OpenDNSSEC-enforcer 2.1.10
enforcer.c
Go to the documentation of this file.
1/*
2 * Copyright (c) 2011 NLNet Labs. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 */
26
27/*
28 * @section DESCRIPTION
29 *
30 * This module controls the order and time for keys to be introduced,
31 * generated and discarded. It can be called for one zone at a time. It
32 * will then manipulate its keys and bring them closer to their goal,
33 * within bounds of the zone's policy. New keys may be fetched from the
34 * HSM and old keys discarded. When done, the update function returns
35 * a time at which it need to be called again for this zone. Unless
36 * there is an unscheduled change for this zone (some user input) it
37 * should not be called sooner. Calling sooner is not harmful in any
38 * way but also not effective. Calling later does not do any harm as
39 * well, however rollovers may be delayed.
40 */
41
42#include "config.h"
43
44#include <time.h>
45
46#include "libhsm.h"
48
49#include <libhsmdns.h>
50#include <ldns/ldns.h>
51
52#include "duration.h"
53#include "log.h"
54#include "daemon/engine.h"
55
56#include "db/zone_db.h"
57#include "db/policy.h"
58#include "db/policy_key.h"
59#include "db/hsm_key.h"
60#include "db/key_data.h"
61#include "db/key_dependency.h"
62#include "db/db_error.h"
63
64#include "enforcer/enforcer.h"
65
66#define HIDDEN KEY_STATE_STATE_HIDDEN
67#define RUMOURED KEY_STATE_STATE_RUMOURED
68#define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT
69#define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE
70#define NA KEY_STATE_STATE_NA
71
72static const char *module_str = "enforcer";
73
75#define NOKEY_TIMEOUT 60
76
77struct future_key {
82};
83
84static int max(int a, int b) { return a>b?a:b; }
85static int min(int a, int b) { return a<b?a:b; }
86
96static inline void
97minTime(const time_t t, time_t* min)
98{
99 assert(min); /* TODO: proper error */
100 if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
101}
102
112static time_t
113addtime(const time_t t, const int seconds)
114{
115 struct tm *tp = localtime(&t);
116 if (!tp) return -1; /* bad, but mktime also returns -1 on error */
117 tp->tm_sec += seconds;
118 return mktime(tp);
119}
120
127static inline const key_state_t*
128getRecord(key_data_t* key, key_state_type_t type)
129{
130 if (!key) {
131 return NULL;
132 }
133
134 switch (type) {
136 return key_data_cached_ds(key);
137
139 return key_data_cached_dnskey(key);
140
142 return key_data_cached_rrsig(key);
143
145 return key_data_cached_rrsigdnskey(key);
146
147 default:
148 break;
149 }
150
151 return NULL;
152}
153
159static inline key_state_state_t
160getState(key_data_t* key, key_state_type_t type, struct future_key *future_key)
161{
162 int cmp;
163
164 if (!key) {
166 }
167
168 if (future_key
170 && future_key->type == type
171 && future_key->key)
172 {
175 }
176 if (!cmp) {
177 return future_key->next_state;
178 }
179 }
180
181 return key_state_state(getRecord(key, type));
182}
183
196getDesiredState(int introducing, key_state_state_t state)
197{
198 /*
199 * Given goal and state, what will be the next state?
200 */
201 if (!introducing) {
202 /*
203 * We are outroducing this key so we would like to move rumoured and
204 * omnipresent keys to unretentive and unretentive keys to hidden.
205 */
206 switch (state) {
207 case HIDDEN:
208 break;
209
210 case RUMOURED:
211 state = UNRETENTIVE;
212 break;
213
214 case OMNIPRESENT:
215 state = UNRETENTIVE;
216 break;
217
218 case UNRETENTIVE:
219 state = HIDDEN;
220 break;
221
222 case NA:
223 break;
224
225 default:
227 break;
228 }
229 }
230 else {
231 /*
232 * We are introducing this key so we would like to move hidden and
233 * unretentive keys to rumoured and rumoured keys to omnipresent.
234 */
235 switch (state) {
236 case HIDDEN:
237 state = RUMOURED;
238 break;
239
240 case RUMOURED:
241 state = OMNIPRESENT;
242 break;
243
244 case OMNIPRESENT:
245 break;
246
247 case UNRETENTIVE:
248 state = RUMOURED;
249 break;
250
251 case NA:
252 break;
253
254 default:
256 break;
257 }
258 }
259
260 return state;
261}
262
269static int
270match(key_data_t* key, struct future_key *future_key, int same_algorithm,
271 const key_state_state_t mask[4])
272{
273 if (!key) {
274 return -1;
275 }
276 if (!future_key) {
277 return -1;
278 }
279 if (!future_key->key) {
280 return -1;
281 }
282
283 if (same_algorithm
285 {
286 return 0;
287 }
288
289 /*
290 * Check the states against the mask, for each mask that is not NA we
291 * need a match on that key state.
292 */
293 if ((mask[0] != NA
294 && getState(key, KEY_STATE_TYPE_DS, future_key) != mask[0])
295 || (mask[1] != NA
296 && getState(key, KEY_STATE_TYPE_DNSKEY, future_key) != mask[1])
297 || (mask[2] != NA
298 && getState(key, KEY_STATE_TYPE_RRSIGDNSKEY, future_key) != mask[2])
299 || (mask[3] != NA
300 && getState(key, KEY_STATE_TYPE_RRSIG, future_key) != mask[3]))
301 {
302 return 0;
303 }
304 return 1;
305}
306
313static int
314exists(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
315 int same_algorithm, const key_state_state_t mask[4])
316{
317 size_t i;
318 if (!keylist || !future_key || !future_key->key)
319 return -1;
320 /* Check the states against the mask. If we have a match we return a
321 * positive value. */
322 for (i = 0; i < keylist_size; i++) {
323 if (match(keylist[i], future_key, same_algorithm, mask) > 0)
324 return 1;
325 }
326 return 0; /* We've got no match. */
327}
328
335static int
336isPotentialSuccessor(key_data_t* successor_key, key_data_t* predecessor_key,
338{
339 if (!successor_key || !predecessor_key || !future_key)
340 return -1;
341
342 /* You can't be a successor of yourself */
343 if (!key_data_cmp(successor_key, predecessor_key)) return 0;
344
345 /*
346 * TODO
347 */
348 if (getState(successor_key, type, future_key) != RUMOURED
349 || key_data_algorithm(successor_key) != key_data_algorithm(predecessor_key))
350 {
351 return 0;
352 }
353
354 /*
355 * TODO
356 */
357 switch (type) {
358 case KEY_STATE_TYPE_DS: /* Intentional fall-through */
360 /*
361 * TODO
362 */
363 if (getState(successor_key, KEY_STATE_TYPE_DNSKEY, future_key) == OMNIPRESENT) {
364 return 1;
365 }
366 break;
367
369 /*
370 * Either both DS's should be omnipresent or both signatures, for the
371 * keys to be in a potential relationship for the DNSKEY.
372 */
373 if ((getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT
374 && getState(successor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT)
375 || (getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT
376 && getState(successor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT))
377 {
378 return 1;
379 }
380 break;
381
383 /*
384 * TODO
385 */
386 break;
387
388 default:
389 return -1;
390 }
391
392 return 0;
393}
394
401static int
402successor_rec(key_data_t** keylist, size_t keylist_size,
403 key_data_t* successor_key, key_data_t* predecessor_key,
404 struct future_key *future_key,
405 key_state_type_t type, key_dependency_list_t* deplist_ext)
406{
407 size_t i;
408 int cmp;
409 const key_dependency_t* dep;
410 key_data_t *from_key;
411 key_dependency_list_t* deplist;
412
413 if (!keylist) {
414 return -1;
415 }
416 if (!successor_key) {
417 return -1;
418 }
419 if (!predecessor_key) {
420 return -1;
421 }
422 if (!future_key) {
423 return -1;
424 }
425 if (!future_key->key) {
426 return -1;
427 }
428 if (!deplist_ext) {
429 return -1;
430 }
431
432 /*
433 * Make a copy of the deplist in order to preserve where we are in the list
434 * if we are calling ourselves later on.
435 *
436 * TODO: This can be optimized with the implementation of *_list_ref_t or
437 * allocating an array as with keylist.
438 */
439 if (!(deplist = key_dependency_list_new_copy(deplist_ext))) {
440 return -1;
441 }
442
443 /*
444 * Check the trivial case where the predecessor key is already a predecessor
445 * for the successor key.
446 */
447 for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
448 switch (key_dependency_type(dep)) {
450 if (type != KEY_STATE_TYPE_DS) {
451 continue;
452 }
453 break;
454
456 if (type != KEY_STATE_TYPE_RRSIG) {
457 continue;
458 }
459 break;
460
462 if (type != KEY_STATE_TYPE_DNSKEY) {
463 continue;
464 }
465 break;
466
468 if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
469 continue;
470 }
471 break;
472
473 default:
474 continue;
475 }
476
477 if (db_value_cmp(key_data_id(predecessor_key), key_dependency_from_key_data_id(dep), &cmp)) {
479 return -1;
480 }
481 if (cmp) {
482 continue;
483 }
484
485 if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
487 return -1;
488 }
489 if (cmp) {
490 continue;
491 }
492
494 return 1;
495 }
496
497 /*
498 * Check the trivial case where there is a direct relationship in the future
499 */
501 if (db_value_cmp(key_data_id(future_key->key), key_data_id(predecessor_key), &cmp)) {
503 return -1;
504 }
505 if (!cmp && isPotentialSuccessor(successor_key, predecessor_key, future_key, type) > 0) {
507 return 1;
508 }
509 }
510
511 /*
512 * Check for indirect relationship where X depends on S and X is in the same
513 * state as P and X is a successor of P.
514 */
515 for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
516 switch (key_dependency_type(dep)) {
518 if (type != KEY_STATE_TYPE_DS) {
519 continue;
520 }
521 break;
522
524 if (type != KEY_STATE_TYPE_RRSIG) {
525 continue;
526 }
527 break;
528
530 if (type != KEY_STATE_TYPE_DNSKEY) {
531 continue;
532 }
533 break;
534
536 if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
537 continue;
538 }
539 break;
540
541 default:
542 continue;
543 }
544
545 if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
547 return -1;
548 }
549 if (cmp) {
550 continue;
551 }
552
553 /*
554 * TODO: This may be optimized by searching for the key in the keylist
555 * first, only retrieving it from the database if needed or giving an
556 * error if it does not exist in the keylist.
557 */
558 if (!(from_key = key_dependency_get_from_key_data(dep))) {
560 return -1;
561 }
562
563 /*
564 * The RRSIGDNSKEY is not compared because TODO .
565 */
566 if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(from_key, KEY_STATE_TYPE_DS, future_key)
567 || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(from_key, KEY_STATE_TYPE_DNSKEY, future_key)
568 || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(from_key, KEY_STATE_TYPE_RRSIG, future_key))
569 {
570 key_data_free(from_key);
571 continue;
572 }
573 if (successor_rec(keylist, keylist_size, from_key, predecessor_key, future_key, type, deplist_ext) > 0) {
574 key_data_free(from_key);
576 return 1;
577 }
578 key_data_free(from_key);
579 }
581
582 /*
583 * TODO
584 */
586 for (i = 0; i < keylist_size; i++) {
587 if (db_value_cmp(key_data_id(predecessor_key), key_data_id(keylist[i]), &cmp)) {
588 return -1;
589 }
590 if (!cmp) {
591 continue;
592 }
593
594 if (isPotentialSuccessor(successor_key, keylist[i], future_key, type) > 0) {
595 /*
596 * The RRSIGDNSKEY is not compared because TODO .
