OpenDNSSEC-enforcer 2.1.13
enforcer.c
Go to the documentation of this file.
1/*
2 * Copyright (c) 2011 NLNet Labs. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 */
26
27/*
28 * @section DESCRIPTION
29 *
30 * This module controls the order and time for keys to be introduced,
31 * generated and discarded. It can be called for one zone at a time. It
32 * will then manipulate its keys and bring them closer to their goal,
33 * within bounds of the zone's policy. New keys may be fetched from the
34 * HSM and old keys discarded. When done, the update function returns
35 * a time at which it need to be called again for this zone. Unless
36 * there is an unscheduled change for this zone (some user input) it
37 * should not be called sooner. Calling sooner is not harmful in any
38 * way but also not effective. Calling later does not do any harm as
39 * well, however rollovers may be delayed.
40 */
41
42#include "config.h"
43
44#include <time.h>
45
46#include "libhsm.h"
48
49#include <libhsmdns.h>
50#include <ldns/ldns.h>
51
52#include "duration.h"
53#include "log.h"
54#include "daemon/engine.h"
55
56#include "db/zone_db.h"
57#include "db/policy.h"
58#include "db/policy_key.h"
59#include "db/hsm_key.h"
60#include "db/key_data.h"
61#include "db/key_dependency.h"
62#include "db/db_error.h"
63
64#include "enforcer/enforcer.h"
65
66#define HIDDEN KEY_STATE_STATE_HIDDEN
67#define RUMOURED KEY_STATE_STATE_RUMOURED
68#define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT
69#define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE
70#define NA KEY_STATE_STATE_NA
71
72static const char *module_str = "enforcer";
73
75#define NOKEY_TIMEOUT 60
76
83
84static int max(int a, int b) { return a>b?a:b; }
85static int min(int a, int b) { return a<b?a:b; }
86
96static inline void
97minTime(const time_t t, time_t* min)
98{
99 ods_log_assert(min);
100 if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
101}
102
112static time_t
113addtime(const time_t t, const int seconds)
114{
115 struct tm *tp = localtime(&t);
116 if (!tp) return -1; /* bad, but mktime also returns -1 on error */
117 tp->tm_sec += seconds;
118 return mktime(tp);
119}
120
127static inline const key_state_t*
128getRecord(key_data_t* key, key_state_type_t type)
129{
130 if (!key) {
131 return NULL;
132 }
133
134 switch (type) {
136 return key_data_cached_ds(key);
137
139 return key_data_cached_dnskey(key);
140
142 return key_data_cached_rrsig(key);
143
145 return key_data_cached_rrsigdnskey(key);
146
147 default:
148 break;
149 }
150
151 return NULL;
152}
153
159static inline key_state_state_t
160getState(key_data_t* key, key_state_type_t type, struct future_key *future_key)
161{
162 int cmp;
163
164 if (!key) {
166 }
167
168 if (future_key
170 && future_key->type == type
171 && future_key->key)
172 {
175 }
176 if (!cmp) {
177 return future_key->next_state;
178 }
179 }
180
181 return key_state_state(getRecord(key, type));
182}
183
196getDesiredState(int introducing, key_state_state_t state)
197{
198 /*
199 * Given goal and state, what will be the next state?
200 */
201 if (!introducing) {
202 /*
203 * We are outroducing this key so we would like to move rumoured and
204 * omnipresent keys to unretentive and unretentive keys to hidden.
205 */
206 switch (state) {
207 case HIDDEN:
208 break;
209
210 case RUMOURED:
211 state = UNRETENTIVE;
212 break;
213
214 case OMNIPRESENT:
215 state = UNRETENTIVE;
216 break;
217
218 case UNRETENTIVE:
219 state = HIDDEN;
220 break;
221
222 case NA:
223 break;
224
225 default:
227 break;
228 }
229 }
230 else {
231 /*
232 * We are introducing this key so we would like to move hidden and
233 * unretentive keys to rumoured and rumoured keys to omnipresent.
234 */
235 switch (state) {
236 case HIDDEN:
237 state = RUMOURED;
238 break;
239
240 case RUMOURED:
241 state = OMNIPRESENT;
242 break;
243
244 case OMNIPRESENT:
245 break;
246
247 case UNRETENTIVE:
248 state = RUMOURED;
249 break;
250
251 case NA:
252 break;
253
254 default:
256 break;
257 }
258 }
259
260 return state;
261}
262
269static int
270match(key_data_t* key, struct future_key *future_key, int same_algorithm,
271 const key_state_state_t mask[4])
272{
273 if (!key) {
274 return -1;
275 }
276 if (!future_key) {
277 return -1;
278 }
279 if (!future_key->key) {
280 return -1;
281 }
282
283 if (same_algorithm
285 {
286 return 0;
287 }
288
289 /*
290 * Check the states against the mask, for each mask that is not NA we
291 * need a match on that key state.
