theforeman · ekohl · Feb 22, 2022 · Feb 16, 2022
diff --git a/manifests/dnssec_policy.pp b/manifests/dnssec_policy.pp
@@ -0,0 +1,80 @@
+# Manage custom DNSSEC policies
+#
+# @param dnskey_ttl
+#   This indicates the TTL to use when generating DNSKEY resource records.
+# @param keys
+#   This is a list specifying the algorithms and roles to use when generating
+#   keys and signing the zone. Entries in this list do not represent specific
+#   DNSSEC keys, which may be changed on a regular basis, but the roles that
+#   keys play in the signing policy.
+# @param max_zone_ttl
+#   This specifies the maximum permissible TTL value in seconds for the zone.
+# @param parent_ds_ttl
+#   This is the TTL of the DS RRset that the parent zone uses.
+# @param parent_propagation_delay
+#   This is the expected propagation delay from the time when the parent zone is
+#   updated to the time when the new version is served by all of the parent
+#   zone’s name servers.
+# @param publish_safety
+#   This is a margin that is added to the pre-publication interval in rollover
+#   timing calculations, to give some extra time to cover unforeseen events.
+#   This increases the time between when keys are published and they become
+#   active.
+# @param retire_safety
+#   This is a margin that is added to the post-publication interval in rollover
+#   timing calculations, to give some extra time to cover unforeseen events.
+#   This increases the time a key remains published after it is no longer
+#   active.
+# @param signatures_refresh
+#   This determines how frequently an RRSIG record needs to be refreshed. The
+#   signature is renewed when the time until the expiration time is closer than
+#   the specified interval.
+# @param signatures_validity
+#   This indicates the validity period of an RRSIG record (subject to inception
+#   offset and jitter).
+# @param signatures_validity_dnskey
+#   This is similar to signatures-validity, but for DNSKEY records.
+# @param zone_propagation_delay
+#   This is the expected propagation delay from the time when a zone is first
+#   updated to the time when the new version of the zone is served by all
+#   secondary servers.
+define dns::dnssec_policy (
+  Optional[Integer] $dnskey_ttl                   = undef,
+  Array[Dns::Dnssec_policy_key] $keys             = [],
+  Optional[Integer] $max_zone_ttl                 = undef,
+  Optional[Integer] $parent_ds_ttl                = undef,
+  Optional[String[1]] $parent_propagation_delay   = undef,
+  Optional[String[1]] $publish_safety             = undef,
+  Optional[String[1]] $retire_safety              = undef,
+  Optional[String[1]] $signatures_refresh         = undef,
+  Optional[String[1]] $signatures_validity        = undef,
+  Optional[String[1]] $signatures_validity_dnskey = undef,
+  Optional[String[1]] $zone_propagation_delay     = undef,
+) {
+  if $name == 'none' or $name == 'default' {
+    fail("The name \"${name}\" is reserved and cannot be used")
+  }
+
+  concat::fragment { "dnssec-policy-${name}":
+    target  => $dns::publicviewpath,
+    order   => '0',
+    content => epp('dns/named.dnssec_policy.epp',
+      {
+        name    => $name,
+        keys    => $keys,
+        options => {
+          'dnskey-ttl'                 => $dnskey_ttl,
+          'max-zone-ttl'               => $max_zone_ttl,
+          'parent-ds-ttl'              => $parent_ds_ttl,
+          'parent-propagation-delay'   => $parent_propagation_delay,
+          'publish-safety'             => $publish_safety,
+          'retire-safety'              => $retire_safety,
+          'signatures-refresh'         => $signatures_refresh,
+          'signatures-validity'        => $signatures_validity,
+          'signatures-validity-dnskey' => $signatures_validity_dnskey,
+          'zone-propagation-delay'     => $zone_propagation_delay,
