Design Document: Kasp DB, key timers refactoring
Targets
- move key metadata configuration from JSON files to LMDB (no need for a consistency check, since it cannot be modified by the user; easier deserialization)
- get rid of "keyusage"
- since policy configuration moved to conf, we're not using libdnssec effectively for KASP - move this to Knot code with fewer layers of abstraction
- migrate from libdnssec "events" system to Knot events system to make things more consistent
Outer design details
New LMDB database introduced. Its data and lock file reside in keydir ( = <knot_dir>/keys ). This database contains the metadata that was previously in JSON files: key ID, key tag, public key, algorithm, isKSK flag, timers (unix timestamps of key lifetime moments). Policy options had been migrated to Knot conf before.
For importing the JSON configuration into this LMDB, and for manipulating the metadata stored there, pykeymgr is introduced, see the chapters below.
Inner design documents
Data structures for KASP remain roughly the same, simplified where possible. Replace the inconsistent ways of handling domain names with knot_dname_t throughout. Translate libdnssec error codes into libknot error codes where possible. Kdnssec can call the proper store functions directly.
KASP db consists of two LMDB sub-databases:
- keys-db: ( key ID -> serialized key params (tag, privkey, alg, isksk, timers) ); ( zone name + "nsec3_salt" -> nsec3 salt (+similarly its timestamp))
- zones-db: DUPSORT (= one key can have multiple values) ( zone name -> key ID ) As a consequence, one key can be owned by multiple zones, and a key is deleted after the last zone removes it (but this feature is not used in normal operation).
KASP db is one for all zones, available as a singleton (similar to conf()), initialized on server start but opened on demand, closed at server deinit.
KASP zone: contains zone name, kasp keys in a simple array (inserts by re-allocating), nsec3 salt. Can be "loaded" and "stored" into KASP db.
ZSK rollover events and nsec3 resalt introduced as Knot events. The events are fail-proof in the sense that if invoked too early, they simply replan themselves for the later time at which a real action is due.
The ZSK rollover and nsec3 resalt procedures themselves are separated, because they must be callable from the zone load event, to prevent zone load without proper key preparation and signing. The procedures' logic is copied from the corresponding libdnssec procedures, just adapted to the simpler data structures.
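The self-replanning behaviour described above, modelled as an added example (this is not Knot's code). The timer names (publish, active, retire, remove) and the derived state names are assumptions; the design only says timers are unix timestamps of key lifetime moments. The event applies whatever steps are due, and when invoked too early it applies nothing and just reports the next moment to plan for; a zone-load helper shows why the procedure must be callable before load.

```python
"""Model of a self-replanning key event (added example, not Knot's code)."""

# Assumed order of key lifetime moments; every timer is a unix timestamp.
TIMER_ORDER = ("publish", "active", "retire", "remove")


def make_key(key_id, isksk=False, **timers):
    """Build a key record; timers must be non-decreasing along the lifetime."""
    stamps = [timers[t] for t in TIMER_ORDER]
    if stamps != sorted(stamps):
        raise ValueError(f"{key_id}: timers are not in lifetime order")
    return {"id": key_id, "isksk": isksk, "timers": dict(timers), "applied": set()}


def due_steps(key, now):
    """Steps whose moment has passed but which this key has not gone through yet."""
    return [t for t in TIMER_ORDER if key["timers"][t] <= now and t not in key["applied"]]


def next_moment(key, now):
    """Earliest timer still in the future, or None when the key's lifetime is over."""
    future = [key["timers"][t] for t in TIMER_ORDER if key["timers"][t] > now]
    return min(future) if future else None


def key_state(key):
    """Derive the lifecycle state from the steps already applied."""
    last = None
    for t in TIMER_ORDER:
        if t in key["applied"]:
            last = t
    return {None: "prepared", "publish": "published", "active": "active",
            "retire": "retired", "remove": "removed"}[last]


def zsk_rollover_event(keys, now):
    """One invocation of the event.

    Applies every due step to every ZSK and returns (log, replan_time).  When
    invoked too early nothing is applied and replan_time is simply the next
    moment at which something will happen; None means no more work is planned.
    """
    log, upcoming = [], []
    for key in keys:
        if key["isksk"]:
            continue  # this event handles ZSKs only
        for step in due_steps(key, now):
            key["applied"].add(step)
            log.append((key["id"], step))
        nxt = next_moment(key, now)
        if nxt is not None:
            upcoming.append(nxt)
    return log, (min(upcoming) if upcoming else None)


def prepare_zone_keys(keys, now):
    """Zone load: run the procedure first, then refuse to continue without an active ZSK."""
    zsk_rollover_event(keys, now)
    return any(not k["isksk"] and key_state(k) == "active" for k in keys)


def sample_keys():
    """Constructed sample: two ZSKs with overlapping lifetimes and one KSK."""
    return [
        make_key("zsk-1", publish=100, active=200, retire=1000, remove=1100),
        make_key("zsk-2", publish=900, active=1000, retire=2000, remove=2100),
        make_key("ksk-1", isksk=True, publish=0, active=0, retire=9000, remove=9100),
    ]


if __name__ == "__main__":
    keys = sample_keys()
    for now in (50, 250, 1000, 5000):
        print(now, zsk_rollover_event(keys, now), [key_state(k) for k in keys])
```

Calling the event at time 50 applies nothing and returns 100 as the replan time; at 250 it publishes and activates zsk-1 and plans for 900, when zsk-2 becomes due. The zone-load helper returns False at time 50, which is the situation the separated procedure is meant to catch before signing starts.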
Pykeymgr
Resides in Knot sources scripts directory.
Features:
- Import JSON configuration into newly-created LMDB in the same directory. This is mostly useful when upgrading Knot. Call just once. Warns the user and suppresses action if LMDB already exists, but force option can force action.
- Modify a key parameter in the DB. Mostly useful for changing the timers of a key. Changing some parameters requires "force", since such a change makes no sense on its own (e.g. the key tag).
- TODO: more features
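A model of the KASP db layout from the inner design (keys-db and the DUPSORT zones-db, with a key record deleted only when its last owning zone drops it) together with the two pykeymgr features above, as an added example that is not Knot's or pykeymgr's code. LMDB is replaced by an in-memory stand-in (two dicts) so it runs offline; the record layout, the timer names, the set of parameters needing force beyond the key tag, and the sample JSON are all constructed for this example.

```python
"""KASP DB layout and pykeymgr-style operations (added example, not Knot's code)."""
import json
import struct
import warnings

# Assumed timer names; the design only says they are unix timestamps.
TIMERS = ("created", "publish", "active", "retire", "remove")

# Constructed record layout: tag (u16), algorithm (u8), isksk (u8), one u64 per
# timer; the public key follows the header and runs to the end of the record.
_HEADER = struct.Struct(">HBB" + "Q" * len(TIMERS))


def serialize_key(params):
    timers = [int(params["timers"][t]) for t in TIMERS]
    header = _HEADER.pack(params["tag"], params["algorithm"], int(params["isksk"]), *timers)
    return header + bytes(params["public_key"])


def deserialize_key(blob):
    tag, alg, isksk, *timers = _HEADER.unpack_from(blob)
    return {"tag": tag, "algorithm": alg, "isksk": bool(isksk),
            "timers": dict(zip(TIMERS, timers)), "public_key": blob[_HEADER.size:]}


class KaspDb:
    """In-memory stand-in for the two LMDB sub-databases."""

    def __init__(self):
        self.keys = {}   # keys-db: key ID -> record; also "<zone>nsec3_salt" entries
        self.zones = {}  # zones-db: zone name -> list of key IDs (models DUPSORT)

    def store_key(self, zone, key_id, params):
        self.keys[key_id] = serialize_key(params)
        owners = self.zones.setdefault(zone, [])
        if key_id not in owners:
            owners.append(key_id)

    def load_zone_keys(self, zone):
        return {kid: deserialize_key(self.keys[kid]) for kid in self.zones.get(zone, [])}

    def remove_zone_key(self, zone, key_id):
        """Unlink the key from the zone; delete the record only with its last owner."""
        self.zones[zone].remove(key_id)
        if any(key_id in owners for owners in self.zones.values()):
            return False
        del self.keys[key_id]
        return True

    def set_nsec3_salt(self, zone, salt, created):
        self.keys[zone + "nsec3_salt"] = bytes(salt)
        self.keys[zone + "nsec3_salt_created"] = struct.pack(">Q", created)


# Constructed stand-in for the legacy JSON key files; one key shared by two zones.
SAMPLE_JSON = """[
 {"zone": "example.com.", "id": "k1", "tag": 12345, "algorithm": 13, "isksk": false,
  "public_key": "00", "timers": {"created": 1, "publish": 2, "active": 3, "retire": 4, "remove": 5}},
 {"zone": "example.net.", "id": "k1", "tag": 12345, "algorithm": 13, "isksk": false,
  "public_key": "00", "timers": {"created": 1, "publish": 2, "active": 3, "retire": 4, "remove": 5}}
]"""

# Parameters whose change makes no sense on its own, so "force" is demanded
# (the design names the key tag; anything further would be an assumption).
FORCED_PARAMS = {"tag"}


def import_json(db, json_text, force=False):
    """One-shot upgrade import; warns and does nothing if the DB already exists."""
    if db.keys and not force:
        warnings.warn("KASP DB already exists, nothing imported (use force to override)")
        return 0
    count = 0
    for rec in json.loads(json_text):
        rec = dict(rec, public_key=bytes.fromhex(rec["public_key"]))
        db.store_key(rec["zone"], rec["id"], rec)
        count += 1
    return count


def modify_key(db, key_id, param, value, force=False):
    """Change one parameter (typically a timer) of a stored key and return the new record."""
    if param in FORCED_PARAMS and not force:
        raise ValueError(f"changing {param!r} makes no sense, use force")
    params = deserialize_key(db.keys[key_id])
    if param in TIMERS:
        params["timers"][param] = int(value)
    else:
        params[param] = value
    db.keys[key_id] = serialize_key(params)
    return params
```

Because the record lives once in keys-db and both zones point at it, a timer change made through one zone is visible from the other, and removing the key from the first zone keeps the record until the second zone drops it too.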
Usage can be obtained with the -h option. Better help is provided in a man page.
Trash:
- the rest of the submodules shall be copied to src/libknot/ksec: binary, crypto, key (id, tag), nsec, random, sign, tsig
Comments (possibly not useful):
- TODO keymgr: import keys in PEM format
- TODO generally: use mempool as needed