Commit de13d788 authored by Jan Včelák's avatar Jan Včelák 🚀
Browse files

zone-sign: use unified functions to sign the DNSKEY RRset

parent 812f2a2b
......@@ -814,20 +814,22 @@ static int add_missing_dnskeys(const knot_rrset_t *soa,
/*!
* \brief Refresh DNSKEY RRSIGs in the zone by updating the changeset.
*
* \param dnskeys RR set with DNSKEYs.
* \param soa RR set with SOA.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param changeset Changeset to be updated.
* \param dnskeys RR set with DNSKEYs.
* \param soa RR set with SOA.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param changeset Changeset to be updated.
* \param expires_at Earliest RRSIG expiration.
*
* \return Error code, KNOT_EOK if successful.
*/
static int update_dnskeys_rrsigs(const knot_rrset_t *dnskeys,
const knot_rrset_t *rrsigs,
const knot_rrset_t *soa,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
changeset_t *changeset)
static int update_dnskey_rrsigs(const knot_rrset_t *dnskeys,
const knot_rrset_t *rrsigs,
const knot_rrset_t *soa,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
changeset_t *changeset,
uint32_t *expires_at)
{
assert(zone_keys);
assert(changeset);
......@@ -852,19 +854,13 @@ static int update_dnskeys_rrsigs(const knot_rrset_t *dnskeys,
}
}
result = add_missing_rrsigs(&new_dnskeys, NULL, zone_keys, dnssec_ctx,
changeset);
if (result != KNOT_EOK) {
goto fail;
}
if (!knot_rrset_empty(dnskeys)) {
result = remove_rrset_rrsigs(dnskeys->owner, dnskeys->type,
rrsigs, changeset);
if (dnssec_ctx->rrsig_drop_existing) {
result = force_resign_rrset(&new_dnskeys, rrsigs, zone_keys, dnssec_ctx, changeset);
} else {
result = resign_rrset(&new_dnskeys, rrsigs, zone_keys, dnssec_ctx, changeset, expires_at);
}
fail:
knot_rdataset_clear(&new_dnskeys.rrs, NULL);
return result;
}
......@@ -872,17 +868,19 @@ fail:
/*!
* \brief Update DNSKEY records in the zone by updating the changeset.
*
* \param zone Zone to be updated.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param changeset Changeset to be updated.
* \param zone Zone to be updated.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param changeset Changeset to be updated.
* \param expires_at Earliest RRSIG expiration.
*
* \return Error code, KNOT_EOK if successful.
*/
static int update_dnskeys(const zone_contents_t *zone,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
changeset_t *changeset)
changeset_t *changeset,
uint32_t *expires_at)
{
assert(zone);
assert(zone->apex);
......@@ -897,7 +895,6 @@ static int update_dnskeys(const zone_contents_t *zone,
}
int result;
size_t changes_before = changeset_size(changeset);
result = remove_invalid_dnskeys(&soa, &dnskeys, zone_keys, changeset);
if (result != KNOT_EOK) {
......@@ -908,26 +905,9 @@ static int update_dnskeys(const zone_contents_t *zone,
if (result != KNOT_EOK) {
return result;
}
knot_rrset_t dnskey_rrsig = rrset_init_from(&soa, KNOT_RRTYPE_RRSIG);
result = knot_synth_rrsig(KNOT_RRTYPE_DNSKEY, &rrsigs.rrs,
&dnskey_rrsig.rrs, NULL);
if (result != KNOT_EOK) {
if (result != KNOT_ENOENT) {
return result;
}
}
bool modified = (changeset_size(changeset) != changes_before);
bool signatures_exist = (!knot_rrset_empty(&dnskeys) &&
all_signatures_exist(&dnskeys, &dnskey_rrsig,
zone_keys, dnssec_ctx));
knot_rdataset_clear(&dnskey_rrsig.rrs, NULL);
if (!modified && signatures_exist) {
return KNOT_EOK;
}
return update_dnskeys_rrsigs(&dnskeys, &rrsigs, &soa, zone_keys,
dnssec_ctx, changeset);
return update_dnskey_rrsigs(&dnskeys, &rrsigs, &soa, zone_keys,
dnssec_ctx, changeset, expires_at);
}
/*!
......@@ -1156,7 +1136,9 @@ int knot_zone_sign(const zone_contents_t *zone,
int result;
result = update_dnskeys(zone, zone_keys, dnssec_ctx, changeset);
uint32_t dnskey_expire = UINT32_MAX;
result = update_dnskeys(zone, zone_keys, dnssec_ctx, changeset,
&dnskey_expire);
if (result != KNOT_EOK) {
return result;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment