Commit ffa2e4a0 authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'key_log_evo' into 'master'

Key logging evolution

See merge request !852
parents 00e6b17e 663dd17d
...@@ -162,7 +162,7 @@ int knot_dnssec_zone_sign(zone_update_t *update, ...@@ -162,7 +162,7 @@ int knot_dnssec_zone_sign(zone_update_t *update,
} }
result = load_zone_keys(ctx.zone, ctx.keystore, result = load_zone_keys(ctx.zone, ctx.keystore,
ctx.policy->nsec3_enabled, ctx.now, &keyset); ctx.policy->nsec3_enabled, ctx.now, &keyset, true);
if (result != KNOT_EOK) { if (result != KNOT_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to load keys (%s)", log_zone_error(zone_name, "DNSSEC, failed to load keys (%s)",
knot_strerror(result)); knot_strerror(result));
...@@ -248,7 +248,7 @@ int knot_dnssec_sign_update(zone_update_t *update, zone_sign_reschedule_t *resch ...@@ -248,7 +248,7 @@ int knot_dnssec_sign_update(zone_update_t *update, zone_sign_reschedule_t *resch
} }
result = load_zone_keys(ctx.zone, ctx.keystore, result = load_zone_keys(ctx.zone, ctx.keystore,
ctx.policy->nsec3_enabled, ctx.now, &keyset); ctx.policy->nsec3_enabled, ctx.now, &keyset, false);
if (result != KNOT_EOK) { if (result != KNOT_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to load keys (%s)", log_zone_error(zone_name, "DNSSEC, failed to load keys (%s)",
knot_strerror(result)); knot_strerror(result));
......
...@@ -22,6 +22,8 @@ ...@@ -22,6 +22,8 @@
#include "knot/dnssec/zone-keys.h" #include "knot/dnssec/zone-keys.h"
#include "libknot/libknot.h" #include "libknot/libknot.h"
#define MAX_KEY_INFO 128
dynarray_define(keyptr, zone_key_t *, DYNARRAY_VISIBILITY_PUBLIC) dynarray_define(keyptr, zone_key_t *, DYNARRAY_VISIBILITY_PUBLIC)
const uint16_t DNSKEY_FLAGS_KSK = 257; const uint16_t DNSKEY_FLAGS_KSK = 257;
...@@ -381,27 +383,43 @@ static int load_private_keys(dnssec_keystore_t *keystore, zone_keyset_t *keyset) ...@@ -381,27 +383,43 @@ static int load_private_keys(dnssec_keystore_t *keystore, zone_keyset_t *keyset)
/*! /*!
* \brief Log information about zone keys. * \brief Log information about zone keys.
*/ */
static void log_key_info(const zone_key_t *key, const knot_dname_t *zone_name) static void log_key_info(const zone_key_t *key, char *out, size_t out_len)
{ {
assert(key); assert(key);
assert(zone_name); assert(out);
log_zone_info(zone_name, "DNSSEC, loaded key, tag %5d, algorithm %d, " uint8_t alg_code = dnssec_key_get_algorithm(key->key);
"KSK %s, ZSK %s, public %s, ready %s, active %s", const knot_lookup_t *alg = knot_lookup_by_id(knot_dnssec_alg_names, alg_code);
dnssec_key_get_keytag(key->key),
dnssec_key_get_algorithm(key->key), char alg_code_str[8] = "";
key->is_ksk ? "yes" : "no", if (alg == NULL) {
key->is_zsk ? "yes" : "no", (void)snprintf(alg_code_str, sizeof(alg_code_str), "%d", alg_code);
key->is_public ? "yes" : "no", }
key->cds_priority > 1 ? "yes" : "no",
key->is_active ? "yes" : "no"); (void)snprintf(out, out_len, "DNSSEC, key, tag %5d, algorithm %s%s%s%s%s",
dnssec_key_get_keytag(key->key),
(alg != NULL ? alg->name : alg_code_str),
(key->is_ksk ? ", KSK" : ""),
(key->is_public ? ", public" : ""),
(key->cds_priority > 1 ? ", ready" : ""),
(key->is_active ? ", active" : ""));
}
int log_key_sort(const void *a, const void *b)
{
const char *alg_a = strstr(a, "alg");
const char *alg_b = strstr(b, "alg");
assert(alg_a != NULL && alg_b != NULL);
return strcmp(alg_a, alg_b);
} }
/*! /*!
* \brief Load zone keys and init cryptographic context. * \brief Load zone keys and init cryptographic context.
*/ */
int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store, int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store,
bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr) bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr,
bool verbose)
{ {
if (!zone || !store || !keyset_ptr) { if (!zone || !store || !keyset_ptr) {
return KNOT_EINVAL; return KNOT_EINVAL;
...@@ -421,10 +439,21 @@ int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store, ...@@ -421,10 +439,21 @@ int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store,
return KNOT_ENOMEM; return KNOT_ENOMEM;
} }
char key_info[zone->num_keys][MAX_KEY_INFO];
for (size_t i = 0; i < zone->num_keys; i++) { for (size_t i = 0; i < zone->num_keys; i++) {
knot_kasp_key_t *kasp_key = &zone->keys[i]; knot_kasp_key_t *kasp_key = &zone->keys[i];
set_key(kasp_key, now, &keyset.keys[i]); set_key(kasp_key, now, &keyset.keys[i]);
log_key_info(&keyset.keys[i], zone->dname); if (verbose) {
log_key_info(&keyset.keys[i], key_info[i], MAX_KEY_INFO);
}
}
// Sort the keys by algorithm name.
if (verbose) {
qsort(key_info, zone->num_keys, MAX_KEY_INFO, log_key_sort);
for (size_t i = 0; i < zone->num_keys; i++) {
log_zone_info(zone->dname, "%s", key_info[i]);
}
} }
int r = prepare_and_check_keys(zone->dname, nsec3_enabled, &keyset); int r = prepare_and_check_keys(zone->dname, nsec3_enabled, &keyset);
......
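Review bot: The per-key buffer `char key_info[zone->num_keys][MAX_KEY_INFO];` is a variable-length array whose size is taken from the zone's key count, and it is declared even when `verbose` is false. A VLA with a zero length is undefined behaviour in C11 (6.7.6.2), so if `num_keys` can be zero on this path (I cannot see the earlier checks) the declaration alone is a problem, and for zones with many keys it puts 128 bytes per key on the stack of a signing path. I would allocate the table on the heap only when `verbose` is set, treat allocation failure like the existing `KNOT_ENOMEM` path, and free it after the sorted log loop; `log_key_sort` is also only used by `qsort` here, so it should be `static int log_key_sort(...)` rather than an external symbol. `load_zone_keys` continues past the end of this hunk.
```c
	char (*key_info)[MAX_KEY_INFO] = NULL;
	if (verbose && zone->num_keys > 0) {
		key_info = calloc(zone->num_keys, MAX_KEY_INFO);
		if (key_info == NULL) {
			/* … release keyset.keys the same way the earlier KNOT_ENOMEM path does … */
			return KNOT_ENOMEM;
		}
	}
	for (size_t i = 0; i < zone->num_keys; i++) {
		knot_kasp_key_t *kasp_key = &zone->keys[i];
		set_key(kasp_key, now, &keyset.keys[i]);
		if (key_info != NULL) {
			log_key_info(&keyset.keys[i], key_info[i], MAX_KEY_INFO);
		}
	}
	// Sort the keys by algorithm name.
	if (key_info != NULL) {
		qsort(key_info, zone->num_keys, MAX_KEY_INFO, log_key_sort);
		for (size_t i = 0; i < zone->num_keys; i++) {
			log_zone_info(zone->dname, "%s", key_info[i]);
		}
		free(key_info);
	}
```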
...@@ -104,7 +104,8 @@ int kdnssec_delete_key(kdnssec_ctx_t *ctx, knot_kasp_key_t *key_ptr); ...@@ -104,7 +104,8 @@ int kdnssec_delete_key(kdnssec_ctx_t *ctx, knot_kasp_key_t *key_ptr);
* \return Error code, KNOT_EOK if successful. * \return Error code, KNOT_EOK if successful.
*/ */
int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store, int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store,
bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr); bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr,
bool verbose);
/*! /*!
* \brief Get zone keys by a keytag. * \brief Get zone keys by a keytag.
......
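Review bot: The new `verbose` parameter of `load_zone_keys` is not described in the doxygen block above the prototype; the visible part of that block documents only the return value, so a caller has to read zone-keys.c to learn what the flag does. Add `\param verbose  If true, log one info line per loaded key (sorted by algorithm name).` next to the other parameter descriptions. The start of the comment block lies outside this hunk.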
...@@ -200,7 +200,7 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone) ...@@ -200,7 +200,7 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone)
} }
zone_keyset_t keyset = { 0 }; zone_keyset_t keyset = { 0 };
ret = load_zone_keys(ctx.zone, ctx.keystore, false, ctx.now, &keyset); ret = load_zone_keys(ctx.zone, ctx.keystore, false, ctx.now, &keyset, false);
if (ret != KNOT_EOK) { if (ret != KNOT_EOK) {
kdnssec_ctx_deinit(&ctx); kdnssec_ctx_deinit(&ctx);
return ret; return ret;
......