ÿØÿà JFIF    ÿÛ „  ( %"1!%)+...383,7(-.+  -+++--++++---+-+-----+---------------+---+-++7-----ÿÀ  ß â" ÿÄ     ÿÄ H    !1AQaq"‘¡2B±ÁÑð#R“Ò Tbr‚²á3csƒ’ÂñDS¢³$CÿÄ   ÿÄ %  !1AQa"23‘ÿÚ   ? ôÿ ¨pŸªáÿ —åYõõ\?àÒü©ŠÄï¨pŸªáÿ —åYõõ\?àÓü©ŠÄá 0Ÿªáÿ Ÿå[úƒ ú®ði~TÁbqÐ8OÕpÿ ƒOò¤Oè`–RÂáœá™êi€ßÉ< FtŸI“öÌ8úDf´°å}“¾œ6  öFá°y¥jñÇh†ˆ¢ã/ÃÐ:ªcÈ "Y¡ðÑl>ÿ ”ÏËte:qž\oäŠe÷󲍷˜HT4&ÿ ÓÐü6ö®¿øþßèô Ÿ•7Ñi’•j|“ñì>b…þS?*Óôÿ ÓÐü*h¥£ír¶ü UãSç‚Ÿ[AÐaè[ûª•õ&õj?†Éö+EzP—WeÒírJFt ‘BŒ†Ï‡%#tE Øz ¥OÛ«!1›üä±Í™%ºÍãö]°î(–:@<‹ŒÊö×òÆt¦ãº+‡¦%ÌÁ²h´OƒJŒtMÜ>ÀÜÊw3Y´•牋4ǍýʏTì>œú=Íwhyë,¾Ôò×õ¿ßÊa»«þˆѪQ|%6ž™A õ%:øj<>É—ÿ Å_ˆCbõ¥š±ý¯Ýƒï…¶|RëócÍf溪“t.СøTÿ *Ä¿-{†çàczůŽ_–^XþŒ±miB[X±d 1,é”zEù»& î9gœf™9Ð'.;—™i}!ôšåîqêÛ٤ёý£½ÆA–àôe"A$˝Úsäÿ ÷Û #°xŸëí(l »ý3—¥5m! rt`†0~'j2(]S¦¦kv,ÚÇ l¦øJA£Šƒ J3E8ÙiŽ:cÉžúeZ°€¯\®kÖ(79«Ž:¯X”¾³Š&¡* ….‰Ž(ÜíŸ2¥ª‡×Hi²TF¤ò[¨íÈRëÉ䢍mgÑ.Ÿ<öäS0í„ǹÁU´f#Vß;Õ–…P@3ío<ä-±»Ž.L|kªÀê›fÂ6@»eu‚|ÓaÞÆŸ…¨ááå>åŠ?cKü6ùTÍÆ”†sĤÚ;H2RÚ†õ\Ö·Ÿn'¾ ñ#ºI¤Å´%çÁ­‚â7›‹qT3Iï¨ÖÚ5I7Ë!ÅOóŸ¶øÝñØôת¦$Tcö‘[«Ö³šÒ';Aþ ¸èíg A2Z"i¸vdÄ÷.iõ®§)¿]¤À†–‡É&ä{V¶iŽ”.Ó×Õÿ û?h¬Mt–íª[ÿ Ñÿ ÌV(í}=ibÔ¡›¥¢±b Lô¥‡piη_Z<‡z§èŒ)iÖwiÇ 2hÙ3·=’d÷8éŽ1¦¸c¤µ€7›7Ø ð\á)} ¹fËí›pAÃL%âc2 í§æQz¿;T8sæ°qø)QFMð‰XŒÂ±N¢aF¨…8¯!U  Z©RÊ ÖPVÄÀÍin™Ì-GˆªÅËŠ›•zË}º±ŽÍFò¹}Uw×#ä5B¤{î}Ð<ÙD é©¤&‡ïDbàÁôMÁ." ¤‡ú*õ'VŽ|¼´Úgllº¼klz[Æüï÷Aób‡Eÿ dÑ»Xx9ÃÜ£ÁT/`¼¸vI±Ýµ·Ë‚“G³þ*Ÿû´r|*}<¨îºœ @¦mÄ’M¹”.œ«Y–|6ÏU¤jç¥ÕÞqO ˜kDÆÁ¨5ÿ š;Њ¦¦€GÙk \ –Þ=â¼=SͧµªS°ÚÍpÜãQűÀõ¬?ÃÁ1Ñ•õZà?hóœ€ L¦l{Y*K˜Ù›zc˜–ˆâ ø+¾ ­-Ök¥%ùEÜA'}ˆ><ÊIè“bpÍ/qÞâvoX€w,\úªò6Z[XdÒæ­@Ö—€$òJí#é>'°Ú ôª˜<)4ryÙ£|óAÅn5žêŸyÒäMÝ2{"}‰–¤l÷ûWX\l¾Á¸góÉOÔ /óñB¤f¸çñ[.P˜ZsÊË*ßT܈§QN¢’¡¨§V¼(Üù*eÕ“”5T¨‹Âê¥FŒã½Dü[8'Ò¥a…Ú¶k7a *•›¼'Ò·\8¨ª\@\õ¢¦íq+DÙrmÎ…_ªæ»ŠÓœ¡¯’Ré9MÅ×D™lælffc+ŒÑ,ý™ÿ ¯þǤ=Å’Á7µ÷ÚÛ/“Ü€ñýã¼àí¾ÕÑ+ƒ,uµMâÀÄbm:ÒÎPæ{˜Gz[ƒ¯«® KHà`ßØŠéí¯P8Aq.C‰ à€kòpj´kN¶qô€…Õ,ÜNŠª-­{Zö’æû44‰sŽè‰îVíRœÕm" 6?³D9¡ÇTíÅꋇ`4«¸ÝÁô ï’ýorqКÇZ«x4Žâéþuïf¹µö[P ,Q£éaX±`PÉÍZ ¸äYúg üAx ’6Lê‚xÝÓ*äQ  Ï’¨hÍ =²,6ï#rÃ<¯–£»ƒ‹,–ê•€ aÛsñ'%Æ"®ÛüìBᝠHÚ3ß°©$“XnœÖ’î2ËTeûìxîß ¦å¿çÉ ðK§þ{‘t‚Ϋ¬jéîZ[ ”š7L¥4VÚCE×]m¤Øy”ä4-dz£œ§¸x.*ãÊÊ b÷•h:©‡¦s`BTÁRû¾g⻩‹jø sF¢àJøFl‘È•Xᓁà~*j¯ +(ÚÕ6-£¯÷GŠØy‚<Ç’.F‹Hœw(+)ÜÜâÈzÄäT§FߘãÏ;DmVœ3Àu@mÚüXÝü•3B¨òÌÁÛ<·ÃÜ z,Ì@õÅ·d2]ü8s÷IôÞ¯^Ç9¢u„~ëAŸï4«M? K]­ÅàPl@s_ p:°¬ZR”´›JC[CS.h‹ƒïËœ«Æ]–÷ó‚wR×k7X‰k›‘´ù¦=¡«‰¨¨Â')—71ó’c‡Ðúµ `é.{§p¹ój\Ž{1h{o±Ý=áUÊïGÖŒõ–-BÄm+AZX¶¡ ïHðæ¥JmÙ;…ä¡Ÿˆ¦ ° äšiÉg«$üMk5¤L“’çÊvïâï ,=f“"íἊ5ô¬x6{ɏžID0e¸vçmi'︧ºð9$ò¹÷*£’9ÿ ²TÔ…×>JV¥}Œ}$p[bÔ®*[jzS*8 ”·T›Í–ñUîƒwo$áè=LT™ç—~ô·¤ÈÚ$榍q‰„+´kFm)ž‹©i–ËqÞŠ‰à¶ü( ‚•§ •°ò·‡#5ª•µÊ﯅¡X¨šÁ*F#TXJÊ ušJVÍ&=iÄs1‚3•'fý§5Ñ<=[íÞ­ PÚ;ѱÌ_~Ä££8rÞ ²w;’hDT°>ÈG¬8Á²ÚzŽ®ò®qZcqJêäÞ-ö[ܘbň±çb“Š¶31²n×iƒðÕ;1¶þÉ ªX‰,ßqÏ$>•î íZ¥Z 1{ç൵+ƒÕµ¥°T$§K]á»Ûï*·¤tMI’ÂZbŽÕiÒ˜}bÓ0£ª5›¨ [5Ž^ÝœWøÂÝh° ¢OWun£¤5 a2Z.G2³YL]jåtì”ä ÁÓ‘%"©<ÔúÊ°sº UZvä‡ÄiÆÒM .÷V·™ø#kèýiíÌ–ª)µT[)BˆõÑ xB¾B€ÖT¨.¥~ð@VĶr#¸ü*åZNDŽH;âi ],©£öØpù(šºãö¼T.uCê•4@ÿ GÕÛ)Cx›®0ø#:ÏðFÒbR\(€€Ä®fã4Þ‰Fä¯HXƒÅ,†öEÑÔÜ]Öv²?tLÃvBY£ú6Êu5ÅAQ³1‘’¬x–HŒÐ‡ ^ ¸KwJôÖŽ5×CÚ¨vÜ«/B0$×k°=ðbÇ(Ï)w±A†Á† 11Í=èQšµ626ŒÜ/`G«µ<}—-Ö7KEHÈÉðóȤmݱû±·ø«Snmá=“ä«šmݱŸ¡¶~ó·“äUóJæúòB|E LêŽy´jDÔ$G¢þÐñ7óR8ýÒ…Ç› WVe#·Ÿ p·Fx~•ݤF÷0Èÿ K¯æS<6’¡WШ; ´ÿ ¥Êø\Òuî†åÝ–VNœkÒ7oòX¨Á­Ø÷FÎÑä±g÷ÿ M~Çî=p,X´ ÝÌÚÅ‹’ÃjÖ.