Commit 5a242bfc authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: child-record-publish option implemented

parent 92706244
......@@ -72,6 +72,14 @@ static const knot_lookup_t dnssec_key_algs[] = {
{ 0, NULL }
};
const knot_lookup_t child_record[] = {
{ CHILD_RECORDS_NONE, "none" },
{ CHILD_RECORDS_EMPTY, "empty" },
{ CHILD_RECORDS_ROLLOVER, "rollover" },
{ CHILD_RECORDS_ALWAYS, "always" },
{ 0, NULL }
};
const knot_lookup_t acl_actions[] = {
{ ACL_ACTION_NOTIFY, "notify" },
{ ACL_ACTION_TRANSFER, "transfer" },
......@@ -261,6 +269,7 @@ static const yp_item_t desc_policy[] = {
CONF_IO_FRLD_ZONES },
{ C_KSK_SBM, YP_TREF, YP_VREF = { C_SBM }, CONF_IO_FRLD_ZONES,
{ check_ref } },
{ C_CHILD_RECORDS, YP_TOPT, YP_VOPT = { child_record, CHILD_RECORDS_ALWAYS } },
{ C_COMMENT, YP_TSTR, YP_VNONE },
{ NULL }
};
......
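Review bot: The new lookup table `const knot_lookup_t child_record[]` has external linkage and a singular name, while the table just above it (`dnssec_key_algs`) is `static`. On this page it is referenced only from the `C_CHILD_RECORDS` entry in `desc_policy`, so unless another translation unit needs the symbol, `static const knot_lookup_t child_records[] = {` would keep it file-local and match the `CHILD_RECORDS_*` naming. The `desc_policy` entry defaults to `CHILD_RECORDS_ALWAYS`, which appears to keep the earlier behaviour (`kfc_prio = 0` before this commit); a short comment there would help, because the option decides whether CDS/CDNSKEY records are published at all. `desc_policy` starts outside the hunk.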
......@@ -37,6 +37,7 @@
#define C_ASYNC_START "\x0B""async-start"
#define C_BACKEND "\x07""backend"
#define C_BG_WORKERS "\x12""background-workers"
#define C_CHILD_RECORDS "\x15""child-records-publish"
#define C_CHK_INTERVAL "\x0E""check-interval"
#define C_COMMENT "\x07""comment"
#define C_CONFIG "\x06""config"
......@@ -136,6 +137,13 @@ enum {
KEYSTORE_BACKEND_PKCS11 = 2
};
enum {
CHILD_RECORDS_NONE = 0,
CHILD_RECORDS_EMPTY = 1,
CHILD_RECORDS_ROLLOVER = 2,
CHILD_RECORDS_ALWAYS = 3,
};
enum {
SERIAL_POLICY_INCREMENT = 1,
SERIAL_POLICY_UNIXTIME = 2
......
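Review bot: The new anonymous enum (`CHILD_RECORDS_NONE` through `CHILD_RECORDS_ALWAYS`) has no comment saying what each mode publishes, and `CHILD_RECORDS_EMPTY` in particular is not self-explanatory. These values gate CDS/CDNSKEY publication, which a parent zone may use to change the delegation's DS set, so each constant deserves a one-line comment, e.g. `CHILD_RECORDS_EMPTY = 1, // <what is published in this mode>`. The last enumerator also ends with a trailing comma (`CHILD_RECORDS_ALWAYS = 3,`) where the neighbouring enums (`KEYSTORE_BACKEND_PKCS11 = 2`) do not; dropping it keeps the header consistent.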
......@@ -85,6 +85,9 @@ static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
val = conf_id_get(conf(), C_POLICY, C_NSEC3_SALT_LIFETIME, id);
policy->nsec3_salt_lifetime = conf_int(&val);
val = conf_id_get(conf(), C_POLICY, C_CHILD_RECORDS, id);
policy->child_records_publish = conf_opt(&val);
conf_val_t ksk_sbm = conf_id_get(conf(), C_POLICY, C_KSK_SBM, id);
if (ksk_sbm.code == KNOT_EOK) {
val = conf_id_get(conf(), C_SBM, C_CHK_INTERVAL, &ksk_sbm);
......
......@@ -92,5 +92,6 @@ typedef struct {
// various
uint32_t ksk_sbm_timeout;
uint32_t ksk_sbm_check_interval;
unsigned child_records_publish;
} knot_kasp_policy_t;
// TODO make the time parameters knot_timediff_t ??
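Review bot: The new field `unsigned child_records_publish;` is added under `// various` with no indication of which values it holds. Its plain `unsigned` type hides that it carries one of the `CHILD_RECORDS_*` constants loaded via `conf_opt()`, so I would write `unsigned child_records_publish; // one of CHILD_RECORDS_*`. The struct begins outside the hunk.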
......@@ -946,7 +946,8 @@ int knot_zone_sign_update_dnskeys(zone_update_t *update,
ret = KNOT_ENOMEM;
}
zone_key_t *ksk_for_cds = NULL;
int kfc_prio = 0;
unsigned crp = dnssec_ctx->policy->child_records_publish;
int kfc_prio = (crp == CHILD_RECORDS_ALWAYS ? 0 : (crp == CHILD_RECORDS_ROLLOVER ? 1 : 2));
for (int i = 0; i < zone_keys->count; i++) {
zone_key_t *key = &zone_keys->keys[i];
if (key->is_public) {
......
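Review bot: The nested ternary that initialises `kfc_prio` maps `CHILD_RECORDS_ALWAYS` to 0, `CHILD_RECORDS_ROLLOVER` to 1 and every other value to 2, so `CHILD_RECORDS_EMPTY` and `CHILD_RECORDS_NONE` are indistinguishable at this point and the meaning of 0/1/2 is not stated. If `empty` is handled further down in `knot_zone_sign_update_dnskeys` (the function continues outside the hunk), a comment should say so; otherwise that mode has no effect of its own here. I would add `/* initial CDS/CDNSKEY key priority: 0 = always, 1 = rollover, 2 = none/empty */` above the line. Renaming `crp` to something like `cds_publish` would also help, since this selection determines what a parent may see as the child's intended DS.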