292 */
293 if ((mask[0] != NA
294 && getState(key, KEY_STATE_TYPE_DS, future_key) != mask[0])
295 || (mask[1] != NA
296 && getState(key, KEY_STATE_TYPE_DNSKEY, future_key) != mask[1])
297 || (mask[2] != NA
298 && getState(key, KEY_STATE_TYPE_RRSIGDNSKEY, future_key) != mask[2])
299 || (mask[3] != NA
300 && getState(key, KEY_STATE_TYPE_RRSIG, future_key) != mask[3]))
301 {
302 return 0;
303 }
304 return 1;
305}
306
313static int
314exists(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
315 int same_algorithm, const key_state_state_t mask[4])
316{
317 size_t i;
318 if (!keylist || !future_key || !future_key->key)
319 return -1;
320 /* Check the states against the mask. If we have a match we return a
321 * positive value. */
322 for (i = 0; i < keylist_size; i++) {
323 if (match(keylist[i], future_key, same_algorithm, mask) > 0)
324 return 1;
325 }
326 return 0; /* We've got no match. */
327}
328
335static int
336isPotentialSuccessor(key_data_t* successor_key, key_data_t* predecessor_key,
338{
339 if (!successor_key || !predecessor_key || !future_key)
340 return -1;
341
342 /* You can't be a successor of yourself */
343 if (!key_data_cmp(successor_key, predecessor_key)) return 0;
344
345 /*
346 * TODO
347 */
348 if (getState(successor_key, type, future_key) != RUMOURED
349 || key_data_algorithm(successor_key) != key_data_algorithm(predecessor_key))
350 {
351 return 0;
352 }
353
354 /*
355 * TODO
356 */
357 switch (type) {
358 case KEY_STATE_TYPE_DS: /* Intentional fall-through */
360 /*
361 * TODO
362 */
363 if (getState(successor_key, KEY_STATE_TYPE_DNSKEY, future_key) == OMNIPRESENT) {
364 return 1;
365 }
366 break;
367
369 /*
370 * Either both DS's should be omnipresent or both signatures, for the
371 * keys to be in a potential relationship for the DNSKEY.
372 */
373 if ((getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT
374 && getState(successor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT)
375 || (getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT
376 && getState(successor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT))
377 {
378 return 1;
379 }
380 break;
381
383 /*
384 * TODO
385 */
386 break;
387
388 default:
389 return -1;
390 }
391
392 return 0;
393}
394
401static int
402successor_rec(key_data_t** keylist, size_t keylist_size,
403 key_data_t* successor_key, key_data_t* predecessor_key,
404 struct future_key *future_key,
405 key_state_type_t type, key_dependency_list_t* deplist_ext)
406{
407 size_t i;
408 int cmp;
409 const key_dependency_t* dep;
410 key_data_t *from_key;
411 key_dependency_list_t* deplist;
412
413 if (!keylist) {
414 return -1;
415 }
416 if (!successor_key) {
417 return -1;
418 }
419 if (!predecessor_key) {
420 return -1;
421 }
422 if (!future_key) {
423 return -1;
424 }
425 if (!future_key->key) {
426 return -1;
427 }
428 if (!deplist_ext) {
429 return -1;
430 }
431
432 /*
433 * Make a copy of the deplist in order to preserve where we are in the list
434 * if we are calling ourselves later on.
435 *
436 * TODO: This can be optimized with the implementation of *_list_ref_t or
437 * allocating an array as with keylist.
438 */
439 if (!(deplist = key_dependency_list_new_copy(deplist_ext))) {
440 return -1;
441 }
442
443 /*
444 * Check the trivial case where the predecessor key is already a predecessor
445 * for the successor key.
446 */
447 for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
448 switch (key_dependency_type(dep)) {
450 if (type != KEY_STATE_TYPE_DS) {
451 continue;
452 }
453 break;
454
456 if (type != KEY_STATE_TYPE_RRSIG) {
457 continue;
458 }
459 break;
460
462 if (type != KEY_STATE_TYPE_DNSKEY) {
463 continue;
464 }
465 break;
466
468 if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
469 continue;
470 }
471 break;
472
473 default:
474 continue;
475 }
476
477 if (db_value_cmp(key_data_id(predecessor_key), key_dependency_from_key_data_id(dep), &cmp)) {
479 return -1;
480 }
481 if (cmp) {
482 continue;
483 }
484
485 if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
487 return -1;
488 }
489 if (cmp) {
490 continue;
491 }
492
494 return 1;
495 }
496
497 /*
498 * Check the trivial case where there is a direct relationship in the future
499 */
501 if (db_value_cmp(key_data_id(future_key->key), key_data_id(predecessor_key), &cmp)) {
503 return -1;
504 }
505 if (!cmp && isPotentialSuccessor(successor_key, predecessor_key, future_key, type) > 0) {
507 return 1;
508 }
509 }
510
511 /*
512 * Check for indirect relationship where X depends on S and X is in the same
513 * state as P and X is a successor of P.
