Commit b1345cc8 authored by Daniel Salzman's avatar Daniel Salzman

key-events: improve logging, code cleanup

parent ffa2e4a0
...@@ -218,14 +218,29 @@ typedef enum { ...@@ -218,14 +218,29 @@ typedef enum {
REPLACE, REPLACE,
RETIRE, RETIRE,
REMOVE, REMOVE,
} roll_action_type; } roll_action_type_t;
typedef struct { typedef struct {
roll_action_type type; roll_action_type_t type;
bool ksk; bool ksk;
knot_time_t time; knot_time_t time;
knot_kasp_key_t *key; knot_kasp_key_t *key;
} roll_action; } roll_action_t;
static const char *roll_action_name(roll_action_type_t type)
{
switch (type) {
case GENERATE: return "generate";
case PUBLISH: return "publish";
case SUBMIT: return "submit";
case REPLACE: return "replace";
case RETIRE: return "retire";
case REMOVE: return "remove";
case INVALID:
// FALLTHROUGH
default: return "invalid";
}
}
static knot_time_t zsk_rollover_time(knot_time_t active_time, const kdnssec_ctx_t *ctx) static knot_time_t zsk_rollover_time(knot_time_t active_time, const kdnssec_ctx_t *ctx)
{ {
...@@ -310,15 +325,15 @@ static knot_time_t alg_remove_time(knot_time_t post_active_time, const kdnssec_c ...@@ -310,15 +325,15 @@ static knot_time_t alg_remove_time(knot_time_t post_active_time, const kdnssec_c
return MAX(ksk_remove_time(post_active_time, ctx), zsk_remove_time(post_active_time, ctx)); return MAX(ksk_remove_time(post_active_time, ctx), zsk_remove_time(post_active_time, ctx));
} }
static roll_action next_action(kdnssec_ctx_t *ctx) static roll_action_t next_action(kdnssec_ctx_t *ctx)
{ {
roll_action res = { 0 }; roll_action_t res = { 0 };
res.time = 0; res.time = 0;
for (size_t i = 0; i < ctx->zone->num_keys; i++) { for (size_t i = 0; i < ctx->zone->num_keys; i++) {
knot_kasp_key_t *key = &ctx->zone->keys[i]; knot_kasp_key_t *key = &ctx->zone->keys[i];
knot_time_t keytime = 0; knot_time_t keytime = 0;
roll_action_type restype = INVALID; roll_action_type_t restype = INVALID;
if (key->is_pub_only) { if (key->is_pub_only) {
continue; continue;
} }
...@@ -338,7 +353,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx) ...@@ -338,7 +353,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx)
restype = REPLACE; restype = REPLACE;
break; break;
case DNSSEC_KEY_STATE_ACTIVE: case DNSSEC_KEY_STATE_ACTIVE:
if (!running_rollover(ctx) && dnssec_key_get_algorithm(key->key) == ctx->policy->algorithm) { if (!running_rollover(ctx) &&
dnssec_key_get_algorithm(key->key) == ctx->policy->algorithm) {
keytime = ksk_rollover_time(key->timing.created, ctx); keytime = ksk_rollover_time(key->timing.created, ctx);
restype = GENERATE; restype = GENERATE;
} }
...@@ -353,7 +369,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx) ...@@ -353,7 +369,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx)
break; break;
case DNSSEC_KEY_STATE_RETIRED: case DNSSEC_KEY_STATE_RETIRED:
case DNSSEC_KEY_STATE_REMOVED: case DNSSEC_KEY_STATE_REMOVED:
// ad REMOVED state: normally this wouldn't happen (key in removed state is instantly deleted) // ad REMOVED state: normally this wouldn't happen
// (key in removed state is instantly deleted)
// but if imported keys, they can be in this state // but if imported keys, they can be in this state
keytime = knot_time_min(key->timing.retire, key->timing.remove); keytime = knot_time_min(key->timing.retire, key->timing.remove);
keytime = ksk_remove_time(keytime, ctx); keytime = ksk_remove_time(keytime, ctx);
...@@ -373,7 +390,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx) ...@@ -373,7 +390,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx)
restype = REPLACE; restype = REPLACE;
break; break;
case DNSSEC_KEY_STATE_ACTIVE: case DNSSEC_KEY_STATE_ACTIVE:
if (!running_rollover(ctx) && dnssec_key_get_algorithm(key->key) == ctx->policy->algorithm) { if (!running_rollover(ctx) &&
dnssec_key_get_algorithm(key->key) == ctx->policy->algorithm) {
keytime = zsk_rollover_time(key->timing.active, ctx); keytime = zsk_rollover_time(key->timing.active, ctx);
restype = GENERATE; restype = GENERATE;
} }
...@@ -387,7 +405,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx) ...@@ -387,7 +405,8 @@ static roll_action next_action(kdnssec_ctx_t *ctx)
break; break;
case DNSSEC_KEY_STATE_RETIRED: case DNSSEC_KEY_STATE_RETIRED:
case DNSSEC_KEY_STATE_REMOVED: case DNSSEC_KEY_STATE_REMOVED:
// ad REMOVED state: normally this wouldn't happen (key in removed state is instantly deleted) // ad REMOVED state: normally this wouldn't happen
// (key in removed state is instantly deleted)
// but if imported keys, they can be in this state // but if imported keys, they can be in this state
keytime = knot_time_min(key->timing.retire, key->timing.remove); keytime = knot_time_min(key->timing.retire, key->timing.remove);
keytime = ksk_remove_time(keytime, ctx);; keytime = ksk_remove_time(keytime, ctx);;
...@@ -521,7 +540,8 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched ...@@ -521,7 +540,8 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched
reschedule->keys_changed = true; reschedule->keys_changed = true;
} }
} }
if (!ctx->policy->singe_type_signing && ret == KNOT_EOK && !key_present(ctx, DNSKEY_FLAGS_ZSK)) { if (!ctx->policy->singe_type_signing && ret == KNOT_EOK &&
!key_present(ctx, DNSKEY_FLAGS_ZSK)) {
ret = generate_key(ctx, false, ctx->now, false); ret = generate_key(ctx, false, ctx->now, false);
if (ret == KNOT_EOK) { if (ret == KNOT_EOK) {
reschedule->keys_changed = true; reschedule->keys_changed = true;
...@@ -547,7 +567,7 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched ...@@ -547,7 +567,7 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched
return ret; return ret;
} }
roll_action next = next_action(ctx); roll_action_t next = next_action(ctx);
reschedule->next_rollover = next.time; reschedule->next_rollover = next.time;
...@@ -560,7 +580,8 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched ...@@ -560,7 +580,8 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched
ret = generate_key(ctx, next.ksk, 0, false); ret = generate_key(ctx, next.ksk, 0, false);
} }
if (ret == KNOT_EOK) { if (ret == KNOT_EOK) {
log_zone_info(ctx->zone->dname, "DNSSEC, %cSK rollover started", (next.ksk ? 'K' : 'Z')); log_zone_info(ctx->zone->dname, "DNSSEC, %cSK rollover started",
(next.ksk ? 'K' : 'Z'));
} }
break; break;
case PUBLISH: case PUBLISH:
...@@ -588,8 +609,10 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched ...@@ -588,8 +609,10 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_reschedule_t *resched
next = next_action(ctx); next = next_action(ctx);
reschedule->next_rollover = next.time; reschedule->next_rollover = next.time;
} else { } else {
log_zone_warning(ctx->zone->dname, "DNSSEC, key rollover [%d] failed (%s)", (int)next.type, knot_strerror(ret)); log_zone_warning(ctx->zone->dname, "DNSSEC, key rollover, action %s (%s)",
reschedule->next_rollover = knot_time_add(knot_time(), 10); // fail => try in 10seconds #TODO better? roll_action_name(next.type), knot_strerror(ret));
// fail => try in 10 seconds #TODO better?
reschedule->next_rollover = knot_time_add(knot_time(), 10);
} }
} }
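Review bot: The reworded warning in the last hunk drops the word "failed", so the emitted line reads "DNSSEC, key rollover, action <name> (<error>)" and no longer states on its own that the action did not complete; the old text said so explicitly, and this is the line an operator is likely to grep or alert on. Suggest `log_zone_warning(ctx->zone->dname, "DNSSEC, key rollover, action %s failed (%s)",` with the following argument line unchanged. Switching from `(int)next.type` to `roll_action_name(next.type)` is a clear improvement, since the new helper maps every enum value including INVALID to a fixed string. The enclosing knot_dnssec_key_rollover body starts and ends outside this hunk.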