597 */
598 if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(keylist[i], KEY_STATE_TYPE_DS, future_key)
599 || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(keylist[i], KEY_STATE_TYPE_DNSKEY, future_key)
600 || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(keylist[i], KEY_STATE_TYPE_RRSIG, future_key))
601 {
602 continue;
603 }
604 if (successor_rec(keylist+1, keylist_size-1, successor_key, keylist[i], future_key, type, deplist_ext) > 0) {
605 return 1;
606 }
607 }
608 }
609 }
610
611 return 0;
612}
613
620static int
621successor(key_data_t** keylist, size_t keylist_size, key_data_t* successor_key,
622 key_data_t* predecessor_key, struct future_key *future_key,
624{
625 int cmp;
626 const key_dependency_t* dep;
627
628 if (!keylist) {
629 return -1;
630 }
631 if (!successor_key) {
632 return -1;
633 }
634 if (!predecessor_key) {
635 return -1;
636 }
637 if (!future_key) {
638 return -1;
639 }
640 if (!future_key->key) {
641 return -1;
642 }
643 if (!deplist) {
644 return -1;
645 }
646
647 /*
648 * Nothing may depend on our predecessor.
649 */
650 for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
651 if (db_value_cmp(key_data_id(predecessor_key), key_dependency_to_key_data_id(dep), &cmp)) {
652 return -1;
653 }
654 if (!cmp) {
655 return 0;
656 }
657 }
658 return successor_rec(keylist, keylist_size, successor_key, predecessor_key, future_key, type, deplist);
659}
660
667static int
668exists_with_successor(key_data_t** keylist, size_t keylist_size,
669 struct future_key *future_key, int same_algorithm,
670 const key_state_state_t predecessor_mask[4],
671 const key_state_state_t successor_mask[4], key_state_type_t type,
672 key_dependency_list_t* deplist)
673{
674 size_t i, j;
675
676 if (!keylist) {
677 return -1;
678 }
679 if (!future_key) {
680 return -1;
681 }
682
683 /*
684 * Walk the list of keys, for each key that matches the successor mask we
685 * walk the list again and check that key against the keys that match the
686 * predecessor mask if has a valid successor/predecessor relationship.
687 */
688 for (i = 0; i < keylist_size; i++) {
689 if (match(keylist[i], future_key, same_algorithm, successor_mask) < 1) {
690 continue;
691 }
692
693 for (j = 0; j < keylist_size; j++) {
694 if (j == i
695 || match(keylist[j], future_key, same_algorithm, predecessor_mask) < 1)
696 {
697 continue;
698 }
699
700 if (successor(keylist, keylist_size, keylist[i], keylist[j], future_key, type, deplist) > 0) {
701 return 1;
702 }
703 }
704 }
705 return 0;
706}
707
714static int
715unsignedOk(key_data_t** keylist, size_t keylist_size,
716 struct future_key *future_key,
717 const key_state_state_t mask[4], key_state_type_t type)
718{
719 size_t i;
720 key_state_state_t cmp_mask[4];
721
722 if (!keylist) {
723 return -1;
724 }
725 if (!future_key) {
726 return -1;
727 }
728 if (!future_key->key) {
729 return -1;
730 }
731
732 for (i = 0; i < keylist_size; i++) {
734 continue;
735 }
736
737 cmp_mask[0] = type == KEY_STATE_TYPE_DS
738 ? getState(keylist[i], type, future_key)
739 : mask[0];
740 cmp_mask[1] = type == KEY_STATE_TYPE_DNSKEY
741 ? getState(keylist[i], type, future_key)
742 : mask[1];
743 cmp_mask[2] = type == KEY_STATE_TYPE_RRSIGDNSKEY
744 ? getState(keylist[i], type, future_key)
745 : mask[2];
746 cmp_mask[3] = type == KEY_STATE_TYPE_RRSIG
747 ? getState(keylist[i], type, future_key)
748 : mask[3];
749
750 /*
751 * If the state is hidden or NA for the given type this key is okay.
752 */
753 switch (type) {
755 if (cmp_mask[0] == HIDDEN || cmp_mask[0] == NA) {
756 continue;
757 }
758 break;
759
761 if (cmp_mask[1] == HIDDEN || cmp_mask[1] == NA) {
762 continue;
763 }
764 break;
765
767 if (cmp_mask[2] == HIDDEN || cmp_mask[2] == NA) {
768 continue;
769 }
770 break;
771
773 if (cmp_mask[3] == HIDDEN || cmp_mask[3] == NA) {
774 continue;
775 }
776 break;
777
778 default:
779 return -1;
780 }
781
782 if (exists(keylist, keylist_size, future_key, 1, cmp_mask) < 1) {
783 return 0;
784 }
785 }
786
787 return 1;
788}
789
790/* Check if ALL DS records for this algorithm are hidden
791 *
792 * \return 0 if !HIDDEN DS is found, 1 if no such DS where found */
793static int
794all_DS_hidden(key_data_t** keylist, size_t keylist_size,
795 struct future_key *future_key)
796{
797 size_t i;
798 key_state_state_t state;
799
800 assert(keylist);
801 assert(future_key);
802 assert(future_key->key);
803
804 for (i = 0; i < keylist_size; i++) {
805 /*If not same algorithm. Doesn't affect us.*/
806 if (key_data_algorithm(keylist[i]) != key_data_algorithm(future_key->key)) continue;
807 state = getState(keylist[i], KEY_STATE_TYPE_DS, future_key);
808 if (state != HIDDEN && state != NA) return 0; /*Test failed. Found DS.*/
809 }
810 return 1; /*No DS where found.*/
811}
812
819static int
820rule1(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
821 int pretend_update)
822{
823 static const key_state_state_t mask[2][4] = {
824 { OMNIPRESENT, NA, NA, NA },/* a good key state. */
825 { RUMOURED, NA, NA, NA } /* the DS is introducing. */
826 };
827
828 if (!keylist || !future_key || !future_key->key) {
829 return -1;
830 }
831
832 future_key->pretend_update = pretend_update;
833
834 /* Return positive value if any of the masks are found. */
835 return (exists(keylist, keylist_size, future_key, 0, mask[0]) > 0
836 || exists(keylist, keylist_size, future_key, 0, mask[1]) > 0);
837}
838
845static int
846rule2(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
847 int pretend_update, key_dependency_list_t* deplist)
848{
849 static const key_state_state_t mask[8][4] = {
850 { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA },/*good key state.*/
851 { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA },/*introducing DS state.*/
852 { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA },/*outroducing DS state.*/
853 { OMNIPRESENT, RUMOURED, RUMOURED, NA },/*introducing DNSKEY state.*/
855 { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA },/*outroducing DNSKEY state.*/
857 { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*unsigned state.*/
858 };
859
860 if (!keylist || !future_key || !future_key->key) {
861 return -1;
862 }
863
864 future_key->pretend_update = pretend_update;
865
866 /* Return positive value if any of the masks are found. */
867 return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
868 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DS, deplist) > 0
869 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
870 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
871 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
872 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
873 || unsignedOk(keylist, keylist_size, future_key, mask[7], KEY_STATE_TYPE_DS) > 0);
874}
875
882static int
883rule3(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
884 int pretend_update, key_dependency_list_t* deplist)
885{
886 static const key_state_state_t mask[6][4] = {
887 { NA, OMNIPRESENT, NA, OMNIPRESENT },/* good key state. */
888 { NA, RUMOURED, NA, OMNIPRESENT },/* introducing DNSKEY state. */
889 { NA, UNRETENTIVE, NA, OMNIPRESENT },/* outroducing DNSKEY state. */
890 { NA, OMNIPRESENT, NA, RUMOURED },/* introducing RRSIG state. */
891 { NA, OMNIPRESENT, NA, UNRETENTIVE },/* outroducing RRSIG state. */
892 { NA, HIDDEN, NA, OMNIPRESENT } /* unsigned state. */
893 };
894
895 if (!keylist || !future_key || !future_key->key) {
896 return -1;
897 }
898
899 future_key->pretend_update = pretend_update;
900
901 /* Return positive value if any of the masks are found. */
902 return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
903 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
904 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
905 || unsignedOk(keylist, keylist_size, future_key, mask[5], KEY_STATE_TYPE_DNSKEY) > 0
906 || all_DS_hidden(keylist, keylist_size, future_key) > 0);
907}
908
915static int
916dnssecApproval(key_data_t** keylist, size_t keylist_size,
917 struct future_key* future_key, int allow_unsigned,
918 key_dependency_list_t* deplist)
919{
920 if (!keylist) {
921 return -1;
922 }
923 if (!future_key) {
924 return -1;
925 }
926 if (!deplist) {
927 return -1;
928 }
929
930 /*
931 * Check if DNSSEC state will be invalid by the transition by checking that
932 * all 3 DNSSEC rules apply. Rule 1 only applies if we are not allowing an
933 * unsigned state.
934 *
935 * A rule is first checked against the current state of the key_state and if
936 * the current state is not valid an transition is allowed for that rule in
937 * order to try and move out of an invalid DNSSEC state.
938 *
939 * Next the rule is checked against the desired state and if that state is a
940 * valid DNSSEC state then the transition is allowed.
941 *
942 * rule1 - Handles DS states
943 * rule2 - Handles DNSKEY states.
944 * rule3 - Handles signatures.
945 */
946 if ((allow_unsigned
947 || !rule1(keylist, keylist_size, future_key, 0)
948 || rule1(keylist, keylist_size, future_key, 1) > 0)
949 && (!rule2(keylist, keylist_size, future_key, 0, deplist)
950 || rule2(keylist, keylist_size, future_key, 1, deplist) > 0)
951 && (!rule3(keylist, keylist_size, future_key, 0, deplist)
952 || rule3(keylist, keylist_size, future_key, 1, deplist) > 0))
953 {
954 /*
955 * All rules apply, we allow transition.
956 */
957 return 1;
958 }
959
960 return 0;
961}
962
971static time_t
972minTransitionTime(policy_t const *policy, key_state_type_t type,
973 key_state_state_t next_state, const time_t lastchange, const int ttl)
974{
975 if (!policy) {
976 return -1;
977 }
978
979 /*
980 * We may freely move a record to a uncertain state.
981 */
982 if (next_state == RUMOURED || next_state == UNRETENTIVE) {
983 return lastchange;
984 }
985
986 switch (type) {
988 return addtime(lastchange, ttl
991
992 /* TODO: 5011 will create special case here */
993 case KEY_STATE_TYPE_DNSKEY: /* intentional fall-through */
995 return addtime(lastchange, ttl
997 + ( next_state == OMNIPRESENT
1000
1002 return addtime(lastchange, ttl
1004
1005 default:
1006 break;
1007 }
1008
1009 return -1;
1010}
1011
1021static int
1022policyApproval(key_data_t** keylist, size_t keylist_size,
1024{
1025 static const key_state_state_t dnskey_algorithm_rollover[4] = { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA };
1026 static const key_state_state_t mask[14][4] = {
1027 /*ZSK*/
1028 { NA, OMNIPRESENT, NA, OMNIPRESENT }, /*This indicates a good key state.*/
1029 { NA, RUMOURED, NA, OMNIPRESENT }, /*This indicates a introducing DNSKEY state.*/
1030 { NA, UNRETENTIVE, NA, OMNIPRESENT }, /*This indicates a outroducing DNSKEY state.*/
1031 { NA, OMNIPRESENT, NA, RUMOURED }, /*This indicates a introducing RRSIG state.*/
1032 { NA, OMNIPRESENT, NA, UNRETENTIVE }, /*This indicates a outroducing RRSIG state.*/
1033 { NA, HIDDEN, NA, OMNIPRESENT }, /*This indicates an unsigned state.*/
1034
1035 /*KSK*/
1036 { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates a good key state.*/
1037 { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an introducing DS state.*/
1038 { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an outroducing DS state.*/
1039 { OMNIPRESENT, RUMOURED, RUMOURED, NA }, /*These indicates an introducing DNSKEY state.*/
1041 { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA }, /*These indicates an outroducing DNSKEY state.*/
1043 { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*This indicates an unsigned state.*/
1044 };
1045
1046 if (!keylist || !future_key || !future_key->key) {
1047 return -1;
1048 }
1049
1050 /*
1051 * Once the record is introduced the policy has no influence.
1052 */
1053 if (future_key->next_state != RUMOURED) {
1054 return 1;
1055 }
1056
1057 /*
1058 * Check if policy prevents transition if the next state is rumoured.
1059 */
1060 switch (future_key->type) {
1061 case KEY_STATE_TYPE_DS:
1062 /*
1063 * If we want to minimize the DS transitions make sure the DNSKEY is
1064 * fully propagated.
1065 */
1068 {
1069 /*
1070 * DNSKEY is not fully propagated so we will not do any transitions.
1071 */
1072 return 0;
1073 }
1074 break;
1075
1078 /* There are no restrictions for the DNSKEY transition so we can
1079 * just continue. */
1080 return 1;
1081 }
1082 /* Check that signatures has been propagated for CSK/ZSK. */
1086 {
1087 /* RRSIG fully propagated so we will do the transitions. */
1088 return 1;
1089 }
1090 }
1091 /* Check if the DS is introduced and continue if it is. */
1095 {
1096 return 1;
1097 }
1098 }
1099 /* We might be doing an algorithm rollover so we check if there are
1100 * no other good KSK available and ignore the minimize flag if so. */
1101 return !(exists(keylist, keylist_size, future_key, 1, mask[6]) > 0
1102 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[8], mask[7], KEY_STATE_TYPE_DS, deplist) > 0
1103 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[11], mask[9], KEY_STATE_TYPE_DNSKEY, deplist) > 0);
1104
1106 /*
1107 * The only time not to introduce RRSIG DNSKEY is when the DNSKEY is
1108 * still hidden.
1109 *
1110 * TODO: How do we know we are introducing the RRSIG DNSKEY? We might be
1111 * outroducing it.
1112 */
1114 return 0;
1115 }
1116 break;
1117
1120 /*
1121 * There are no restrictions for the RRSIG transition so we can
1122 * just continue.
1123 */
1124 break;
1125 }
1126
1127 /*
1128 * Check if the DNSKEY is introduced and continue if it is.
1129 */
1131 break;
1132 }
1133
1134 /*
1135 * We might be doing an algorithm rollover so we check if there are
1136 * no other good ZSK available and ignore the minimize flag if so.
1137 *
1138 * TODO: How is this related to ZSK/CSK? There are no check for key_data_role().
1139 */
1140 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
1141 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
1142 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
1143 )
1144 {
1145 /*
1146 * We found a good key, so we will not do any transition.
1147 */
1148 return 0;
1149 }
1150 break;
1151
1152 default:
1153 return 0;
1154 }
1155
1156 return 1;
1157}
1158
1168static int
1169getZoneTTL(policy_t const *policy, zone_db_t* zone, key_state_type_t type,
1170 const time_t now)
1171{
1172 time_t end_date;
1173 int ttl;
1174
1175 if (!policy) {
1176 return -1;
1177 }
1178 if (!zone) {
1179 return -1;
1180 }
1181
1182 switch (type) {
1183 case KEY_STATE_TYPE_DS:
1184 end_date = zone_db_ttl_end_ds(zone);
1186 break;
1187
1188 case KEY_STATE_TYPE_DNSKEY: /* Intentional fall-through */
1190 end_date = zone_db_ttl_end_dk(zone);
1191 ttl = policy_keys_ttl(policy);
1192 break;
1193
1195 end_date = zone_db_ttl_end_rs(zone);
1202 break;
1203
1204 default:
1205 return -1;
1206 }
1207
1208 return max((int)difftime(end_date, now), ttl);
1209}
1210
1217static int
1218isSuccessable(struct future_key* future_key)
1219{
1220 if (!future_key) {
1221 return -1;
1222 }
1223
1225 return 0;
1226 }
1227
1228 switch (future_key->type) {
1229 case KEY_STATE_TYPE_DS:
1232 return 0;
1233 }
1234 break;
1235
1237 return 0;
1238
1242 {
1243 return 0;
1244 }
1245 break;
1246
1247 default:
1248 return -1;
1249 }
1250
1251 return 1;
1252}
1253
1261static int
1262markSuccessors(db_connection_t *dbconn, key_data_t** keylist,
1263 size_t keylist_size, struct future_key *future_key,
1264 key_dependency_list_t* deplist, const zone_db_t* zone)
1265{
1266 static const char *scmd = "markSuccessors";
1267 size_t i;
1270 int cmp;
1271
1272 if (!dbconn || !keylist || !future_key || !deplist || !zone) {
1273 return -1;
1274 }
1275
1276 /* If key,type in deplist and new state is omnipresent it is no
1277 * longer relevant for the dependencies */
1279 /* Remove any entries for this key,type tuple from successors */
1280 for (kd = key_dependency_list_get_begin(deplist); kd;
1282 kd = key_dependency_list_get_next(deplist))
1283 {
1285 key_dependency_to_key_data_id(kd), &cmp) == DB_OK &&
1286 !cmp && kd->type == (key_dependency_type_t)future_key->type)
1287 {
1289 }
1290
1291 }
1292 }
1293
1294 if (isSuccessable(future_key) < 1) {
1295 return 0;
1296 }
1297
1298 for (i = 0; i < keylist_size; i++) {
1299 if (isPotentialSuccessor(keylist[i], future_key->key, future_key, future_key->type) > 0) {
1300 switch (future_key->type) {
1301 case KEY_STATE_TYPE_DS:
1303 break;
1304
1307 break;
1308
1311 break;
1312
1315 break;
1316
1317 default:
1318 return -1;
1319 }
1320
1321 if (!(key_dependency = key_dependency_new(dbconn))
1327 {
1328 ods_log_error("[%s] %s: unable to create key dependency between %s and %s",
1329 module_str, scmd,
1333 return -1;
1334 }
1336 }
1337 }
1338
1339 return 1;
1340}
1341
1351static time_t
1352updateZone(db_connection_t *dbconn, policy_t const *policy, zone_db_t* zone,
1353 const time_t now, int allow_unsigned, int *zone_updated,
1354 key_data_t** keylist, size_t keylist_size, key_dependency_list_t *deplist)
1355{
1356 time_t returntime_zone = -1;
1357 unsigned int ttl;
1358 static const char *scmd = "updateZone";
1359 size_t i;
1360 unsigned int j, change;
1361 static const key_state_type_t type[] = {
1366 };
1367 struct future_key future_key;
1369 key_state_state_t state;
1370 time_t returntime_key;
1372 int key_data_updated, process, key_state_created;
1373 const db_enum_t* state_enum, *next_state_enum, *type_enum;
1374 key_dependency_list_t *deplisttmp = NULL;
1375
1376 if (!dbconn) {
1377 /* TODO: better log error */
1378 ods_log_error("[%s] %s: no dbconn", module_str, scmd);
1379 return returntime_zone;
1380 }
1381 if (!policy) {
1382 /* TODO: better log error */
1383 ods_log_error("[%s] %s: no policy", module_str, scmd);
1384 return returntime_zone;
1385 }
1386 if (!zone) {
1387 /* TODO: better log error */
1388 ods_log_error("[%s] %s: no zone", module_str, scmd);
1389 return returntime_zone;
1390 }
1391 if (!zone_updated) {
1392 /* TODO: better log error */
1393 ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
1394 return returntime_zone;
1395 }
1396 if (!keylist) {
1397 /* TODO: better log error */
1398 ods_log_error("[%s] %s: no keylist", module_str, scmd);
1399 return returntime_zone;
1400 }
1401 if (!deplist) {
1402 /* TODO: better log error */
1403 ods_log_error("[%s] %s: no deplist", module_str, scmd);
1404 return returntime_zone;
1405 }
1406
1407 ods_log_verbose("[%s] %s: processing %s with policyName %s", module_str, scmd, zone_db_name(zone), policy_name(policy));
1408
1409 deplisttmp = zone_db_get_key_dependencies(zone);
1410
1411 /*
1412 * The process variable will indicate if we are processing, if something
1413 * fails and sets it to 0 then it will fall through to the end.
1414 */
1415 process = 1;
1416
1417 /*
1418 * This code keeps track of TTL changes. If in the past a large TTL is used,
1419 * our keys *may* need to transition extra careful to make sure each
1420 * resolver picks up the RRset. When this date passes we may start using the
1421 * policies TTL.
1422 */
1423 if (process && zone_db_ttl_end_ds(zone) <= now) {
1424 if (zone_db_set_ttl_end_ds(zone, addtime(now, policy_parent_ds_ttl(policy)))) {
1425 ods_log_error("[%s] %s: zone_db_set_ttl_end_ds() failed", module_str, scmd);
1426 process = 0;
1427 }
1428 else {
1429 *zone_updated = 1;
1430 }
1431 }
1432 if (process && zone_db_ttl_end_dk(zone) <= now) {
1433 /*
1434 * If no DNSKEY is currently published we must take negative caching
1435 * into account.
1436 */
1437 for (i = 0; i < keylist_size; i++) {
1439 break;
1440 }
1441 }
1442 if (keylist_size < i) {
1443 ttl = max(policy_keys_ttl(policy),
1445 }
1446 else {
1447 ttl = policy_keys_ttl(policy);
1448 }
1449 if (zone_db_set_ttl_end_dk(zone, addtime(now, ttl))) {
1450 ods_log_error("[%s] %s: zone_db_set_ttl_end_dk() failed", module_str, scmd);
1451 process = 0;
1452 }
1453 else {
1454 *zone_updated = 1;
1455 }
1456 }
1457 if (process && zone_db_ttl_end_rs(zone) <= now) {
1460 }
1461 else {
1463 }
1464 if (zone_db_set_ttl_end_rs(zone, addtime(now, max(
1466 ttl))))
1467 {
1468 ods_log_error("[%s] %s: zone_db_set_ttl_end_rs() failed", module_str, scmd);
1469 process = 0;
1470 }
1471 else {
1472 *zone_updated = 1;
1473 }
1474 }
1475
1476 /*
1477 * Create key states that do not exist.
1478 */
1479 for (i = 0; process && i < keylist_size; i++) {
1480 key_state_created = 0;
1481 if (!key_data_cached_ds(keylist[i])) {
1482 if (!(key_state = key_state_new(dbconn))
1485 || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 2) & 1)
1488 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DS, now))
1490 {
1491 ods_log_error("[%s] %s: key state DS creation failed", module_str, scmd);
1492 process = 0;
1494 key_state = NULL;
1495 break;
1496 }
1497 key_state_created = 1;
1499 key_state = NULL;
1500
1501 if (!zone_db_signconf_needs_writing(zone)) {
1503 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1504 process = 0;
1505 break;
1506 }
1507 else {
1508 *zone_updated = 1;
1509 }
1510 }
1511 }
1512 if (!key_data_cached_dnskey(keylist[i])) {
1513 if (!(key_state = key_state_new(dbconn))
1516 || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 1) & 1)
1519 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DNSKEY, now))
1521 {
1522 ods_log_error("[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1523 process = 0;
1525 key_state = NULL;
1526 break;
1527 }
1528 key_state_created = 1;
1530 key_state = NULL;
1531
1532 if (!zone_db_signconf_needs_writing(zone)) {
1534 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1535 process = 0;
1536 break;
1537 }
1538 else {
1539 *zone_updated = 1;
1540 }
1541 }
1542 }
1543 if (!key_data_cached_rrsigdnskey(keylist[i])) {
1544 if (!(key_state = key_state_new(dbconn))
1551 {
1552 ods_log_error("[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1553 process = 0;
1555 key_state = NULL;
1556 break;
1557 }
1558 key_state_created = 1;
1560 key_state = NULL;
1561
1562 if (!zone_db_signconf_needs_writing(zone)) {
1564 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1565 process = 0;
1566 break;
1567 }
1568 else {
1569 *zone_updated = 1;
1570 }
1571 }
1572 }
1573 if (!key_data_cached_rrsig(keylist[i])) {
1574 if (!(key_state = key_state_new(dbconn))
1580 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIG, now))
1582 {
1583 ods_log_error("[%s] %s: key state RRSIG creation failed", module_str, scmd);
1584 process = 0;
1586 key_state = NULL;
1587 break;
1588 }
1589 key_state_created = 1;
1591 key_state = NULL;
1592
1593 if (!zone_db_signconf_needs_writing(zone)) {
1595 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1596 process = 0;
1597 break;
1598 }
1599 else {
1600 *zone_updated = 1;
1601 }
1602 }
1603 }
1604 if (key_state_created) {
1605 if (key_data_cache_key_states(keylist[i])) {
1606 ods_log_error("[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1607 process = 0;
1608 break;
1609 }
1610 }
1611 }
1612
1613 /*
1614 * Keep looping till there are no state changes and find the earliest update
1615 * time to return.
1616 */
1617 do {
1618 change = 0;
1619 for (i = 0; process && i < keylist_size; i++) {
1620 ods_log_verbose("[%s] %s: processing key %s %u", module_str, scmd,
1622
1623 for (j = 0; process && j < (sizeof(type) / sizeof(key_state_state_t)); j++) {
1624 /*
1625 * If the state or desired_state is invalid something went wrong
1626 * and we should return.
1627 */
1628 if ((state = getState(keylist[i], type[j], NULL)) == KEY_STATE_STATE_INVALID
1629 || (next_state = getDesiredState(key_data_introducing(keylist[i]), state)) == KEY_STATE_STATE_INVALID)
1630 {
1631 ods_log_error("[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1632 process = 0;
1633 break;
1634 }
1635
1636 /*
1637 * If there is no change in key state we continue.
1638 */
1639 if (state == next_state) {
1640 continue;
1641 }
1642
1643 /*
1644 * If the key state is a DS then we need to check if we still
1645 * are waiting for user input before we can transition the key.
1646 */
1647 if (type[j] == KEY_STATE_TYPE_DS) {
1648 if ((next_state == OMNIPRESENT
1650 || (next_state == HIDDEN
1652 {
1653 continue;
1654 }
1655 }
1656
1657 for (type_enum = key_state_enum_set_type; type_enum->text; type_enum++) {
1658 if (type_enum->value == (int)type[j]) {
1659 break;
1660 }
1661 }
1662 for (state_enum = key_state_enum_set_state; state_enum->text; state_enum++) {
1663 if (state_enum->value == (int)state) {
1664 break;
1665 }
1666 }
1667 for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1668 if (next_state_enum->value == (int)next_state) {
1669 break;
1670 }
1671 }
1672 ods_log_verbose("[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1673 key_data_role_text(keylist[i]),
1675 type_enum->text,
1676 state_enum->text,
1677 next_state_enum->text);
1678
1679 future_key.key = keylist[i];
1680 future_key.type = type[j];
1682
1683 /*
1684 * Check if policy prevents transition.
1685 */
1686 if (policyApproval(keylist, keylist_size, &future_key, deplist) < 1) {
1687 continue;
1688 }
1689 ods_log_verbose("[%s] %s Policy says we can (1/3)", module_str, scmd);
1690
1691 /*
1692 * Check if DNSSEC state prevents transition.
1693 */
1694 if (dnssecApproval(keylist, keylist_size, &future_key, allow_unsigned, deplisttmp) < 1) {
1695 continue;
1696 }
1697 ods_log_verbose("[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1698
1699 returntime_key = minTransitionTime(policy, type[j], next_state,
1700 key_state_last_change(getRecord(keylist[i], type[j])),
1701 getZoneTTL(policy, zone, type[j], now));
1702
1703 /*
1704 * If this is an RRSIG and the DNSKEY is omnipresent and next
1705 * state is a certain state, wait an additional signature
1706 * lifetime to allow for 'smooth rollover'.
1707 */
1708 static const key_state_state_t mask[2][4] = {
1711 };
1712 int zsk_out = exists(keylist, keylist_size, &future_key,
1713 1, mask[0]);
1714 int zsk_in = exists(keylist, keylist_size, &future_key,
1715 1, mask[1]);
1716
1717 if (type[j] == KEY_STATE_TYPE_RRSIG
1719 && ((next_state == OMNIPRESENT && zsk_out)
1720 || (next_state == HIDDEN && zsk_in)))
1721 {
1722 returntime_key = addtime(returntime_key,
1728 }
1729
1730 /*
1731 * It is to soon to make this change. Schedule it.
1732 */
1733 if (returntime_key > now) {
1734 minTime(returntime_key, &returntime_zone);
1735 continue;
1736 }
1737
1738 ods_log_verbose("[%s] %s Timing says we can (3/3) now: %lu key: %lu",
1739 module_str, scmd, (unsigned long)now, (unsigned long)returntime_key);
1740
1741 /*
1742 * A record can only reach Omnipresent if properly backed up.
1743 */
1744 if (next_state == OMNIPRESENT) {
1747 {
1748 ods_log_crit("[%s] %s Ready for transition but key material not backed up yet (%s)",
1749 module_str, scmd, hsm_key_locator(key_data_cached_hsm_key(keylist[i])));
1750
1751 /*
1752 * Try again in 60 seconds
1753 */
1754 returntime_key = addtime(now, 60);
1755 minTime(returntime_key, &returntime_zone);
1756 continue;
1757 }
1758 }
1759
1760 /*
1761 * If we are handling a DS we depend on the user or
1762 * some other external process. We must communicate
1763 * through the DSSeen and -submit flags.
1764 */
1765 if (type[j] == KEY_STATE_TYPE_DS) {
1766 key_data_updated = 0;
1767
1768 /*
1769 * Ask the user to submit the DS to the parent.
1770 */
1771 if (next_state == RUMOURED) {
1772 switch (key_data_ds_at_parent(keylist[i])) {
1776 break;
1777
1779 /*
1780 * Hypothetical case where we reintroduce keys.
1781 */
1783 key_data_updated = 1;
1784 break;
1785
1786 default:
1788 key_data_updated = 1;
1789 }
1790 }
1791 /*
1792 * Ask the user to remove the DS from the parent.
1793 */
1794 else if (next_state == UNRETENTIVE) {
1795 switch(key_data_ds_at_parent(keylist[i])) {
1797 /*
1798 * Never submitted.
1799 * NOTE: not safe if we support reintroducing of keys.
1800 */
1802 key_data_updated = 1;
1803 break;
1804
1808 break;
1809
1810 default:
1812 key_data_updated = 1;
1813 }
1814 }
1815
1816 /*
1817 * Save the changes made to the key data if any.
1818 */
1819 if (key_data_updated) {
1820 if (key_data_update(keylist[i])) {
1821 ods_log_error("[%s] %s: key data update failed", module_str, scmd);
1822 process = 0;
1823 break;
1824 }
1825 /*
1826 * We now need to reread the key data object.
1827 *
1828 * TODO: This needs investigation how to do better.
1829 */
1830 if (key_data_get_by_id(keylist[i], key_data_id(keylist[i]))
1831 || key_data_cache_key_states(keylist[i])
1832 || key_data_cache_hsm_key(keylist[i]))
1833 {
1834 ods_log_error("[%s] %s: key data reread failed", module_str, scmd);
1835 process = 0;
1836 break;
1837 }
1838 }
1839 }
1840
1841 /*
1842 * We've passed all tests! Make the transition.
1843 */
1844 key_state = NULL;
1845
1846 switch (future_key.type) {
1847 case KEY_STATE_TYPE_DS:
1849 break;
1850
1853 break;
1854
1857 break;
1858
1861 break;
1862
1863 default:
1864 ods_log_error("[%s] %s: future key type error", module_str, scmd);
1865 process = 0;
1866 break;
1867 }
1868
1869 for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1870 if (next_state_enum->value == (int)next_state) {
1871 break;
1872 }
1873 }
1874 ods_log_verbose("[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1875 key_data_role_text(keylist[i]),
1879 next_state_enum->text);
1880
1883 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, future_key.type, now))
1885 {
1886 ods_log_error("[%s] %s: key state transition failed", module_str, scmd);
1887 process = 0;
1889 break;
1890 }
1892
1893 if (!zone_db_signconf_needs_writing(zone)) {
1895 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1896 process = 0;
1897 break;
1898 }
1899 else {
1900 *zone_updated = 1;
1901 }
1902 }
1903
1904 if (markSuccessors(dbconn, keylist, keylist_size, &future_key, deplisttmp, zone) < 0) {
1905 ods_log_error("[%s] %s: markSuccessors() error", module_str, scmd);
1906 process = 0;
1907 break;
1908 }
1909 /*deps have changed reload*/
1910 key_dependency_list_free(deplisttmp);
1911 deplisttmp = zone_db_get_key_dependencies(zone);
1912
1913
1914 if (key_data_cache_key_states(keylist[i])) {
1915 ods_log_error("[%s] %s: Unable to recache key states after transition", module_str, scmd);
1916 process = 0;
1917 break;
1918 }
1919
1920 change = true;
1921 }
1922 }
1923 } while (process && change);
1924 key_dependency_list_free(deplisttmp);
1925 return returntime_zone;
1926}
1927
1931static const hsm_key_t*
1932getLastReusableKey(key_data_list_t *key_list, const policy_key_t *pkey)
1933{
1934 const key_data_t *key;
1935 hsm_key_t *hkey, *hkey_young = NULL;
1936 hsm_key_list_t* hsmkeylist;
1937 int match;
1938 int cmp;
1939
1940 if (!key_list || !pkey)
1941 return NULL;
1942
1943 hsmkeylist = hsm_key_list_new_get_by_policy_key(pkey);
1944 for (hkey = hsm_key_list_get_begin(hsmkeylist); hkey;
1945 hkey = hsm_key_list_get_next(hsmkeylist))
1946 {
1948 if ((~hsm_key_role(hkey) & policy_key_role(pkey)) != 0 ||
1951 hkey->state == HSM_KEY_STATE_UNUSED )
1952 {
1953 hsm_key_free(hkey);
1954 continue;
1955 }
1956
1958 for (match = 0, key = key_data_list_begin(key_list); key; key = key_data_list_next(key_list)) {
1960 && cmp == 0)
1961 {
1963 match = 1;
1964 break;
1965 }
1966 }
1967 if (match) {
1968 hsm_key_free(hkey);
1969 continue;
1970 }
1971
1973 if (!hkey_young || hsm_key_inception(hkey_young) < hsm_key_inception(hkey)) {
1974 hsm_key_free(hkey_young);
1975 hkey_young = hkey;
1976 }
1977 }
1978
1979 hsm_key_list_free(hsmkeylist);
1980 return hkey_young;
1981}
1982
1991static int
1992existsPolicyForKey(policy_key_list_t *policykeylist, const key_data_t *key)
1993{
1994 static const char *scmd = "existsPolicyForKey";
1995 const policy_key_t *pkey;
1996 hsm_key_t *hkey;
1997
1998 if (!policykeylist) {
1999 return -1;
2000 }
2001 if (!key) {
2002 return -1;
2003 }
2004
2005 if (!(hkey = key_data_get_hsm_key(key))) {
2006 /*
2007 * This key is not associated with actual key material!
2008 * This is a bug or database corruption.
2009 * Crashing here is an option but we just return false so the
2010 * key will be thrown away in a graceful manner.
2011 */
2012 ods_log_verbose("[%s] %s no hsmkey!", module_str, scmd);
2013 return 0;
2014 }
2015 pkey = policy_key_list_begin(policykeylist);
2016 while (pkey) {
2017 if ((int)policy_key_role(pkey) == (int)key_data_role(key) &&
2019 strcmp(hsm_key_repository(hkey), policy_key_repository(pkey)) == 0 &&
2020 hsm_key_algorithm(hkey) == policy_key_algorithm(pkey) &&
2021 hsm_key_bits(hkey) == policy_key_bits(pkey))
2022 {
2023 hsm_key_free(hkey);
2024 return 1;
2025 }
2026 pkey = policy_key_list_next(policykeylist);
2027 }
2028 ods_log_verbose("[%s] %s not found such config", module_str, scmd);
2029 hsm_key_free(hkey);
2030 return 0;
2031}
2032
2033static int
2034last_inception_policy(key_data_list_t *key_list, const policy_key_t *pkey)
2035{
2036 const key_data_t *key = NULL;
2037 hsm_key_t *hsmkey = NULL;
2038 int max_inception = -1;
2039
2040 if (!key_list || !pkey) return -1;
2041
2042 /*
2043 * Must match: role, bits, algorithm and repository.
2044 */
2045 for (key = key_data_list_begin(key_list); key;
2046 key = key_data_list_next(key_list))
2047 {
2048 if ((int)policy_key_role(pkey) != (int)key_data_role(key) ||
2050 (hsmkey = key_data_get_hsm_key(key)) == NULL ||
2051 policy_key_bits(pkey) != hsm_key_bits(hsmkey) ||
2052 policy_key_algorithm(pkey) != hsm_key_algorithm(hsmkey) ||
2053 strcmp(policy_key_repository(pkey), hsm_key_repository(hsmkey)))
2054 {
2055 hsm_key_free(hsmkey);
2056 hsmkey = NULL;
2057 continue;
2058 }
2059 hsm_key_free(hsmkey);
2060 hsmkey = NULL;
2062 if (max_inception == -1 || max_inception < (signed int)key_data_inception(key))
2063 {
2064 max_inception = key_data_inception(key);
2065 }
2066 }
2067 return max_inception;
2068}
2069
2078static int
2079key_for_conf(key_data_list_t *key_list, const policy_key_t *pkey)
2080{
2081 const key_data_t *key;
2082
2083 if (!key_list) {
2084 return 0;
2085 }
2086 if (!pkey) {
2087 return 0;
2088 }
2089
2090 for (key = key_data_list_begin(key_list); key;
2091 key = key_data_list_next(key_list))
2092 {
2094 (int)policy_key_role(pkey) == (int)key_data_role(key))
2095 {
2096 return 1;
2097 }
2098 }
2099 return 0;
2100}
2101
2108static void
2109setnextroll(zone_db_t *zone, const policy_key_t *pkey, time_t t)
2110{
2111 assert(zone);
2112 assert(pkey);
2113
2114 switch(policy_key_role(pkey)) {
2116 zone->next_ksk_roll = (unsigned int)t;
2117 break;
2119 zone->next_zsk_roll = (unsigned int)t;
2120 break;
2122 zone->next_csk_roll = (unsigned int)t;
2123 break;
2124 default:
2125 assert(0);
2126 }
2127}
2128
2129static int
2130enforce_roll(const zone_db_t *zone, const policy_key_t *pkey)
2131{
2132 if (!zone) {
2133 return 0;
2134 }
2135 if (!pkey) {
2136 return 0;
2137 }
2138
2139 switch(policy_key_role(pkey)) {
2141 return zone_db_roll_ksk_now(zone);
2143 return zone_db_roll_zsk_now(zone);
2145 return zone_db_roll_csk_now(zone);
2146 default:
2147 return 0;
2148 }
2149}
2150
2151static int
2152set_roll(zone_db_t *zone, const policy_key_t *pkey, unsigned int roll)
2153{
2154 if (!zone) {
2155 return 0;
2156 }
2157 if (!pkey) {
2158 return 0;
2159 }
2160
2161 switch(policy_key_role(pkey)) {
2163 return zone_db_set_roll_ksk_now(zone, roll);
2165 return zone_db_set_roll_zsk_now(zone, roll);
2167 return zone_db_set_roll_csk_now(zone, roll);
2168 default:
2169 return 1;
2170 }
2171}
2172
2182static time_t
2183updatePolicy(engine_type *engine, db_connection_t *dbconn, policy_t const *policy,
2184 zone_db_t *zone, const time_t now, int *allow_unsigned, int *zone_updated)
2185{
2186 time_t return_at = -1;
2187 key_data_list_t *keylist;
2188 policy_key_list_t *policykeylist;
2189 const key_data_t *key;
2190 key_data_t *mutkey = NULL;
2191 key_data_t *mutkey2 = NULL;
2192 const policy_key_t *pkey;
2193 const hsm_key_t *hsmkey;
2194 hsm_key_t *hsmkey2 = NULL;
2195 hsm_key_t *newhsmkey = NULL;
2196 static const char *scmd = "updatePolicy";
2197 int force_roll;
2198 time_t t_ret;
2199 key_data_role_t key_role;
2200 int err;
2201 uint16_t tag;
2202 int ret;
2203
2204 if (!dbconn) {
2205 /* TODO: better log error */
2206 ods_log_error("[%s] %s: no dbconn", module_str, scmd);
2207 return now + 60;
2208 }
2209 if (!policy) {
2210 /* TODO: better log error */
2211 ods_log_error("[%s] %s: no policy", module_str, scmd);
2212 return now + 60;
2213 }
2214 if (!zone) {
2215 /* TODO: better log error */
2216 ods_log_error("[%s] %s: no zone", module_str, scmd);
2217 return now + 60;
2218 }
2219 if (!allow_unsigned) {
2220 /* TODO: better log error */
2221 ods_log_error("[%s] %s: no allow_unsigned", module_str, scmd);
2222 return now + 60;
2223 }
2224 if (!zone_updated) {
2225 /* TODO: better log error */
2226 ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
2227 return now + 60;
2228 }
2229
2230 ods_log_verbose("[%s] %s: policyName: %s", module_str, scmd, policy_name(policy));
2231
2232 /*
2233 * Get all policy keys (configurations) for the given policy and fetch all
2234 * the policy key database objects so we can iterate over it more then once.
2235 */
2236 if (!(policykeylist = policy_get_policy_keys(policy))) {
2237 /* TODO: better log error */
2238 ods_log_error("[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2239 policy_key_list_free(policykeylist);
2240 return now + 60;
2241 }
2242
2243 /*
2244 * Get all key data objects for the given zone and fetch all the objects
2245 * from the database so we can use the list again later.
2246 */
2247 if (!(keylist = zone_db_get_keys(zone))) {
2248 /* TODO: better log error */
2249 ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2250 key_data_list_free(keylist);
2251 policy_key_list_free(policykeylist);
2252 return now + 60;
2253 }
2254
2255 /*
2256 * Decommission all key data objects without any matching policy key config.
2257 */
2258 while ((key = key_data_list_next(keylist))) {
2259 ret = existsPolicyForKey(policykeylist, key);
2260 if (ret < 0) {
2261 /* TODO: better log error */
2262 ods_log_error("[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2263 key_data_list_free(keylist);
2264 policy_key_list_free(policykeylist);
2265 return now + 60;
2266 }
2267 if (!ret) {
2268 if (!(mutkey = key_data_new_copy(key))
2269 || key_data_set_introducing(mutkey, 0)
2270 || key_data_update(mutkey))
2271 {
2272 /* TODO: better log error */
2273 ods_log_error("[%s] %s: error update mutkey", module_str, scmd);
2274 key_data_free(mutkey);
2275 key_data_list_free(keylist);
2276 policy_key_list_free(policykeylist);
2277 return now + 60;
2278 }
2279 key_data_free(mutkey);
2280 mutkey = NULL;
2281 }
2282 }
2283
2284 pkey = policy_key_list_begin(policykeylist);
2285
2286 /*
2287 * If no keys are configured an unsigned zone is okay.
2288 */
2289 *allow_unsigned = pkey ? 0 : 1;
2290
2291 /* If there are no keys configured set 'signconf_needs_writing'
2292 * every time this function is called */
2293 if (!policy_key_list_size(policykeylist)) {
2295 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
2296 } else {
2297 *zone_updated = 1;
2298 }
2299 }
2300
2301 for (; pkey; pkey = policy_key_list_next(policykeylist)) {
2302 newhsmkey = NULL;
2303 /*
2304 * Check if we should roll, first get the roll state from the zone then
2305 * check if the policy key is set to manual rollover and last check the
2306 * key timings.
2307 */
2308 force_roll = enforce_roll(zone, pkey);
2309 if (policy_key_manual_rollover(pkey)) {
2310 /*
2311 * If this policy key is set to manual rollover and we do not have
2312 * a key yet (for ex first run) then we should roll anyway.
2313 */
2314 if (!key_for_conf(keylist, pkey)) {
2315 force_roll = 1;
2316 }
2317 else if (!force_roll) {
2318 /*
2319 * Since this is set to manual rollover we do not want it to
2320 * roll unless we have zone state saying that we should roll.
2321 */
2322 continue;
2323 }
2324 }
2325 if (!force_roll) {
2326 int inception = -1;
2327 /*
2328 * We do not need to roll but we should check if the youngest key
2329 * needs to be replaced. If not we reschedule for later based on the
2330 * youngest key.
2331 * TODO: Describe better why the youngest?!?
2332 */
2333 inception = last_inception_policy(keylist, pkey);
2334 if (inception != -1 &&
2335 inception + policy_key_lifetime(pkey) > now)
2336 {
2337 t_ret = addtime(inception, policy_key_lifetime(pkey));
2338 minTime(t_ret, &return_at);
2339 setnextroll(zone, pkey, t_ret);
2340 *zone_updated = 1;
2341 continue;
2342 }
2343 }
2344
2345 /*
2346 * Time for a new key
2347 */
2348 ods_log_verbose("[%s] %s: New key needed for role %s",
2349 module_str, scmd, policy_key_role_text(pkey));
2350
2351 /*
2352 * Sanity check for unreasonable short key lifetime.
2353 * This would produce silly output and give the signer lots of useless
2354 * work to do otherwise.
2355 */
2356 if ((policy_key_role(pkey) == POLICY_KEY_ROLE_KSK ||
2359 policy_key_lifetime(pkey))
2360 {
2361 ods_log_error("[%s] %s: For policy %s %s key lifetime of %d "
2362 "is unreasonably short with respect to sum of parent "
2363 "TTL (%d) and key TTL (%d). Will not insert key!",
2364 module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2367 setnextroll(zone, pkey, now);
2368 *zone_updated = 1;
2369 continue;
2370 }
2371 if ((policy_key_role(pkey) == POLICY_KEY_ROLE_ZSK ||
2374 policy_key_lifetime(pkey))
2375 {
2376 ods_log_crit("[%s] %s: For policy %s %s key lifetime of %d "
2377 "is unreasonably short with respect to sum of "
2378 "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2379 module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2382 setnextroll(zone, pkey, now);
2383 *zone_updated = 1;
2384 continue;
2385 }
2386
2387 /*
2388 * Get a new key, either a existing/shared key if the policy is set to
2389 * share keys or create a new key.
2390 */
2392 hsmkey = getLastReusableKey(keylist, pkey);
2393
2394 if (!hsmkey) {
2395 newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_SHARED);
2396 hsmkey = newhsmkey;
2397 }
2398 } else {
2399 newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_PRIVATE);
2400 hsmkey = newhsmkey;
2401 }
2402
2403 if (!hsmkey) {
2404 /*
2405 * Unable to get/create a HSM key at this time, retry later.
2406 */
2407 ods_log_warning("[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2408 module_str, scmd, policy_name(policy), NOKEY_TIMEOUT);
2409 minTime(now + NOKEY_TIMEOUT, &return_at);
2410 setnextroll(zone, pkey, now);
2411 *zone_updated = 1;
2412 continue;
2413 }
2414 ods_log_verbose("[%s] %s: got new key from HSM", module_str, scmd);
2415
2416 /*
2417 * TODO: This will be replaced once roles are global
2418 */
2419 key_role = KEY_DATA_ROLE_INVALID;
2420 switch (policy_key_role(pkey)) {
2422 key_role = KEY_DATA_ROLE_KSK;
2423 break;
2424
2426 key_role = KEY_DATA_ROLE_ZSK;
2427 break;
2428
2430 key_role = KEY_DATA_ROLE_CSK;
2431 break;
2432
2433 default:
2434 break;
2435 }
2436
2437 /*
2438 * Create a new key data object.
2439 */
2440 if (!(mutkey = key_data_new(dbconn))
2441 || key_data_set_zone_id(mutkey, zone_db_id(zone))
2442 || key_data_set_hsm_key_id(mutkey, hsm_key_id(hsmkey))
2444 || key_data_set_inception(mutkey, now)
2445 || key_data_set_role(mutkey, key_role)
2447 || key_data_set_introducing(mutkey, 1)
2449 {
2450 /* TODO: better log error */
2451 ods_log_error("[%s] %s: error new key", module_str, scmd);
2452 key_data_free(mutkey);
2453 if (newhsmkey) {
2454 hsm_key_factory_release_key(newhsmkey, dbconn);
2455 }
2456 hsm_key_free(newhsmkey);
2457 key_data_list_free(keylist);
2458 policy_key_list_free(policykeylist);
2459 return now + 60;
2460 }
2461
2462 /*
2463 * Generate keytag for the new key and set it.
2464 */
2465 err = hsm_keytag(hsm_key_locator(hsmkey), hsm_key_algorithm(hsmkey),
2466 HSM_KEY_ROLE_SEP(hsm_key_role(hsmkey)), &tag);
2467 if (err || key_data_set_keytag(mutkey, tag))
2468 {
2469 /* TODO: better log error */
2470 ods_log_error("[%s] %s: error keytag", module_str, scmd);
2471 key_data_free(mutkey);
2472 if (newhsmkey) {
2473 hsm_key_factory_release_key(newhsmkey, dbconn);
2474 }
2475 hsm_key_free(newhsmkey);
2476 key_data_list_free(keylist);
2477 policy_key_list_free(policykeylist);
2478 return now + 60;
2479 }
2480
2481 /*
2482 * Create the new key in the database, if successful we set the next
2483 * roll after the lifetime of the key.
2484 */
2485 if (key_data_create(mutkey)) {
2486 /* TODO: better log error */
2487 ods_log_error("[%s] %s: error key_data_create()", module_str, scmd);
2488 key_data_free(mutkey);
2489 if (newhsmkey) {
2490 hsm_key_factory_release_key(newhsmkey, dbconn);
2491 }
2492 hsm_key_free(newhsmkey);
2493 key_data_list_free(keylist);
2494 policy_key_list_free(policykeylist);
2495 return now + 60;
2496 }
2497 t_ret = addtime(now, policy_key_lifetime(pkey));
2498 minTime(t_ret, &return_at);
2499 setnextroll(zone, pkey, t_ret);
2500 *zone_updated = 1;
2501
2502 /*
2503 * Tell similar keys to out-troduce.
2504 * Similar keys are those that match role, algorithm, bits and repository
2505 * and are introduced.
2506 *
2507 * NOTE:
2508 * Will not work if a policy has 2 or more keys of the same role, algorithm,
2509 * bits and repository. Unclear how to fix this since keys are not directly
2510 * related to a policy key.
2511 * We currently do not allow two policy keys with the same attributes.
2512 */
2513 for (key = key_data_list_begin(keylist); key; key = key_data_list_next(keylist)) {
2515 && key_data_role(key) == key_data_role(mutkey)
2517 && (hsmkey2 = key_data_get_hsm_key(key))
2518 && hsm_key_bits(hsmkey2) == hsm_key_bits(hsmkey)
2519 && !strcmp(hsm_key_repository(hsmkey2), hsm_key_repository(hsmkey)))
2520 {
2521 if (!(mutkey2 = key_data_new_copy(key))
2522 || key_data_set_introducing(mutkey2, 0)
2523 || key_data_update(mutkey2))
2524 {
2525 /* TODO: better log error */
2526 ods_log_error("[%s] %s: error update mutkey2", module_str, scmd);
2527 key_data_free(mutkey2);
2528 hsm_key_free(hsmkey2);
2529 key_data_free(mutkey);
2530 hsm_key_free(newhsmkey);
2531 key_data_list_free(keylist);
2532 policy_key_list_free(policykeylist);
2533 return now + 60;
2534 }
2535
2536 ods_log_verbose("[%s] %s: decommissioning old key: %s", module_str, scmd, hsm_key_locator(hsmkey2));
2537
2538 key_data_free(mutkey2);
2539 mutkey2 = NULL;
2540 }
2541 hsm_key_free(hsmkey2);
2542 hsmkey2 = NULL;
2543 }
2544
2545 key_data_free(mutkey);
2546 mutkey = NULL;
2547 hsm_key_free(newhsmkey);
2548 newhsmkey = NULL;
2549
2550 /*
2551 * Clear roll now (if set) in the zone for this policy key.
2552 */
2553 if (enforce_roll(zone, pkey)) {
2554 if (set_roll(zone, pkey, 0)) {
2555 /* TODO: better log error */
2556 ods_log_error("[%s] %s: error set_roll()", module_str, scmd);
2557 key_data_list_free(keylist);
2558 policy_key_list_free(policykeylist);
2559 return now + 60;
2560 }
2561 *zone_updated = 1;
2562 }
2563 }
2564
2565 key_data_list_free(keylist);
2566 policy_key_list_free(policykeylist);
2567
2568 return return_at;
2569}
2570
2571static time_t
2572removeDeadKeys(db_connection_t *dbconn, key_data_t** keylist,
2573 size_t keylist_size, key_dependency_list_t *deplist, const time_t now,
2574 const int purgetime)
2575{
2576 static const char *scmd = "removeDeadKeys";
2577 time_t first_purge = -1, key_time;
2578 size_t i, deplist2_size = 0;
2579 int key_purgable, cmp;
2580 unsigned int j;
2581 const key_state_t* state = NULL;
2582 key_dependency_t **deplist2 = NULL;
2583
2584 assert(keylist);
2585 assert(deplist);
2586
2587 deplist2_size = key_dependency_list_size(deplist);
2588 deplist2 = (key_dependency_t**)calloc(deplist2_size, sizeof(key_dependency_t*));
2589 /* deplist might be NULL but is always freeable */
2590 if (deplist2_size > 0)
2591 deplist2[0] = key_dependency_list_get_begin(deplist);
2592 for (i = 1; i < deplist2_size; i++)
2593 deplist2[i] = key_dependency_list_get_next(deplist);
2594
2595 for (i = 0; i < keylist_size; i++) {
2596 if (key_data_introducing(keylist[i])) continue;
2597 key_time = -1;
2598 key_purgable = 1;
2599 for (j = 0; j<4; j++) {
2600 switch(j){
2601 case 0: state = key_data_cached_ds(keylist[i]); break;
2602 case 1: state = key_data_cached_dnskey(keylist[i]); break;
2603 case 2: state = key_data_cached_rrsigdnskey(keylist[i]); break;
2604 case 3: state = key_data_cached_rrsig(keylist[i]);
2605 }
2606 if (key_state_state(state) == NA) continue;
2607 if (key_state_state(state) != HIDDEN) {
2608 key_purgable = 0;
2609 break;
2610 }
2611 if (key_time == -1 || key_state_last_change(state) > (unsigned int)key_time) {
2612 key_time = key_state_last_change(state);
2613 }
2614 }
2615 if (key_time != -1) key_time = addtime(key_time, purgetime);
2616 if (key_purgable) {
2617 /* key is purgable, is it time yet? */
2618 if (now >= key_time) {
2619 key_state_t* ks_ds = key_data_get_cached_ds(keylist[i]);
2620 key_state_t* ks_dk = key_data_get_cached_dnskey(keylist[i]);
2621 key_state_t* ks_rd = key_data_get_cached_rrsigdnskey(keylist[i]);
2622 key_state_t* ks_rs = key_data_get_cached_rrsig(keylist[i]);
2623
2624 ods_log_info("[%s] %s deleting key: %s", module_str, scmd,
2626
2627 if ( key_state_delete(ks_ds) || key_state_delete(ks_dk)
2628 || key_state_delete(ks_rd) || key_state_delete(ks_rs)
2629 || key_data_delete(keylist[i])
2631 {
2632 /* TODO: better log error */
2633 ods_log_error("[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2634 }
2635 key_state_free(ks_ds);
2636 key_state_free(ks_dk);
2637 key_state_free(ks_rd);
2638 key_state_free(ks_rs);
2639 } else {
2640 minTime(key_time, &first_purge);
2641 }
2642 /* we can clean up dependency because key is purgable */
2643
2644 for (j = 0; j < deplist2_size; j++) {
2645 if (!deplist2[j]) continue;
2646 if (db_value_cmp(key_data_id(keylist[i]), key_dependency_from_key_data_id(deplist2[j]), &cmp)) {
2647 /* TODO: better log error */
2648 ods_log_error("[%s] %s: cmp deplist from failed", module_str, scmd);
2649 break;
2650 }
2651 if(cmp) continue;
2652
2653 if (key_dependency_delete(deplist2[j])) {
2654 /* TODO: better log error */
2655 ods_log_error("[%s] %s: key_dependency_delete() failed", module_str, scmd);
2656 break;
2657 }
2658 }
2659 }
2660 }
2661 for (i = 0; i < deplist2_size; i++){
2662 key_dependency_free(deplist2[i]);
2663 }
2664 free(deplist2);
2665
2666 int deleteCount = hsm_key_factory_delete_key(dbconn);
2667 ods_log_info("[%s] %s: keys deleted from HSM: %d", module_str, scmd, deleteCount);
2668
2669 return first_purge;
2670}
2671
2672time_t
2673update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
2674{
2675 int allow_unsigned = 0;
2676 time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2677 key_data_list_t *key_list;
2678 const key_data_t* key;
2679 key_data_t** keylist = NULL;
2680 size_t keylist_size, i;
2681 key_dependency_list_t *deplist;
2682 static const char *scmd = "update";
2683 int key_data_updated;
2684
2685 if (!engine) {
2686 ods_log_error("[%s] no engine", module_str);
2687 return now + 60;
2688 }
2689 if (!dbconn) {
2690 ods_log_error("[%s] no dbconn", module_str);
2691 return now + 60;
2692 }
2693 if (!zone) {
2694 ods_log_error("[%s] no zone", module_str);
2695 return now + 60;
2696 }
2697 if (!policy) {
2698 ods_log_error("[%s] no policy", module_str);
2699 return now + 60;
2700 }
2701 if (!zone_updated) {
2702 ods_log_error("[%s] no zone_updated", module_str);
2703 return now + 60;
2704 }
2705
2706 ods_log_info("[%s] update zone: %s", module_str, zone_db_name(zone));
2707
2708 if (engine->config->rollover_notification && zone_db_next_ksk_roll(zone) > 0) {
2709 if ((time_t)zone_db_next_ksk_roll(zone) - engine->config->rollover_notification <= now
2710 && (time_t)zone_db_next_ksk_roll(zone) != now) {
2711 time_t t = (time_t) zone_db_next_ksk_roll(zone);
2712 ods_log_info("[%s] KSK Rollover for zone %s is impending, "
2713 "rollover will happen at %s",
2714 module_str, zone_db_name(zone), ctime(&t));
2715 }
2716 }
2717 else if (engine->config->rollover_notification && zone_db_next_csk_roll(zone) > 0) {
2718 if ((time_t)zone_db_next_csk_roll(zone) - engine->config->rollover_notification <= now
2719 && (time_t)zone_db_next_csk_roll(zone) != now) {
2720 time_t t = (time_t) zone_db_next_csk_roll(zone);
2721 ods_log_info("[%s] CSK Rollover for zone %s is impending, "
2722 "rollover will happen at %s",
2723 module_str, zone_db_name(zone), ctime(&t));
2724 }
2725 }
2726
2727
2728 /*
2729 * Update policy.
