Remove RrsigValidityPeriodStrategy.

NLnetLabs · Feb 6, 2025 · cdfbc54 · cdfbc54
1 parent 21cb3a8
commit cdfbc54
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 219 deletions.
diff --git a/src/dnssec/sign/config.rs b/src/dnssec/sign/config.rs
@@ -1,34 +1,18 @@
 //! Types for tuning configurable aspects of DNSSEC signing.
 use core::marker::PhantomData;
 
-use octseq::{EmptyBuilder, FromBuilder};
-
 use super::denial::config::DenialConfig;
 use super::denial::nsec3::{Nsec3HashProvider, OnDemandNsec3HashProvider};
-use super::records::{DefaultSorter, Sorter};
-use super::signatures::strategy::DefaultSigningKeyUsageStrategy;
-use super::signatures::strategy::RrsigValidityPeriodStrategy;
-use super::signatures::strategy::SigningKeyUsageStrategy;
-use crate::base::{Name, ToName};
-use crate::crypto::misc::SignRaw;
+use super::records::Sorter;
+use crate::rdata::dnssec::Timestamp;
 
 //------------ SigningConfig -------------------------------------------------
 
 /// Signing configuration for a DNSSEC signed zone.
-pub struct SigningConfig<
-    N,
-    Octs,
-    Inner,
-    KeyStrat,
-    ValidityStrat,
-    Sort,
-    HP = OnDemandNsec3HashProvider<Octs>,
-> where
+pub struct SigningConfig<N, Octs, Sort, HP = OnDemandNsec3HashProvider<Octs>>
+where
     HP: Nsec3HashProvider<N, Octs>,
     Octs: AsRef<[u8]> + From<&'static [u8]>,
-    Inner: SignRaw,
-    KeyStrat: SigningKeyUsageStrategy<Octs, Inner>,
-    ValidityStrat: RrsigValidityPeriodStrategy,
     Sort: Sorter,
 {
     /// Authenticated denial of existing mechanism configuration.
@@ -37,65 +21,31 @@ pub struct SigningConfig<
     /// Should keys used to sign the zone be added as DNSKEY RRs?
     pub add_used_dnskeys: bool,
 
-    pub rrsig_validity_period_strategy: ValidityStrat,
+    pub inception: Timestamp,
+
+    pub expiration: Timestamp,
 
-    _phantom: PhantomData<(Inner, KeyStrat, Sort)>,
+    _phantom: PhantomData<Sort>,
 }
 
-impl<N, Octs, Inner, KeyStrat, Sort, ValidityStrat, HP>
-    SigningConfig<N, Octs, Inner, KeyStrat, ValidityStrat, Sort, HP>
+impl<N, Octs, Sort, HP> SigningConfig<N, Octs, Sort, HP>
 where
     HP: Nsec3HashProvider<N, Octs>,
     Octs: AsRef<[u8]> + From<&'static [u8]>,
-    Inner: SignRaw,
-    KeyStrat: SigningKeyUsageStrategy<Octs, Inner>,
-    ValidityStrat: RrsigValidityPeriodStrategy,
     Sort: Sorter,
 {
     pub fn new(
         denial: DenialConfig<N, Octs, HP, Sort>,
         add_used_dnskeys: bool,
-        rrsig_validity_period_strategy: ValidityStrat,
+        inception: Timestamp,
+        expiration: Timestamp,
     ) -> Self {
         Self {
             denial,
             add_used_dnskeys,
-            rrsig_validity_period_strategy,
+            inception,
+            expiration,
             _phantom: PhantomData,
         }
     }
-
-    pub fn set_rrsig_validity_period_strategy(
-        &mut self,
-        rrsig_validity_period_strategy: ValidityStrat,
-    ) {
-        self.rrsig_validity_period_strategy = rrsig_validity_period_strategy;
-    }
-}
-
-impl<N, Octs, Inner, ValidityStrat>
-    SigningConfig<
-        N,
-        Octs,
-        Inner,
-        DefaultSigningKeyUsageStrategy,
-        ValidityStrat,
-        DefaultSorter,
-        OnDemandNsec3HashProvider<Octs>,
-    >
-where
-    N: ToName + From<Name<Octs>>,
-    Octs: AsRef<[u8]> + From<&'static [u8]> + FromBuilder,
-    <Octs as FromBuilder>::Builder: EmptyBuilder + AsRef<[u8]> + AsMut<[u8]>,
-    Inner: SignRaw,
-    ValidityStrat: RrsigValidityPeriodStrategy,
-{
-    pub fn default(rrsig_validity_period_strategy: ValidityStrat) -> Self {
-        Self {
-            denial: Default::default(),
-            add_used_dnskeys: true,
-            rrsig_validity_period_strategy,
-            _phantom: Default::default(),
-        }
-    }
 }
diff --git a/src/dnssec/sign/mod.rs b/src/dnssec/sign/mod.rs
@@ -146,9 +146,7 @@ use records::{RecordsIter, Sorter};
 use signatures::rrsigs::{
     generate_rrsigs, GenerateRrsigConfig, RrsigRecords,
 };
-use signatures::strategy::{
-    RrsigValidityPeriodStrategy, SigningKeyUsageStrategy,
-};
+use signatures::strategy::SigningKeyUsageStrategy;
 use traits::{SignableZone, SortedExtend};
 
