module ietf-dns-zone-provisioning {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang"
+ ":ietf-dns-zone-provisioning";
prefix dnszp;
import ietf-inet-types {
prefix inet;
}
organization
"IETF Domain Name System Operations Working Group (dnsop)";
contact
"WG Web:
WG List:
Editor: Willem Toorop
";
description
"This YANG module defines a model for configuring DNS Zone
provisioning on authoritative nameservers.
Copyright (c) 2020 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC ????; see the
RFC itself for full legal notices.";
revision 2020-03-09 {
description
"Initial revision.";
reference
"RFC XXXX: A YANG Data Model for"
+ " DNS Zone provisioning configuration";
}
/* Groupings */
grouping tsig-key {
leaf name {
type inet:domain-name;
mandatory true;
description
"The name of the key";
}
leaf algorithm {
type inet:domain-name;
mandatory true;
description
"Name of the algorithm";
reference
"";
}
leaf secret {
type string;
mandatory true;
description
"Shared secret in base64 format. Possible lengths are
dependent on the algorithm";
}
description
"Shared key used for authenticating transactions with
authoritative name servers";
reference
"RFC2845: Secret Key Transaction Authentication for DNS
(TSIG)";
}
grouping acl-net-key {
leaf subnet {
type inet:ip-prefix;
mandatory true;
description
"Contacting IP address must match this subnet.";
}
leaf tsig-key {
type leafref {
path "/tsig-keys/tsig-key/name";
}
description
"When provided all interactions to and from the
contacting remote end must use this tsig-key.";
}
description
"Access control allowing the action from IP addresses from the
given subnet and tsig-key if present. Without tsig-key only
the subnet needs to match. The subnet should be 0.0.0.0/0 or
::/0 to allow access from all IPv4 or all IPv6 addresses";
}
grouping addr-key {
leaf ip {
type inet:ip-address;
mandatory true;
description
"IP address to contact.";
}
leaf port {
type inet:port-number;
default 53;
description
"Port to conact.";
}
leaf tsig-key {
type leafref {
path "/tsig-keys/tsig-key/name";
}
description
"When provided all interactions with to and from the
contacted remote end must use this tsig-key.";
}
description
"IP address of remote party to contact, either to notify about
updates in the zone, or to fetch the zone from. An optional
tsig-key can be given to validate the transfer or to sign the
notify.";
}
container tsig-keys {
list tsig-key {
key "name";
uses tsig-key;
description
"The tsig-key which is referred to from acl-net-key
and/or addr-key.";
}
description
"The list of tsig-keys which are referred from
acl-net-key and addr-key.";
}
container zones {
list zone {
key "name";
leaf name {
type inet:domain-name;
description
"The name of the DNS Zone";
}
list allow-notify {
key "subnet";
uses acl-net-key;
description
"Secondary servers allow notifies for DNS Zone updates
from IP addresses from this subnet. If a tsig-key is
given, the notify must be signed with that key.";
}
list allow-transfer {
key "subnet";
uses acl-net-key;
description
"Primary servers allow transfers to the IP addresses
to the given subnet. If a tsig-key is given, the transfer
request must be signed and the DNS messages used for the
transfer will also be signed with that tsig-key";
}
list notify-to {
key "ip port";
uses "addr-key";
description
"Primary servers send NOTIFY messages when the Zonne
has been updated to this IP. If a tsig-key is given,
it will be signed with that key.";
}
list transfer-from {
key "ip port";
uses "addr-key";
description
"Secondary servers contact the given ip-address to
acquire DNS Zone content. When a tsig-key is given
the request will be signed with it, and the DNS
messages conveying the Zone must be signed with
that tsig-key.";
}
description
"A DNS Zone with properties which describe the provisioning
relationships within for authoritative nameserver.";
}
description
"The list of DNS Zones for which the properties are defined
that describe the primary/secondary relationships.";
}
}