
ietf-dns-zone-provisioning


ietf-dns-zone-provisioning@2020-03-09



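  module ietf-dns-zone-provisioning {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang"
        + ":ietf-dns-zone-provisioning";

    prefix dnszp;

    import ietf-inet-types {
      prefix inet;
    }

    organization
      "IETF Domain Name System Operations Working Group (dnsop)";

    contact
      "WG Web:   <https://datatracker.ietf.org/wg/dnsop/>
       WG List:  <mailto:dnsop@ietf.org>

       Editor:   Willem Toorop
                 <mailto:willem@nlnetlabs.nl>";

    description
      "This YANG module defines a model for configuring DNS Zone
       provisioning on authoritative nameservers.

       Copyright (c) 2020 IETF Trust and the persons identified as
       authors of the code. All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject to
       the license terms contained in, the Simplified BSD License set
       forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (https://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC ????; see the
       RFC itself for full legal notices.";

    revision "2020-03-09" {
      description "Initial revision.";
      reference
        "RFC XXXX: A YANG Data Model for DNS Zone provisioning configuration";
    }

    // A TSIG key is configured once under /tsig-keys and referenced by
    // name from acl-net-key and addr-key through a leafref, so a key is
    // shared by every zone entry that names it.
    grouping tsig-key {
      description
        "Shared key used for authenticating transactions with
         authoritative name servers.";
      reference
        "RFC 2845: Secret Key Transaction Authentication for DNS
         (TSIG)";
      // NOTE(review): RFC 2845 has since been obsoleted by RFC 8945;
      // the reference is left as published for this revision.

      leaf name {
        type inet:domain-name;
        mandatory true;
        description "The name of the key.";
      }

      leaf algorithm {
        type inet:domain-name;
        mandatory true;
        description "Name of the algorithm.";
        reference
          "<https://www.iana.org/assignments/tsig-algorithm-names/tsig-algorithm-names.xhtml>";
      }

      // This is the only node in the module that is sensitive on read as
      // well as on write: whoever can read it can authenticate as a peer
      // for every zone that references the key.  Read access should be
      // restricted by the server (e.g. with the nacm:default-deny-all
      // extension of RFC 8341).  The base64 framing is documented only;
      // 'string' does not enforce it, so a malformed secret is caught by
      // the nameserver, not by the datastore.
      leaf secret {
        type string;
        mandatory true;
        description
          "Shared secret in base64 format. Possible lengths are
           dependent on the algorithm.";
      }
    }  // grouping tsig-key

    // Matches a remote peer by the source address of its request, with an
    // optional TSIG requirement.  An entry whose subnet is 0.0.0.0/0 or
    // ::/0 and that has no tsig-key trusts the source address alone, so
    // it grants the action to any host of that address family.
    grouping acl-net-key {
      description
        "Access control allowing the action from IP addresses in the
         given subnet and with the tsig-key if present. Without a
         tsig-key only the subnet needs to match. The subnet should be
         0.0.0.0/0 or ::/0 to allow access from all IPv4 or all IPv6
         addresses.";
      leaf subnet {
        type inet:ip-prefix;
        mandatory true;
        description
          "Contacting IP address must match this subnet.";
      }

      leaf tsig-key {
        type leafref {
          path "/tsig-keys/tsig-key/name";
        }
        description
          "When provided all interactions to and from the
           contacting remote end must use this tsig-key.";
      }
    }  // grouping acl-net-key

    // A remote peer this server initiates contact with (NOTIFY target or
    // transfer source), with an optional TSIG key for signing.
    grouping addr-key {
      description
        "IP address of remote party to contact, either to notify about
         updates in the zone, or to fetch the zone from. An optional
         tsig-key can be given to validate the transfer or to sign the
         notify.";
      leaf ip {
        type inet:ip-address;
        mandatory true;
        description "IP address to contact.";
      }

      leaf port {
        type inet:port-number;
        default '53';
        description "Port to contact.";
      }

      leaf tsig-key {
        type leafref {
          path "/tsig-keys/tsig-key/name";
        }
        description
          "When provided all interactions to and from the
           contacted remote end must use this tsig-key.";
      }
    }  // grouping addr-key

    container tsig-keys {
      description
        "The list of tsig-keys which are referred to from
         acl-net-key and addr-key.";
      list tsig-key {
        key "name";
        description
          "The tsig-key which is referred to from acl-net-key
           and/or addr-key.";
        uses tsig-key;
      }  // list tsig-key
    }  // container tsig-keys

    container zones {
      description
        "The list of DNS Zones for which the properties are defined
         that describe the primary/secondary relationships.";
      list zone {
        key "name";
        description
          "A DNS Zone with properties which describe the provisioning
           relationships for the authoritative nameserver.";
        // 'name' is the list key, which makes it mandatory without an
        // explicit 'mandatory true'.
        leaf name {
          type inet:domain-name;
          description
            "The name of the DNS Zone";
        }

        // Inbound: who may tell this server (as secondary) to refresh.
        list allow-notify {
          key "subnet";
          description
            "Secondary servers allow notifies for DNS Zone updates
             from IP addresses in this subnet. If a tsig-key is
             given, the notify must be signed with that key.";
          uses acl-net-key;
        }  // list allow-notify

        // Inbound: who may read the whole zone from this server (as
        // primary).  A subnet-only entry publishes the zone content to
        // every address in the subnet.
        list allow-transfer {
          key "subnet";
          description
            "Primary servers allow transfers to IP addresses in the
             given subnet. If a tsig-key is given, the transfer
             request must be signed and the DNS messages used for the
             transfer will also be signed with that tsig-key.";
          uses acl-net-key;
        }  // list allow-transfer

        // Outbound: peers this server (as primary) notifies on change.
        list notify-to {
          key "ip port";
          description
            "Primary servers send NOTIFY messages when the Zone
             has been updated to this IP. If a tsig-key is given,
             it will be signed with that key.";
          uses addr-key;
        }  // list notify-to

        // Outbound: peers this server (as secondary) fetches the zone
        // from.  Without a tsig-key the received zone content is not
        // authenticated by this configuration.
        list transfer-from {
          key "ip port";
          description
            "Secondary servers contact the given ip-address to
             acquire DNS Zone content. When a tsig-key is given
             the request will be signed with it, and the DNS
             messages conveying the Zone must be signed with
             that tsig-key.";
          uses addr-key;
        }  // list transfer-from
      }  // list zone
    }  // container zones
  }  // module ietf-dns-zone-provisioning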

Summary

  
  
Organization IETF Domain Name System Operations Working Group (dnsop)
  
Module ietf-dns-zone-provisioning
Version 2020-03-09
File ietf-dns-zone-provisioning@2020-03-09.yang
  
Prefix dnszp
Namespace urn:ietf:params:xml:ns:yang:ietf-dns-zone-provisioning
  
Cooked /cookedmodules/ietf-dns-zone-provisioning/2020-03-09
YANG /src/ietf-dns-zone-provisioning@2020-03-09.yang
XSD /xsd/ietf-dns-zone-provisioning@2020-03-09.xsd
  
Abstract This YANG module defines a model for configuring DNS Zone provisioning on authoritative nameservers. Copyright (c) 2020 IETF Tr...
  
Contact
WG Web:   <https://datatracker.ietf.org/wg/dnsop/>
WG List:  <mailto:dnsop@ietf.org>

Editor:   Willem Toorop
	  <mailto:willem@nlnetlabs.nl>

Description

 
This YANG module defines a model for configuring DNS Zone
provisioning on authoritative nameservers.

Copyright (c) 2020 IETF Trust and the persons identified as
authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC ????; see the
RFC itself for full legal notices.

Groupings

Grouping Objects Abstract
acl-net-key subnet tsig-key Access control allowing the action from IP addresses in the given subnet and with the tsig-key if present. Without a tsig-key only the subnet needs to match. The subnet should be 0.0.0.0/0 or ::/0 to allow access from all IPv4 or all IPv6 addresses
addr-key ip port tsig-key IP address of remote party to contact, either to notify about updates in the zone, or to fetch the zone from. An optional tsig-key can be given to validate the transfer or to sign the notify.
tsig-key name algorithm secret Shared key used for authenticating transactions with authoritative name servers

Objects

Object Type Abstract
tsig-keys container The list of tsig-keys which are referred from acl-net-key and addr-key.
   tsig-key list The tsig-key which is referred to from acl-net-key and/or addr-key.
      algorithm leaf Name of the algorithm
      name leaf The name of the key
      secret leaf Shared secret in base64 format. Possible lengths are dependent on the algorithm
zones container The list of DNS Zones for which the properties are defined that describe the primary/secondary relationships.
   zone list A DNS Zone with properties which describe the provisioning relationships for the authoritative nameserver.
      allow-notify list Secondary servers allow notifies for DNS Zone updates from IP addresses from this subnet. If a tsig-key is given, the notify must be signed with that key.
         subnet leaf Contacting IP address must match this subnet.
         tsig-key leaf When provided all interactions to and from the contacting remote end must use this tsig-key.
      allow-transfer list Primary servers allow transfers to IP addresses in the given subnet. If a tsig-key is given, the transfer request must be signed and the DNS messages used for the transfer will also be signed with that tsig-key
         subnet leaf Contacting IP address must match this subnet.
         tsig-key leaf When provided all interactions to and from the contacting remote end must use this tsig-key.
      name leaf The name of the DNS Zone
      notify-to list Primary servers send NOTIFY messages when the Zone has been updated to this IP. If a tsig-key is given, it will be signed with that key.
         ip leaf IP address to contact.
         port leaf Port to contact.
         tsig-key leaf When provided all interactions to and from the contacted remote end must use this tsig-key.
      transfer-from list Secondary servers contact the given ip-address to acquire DNS Zone content. When a tsig-key is given the request will be signed with it, and the DNS messages conveying the Zone must be signed with that tsig-key.
         ip leaf IP address to contact.
         port leaf Port to contact.
         tsig-key leaf When provided all interactions to and from the contacted remote end must use this tsig-key.