 //------------ SignableZoneInOut ---------------------------------------------
@@ -364,28 +362,9 @@ where
 /// [`SignableZoneInPlace`]: crate::sign::traits::SignableZoneInPlace
 /// [`SortedRecords`]: crate::sign::records::SortedRecords
 /// [`Zone`]: crate::zonetree::Zone
-pub fn sign_zone<
-    N,
-    Octs,
-    S,
-    DSK,
-    Inner,
-    KeyStrat,
-    ValidityStrat,
-    Sort,
-    HP,
-    T,
->(
+pub fn sign_zone<N, Octs, S, DSK, Inner, KeyStrat, Sort, HP, T>(
     mut in_out: SignableZoneInOut<N, Octs, S, T, Sort>,
-    signing_config: &mut SigningConfig<
-        N,
-        Octs,
-        Inner,
-        KeyStrat,
-        ValidityStrat,
-        Sort,
-        HP,
-    >,
+    signing_config: &mut SigningConfig<N, Octs, Sort, HP>,
     signing_keys: &[DSK],
 ) -> Result<(), SigningError>
 where
@@ -404,7 +383,6 @@ where
         Truncate + EmptyBuilder + AsRef<[u8]> + AsMut<[u8]>,
     <<Octs as FromBuilder>::Builder as OctetsBuilder>::AppendError: Debug,
     KeyStrat: SigningKeyUsageStrategy<Octs, Inner>,
-    ValidityStrat: RrsigValidityPeriodStrategy + Clone,
     S: SignableZone<N, Octs, Sort>,
     Sort: Sorter,
     T: SortedExtend<N, Octs, Sort> + ?Sized,
@@ -454,10 +432,10 @@ where
     }
 
     if !signing_keys.is_empty() {
-        let mut rrsig_config =
-            GenerateRrsigConfig::<N, KeyStrat, ValidityStrat, Sort>::new(
-                signing_config.rrsig_validity_period_strategy.clone(),
-            );
+        let mut rrsig_config = GenerateRrsigConfig::<N, KeyStrat, Sort>::new(
+            signing_config.inception,
+            signing_config.expiration,
+        );
         rrsig_config.add_used_dnskeys = signing_config.add_used_dnskeys;
         rrsig_config.zone_apex = Some(&apex_owner);
 

diff --git a/src/dnssec/sign/signatures/rrsigs.rs b/src/dnssec/sign/signatures/rrsigs.rs
@@ -24,38 +24,36 @@ use crate::dnssec::sign::error::SigningError;
 use crate::dnssec::sign::keys::keymeta::DesignatedSigningKey;
 use crate::dnssec::sign::keys::signingkey::SigningKey;
 use crate::dnssec::sign::records::{
-    DefaultSorter, RecordsIter, Rrset, SortedRecords, Sorter,
+    RecordsIter, Rrset, SortedRecords, Sorter,
 };
 use crate::dnssec::sign::signatures::strategy::SigningKeyUsageStrategy;
-use crate::dnssec::sign::signatures::strategy::{
-    DefaultSigningKeyUsageStrategy, RrsigValidityPeriodStrategy,
-};
 use crate::rdata::dnssec::{ProtoRrsig, Timestamp};
 use crate::rdata::{Dnskey, Rrsig, ZoneRecordData};
 