514 */
515 for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
516 switch (key_dependency_type(dep)) {
518 if (type != KEY_STATE_TYPE_DS) {
519 continue;
520 }
521 break;
522
524 if (type != KEY_STATE_TYPE_RRSIG) {
525 continue;
526 }
527 break;
528
530 if (type != KEY_STATE_TYPE_DNSKEY) {
531 continue;
532 }
533 break;
534
536 if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
537 continue;
538 }
539 break;
540
541 default:
542 continue;
543 }
544
545 if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
547 return -1;
548 }
549 if (cmp) {
550 continue;
551 }
552
553 /*
554 * TODO: This may be optimized by searching for the key in the keylist
555 * first, only retrieving it from the database if needed or giving an
556 * error if it does not exist in the keylist.
557 */
558 if (!(from_key = key_dependency_get_from_key_data(dep))) {
560 return -1;
561 }
562
563 /*
564 * The RRSIGDNSKEY is not compared because TODO .
565 */
566 if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(from_key, KEY_STATE_TYPE_DS, future_key)
567 || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(from_key, KEY_STATE_TYPE_DNSKEY, future_key)
568 || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(from_key, KEY_STATE_TYPE_RRSIG, future_key))
569 {
570 key_data_free(from_key);
571 continue;
572 }
573 if (successor_rec(keylist, keylist_size, from_key, predecessor_key, future_key, type, deplist_ext) > 0) {
574 key_data_free(from_key);
576 return 1;
577 }
578 key_data_free(from_key);
579 }
581
582 /*
583 * TODO
584 */
586 for (i = 0; i < keylist_size; i++) {
587 if (db_value_cmp(key_data_id(predecessor_key), key_data_id(keylist[i]), &cmp)) {
588 return -1;
589 }
590 if (!cmp) {
591 continue;
592 }
593
594 if (isPotentialSuccessor(successor_key, keylist[i], future_key, type) > 0) {
595 /*
596 * The RRSIGDNSKEY is not compared because TODO .
597 */
598 if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(keylist[i], KEY_STATE_TYPE_DS, future_key)
599 || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(keylist[i], KEY_STATE_TYPE_DNSKEY, future_key)
600 || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(keylist[i], KEY_STATE_TYPE_RRSIG, future_key))
601 {
602 continue;
603 }
604 if (successor_rec(keylist+1, keylist_size-1, successor_key, keylist[i], future_key, type, deplist_ext) > 0) {
605 return 1;
606 }
607 }
608 }
609 }
610
611 return 0;
612}
613
620static int
621successor(key_data_t** keylist, size_t keylist_size, key_data_t* successor_key,
622 key_data_t* predecessor_key, struct future_key *future_key,
624{
625 int cmp;
626 const key_dependency_t* dep;
627
628 if (!keylist) {
629 return -1;
630 }
631 if (!successor_key) {
632 return -1;
633 }
634 if (!predecessor_key) {
635 return -1;
636 }
637 if (!future_key) {
638 return -1;
639 }
640 if (!future_key->key) {
641 return -1;
642 }
643 if (!deplist) {
644 return -1;
645 }
646
647 /*
648 * Nothing may depend on our predecessor.
649 */
650 for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
651 if (db_value_cmp(key_data_id(predecessor_key), key_dependency_to_key_data_id(dep), &cmp)) {
652 return -1;
653 }
654 if (!cmp) {
655 return 0;
656 }
657 }
658 return successor_rec(keylist, keylist_size, successor_key, predecessor_key, future_key, type, deplist);
659}
660
667static int
668exists_with_successor(key_data_t** keylist, size_t keylist_size,
669 struct future_key *future_key, int same_algorithm,
670 const key_state_state_t predecessor_mask[4],
671 const key_state_state_t successor_mask[4], key_state_type_t type,
672 key_dependency_list_t* deplist)
673{
674 size_t i, j;
675
676 if (!keylist) {
677 return -1;
678 }
679 if (!future_key) {
680 return -1;
681 }
682
683 /*
684 * Walk the list of keys, for each key that matches the successor mask we
685 * walk the list again and check that key against the keys that match the
686 * predecessor mask if has a valid successor/predecessor relationship.