ØöÏñ qïQ¤ÓZE†° =6·]܈ s¸>v•Ž^Ý\wq9r‰Î\¸¡kURÒ$­*‹Nq?Þª*!sŠÆ:TU_u±T+øX¡ ®¹¡,ÄâÃBTsÜ$Ø›4m椴zÜK]’’›Pƒ @€#â˜`é¹=I‡fiV•Ôî“nRm+µFPOhÍ0B£ €+¬5c v•:P'ÒyÎ ‰V~‚Ó†ÖuókDoh$å\*ö%Ю=£«…aȼ½÷Û.-½VŒŠ¼'lyî±1¬3ó#ÞE¿ÔS¤gV£m›=§\û"—WU¤ÚǼÿ ÂnÁGŒÃ ‚õN D³õNÚíŒÕ;HôyÄÈ©P¹Ä{:?R‘Ô¨âF÷ø£bÅó® JS|‚R÷ivýáâ€Æé¡è³´IئÑT!§˜•Øª‚¬â@q€wnïCWÄ@JU€ê¯m6]Ï:£âx'+ÒðXvÓ¦Úm=–´7œ $ì“B£~p%ÕŸUþ« N@¼üï~w˜ñø5®—'Ôe»¤5ã//€ž~‰Tþ›Å7•#¤× Íö pÄ$ùeåì*«ÓŠEØWEÈsßg ¦ûvžSsLpºÊW–âµEWöˬH; ™!CYõZ ÃÄf æ#1W. \uWâ\,\Çf j’<qTbên›Î[vxx£ë 'ö¨1›˜ÀM¼Pÿ H)ƒêêŒA7s,|F“ 꺸k³9Ìö*ç®;Ö!Ö$Eiž•¹ÒÚ†ýóéÝû¾ÕS®ó$’NÝäŸz¤5r¦ãÄÃD÷Üø!°ø‡Ô&@m™Ì^Ãä­d q5Lnÿ N;.6½·N|#ä"1Nƒx“ã<3('&ñßt  ~ªu”1Tb㫨9ê–›–bìd$ߣ=#ÕãÒmU¯eí$EFù5ýYô櫨æ왍Ǘ±ssM]·á¿0ÕåJRÓªîiƒ+O58ÖñªŠÒx" \µâá¨i’¤i —Ö ” M+M¤ë9‚‰A¦°Qõ¾ßøK~¼Ã‘g…Ö´~÷Ï[3GUœÒ½#…kàÔ®Ò”‰³·dWV‰IP‰Ú8u¹”E ÖqLj¾êÕCBš{A^Âß;–¨`¯¬ìö ˼ ×tìø.tƐm*n¨y4o&Àx¥n¦×î‡aupáÛj8¿m›è¶ã!o½;ß0y^ý×^EÑ¿ÒjzŒ­)vÚÑnÄL …^ªô× ‡—‚3k Îý­hï]içå–îÏ*÷ñþ»Ô CÒjøjÍznˆ´ ¹#b'Fô‹ ‰v¥'’à'T´ƒHýÍ%M‰ ƒ&ÆÇŒï1 ‘ –Þ ‰i¬s žR-Ÿ kŠ¬á¬7:þ 0ŒÅÒÕ/aÙ¬ÃÝ#Úøœ ©aiVc‰. ¹¦ãµ” ›Yg¦›ÆÎýº°f³7ƒhá·¸­}&D9¡ÂsÉÙÞèŠõØàC™¨ñbFC|´Ü(ŸƒÚÒ-%»'a Ì¿)ËÇn¿úÿ ÞŽX…4ÊÅH^ôΑí@ù¹Eh¶“L8Çjù ¼ÎåVªóR©Ï5uà V4lZß®=€xÖŸ–ÑÈ ÷”¨°¾__yM1tÉ?uÆþIkÄgæ@þ[¢†°XÃJ£j·:nkÅ¢u ‘}âGzö­/IµèŠ¬¼48q¦F°ŽR¼=ûì{´¯RýicS ÕÛ íNtÍÙï£,w4rêì®»~x(©Uñ§#Ñ&œÕ¤>ÎåÍÓ9’Ö{9eV­[Öjâ²ãu]˜å2›qÑšÕJç0€sÄ|Êëè0튔bÁ>“{×_F`Ø©ºê:µä,v¤ðfc1±"«ÔÍän1#=· Âøv~H½ÐßA¾¿Ü€Óš]Õ; I¾÷ç‚Qi†î¹9ywÔKG˜áñ zQY—§ÃÕZ07§X‚ Áh;ÁM)iÌCH-¯T‘ë|A0{Ò½LÚ–TâÖkÜ’dÀ“rmm»”جPF³ÖcbE§T€ÒxKºû’Ó®7±²(\4ŽÃ¸Uu@j™yĵ;³µ!Á¢b.W¤=mõ´êµK k ¸K^ÜÛ#p*Ü14qkZç5ïë †°5Ï%ÍÛ<Õ¤×Ô¥ê†C Õ´¼ú$ƒÖ“”]Ù¬qÞÚ[4©ý!ûÏ—Áb쳐XµA¬â~`›Çr¸8ìùÝ䫦<>ä÷«?xs´ÇÑ /á;¹øüÊÈÙà{"@Žïzâ¬[âß‚ U_<ÇŸ½4èN˜ú61®qŠu ¦þF£»äJ_ˆÙÎ~ ÞAã–Ý„Ï—rŠD;xTž‘ô`É«…suãO`?³à™ô Lý#Íc5öoæØ‚y´´÷«ZR§<&JÇ+éâô´€i!Àˆ0æAoàðLèÖ-2ŸõW.’t^–(KÁmHµV@xÜÇy®Ñø­â^:Ú3w· 7½¹°ñ¸â¹®:',«Mœ—n­Á+Ãbš LÈ‘ÄnRÓÅœ%¦²‰¨ùQ:¤f‚ "PÕtô¸…cæl…&˜Ú˜Ôkv‹ž+vŠ,=¢v­6—Xy*¥t£«<™:“aîϲ=¦6rO]XI¿Œ÷¤zÚ­›¶ 6÷”w\d ü~v®ˆÌk«^m<ÿ ¢‰Õ\)ùºŽ;… lîÙÅEŠ®cѾ@vnMÏ,¼“ñ•ŽBxðÃzãÇç%3ˆ"}Ù•Åî> BÉú;Ò]V+P˜F_´ßé> Øše|ï‡ÄOmFæÇ ãqÞ$/xÐx­z`ï9"œÜij‚!7.\Td…9M‡•iŽ‹¾‘50ÞŽn¥ß4ÉôO ¹*í^QêËÜÇÌ8=Ž§s‰'ÂëÙ«á%Pú[O †ÅP¯VsŽ°.‰,kc¶ ¬A9n˜XÎ-ÞšN["¹QÕ‰ƒMýÁߺXJæÍaLj¾×Ãmã¾ãÚ uñÒþåQô¦¥ /ÄUx:‚ÍÜ’ Đ©ØÝ3V¨‰ÕnÐ6ó*óúK­«…c ¯U òhsý­jóÔj#,ímŒRµ«lbïUTŒÑ8†Ä0œÏr`ð¡¬É Ї ë"À² ™ 6¥ f¶ ¢ÚoܱԷ-<Àî)†a¶ž'Ú»¨TXqØæ¶÷YÄHy˜9ÈIW­YÀuMFë ºÏ’AqÌ4·/Ú †ô'i$øä­=Ä Ý|öK×40è|È6p‘0§)o¥ctî§H+CA-“ xØ|ÐXŠç l8íºð3Ø:³¤¬KX¯UÿÙ ############################################################################ # Copyright (C) Internet Systems Consortium, Inc. ("ISC") # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. ############################################################################ import re import ply.lex as lex import ply.yacc as yacc from string import * from copy import copy ############################################################################ # PolicyLex: a lexer for the policy file syntax. ############################################################################ class PolicyLex: reserved = ('POLICY', 'ALGORITHM_POLICY', 'ZONE', 'ALGORITHM', 'DIRECTORY', 'KEYTTL', 'KEY_SIZE', 'ROLL_PERIOD', 'PRE_PUBLISH', 'POST_PUBLISH', 'COVERAGE', 'STANDBY', 'NONE') tokens = reserved + ('DATESUFFIX', 'KEYTYPE', 'ALGNAME', 'STR', 'QSTRING', 'NUMBER', 'LBRACE', 'RBRACE', 'SEMI') reserved_map = {} t_ignore = ' \t' t_ignore_olcomment = r'(//|\#).