 //------------ GenerateRrsigConfig -------------------------------------------
 
 #[derive(Copy, Clone, Debug, PartialEq)]
-pub struct GenerateRrsigConfig<'a, N, KeyStrat, ValidityStrat, Sort> {
+pub struct GenerateRrsigConfig<'a, N, KeyStrat, Sort> {
     pub add_used_dnskeys: bool,
 
     pub zone_apex: Option<&'a N>,
 
-    pub rrsig_validity_period_strategy: ValidityStrat,
+    pub inception: Timestamp,
+
+    pub expiration: Timestamp,
 
     _phantom: PhantomData<(KeyStrat, Sort)>,
 }
 
-impl<'a, N, KeyStrat, ValidityStrat, Sort>
-    GenerateRrsigConfig<'a, N, KeyStrat, ValidityStrat, Sort>
-{
+impl<'a, N, KeyStrat, Sort> GenerateRrsigConfig<'a, N, KeyStrat, Sort> {
     /// Like [`Self::default()`] but gives control over the SigningKeyStrategy
     /// and Sorter used.
-    pub fn new(rrsig_validity_period_strategy: ValidityStrat) -> Self {
+    pub fn new(inception: Timestamp, expiration: Timestamp) -> Self {
         Self {
             add_used_dnskeys: true,
             zone_apex: None,
-            rrsig_validity_period_strategy,
+            inception,
+            expiration,
             _phantom: Default::default(),
         }
     }
@@ -71,22 +69,6 @@ impl<'a, N, KeyStrat, ValidityStrat, Sort>
     }
 }
 
-impl<N, ValidityStrat>
-    GenerateRrsigConfig<
-        '_,
-        N,
-        DefaultSigningKeyUsageStrategy,
-        ValidityStrat,
-        DefaultSorter,
-    >
-where
-    ValidityStrat: RrsigValidityPeriodStrategy,
-{
-    pub fn default(rrsig_validity_period_strategy: ValidityStrat) -> Self {
-        Self::new(rrsig_validity_period_strategy)
-    }
-}
-
 //------------ RrsigRecords --------------------------------------------------
 
 #[derive(Clone, Debug)]
@@ -146,16 +128,15 @@ where
 /// subject to change.
 // TODO: Add mutable iterator based variant.
 #[allow(clippy::type_complexity)]
-pub fn generate_rrsigs<N, Octs, DSK, Inner, KeyStrat, ValidityStrat, Sort>(
+pub fn generate_rrsigs<N, Octs, DSK, Inner, KeyStrat, Sort>(
     records: RecordsIter<'_, N, ZoneRecordData<Octs, N>>,
     keys: &[DSK],
-    config: &GenerateRrsigConfig<'_, N, KeyStrat, ValidityStrat, Sort>,
+    config: &GenerateRrsigConfig<'_, N, KeyStrat, Sort>,
 ) -> Result<RrsigRecords<N, Octs>, SigningError>
 where
     DSK: DesignatedSigningKey<Octs, Inner>,
     Inner: SignRaw,
     KeyStrat: SigningKeyUsageStrategy<Octs, Inner>,
-    ValidityStrat: RrsigValidityPeriodStrategy,
     N: ToName
         + PartialEq
         + Clone
@@ -323,9 +304,8 @@ where
             for key in
                 non_dnskey_signing_key_idxs.iter().map(|&idx| &keys[idx])
             {
-                let (inception, expiration) = config
-                    .rrsig_validity_period_strategy
-                    .validity_period_for_rrset(&rrset);
+                let inception = config.inception;
+                let expiration = config.expiration;
                 let rrsig_rr = sign_rrset_in(
                     key.signing_key(),
                     &rrset,
@@ -407,9 +387,9 @@ fn log_keys_in_use<Octs, DSK, Inner>(
 }
 
