upstream/knot-dns
1
0
Fork 0
mirror of https://gitlab.nic.cz/knot/knot-dns.git synced 2026-05-28 04:02:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

dnssec: correct policy->zone_maxlimal_ttl for use in algorithm rollover

Browse source
This commit is contained in:
Libor Peltan 2018-11-08 13:18:00 +01:00
parent 46665813de
commit d1f6d2a045
9 changed files with 63 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/knot/dnssec/policy.c
View file

@ -42,5 +42,5 @@ void update_policy_from_zone(knot_kasp_policy_t *policy,
}
policy->soa_minimal_ttl = zone_soa_min_ttl(zone);
policy->zone_maximal_ttl = 0; // TODO
policy->zone_maximal_ttl = zone->max_ttl;
}

12
src/knot/dnssec/zone-events.c
View file

@ -28,7 +28,7 @@
#include "knot/dnssec/zone-nsec.h"
#include "knot/dnssec/zone-sign.h"
static int sign_init(const zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_roll_flags_t roll_flags,
static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_roll_flags_t roll_flags,
kdnssec_ctx_t *ctx, zone_sign_reschedule_t *reschedule)
{
assert(zone);
@ -50,16 +50,20 @@ static int sign_init(const zone_contents_t *zone, zone_sign_flags_t flags, zone_
}
}
// perform key rollover if needed
r = knot_dnssec_key_rollover(ctx, roll_flags, reschedule);
r = zone_contents_adjust_full(zone);
if (r != KNOT_EOK) {
return r;
}
// update policy based on the zone content
update_policy_from_zone(ctx->policy, zone);
// perform key rollover if needed
r = knot_dnssec_key_rollover(ctx, roll_flags, reschedule);
if (r != KNOT_EOK) {
return r;
}
// RRSIG handling
ctx->rrsig_drop_existing = flags & ZONE_SIGN_DROP_SIGNATURES;

2
src/knot/modules/onlinesign/onlinesign.c
View file

@ -25,6 +25,7 @@
// Next dependencies force static module!
#include "knot/dnssec/ds_query.h"
#include "knot/dnssec/key-events.h"
#include "knot/dnssec/policy.h"
#include "knot/dnssec/zone-events.h"
#include "knot/nameserver/query_module.h"
#include "knot/nameserver/process_query.h"
@ -536,6 +537,7 @@ static knotd_in_state_t pre_routine(knotd_in_state_t state, knot_pkt_t *pkt,
}
}
if (ret == KNOT_EOK || knot_time_cmp(ctx->event_rollover, mod->dnssec->now) <= 0) {
update_policy_from_zone(mod->dnssec->policy, qdata->extra->zone->contents);
ret = knot_dnssec_key_rollover(mod->dnssec, KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL, &resch);
}
if (ret == KNOT_EOK) {

22
src/knot/zone/contents.c
View file

@ -280,6 +280,16 @@ static int measure_size(zone_node_t *node, void *data){
return KNOT_EOK;
}
static int measure_max_ttl(zone_node_t *node, void *data){
uint32_t *max = data;
int rrset_count = node->rrset_count;
for (int i = 0; i < rrset_count; i++) {
*max = MAX(*max, node->rrs[i].ttl);
}
return KNOT_EOK;
}
static bool nsec3_params_match(const knot_rdataset_t *rrs,
const dnssec_nsec3_params_t *params,
size_t rdata_pos)
@ -319,7 +329,9 @@ static int adjust_normal_node(zone_node_t **tnode, void *data)
return ret;
}
measure_size(*tnode, &((zone_adjust_arg_t *)data)->zone->size);
zone_adjust_arg_t *arg = data;
measure_size(*tnode, &arg->zone->size);
measure_max_ttl(*tnode, &arg->zone->max_ttl);
// Connect nodes to their NSEC3 nodes
return adjust_nsec3_pointers(tnode, data);
@ -353,6 +365,7 @@ static int adjust_nsec3_node(zone_node_t **tnode, void *data)
args->previous_node = node;
measure_size(*tnode, &args->zone->size);
measure_max_ttl(*tnode, &args->zone->max_ttl);
// check if this node belongs to correct chain
const knot_rdataset_t *nsec3_rrs = node_rdataset(node, KNOT_RRTYPE_NSEC3);
@ -1178,3 +1191,10 @@ size_t zone_contents_measure_size(zone_contents_t *zone)
zone_contents_apply(zone, measure_size, &zone->size);
return zone->size;
}
uint32_t zone_contents_max_ttl(zone_contents_t *zone)
{
zone->max_ttl = 0;
zone_contents_apply(zone, measure_max_ttl, &zone->size);
return zone->max_ttl;
}

11
src/knot/zone/contents.h
View file

@ -42,6 +42,7 @@ typedef struct zone_contents {
dnssec_nsec3_params_t nsec3_params;
size_t size;
uint32_t max_ttl;
bool dnssec;
} zone_contents_t;
@ -274,4 +275,14 @@ bool zone_contents_is_empty(const zone_contents_t *zone);
*/
size_t zone_contents_measure_size(zone_contents_t *zone);
/*!
* \brief Obtain maximal TTL above all the records in zone.
*
* The value is also stored in zone_contents structure.
*
* \param zone Zone in question.
* \return Maximal TTL.
*/
uint32_t zone_contents_max_ttl(zone_contents_t *zone);
/*! @} */

9
tests-extra/tests/dnssec/key_rollovers/data/example.com.zone Normal file
View file

@ -0,0 +1,9 @@
example.com. 3 SOA dns1.example.com. hostmaster.example.com. 2010111227 21600 3600 604800 3
example.com. 0 NS dns1.example.com.
example.com. 2 MX 10 mail.example.com.
dns1.example.com. 4 A 192.0.2.1
dns1.example.com. 3 AAAA 2001:db8::1
foo.example.com. 5 A 192.0.2.4
mail.example.com. 3 A 192.0.2.3
mail.example.com. 1 AAAA 2001:db8::3

2
tests-extra/tests/dnssec/key_rollovers/test.py
View file

@ -166,7 +166,7 @@ t.link(parent_zone, parent)
parent.dnssec(parent_zone).enable = True
child = t.server("knot")
child_zone = t.zone("example.com.")
child_zone = t.zone("example.com.", storage=".")
t.link(child_zone, child)
def cds_submission():

9
tests-extra/tests/modules/onlinesign_rollovers/data/example.com.zone Normal file
View file

@ -0,0 +1,9 @@
example.com. 3 SOA dns1.example.com. hostmaster.example.com. 2010111227 21600 3600 604800 3
example.com. 0 NS dns1.example.com.
example.com. 2 MX 10 mail.example.com.
dns1.example.com. 4 A 192.0.2.1
dns1.example.com. 3 AAAA 2001:db8::1
foo.example.com. 5 A 192.0.2.4
mail.example.com. 3 A 192.0.2.3
mail.example.com. 1 AAAA 2001:db8::3

2
tests-extra/tests/modules/onlinesign_rollovers/test.py
View file

@ -164,7 +164,7 @@ t.link(parent_zone, parent)
parent.dnssec(parent_zone).enable = True
child = t.server("knot")
child_zone = t.zone("example.com.")
child_zone = t.zone("example.com.", storage=".")
t.link(child_zone, child)
def cds_submission():