Commit 774d1464 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: refactoring: moved parent addrs to ctx->policy

parent 1a038bce
......@@ -22,6 +22,8 @@
#include "knot/dnssec/context.h"
#include "knot/dnssec/kasp/keystore.h"
dynarray_define(parent, knot_kasp_parent_t, DYNARRAY_VISIBILITY_PUBLIC)
static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
{
if (conf_str(id) == NULL) {
......@@ -95,9 +97,20 @@ static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
val = conf_id_get(conf(), C_SBM, C_TIMEOUT, &ksk_sbm);
policy->ksk_sbm_timeout = conf_int(&val);
} else {
policy->ksk_sbm_check_interval = 0;
policy->ksk_sbm_timeout = 0;
val = conf_id_get(conf(), C_SBM, C_PARENT, &ksk_sbm);
while (val.code == KNOT_EOK) {
conf_val_t addr = conf_id_get(conf(), C_RMT, C_ADDR, &val);
knot_kasp_parent_t p = { .addrs = conf_val_count(&addr) };
p.addr = p.addrs ? malloc(p.addrs * sizeof(*p.addr)) : NULL;
if (p.addr != NULL) {
for (size_t i = 0; i < p.addrs; i++) {
p.addr[i] = conf_remote(conf(), &val, i);
}
parent_dynarray_add(&policy->parents, &p);
}
conf_val_next(&val);
}
}
}
......@@ -191,6 +204,9 @@ void kdnssec_ctx_deinit(kdnssec_ctx_t *ctx)
if (ctx->policy != NULL) {
free(ctx->policy->string);
dynarray_foreach(parent, knot_kasp_parent_t, i, ctx->policy->parents) {
free(i->addr);
}
free(ctx->policy);
}
dnssec_keystore_deinit(ctx->keystore);
......
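Review bot: A parent whose address array cannot be allocated is silently dropped from `policy->parents`: when `malloc` returns NULL (or `p.addrs` is 0) the `if (p.addr != NULL)` guard skips `parent_dynarray_add`, and since `policy_load` is `void` the caller never learns that the loaded policy has fewer DS-check parents than were configured. Because `parents_have_ds` later treats that list as the complete set of parents to verify, a dropped parent is never consulted before the KSK submission is confirmed. I would at least make the omission visible — e.g. have `policy_load` return an error code on allocation failure and let its caller abort loading — rather than continuing with an incomplete policy. If a zero-address parent is something the configuration schema already rejects, a one-line comment saying so at the `p.addrs ?` line would spare the next reader this question. The body of `policy_load` between the hunks is outside this view, so I cannot tell whether the parent loop is inside the `ksk_sbm` branch or the `else` branch as the rendered order suggests.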
......@@ -20,6 +20,7 @@
#include "contrib/time.h"
#include "dnssec/lib/dnssec/key.h"
#include "knot/conf/conf.h"
/*!
* KASP key timing information.
......@@ -62,6 +63,16 @@ typedef struct {
bool is_zsk;
} knot_kasp_key_t;
/*!
* Parent for DS checks.
*/
typedef struct {
conf_remote_t *addr;
size_t addrs;
} knot_kasp_parent_t;
dynarray_declare(parent, knot_kasp_parent_t, DYNARRAY_VISIBILITY_PUBLIC, 3)
/*!
* Key and signature policy.
*/
......@@ -96,5 +107,6 @@ typedef struct {
uint32_t ksk_sbm_timeout;
uint32_t ksk_sbm_check_interval;
unsigned child_records_publish;
parent_dynarray_t parents;
} knot_kasp_policy_t;
// TODO make the time parameters knot_timediff_t ??
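Review bot: The new `knot_kasp_parent_t` carries a heap pointer but its comment does not say who owns it or how `addr`/`addrs` relate. Since the array is allocated in `policy_load` and released in `kdnssec_ctx_deinit`, I would extend the block comment to something like `/*! Parent for DS checks: addr is a heap array of addrs remotes, owned by the enclosing knot_kasp_policy_t and freed in kdnssec_ctx_deinit(). */`. The same ownership note belongs on the new `parents` member of `knot_kasp_policy_t` in the hunk below, so that anyone copying a policy knows a shallow copy would double-free.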
......@@ -174,37 +174,38 @@ static int try_ds(const knot_dname_t *zone_name, const conf_remote_t *parent, zo
return ret;
}
static bool parents_have_ds(const knot_dname_t *zone_name, conf_t *conf, zone_key_t *key, size_t timeout)
static bool parents_have_ds(kdnssec_ctx_t *kctx, const knot_dname_t *zone_name, zone_key_t *key, size_t timeout)
{
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone_name);
conf_id_fix_default(&policy);
conf_val_t ksk_sbm = conf_id_get(conf, C_POLICY, C_KSK_SBM, &policy);
assert(conf_val_count(&ksk_sbm) < 2);
if (conf_val_count(&ksk_sbm) < 1) {
return false;
}
conf_val_t parents = conf_id_get(conf, C_SBM, C_PARENT, &ksk_sbm);
bool success = false;
while (parents.code == KNOT_EOK) {
success = false;
conf_val_t addr = conf_id_get(conf, C_RMT, C_ADDR, &parents);
size_t addr_count = conf_val_count(&addr);
for (size_t i = 0; i < addr_count; i++) {
conf_remote_t parent = conf_remote(conf, &parents, i);
int ret = try_ds(zone_name, &parent, key, timeout);
bool success = true;
dynarray_foreach(parent, knot_kasp_parent_t, i, kctx->policy->parents) {
if ((success = !success)) return false;
for (size_t j = 0; j < i->addrs; j++) {
int ret = try_ds(zone_name, &i->addr[j], key, timeout);
if (ret == KNOT_EOK) {
success = true;
break;
}
}
conf_val_next(&parents);
}
return success;
}
int knot_parent_ds_query(kdnssec_ctx_t *kctx, zone_keyset_t *keyset, size_t timeout)
{
for (size_t i = 0; i < keyset->count; i++) {
zone_key_t *key = &keyset->keys[i];
if (dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_KSK &&
key->cds_priority > 1) {
if (parents_have_ds(kctx, kctx->zone->dname, key, timeout)) {
return knot_dnssec_ksk_sbm_confirm(kctx);
} else {
return KNOT_ENOENT;
}
}
}
return KNOT_ENOENT;
}
int event_parent_ds_q(conf_t *conf, zone_t *zone)
{
kdnssec_ctx_t ctx = { 0 };
......@@ -221,17 +222,7 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone)
return ret;
}
for (size_t i = 0; i < keyset.count; i++) {
zone_key_t *key = &keyset.keys[i];
if (dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_KSK &&
key->cds_priority > 1) {
if (parents_have_ds(zone->name, conf, key, conf->cache.srv_tcp_reply_timeout * 1000)) {
ret = knot_dnssec_ksk_sbm_confirm(&ctx);
} else {
ret = KNOT_ENOENT;
}
}
}
ret = knot_parent_ds_query(&ctx, &keyset, conf->cache.srv_tcp_reply_timeout * 1000);
zone->timers.next_parent_ds_q = 0;
if (ret != KNOT_EOK) {
......
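Review bot: The rewritten `parents_have_ds` returns true when `kctx->policy->parents` is empty, because `success` starts as `true` and the `dynarray_foreach` body never runs; the old code started from `false` and additionally returned false when no `ksk-submission` section existed, so a zone with no (or no successfully loaded) parents now confirms the KSK submission without any DS query having happened. The toggle `if ((success = !success)) return false;` is also hard to read — it encodes "the previous parent had no working address" as a side effect of assignment. I would track per-parent success explicitly and return false when the loop never ran, keeping the all-parents-must-succeed semantics the new code otherwise has; whether the empty case can be reached in practice depends on the scheduling of `event_parent_ds_q`, which is outside this hunk.
```c
static bool parents_have_ds(kdnssec_ctx_t *kctx, const knot_dname_t *zone_name, zone_key_t *key, size_t timeout)
{
	bool any_parent = false;
	dynarray_foreach(parent, knot_kasp_parent_t, i, kctx->policy->parents) {
		any_parent = true;
		bool this_parent_ok = false;
		for (size_t j = 0; j < i->addrs; j++) {
			if (try_ds(zone_name, &i->addr[j], key, timeout) == KNOT_EOK) {
				this_parent_ok = true;
				break;
			}
		}
		if (!this_parent_ok) {
			return false;
		}
	}
	// No configured parent must not be taken as "DS is present".
	return any_parent;
}
```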