*' t_LBRACE = r'\{' t_RBRACE = r'\}' t_SEMI = r';'; def t_newline(self, t): r'\n+' t.lexer.lineno += t.value.count("\n") def t_comment(self, t): r'/\*(.|\n)*?\*/' t.lexer.lineno += t.value.count('\n') def t_DATESUFFIX(self, t): r'(?i)(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\b' t.value = re.match(r'(?i)(y|mo|w|d|h|mi|s)([a-z]*)', t.value).group(1).lower() return t def t_KEYTYPE(self, t): r'(?i)\b(KSK|ZSK)\b' t.value = t.value.upper() return t def t_ALGNAME(self, t): r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b' t.value = t.value.upper() return t def t_STR(self, t): r'[A-Za-z._-][\w._-]*' t.type = self.reserved_map.get(t.value, "STR") return t def t_QSTRING(self, t): r'"([^"\n]|(\\"))*"' t.type = self.reserved_map.get(t.value, "QSTRING") t.value = t.value[1:-1] return t def t_NUMBER(self, t): r'\d+' t.value = int(t.value) return t def t_error(self, t): print("Illegal character '%s'" % t.value[0]) t.lexer.skip(1) def __init__(self, **kwargs): if 'maketrans' in dir(str): trans = str.maketrans('_', '-') else: trans = maketrans('_', '-') for r in self.reserved: self.reserved_map[r.lower().translate(trans)] = r self.lexer = lex.lex(object=self, **kwargs) def test(self, text): self.lexer.input(text) while True: t = self.lexer.token() if not t: break print(t) ############################################################################ # Policy: this object holds a set of DNSSEC policy settings. ############################################################################ class Policy: is_zone = False is_alg = False is_constructed = False ksk_rollperiod = None zsk_rollperiod = None ksk_prepublish = None zsk_prepublish = None ksk_postpublish = None zsk_postpublish = None ksk_keysize = None zsk_keysize = None ksk_standby = None zsk_standby = None keyttl = None coverage = None directory = None valid_key_sz_per_algo = {'DSA': [512, 1024], 'NSEC3DSA': [512, 1024], 'RSAMD5': [512, 4096], 'RSASHA1': [512, 4096], 'NSEC3RSASHA1': [512, 4096], 'RSASHA256': [512, 4096], 'RSASHA512': [512, 4096], 'ECCGOST': None, 'ECDSAP256SHA256': None, 'ECDSAP384SHA384': None, 'ED25519': None, 'ED448': None} def __init__(self, name=None, algorithm=None, parent=None): self.name = name self.algorithm = algorithm self.parent = parent pass def __repr__(self): return ("%spolicy %s:\n" "\tinherits %s\n" "\tdirectory %s\n" "\talgorithm %s\n" "\tcoverage %s\n" "\tksk_keysize %s\n" "\tzsk_keysize %s\n" "\tksk_rollperiod %s\n" "\tzsk_rollperiod %s\n" "\tksk_prepublish %s\n" "\tksk_postpublish %s\n" "\tzsk_prepublish %s\n" "\tzsk_postpublish %s\n" "\tksk_standby %s\n" "\tzsk_standby %s\n" "\tkeyttl %s\n" % ((self.is_constructed and 'constructed ' or \ self.is_zone and 'zone ' or \ self.is_alg and 'algorithm ' or ''), self.name or 