigvalinsecs = ns_server_getoption(named_g_server->sctx,
-						   NS_SERVER_SIGVALINSECS);
-		validity = cfg_tuple_get(obj, "validity");
-		seconds = cfg_obj_asuint32(validity);
-		if (!sigvalinsecs) {
-			seconds *= 86400;
-		}
-		dns_zone_setsigvalidityinterval(zone, seconds);
-
-		resign = cfg_tuple_get(obj, "re-sign");
-		if (cfg_obj_isvoid(resign)) {
-			seconds /= 4;
-		} else if (!sigvalinsecs) {
-			if (seconds > 7 * 86400) {
-				seconds = cfg_obj_asuint32(resign) * 86400;
-			} else {
-				seconds = cfg_obj_asuint32(resign) * 3600;
-			}
+		if (kasp) {
+			seconds = (uint32_t) dns_kasp_sigvalidity(kasp);
+			dns_zone_setsigvalidityinterval(zone, seconds);
+			seconds = (uint32_t) dns_kasp_sigrefresh(kasp);
+			dns_zone_setsigresigninginterval(zone, seconds);
 		} else {
-			seconds = cfg_obj_asuint32(resign);
+			obj = NULL;
+			result = named_config_get(maps, "sig-validity-interval",
+							&obj);
+			INSIST(result == ISC_R_SUCCESS && obj != NULL);
+
+			sigvalinsecs = ns_server_getoption(named_g_server->sctx,
+							NS_SERVER_SIGVALINSECS);
+			validity = cfg_tuple_get(obj, "validity");
+			seconds = cfg_obj_asuint32(validity);
+			if (!sigvalinsecs) {
+				seconds *= 86400;
+			}
+			dns_zone_setsigvalidityinterval(zone, seconds);
+
+			resign = cfg_tuple_get(obj, "re-sign");
+			if (cfg_obj_isvoid(resign)) {
+				seconds /= 4;
+			} else if (!sigvalinsecs) {
+				seconds = cfg_obj_asuint32(resign);
+				if (seconds > 7 * 86400) {
+					seconds *= 86400;
+				} else {
+					seconds *= 3600;
+				}
+			} else {
+				seconds = cfg_obj_asuint32(resign);
+			}
+			dns_zone_setsigresigninginterval(zone, seconds);
 		}
-		dns_zone_setsigresigninginterval(zone, seconds);
 
 		obj = NULL;
 		result = named_config_get(maps, "key-directory", &obj);
@@ -1560,12 +1574,20 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
 		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
 				   cfg_obj_asboolean(obj));
+		/*
+		 * This setting will be ignored if dnssec-policy is used.
+		 * named-checkconf will error if both are configured.
+		 */
 
 		obj = NULL;
 		result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
 		dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
 				   cfg_obj_asboolean(obj));
+		/*
+		 * This setting will be ignored if dnssec-policy is used.
+		 * named-checkconf will error if both are configured.
+		 */
 
 		obj = NULL;
 		result = named_config_get(maps, "dnssec-loadkeys-interval",
@@ -1576,7 +1598,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 
 		obj = NULL;
 		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
-		if (result == ISC_R_SUCCESS) {
+		if (dns_zone_getkasp(zone) != NULL) {
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
+		} else if (result == ISC_R_SUCCESS) {
 			const char *arg = cfg_obj_asstring(obj);
 			if (strcasecmp(arg, "allow") == 0) {
 				allow = true;
@@ -1589,6 +1615,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				ISC_UNREACHABLE();
 			}
 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
 		}
 	}