Commit 919dc53b authored by Daniel Salzman

key-events: add notice log for ksk submitted

parent d335ab78
...@@ -526,15 +526,15 @@ A submission identifier. ...@@ -526,15 +526,15 @@ A submission identifier.
.SS parent .SS parent
.sp .sp
A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
presence of corresponding DS records in case of KSK submission. All of them must presence of corresponding DS records in the case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover have a corresponding DS for the rollover to continue. If none is specified, the
must be pushed forward manually. rollover must be pushed forward manually.
.sp .sp
\fIDefault:\fP not set \fIDefault:\fP not set
.SS check\-interval .SS check\-interval
.sp .sp
Interval for periodic checks of DS resence on parent\(aqs DNS servers, in case of Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the
KSK submission. case of the KSK submission.
.sp .sp
\fIDefault:\fP 1 hour \fIDefault:\fP 1 hour
.SS timeout .SS timeout
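Review bot: In the check-interval text, "in the case of the KSK submission" now carries a second article and reads as if one particular submission were meant, while the parent paragraph in the same hunk says "in the case of KSK submission". Suggest using the same phrase in both places, here and in the matching reStructuredText hunk.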
...@@ -542,7 +542,7 @@ KSK submission. ...@@ -542,7 +542,7 @@ KSK submission.
After this period, the KSK submission is automatically considered successful, even After this period, the KSK submission is automatically considered successful, even
if all the checks were negative or no parents are configured. Set 0 for infinity. if all the checks were negative or no parents are configured. Set 0 for infinity.
.sp .sp
\fIDefault:\fP infinity \fIDefault:\fP 0
.SH POLICY SECTION .SH POLICY SECTION
.sp .sp
DNSSEC policy configuration. DNSSEC policy configuration.
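Review bot: "Default: 0" for the timeout option drops the meaning the old text stated directly; a reader now has to connect it with "Set 0 for infinity" in the sentence before to learn that, by default, a submission is never accepted on its own. Because this value decides whether a rollover may continue when every parent check was negative, suggest "Default: 0 (infinity)", in the reStructuredText hunk as well.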
......
...@@ -375,6 +375,7 @@ At this point new KSK has to be submitted to the parent zone. Knot detects the u ...@@ -375,6 +375,7 @@ At this point new KSK has to be submitted to the parent zone. Knot detects the u
record automatically if :ref:`parent DS check<Submission section>` is configured, otherwise the record automatically if :ref:`parent DS check<Submission section>` is configured, otherwise the
operator must confirm it manually with ``knotc zone-ksk-submitted``:: operator must confirm it manually with ``knotc zone-ksk-submitted``::
2017-10-24T15:41:23 notice: [example.com.] DNSSEC, KSK submission, confirmed
2017-10-24T15:41:23 info: [example.com.] DNSSEC, signing zone 2017-10-24T15:41:23 info: [example.com.] DNSSEC, signing zone
2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 6674, algorithm RSASHA256, KSK, public, active
2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active 2017-10-24T15:41:23 info: [example.com.] DNSSEC, key, tag 4700, algorithm RSASHA256, KSK, public, active
...@@ -439,7 +440,7 @@ server is reloaded, the rollover continues along the lines of :rfc:`6781#section ...@@ -439,7 +440,7 @@ server is reloaded, the rollover continues along the lines of :rfc:`6781#section
Again, KSK submission follows as in :ref:`KSK rollover example<DNSSEC ksk rollover example>`.:: Again, KSK submission follows as in :ref:`KSK rollover example<DNSSEC ksk rollover example>`.::
2017-10-24T14:54:20 info: [example.com.] control, received command 'zone-ksk-submitted' 2017-10-24T14:54:20 notice: [example.com.] DNSSEC, KSK submission, confirmed
2017-10-24T14:54:20 info: [example.com.] DNSSEC, signing zone 2017-10-24T14:54:20 info: [example.com.] DNSSEC, signing zone
2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 34608, algorithm ECDSAP256SHA256, KSK, public, active
2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active 2017-10-24T14:54:20 info: [example.com.] DNSSEC, key, tag 13674, algorithm ECDSAP256SHA256, public, active
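Review bot: In this sample the line "control, received command 'zone-ksk-submitted'" is replaced by the new notice, whereas the KSK rollover example earlier in the same file only gains the notice line. If the server still logs the received control command, keep that line and put the notice after it, so the sample shows that the confirmation came from the operator's command and not from the parent DS check, and so the two examples stay consistent.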
......
...@@ -586,9 +586,9 @@ parent ...@@ -586,9 +586,9 @@ parent
------ ------
A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for
presence of corresponding DS records in case of KSK submission. All of them must presence of corresponding DS records in the case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover have a corresponding DS for the rollover to continue. If none is specified, the
must be pushed forward manually. rollover must be pushed forward manually.
*Default:* not set *Default:* not set
...@@ -597,8 +597,8 @@ must be pushed forward manually. ...@@ -597,8 +597,8 @@ must be pushed forward manually.
check-interval check-interval
-------------- --------------
Interval for periodic checks of DS resence on parent's DNS servers, in case of Interval for periodic checks of DS presence on parent's DNS servers, in the
KSK submission. case of the KSK submission.
*Default:* 1 hour *Default:* 1 hour
...@@ -610,7 +610,7 @@ timeout ...@@ -610,7 +610,7 @@ timeout
After this period, the KSK submission is automatically considered successful, even After this period, the KSK submission is automatically considered successful, even
if all the checks were negative or no parents are configured. Set 0 for infinity. if all the checks were negative or no parents are configured. Set 0 for infinity.
*Default:* infinity *Default:* 0
.. _Policy section: .. _Policy section:
......
...@@ -450,6 +450,10 @@ static int exec_new_signatures(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey) ...@@ -450,6 +450,10 @@ static int exec_new_signatures(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey)
{ {
uint16_t kskflag = dnssec_key_get_flags(newkey->key); uint16_t kskflag = dnssec_key_get_flags(newkey->key);
if (kskflag == DNSKEY_FLAGS_KSK) {
log_zone_notice(ctx->zone->dname, "DNSSEC, KSK submission, confirmed");
}
for (size_t i = 0; i < ctx->zone->num_keys; i++) { for (size_t i = 0; i < ctx->zone->num_keys; i++) {
knot_kasp_key_t *key = &ctx->zone->keys[i]; knot_kasp_key_t *key = &ctx->zone->keys[i];
uint16_t keyflags = dnssec_key_get_flags(key->key); uint16_t keyflags = dnssec_key_get_flags(key->key);
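Review bot: The notice added at the top of exec_new_signatures() says only "DNSSEC, KSK submission, confirmed", with no key tag and no indication of what confirmed it. The documentation touched by this commit describes three ways a submission is accepted (the parent DS check, a manual knotc zone-ksk-submitted, and the timeout after which it is "automatically considered successful, even if all the checks were negative"), and the sample logs show two KSKs active at once, so an operator reading this line cannot tell which key moved on or whether a DS was ever seen at the parent. Suggest logging the tag of newkey and, if the caller can supply it, the reason. A short comment on why the test is kskflag == DNSKEY_FLAGS_KSK rather than a bit test would also help, since any additional flag bit set on the key would suppress the notice.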
......