'UNKNOWN', self.parent and self.parent.name or 'None', self.directory and ('"' + str(self.directory) + '"') or 'None', self.algorithm or 'None', self.coverage and str(self.coverage) or 'None', self.ksk_keysize and str(self.ksk_keysize) or 'None', self.zsk_keysize and str(self.zsk_keysize) or 'None', self.ksk_rollperiod and str(self.ksk_rollperiod) or 'None', self.zsk_rollperiod and str(self.zsk_rollperiod) or 'None', self.ksk_prepublish and str(self.ksk_prepublish) or 'None', self.ksk_postpublish and str(self.ksk_postpublish) or 'None', self.zsk_prepublish and str(self.zsk_prepublish) or 'None', self.zsk_postpublish and str(self.zsk_postpublish) or 'None', self.ksk_standby and str(self.ksk_standby) or 'None', self.zsk_standby and str(self.zsk_standby) or 'None', self.keyttl and str(self.keyttl) or 'None')) def __verify_size(self, key_size, size_range): return (size_range[0] <= key_size <= size_range[1]) def get_name(self): return self.name def constructed(self): return self.is_constructed def validate(self): """ Check if the values in the policy make sense :return: True/False if the policy passes validation """ if self.ksk_rollperiod and \ self.ksk_prepublish is not None and \ self.ksk_prepublish > self.ksk_rollperiod: print(self.ksk_rollperiod) return (False, ('KSK pre-publish period (%d) exceeds rollover period %d' % (self.ksk_prepublish, self.ksk_rollperiod))) if self.ksk_rollperiod and \ self.ksk_postpublish is not None and \ self.ksk_postpublish > self.ksk_rollperiod: return (False, ('KSK post-publish period (%d) exceeds rollover period %d' % (self.ksk_postpublish, self.ksk_rollperiod))) if self.zsk_rollperiod and \ self.zsk_prepublish is not None and \ self.zsk_prepublish >= self.zsk_rollperiod: return (False, ('ZSK pre-publish period (%d) exceeds rollover period %d' % (self.zsk_prepublish, self.zsk_rollperiod))) if self.zsk_rollperiod and \ self.zsk_postpublish is not None and \ self.zsk_postpublish >= self.zsk_rollperiod: return (False, ('ZSK post-publish period (%d) exceeds rollover period %d' % (self.zsk_postpublish, self.zsk_rollperiod))) if self.ksk_rollperiod and \ self.ksk_prepublish and self.ksk_postpublish and \ self.ksk_prepublish + self.ksk_postpublish >= self.ksk_rollperiod: return (False, (('KSK pre/post-publish periods (%d/%d) ' + 'combined exceed rollover period %d') % (self.ksk_prepublish, self.ksk_postpublish, self.ksk_rollperiod))) if self.zsk_rollperiod and \ self.zsk_prepublish and self.zsk_postpublish and \ self.zsk_prepublish + self.zsk_postpublish >= self.zsk_rollperiod: return (False, (('ZSK pre/post-publish periods (%d/%d) ' + 'combined exceed rollover period %d') % (self.zsk_prepublish, self.zsk_postpublish, self.zsk_rollperiod))) if self.algorithm is not None: # Validate the key size key_sz_range = self.valid_key_sz_per_algo.get(self.algorithm) if key_sz_range is not None: # Verify KSK if not self.__verify_size(self.ksk_keysize, key_sz_range): return False, 'KSK key size %d outside valid range %s' \ % (self.ksk_keysize, key_sz_range) # Verify ZSK if not self.__verify_size(self.zsk_keysize, key_sz_range): return False, 'ZSK key size %d outside valid range %s' \ % (self.zsk_keysize, key_sz_range) # Specific check for DSA keys if self.algorithm in ['DSA', 'NSEC3DSA'] and \ self.ksk_keysize % 64 != 0: return False, \ ('KSK key size %d not divisible by 64 ' + 'as required for DSA') % self.ksk_keysize if self.algorithm in ['DSA', 'NSEC3DSA'] and \ self.zsk_keysize % 64 != 0: return False, \ ('ZSK key size %d not divisible by 64 ' + 'as required for DSA') % self.zsk_keysize if self.algorithm in ['ECCGOST', \ 'ECDSAP256SHA256', \ 'ECDSAP384SHA384', \ 'ED25519', \ 'ED448']: self.ksk_keysize = None self.zsk_keysize = None return True, '' ############################################################################ # dnssec_policy: # This class reads a dnssec.policy file and creates a dictionary of # DNSSEC policy rules from which a policy for a specific zone can # be generated. ############################################################################ class PolicyException(Exception): pass class dnssec_policy: alg_policy = {} named_policy = {} zone_policy = {} current = None filename = None initial = True def __init__(self, filename=None, **kwargs): self.plex = PolicyLex() self.tokens = self.plex.tokens if 'debug' not in kwargs: kwargs['debug'] = False if 'write_tables' not in kwargs: kwargs['write_tables'] = False self.parser = yacc.yacc(module=self, **kwargs) # set defaults self.setup('''policy global { algorithm rsasha256; key-size ksk 2048; key-size zsk 2048; roll-period ksk 0; roll-period zsk 1y; pre-publish ksk 1mo; pre-publish zsk 1mo; post-publish ksk 1mo; post-publish zsk 1mo; standby ksk 0; standby zsk 0; keyttl 1h; coverage 6mo; }; policy default { policy global; };''') p = Policy() p.algorithm = None p.is_alg = True p.ksk_keysize = 2048; p.zsk_keysize = 2048; # set default algorithm policies # these need a lower default key size: self.alg_policy['DSA'] = copy(p) self.alg_policy['DSA'].algorithm = "DSA" self.alg_policy['DSA'].name = "DSA" self.alg_policy['DSA'].ksk_keysize = 1024; self.alg_policy['NSEC3DSA'] = copy(p) self.alg_policy['NSEC3DSA'].algorithm = "NSEC3DSA" self.alg_policy['NSEC3DSA'].name = "NSEC3DSA" self.alg_policy['NSEC3DSA'].ksk_keysize = 1024; # these can use default settings self.alg_policy['RSAMD5'] = copy(p) self.alg_policy['RSAMD5'].algorithm = "RSAMD5" self.alg_policy['RSAMD5'].name = "RSAMD5" self.alg_policy['RSASHA1'] = copy(p) self.alg_policy['RSASHA1'].algorithm = "RSASHA1" self.alg_policy['RSASHA1'].name = "RSASHA1" self.alg_policy['NSEC3RSASHA1'] = copy(p) self.alg_policy['NSEC3RSASHA1'].algorithm = "NSEC3RSASHA1" self.alg_policy['NSEC3RSASHA1'].name = "NSEC3RSASHA1" self.alg_policy['RSASHA256'] = copy(p) self.alg_policy['RSASHA256'].algorithm = "RSASHA256" self.alg_policy['RSASHA256'].name = "RSASHA256" self.alg_policy['RSASHA512'] = copy(p) self.alg_policy['RSASHA512'].algorithm = "RSASHA512" self.alg_policy['RSASHA512'].name = "RSASHA512" self.alg_policy['ECCGOST'] = copy(p) self.alg_policy['ECCGOST'].algorithm = "ECCGOST" self.alg_policy['ECCGOST'].name = "ECCGOST" self.alg_policy['ECDSAP256SHA256'] = copy(p) self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256" self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256" self.alg_policy['ECDSAP256SHA256'].ksk_keysize = None; self.alg_policy['ECDSAP256SHA256'].zsk_keysize = None; self.alg_policy['ECDSAP384SHA384'] = copy(p) self.alg_policy['ECDSAP384SHA384'].algorithm = "ECDSAP384SHA384" self.alg_policy['ECDSAP384SHA384'].name = "ECDSAP384SHA384" self.alg_policy['ECDSAP384SHA384'].ksk_keysize = None; self.alg_policy['ECDSAP384SHA384'].zsk_keysize = None; self.alg_policy['ED25519'] = copy(p) self.alg_policy['ED25519'].algorithm = "ED25519" self.alg_policy['ED25519'].name = "ED25519" self.alg_policy['ED25519'].ksk_keysize = None; self.alg_policy['ED25519'].zsk_keysize = None; self.alg_policy['ED448'] = copy(p) self.alg_policy['ED448'].algorithm = "ED448" self.alg_policy['ED448'].name = "ED448" self.alg_policy['ED448'].ksk_keysize = None; self.alg_policy['ED448'].zsk_keysize = None; if filename: self.load(filename) def load(self, filename): self.filename = filename self.initial = True with open(filename) as f: text = f.read() self.plex.lexer.lineno = 0 self.parser.parse(text) self.filename = None def setup(self, text): self.initial = True self.plex.lexer.lineno = 0 self.parser.parse(text) def policy(self, zone, **kwargs): z = zone.lower() p = None if z in self.zone_policy: p = self.zone_policy[z] if p is None: p = copy(self.named_policy['default']) p.name = zone p.is_constructed = True if p.algorithm is None: parent = p.parent or self.named_policy['default'] while parent and not parent.algorithm: parent = parent.parent p.algorithm = parent and parent.algorithm or None if p.algorithm in self.alg_policy: ap = self.alg_policy[p.algorithm] else: raise PolicyException('algorithm not found') if p.directory is None: parent = p.parent or self.named_policy['default'] while parent is not None and not parent.directory: parent = parent.parent p.directory = parent and parent.directory if p.coverage is None: parent = p.parent or self.named_policy['default'] while parent and not parent.coverage: parent = parent.parent p.coverage = parent and parent.coverage or ap.coverage if p.ksk_keysize is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.ksk_keysize: parent = parent.parent p.ksk_keysize = parent and parent.ksk_keysize or ap.ksk_keysize if p.zsk_keysize is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.zsk_keysize: parent = parent.parent p.zsk_keysize = parent and parent.zsk_keysize or ap.zsk_keysize if p.ksk_rollperiod is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.ksk_rollperiod: parent = parent.parent p.ksk_rollperiod = parent and \ parent.ksk_rollperiod or