Commit 1abc2d8d authored by Libor Peltan's avatar Libor Peltan

Merge branch 'key_roll_flags' into 'master'

Fix missing NSEC3 resalt during full refresh

See merge request !995
parents b1520570 202ef80a
......@@ -468,9 +468,7 @@ static int zone_txn_commit(zone_t *zone, ctl_args_t *args)
if (dnssec_enable) {
zone_sign_reschedule_t resch = { 0 };
bool full = (zone->control_update->flags & UPDATE_FULL);
zone_sign_roll_flags_t rflags = KEY_ROLL_ALLOW_KSK_ROLL |
KEY_ROLL_ALLOW_ZSK_ROLL |
KEY_ROLL_DO_NSEC3RESALT;
zone_sign_roll_flags_t rflags = KEY_ROLL_ALLOW_ALL;
int ret = (full ? knot_dnssec_zone_sign(zone->control_update, 0, rflags, &resch) :
knot_dnssec_sign_update(zone->control_update, &resch));
if (ret != KNOT_EOK) {
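Review bot: `rflags` is now a single constant consumed only on the `full` branch of the ternary, so the local adds a line without saying anything; the other call sites in this commit (event_load, axfr_finalize) pass the constant inline, and this one could match them: `int ret = (full ? knot_dnssec_zone_sign(zone->control_update, 0, KEY_ROLL_ALLOW_ALL, &resch) :`. The non-full path `knot_dnssec_sign_update(zone->control_update, &resch)` receives no roll flags at all; that is unchanged by this commit, but if incremental updates are deliberately never allowed to roll keys or resalt, a one-line comment stating so next to the ternary would spare the next reader the same question. zone_txn_commit starts and ends outside the hunk.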
......
......@@ -44,7 +44,7 @@ static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_r
// perform nsec3resalt if pending
if (roll_flags & KEY_ROLL_DO_NSEC3RESALT) {
if (roll_flags & KEY_ROLL_ALLOW_NSEC3RESALT) {
r = knot_dnssec_nsec3resalt(ctx, &reschedule->last_nsec3resalt, &reschedule->next_nsec3resalt);
if (r != KNOT_EOK) {
return r;
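Review bot: The comment `// perform nsec3resalt if pending` on the first line of the hunk no longer describes the code beneath it: the flag was renamed from DO to ALLOW and the call is now made whenever the caller permits it, so the "pending" decision presumably moved inside knot_dnssec_nsec3resalt() (its hunk below shows only the signature, so this is inferred). Suggest `// resalt NSEC3 if the caller allows it; knot_dnssec_nsec3resalt() decides whether the salt is actually due` here, and a header comment on knot_dnssec_nsec3resalt() stating that it is a no-op when no resalt is due and what it writes to `*salt_changed` and `*when_resalt`, since every full-sign call site in this commit now reaches it unconditionally. sign_init's body continues outside the hunk.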
......@@ -103,8 +103,6 @@ static int generate_salt(dnssec_binary_t *salt, uint16_t length)
return KNOT_EOK;
}
// TODO preserve the resalt timeout in timers-db instead of kasp_db
int knot_dnssec_nsec3resalt(kdnssec_ctx_t *ctx, knot_time_t *salt_changed, knot_time_t *when_resalt)
{
int ret = KNOT_EOK;
......
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -32,11 +32,14 @@ enum zone_sign_flags {
typedef enum zone_sign_flags zone_sign_flags_t;
typedef enum {
KEY_ROLL_ALLOW_KSK_ROLL = (1 << 0),
KEY_ROLL_FORCE_KSK_ROLL = (1 << 1),
KEY_ROLL_ALLOW_ZSK_ROLL = (1 << 2),
KEY_ROLL_FORCE_ZSK_ROLL = (1 << 3),
KEY_ROLL_DO_NSEC3RESALT = (1 << 4),
KEY_ROLL_ALLOW_KSK_ROLL = (1 << 0),
KEY_ROLL_FORCE_KSK_ROLL = (1 << 1),
KEY_ROLL_ALLOW_ZSK_ROLL = (1 << 2),
KEY_ROLL_FORCE_ZSK_ROLL = (1 << 3),
KEY_ROLL_ALLOW_NSEC3RESALT = (1 << 4),
KEY_ROLL_ALLOW_ALL = KEY_ROLL_ALLOW_KSK_ROLL |
KEY_ROLL_ALLOW_ZSK_ROLL |
KEY_ROLL_ALLOW_NSEC3RESALT
} zone_sign_roll_flags_t;
typedef struct {
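Review bot: `KEY_ROLL_DO_NSEC3RESALT` is renamed to `KEY_ROLL_ALLOW_NSEC3RESALT` while keeping the bit value `(1 << 4)`, so the rename is source-incompatible but numerically identical, and nothing at the enum explains the semantic shift from "resalt now" to "resalt is permitted". Suggest a one-line comment per enumerator, e.g. `KEY_ROLL_ALLOW_NSEC3RESALT = (1 << 4), // resalt may happen; whether it does is decided by the signer` and `KEY_ROLL_ALLOW_ALL = ... // every ALLOW_ flag, none of the FORCE_ flags`. The FORCE_ flags being excluded from `KEY_ROLL_ALLOW_ALL` reads as intentional but is worth stating, since a caller might otherwise expect "all" to force a roll.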
......
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -71,7 +71,7 @@ int event_dnssec(conf_t *conf, zone_t *zone)
assert(zone);
zone_sign_reschedule_t resch = { 0 };
zone_sign_roll_flags_t r_flags = KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL;
zone_sign_roll_flags_t r_flags = KEY_ROLL_ALLOW_ALL;
int sign_flags = 0;
if (zone->flags & ZONE_FORCE_RESIGN) {
......@@ -84,10 +84,6 @@ int event_dnssec(conf_t *conf, zone_t *zone)
sign_flags = 0;
}
if (zone_events_get_time(zone, ZONE_EVENT_NSEC3RESALT) <= time(NULL)) {
r_flags |= KEY_ROLL_DO_NSEC3RESALT;
}
if (zone->flags & ZONE_FORCE_KSK_ROLL) {
zone->flags &= ~ZONE_FORCE_KSK_ROLL;
r_flags |= KEY_ROLL_FORCE_KSK_ROLL;
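Review bot: With the `zone_events_get_time(zone, ZONE_EVENT_NSEC3RESALT) <= time(NULL)` gate removed in the second hunk, event_dnssec no longer consults the scheduled ZONE_EVENT_NSEC3RESALT time before allowing a resalt; the decision presumably now rests on the timestamp kept by knot_dnssec_nsec3resalt() (the TODO in that function's hunk mentions kasp_db), which leaves two stored times for the same event. If the timers-db event is now only a wake-up, say so next to `zone_sign_roll_flags_t r_flags = KEY_ROLL_ALLOW_ALL;`: `// resalt timing is decided by knot_dnssec_nsec3resalt() from its own stored time; ZONE_EVENT_NSEC3RESALT merely wakes this event`. event_dnssec continues outside both hunks.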
......
......@@ -228,8 +228,7 @@ int event_load(conf_t *conf, zone_t *zone)
// Sign zone using DNSSEC if configured.
zone_sign_reschedule_t dnssec_refresh = { 0 };
if (dnssec_enable) {
ret = knot_dnssec_zone_sign(&up, 0, KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL | KEY_ROLL_DO_NSEC3RESALT,
&dnssec_refresh);
ret = knot_dnssec_zone_sign(&up, 0, KEY_ROLL_ALLOW_ALL, &dnssec_refresh);
if (ret != KNOT_EOK) {
zone_update_clear(&up);
goto cleanup;
......
......@@ -242,7 +242,7 @@ static int axfr_finalize(struct refresh_data *data)
bool dnssec_enable = conf_bool(&val);
if (dnssec_enable) {
zone_sign_reschedule_t resch = { 0 };
ret = knot_dnssec_zone_sign(&up, ZONE_SIGN_KEEP_SERIAL, KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL, &resch);
ret = knot_dnssec_zone_sign(&up, ZONE_SIGN_KEEP_SERIAL, KEY_ROLL_ALLOW_ALL, &resch);
if (ret != KNOT_EOK) {
zone_update_clear(&up);
return ret;
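Review bot: This is the call site the commit title is about, yet nothing in the hunk records why AXFR finalization now permits a resalt together with `ZONE_SIGN_KEEP_SERIAL`; a later reader sees the flag set widened and cannot tell intent from accident. Suggest `// a full refresh must also allow a resalt, otherwise a pending NSEC3 resalt is skipped on this path (see merge request !995)` above the `knot_dnssec_zone_sign` call. Whether keeping the received serial while the NSEC3 chain is rewritten is acceptable for downstream consumers is not visible here and would be worth confirming in that comment. axfr_finalize continues outside the hunk.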
......