Fixed SOA change check.

refs #103, #4

Fixed SOA change check.
e663ed5b · Lubos Slovak · 9ca043f8 · e663ed5b · e663ed5b · e663ed5b
Commit e663ed5b authored 11 years ago by Lubos Slovak
--- a/src/libknot/dnssec/zone-events.c
+++ b/src/libknot/dnssec/zone-events.c
@@ -96,8 +96,8 @@ int knot_dnssec_zone_load(knot_zone_t *zone)

 //	log_server_info("changeset add %zu remove %zu\n", changeset->add_count, changeset->remove_count);

-	if (!knot_zone_sign_soa_changed(zone->contents, &zone_keys, &policy)
-	    && knot_changeset_is_empty(changeset)) {
+	if (knot_changeset_is_empty(changeset) &&
+	    !knot_zone_sign_soa_expired(zone->contents, &zone_keys, &policy)) {
 //		log_server_info("No changes performed.\n");
 		knot_changesets_free(&changesets);
 		free_sign_contexts(&zone_keys);

--- a/src/libknot/dnssec/zone-events.h
+++ b/src/libknot/dnssec/zone-events.h
@@ -17,6 +17,8 @@
 * \file zone-events.h
 *
 * \author Jan Vcelak <jan.vcelak@nic.cz>
+ * \author Lubos Slovak <lubos.slovak@nic.cz>
+ * \author Jan Kadlec <jan.kadlec@nic.cz>
 *
 * \brief DNSSEC operations triggered on zone events.
 *

--- a/src/libknot/dnssec/zone-keys.h
+++ b/src/libknot/dnssec/zone-keys.h
@@ -17,6 +17,8 @@
 * \file zone-keys.h
 *
 * \author Jan Vcelak <jan.vcelak@nic.cz>
+ * \author Lubos Slovak <lubos.slovak@nic.cz>
+ * \author Jan Kadlec <jan.kadlec@nic.cz>
 *
 * \brief Loading of zone keys.
 *

--- a/src/libknot/dnssec/zone-nsec.h
+++ b/src/libknot/dnssec/zone-nsec.h
@@ -17,6 +17,8 @@
 * \file zone-sign.h
 *
 * \author Jan Vcelak <jan.vcelak@nic.cz>
+ * \author Lubos Slovak <lubos.slovak@nic.cz>
+ * \author Jan Kadlec <jan.kadlec@nic.cz>
 *
 * \brief Interface for generating of NSEC/NSEC3 records in zone.
 *

--- a/src/libknot/dnssec/zone-sign.c
+++ b/src/libknot/dnssec/zone-sign.c
@@ -209,25 +209,24 @@ static bool valid_signature_exists(const knot_rrset_t *rrsigs,
 	return false;
 }

-static bool valid_signature_exists_for_keys(const knot_rrset_t *covered,
-                                            const knot_rrset_t *rrsigs,
-                                            const knot_zone_keys_t *zone_keys,
-                                            const knot_dnssec_policy_t *policy)
+static bool all_signatures_valid(const knot_rrset_t *covered,
+                                 const knot_rrset_t *rrsigs,
+                                 const knot_zone_keys_t *zone_keys,
+                                 const knot_dnssec_policy_t *policy)
 {
 	bool use_ksk = covered->type == KNOT_RRTYPE_DNSKEY;
 	for (int i = 0; i < zone_keys->count; i++) {
-		if (use_ksk != zone_keys->is_ksk[i])
+		if (zone_keys->is_ksk[i] && !use_ksk)
 			continue;

 		const knot_dnssec_key_t *key = &zone_keys->keys[i];
-		knot_dnssec_sign_context_t *ctx = zone_keys->contexts[i];

-		if (valid_signature_exists(rrsigs, key, policy)) {
-			return true;
+		if (!valid_signature_exists(rrsigs, key, policy)) {
+			return false;
 		}
 	}

-	return false;
+	return true;
 }

 static int remove_expired_rrsigs(const knot_rrset_t *rrsigs,
@@ -509,7 +508,7 @@ int knot_zone_sign(const knot_zone_contents_t *zone,
 	return result;
 }

-bool knot_zone_sign_soa_changed(const knot_zone_contents_t *zone,
+bool knot_zone_sign_soa_expired(const knot_zone_contents_t *zone,
                                const knot_zone_keys_t *zone_keys,
                                const knot_dnssec_policy_t *policy)
 {
@@ -519,8 +518,7 @@ bool knot_zone_sign_soa_changed(const knot_zone_contents_t *zone,
 		knot_node_rrset(zone->apex, KNOT_RRTYPE_SOA);
 	assert(soa_rr);

-	return !valid_signature_exists_for_keys(soa_rr, soa_rr->rrsigs, zone_keys,
-	                                        policy);
+	return !all_signatures_valid(soa_rr, soa_rr->rrsigs, zone_keys, policy);
 }

 int knot_zone_sign_update_soa(const knot_zone_contents_t *zone,

--- a/src/libknot/dnssec/zone-sign.h
+++ b/src/libknot/dnssec/zone-sign.h
@@ -17,6 +17,8 @@
 * \file zone-sign.h
 *
 * \author Jan Vcelak <jan.vcelak@nic.cz>
+ * \author Lubos Slovak <lubos.slovak@nic.cz>
+ * \author Jan Kadlec <jan.kadlec@nic.cz>
 *
 * \brief Interface for DNSSEC signing of zones.
 *
@@ -40,9 +42,9 @@ int knot_zone_sign(const knot_zone_contents_t *zone,
 int knot_zone_sign_update_soa(const knot_zone_contents_t *zone,
                              const knot_zone_keys_t *zone_keys,
                              const knot_dnssec_policy_t *policy,
-			      knot_changeset_t *changeset);
+                              knot_changeset_t *changeset);

-bool knot_zone_sign_soa_changed(const knot_zone_contents_t *zone,
+bool knot_zone_sign_soa_expired(const knot_zone_contents_t *zone,
                                const knot_zone_keys_t *zone_keys,
                                const knot_dnssec_policy_t *policy);