ap.ksk_rollperiod if p.zsk_rollperiod is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.zsk_rollperiod: parent = parent.parent p.zsk_rollperiod = parent and \ parent.zsk_rollperiod or ap.zsk_rollperiod if p.ksk_prepublish is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.ksk_prepublish: parent = parent.parent p.ksk_prepublish = parent and \ parent.ksk_prepublish or ap.ksk_prepublish if p.zsk_prepublish is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.zsk_prepublish: parent = parent.parent p.zsk_prepublish = parent and \ parent.zsk_prepublish or ap.zsk_prepublish if p.ksk_postpublish is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.ksk_postpublish: parent = parent.parent p.ksk_postpublish = parent and \ parent.ksk_postpublish or ap.ksk_postpublish if p.zsk_postpublish is None: parent = p.parent or self.named_policy['default'] while parent.parent and not parent.zsk_postpublish: parent = parent.parent p.zsk_postpublish = parent and \ parent.zsk_postpublish or ap.zsk_postpublish if p.keyttl is None: parent = p.parent or self.named_policy['default'] while parent is not None and not parent.keyttl: parent = parent.parent p.keyttl = parent and parent.keyttl if 'novalidate' not in kwargs or not kwargs['novalidate']: (valid, msg) = p.validate() if not valid: raise PolicyException(msg) return None return p def p_policylist(self, p): '''policylist : init policy | policylist policy''' pass def p_init(self, p): "init :" self.initial = False def p_policy(self, p): '''policy : alg_policy | zone_policy | named_policy''' pass def p_name(self, p): '''name : STR | KEYTYPE | DATESUFFIX''' p[0] = p[1] pass def p_domain(self, p): '''domain : STR | QSTRING | KEYTYPE | DATESUFFIX''' p[0] = p[1].strip() if not re.match(r'^[\w.-][\w.-]*$', p[0]): raise PolicyException('invalid domain') pass def p_new_policy(self, p): "new_policy :" self.current = Policy() def p_alg_policy(self, p): "alg_policy : ALGORITHM_POLICY ALGNAME new_policy alg_option_group SEMI" self.current.name = p[2] self.current.is_alg = True self.alg_policy[p[2]] = self.current pass def p_zone_policy(self, p): "zone_policy : ZONE domain new_policy policy_option_group SEMI" self.current.name = p[2].rstrip('.') self.current.is_zone = True self.zone_policy[p[2].rstrip('.').lower()] = self.current pass def p_named_policy(self, p): "named_policy : POLICY name new_policy policy_option_group SEMI" self.current.name = p[2] self.named_policy[p[2].lower()] = self.current pass def p_duration_1(self, p): "duration : NUMBER" p[0] = p[1] pass def p_duration_2(self, p): "duration : NONE" p[0] = None pass def p_duration_3(self, p): "duration : NUMBER DATESUFFIX" if p[2] == "y": p[0] = p[1] * 31536000 # year elif p[2] == "mo": p[0] = p[1] * 2592000 # month elif p[2] == "w": p[0] = p[1] * 604800 # week elif p[2] == "d": p[0] = p[1] * 86400 # day elif p[2] == "h": p[0] = p[1] * 3600 # hour elif p[2] == "mi": p[0] = p[1] * 60 # minute elif