687 */
688 for (i = 0; i < keylist_size; i++) {
689 if (match(keylist[i], future_key, same_algorithm, successor_mask) < 1) {
690 continue;
691 }
692
693 for (j = 0; j < keylist_size; j++) {
694 if (j == i
695 || match(keylist[j], future_key, same_algorithm, predecessor_mask) < 1)
696 {
697 continue;
698 }
699
700 if (successor(keylist, keylist_size, keylist[i], keylist[j], future_key, type, deplist) > 0) {
701 return 1;
702 }
703 }
704 }
705 return 0;
706}
707
714static int
715unsignedOk(key_data_t** keylist, size_t keylist_size,
716 struct future_key *future_key,
717 const key_state_state_t mask[4], key_state_type_t type)
718{
719 size_t i;
720 key_state_state_t cmp_mask[4];
721
722 if (!keylist) {
723 return -1;
724 }
725 if (!future_key) {
726 return -1;
727 }
728 if (!future_key->key) {
729 return -1;
730 }
731
732 for (i = 0; i < keylist_size; i++) {
734 continue;
735 }
736
737 cmp_mask[0] = type == KEY_STATE_TYPE_DS
738 ? getState(keylist[i], type, future_key)
739 : mask[0];
740 cmp_mask[1] = type == KEY_STATE_TYPE_DNSKEY
741 ? getState(keylist[i], type, future_key)
742 : mask[1];
743 cmp_mask[2] = type == KEY_STATE_TYPE_RRSIGDNSKEY
744 ? getState(keylist[i], type, future_key)
745 : mask[2];
746 cmp_mask[3] = type == KEY_STATE_TYPE_RRSIG
747 ? getState(keylist[i], type, future_key)
748 : mask[3];
749
750 /*
751 * If the state is hidden or NA for the given type this key is okay.
752 */
753 switch (type) {
755 if (cmp_mask[0] == HIDDEN || cmp_mask[0] == NA) {
756 continue;
757 }
758 break;
759
761 if (cmp_mask[1] == HIDDEN || cmp_mask[1] == NA) {
762 continue;
763 }
764 break;
765
767 if (cmp_mask[2] == HIDDEN || cmp_mask[2] == NA) {
768 continue;
769 }
770 break;
771
773 if (cmp_mask[3] == HIDDEN || cmp_mask[3] == NA) {
774 continue;
775 }
776 break;
777
778 default:
779 return -1;
780 }
781
782 if (exists(keylist, keylist_size, future_key, 1, cmp_mask) < 1) {
783 return 0;
784 }
785 }
786
787 return 1;
788}
789
790/* Check if ALL DS records for this algorithm are hidden
791 *
792 * \return 0 if !HIDDEN DS is found, 1 if no such DS where found */
793static int
794all_DS_hidden(key_data_t** keylist, size_t keylist_size,
795 struct future_key *future_key)
796{
797 size_t i;
798 key_state_state_t state;
799
800 assert(keylist);
801 assert(future_key);
802 assert(future_key->key);
803
804 for (i = 0; i < keylist_size; i++) {
805 /*If not same algorithm. Doesn't affect us.*/
806 if (key_data_algorithm(keylist[i]) != key_data_algorithm(future_key->key)) continue;
807 state = getState(keylist[i], KEY_STATE_TYPE_DS, future_key);
808 if (state != HIDDEN && state != NA) return 0; /*Test failed. Found DS.*/
809 }
810 return 1; /*No DS where found.*/
811}
812
819static int
820rule1(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
821 int pretend_update)
822{
823 static const key_state_state_t mask[2][4] = {
824 { OMNIPRESENT, NA, NA, NA },/* a good key state. */
825 { RUMOURED, NA, NA, NA } /* the DS is introducing. */
826 };
827
828 if (!keylist || !future_key || !future_key->key) {
829 return -1;
830 }
831
832 future_key->pretend_update = pretend_update;
833
834 /* Return positive value if any of the masks are found. */
835 return (exists(keylist, keylist_size, future_key, 0, mask[0]) > 0
836 || exists(keylist, keylist_size, future_key, 0, mask[1]) > 0);
837}
838
845static int
846rule2(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
847 int pretend_update, key_dependency_list_t* deplist)
848{
849 static const key_state_state_t mask[8][4] = {
850 { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA },/*good key state.*/
851 { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA },/*introducing DS state.*/
852 { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA },/*outroducing DS state.*/
853 { OMNIPRESENT, RUMOURED, RUMOURED, NA },/*introducing DNSKEY state.*/
855 { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA },/*outroducing DNSKEY state.*/
857 { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*unsigned state.*/
858 };
859
860 if (!keylist || !future_key || !future_key->key) {
861 return -1;
862 }
863
864 future_key->pretend_update = pretend_update;
865
866 /* Return positive value if any of the masks are found. */
867 return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
868 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DS, deplist) > 0
869 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
870 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
871 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
872 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
873 || unsignedOk(keylist, keylist_size, future_key, mask[7], KEY_STATE_TYPE_DS) > 0);
874}
875
882static int
883rule3(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
