Commit 10a59d48 authored by Libor Peltan's avatar Libor Peltan

dnssec: keep track of newly added rrsig expiration

parent f5a3688b
......@@ -258,7 +258,7 @@ static int rrsigs_create_rdata(knot_rrset_t *rrsigs, dnssec_sign_ctx_t *ctx,
int knot_sign_rrset(knot_rrset_t *rrsigs, const knot_rrset_t *covered,
const dnssec_key_t *key, dnssec_sign_ctx_t *sign_ctx,
const kdnssec_ctx_t *dnssec_ctx, knot_mm_t *mm)
const kdnssec_ctx_t *dnssec_ctx, knot_mm_t *mm, knot_time_t *expires)
{
if (knot_rrset_empty(covered) || !key || !sign_ctx || !dnssec_ctx ||
rrsigs->type != KNOT_RRTYPE_RRSIG ||
......@@ -270,8 +270,12 @@ int knot_sign_rrset(knot_rrset_t *rrsigs, const knot_rrset_t *covered,
uint32_t sig_incept = dnssec_ctx->now - RRSIG_INCEPT_IN_PAST;
uint32_t sig_expire = dnssec_ctx->now + dnssec_ctx->policy->rrsig_lifetime;
return rrsigs_create_rdata(rrsigs, sign_ctx, covered, key, sig_incept,
sig_expire, mm);
int ret = rrsigs_create_rdata(rrsigs, sign_ctx, covered, key, sig_incept,
sig_expire, mm);
if (ret == KNOT_EOK && expires != NULL) {
*expires = knot_time_min(*expires, sig_expire);
}
return ret;
}
int knot_synth_rrsig(uint16_t type, const knot_rdataset_t *rrsig_rrs,
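Review bot: `*expires = knot_time_min(*expires, sig_expire);` reads the caller's value before writing it, so `expires` is an in/out accumulator that the caller must initialize to whatever knot_time_min treats as "no bound", yet the header comment added in the `@@ -30,6 +30,7 @@` hunk documents it as `Out: When will the new RRSIG expire.` A caller that passes a pointer to an uninitialized knot_time_t would fold an arbitrary value into the minimum. Suggest rewording the header line to `\param expires In/out: lowered to the new RRSIG's expiration if that is earlier; may be NULL.` and giving the `expires_at` parameter documented in zone-sign.c (`@@ -280,6 +280,7 @@`) the same in/out wording. Whether knot_time_min treats 0 as unbounded is not visible here, so the caller-side initialization convention should be stated wherever it is decided.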
......
......@@ -30,6 +30,7 @@
* \param sign_ctx Signing context.
* \param dnssec_ctx DNSSEC context.
* \param mm Memory context.
* \param expires Out: When will the new RRSIG expire.
*
* \return Error code, KNOT_EOK if successful.
*/
......@@ -38,7 +39,8 @@ int knot_sign_rrset(knot_rrset_t *rrsigs,
const dnssec_key_t *key,
dnssec_sign_ctx_t *sign_ctx,
const kdnssec_ctx_t *dnssec_ctx,
knot_mm_t *mm);
knot_mm_t *mm,
knot_time_t *expires);
/*!
* \brief Add all data covered by signature into signing context.
......
......@@ -280,6 +280,7 @@ static int remove_expired_rrsigs(const knot_rrset_t *covered,
* \param zone_keys Zone keys.
* \param dnssec_ctx DNSSEC signing context
* \param changeset Changeset to be updated.
* \param expires_at Earliest RRSIG expiration.
*
* \return Error code, KNOT_EOK if successful.
*/
......@@ -287,7 +288,8 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
const knot_rrset_t *rrsigs,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
changeset_t *changeset)
changeset_t *changeset,
knot_time_t *expires_at)
{
assert(!knot_rrset_empty(covered));
assert(zone_keys);
......@@ -311,7 +313,8 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
to_add = create_empty_rrsigs_for(covered);
}
result = knot_sign_rrset(&to_add, covered, key->key, key->ctx, dnssec_ctx, NULL);
result = knot_sign_rrset(&to_add, covered, key->key, key->ctx,
dnssec_ctx, NULL, expires_at);
if (result != KNOT_EOK) {
break;
}
......@@ -383,7 +386,7 @@ static int force_resign_rrset(const knot_rrset_t *covered,
}
}
return add_missing_rrsigs(covered, NULL, zone_keys, dnssec_ctx, changeset);
return add_missing_rrsigs(covered, NULL, zone_keys, dnssec_ctx, changeset, NULL);
}
/*!
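Review bot: force_resign_rrset now passes `NULL` for expires_at to add_missing_rrsigs, as does knot_zone_sign_nsecs_in_changeset in the `@@ -1086,7 +1089,7 @@` hunk, so RRSIGs generated on the forced-resign and NSEC/NSEC3 paths never lower the tracked earliest expiration, whereas the resign_rrset path threads `expires_at` through. If the tracked value is what schedules the next re-signing, signatures created on those two paths could expire before that event fires; it is not visible here whether those callers have an accumulator in scope to pass instead. If skipping them is intentional, a one-line comment at each `NULL` stating why those signatures need no tracking would make the asymmetry deliberate rather than accidental. force_resign_rrset's body starts outside the hunk.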
......@@ -414,7 +417,7 @@ static int resign_rrset(const knot_rrset_t *covered,
}
return add_missing_rrsigs(covered, rrsigs, zone_keys, dnssec_ctx,
changeset);
changeset, expires_at);
}
static int remove_standalone_rrsigs(const zone_node_t *node,
......@@ -1086,7 +1089,7 @@ int knot_zone_sign_nsecs_in_changeset(const zone_keyset_t *zone_keys,
rr.type == KNOT_RRTYPE_NSEC3 ||
rr.type == KNOT_RRTYPE_NSEC3PARAM) {
int ret = add_missing_rrsigs(&rr, NULL, zone_keys,
dnssec_ctx, changeset);
dnssec_ctx, changeset, NULL);
if (ret != KNOT_EOK) {
changeset_iter_clear(&itt);
return ret;
......
......@@ -623,7 +623,7 @@ int knotd_mod_dnssec_sign_rrset(knotd_mod_t *mod, knot_rrset_t *rrsigs,
}
int ret = knot_sign_rrset(rrsigs, rrset, key->key, key->ctx,
mod->dnssec, mm);
mod->dnssec, mm, NULL);
if (ret != KNOT_EOK) {
return ret;
}
......