Commit aa6759b4 authored by Jan Včelák's avatar Jan Včelák 🚀

consider DNSSEC events when scheduling zone resign

parent 0b8ae2f6
......@@ -19,6 +19,7 @@
#include "dnssec/error.h"
#include "dnssec/event.h"
#include "libknot/internal/macros.h"
#include "libknot/internal/mem.h"
#include "knot/conf/conf.h"
#include "knot/dnssec/context.h"
......@@ -74,13 +75,8 @@ static int sign_init(const zone_contents_t *zone, const conf_zone_t *config,
return KNOT_EOK;
}
static int sign_process_events(const knot_dname_t *zone_name, kdnssec_ctx_t *kctx)
static dnssec_event_ctx_t kctx2ctx(const kdnssec_ctx_t *kctx)
{
if (!has_policy(kctx)) {
return KNOT_EOK;
}
dnssec_event_t event = { 0 };
dnssec_event_ctx_t ctx = {
.now = kctx->now,
.kasp = kctx->kasp,
......@@ -89,6 +85,19 @@ static int sign_process_events(const knot_dname_t *zone_name, kdnssec_ctx_t *kct
.keystore = kctx->keystore
};
return ctx;
}
static int sign_process_events(const knot_dname_t *zone_name,
const kdnssec_ctx_t *kctx)
{
if (!has_policy(kctx)) {
return KNOT_EOK;
}
dnssec_event_t event = { 0 };
dnssec_event_ctx_t ctx = kctx2ctx(kctx);
int r = dnssec_event_get_next(&ctx, &event);
if (r != DNSSEC_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to get next event (%s)",
......@@ -122,6 +131,30 @@ static int sign_update_soa(const zone_contents_t *zone, changeset_t *chset,
return knot_zone_sign_update_soa(&soa, &rrsigs, keyset, ctx, chset);
}
static uint32_t schedule_next(kdnssec_ctx_t *kctx, const zone_keyset_t *keyset,
uint32_t zone_expire)
{
// signatures refresh
uint32_t zone_refresh = zone_expire - kctx->policy->rrsig_refresh_before;
assert(zone_refresh > 0);
// DNSKEY modification
uint32_t dnskey_update = knot_get_next_zone_key_event(keyset);
// zone events
dnssec_event_t event = { 0 };
event.time = UINT32_MAX;
if (has_policy(kctx)) {
dnssec_event_ctx_t ctx = kctx2ctx(kctx);
dnssec_event_get_next(&ctx, &event);
}
return MIN(MIN(zone_refresh, dnskey_update), event.time);
}
int knot_dnssec_zone_sign(zone_contents_t *zone, const conf_zone_t *config,
changeset_t *out_ch, zone_sign_flags_t flags,
......@@ -169,7 +202,8 @@ int knot_dnssec_zone_sign(zone_contents_t *zone, const conf_zone_t *config,
goto done;
}
result = knot_zone_sign(zone, &keyset, &ctx, out_ch, refresh_at);
uint32_t zone_expire = 0;
result = knot_zone_sign(zone, &keyset, &ctx, out_ch, &zone_expire);
if (result != KNOT_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to sign zone content (%s)",
knot_strerror(result));
......@@ -191,6 +225,8 @@ int knot_dnssec_zone_sign(zone_contents_t *zone, const conf_zone_t *config,
goto done;
}
*refresh_at = schedule_next(&ctx, &keyset, zone_expire);
log_zone_info(zone_name, "DNSSEC, successfully signed");
done:
......
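Review bot: In schedule_next, `uint32_t zone_refresh = zone_expire - kctx->policy->rrsig_refresh_before;` wraps when zone_expire is smaller than rrsig_refresh_before, and the following `assert(zone_refresh > 0);` cannot catch it (a wrapped unsigned value is nonzero, and the assert compiles out in release builds), so the next resign could be scheduled far in the future instead of now. The previous clamp in knot_zone_sign, `*refresh_at = expiration > refresh ? expiration - refresh : 0;`, is removed by the @@ -1180 hunk of the second file without being re-established here; restore it as `uint32_t refresh_before = kctx->policy->rrsig_refresh_before;` followed by `uint32_t zone_refresh = zone_expire > refresh_before ? zone_expire - refresh_before : 0;`. The return value of `dnssec_event_get_next(&ctx, &event)` is also discarded in schedule_next, unlike in sign_process_events; this is only safe if a failing call leaves event.time at its UINT32_MAX initialiser, which is not visible here, so either check the result and keep UINT32_MAX on failure or state that assumption in a comment. Since kctx2ctx already takes a `const kdnssec_ctx_t *` and schedule_next only reads through kctx, its parameter could be const as well.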
......@@ -1153,9 +1153,9 @@ int knot_zone_sign(const zone_contents_t *zone,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
changeset_t *changeset,
uint32_t *refresh_at)
uint32_t *expire_at)
{
if (!zone || !zone_keys || !dnssec_ctx || !changeset || !refresh_at) {
if (!zone || !zone_keys || !dnssec_ctx || !changeset || !expire_at) {
return KNOT_EINVAL;
}
......@@ -1180,19 +1180,7 @@ int knot_zone_sign(const zone_contents_t *zone,
return result;
}
// renew the signatures a little earlier
uint32_t expiration = MIN(normal_tree_expiration, nsec3_tree_expiration);
// DNSKEY updates
uint32_t dnskey_update = knot_get_next_zone_key_event(zone_keys);
if (expiration < dnskey_update) {
// Signatures expire before keys do
uint32_t refresh = dnssec_ctx->policy->rrsig_refresh_before;
*refresh_at = expiration > refresh ? expiration - refresh : 0;
} else {
// Keys expire before signatures
*refresh_at = dnskey_update;
}
*expire_at = MIN(normal_tree_expiration, nsec3_tree_expiration);
return KNOT_EOK;
}
......
......@@ -43,14 +43,14 @@
* \param zone_keys Zone keys.
* \param dnssec_ctx DNSSEC context.
* \param changeset Changeset to be updated.
* \param refresh_at Pointer to refresh time when the zone should be resigned.
* \param expire_at Time, when the oldest signature in the zone expires.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_sign(const zone_contents_t *zone,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
changeset_t *out_ch, uint32_t *refresh_at);
changeset_t *out_ch, uint32_t *expire_at);
/*!
* \brief Update and sign SOA and store performed changes in changeset.
......