884 int pretend_update, key_dependency_list_t* deplist)
885{
886 static const key_state_state_t mask[6][4] = {
887 { NA, OMNIPRESENT, NA, OMNIPRESENT },/* good key state. */
888 { NA, RUMOURED, NA, OMNIPRESENT },/* introducing DNSKEY state. */
889 { NA, UNRETENTIVE, NA, OMNIPRESENT },/* outroducing DNSKEY state. */
890 { NA, OMNIPRESENT, NA, RUMOURED },/* introducing RRSIG state. */
891 { NA, OMNIPRESENT, NA, UNRETENTIVE },/* outroducing RRSIG state. */
892 { NA, HIDDEN, NA, OMNIPRESENT } /* unsigned state. */
893 };
894
895 if (!keylist || !future_key || !future_key->key) {
896 return -1;
897 }
898
899 future_key->pretend_update = pretend_update;
900
901 /* Return positive value if any of the masks are found. */
902 return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
903 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
904 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
905 || unsignedOk(keylist, keylist_size, future_key, mask[5], KEY_STATE_TYPE_DNSKEY) > 0
906 || all_DS_hidden(keylist, keylist_size, future_key) > 0);
907}
908
915static int
916dnssecApproval(key_data_t** keylist, size_t keylist_size,
917 struct future_key* future_key, int allow_unsigned,
918 key_dependency_list_t* deplist)
919{
920 if (!keylist) {
921 return -1;
922 }
923 if (!future_key) {
924 return -1;
925 }
926 if (!deplist) {
927 return -1;
928 }
929
930 /*
931 * Check if DNSSEC state will be invalid by the transition by checking that
932 * all 3 DNSSEC rules apply. Rule 1 only applies if we are not allowing an
933 * unsigned state.
934 *
935 * A rule is first checked against the current state of the key_state and if
936 * the current state is not valid an transition is allowed for that rule in
937 * order to try and move out of an invalid DNSSEC state.
938 *
939 * Next the rule is checked against the desired state and if that state is a
940 * valid DNSSEC state then the transition is allowed.
941 *
942 * rule1 - Handles DS states
943 * rule2 - Handles DNSKEY states.
944 * rule3 - Handles signatures.
945 */
946 if ((allow_unsigned
947 || !rule1(keylist, keylist_size, future_key, 0)
948 || rule1(keylist, keylist_size, future_key, 1) > 0)
949 && (!rule2(keylist, keylist_size, future_key, 0, deplist)
950 || rule2(keylist, keylist_size, future_key, 1, deplist) > 0)
951 && (!rule3(keylist, keylist_size, future_key, 0, deplist)
952 || rule3(keylist, keylist_size, future_key, 1, deplist) > 0))
953 {
954 /*
955 * All rules apply, we allow transition.
956 */
957 return 1;
958 }
959
960 return 0;
961}
962
971static time_t
972minTransitionTime(policy_t const *policy, key_state_type_t type,
973 key_state_state_t next_state, const time_t lastchange, const int ttl)
974{
975 if (!policy) {
976 return -1;
977 }
978
979 /*
980 * We may freely move a record to a uncertain state.
981 */
982 if (next_state == RUMOURED || next_state == UNRETENTIVE) {
983 return lastchange;
984 }
985
986 switch (type) {
988 return addtime(lastchange, ttl
991
992 /* TODO: 5011 will create special case here */
993 case KEY_STATE_TYPE_DNSKEY: /* intentional fall-through */
995 return addtime(lastchange, ttl
997 + ( next_state == OMNIPRESENT
1000
1002 return addtime(lastchange, ttl
1004
1005 default:
1006 break;
1007 }
1008
1009 return -1;
1010}
1011
1021static int
1022policyApproval(key_data_t** keylist, size_t keylist_size,
1024{
1025 static const key_state_state_t dnskey_algorithm_rollover[4] = { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA };
1026 static const key_state_state_t mask[14][4] = {
1027 /*ZSK*/
1028 { NA, OMNIPRESENT, NA, OMNIPRESENT }, /*This indicates a good key state.*/
1029 { NA, RUMOURED, NA, OMNIPRESENT }, /*This indicates a introducing DNSKEY state.*/
1030 { NA, UNRETENTIVE, NA, OMNIPRESENT }, /*This indicates a outroducing DNSKEY state.*/
1031 { NA, OMNIPRESENT, NA, RUMOURED }, /*This indicates a introducing RRSIG state.*/
1032 { NA, OMNIPRESENT, NA, UNRETENTIVE }, /*This indicates a outroducing RRSIG state.*/
1033 { NA, HIDDEN, NA, OMNIPRESENT }, /*This indicates an unsigned state.*/
1034
1035 /*KSK*/
1036 { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates a good key state.*/
1037 { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an introducing DS state.*/
1038 { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an outroducing DS state.*/
1039 { OMNIPRESENT, RUMOURED, RUMOURED, NA }, /*These indicates an introducing DNSKEY state.*/
1041 { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA }, /*These indicates an outroducing DNSKEY state.*/
1043 { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*This indicates an unsigned state.*/
1044 };
1045
1046 if (!keylist || !future_key || !future_key->key) {
1047 return -1;
1048 }
1049
1050 /*
1051 * Once the record is introduced the policy has no influence.
