dnssec/rollovers: refactoring: better detect keys to be rolled out

663782d3 · Libor Peltan · Daniel Salzman · 2084102c · 663782d3 · 663782d3
Commit 663782d3 authored 3 years ago by Libor Peltan Committed by Daniel Salzman 3 years ago
--- a/src/knot/dnssec/ds_query.c
+++ b/src/knot/dnssec/ds_query.c
@@ -250,7 +250,9 @@ int knot_parent_ds_query(conf_t *conf, kdnssec_ctx_t *kctx, size_t timeout)

 	for (size_t i = 0; i < kctx->zone->num_keys; i++) {
 		knot_kasp_key_t *key = &kctx->zone->keys[i];
-		if (!key->is_pub_only && knot_time_cmp(key->timing.ready, kctx->now) <= 0 && knot_time_cmp(key->timing.active, kctx->now) > 0) {
+		if (!key->is_pub_only &&
+		    knot_time_cmp(key->timing.ready, kctx->now) <= 0 &&
+		    knot_time_cmp(key->timing.active, kctx->now) > 0) {
 			assert(key->is_ksk);
 			if (parents_have_ds(conf, kctx, key, timeout, &max_ds_ttl)) {
 				return knot_dnssec_ksk_sbm_confirm(kctx, max_ds_ttl + kctx->policy->ksk_sbm_delay);

--- a/src/knot/dnssec/key-events.c
+++ b/src/knot/dnssec/key-events.c
@@ -517,34 +517,69 @@ static int submit_key(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey)
 	return KNOT_EOK;
 }

-static int exec_new_signatures(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey, uint32_t active_retire_delay)
+knot_kasp_key_t *knot_dnssec_key2retire(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey)
 {
-	if (newkey->is_ksk) {
-		log_zone_notice(ctx->zone->dname, "DNSSEC, KSK submission, confirmed");
+	for (size_t i = 0; i < ctx->zone->num_keys; i++) {
+		knot_kasp_key_t *key = &ctx->zone->keys[i];
+		key_state_t keystate = get_key_state(key, ctx->now);
+		if (((newkey->is_ksk && key->is_ksk) || (!newkey->is_ksk && !key->is_ksk))
+		    && (keystate == DNSSEC_KEY_STATE_ACTIVE)) {
+			return key;
+		}
 	}
+	return NULL;
+}

+static knot_kasp_key_t *zsk2retire(kdnssec_ctx_t *ctx, knot_kasp_key_t *newksk)
+{
 	for (size_t i = 0; i < ctx->zone->num_keys; i++) {
 		knot_kasp_key_t *key = &ctx->zone->keys[i];
 		key_state_t keystate = get_key_state(key, ctx->now);
 		uint8_t keyalg = dnssec_key_get_algorithm(key->key);
-		if (((newkey->is_ksk && key->is_ksk) || (newkey->is_zsk && key->is_zsk && !key->is_ksk))
-		    && keystate == DNSSEC_KEY_STATE_ACTIVE) {
-			if (key->is_ksk || keyalg != dnssec_key_get_algorithm(newkey->key)) {
-				key->timing.retire_active = ctx->now;
+		bool algdiff = (keyalg != dnssec_key_get_algorithm(newksk->key));
+
+		if (key->is_zsk && !key->is_ksk &&
+		    (algdiff || newksk->is_zsk) &&
+		    (keystate == DNSSEC_KEY_STATE_ACTIVE ||
+		     keystate == DNSSEC_KEY_STATE_RETIRE_ACTIVE)) {
+			return key;
+		}
+	}
+	return NULL;
+}
+
+static int exec_new_signatures(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey, uint32_t active_retire_delay)
+{
+	if (newkey->is_ksk) {
+		log_zone_notice(ctx->zone->dname, "DNSSEC, KSK submission, confirmed");
+	}
+
+	knot_kasp_key_t *oldkey = knot_dnssec_key2retire(ctx, newkey), *oldzsk = NULL;
+	if (oldkey != NULL) {
+		uint8_t keyalg = dnssec_key_get_algorithm(oldkey->key);
+		bool algdiff = (keyalg != dnssec_key_get_algorithm(newkey->key));
+
+		if (algdiff) {
+			oldkey->timing.retire_active = ctx->now;
+			if (oldkey->is_ksk) {
+				oldkey->timing.post_active = ctx->now + active_retire_delay;
+			}
+		} else if (oldkey->is_ksk) {
+			oldkey->timing.retire_active = ctx->now;
+			if (oldkey->is_zsk) { // CSK
+				oldkey->timing.retire = ctx->now + active_retire_delay;
 			} else {
-				key->timing.retire = ctx->now;
+				oldkey->timing.remove = ctx->now + active_retire_delay;
 			}
+		} else {
+			oldkey->timing.retire = ctx->now;
 		}
-		if (newkey->is_ksk && (keystate == DNSSEC_KEY_STATE_ACTIVE ||
-		                       keystate == DNSSEC_KEY_STATE_RETIRE_ACTIVE)) {
-			if (keyalg != dnssec_key_get_algorithm(newkey->key)) {
-				key->timing.post_active = ctx->now + active_retire_delay;
-			} else if (key->is_ksk) {
-				if (key->is_zsk) { // CSK
-					key->timing.retire = ctx->now + active_retire_delay;
-				} else {
-					key->timing.remove = ctx->now + active_retire_delay;
-				}
+
+		if (newkey->is_ksk && (oldzsk = zsk2retire(ctx, newkey)) != NULL) {
+			if (algdiff) {
+				oldzsk->timing.post_active = ctx->now + active_retire_delay;
+			} else {
+				oldzsk->timing.retire = ctx->now;
 			}
 		}
 	}

--- a/src/knot/dnssec/key-events.h
+++ b/src/knot/dnssec/key-events.h
-/*  Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -39,6 +39,16 @@
 int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
                             zone_sign_reschedule_t *reschedule);

+/*!
+ * \brief Get the key that ought to be retired by activating given new key.
+ *
+ * \param ctx       DNSSEC context.
+ * \param newkey    New key being rolled in.
+ *
+ * \return Old key being rolled out.
+ */
+knot_kasp_key_t *knot_dnssec_key2retire(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey);
+
 /*!
 * \brief Set the submitted KSK to active state and the active one to retired
 *