+        },
+      }
+    ),
+  }
+}
diff --git a/spec/defines/dns_dnssec_policy_spec.rb b/spec/defines/dns_dnssec_policy_spec.rb
@@ -0,0 +1,92 @@
+require 'spec_helper'
+
+describe 'dns::dnssec_policy' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+      let(:title) { "standard" }
+
+      let :pre_condition do
+        'include dns'
+      end
+
+      context "without params" do
+        it { is_expected.to compile }
+
+        it "should have valid zone file contents" do
+          verify_concat_fragment_exact_contents(catalogue, 'dnssec-policy-standard', [
+            'dnssec-policy standard {',
+            '};',
+          ])
+        end
+
+        context "when using a reserved name" do
+          let(:title) { "default" }
+
+          it { is_expected.to compile.and_raise_error(/The name "default" is reserved and cannot be used/) }
+        end
+      end
+
+
+      context "with all params set" do
+        let(:params) do
+          {
+            dnskey_ttl: 600,
+            keys: [
+              {
+                type: "ksk",
+                directory: "key-directory",
+                lifetime: "unlimited",
+                algorithm: "rsasha1",
+                size: 2048,
+              },
+              {
+                type: "zsk",
+                lifetime: "P30D",
+                algorithm: 8,
+              },
+              {
+                type: "csk",
+                lifetime: "P6MT12H3M15S",
+                algorithm: "ecdsa256",
+              },
+            ],
+            max_zone_ttl: 600,
+            parent_ds_ttl: 600,
+            parent_propagation_delay: "2h",
+            publish_safety: "7d",
+            retire_safety: "7d",
+            signatures_refresh: "5d",
+            signatures_validity: "15d",
+            signatures_validity_dnskey: "15d",
+            zone_propagation_delay: "2h",
+          }
+        end
+
+        it { is_expected.to compile }
+
+        it "should have valid zone file contents" do
+          verify_concat_fragment_exact_contents(catalogue, 'dnssec-policy-standard', [
+            'dnssec-policy standard {',
+            '    dnskey-ttl 600;',
+            '    keys {',
+            '        ksk key-directory lifetime unlimited algorithm rsasha1 2048;',
+            '        zsk lifetime P30D algorithm 8;',
+            '        csk lifetime P6MT12H3M15S algorithm ecdsa256;',
+            '    };',
+            '    max-zone-ttl 600;',
+            '    parent-ds-ttl 600;',
+            '    parent-propagation-delay 2h;',
+            '    publish-safety 7d;',
+            '    retire-safety 7d;',
+            '    signatures-refresh 5d;',
+            '    signatures-validity 15d;',
+            '    signatures-validity-dnskey 15d;',
+            '    zone-propagation-delay 2h;',
+            '};',
+          ])
+        end
+      end
+    end
+  end
+end
diff --git a/templates/named.dnssec_policy.epp b/templates/named.dnssec_policy.epp
@@ -0,0 +1,12 @@
+dnssec-policy <%= $name %> {
+  <%- unless $keys.empty { -%>
+    keys {
+      <%- $keys.each |$key| { -%>
+        <%= $key['type'] %> <% if $key['directory'] { %><%= $key['directory']%> <% } %>lifetime <%= $key['lifetime'] %> algorithm <%= $key['algorithm'] %><% if $key['size'] { %> <%= $key['size'] %><% } %>;
+      <%- } -%>
+    };
+  <%- } -%>
+  <%- $options.filter |$k, $v| { $v }.each |$k, $v| { -%>
+    <%= $k %> <%= $v%>;
+  <%- } -%>
+};
diff --git a/types/dnssec_policy_key.pp b/types/dnssec_policy_key.pp
@@ -0,0 +1,10 @@
+# Validate dnssec-policy parameter
+type Dns::Dnssec_policy_key = Struct[
+  {
+    type      => Enum['csk', 'ksk', 'zsk'],
+    directory => Optional[Enum['key-directory']],
+    lifetime  => String[1],
+    algorithm => Variant[String[1], Integer],
+    size      => Optional[Integer],
+  }
+]