Commit e07750ba authored by Libor Peltan's avatar Libor Peltan

dnssec: nsec3resalt forced before resign if planned on now

This avoids the situation where resign and nsec3resalt are planned for the
same time: resign goes first and the resalt that follows immediately resigns
again.
parent 0b36426e
......@@ -43,6 +43,12 @@ static int sign_init(const zone_contents_t *zone, zone_sign_flags_t flags,
return r;
}
// perform nsec3resalt if pending
if (reschedule->allow_nsec3resalt) {
r = knot_dnssec_nsec3resalt(ctx, &reschedule->allow_nsec3resalt, &reschedule->next_nsec3resalt);
}
// perform key rollover if needed
if (reschedule->allow_rollover) {
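Review bot: The result of knot_dnssec_nsec3resalt stored in `r` is never checked before the rollover block that follows, so a failed resalt is silently lost as soon as `r` is reassigned there; the early return visible just above (`return r;`) suggests the same treatment here: `if (r != KNOT_EOK) { return r; }`. Whether an early return is safe at this point depends on what sign_init has acquired before line 43, which is outside the hunk. The body of sign_init continues before and after this hunk.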
......
......@@ -34,9 +34,11 @@ typedef enum zone_sign_flags zone_sign_flags_t;
typedef struct {
knot_time_t next_sign;
knot_time_t next_rollover;
knot_time_t next_nsec3resalt;
bool keys_changed;
bool plan_ds_query;
bool allow_rollover; // this one is set by the caller
bool allow_nsec3resalt; // this one is set by the caller and modified by the salter
} zone_sign_reschedule_t;
/*!
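Review bot: The new `next_nsec3resalt` field is the only timer in zone_sign_reschedule_t without a comment, and the rest of the commit relies on zero meaning "no resalt planned" (`refresh->next_nsec3resalt ? refresh->next_nsec3resalt : ignore` in the event handler); that convention belongs on the field, e.g. `knot_time_t next_nsec3resalt; // 0 if no resalt is planned`. The `allow_nsec3resalt` comment should also say what the salter changes it to on return — presumably it is cleared when no resalt was actually performed, since event_dnssec_reschedule uses it to update `last_resalt` — confirm against knot_dnssec_nsec3resalt and state it explicitly.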
......
......@@ -49,9 +49,14 @@ void event_dnssec_reschedule(conf_t *conf, zone_t *zone,
zone->timers.next_parent_ds_q = now;
}
if (refresh->allow_nsec3resalt) {
zone->timers.last_resalt = time(NULL);
}
zone_events_schedule_at(zone,
ZONE_EVENT_DNSSEC, (time_t)refresh_at,
ZONE_EVENT_PARENT_DS_Q, refresh->plan_ds_query ? now : ignore,
ZONE_EVENT_NSEC3RESALT, refresh->next_nsec3resalt ? refresh->next_nsec3resalt : ignore,
ZONE_EVENT_NOTIFY, zone_changed ? now : ignore,
ZONE_EVENT_FLUSH, zone_changed && conf_int(&val) == 0 ? now : ignore
);
......@@ -75,6 +80,10 @@ int event_dnssec(conf_t *conf, zone_t *zone)
sign_flags = 0;
}
if (zone_events_get_time(zone, ZONE_EVENT_NSEC3RESALT) <= time(NULL)) {
resch.allow_nsec3resalt = true;
}
zone_update_t up;
int ret = zone_update_init(&up, zone, UPDATE_INCREMENTAL);
if (ret != KNOT_EOK) {
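Review bot: The forcing condition `zone_events_get_time(zone, ZONE_EVENT_NSEC3RESALT) <= time(NULL)` does not distinguish a resalt planned for now from no resalt planned at all; if zone_events_get_time reports an unscheduled event as 0 (its contract is not visible here), every resign would force a resalt and regenerate the NSEC3 chain on each signing run. Guarding on a scheduled event first, e.g. `time_t resalt_at = zone_events_get_time(zone, ZONE_EVENT_NSEC3RESALT); if (resalt_at > 0 && resalt_at <= time(NULL)) { resch.allow_nsec3resalt = true; }`, keeps the equal-time behaviour the commit message describes without that risk. In the hunk above, `zone->timers.last_resalt = time(NULL);` sits next to code that uses `now` for the same purpose; `zone->timers.last_resalt = now;` keeps the timestamps in that function consistent. The body of event_dnssec continues before and after this hunk.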
......