p[2] == "s": p[0] = p[1] # second else: raise PolicyException('invalid duration') def p_policy_option_group(self, p): "policy_option_group : LBRACE policy_option_list RBRACE" pass def p_policy_option_list(self, p): '''policy_option_list : policy_option SEMI | policy_option_list policy_option SEMI''' pass def p_policy_option(self, p): '''policy_option : parent_option | directory_option | coverage_option | rollperiod_option | prepublish_option | postpublish_option | keysize_option | algorithm_option | keyttl_option | standby_option''' pass def p_alg_option_group(self, p): "alg_option_group : LBRACE alg_option_list RBRACE" pass def p_alg_option_list(self, p): '''alg_option_list : alg_option SEMI | alg_option_list alg_option SEMI''' pass def p_alg_option(self, p): '''alg_option : coverage_option | rollperiod_option | prepublish_option | postpublish_option | keyttl_option | keysize_option | standby_option''' pass def p_parent_option(self, p): "parent_option : POLICY name" self.current.parent = self.named_policy[p[2].lower()] def p_directory_option(self, p): "directory_option : DIRECTORY QSTRING" self.current.directory = p[2] def p_coverage_option(self, p): "coverage_option : COVERAGE duration" self.current.coverage = p[2] def p_rollperiod_option(self, p): "rollperiod_option : ROLL_PERIOD KEYTYPE duration" if p[2] == "KSK": self.current.ksk_rollperiod = p[3] else: self.current.zsk_rollperiod = p[3] def p_prepublish_option(self, p): "prepublish_option : PRE_PUBLISH KEYTYPE duration" if p[2] == "KSK": self.current.ksk_prepublish = p[3] else: self.current.zsk_prepublish = p[3] def p_postpublish_option(self, p): "postpublish_option : POST_PUBLISH KEYTYPE duration" if p[2] == "KSK": self.current.ksk_postpublish = p[3] else: self.current.zsk_postpublish = p[3] def p_keysize_option(self, p): "keysize_option : KEY_SIZE KEYTYPE NUMBER" if p[2] == "KSK": self.current.ksk_keysize = p[3] else: self.current.zsk_keysize = p[3] def p_standby_option(self, p): "standby_option : STANDBY KEYTYPE NUMBER" if p[2] == "KSK": self.current.ksk_standby = p[3] else: self.current.zsk_standby = p[3] def p_keyttl_option(self, p): "keyttl_option : KEYTTL duration" self.current.keyttl = p[2] def p_algorithm_option(self, p): "algorithm_option : ALGORITHM ALGNAME" self.current.algorithm = p[2] def p_error(self, p): if p: print("%s%s%d:syntax error near '%s'" % (self.filename or "", ":" if self.filename else "", p.lineno, p.value)) else: if not self.initial: raise PolicyException("%s%s%d:unexpected end of input" % (self.filename or "", ":" if self.filename else "", p and p.lineno or 0)) if __name__ == "__main__": import sys if sys.argv[1] == "lex": file = open(sys.argv[2]) text = file.read() file.close() plex = PolicyLex(debug=1) plex.test(text) elif sys.argv[1] == "parse": try: pp = dnssec_policy(sys.argv[2], write_tables=True, debug=True) print(pp.named_policy['default']) print(pp.policy("nonexistent.zone")) except Exception as e: print(e.args[0])