offline KSK: removed in-place offline KSK setup option

doc/man/keymgr.8in

@@ -126,9 +126,6 @@ owned by both zones equally.
 \fBpregenerate\fP \fIperiod_secs\fP
 Pre\-generate ZSKs for use with offline KSK, for the specified period starting from now.
 .TP
-\fBpresign\fP \fIperiod_secs\fP
-Sign pre\-generated ZSKs, for the specified period starting from now.
-.TP
 \fBshow\-rrsig\fP \fItimestamp\fP
 Print a pre\-generated DNSKEY RRSIG for specified timestamp.
 .TP

doc/man_keymgr.rst

@@ -103,9 +103,6 @@ Commands related to Offline KSK feature
 **pregenerate** *period_secs*
   Pre-generate ZSKs for use with offline KSK, for the specified period starting from now.
 
-**presign** *period_secs*
-  Sign pre-generated ZSKs, for the specified period starting from now.
-
 **show-rrsig** *timestamp*
   Print a pre-generated DNSKEY RRSIG for specified timestamp.
 

doc/operation.rst

@@ -634,77 +634,33 @@ zone, e.g. turning off DNSSEC, removing all the keys and signatures as desired.
 DNSSEC Offline KSK
 ==================
 
-Knot DNS allows two modes of operation where the private part of Key Signing Key is
-not available all the time (rather stored securely in an offline storage). This requires
+Knot DNS allows a special mode of operation where the private part of Key Signing Key is
+not available to the daemon, rather stored securely in an offline storage. This requires
 obviously that KSK/ZSK signing scheme is used. Zone Signing Key is always fully available
 to Knot in order to sign common changes to zone contents.
 
-Offline KSK temporarily online
-------------------------------
+The server (called "ZSK side") only uses ZSK to sign zone contents and its changes. Before
+performing a ZSK rollover, the DNSKEY records will be pre-generated and signed by the
+"KSK side". Both sides exchange keys in the form of human-readable messages with the help
+of :doc:`keymgr <man_keymgr>` utility.
 
-The first possibility is that Knot operates as usual, with just one
-:abbr:`KASP (Key And Signature Policy)` database. When there are no changes
-to the zone's DNSKEY record, the private part of KSK might not be present in
-the key storage.
-
-When a ZSK rollover takes place, there is a need to sign the
-changed DNSKEY record, thus have the KSK online in precise moments.
-However, this can all be prepared and pre-signed in advance,
-using the KSK just once in arbitrary moment.
+For the "ZSK side" (i.e. the operator of the DNS server), the pre-requirements are:
+proper DNSSEC policy configuration of e.g. :ref:`zsk-lifetime <policy_zsk-lifetime>`,
+but :ref:`manual <policy_manual>` set to "on", and a complete KASP db with just ZSKs. Also
+:ref:`offline-ksk <policy_offline-ksk>` must be enabled.
 
-The pre-requisite is having automatic DNSSEC signing enabled and properly
-configured (see :ref:`Automatic DNSSEC signing <dnssec>`). The options
-shall be set up like there was automatic key management (e.g.
-:ref:`ZSK lifetime <policy_zsk-lifetime>`) but key management set to
-:ref:`manual <policy_manual>`!
+For the "KSK side" (i.e. the operator of the KSK signer), the pre-requirements are
+equal Knot configuration (at least the :ref:`Policy section` must be identical) and a KASP db
+with the KSK(s).
 
-Under those conditions, the user can call :doc:`keymgr <man_keymgr>`
-command ``pregenerate`` to prepare the ZSKs for a specified period ahead.
-This is possible since ZSK rollovers are pretty predicitble.
+The first step for the "ZSK side" is the :doc:`keymgr <man_keymgr>` command
+``keymgr pregenerate`` to prepare the ZSKs for a specified period ahead.
 For example, if he chooses *2 x zsk_lifetime + 4 x propagation_delay*, it will
 probably prepare two complete future key rollovers. The newly-generated
 ZSKs remain in non-published state until their rollover start, i.e. the time 
 they would otherwise be generated in case of automatic key management.
 