 #[allow(clippy::too_many_arguments)]
-fn generate_apex_rrsigs<N, Octs, DSK, Inner, KeyStrat, ValidityStrat, Sort>(
+fn generate_apex_rrsigs<N, Octs, DSK, Inner, KeyStrat, Sort>(
     keys: &[DSK],
-    config: &GenerateRrsigConfig<'_, N, KeyStrat, ValidityStrat, Sort>,
+    config: &GenerateRrsigConfig<'_, N, KeyStrat, Sort>,
     records: &mut core::iter::Peekable<
         RecordsIter<'_, N, ZoneRecordData<Octs, N>>,
     >,
@@ -425,7 +405,6 @@ where
     DSK: DesignatedSigningKey<Octs, Inner>,
     Inner: SignRaw,
     KeyStrat: SigningKeyUsageStrategy<Octs, Inner>,
-    ValidityStrat: RrsigValidityPeriodStrategy,
     N: ToName
         + PartialEq
         + Clone
@@ -559,9 +538,8 @@ where
         };
 
         for key in signing_key_idxs.iter().map(|&idx| &keys[idx]) {
-            let (inception, expiration) = config
-                .rrsig_validity_period_strategy
-                .validity_period_for_rrset(&rrset);
+            let inception = config.inception;
+            let expiration = config.expiration;
             let rrsig_rr = sign_rrset_in(
                 key.signing_key(),
                 &rrset,

diff --git a/src/dnssec/sign/signatures/strategy.rs b/src/dnssec/sign/signatures/strategy.rs
@@ -3,8 +3,6 @@ use smallvec::SmallVec;
 use crate::base::Rtype;
 use crate::crypto::misc::SignRaw;
 use crate::dnssec::sign::keys::keymeta::DesignatedSigningKey;
-use crate::dnssec::sign::records::Rrset;
-use crate::rdata::dnssec::Timestamp;
 
 //------------ SigningKeyUsageStrategy ---------------------------------------
 
@@ -56,56 +54,3 @@ where
 {
     const NAME: &'static str = "Default key usage strategy";
 }
-
-//------------ RrsigValidityPeriodStrategy -----------------------------------
-
-/// The strategy for determining the validity period for an RRSIG for an
-/// RRSET.
-///
-/// Determining the right inception time and expiration time to use may depend
-/// for example on the RTYPE of the RRSET being signed or on whether jitter
-/// should be applied.
-///
-/// See https://datatracker.ietf.org/doc/html/rfc6781#section-4.4.2.
-pub trait RrsigValidityPeriodStrategy {
-    fn validity_period_for_rrset<N, D>(
-        &self,
-        rrset: &Rrset<'_, N, D>,
-    ) -> (Timestamp, Timestamp);
-}
-
-//------------ FixedRrsigValidityPeriodStrategy ------------------------------
-
-#[derive(Copy, Clone, Debug, PartialEq)]
-pub struct FixedRrsigValidityPeriodStrategy {
-    inception: Timestamp,
-    expiration: Timestamp,
-}
-
-impl FixedRrsigValidityPeriodStrategy {
-    pub fn new(inception: Timestamp, expiration: Timestamp) -> Self {
-        Self {
-            inception,
-            expiration,
-        }
-    }
-}
-
-//--- impl From<(u32, u32)>
-
-impl From<(u32, u32)> for FixedRrsigValidityPeriodStrategy {
-    fn from((inception, expiration): (u32, u32)) -> Self {
-        Self::new(Timestamp::from(inception), Timestamp::from(expiration))
-    }
-}
-
-//--- impl RrsigValidityPeriodStrategy
-
-impl RrsigValidityPeriodStrategy for FixedRrsigValidityPeriodStrategy {
-    fn validity_period_for_rrset<N, D>(
-        &self,
-        _rrset: &Rrset<'_, N, D>,
-    ) -> (Timestamp, Timestamp) {
-        (self.inception, self.expiration)
-    }
-}