Merge remote-tracking branch 'origin/ddns-sign-plan'

Conflicts:
	src/libknot/dnssec/zone-events.c

src/knot/server/zones.c

@@ -1862,6 +1862,24 @@ static int zones_update_forward(int fd, knot_ns_transport_t ttype,
 
 /*----------------------------------------------------------------------------*/
 
+static int replan_zone_sign_after_ddns(knot_zone_t *zone, zonedata_t *zd,
+                                       uint32_t used_lifetime,
+                                       uint32_t used_refresh)
+{
+	int ret = KNOT_EOK;
+	uint32_t new_expire = time(NULL) + (used_lifetime - used_refresh);
+	if (new_expire < zd->dnssec_timer->tv.tv_sec) {
+		// Drop old event, earlier signing needed
+		evsched_cancel(zd->dnssec_timer->parent, zd->dnssec_timer);
+		evsched_event_free(zd->dnssec_timer->parent, zd->dnssec_timer);
+		zd->dnssec_timer = NULL;
+		ret = zones_schedule_dnssec(zone,
+		                            expiration_to_relative(new_expire),
+		                            false);
+	}
+	return ret;
+}
+
 /*! \brief Process UPDATE query.
  *
  * Functions expects that the query is already authenticated
@@ -1963,10 +1981,13 @@ static int zones_process_update_auth(knot_zone_t *zone,
 
 	dbg_zones_verb("%s: Signing the UPDATE\n", msg);
 	// Sign the created changeset
+	uint32_t used_lifetime = 0;
+	uint32_t used_refresh = 0;
 	if (zone_config->dnssec_enable) {
 		ret = knot_dnssec_sign_changeset(new_contents,
 		                                 knot_changesets_get_last(chgsets),
-		                                 sec_ch, KNOT_SOA_SERIAL_KEEP);
+		                                 sec_ch, KNOT_SOA_SERIAL_KEEP,
+		                                 &used_lifetime, &used_refresh);
 		if (ret != KNOT_EOK) {
 			log_zone_error("%s: Failed to sign incoming update (%s)\n",
 			               msg, knot_strerror(ret));
@@ -2024,6 +2045,19 @@ static int zones_process_update_auth(knot_zone_t *zone,
 			return ret;
 		}
 		assert(dnssec_contents);
+		
+		// Plan zone resign if needed
+		zonedata_t *zd = (zonedata_t *)zone->data;
+		assert(zd && zd->dnssec_timer);
+		ret = replan_zone_sign_after_ddns(zone, zd, used_lifetime,
+		                                  used_refresh);
+		if (ret != KNOT_EOK) {
+			log_zone_error("%s: Failed to replan zone sign %s\n",
+			               msg, knot_strerror(ret));
+			zones_store_changesets_rollback(transaction);
+			zones_free_merged_changesets(chgsets, sec_chs);
+			return ret;
+		}
 	}
 
 	dbg_zones_verb("%s: DNSSEC changes applied\n", msg);

src/libknot/dnssec/policy.h

@@ -41,14 +41,17 @@ typedef struct {
 } knot_dnssec_policy_t;
 
 #define KNOT_DNSSEC_DEFAULT_LIFETIME 2592000
+#define KNOT_DNSSEC_DEFAULT_REFRESH 7200
 
 #define DEFAULT_DNSSEC_POLICY { .now = time_now(), \
 				.sign_lifetime = KNOT_DNSSEC_DEFAULT_LIFETIME, \
-				.sign_refresh = 7200, .forced_sign = false, \
+				.sign_refresh = KNOT_DNSSEC_DEFAULT_REFRESH, \
+				.forced_sign = false, \
 				.soa_up = KNOT_SOA_SERIAL_INC }
 #define FORCED_DNSSEC_POLICY {  .now = time_now(), \
 				.sign_lifetime = KNOT_DNSSEC_DEFAULT_LIFETIME, \
-				.sign_refresh = 7200, .forced_sign = true, \
+				.sign_refresh = KNOT_DNSSEC_DEFAULT_REFRESH, \
+				.forced_sign = true, \
 				.soa_up = KNOT_SOA_SERIAL_INC }
 
 #endif // _KNOT_DNSSEC_POLICY_H_

src/libknot/dnssec/zone-events.c

@@ -203,8 +203,17 @@ int knot_dnssec_zone_sign_force(knot_zone_t *zone,
 int knot_dnssec_sign_changeset(const knot_zone_contents_t *zone,
                                const knot_changeset_t *in_ch,
                                knot_changeset_t *out_ch,
-                               knot_update_serial_t soa_up)
+                               knot_update_serial_t soa_up,
+                               uint32_t *used_lifetime,
+                               uint32_t *used_refresh)
 {
+	if (!used_lifetime || !used_refresh) {
+		return KNOT_EINVAL;
+	}
+
+	*used_lifetime = 0;
+	*used_refresh = 0;
+
 	if (!conf()->dnssec_enable) {
 		return KNOT_EOK;
 	}
@@ -253,9 +262,13 @@ int knot_dnssec_sign_changeset(const knot_zone_contents_t *zone,
 	if (ret != KNOT_EOK) {
 		log_zone_error("DNSSEC: Zone %s - Failed to sign SOA RR (%s)\n",
 		               zname, knot_strerror(ret));
+		free_zone_keys(&zone_keys);
+		free(zname);
+		return ret;
 	}
-	free_zone_keys(&zone_keys);
-	free(zname);
 
-	return ret;
+	*used_lifetime = policy.sign_lifetime;
+	*used_refresh = policy.sign_refresh;
+
+	return KNOT_EOK;
 }

src/libknot/dnssec/zone-events.h

@@ -61,17 +61,21 @@ int knot_dnssec_zone_sign_force(knot_zone_t *zone, knot_changeset_t *out_ch,
 /*!
  * \brief Sign changeset created by DDNS or zone-diff.
  *
- * \param zone    Contents of the updated zone (AFTER zone is switched).
- * \param in_ch   Changeset created bvy DDNS or zone-diff
- * \param out_ch  New records will be added to this changeset.
- * \param soa_up  SOA serial update policy.
+ * \param zone           Contents of the updated zone (AFTER zone is switched).
+ * \param in_ch          Changeset created bvy DDNS or zone-diff
+ * \param out_ch         New records will be added to this changeset.
+ * \param soa_up         SOA serial update policy.
+ * \param used_lifetime  Pointer to sig lifetime used to sign the changeset.
+ * \param used_refresh   Pointer to refresh period used to sign the changeset.
  *
  * \return Error code, KNOT_EOK if successful.
  */
 int knot_dnssec_sign_changeset(const knot_zone_contents_t *zone,
                                const knot_changeset_t *in_ch,
                                knot_changeset_t *out_ch,
-                               knot_update_serial_t soa_up);
+                               knot_update_serial_t soa_up,
+                               uint32_t *used_lifetime,
+                               uint32_t *used_refresh);
 
 #endif // _KNOT_DNSSEC_ZONE_EVENTS_H_
 /*! @} */