1052 */
1053 if (future_key->next_state != RUMOURED) {
1054 return 1;
1055 }
1056
1057 /*
1058 * Check if policy prevents transition if the next state is rumoured.
1059 */
1060 switch (future_key->type) {
1061 case KEY_STATE_TYPE_DS:
1062 /*
1063 * If we want to minimize the DS transitions make sure the DNSKEY is
1064 * fully propagated.
1065 */
1068 {
1069 /*
1070 * DNSKEY is not fully propagated so we will not do any transitions.
1071 */
1072 return 0;
1073 }
1074 break;
1075
1078 /* There are no restrictions for the DNSKEY transition so we can
1079 * just continue. */
1080 return 1;
1081 }
1082 /* Check that signatures has been propagated for CSK/ZSK. */
1086 {
1087 /* RRSIG fully propagated so we will do the transitions. */
1088 return 1;
1089 }
1090 }
1091 /* Check if the DS is introduced and continue if it is. */
1095 {
1096 return 1;
1097 }
1098 }
1099 /* We might be doing an algorithm rollover so we check if there are
1100 * no other good KSK available and ignore the minimize flag if so. */
1101 return !(exists(keylist, keylist_size, future_key, 1, mask[6]) > 0
1102 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[8], mask[7], KEY_STATE_TYPE_DS, deplist) > 0
1103 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[11], mask[9], KEY_STATE_TYPE_DNSKEY, deplist) > 0);
1104
1106 /*
1107 * The only time not to introduce RRSIG DNSKEY is when the DNSKEY is
1108 * still hidden.
1109 *
1110 * TODO: How do we know we are introducing the RRSIG DNSKEY? We might be
1111 * outroducing it.
1112 */
1114 return 0;
1115 }
1116 break;
1117
1120 /*
1121 * There are no restrictions for the RRSIG transition so we can
1122 * just continue.
1123 */
1124 break;
1125 }
1126
1127 /*
1128 * Check if the DNSKEY is introduced and continue if it is.
1129 */
1131 break;
1132 }
1133
1134 /*
1135 * We might be doing an algorithm rollover so we check if there are
1136 * no other good ZSK available and ignore the minimize flag if so.
1137 *
1138 * TODO: How is this related to ZSK/CSK? There are no check for key_data_role().
1139 */
1140 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
1141 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
1142 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
1143 )
1144 {
1145 /*
1146 * We found a good key, so we will not do any transition.
1147 */
1148 return 0;
1149 }
1150 break;
1151
1152 default:
1153 return 0;
1154 }
1155
1156 return 1;
1157}
1158
1168static int
1169getZoneTTL(policy_t const *policy, zone_db_t* zone, key_state_type_t type,
1170 const time_t now)
1171{
1172 time_t end_date;
1173 int ttl;
1174
1175 if (!policy) {
1176 return -1;
1177 }
1178 if (!zone) {
1179 return -1;
1180 }
1181
1182 switch (type) {
1183 case KEY_STATE_TYPE_DS:
1184 end_date = zone_db_ttl_end_ds(zone);
1186 break;
1187
1188 case KEY_STATE_TYPE_DNSKEY: /* Intentional fall-through */
1190 end_date = zone_db_ttl_end_dk(zone);
1191 ttl = policy_keys_ttl(policy);
1192 break;
1193
1195 end_date = zone_db_ttl_end_rs(zone);
1202 break;
1203
1204 default:
1205 return -1;
1206 }
1207
1208 return max((int)difftime(end_date, now), ttl);
1209}
1210
1217static int
1218isSuccessable(struct future_key* future_key)
1219{
1220 if (!future_key) {
1221 return -1;
1222 }
1223
1225 return 0;
1226 }
1227
1228 switch (future_key->type) {
1229 case KEY_STATE_TYPE_DS:
1232 return 0;
1233 }
1234 break;
1235
1237 return 0;
1238
1242 {
1243 return 0;
1244 }
1245 break;
1246
1247 default:
1248 return -1;
1249 }
1250
1251 return 1;
1252}
1253
1261static int
1262markSuccessors(db_connection_t *dbconn, key_data_t** keylist,
1263 size_t keylist_size, struct future_key *future_key,
1264 key_dependency_list_t* deplist, const zone_db_t* zone)
1265{
1266 static const char *scmd = "markSuccessors";
1267 size_t i;
1270 int cmp;
1271
1272 if (!dbconn || !keylist || !future_key || !deplist || !zone) {
