
ietf-dns-zone-provisioning@2020-03-09



  module ietf-dns-zone-provisioning {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang"
        + ":ietf-dns-zone-provisioning";

    prefix dnszp;

    import ietf-inet-types {
      prefix inet;
    }

    organization
      "IETF Domain Name System Operations Working Group (dnsop)";

    contact
      "WG Web:   <https://datatracker.ietf.org/wg/dnsop/>
     WG List:  <mailto:dnsop@ietf.org>

     Editor:   Willem Toorop
               <mailto:willem@nlnetlabs.nl>";

    description
      "This YANG module defines a model for configuring DNS Zone
     provisioning on authoritative nameservers.

     Copyright (c) 2020 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC ????; see the
     RFC itself for full legal notices.";

    revision "2020-03-09" {
      description "Initial revision.";
      reference
        "RFC XXXX: A YANG Data Model for DNS Zone provisioning configuration";

    }


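    grouping tsig-key {
      description
        "Shared key used for authenticating transactions with
       authoritative name servers.

       The 'secret' leaf is credential material: anyone who holds
       it can forge transfer requests, NOTIFY messages and zone
       content for every zone that references the key. Servers
       SHOULD restrict read access to this subtree (for example with
       NACM, RFC 8341) and SHOULD NOT write the secret to logs or
       diagnostic output.";
      reference
        "RFC 2845: Secret Key Transaction Authentication for DNS
         (TSIG)
         RFC 8945: Secret Key Transaction Authentication for DNS
         (TSIG) (obsoletes RFC 2845)";

      leaf name {
        type inet:domain-name;
        mandatory true;
        description
          "The name of the key. Both peers of a TSIG exchange must
           use the same key name; it is carried in the TSIG RR.";
      }

      leaf algorithm {
        type inet:domain-name;
        mandatory true;
        description
          "Name of the HMAC algorithm, as registered in the IANA
           'TSIG Algorithm Names' registry (e.g. hmac-sha256.).
           hmac-md5.sig-alg.reg.int. is kept in the registry only for
           legacy interoperability; it is considered weak and should
           not be configured for new keys.";
        reference
          "<https://www.iana.org/assignments/tsig-algorithm-names/tsig-algorithm-names.xhtml>";

      }

      leaf secret {
        type string {
          /* Canonical base64 only: groups of four symbols with at
             most two '=' padding characters at the end. An empty
             secret is rejected by the length constraint. */
          length "4..max";
          pattern '([A-Za-z0-9+/]{4})*'
                + '([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?';
        }
        mandatory true;
        description
          "Shared secret in base64 format. Possible lengths are
         dependent on the algorithm; the secret SHOULD be at least
         as long as the HMAC output (e.g. 32 bytes for hmac-sha256)
         and SHOULD be generated from a cryptographically secure
         random source.";
      }
    }  // grouping tsig-key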

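    grouping acl-net-key {
      description
        "Access control allowing the action from IP addresses in the
       given subnet and, if present, the tsig-key. Without a tsig-key
       only the subnet needs to match. The subnet should be 0.0.0.0/0
       or ::/0 to allow access from all IPv4 or all IPv6 addresses.

       A subnet-only entry authenticates the peer by source address
       alone. Source addresses are trivially spoofed in UDP messages
       (such as NOTIFY) and offer no protection against an on-path
       attacker for TCP transfers, so a tsig-key SHOULD be configured
       whenever the action would disclose or alter zone content, and
       an entry of 0.0.0.0/0 or ::/0 without a tsig-key SHOULD be
       treated as anonymous access.";
      leaf subnet {
        type inet:ip-prefix;
        mandatory true;
        description
          "Contacting IP address must match this subnet.";
      }

      leaf tsig-key {
        type leafref {
          path "/tsig-keys/tsig-key/name";
        }
        description
          "When provided, all interactions to and from the
         contacting remote end must use this tsig-key. A message
         that is unsigned, or signed with a different key, MUST be
         refused even if the source address matches the subnet.";
      }
    }  // grouping acl-net-key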

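    grouping addr-key {
      description
        "IP address of a remote party to contact, either to notify
       about updates in the zone or to fetch the zone from. An
       optional tsig-key can be given to validate the transfer or to
       sign the notify.

       A transfer-from entry without a tsig-key accepts zone content
       authenticated only by the peer's IP address; a tsig-key SHOULD
       be configured so that injected or tampered zone data is
       rejected.";
      leaf ip {
        type inet:ip-address;
        mandatory true;
        description "IP address to contact.";
      }

      leaf port {
        type inet:port-number;
        default '53';
        description "Port to contact.";
      }

      leaf tsig-key {
        type leafref {
          path "/tsig-keys/tsig-key/name";
        }
        description
          "When provided, all interactions to and from the
         contacted remote end must use this tsig-key; responses
         that are unsigned or signed with another key MUST be
         discarded.";
      }
    }  // grouping addr-key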

    container tsig-keys {
      description
        "Holds every TSIG key that an acl-net-key or addr-key entry
       may reference by name. Keys are configured once here and
       then shared across zones via leafrefs.";
      list tsig-key {
        key "name";
        description
          "One named TSIG key, referenced from acl-net-key and/or
         addr-key entries. Removing a key while it is still
         referenced violates the leafref constraint.";
        uses tsig-key;
      }  // list tsig-key
    }  // container tsig-keys

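    container zones {
      description
        "The list of DNS Zones for which the properties are defined
       that describe the primary/secondary relationships.";
      list zone {
        key "name";
        description
          "A DNS Zone with properties that describe its provisioning
         relationships for this authoritative nameserver.";
        leaf name {
          type inet:domain-name;
          description
            "The name of the DNS Zone";
        }

        list allow-notify {
          key "subnet";
          description
            "Secondary servers allow NOTIFY messages for DNS Zone
           updates from IP addresses in this subnet. If a tsig-key is
           given, the notify must be signed with that key. Because
           NOTIFY is normally sent over UDP, a subnet-only entry can
           be satisfied with a spoofed source address; the effect is
           limited to triggering an SOA check / transfer against the
           configured transfer-from peers.";
          uses acl-net-key;
        }  // list allow-notify

        list allow-transfer {
          key "subnet";
          description
            "Primary servers allow transfers to IP addresses in the
           given subnet. If a tsig-key is given, the transfer
           request must be signed and the DNS messages used for the
           transfer will also be signed with that tsig-key. An entry
           for 0.0.0.0/0 or ::/0 without a tsig-key publishes the
           complete zone content to anyone who asks and SHOULD be
           used only for zones that are intentionally public.";
          uses acl-net-key;
        }  // list allow-transfer

        list notify-to {
          key "ip port";
          description
            "Primary servers send NOTIFY messages to this IP and port
           when the Zone has been updated. If a tsig-key is given,
           the NOTIFY will be signed with that key.";
          uses addr-key;
        }  // list notify-to

        list transfer-from {
          key "ip port";
          description
            "Secondary servers contact the given IP address and port
           to acquire DNS Zone content. When a tsig-key is given
           the request will be signed with it, and the DNS
           messages conveying the Zone must be signed with
           that tsig-key; unsigned or mis-signed content MUST be
           rejected rather than loaded.";
          uses addr-key;
        }  // list transfer-from
      }  // list zone
    }  // container zones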
  }  // module ietf-dns-zone-provisioning