upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-24 00:29:58 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- unbound-anchor handles ADDPEND keystate.

Browse source 
git-svn-id: file:///svn/unbound/trunk@2281 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2010-10-13 12:04:37 +00:00
parent 1b773f682f
commit 5d2ef1f925
2 changed files with 31 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
doc/Changelog
View file

@ -1,5 +1,6 @@
13 October 2010: Wouter 13 October 2010: Wouter
- Fix TCP so it uses a random outgoing-interface. - Fix TCP so it uses a random outgoing-interface.
- unbound-anchor handles ADDPEND keystate.
11 October 2010: Wouter 11 October 2010: Wouter
- Fix bug when DLV below a trust-anchor that uses NSEC3 optout where - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where

30
smallapp/unbound-anchor.c
View file

@ -1878,6 +1878,28 @@ prime_root_key(struct ub_ctx* ctx)
return res; return res;
} }
/** see if ADDPEND keys exist in autotrust file (if possible) */
static int
read_if_pending_keys(char* file)
{
FILE* in = fopen(file, "r");
char line[8192];
if(!in) {
if(verb>=2) printf("%s: %s\n", file, strerror(errno));
return 0;
}
while(fgets(line, (int)sizeof(line), in)) {
if(line[0]==';') continue;
if(strstr(line, "[ ADDPEND ]")) {
fclose(in);
if(verb) printf("RFC5011-state has ADDPEND keys\n");
return 1;
}
}
fclose(in);
return 0;
}
/** read last successful probe time from autotrust file (if possible) */ /** read last successful probe time from autotrust file (if possible) */
static int32_t static int32_t
read_last_success_time(char* file) read_last_success_time(char* file)
@ -1919,6 +1941,7 @@ read_last_success_time(char* file)
static int static int
probe_date_allows_certupdate(char* root_anchor_file) probe_date_allows_certupdate(char* root_anchor_file)
{ {
int has_pending_keys = read_if_pending_keys(root_anchor_file);
int32_t last_success = read_last_success_time(root_anchor_file); int32_t last_success = read_last_success_time(root_anchor_file);
int32_t now = (int32_t)time(NULL); int32_t now = (int32_t)time(NULL);
int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */ int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */
@ -1931,6 +1954,13 @@ probe_date_allows_certupdate(char* root_anchor_file)
} }
if(last_success == 0) if(last_success == 0)
return 1; /* no probe time */ return 1; /* no probe time */
if(has_pending_keys)
return 1; /* key in ADDPEND state, a previous probe has
inserted that, and it was present in all recent probes,
but it has not become active. The 30 day timer may not have
expired, but we know(for sure) there is a rollover going on.
If we only managed to pickup the new key on its last day
of announcement (for example) this can happen. */
if(now - last_success < 0) { if(now - last_success < 0) {
if(verb) printf("the last successful probe is in the future," if(verb) printf("the last successful probe is in the future,"
" clock was modified\n"); " clock was modified\n");