-The second step is to create signatures for all future forms of the DNSKEY
-record. This is the only moment where the presence of KSK private key is
-needed! By calling the command ``keymgr presign`` (perhaps with the same
-period length) will achieve this. The pre-generated RRSIG records are then
-serialized inside KASP db for later use.
-
-Finally, it is needed to let the running Knot know we made some changes
-insinde KASP db in the meantime! The user must call :doc:`knotc <man_knotc>`
-command ``zone-sign`` so that the future zone re-signs are properly planned
-in the event subsystem.
-
-After this, Knot can run normally. It uses ZSK to sign zone changes. When the
-lifetime of the ZSK is gone, the prepared one appears automatically (key management
-still manual!). For signing the changed DNSKEY record, Knot first checks the KASP db
-for pre-generated signature and if found and valid, it's used. The user shall take
-further action (perhaps repeating this procedure) after the period he selected is over.
-
-It is possible to actually perform the ``presign`` action on different machine
-than used for running DNS service. However, it requires to copy whole KASP db
-back and forth.
-
-Separated DNS server and KSK signer
------------------------------------
-
-To avoid this, a second option is available. It has more steps, but has also the advantage
-that the "ZSK side" doesn't have to ever see the KSK private key, and also the "KSK side"
-doesn't have to ever see the ZSK private keys. Also the exchanged messages are clear and
-human-readable.
-
-For the "ZSK side" (i.e. the operator of the DNS server), the pre-requirements are
-similar to pervious case: proper DNSSEC configuration with :ref:`zsk-lifetime <policy_zsk-lifetime>`
-but :ref:`manual <policy_manual>`, a complete KASP db with just ZSKs. Also
-:ref:`offline-ksk <policy_offline-ksk>` must be enabled.
-
-For the "KSK side" (i.e. the operator of the KSK signer), the pre-requirements are
-equal Knot configuration (at least the :ref:`Policy section` must be identical) and a KASP db
-with the KSK(s).
-
-The first step for the "ZSK side" is the same as previously: ``keymgr pregenerate``. Then,
+Then,
 the operator shall export the public parts of the future ZSKs (in facts in the form of
 future DNSKEY records) by calling ``keymgr generate-ksr``. The output
 (called Key Signing Request; perhaps redirected to a file) shall be then sent to the
@@ -717,7 +673,8 @@ creating the future RRSIGs (adding also CDNSKEYs and CDSs), which are again prin
 
 The last step is importing the signatures from SKR to the KASP db for later use,
 this is done by ``keymgr import-skr``, followed by (as previously) ``knotc zone-resign``
-command. Then the future ZSKs and DNSKEY record signatures are ready in KASP db for
+command, so that the future zone re-signs are properly planned
+in the event subsystem. Then the future ZSKs and DNSKEY record signatures are ready in KASP db for
 later usage.
 
 .. _Controlling running daemon:

src/utils/keymgr/main.c

@@ -215,9 +215,6 @@ static int key_command(int argc, char *argv[], int optind)
 	} else if (strcmp(argv[1], "pregenerate") == 0) {
 		CHECK_MISSING_ARG("Period not specified");
 		ret = keymgr_pregenerate_zsks(&kctx, knot_time() + atol(argv[2]));
-	} else if (strcmp(argv[1], "presign") == 0) {
-		CHECK_MISSING_ARG("Timestamp not specified");
-		ret = keymgr_presign_zsks(&kctx, knot_time() + atol(argv[2]));
 	} else if (strcmp(argv[1], "show-rrsig") == 0) {
 		CHECK_MISSING_ARG("Timestamp not specified");
 		ret = keymgr_print_rrsig(&kctx, atol(argv[2]));

src/utils/keymgr/offline_ksk.c

@@ -44,30 +44,6 @@ static int pregenerate_once(kdnssec_ctx_t *ctx, knot_time_t *next)
 	return KNOT_EOK;
 }
 
-static void update_next_resign(knot_time_t *next, knot_time_t now, knot_time_t key_timer)
-{
-	if (knot_time_cmp(now, key_timer) < 0) {
-		*next = knot_time_min(*next, key_timer);
-	}
-}
-
-static void next_resign(knot_time_t *next, kdnssec_ctx_t *ctx)
-{
-	// next re-sign when rrsig expire or dnskey rrset changes or set of active KSKs changes
-	*next = ctx->now + ctx->policy->rrsig_lifetime - ctx->policy->rrsig_refresh_before;
-	for (int i = 0; i < ctx->zone->num_keys; i++) {
-		knot_kasp_key_t *k = &ctx->zone->keys[i];
-		update_next_resign(next, ctx->now, k->timing.publish);
-		update_next_resign(next, ctx->now, k->timing.retire_active);
-		update_next_resign(next, ctx->now, k->timing.remove);
-		if (k->is_ksk) {
-			update_next_resign(next, ctx->now, k->timing.ready);
-			update_next_resign(next, ctx->now, k->timing.active); // needed just if the key skips ready stage
-			update_next_resign(next, ctx->now, k->timing.retire);
-		}
-	}
-}
-
 // please free *_dnskey and keyset even if returned error
 static int load_dnskey_rrset(kdnssec_ctx_t *ctx, knot_rrset_t **_dnskey, zone_keyset_t *keyset)
 {
@@ -98,48 +74,6 @@ static int load_dnskey_rrset(kdnssec_ctx_t *ctx, knot_rrset_t **_dnskey, zone_ke
 	return KNOT_EOK;
 }
 
-static int presign_once(kdnssec_ctx_t *ctx)
-{
-	knot_rrset_t *dnskey = NULL, *rrsig = NULL;
-	zone_keyset_t keyset = { 0 };
-	int ret = load_dnskey_rrset(ctx, &dnskey, &keyset);
-	if (ret != KNOT_EOK) {
-		goto done;
-	}
-
-	rrsig = knot_rrset_new(ctx->zone->dname, KNOT_RRTYPE_RRSIG, KNOT_CLASS_IN, ctx->policy->dnskey_ttl, NULL);
-	if (rrsig == NULL) {
-		ret = KNOT_ENOMEM;
-		goto done;
-	}
-
-	// sign the DNSKEY rrset
-	for (int i = 0; i < keyset.count; i++) {
-		zone_key_t *key = &keyset.keys[i];
-		if (key->is_active && key->is_ksk) {
-			ret = knot_sign_rrset(rrsig, dnskey, key->key, key->ctx, ctx, NULL);
-			if (ret != KNOT_EOK) {
-				printf("sign rrset failed\n");
-				goto done;
-			}
-		}
-	}
-
-	// store it to KASP db
-	assert(!knot_rrset_empty(rrsig));
-	ret = kasp_db_store_offline_rrsig(*ctx->kasp_db, ctx->now, rrsig, NULL, NULL, NULL); // TODO !
-	if (ret != KNOT_EOK) {
-		printf("store rrsig failed\n");
-		goto done;
-	}
-
-done:
-	knot_rrset_free(dnskey, NULL);
-	knot_rrset_free(rrsig, NULL);
-	free_zone_keys(&keyset);
-	return ret;
-}
-
 int keymgr_pregenerate_zsks(kdnssec_ctx_t *ctx, knot_time_t upto)
 {
 	knot_time_t next = ctx->now;
@@ -158,21 +92,6 @@ int keymgr_pregenerate_zsks(kdnssec_ctx_t *ctx, knot_time_t upto)
 	return ret;
 }
 
-int keymgr_presign_zsks(kdnssec_ctx_t *ctx, knot_time_t upto)
-{
-	knot_time_t next = ctx->now;
-	int ret = KNOT_EOK;
-
-	while (ret == KNOT_EOK && knot_time_cmp(next, upto) <= 0) {
-		ctx->now = next;
-		printf("presign %lu\n", ctx->now);
-		ret = presign_once(ctx);
-		next_resign(&next, ctx);
-	}
-
-	return ret;
-}
-
 static int dump_rrset_to_buf(const knot_rrset_t *rrset, char **buf, size_t *buf_size)
 {
 	if (*buf == NULL) {

src/utils/keymgr/offline_ksk.h

@@ -20,8 +20,6 @@
 
 int keymgr_pregenerate_zsks(kdnssec_ctx_t *ctx, knot_time_t upto);
 
-int keymgr_presign_zsks(kdnssec_ctx_t *ctx, knot_time_t upto);
-
 int keymgr_print_rrsig(kdnssec_ctx_t *ctx, knot_time_t when);
 
 int keymgr_delete_rrsig(kdnssec_ctx_t *ctx, knot_time_t until);