1273 return -1;
1274 }
1275
1276 /* If key,type in deplist and new state is omnipresent it is no
1277 * longer relevant for the dependencies */
1279 /* Remove any entries for this key,type tuple from successors */
1280 for (kd = key_dependency_list_get_begin(deplist); kd;
1282 kd = key_dependency_list_get_next(deplist))
1283 {
1285 key_dependency_to_key_data_id(kd), &cmp) == DB_OK &&
1286 !cmp && kd->type == (key_dependency_type_t)future_key->type)
1287 {
1289 }
1290
1291 }
1292 }
1293
1294 if (isSuccessable(future_key) < 1) {
1295 return 0;
1296 }
1297
1298 for (i = 0; i < keylist_size; i++) {
1299 if (isPotentialSuccessor(keylist[i], future_key->key, future_key, future_key->type) > 0) {
1300 switch (future_key->type) {
1301 case KEY_STATE_TYPE_DS:
1303 break;
1304
1307 break;
1308
1311 break;
1312
1315 break;
1316
1317 default:
1318 return -1;
1319 }
1320
1321 if (!(key_dependency = key_dependency_new(dbconn))
1327 {
1328 ods_log_error("[%s] %s: unable to create key dependency between %s and %s",
1329 module_str, scmd,
1333 return -1;
1334 }
1336 }
1337 }
1338
1339 return 1;
1340}
1341
1351static time_t
1352updateZone(db_connection_t *dbconn, policy_t const *policy, zone_db_t* zone,
1353 const time_t now, int allow_unsigned, int *zone_updated,
1354 key_data_t** keylist, size_t keylist_size, key_dependency_list_t *deplist)
1355{
1356 time_t returntime_zone = -1;
1357 unsigned int ttl;
1358 static const char *scmd = "updateZone";
1359 size_t i;
1360 unsigned int j, change;
1361 static const key_state_type_t type[] = {
1366 };
1367 struct future_key future_key;
1369 key_state_state_t state;
1370 time_t returntime_key;
1372 int key_data_updated, process, key_state_created;
1373 const db_enum_t* state_enum, *next_state_enum, *type_enum;
1374 key_dependency_list_t *deplisttmp = NULL;
1375
1376 if (!dbconn) {
1377 /* TODO: better log error */
1378 ods_log_error("[%s] %s: no dbconn", module_str, scmd);
1379 return returntime_zone;
1380 }
1381 if (!policy) {
1382 /* TODO: better log error */
1383 ods_log_error("[%s] %s: no policy", module_str, scmd);
1384 return returntime_zone;
1385 }
1386 if (!zone) {
1387 /* TODO: better log error */
1388 ods_log_error("[%s] %s: no zone", module_str, scmd);
1389 return returntime_zone;
1390 }
1391 if (!zone_updated) {
1392 /* TODO: better log error */
1393 ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
1394 return returntime_zone;
1395 }
1396 if (!keylist) {
1397 /* TODO: better log error */
1398 ods_log_error("[%s] %s: no keylist", module_str, scmd);
1399 return returntime_zone;
1400 }
1401 if (!deplist) {
1402 /* TODO: better log error */
1403 ods_log_error("[%s] %s: no deplist", module_str, scmd);
1404 return returntime_zone;
1405 }
1406
1407 ods_log_verbose("[%s] %s: processing %s with policyName %s", module_str, scmd, zone_db_name(zone), policy_name(policy));
1408
1409 deplisttmp = zone_db_get_key_dependencies(zone);
1410
1411 /*
1412 * The process variable will indicate if we are processing, if something
1413 * fails and sets it to 0 then it will fall through to the end.
1414 */
1415 process = 1;
1416
1417 /*
1418 * This code keeps track of TTL changes. If in the past a large TTL is used,
1419 * our keys *may* need to transition extra careful to make sure each
1420 * resolver picks up the RRset. When this date passes we may start using the
1421 * policies TTL.
1422 */
1423 if (process && zone_db_ttl_end_ds(zone) <= now) {
1424 if (zone_db_set_ttl_end_ds(zone, addtime(now, policy_parent_ds_ttl(policy)))) {
1425 ods_log_error("[%s] %s: zone_db_set_ttl_end_ds() failed", module_str, scmd);
1426 process = 0;
1427 }
1428 else {
1429 *zone_updated = 1;
1430 }
1431 }
1432 if (process && zone_db_ttl_end_dk(zone) <= now) {
1433 /*
1434 * If no DNSKEY is currently published we must take negative caching
1435 * into account.
