Commit 75196ced authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

timers: added nsec3resalt and parentDSquery to timers

parent c7a00f88
......@@ -46,6 +46,7 @@ void event_dnssec_reschedule(conf_t *conf, zone_t *zone,
if (refresh->plan_ds_query) {
log_zone_notice(zone->name, "DNSSEC, published CDS, CDNSKEY for submission");
zone->timers.next_parent_ds_q = now;
}
zone_events_schedule_at(zone,
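Review bot: The assignment `zone->timers.next_parent_ds_q = now;` persists the planned query alongside the scheduling call that follows, but nothing in the hunk says why both are needed; a comment such as `// persist the planned query so replan_from_timers restores it after a restart` would make the dependency on replan_from_timers visible. event_dnssec_reschedule starts before the hunk and continues after it.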
......@@ -28,29 +28,6 @@
#include "knot/zone/zone.h"
#include "knot/zone/zonefile.h"
static int post_load_dnssec_actions(conf_t *conf, zone_t *zone)
{
kdnssec_ctx_t kctx = { 0 };
int ret = kdnssec_ctx_init(conf, &kctx, zone->name, NULL);
if (ret != KNOT_EOK) {
return ret;
}
bool ignore1 = false; knot_time_t ignore2 = 0;
ret = knot_dnssec_nsec3resalt(&kctx, &ignore1, &ignore2);
if (ret != KNOT_EOK) {
kdnssec_ctx_deinit(&kctx);
return ret;
}
if (zone_has_key_sbm(&kctx)) {
zone_events_schedule_now(zone, ZONE_EVENT_PARENT_DS_Q);
}
kdnssec_ctx_deinit(&kctx);
return KNOT_EOK;
}
int event_load(conf_t *conf, zone_t *zone)
{
zone_contents_t *journal_conts = NULL, *zf_conts = NULL;
......@@ -184,10 +161,7 @@ int event_load(conf_t *conf, zone_t *zone)
// Sign zone using DNSSEC if configured.
zone_sign_reschedule_t dnssec_refresh = { .allow_rollover = true };
if (dnssec_enable) {
ret = post_load_dnssec_actions(conf, zone);
if (ret == KNOT_EOK) {
ret = knot_dnssec_zone_sign(&up, 0, &dnssec_refresh);
}
ret = knot_dnssec_zone_sign(&up, 0, &dnssec_refresh);
if (ret != KNOT_EOK) {
zone_update_clear(&up);
goto cleanup;
......@@ -220,9 +194,6 @@ int event_load(conf_t *conf, zone_t *zone)
replan_from_timers(conf, zone);
if (dnssec_enable) {
zone_events_schedule_now(zone, ZONE_EVENT_NSEC3RESALT);
// if nothing to be done NOW for any of those, they will replan themselves for later
event_dnssec_reschedule(conf, zone, &dnssec_refresh, false); // false since we handle NOTIFY below
}
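Review bot: With post_load_dnssec_actions removed, the `ret = knot_dnssec_zone_sign(&up, 0, &dnssec_refresh);` call in the second hunk now runs before the NSEC3 resalt that replan_from_timers schedules in the third hunk, whereas the deleted helper resalted first; if signing with an empty or stale salt is not safe, the load path should still wait for the resalt. The deleted helper also scheduled ZONE_EVENT_PARENT_DS_Q whenever zone_has_key_sbm() was true, and the new code relies on the persisted next_parent_ds_q timer instead, so a zone in submission whose timer record predates this commit (value 0) would presumably not get the query replanned until event_dnssec_reschedule next sets plan_ds_query — worth confirming. event_load starts before the first hunk and ends after the last.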
......@@ -30,12 +30,14 @@ int event_nsec3resalt(conf_t *conf, zone_t *zone)
}
ret = knot_dnssec_nsec3resalt(&kctx, &salt_changed, &next_resalt);
kdnssec_ctx_deinit(&kctx);
if (ret == KNOT_EOK && salt_changed) {
zone_events_schedule_now(zone, ZONE_EVENT_DNSSEC);
zone->timers.last_resalt = kctx.now;
}
kdnssec_ctx_deinit(&kctx);
if (next_resalt) {
zone_events_schedule_at(zone, ZONE_EVENT_NSEC3RESALT, next_resalt);
}
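Review bot: On a failed resalt (`ret != KNOT_EOK`) nothing in the hunk is rescheduled and last_resalt is left untouched, so if next_resalt is 0 on that path the event silently disappears until the next replan_from_timers; event_nsec3resalt starts outside the hunk, so an error log may exist there, but a comment at the `if (next_resalt)` line would make the intent explicit, e.g. `// on error next_resalt may be 0; replan_from_timers re-plans from timers.last_resalt`. Moving kdnssec_ctx_deinit below the `kctx.now` read is correct; a one-line comment `// kctx.now is still read above, deinit must stay after it` would stop a future reorder from reintroducing the use-after-deinit.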
......@@ -159,8 +159,10 @@ static int try_ds(conf_t *conf, zone_t *zone, const conf_remote_t *parent, zone_
return ret;
}
static bool parents_have_ds(zone_t *zone, conf_t *conf, zone_key_t *key) {
static bool parents_have_ds(zone_t *zone, conf_t *conf, zone_key_t *key)
{
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone->name);
conf_id_fix_default(&policy);
conf_val_t ksk_sbm = conf_id_get(conf, C_POLICY, C_KSK_SBM, &policy);
assert(conf_val_count(&ksk_sbm) < 2);
if (conf_val_count(&ksk_sbm) < 1) {
......@@ -215,9 +217,11 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone)
}
}
zone->timers.next_parent_ds_q = 0;
if (ret != KNOT_EOK) {
if (ctx.policy->ksk_sbm_check_interval > 0) {
time_t next_check = time(NULL) + ctx.policy->ksk_sbm_check_interval;
zone->timers.next_parent_ds_q = next_check;
zone_events_schedule_at(zone, ZONE_EVENT_PARENT_DS_Q, next_check);
}
} else {
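Review bot: At the `zone->timers.next_parent_ds_q = 0;` line the persisted timer is cleared unconditionally, so on a failure with ksk_sbm_check_interval <= 0 the DS query is dropped and, since replan_from_timers maps 0 to TIME_IGNORE, does not resume after a restart. If a single check is the intended behaviour for that configuration, say so in a comment, e.g. `// 0 = no query pending; re-armed below only when a check interval is configured`. The success branch (`else`) continues outside the hunk, and the first hunk is a brace-style fix only.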
/* Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -73,7 +73,6 @@ static void replan_dnssec(conf_t *conf, zone_t *zone)
conf_val_t val = conf_zone_get(conf, C_DNSSEC_SIGNING, zone->name);
if (conf_bool(&val)) {
zone_events_schedule_now(zone, ZONE_EVENT_NSEC3RESALT);
zone_events_schedule_now(zone, ZONE_EVENT_DNSSEC);
}
}
......@@ -84,13 +83,15 @@ static bool can_expire(const zone_t *zone)
}
/*!
* \brief Replan events that depend on zone timers (REFRESH, EXPIRE, FLUSH).
* \brief Replan events that depend on zone timers (REFRESH, EXPIRE, FLUSH, RESALT, PARENT DS QUERY).
*/
void replan_from_timers(conf_t *conf, zone_t *zone)
{
assert(conf);
assert(zone);
time_t now = time(NULL);
time_t refresh = TIME_CANCEL;
if (zone_is_slave(conf, zone)) {
refresh = zone->timers.next_refresh;
......@@ -113,11 +114,34 @@ void replan_from_timers(conf_t *conf, zone_t *zone)
}
}
time_t resalt = TIME_CANCEL;
conf_val_t val = conf_zone_get(conf, C_DNSSEC_SIGNING, zone->name);
if (conf_bool(&val)) {
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone->name);
conf_id_fix_default(&policy);
val = conf_id_get(conf, C_POLICY, C_NSEC3, &policy);
if (conf_bool(&val)) {
if (zone->timers.last_resalt == 0) {
resalt = now;
} else {
val = conf_id_get(conf, C_POLICY, C_NSEC3_SALT_LIFETIME, &policy);
resalt = zone->timers.last_resalt + conf_int(&val);
}
}
}
time_t ds = zone->timers.next_parent_ds_q;
if (ds == 0) {
ds = TIME_IGNORE;
}
zone_events_schedule_at(zone,
ZONE_EVENT_REFRESH, refresh,
ZONE_EVENT_EXPIRE, expire_pre,
ZONE_EVENT_EXPIRE, expire,
ZONE_EVENT_FLUSH, flush);
ZONE_EVENT_FLUSH, flush,
ZONE_EVENT_NSEC3RESALT, resalt,
ZONE_EVENT_PARENT_DS_Q, ds);
}
void replan_load_new(zone_t *zone)
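Review bot: In the third hunk `resalt` falls back to TIME_CANCEL when signing or NSEC3 is off, while `ds` falls back to TIME_IGNORE when the timer is 0, so a pending PARENT_DS_Q event is left alone whereas a pending NSEC3RESALT is cancelled; that asymmetry deserves a comment at the `if (ds == 0)` line, e.g. `// 0 = nothing persisted; keep any query already planned by event_dnssec_reschedule`. Zones whose stored timers predate this commit presumably load with last_resalt == 0 (if deserialize_timers leaves absent ids at zero), which the `if (zone->timers.last_resalt == 0)` branch turns into an immediate resalt of every NSEC3 zone on the first start after upgrade — likely intended, but worth stating in the commit message. The replan_dnssec hunk is consistent with moving the resalt decision here.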
......@@ -53,10 +53,12 @@ enum timer_id {
TIMER_SOA_EXPIRE = 0x80,
TIMER_LAST_FLUSH,
TIMER_LAST_REFRESH,
TIMER_NEXT_REFRESH
TIMER_NEXT_REFRESH,
TIMER_LAST_RESALT,
TIMER_NEXT_PARENT_DS_Q
};
#define TIMER_COUNT 4
#define TIMER_COUNT 6
#define TIMER_SIZE (sizeof(uint8_t) + sizeof(uint64_t))
#define SERIALIZED_SIZE (TIMER_COUNT * TIMER_SIZE)
......@@ -79,6 +81,10 @@ static int serialize_timers(const zone_timers_t *timers, uint8_t *data, size_t s
wire_ctx_write_u64(&wire, timers->last_refresh);
wire_ctx_write_u8(&wire, TIMER_NEXT_REFRESH);
wire_ctx_write_u64(&wire, timers->next_refresh);
wire_ctx_write_u8(&wire, TIMER_LAST_RESALT);
wire_ctx_write_u64(&wire, timers->last_resalt);
wire_ctx_write_u8(&wire, TIMER_NEXT_PARENT_DS_Q);
wire_ctx_write_u64(&wire, timers->next_parent_ds_q);
assert(wire.error == KNOT_EOK);
assert(wire_ctx_available(&wire) == 0);
......@@ -105,10 +111,12 @@ static int deserialize_timers(zone_timers_t *timers_ptr,
uint8_t id = wire_ctx_read_u8(&wire);
uint64_t value = wire_ctx_read_u64(&wire);
switch (id) {
case TIMER_SOA_EXPIRE: timers.soa_expire = value; break;
case TIMER_LAST_FLUSH: timers.last_flush = value; break;
case TIMER_LAST_REFRESH: timers.last_refresh = value; break;
case TIMER_NEXT_REFRESH: timers.next_refresh = value; break;
case TIMER_SOA_EXPIRE: timers.soa_expire = value; break;
case TIMER_LAST_FLUSH: timers.last_flush = value; break;
case TIMER_LAST_REFRESH: timers.last_refresh = value; break;
case TIMER_NEXT_REFRESH: timers.next_refresh = value; break;
case TIMER_LAST_RESALT: timers.last_resalt = value; break;
case TIMER_NEXT_PARENT_DS_Q: timers.next_parent_ds_q = value; break;
default: break; // ignore
}
}
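Review bot: Raising TIMER_COUNT to 6 changes SERIALIZED_SIZE, and deserialize_timers (which starts before the hunk) reads records that may still have the old 4-timer size; if it rejects a record whose size differs from SERIALIZED_SIZE, every zone's persisted refresh/expire/flush timers are lost on the first start after upgrade. The `default: break; // ignore` case already tolerates unknown ids, so the loop itself is forward-compatible; please confirm the size check tolerates shorter records, or derive the loop bound from the actual record size. The asserts after the two added writes in serialize_timers remain correct with the new count.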
......@@ -26,10 +26,12 @@
* \brief Persistent zone timers.
*/
struct zone_timers {
uint32_t soa_expire; //!< SOA expire value.
time_t last_flush; //!< Last zone file synchronization.
time_t last_refresh; //!< Last successful zone refresh attempt.
time_t next_refresh; //!< Next zone refresh attempt.
uint32_t soa_expire; //!< SOA expire value.
time_t last_flush; //!< Last zone file synchronization.
time_t last_refresh; //!< Last successful zone refresh attempt.
time_t next_refresh; //!< Next zone refresh attempt.
time_t last_resalt; //!< Last NSEC3 resalt
time_t next_parent_ds_q; //!< Next parent ds query
};
typedef struct zone_timers zone_timers_t;
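Review bot: The two new field comments omit the meaning of zero, which the rest of the commit relies on (replan_from_timers treats last_resalt == 0 as "resalt now" and next_parent_ds_q == 0 as "nothing pending"). Document it on the fields: `time_t last_resalt; //!< Last NSEC3 resalt (0 = never).` and `time_t next_parent_ds_q; //!< Next parent DS query (0 = none pending).`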