Commit 1abc2d8d authored by Libor Peltan's avatar Libor Peltan

Merge branch 'key_roll_flags' into 'master'

Fix missing NSEC3 resalt during full refresh

See merge request !995
parents b1520570 202ef80a
...@@ -468,9 +468,7 @@ static int zone_txn_commit(zone_t *zone, ctl_args_t *args) ...@@ -468,9 +468,7 @@ static int zone_txn_commit(zone_t *zone, ctl_args_t *args)
if (dnssec_enable) { if (dnssec_enable) {
zone_sign_reschedule_t resch = { 0 }; zone_sign_reschedule_t resch = { 0 };
bool full = (zone->control_update->flags & UPDATE_FULL); bool full = (zone->control_update->flags & UPDATE_FULL);
zone_sign_roll_flags_t rflags = KEY_ROLL_ALLOW_KSK_ROLL | zone_sign_roll_flags_t rflags = KEY_ROLL_ALLOW_ALL;
KEY_ROLL_ALLOW_ZSK_ROLL |
KEY_ROLL_DO_NSEC3RESALT;
int ret = (full ? knot_dnssec_zone_sign(zone->control_update, 0, rflags, &resch) : int ret = (full ? knot_dnssec_zone_sign(zone->control_update, 0, rflags, &resch) :
knot_dnssec_sign_update(zone->control_update, &resch)); knot_dnssec_sign_update(zone->control_update, &resch));
if (ret != KNOT_EOK) { if (ret != KNOT_EOK) {
...@@ -44,7 +44,7 @@ static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_r ...@@ -44,7 +44,7 @@ static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_r
// perform nsec3resalt if pending // perform nsec3resalt if pending
if (roll_flags & KEY_ROLL_DO_NSEC3RESALT) { if (roll_flags & KEY_ROLL_ALLOW_NSEC3RESALT) {
r = knot_dnssec_nsec3resalt(ctx, &reschedule->last_nsec3resalt, &reschedule->next_nsec3resalt); r = knot_dnssec_nsec3resalt(ctx, &reschedule->last_nsec3resalt, &reschedule->next_nsec3resalt);
if (r != KNOT_EOK) { if (r != KNOT_EOK) {
return r; return r;
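Review bot: The comment `// perform nsec3resalt if pending` no longer matches the condition under it: the flag was renamed from DO to ALLOW, so the test now only expresses the caller's permission, and whether a resalt is actually due has to be decided inside knot_dnssec_nsec3resalt(), which is not visible in this hunk. Suggest `// resalt NSEC3 if the caller allows it; knot_dnssec_nsec3resalt() decides whether one is due` so a reader does not assume the flag still forces a resalt on every signing pass. sign_init's body continues outside the hunk.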
...@@ -103,8 +103,6 @@ static int generate_salt(dnssec_binary_t *salt, uint16_t length) ...@@ -103,8 +103,6 @@ static int generate_salt(dnssec_binary_t *salt, uint16_t length)
return KNOT_EOK; return KNOT_EOK;
} }
// TODO preserve the resalt timeout in timers-db instead of kasp_db
int knot_dnssec_nsec3resalt(kdnssec_ctx_t *ctx, knot_time_t *salt_changed, knot_time_t *when_resalt) int knot_dnssec_nsec3resalt(kdnssec_ctx_t *ctx, knot_time_t *salt_changed, knot_time_t *when_resalt)
{ {
int ret = KNOT_EOK; int ret = KNOT_EOK;
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> /* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -32,11 +32,14 @@ enum zone_sign_flags { ...@@ -32,11 +32,14 @@ enum zone_sign_flags {
typedef enum zone_sign_flags zone_sign_flags_t; typedef enum zone_sign_flags zone_sign_flags_t;
typedef enum { typedef enum {
KEY_ROLL_ALLOW_KSK_ROLL = (1 << 0), KEY_ROLL_ALLOW_KSK_ROLL = (1 << 0),
KEY_ROLL_FORCE_KSK_ROLL = (1 << 1), KEY_ROLL_FORCE_KSK_ROLL = (1 << 1),
KEY_ROLL_ALLOW_ZSK_ROLL = (1 << 2), KEY_ROLL_ALLOW_ZSK_ROLL = (1 << 2),
KEY_ROLL_FORCE_ZSK_ROLL = (1 << 3), KEY_ROLL_FORCE_ZSK_ROLL = (1 << 3),
KEY_ROLL_DO_NSEC3RESALT = (1 << 4), KEY_ROLL_ALLOW_NSEC3RESALT = (1 << 4),
KEY_ROLL_ALLOW_ALL = KEY_ROLL_ALLOW_KSK_ROLL |
KEY_ROLL_ALLOW_ZSK_ROLL |
KEY_ROLL_ALLOW_NSEC3RESALT
} zone_sign_roll_flags_t; } zone_sign_roll_flags_t;
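Review bot: KEY_ROLL_ALLOW_ALL reads as if it enabled every flag in the enum, but it deliberately leaves out KEY_ROLL_FORCE_KSK_ROLL and KEY_ROLL_FORCE_ZSK_ROLL, and the renamed KEY_ROLL_ALLOW_NSEC3RESALT now grants permission rather than ordering a resalt; none of this is stated in the header. A short comment above the typedef would keep a caller from passing "all" and expecting a forced roll or an immediate resalt: `/* ALLOW_* flags permit a key roll or NSEC3 resalt, which the signing code performs only when due; FORCE_* flags require the roll. KEY_ROLL_ALLOW_ALL covers the ALLOW_* flags only. */`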
typedef struct { typedef struct {
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> /* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -71,7 +71,7 @@ int event_dnssec(conf_t *conf, zone_t *zone) ...@@ -71,7 +71,7 @@ int event_dnssec(conf_t *conf, zone_t *zone)
assert(zone); assert(zone);
zone_sign_reschedule_t resch = { 0 }; zone_sign_reschedule_t resch = { 0 };
zone_sign_roll_flags_t r_flags = KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL; zone_sign_roll_flags_t r_flags = KEY_ROLL_ALLOW_ALL;
int sign_flags = 0; int sign_flags = 0;
if (zone->flags & ZONE_FORCE_RESIGN) { if (zone->flags & ZONE_FORCE_RESIGN) {
...@@ -84,10 +84,6 @@ int event_dnssec(conf_t *conf, zone_t *zone) ...@@ -84,10 +84,6 @@ int event_dnssec(conf_t *conf, zone_t *zone)
sign_flags = 0; sign_flags = 0;
} }
if (zone_events_get_time(zone, ZONE_EVENT_NSEC3RESALT) <= time(NULL)) {
r_flags |= KEY_ROLL_DO_NSEC3RESALT;
}
if (zone->flags & ZONE_FORCE_KSK_ROLL) { if (zone->flags & ZONE_FORCE_KSK_ROLL) {
zone->flags &= ~ZONE_FORCE_KSK_ROLL; zone->flags &= ~ZONE_FORCE_KSK_ROLL;
r_flags |= KEY_ROLL_FORCE_KSK_ROLL; r_flags |= KEY_ROLL_FORCE_KSK_ROLL;
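Review bot: Dropping the `zone_events_get_time(zone, ZONE_EVENT_NSEC3RESALT) <= time(NULL)` check means event_dnssec no longer decides when a resalt happens; with KEY_ROLL_ALLOW_ALL set unconditionally on the first hunk's r_flags line, the decision must now live in knot_dnssec_nsec3resalt(), whose hunk in this merge request only removes a TODO comment. If ZONE_EVENT_NSEC3RESALT is still scheduled elsewhere, its time and whatever timestamp the signing code consults are two sources of truth that can drift, so it is worth confirming that `resch.next_nsec3resalt` is the only thing that reschedules that event. A one-line comment where the check used to be, `// NSEC3 resalt timing is decided by knot_dnssec_nsec3resalt() when allowed by r_flags`, would record where the logic went. event_dnssec's body continues outside both hunks.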
...@@ -228,8 +228,7 @@ int event_load(conf_t *conf, zone_t *zone) ...@@ -228,8 +228,7 @@ int event_load(conf_t *conf, zone_t *zone)
// Sign zone using DNSSEC if configured. // Sign zone using DNSSEC if configured.
zone_sign_reschedule_t dnssec_refresh = { 0 }; zone_sign_reschedule_t dnssec_refresh = { 0 };
if (dnssec_enable) { if (dnssec_enable) {
ret = knot_dnssec_zone_sign(&up, 0, KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL | KEY_ROLL_DO_NSEC3RESALT, ret = knot_dnssec_zone_sign(&up, 0, KEY_ROLL_ALLOW_ALL, &dnssec_refresh);
&dnssec_refresh);
if (ret != KNOT_EOK) { if (ret != KNOT_EOK) {
zone_update_clear(&up); zone_update_clear(&up);
goto cleanup; goto cleanup;
...@@ -242,7 +242,7 @@ static int axfr_finalize(struct refresh_data *data) ...@@ -242,7 +242,7 @@ static int axfr_finalize(struct refresh_data *data)
bool dnssec_enable = conf_bool(&val); bool dnssec_enable = conf_bool(&val);
if (dnssec_enable) { if (dnssec_enable) {
zone_sign_reschedule_t resch = { 0 }; zone_sign_reschedule_t resch = { 0 };
ret = knot_dnssec_zone_sign(&up, ZONE_SIGN_KEEP_SERIAL, KEY_ROLL_ALLOW_KSK_ROLL | KEY_ROLL_ALLOW_ZSK_ROLL, &resch); ret = knot_dnssec_zone_sign(&up, ZONE_SIGN_KEEP_SERIAL, KEY_ROLL_ALLOW_ALL, &resch);
if (ret != KNOT_EOK) { if (ret != KNOT_EOK) {
zone_update_clear(&up); zone_update_clear(&up);
return ret; return ret;
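Review bot: Adding KEY_ROLL_ALLOW_NSEC3RESALT (via KEY_ROLL_ALLOW_ALL) to the AXFR path is the fix the merge request title describes, and it is the path where a resalt has the largest effect, since a new salt regenerates the whole NSEC3 chain of the just-transferred zone; the `resch` declared three lines above therefore now carries resalt timing, not only key-roll timing. The code that consumes resch is outside the hunk, so it is worth confirming that last_nsec3resalt and next_nsec3resalt are applied to the zone's timers here the same way event_dnssec applies them, otherwise the resalt interval computed during the refresh would presumably be lost. A comment next to the call would make the new responsibility visible: `// may also resalt NSEC3 when due; resch carries the next resalt time`.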