ietf-dns-zone-provisioning
ietf-dns-zone-provisioning@2020-03-09
module ietf-dns-zone-provisioning {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang"
          + ":ietf-dns-zone-provisioning";
  prefix dnszp;

  import ietf-inet-types {
    prefix inet;
  }

  organization
    "IETF Domain Name System Operations Working Group (dnsop)";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/dnsop/>
     WG List:  <mailto:dnsop@ietf.org>

     Editor:   Willem Toorop
               <mailto:willem@nlnetlabs.nl>";
  description
    "This YANG module defines a model for configuring DNS Zone
     provisioning on authoritative nameservers.

     Copyright (c) 2020 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC ????; see the
     RFC itself for full legal notices.";

  revision "2020-03-09" {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for DNS Zone provisioning
       configuration";
  }

  grouping tsig-key {
    description
      "Shared key used for authenticating transactions with
       authoritative name servers";
    reference
      "RFC2845: Secret Key Transaction Authentication for DNS (TSIG)";
    leaf name {
      type inet:domain-name;
      mandatory true;
      description
        "The name of the key";
    }
    leaf algorithm {
      type inet:domain-name;
      mandatory true;
      description
        "Name of the algorithm";
      reference
        "<https://www.iana.org/assignments/tsig-algorithm-names/tsig-algorithm-names.xhtml>";
    }
    leaf secret {
      type string;
      mandatory true;
      description
        "Shared secret in base64 format.
         Possible lengths are dependent on the algorithm";
    }
  } // grouping tsig-key

  grouping acl-net-key {
    description
      "Access control allowing the action from IP addresses from the
       given subnet and tsig-key if present.  Without tsig-key only
       the subnet needs to match.
       The subnet should be 0.0.0.0/0 or ::/0 to allow access from
       all IPv4 or all IPv6 addresses";
    leaf subnet {
      type inet:ip-prefix;
      mandatory true;
      description
        "Contacting IP address must match this subnet.";
    }
    leaf tsig-key {
      type leafref {
        path "/tsig-keys/tsig-key/name";
      }
      description
        "When provided all interactions to and from the contacting
         remote end must use this tsig-key.";
    }
  } // grouping acl-net-key

  grouping addr-key {
    description
      "IP address of remote party to contact, either to notify about
       updates in the zone, or to fetch the zone from.  An optional
       tsig-key can be given to validate the transfer or to sign the
       notify.";
    leaf ip {
      type inet:ip-address;
      mandatory true;
      description
        "IP address to contact.";
    }
    leaf port {
      type inet:port-number;
      default '53';
      description
        "Port to contact.";
    }
    leaf tsig-key {
      type leafref {
        path "/tsig-keys/tsig-key/name";
      }
      description
        "When provided all interactions to and from the contacted
         remote end must use this tsig-key.";
    }
  } // grouping addr-key

  container tsig-keys {
    description
      "The list of tsig-keys which are referred to from acl-net-key
       and addr-key.";
    list tsig-key {
      key "name";
      description
        "The tsig-key which is referred to from acl-net-key and/or
         addr-key.";
      uses tsig-key;
    } // list tsig-key
  } // container tsig-keys

  container zones {
    description
      "The list of DNS Zones for which the properties are defined
       that describe the primary/secondary relationships.";
    list zone {
      key "name";
      description
        "A DNS Zone with properties which describe the provisioning
         relationships for this authoritative nameserver.";
      leaf name {
        type inet:domain-name;
        description
          "The name of the DNS Zone";
      }
      list allow-notify {
        key "subnet";
        description
          "Secondary servers allow notifies for DNS Zone updates from
           IP addresses from this subnet.
           If a tsig-key is given, the notify must be signed with
           that key.";
        uses acl-net-key;
      } // list allow-notify
      list allow-transfer {
        key "subnet";
        description
          "Primary servers allow transfers to the IP addresses in the
           given subnet.  If a tsig-key is given, the transfer request
           must be signed and the DNS messages used for the transfer
           will also be signed with that tsig-key";
        uses acl-net-key;
      } // list allow-transfer
      list notify-to {
        key "ip port";
        description
          "Primary servers send NOTIFY messages to this IP when the
           Zone has been updated.  If a tsig-key is given, the NOTIFY
           will be signed with that key.";
        uses addr-key;
      } // list notify-to
      list transfer-from {
        key "ip port";
        description
          "Secondary servers contact the given ip-address to acquire
           DNS Zone content.  When a tsig-key is given the request
           will be signed with it, and the DNS messages conveying the
           Zone must be signed with that tsig-key.";
        uses addr-key;
      } // list transfer-from
    } // list zone
  } // container zones
} // module ietf-dns-zone-provisioning
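The following is an added example, not code from the module or the draft: it applies the access-control rules stated in the allow-notify and allow-transfer descriptions to a constructed instance of the model and runs the static checks an operator would want before loading such a configuration (every tsig-key leafref resolves to /tsig-keys/tsig-key/name, every secret is valid base64, and an all-hosts subnet with no key is flagged). The instance layout, the key and zone names, and the rule that any matching entry grants access are assumptions.

```python
import base64
import ipaddress

CONFIG = {  # constructed instance data, laid out like /tsig-keys and /zones
    "tsig-keys": {"tsig-key": [{"name": "xfr-key.example.", "algorithm": "hmac-sha256",
                                "secret": base64.b64encode(b"\x00" * 32).decode()}]},
    "zones": {"zone": [{"name": "example.",
                        "allow-notify": [{"subnet": "192.0.2.0/24"}],
                        "allow-transfer": [{"subnet": "198.51.100.0/24",
                                            "tsig-key": "xfr-key.example."},
                                           {"subnet": "2001:db8::/32"}]}]},
}

def key_names(cfg):
    return {k["name"] for k in cfg["tsig-keys"]["tsig-key"]}

def validate(cfg):
    """Static checks: each tsig-key leafref must resolve to /tsig-keys/tsig-key/name,
    each secret must be base64, and a 0.0.0.0/0 or ::/0 entry with no key is flagged."""
    problems, names = [], key_names(cfg)
    for k in cfg["tsig-keys"]["tsig-key"]:
        try:
            base64.b64decode(k["secret"], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"secret of {k['name']} is not base64")
    for z in cfg["zones"]["zone"]:
        for lst in ("allow-notify", "allow-transfer"):
            for acl in z.get(lst, []):
                net = ipaddress.ip_network(acl["subnet"], strict=False)
                ref = acl.get("tsig-key")
                if ref is not None and ref not in names:
                    problems.append(f"{z['name']} {lst}: unknown tsig-key {ref}")
                if ref is None and net.prefixlen == 0:
                    problems.append(f"{z['name']} {lst}: {acl['subnet']} open to all, no key")
    return problems

def allowed(cfg, zone, action, src_ip, signed_with=None):
    """Decide an inbound NOTIFY ('allow-notify') or transfer request ('allow-transfer'):
    the source must fall inside an entry's subnet and, if that entry names a tsig-key,
    the request must be signed with exactly that key. Assumes any matching entry grants."""
    ip = ipaddress.ip_address(src_ip)
    for z in cfg["zones"]["zone"]:
        if z["name"] != zone:
            continue
        for acl in z.get(action, []):
            net = ipaddress.ip_network(acl["subnet"], strict=False)
            required = acl.get("tsig-key")
            if ip in net and (required is None or required == signed_with):
                return True
    return False
```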
Summary
| Field | Value |
| --- | --- |
| Organization | IETF Domain Name System Operations Working Group (dnsop) |
| Module | ietf-dns-zone-provisioning |
| Version | 2020-03-09 |
| File | ietf-dns-zone-provisioning@2020-03-09.yang |
| Prefix | dnszp |
| Namespace | urn:ietf:params:xml:ns:yang:ietf-dns-zone-provisioning |
| Cooked | /cookedmodules/ietf-dns-zone-provisioning/2020-03-09 |
| YANG | /src/ietf-dns-zone-provisioning@2020-03-09.yang |
| XSD | /xsd/ietf-dns-zone-provisioning@2020-03-09.xsd |
| Abstract | This YANG module defines a model for configuring DNS Zone provisioning on authoritative nameservers. Copyright (c) 2020 IETF Tr... |
| Contact | WG Web: <https://datatracker.ietf.org/wg/dnsop/> WG List: <mailto:dnsop@ietf.org> Editor: Willem Toorop <mailto:willem@nlnetlabs.nl> |
Description
This YANG module defines a model for configuring DNS Zone provisioning on authoritative nameservers.

Copyright (c) 2020 IETF Trust and the persons identified as authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC ????; see the RFC itself for full legal notices.
Groupings
| Grouping | Objects | Abstract |
| --- | --- | --- |
| acl-net-key | subnet, tsig-key | Access control allowing the action from IP addresses from the given subnet and tsig-key if present. Without tsig-key only the subnet needs to match. The subnet should be 0.0.0.0/0 or ::/0 to allow access from all IPv4 or all IPv6 addresses |
| addr-key | ip, port, tsig-key | IP address of remote party to contact, either to notify about updates in the zone, or to fetch the zone from. An optional tsig-key can be given to validate the transfer or to sign the notify. |
| tsig-key | name, algorithm, secret | Shared key used for authenticating transactions with authoritative name servers |
Objects
| Object | Type | Abstract |
| --- | --- | --- |
| /tsig-keys | container | The list of tsig-keys which are referred to from acl-net-key and addr-key. |
| /tsig-keys/tsig-key | list | The tsig-key which is referred to from acl-net-key and/or addr-key. |
| /tsig-keys/tsig-key/algorithm | leaf | Name of the algorithm |
| /tsig-keys/tsig-key/name | leaf | The name of the key |
| /tsig-keys/tsig-key/secret | leaf | Shared secret in base64 format. Possible lengths are dependent on the algorithm |
| /zones | container | The list of DNS Zones for which the properties are defined that describe the primary/secondary relationships. |
| /zones/zone | list | A DNS Zone with properties which describe the provisioning relationships for this authoritative nameserver. |
| /zones/zone/allow-notify | list | Secondary servers allow notifies for DNS Zone updates from IP addresses from this subnet. If a tsig-key is given, the notify must be signed with that key. |
| /zones/zone/allow-notify/subnet | leaf | Contacting IP address must match this subnet. |
| /zones/zone/allow-notify/tsig-key | leaf | When provided all interactions to and from the contacting remote end must use this tsig-key. |
| /zones/zone/allow-transfer | list | Primary servers allow transfers to the IP addresses in the given subnet. If a tsig-key is given, the transfer request must be signed and the DNS messages used for the transfer will also be signed with that tsig-key |
| /zones/zone/allow-transfer/subnet | leaf | Contacting IP address must match this subnet. |
| /zones/zone/allow-transfer/tsig-key | leaf | When provided all interactions to and from the contacting remote end must use this tsig-key. |
| /zones/zone/name | leaf | The name of the DNS Zone |
| /zones/zone/notify-to | list | Primary servers send NOTIFY messages to this IP when the Zone has been updated. If a tsig-key is given, the NOTIFY will be signed with that key. |
| /zones/zone/notify-to/ip | leaf | IP address to contact. |
| /zones/zone/notify-to/port | leaf | Port to contact. |
| /zones/zone/notify-to/tsig-key | leaf | When provided all interactions to and from the contacted remote end must use this tsig-key. |
| /zones/zone/transfer-from | list | Secondary servers contact the given ip-address to acquire DNS Zone content. When a tsig-key is given the request will be signed with it, and the DNS messages conveying the Zone must be signed with that tsig-key. |
| /zones/zone/transfer-from/ip | leaf | IP address to contact. |
| /zones/zone/transfer-from/port | leaf | Port to contact. |
| /zones/zone/transfer-from/tsig-key | leaf | When provided all interactions to and from the contacted remote end must use this tsig-key. |