Commit 5e7591f0 authored by Marek Vavrusa's avatar Marek Vavrusa

trust_anchors: added custom timers, limit history

new trust anchors variables:
* trust_anchors.hold_down_time = 30 * day
* trust_anchors.refresh_time = nil
* trust_anchors.keep_removed = 0

These can be used to control how often the root trust anchors are
re-checked and how many removed keys are kept in the history/key file
(0 by default).
parent 79a84400
......@@ -506,6 +506,27 @@ For when listening on ``localhost`` just doesn't cut it.
Trust anchors and DNSSEC
^^^^^^^^^^^^^^^^^^^^^^^^
.. envvar:: trust_anchors.hold_down_time = 30 * day
:return: int (default: 30 * day)
Modify RFC5011 hold-down timer to given value. Example: ``30 * second``
.. envvar:: trust_anchors.refresh_time = nil
:return: int (default: nil)
Modify RFC5011 refresh timer to given value (not set by default), this will force trust anchors
to be updated every N seconds periodically instead of relying on RFC5011 logic and TTLs.
Example: ``10 * second``
.. envvar:: trust_anchors.keep_removed = 0
:return: int (default: 1)
How many ``Removed`` keys should be held in history (and key file) before being purged.
Note: all ``Removed`` keys will be purged from key file after restarting the process.
.. function:: trust_anchors.config(keyfile)
:param string keyfile: File containing DNSKEY records, should be writeable.
......
......@@ -185,7 +185,7 @@ local function refresh_plan(trust_anchors, timeout, refresh_cb, priming, bootstr
-- Schedule itself with updated timeout
local next_time = refresh_cb(trust_anchors, kres.pkt_t(pkt), bootstrap)
if trust_anchors.refresh_time ~= nil then
next_time = math.min(next_time, trust_anchors.refresh_time)
next_time = trust_anchors.refresh_time
end
print('[ ta ] next refresh: '..next_time)
refresh_plan(trust_anchors, next_time, refresh_cb)
......@@ -239,17 +239,27 @@ local trust_anchors = {
keyset = {},
insecure = {},
hold_down_time = 30 * day,
keep_removed = 0,
-- Update existing keyset
update = function (new_keys, initial)
if not new_keys then return false end
-- Filter TAs to be purged from the keyset (KeyRem)
local hold_down = trust_anchors.hold_down_time / 1000
local keyset = {}
local keep_removed = trust_anchors.keep_removed
for i, ta in ipairs(trust_anchors.keyset) do
local keep = true
if not ta_find(new_keys, ta) then
keep = ta_missing(ta, hold_down)
end
-- Purge removed keys
if ta.state == key_state.Removed then
if keep_removed > 0 then
keep_removed = keep_removed - 1
else
keep = false
end
end
if keep then
table.insert(keyset, ta)
end
......
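Review bot: The `Removed` branch decrements `keep_removed` even when `ta_missing` has already set `keep` to false, so a key that is purged anyway still consumes one history slot and a later `Removed` key that could have been kept is dropped instead; guarding the branch with the current decision, `if keep and ta.state == key_state.Removed then`, keeps the count honest. Whether `ta_missing` can return false for a key already in the `Removed` state is not visible in this hunk, so confirm against its definition. `trust_anchors.keep_removed` is also read with no fallback, so a user who sets it to `nil` (the same way the docs invite setting `refresh_time`) gets a runtime compare error at `keep_removed > 0`; `local keep_removed = trust_anchors.keep_removed or 0` preserves the documented default. Note too that the table literal sets the default to 0 while the rst hunk's `:return:` line advertises `default: 1`. The `trust_anchors` table starts before this hunk and the `update` function continues past it.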