Commit b1aa5102 authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'log_ksk_subm' into 'master'

dnssec: move the 'KSK submission' log message into the key rollover so it is not repeated on every parent DS query; small fixes

See merge request !965
parents c874e4e0 fdcf75db
......@@ -577,6 +577,7 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
return KNOT_EOK;
}
int ret = KNOT_EOK;
uint16_t plan_ds_keytag = 0;
bool allowed_general_roll = ((flags & KEY_ROLL_ALLOW_KSK_ROLL) && (flags & KEY_ROLL_ALLOW_ZSK_ROLL));
// generate initial keys if missing
if (!key_present(ctx, true, false) && !key_present(ctx, true, true)) {
......@@ -586,7 +587,10 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
} else {
ret = generate_key(ctx, GEN_KSK_FLAGS, ctx->now, false);
}
reschedule->plan_ds_query = true;
if (ret == KNOT_EOK) {
reschedule->plan_ds_query = true;
plan_ds_keytag = dnssec_key_get_keytag(ctx->zone->keys[0].key);
}
}
if (ret == KNOT_EOK && (flags & KEY_ROLL_ALLOW_ZSK_ROLL)) {
reschedule->keys_changed = true;
......@@ -674,7 +678,10 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
break;
case SUBMIT:
ret = submit_key(ctx, next.key);
reschedule->plan_ds_query = true;
if (ret == KNOT_EOK) {
reschedule->plan_ds_query = true;
plan_ds_keytag = dnssec_key_get_keytag(next.key->key);
}
break;
case REPLACE:
ret = exec_new_signatures(ctx, next.key, 0);
......@@ -702,12 +709,20 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
}
if (ret == KNOT_EOK && knot_time_cmp(reschedule->next_rollover, ctx->now) <= 0) {
return knot_dnssec_key_rollover(ctx, flags, reschedule);
ret = knot_dnssec_key_rollover(ctx, flags, reschedule);
}
if (reschedule->keys_changed) {
if (ret == KNOT_EOK && reschedule->keys_changed) {
ret = kdnssec_ctx_commit(ctx);
}
if (ret == KNOT_EOK && reschedule->plan_ds_query) {
char param[32];
(void)snprintf(param, sizeof(param), "KEY_SUBMISSION=%hu", plan_ds_keytag);
log_fmt_zone(LOG_NOTICE, LOG_SOURCE_ZONE, ctx->zone->dname, param,
"DNSSEC, KSK submission, waiting for confirmation");
}
return ret;
}
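Review bot: Turning the recursive `return knot_dnssec_key_rollover(...)` into `ret = knot_dnssec_key_rollover(...)` (L44-L45) makes the inner call run the new commit-and-log tail and then lets the outer call run it again: `reschedule` is shared, so after the inner call sets `reschedule->plan_ds_query` the outer call commits a second time and logs "DNSSEC, KSK submission" a second time, with its own `plan_ds_keytag` still 0, emitting `KEY_SUBMISSION=0` — unless the function resets `reschedule` on entry, which is outside the hunk. The simplest fix is to keep the early return, `return knot_dnssec_key_rollover(ctx, flags, reschedule);`, since the inner invocation already performs the commit and the log for the submission it scheduled. Separately, `plan_ds_keytag = dnssec_key_get_keytag(ctx->zone->keys[0].key);` after initial key generation presumes the freshly generated KSK lands at index 0; if the keyset is ordered some other way this would log the wrong tag, so a comment such as `// newly generated KSK is expected to be keys[0]` or a lookup by the key just generated would make that assumption explicit. The enclosing function starts before the first hunk.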
......
......@@ -14,7 +14,6 @@
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include "knot/common/log.h"
#include "knot/dnssec/ds_query.h"
#include "knot/zone/zone.h"
......@@ -34,18 +33,6 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone)
return ret;
}
for (size_t i = 0; i < keyset.count; i++) {
zone_key_t *key = &keyset.keys[i];
if (key->is_ksk && key->cds_priority > 1) {
char param[32];
(void)snprintf(param, sizeof(param), "KEY_SUBMISSION=%hu",
dnssec_key_get_keytag(key->key));
log_fmt_zone(LOG_NOTICE, LOG_SOURCE_ZONE, zone->name, param,
"DNSSEC, KSK submission, waiting for confirmation");
}
}
ret = knot_parent_ds_query(&ctx, &keyset, conf->cache.srv_tcp_reply_timeout * 1000);
zone->timers.next_parent_ds_q = 0;
......