DS query: refactoring, don't need private keyset

2084102c · Libor Peltan · Daniel Salzman · bedaeec8 · 2084102c · 2084102c
Commit 2084102c authored 3 years ago by Libor Peltan Committed by Daniel Salzman 3 years ago
--- a/src/knot/dnssec/ds_query.c
+++ b/src/knot/dnssec/ds_query.c
@@ -25,7 +25,7 @@
 #include "knot/query/query.h"
 #include "knot/query/requestor.h"

-static bool match_key_ds(zone_key_t *key, knot_rdata_t *ds)
+static bool match_key_ds(knot_kasp_key_t *key, knot_rdata_t *ds)
 {
 	assert(key);
 	assert(ds);
@@ -37,15 +37,17 @@ static bool match_key_ds(zone_key_t *key, knot_rdata_t *ds)

 	dnssec_binary_t cds_rdata = { 0 };

-	int ret = zone_key_calculate_ds(key, knot_ds_digest_type(ds), &cds_rdata);
+	int ret = dnssec_key_create_ds(key->key, knot_ds_digest_type(ds), &cds_rdata);
 	if (ret != KNOT_EOK) {
 		return false;
 	}

-	return (dnssec_binary_cmp(&cds_rdata, &ds_rdata) == 0);
+	ret = (dnssec_binary_cmp(&cds_rdata, &ds_rdata) == 0);
+	dnssec_binary_free(&cds_rdata);
+	return ret;
 }

-static bool match_key_ds_rrset(zone_key_t *key, const knot_rrset_t *rr)
+static bool match_key_ds_rrset(knot_kasp_key_t *key, const knot_rrset_t *rr)
 {
 	knot_rdata_t *rd = rr->rrs.rdata;
 	for (int i = 0; i < rr->rrs.count; i++) {
@@ -63,7 +65,7 @@ struct ds_query_data {
 	const knot_dname_t *zone_name;
 	const struct sockaddr *remote;

-	zone_key_t *key;
+	knot_kasp_key_t *key;

 	query_edns_data_t edns;

@@ -158,7 +160,7 @@ static const knot_layer_api_t ds_query_api = {
 };

 static int try_ds(conf_t *conf, const knot_dname_t *zone_name, const conf_remote_t *parent,
-                  zone_key_t *key, size_t timeout, uint32_t *ds_ttl)
+                  knot_kasp_key_t *key, size_t timeout, uint32_t *ds_ttl)
 {
 	// TODO: Abstract interface to issue DNS queries. This is almost copy-pasted.

@@ -215,7 +217,7 @@ static int try_ds(conf_t *conf, const knot_dname_t *zone_name, const conf_remote
 	return ret;
 }

-static bool parents_have_ds(conf_t *conf, kdnssec_ctx_t *kctx, zone_key_t *key,
+static bool parents_have_ds(conf_t *conf, kdnssec_ctx_t *kctx, knot_kasp_key_t *key,
                            size_t timeout, uint32_t *max_ds_ttl)
 {
 	bool success = false;
@@ -242,14 +244,13 @@ static bool parents_have_ds(conf_t *conf, kdnssec_ctx_t *kctx, zone_key_t *key,
 	return success;
 }

-int knot_parent_ds_query(conf_t *conf, kdnssec_ctx_t *kctx, zone_keyset_t *keyset,
-                         size_t timeout)
+int knot_parent_ds_query(conf_t *conf, kdnssec_ctx_t *kctx, size_t timeout)
 {
 	uint32_t max_ds_ttl = 0;

-	for (size_t i = 0; i < keyset->count; i++) {
-		zone_key_t *key = &keyset->keys[i];
-		if (key->is_ready && !key->is_pub_only) {
+	for (size_t i = 0; i < kctx->zone->num_keys; i++) {
+		knot_kasp_key_t *key = &kctx->zone->keys[i];
+		if (!key->is_pub_only && knot_time_cmp(key->timing.ready, kctx->now) <= 0 && knot_time_cmp(key->timing.active, kctx->now) > 0) {
 			assert(key->is_ksk);
 			if (parents_have_ds(conf, kctx, key, timeout, &max_ds_ttl)) {
 				return knot_dnssec_ksk_sbm_confirm(kctx, max_ds_ttl + kctx->policy->ksk_sbm_delay);

--- a/src/knot/dnssec/ds_query.h
+++ b/src/knot/dnssec/ds_query.h
@@ -19,5 +19,4 @@
 #include "knot/dnssec/zone-keys.h"
 #include "knot/dnssec/context.h"

-int knot_parent_ds_query(conf_t *conf, kdnssec_ctx_t *kctx, zone_keyset_t *keyset,
-                         size_t timeout);
+int knot_parent_ds_query(conf_t *conf, kdnssec_ctx_t *kctx, size_t timeout);
--- a/src/knot/events/handlers/ds_check.c
+++ b/src/knot/events/handlers/ds_check.c
@@ -26,14 +26,7 @@ int event_ds_check(conf_t *conf, zone_t *zone)
 		return ret;
 	}

-	zone_keyset_t keyset = { 0 };
-	ret = load_zone_keys(&ctx, &keyset, false);
-	if (ret != KNOT_EOK) {
-		kdnssec_ctx_deinit(&ctx);
-		return ret;
-	}
-
-	ret = knot_parent_ds_query(conf, &ctx, &keyset, conf->cache.srv_tcp_remote_io_timeout);
+	ret = knot_parent_ds_query(conf, &ctx, conf->cache.srv_tcp_remote_io_timeout);

 	zone->timers.next_ds_check = 0;
 	switch (ret) {
@@ -50,7 +43,6 @@ int event_ds_check(conf_t *conf, zone_t *zone)
 		}
 	}

-	free_zone_keys(&keyset);
 	kdnssec_ctx_deinit(&ctx);

 	return KNOT_EOK; // allways ok, if failure it has been rescheduled

--- a/src/knot/modules/onlinesign/onlinesign.c
+++ b/src/knot/modules/onlinesign/onlinesign.c
@@ -488,7 +488,7 @@ static knotd_in_state_t pre_routine(knotd_in_state_t state, knot_pkt_t *pkt,
 	int ret = KNOT_ESEMCHECK;
 	if (knot_time_cmp(ctx->event_parent_ds_q, mod->dnssec->now) <= 0) {
 		pthread_rwlock_rdlock(&ctx->signing_mutex);
-		ret = knot_parent_ds_query(conf(), mod->dnssec, mod->keyset, 1000);
+		ret = knot_parent_ds_query(conf(), mod->dnssec, 1000);
 		pthread_rwlock_unlock(&ctx->signing_mutex);
 		if (ret != KNOT_EOK && ret != KNOT_NO_READY_KEY && mod->dnssec->policy->ksk_sbm_check_interval > 0) {
 			ctx->event_parent_ds_q = mod->dnssec->now + mod->dnssec->policy->ksk_sbm_check_interval;