2730 */
2731 policy_return_time = updatePolicy(engine, dbconn, policy, zone, now, &allow_unsigned, zone_updated);
2732
2733 if (allow_unsigned) {
2734 ods_log_info("[%s] No keys configured for %s, zone will become unsigned eventually",
2735 module_str, zone_db_name(zone));
2736 }
2737
2738 /*
2739 * Get all key data/state/hsm objects for later processing.
2740 */
2741 if (!(deplist = zone_db_get_key_dependencies(zone))) {
2742 /* TODO: better log error */
2743 ods_log_error("[%s] %s: error zone_db_get_key_dependencies()", module_str, scmd);
2744 key_dependency_list_free(deplist);
2745 return now + 60;
2746 }
2747 if (!(key_list = zone_db_get_keys(zone))) {
2748 /* TODO: better log error */
2749 ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2750 key_data_list_free(key_list);
2751 key_dependency_list_free(deplist);
2752 return now + 60;
2753 }
2754 /*WTF DOES THIS CODE DO?*/
2755 if (!(keylist_size = key_data_list_size(key_list))) {
2756 if ((key = key_data_list_begin(key_list))) {
2757 while (key) {
2758 keylist_size++;
2759 key = key_data_list_next(key_list);
2760 }
2761 }
2762 }
2763 if (keylist_size) {
2764 if (!(keylist = (key_data_t**)calloc(keylist_size, sizeof(key_data_t*)))) {
2765 /* TODO: better log error */
2766 ods_log_error("[%s] %s: error calloc(keylist_size)", module_str, scmd);
2767 key_data_list_free(key_list);
2768 key_dependency_list_free(deplist);
2769 return now + 60;
2770 }
2771 for (i = 0; i < keylist_size; i++) {
2772 if (!i) {
2773 keylist[i] = key_data_list_get_begin(key_list);
2774 }
2775 else {
2776 keylist[i] = key_data_list_get_next(key_list);
2777 }
2778 if (!keylist[i]
2779 || key_data_cache_hsm_key(keylist[i])
2780 || key_data_cache_key_states(keylist[i]))
2781 {
2782 ods_log_error("[%s] %s: error key_data_list cache", module_str, scmd);
2783 for (i = 0; i < keylist_size; i++) {
2784 if (keylist[i]) {
2785 key_data_free(keylist[i]);
2786 }
2787 }
2788 free(keylist);
2789 key_data_list_free(key_list);
2790 key_dependency_list_free(deplist);
2791 return now + 60;
2792 }
2793 }
2794 }
2795 key_data_list_free(key_list);
2796
2797
2798 /*
2799 * Only purge old keys if the policy says so.
2800 */
2801 if (policy_keys_purge_after(policy) && keylist) {
2802 purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2804 }
2805
2806
2807 /*
2808 * Update zone.
2809 */
2810 zone_return_time = updateZone(dbconn, policy, zone, now, allow_unsigned, zone_updated,
2811 keylist, keylist_size, deplist);
2812
2813
2814 /*
2815 * Always set these flags. Normally this needs to be done _only_ when the
2816 * Signer config needs writing. However a previous Signer config might not
2817 * be available, we have no way of telling. :(
2818 */
2819 for (i = 0; i < keylist_size; i++) {
2820 key_data_updated = 0;
2821
2822 /* hack */
2823 key_data_set_publish(keylist[i], 0);
2824 key_data_set_active_ksk(keylist[i], 0);
2825 key_data_set_active_zsk(keylist[i], 0);
2826 key_data_updated = 1;
2827 /*
2828 * TODO: description
2829 */
2832 {
2833 if (!key_data_publish(keylist[i])) {
2834 if (key_data_set_publish(keylist[i], 1)) {
2835 ods_log_error("[%s] %s: key_data_set_publish() failed",
2836 module_str, scmd);
2837 break;
2838 }
2839
2840 key_data_updated = 1;
2841 }
2842 }
2843
2844 /*
2845 * TODO: description
2846 */
2849 {
2850 if (!key_data_active_ksk(keylist[i])) {
2851 if (key_data_set_active_ksk(keylist[i], 1)) {
2852 ods_log_error("[%s] %s: key_data_set_active_ksk() failed",
2853 module_str, scmd);
2854 break;
2855 }
2856
2857 key_data_updated = 1;
2858 }
2859 }
2860
2861 /*
2862 * TODO: description
2863 */
2866 {
2867 if (!key_data_active_zsk(keylist[i])) {
2868 if (key_data_set_active_zsk(keylist[i], 1)) {
2869 ods_log_error("[%s] %s: key_data_set_active_zsk() failed",
2870 module_str, scmd);
2871 break;
2872 }
2873
2874 key_data_updated = 1;
2875 }
2876 }
2877
2878 if (key_data_updated) {
2879 if (key_data_update(keylist[i])) {
2880 ods_log_error("[%s] %s: key_data_update() failed",
2881 module_str, scmd);
2882 break;
2883 }
2884 }
2885 }
2886
2887 /*
2888 * Release cached objects.
2889 */
2890 for (i = 0; i < keylist_size; i++) {
2891 if (keylist[i]) {
2892 key_data_free(keylist[i]);
2893 }
2894 }
2895 free(keylist);
2896 key_dependency_list_free(deplist);
2897
2898 return_time = zone_return_time;
2899 minTime(policy_return_time, &return_time);
2900 /*
2901 * Take the rollover notification time into account when scheduling
2902 * this zone. We will need to print a message at that time.
2903 */
2904 if (zone_db_next_ksk_roll(zone) > 0
2905 && (zone_db_next_ksk_roll(zone) - engine->config->rollover_notification > now)) {
2906 minTime(zone_db_next_ksk_roll(zone) - engine->config->rollover_notification, &return_time);
2907 }
2908 else if (zone_db_next_csk_roll(zone) > 0
2909 && (zone_db_next_csk_roll(zone) - engine->config->rollover_notification > now)) {
2910 minTime(zone_db_next_csk_roll(zone) - engine->config->rollover_notification, &return_time);
2911 }
2912
2913 minTime(purge_return_time, &return_time);
2914 return return_time;
2915}
#define DB_OK
Definition: db_error.h:36
int db_value_cmp(const db_value_t *value_a, const db_value_t *value_b, int *result)
Definition: db_value.c:102
#define OMNIPRESENT
Definition: enforcer.c:68
time_t update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
Definition: enforcer.c:2673
#define NOKEY_TIMEOUT
Definition: enforcer.c:75
#define NA
Definition: enforcer.c:70
#define HIDDEN
Definition: enforcer.c:66
#define RUMOURED
Definition: enforcer.c:67
#define UNRETENTIVE
Definition: enforcer.c:69
hsm_key_t * hsm_key_list_get_begin(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1888
void hsm_key_free(hsm_key_t *hsm_key)
Definition: hsm_key.c:286
const char * hsm_key_repository(const hsm_key_t *hsm_key)
Definition: hsm_key.c:568
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition: hsm_key.c:520
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1496
unsigned int hsm_key_algorithm(const hsm_key_t *hsm_key)
Definition: hsm_key.c:544
unsigned int hsm_key_bits(const hsm_key_t *hsm_key)
Definition: hsm_key.c:536
unsigned int hsm_key_inception(const hsm_key_t *hsm_key)
Definition: hsm_key.c:560
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
Definition: hsm_key.c:504
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1990
@ HSM_KEY_STATE_UNUSED
Definition: hsm_key.h:42
@ HSM_KEY_STATE_PRIVATE
Definition: hsm_key.h:43
@ HSM_KEY_STATE_SHARED
Definition: hsm_key.h:44
hsm_key_backup
Definition: hsm_key.h:64
@ HSM_KEY_BACKUP_BACKUP_REQUESTED
Definition: hsm_key.h:68
@ HSM_KEY_BACKUP_BACKUP_REQUIRED
Definition: hsm_key.h:67
hsm_key_role
Definition: hsm_key.h:49
#define HSM_KEY_ROLE_SEP(role)
Definition: hsm_key.h:57
hsm_key_list_t * hsm_key_list_new_get_by_policy_key(const policy_key_t *pkey)
Definition: hsm_key_ext.c:43
int hsm_key_factory_delete_key(const db_connection_t *connection)
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
int key_data_set_minimize(key_data_t *key_data, unsigned int minimize)
Definition: key_data.c:966
int key_data_cmp(const key_data_t *key_data_a, const key_data_t *key_data_b)
Definition: key_data.c:402
unsigned int key_data_active_ksk(const key_data_t *key_data)
Definition: key_data.c:751
const db_value_t * key_data_id(const key_data_t *key_data)
Definition: key_data.c:553
size_t key_data_list_size(key_data_list_t *key_data_list)
Definition: key_data.c:2461
int key_data_get_by_id(key_data_t *key_data, const db_value_t *id)
Definition: key_data.c:1296
int key_data_update(key_data_t *key_data)
Definition: key_data.c:1349
int key_data_delete(key_data_t *key_data)
Definition: key_data.c:1587
void key_data_free(key_data_t *key_data)
Definition: key_data.c:304
int key_data_set_role(key_data_t *key_data, key_data_role_t role)
Definition: key_data.c:890
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
Definition: key_data.c:649
int key_data_set_introducing(key_data_t *key_data, unsigned int introducing)
Definition: key_data.c:903
int key_data_set_active_zsk(key_data_t *key_data, unsigned int active_zsk)
Definition: key_data.c:913
int key_data_set_publish(key_data_t *key_data, unsigned int publish)
Definition: key_data.c:923
int key_data_set_zone_id(key_data_t *key_data, const db_value_t *zone_id)
Definition: key_data.c:832
const char * key_data_role_text(const key_data_t *key_data)
Definition: key_data.c:711
unsigned int key_data_publish(const key_data_t *key_data)
Definition: key_data.c:743
int key_data_set_algorithm(key_data_t *key_data, unsigned int algorithm)
Definition: key_data.c:870
void key_data_list_free(key_data_list_t *key_data_list)
Definition: key_data.c:1694
int key_data_set_inception(key_data_t *key_data, unsigned int inception)
Definition: key_data.c:880
unsigned int key_data_introducing(const key_data_t *key_data)
Definition: key_data.c:727
int key_data_set_hsm_key_id(key_data_t *key_data, const db_value_t *hsm_key_id)
Definition: key_data.c:851
const key_data_t * key_data_list_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2267
unsigned int key_data_inception(const key_data_t *key_data)
Definition: key_data.c:695
unsigned int key_data_active_zsk(const key_data_t *key_data)
Definition: key_data.c:735
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
Definition: key_data.c:2425
int key_data_cache_hsm_key(key_data_t *key_data)
Definition: key_data.c:615
const db_value_t * key_data_hsm_key_id(const key_data_t *key_data)
Definition: key_data.c:607
int key_data_set_keytag(key_data_t *key_data, unsigned int keytag)
Definition: key_data.c:956
int key_data_create(key_data_t *key_data)
Definition: key_data.c:1093
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
Definition: key_data.c:943
key_data_t * key_data_new(const db_connection_t *connection)
Definition: key_data.c:264
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
Definition: key_data.c:2359
unsigned int key_data_algorithm(const key_data_t *key_data)
Definition: key_data.c:687
unsigned int key_data_minimize(const key_data_t *key_data)
Definition: key_data.c:775
key_data_t * key_data_list_get_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2323
int key_data_set_active_ksk(key_data_t *key_data, unsigned int active_ksk)
Definition: key_data.c:933
key_data_t * key_data_new_copy(const key_data_t *key_data)
Definition: key_data.c:285
key_data_role
Definition: key_data.h:40
@ KEY_DATA_ROLE_ZSK
Definition: key_data.h:43
@ KEY_DATA_ROLE_INVALID
Definition: key_data.h:41
@ KEY_DATA_ROLE_KSK
Definition: key_data.h:42
@ KEY_DATA_ROLE_CSK
Definition: key_data.h:44
enum key_data_role key_data_role_t
key_data_ds_at_parent
Definition: key_data.h:50
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
Definition: key_data.h:54
@ KEY_DATA_DS_AT_PARENT_RETRACT
Definition: key_data.h:56
@ KEY_DATA_DS_AT_PARENT_UNSUBMITTED
Definition: key_data.h:52
@ KEY_DATA_DS_AT_PARENT_SEEN
Definition: key_data.h:55
@ KEY_DATA_DS_AT_PARENT_SUBMIT
Definition: key_data.h:53
@ KEY_DATA_DS_AT_PARENT_RETRACTED
Definition: key_data.h:57
key_state_t * key_data_get_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:92
const key_state_t * key_data_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:64
int key_data_cache_key_states(key_data_t *key_data)
Definition: key_data_ext.c:33
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:68
key_state_t * key_data_get_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:84
key_state_t * key_data_get_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:100
const hsm_key_t * key_data_cached_hsm_key(const key_data_t *key_data)
Definition: key_data_ext.c:108
const key_state_t * key_data_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:60
key_state_t * key_data_get_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:76
const key_state_t * key_data_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:72
void key_dependency_free(key_dependency_t *key_dependency)
int key_dependency_set_zone_id(key_dependency_t *key_dependency, const db_value_t *zone_id)
key_dependency_t * key_dependency_new(const db_connection_t *connection)
key_data_t * key_dependency_get_from_key_data(const key_dependency_t *key_dependency)
const key_dependency_t * key_dependency_list_next(key_dependency_list_t *key_dependency_list)
int key_dependency_set_type(key_dependency_t *key_dependency, key_dependency_type_t type)
const key_dependency_t * key_dependency_list_begin(key_dependency_list_t *key_dependency_list)
key_dependency_t * key_dependency_list_get_next(key_dependency_list_t *key_dependency_list)
const db_value_t * key_dependency_to_key_data_id(const key_dependency_t *key_dependency)
void key_dependency_list_free(key_dependency_list_t *key_dependency_list)
const db_value_t * key_dependency_from_key_data_id(const key_dependency_t *key_dependency)
size_t key_dependency_list_size(key_dependency_list_t *key_dependency_list)
int key_dependency_set_from_key_data_id(key_dependency_t *key_dependency, const db_value_t *from_key_data_id)
int key_dependency_delete(key_dependency_t *key_dependency)
int key_dependency_create(key_dependency_t *key_dependency)
key_dependency_list_t * key_dependency_list_new_copy(const key_dependency_list_t *from_key_dependency_list)
int key_dependency_set_to_key_data_id(key_dependency_t *key_dependency, const db_value_t *to_key_data_id)
key_dependency_t * key_dependency_list_get_begin(key_dependency_list_t *key_dependency_list)
enum key_dependency_type key_dependency_type_t
key_dependency_type
@ KEY_DEPENDENCY_TYPE_DNSKEY
@ KEY_DEPENDENCY_TYPE_RRSIGDNSKEY
@ KEY_DEPENDENCY_TYPE_DS
@ KEY_DEPENDENCY_TYPE_RRSIG
unsigned int key_state_minimize(const key_state_t *key_state)
Definition: key_state.c:401
int key_state_set_minimize(key_state_t *key_state, unsigned int minimize)
Definition: key_state.c:472
int key_state_delete(const key_state_t *key_state)
Definition: key_state.c:831
const char * key_state_state_text(const key_state_t *key_state)
Definition: key_state.c:377
key_state_t * key_state_new(const db_connection_t *connection)
Definition: key_state.c:176
int key_state_set_ttl(key_state_t *key_state, unsigned int ttl)
Definition: key_state.c:482
void key_state_free(key_state_t *key_state)
Definition: key_state.c:214
int key_state_set_last_change(key_state_t *key_state, unsigned int last_change)
Definition: key_state.c:462
int key_state_set_type(key_state_t *key_state, key_state_type_t type)
Definition: key_state.c:436
int key_state_create(key_state_t *key_state)
Definition: key_state.c:519
const db_enum_t key_state_enum_set_type[]
Definition: key_state.c:36
const db_enum_t key_state_enum_set_state[]
Definition: key_state.c:44
const char * key_state_type_text(const key_state_t *key_state)
Definition: key_state.c:353
int key_state_set_key_data_id(key_state_t *key_state, const db_value_t *key_data_id)
Definition: key_state.c:417
unsigned int key_state_last_change(const key_state_t *key_state)
Definition: key_state.c:393
int key_state_set_state(key_state_t *key_state, key_state_state_t state)
Definition: key_state.c:449
int key_state_update(key_state_t *key_state)
Definition: key_state.c:684
enum key_state_state key_state_state_t
enum key_state_type key_state_type_t
@ KEY_STATE_TYPE_DNSKEY
Definition: key_state.h:44
@ KEY_STATE_TYPE_RRSIG
Definition: key_state.h:43
@ KEY_STATE_TYPE_DS
Definition: key_state.h:42
@ KEY_STATE_TYPE_RRSIGDNSKEY
Definition: key_state.h:45
key_state_state
Definition: key_state.h:49
@ KEY_STATE_STATE_INVALID
Definition: key_state.h:50
unsigned int policy_zone_propagation_delay(const policy_t *policy)
Definition: policy.c:1005
unsigned int policy_signatures_validity_denial(const policy_t *policy)
Definition: policy.c:869
unsigned int policy_keys_purge_after(const policy_t *policy)
Definition: policy.c:997
unsigned int policy_parent_ds_ttl(const policy_t *policy)
Definition: policy.c:1061
unsigned int policy_signatures_resign(const policy_t *policy)
Definition: policy.c:829
unsigned int policy_keys_ttl(const policy_t *policy)
Definition: policy.c:965
unsigned int policy_parent_propagation_delay(const policy_t *policy)
Definition: policy.c:1053
unsigned int policy_zone_soa_ttl(const policy_t *policy)
Definition: policy.c:1013
unsigned int policy_zone_soa_minimum(const policy_t *policy)
Definition: policy.c:1021
unsigned int policy_signatures_refresh(const policy_t *policy)
Definition: policy.c:837
unsigned int policy_denial_ttl(const policy_t *policy)
Definition: policy.c:909
unsigned int policy_signatures_max_zone_ttl(const policy_t *policy)
Definition: policy.c:885
const char * policy_name(const policy_t *policy)
Definition: policy.c:813
unsigned int policy_keys_shared(const policy_t *policy)
Definition: policy.c:989
unsigned int policy_signatures_jitter(const policy_t *policy)
Definition: policy.c:845
unsigned int policy_parent_registration_delay(const policy_t *policy)
Definition: policy.c:1045
unsigned int policy_signatures_validity_default(const policy_t *policy)
Definition: policy.c:861
unsigned int policy_keys_publish_safety(const policy_t *policy)
Definition: policy.c:981
unsigned int policy_keys_retire_safety(const policy_t *policy)
Definition: policy.c:973
policy_denial_type
Definition: policy.h:40
@ POLICY_DENIAL_TYPE_NSEC3
Definition: policy.h:43
policy_key_list_t * policy_get_policy_keys(const policy_t *policy)
Definition: policy_ext.c:1241
size_t policy_key_list_size(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1480
unsigned int policy_key_minimize(const policy_key_t *policy_key)
Definition: policy_key.c:566
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
Definition: policy_key.c:526
const policy_key_t * policy_key_list_begin(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1322
unsigned int policy_key_manual_rollover(const policy_key_t *policy_key)
Definition: policy_key.c:550
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1378
const char * policy_key_repository(const policy_key_t *policy_key)
Definition: policy_key.c:534
void policy_key_list_free(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1006
const char * policy_key_role_text(const policy_key_t *policy_key)
Definition: policy_key.c:494
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
Definition: policy_key.c:510
unsigned int policy_key_bits(const policy_key_t *policy_key)
Definition: policy_key.c:518
policy_key_role
Definition: policy_key.h:40
@ POLICY_KEY_ROLE_KSK
Definition: policy_key.h:42
@ POLICY_KEY_ROLE_CSK
Definition: policy_key.h:44
@ POLICY_KEY_ROLE_ZSK
Definition: policy_key.h:43
int value
Definition: db_enum.h:40
const char * text
Definition: db_enum.h:39
engineconfig_type * config
Definition: engine.h:48
time_t rollover_notification
Definition: cfg.h:78
key_state_state_t next_state
Definition: enforcer.c:80
int pretend_update
Definition: enforcer.c:81
key_data_t * key
Definition: enforcer.c:78
key_state_type_t type
Definition: enforcer.c:79
hsm_key_state_t state
Definition: hsm_key.h:87
key_dependency_type_t type
Definition: policy.h:60
unsigned int next_zsk_roll
Definition: zone_db.h:68
unsigned int next_csk_roll
Definition: zone_db.h:69
unsigned int next_ksk_roll
Definition: zone_db.h:67
unsigned int zone_db_roll_zsk_now(const zone_db_t *zone)
Definition: zone_db.c:846
int zone_db_set_ttl_end_dk(zone_db_t *zone, unsigned int ttl_end_dk)
Definition: zone_db.c:1011
unsigned int zone_db_ttl_end_rs(const zone_db_t *zone)
Definition: zone_db.c:830
int zone_db_set_signconf_needs_writing(zone_db_t *zone, unsigned int signconf_needs_writing)
Definition: zone_db.c:959
unsigned int zone_db_ttl_end_ds(const zone_db_t *zone)
Definition: zone_db.c:814
int zone_db_set_roll_zsk_now(zone_db_t *zone, unsigned int roll_zsk_now)
Definition: zone_db.c:1041
int zone_db_set_roll_csk_now(zone_db_t *zone, unsigned int roll_csk_now)
Definition: zone_db.c:1051
unsigned int zone_db_roll_ksk_now(const zone_db_t *zone)
Definition: zone_db.c:838
const char * zone_db_name(const zone_db_t *zone)
Definition: zone_db.c:782
unsigned int zone_db_next_ksk_roll(const zone_db_t *zone)
Definition: zone_db.c:894
unsigned int zone_db_next_csk_roll(const zone_db_t *zone)
Definition: zone_db.c:910
int zone_db_set_ttl_end_ds(zone_db_t *zone, unsigned int ttl_end_ds)
Definition: zone_db.c:1001
int zone_db_set_roll_ksk_now(zone_db_t *zone, unsigned int roll_ksk_now)
Definition: zone_db.c:1031
unsigned int zone_db_ttl_end_dk(const zone_db_t *zone)
Definition: zone_db.c:822
const db_value_t * zone_db_id(const zone_db_t *zone)
Definition: zone_db.c:728
unsigned int zone_db_signconf_needs_writing(const zone_db_t *zone)
Definition: zone_db.c:790
unsigned int zone_db_roll_csk_now(const zone_db_t *zone)
Definition: zone_db.c:854
int zone_db_set_ttl_end_rs(zone_db_t *zone, unsigned int ttl_end_rs)
Definition: zone_db.c:1021
key_dependency_list_t * zone_db_get_key_dependencies(const zone_db_t *zone)
Definition: zone_db_ext.c:76
key_data_list_t * zone_db_get_keys(const zone_db_t *zone)
Definition: zone_db_ext.c:56