zone-sign: use unified functions to sign the DNSKEY RRset

de13d788 · Jan Včelák · 812f2a2b · de13d788
Commit de13d788 authored 9 years ago by Jan Včelák
--- a/src/knot/dnssec/zone-sign.c
+++ b/src/knot/dnssec/zone-sign.c
@@ -814,20 +814,22 @@ static int add_missing_dnskeys(const knot_rrset_t *soa,
 /*!
 * \brief Refresh DNSKEY RRSIGs in the zone by updating the changeset.
 *
- * \param dnskeys    RR set with DNSKEYs.
- * \param soa        RR set with SOA.
- * \param zone_keys  Zone keys.
- * \param policy     DNSSEC policy.
- * \param changeset  Changeset to be updated.
+ * \param dnskeys     RR set with DNSKEYs.
+ * \param soa         RR set with SOA.
+ * \param zone_keys   Zone keys.
+ * \param policy      DNSSEC policy.
+ * \param changeset   Changeset to be updated.
+ * \param expires_at  Earliest RRSIG expiration.
 *
 * \return Error code, KNOT_EOK if successful.
 */
-static int update_dnskeys_rrsigs(const knot_rrset_t *dnskeys,
-                                 const knot_rrset_t *rrsigs,
-                                 const knot_rrset_t *soa,
-                                 const zone_keyset_t *zone_keys,
-                                 const kdnssec_ctx_t *dnssec_ctx,
-                                 changeset_t *changeset)
+static int update_dnskey_rrsigs(const knot_rrset_t *dnskeys,
+                                const knot_rrset_t *rrsigs,
+                                const knot_rrset_t *soa,
+                                const zone_keyset_t *zone_keys,
+                                const kdnssec_ctx_t *dnssec_ctx,
+                                changeset_t *changeset,
+                                uint32_t *expires_at)
 {
 	assert(zone_keys);
 	assert(changeset);
@@ -852,19 +854,13 @@ static int update_dnskeys_rrsigs(const knot_rrset_t *dnskeys,
 		}
 	}

-	result = add_missing_rrsigs(&new_dnskeys, NULL, zone_keys, dnssec_ctx,
-	                            changeset);
-	if (result != KNOT_EOK) {
-		goto fail;
-	}
-
-	if (!knot_rrset_empty(dnskeys)) {
-		result = remove_rrset_rrsigs(dnskeys->owner, dnskeys->type,
-		                             rrsigs, changeset);
+	if (dnssec_ctx->rrsig_drop_existing) {
+		result = force_resign_rrset(&new_dnskeys, rrsigs, zone_keys, dnssec_ctx, changeset);
+	} else {
+		result = resign_rrset(&new_dnskeys, rrsigs, zone_keys, dnssec_ctx, changeset, expires_at);
 	}

 fail:
-
 	knot_rdataset_clear(&new_dnskeys.rrs, NULL);
 	return result;
 }
@@ -872,17 +868,19 @@ fail:
 /*!
 * \brief Update DNSKEY records in the zone by updating the changeset.
 *
- * \param zone       Zone to be updated.
- * \param zone_keys  Zone keys.
- * \param policy     DNSSEC policy.
- * \param changeset  Changeset to be updated.
+ * \param zone        Zone to be updated.
+ * \param zone_keys   Zone keys.
+ * \param policy      DNSSEC policy.
+ * \param changeset   Changeset to be updated.
+ * \param expires_at  Earliest RRSIG expiration.
 *
 * \return Error code, KNOT_EOK if successful.
 */
 static int update_dnskeys(const zone_contents_t *zone,
                          const zone_keyset_t *zone_keys,
                          const kdnssec_ctx_t *dnssec_ctx,
-                          changeset_t *changeset)
+                          changeset_t *changeset,
+                          uint32_t *expires_at)
 {
 	assert(zone);
 	assert(zone->apex);
@@ -897,7 +895,6 @@ static int update_dnskeys(const zone_contents_t *zone,
 	}

 	int result;
-	size_t changes_before = changeset_size(changeset);

 	result = remove_invalid_dnskeys(&soa, &dnskeys, zone_keys, changeset);
 	if (result != KNOT_EOK) {
@@ -908,26 +905,9 @@ static int update_dnskeys(const zone_contents_t *zone,
 	if (result != KNOT_EOK) {
 		return result;
 	}
-	knot_rrset_t dnskey_rrsig = rrset_init_from(&soa, KNOT_RRTYPE_RRSIG);
-	result = knot_synth_rrsig(KNOT_RRTYPE_DNSKEY, &rrsigs.rrs,
-	                          &dnskey_rrsig.rrs, NULL);
-	if (result != KNOT_EOK) {
-		if (result != KNOT_ENOENT) {
-			return result;
-		}
-	}
-
-	bool modified = (changeset_size(changeset) != changes_before);
-	bool signatures_exist = (!knot_rrset_empty(&dnskeys) &&
-	                        all_signatures_exist(&dnskeys, &dnskey_rrsig,
-	                                             zone_keys, dnssec_ctx));
-	knot_rdataset_clear(&dnskey_rrsig.rrs, NULL);
-	if (!modified && signatures_exist) {
-		return KNOT_EOK;
-	}

-	return update_dnskeys_rrsigs(&dnskeys, &rrsigs, &soa, zone_keys,
-	                             dnssec_ctx, changeset);
+	return update_dnskey_rrsigs(&dnskeys, &rrsigs, &soa, zone_keys,
+	                            dnssec_ctx, changeset, expires_at);
 }

 /*!
@@ -1156,7 +1136,9 @@ int knot_zone_sign(const zone_contents_t *zone,

 	int result;

-	result = update_dnskeys(zone, zone_keys, dnssec_ctx, changeset);
+	uint32_t dnskey_expire = UINT32_MAX;
+	result = update_dnskeys(zone, zone_keys, dnssec_ctx, changeset,
+	                        &dnskey_expire);
 	if (result != KNOT_EOK) {
 		return result;
 	}