1436 */
1437 for (i = 0; i < keylist_size; i++) {
1439 break;
1440 }
1441 }
1442 if (keylist_size < i) {
1443 ttl = max(policy_keys_ttl(policy),
1445 }
1446 else {
1447 ttl = policy_keys_ttl(policy);
1448 }
1449 if (zone_db_set_ttl_end_dk(zone, addtime(now, ttl))) {
1450 ods_log_error("[%s] %s: zone_db_set_ttl_end_dk() failed", module_str, scmd);
1451 process = 0;
1452 }
1453 else {
1454 *zone_updated = 1;
1455 }
1456 }
1457 if (process && zone_db_ttl_end_rs(zone) <= now) {
1460 }
1461 else {
1463 }
1464 if (zone_db_set_ttl_end_rs(zone, addtime(now, max(
1466 ttl))))
1467 {
1468 ods_log_error("[%s] %s: zone_db_set_ttl_end_rs() failed", module_str, scmd);
1469 process = 0;
1470 }
1471 else {
1472 *zone_updated = 1;
1473 }
1474 }
1475
1476 /*
1477 * Create key states that do not exist.
1478 */
1479 for (i = 0; process && i < keylist_size; i++) {
1480 key_state_created = 0;
1481 if (!key_data_cached_ds(keylist[i])) {
1482 if (!(key_state = key_state_new(dbconn))
1485 || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 2) & 1)
1488 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DS, now))
1490 {
1491 ods_log_error("[%s] %s: key state DS creation failed", module_str, scmd);
1492 process = 0;
1494 key_state = NULL;
1495 break;
1496 }
1497 key_state_created = 1;
1499 key_state = NULL;
1500
1501 if (!zone_db_signconf_needs_writing(zone)) {
1503 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1504 process = 0;
1505 break;
1506 }
1507 else {
1508 *zone_updated = 1;
1509 }
1510 }
1511 }
1512 if (!key_data_cached_dnskey(keylist[i])) {
1513 if (!(key_state = key_state_new(dbconn))
1516 || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 1) & 1)
1519 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DNSKEY, now))
1521 {
1522 ods_log_error("[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1523 process = 0;
1525 key_state = NULL;
1526 break;
1527 }
1528 key_state_created = 1;
1530 key_state = NULL;
1531
1532 if (!zone_db_signconf_needs_writing(zone)) {
1534 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1535 process = 0;
1536 break;
1537 }
1538 else {
1539 *zone_updated = 1;
1540 }
1541 }
1542 }
1543 if (!key_data_cached_rrsigdnskey(keylist[i])) {
1544 if (!(key_state = key_state_new(dbconn))
1551 {
1552 ods_log_error("[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1553 process = 0;
1555 key_state = NULL;
1556 break;
1557 }
1558 key_state_created = 1;
1560 key_state = NULL;
1561
1562 if (!zone_db_signconf_needs_writing(zone)) {
1564 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1565 process = 0;
1566 break;
1567 }
1568 else {
1569 *zone_updated = 1;
1570 }
1571 }
1572 }
1573 if (!key_data_cached_rrsig(keylist[i])) {
1574 if (!(key_state = key_state_new(dbconn))
1580 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIG, now))
1582 {
1583 ods_log_error("[%s] %s: key state RRSIG creation failed", module_str, scmd);
1584 process = 0;
1586 key_state = NULL;
1587 break;
1588 }
1589 key_state_created = 1;
1591 key_state = NULL;
1592
1593 if (!zone_db_signconf_needs_writing(zone)) {
1595 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1596 process = 0;
1597 break;
1598 }
1599 else {
1600 *zone_updated = 1;
1601 }
1602 }
1603 }
1604 if (key_state_created) {
1605 if (key_data_cache_key_states(keylist[i])) {
1606 ods_log_error("[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1607 process = 0;
1608 break;
1609 }
1610 }
1611 }
1612
1613 /*
1614 * Keep looping till there are no state changes and find the earliest update
1615 * time to return.
1616 */
1617 do {
1618 change = 0;
1619 for (i = 0; process && i < keylist_size; i++) {
1620 ods_log_verbose("[%s] %s: processing key %s %u", module_str, scmd,
1622
1623 for (j = 0; process && j < (sizeof(type) / sizeof(key_state_state_t)); j++) {
1624 /*
1625 * If the state or desired_state is invalid something went wrong
1626 * and we should return.
1627 */
1628 if ((state = getState(keylist[i], type[j], NULL)) == KEY_STATE_STATE_INVALID
1629 || (next_state = getDesiredState(key_data_introducing(keylist[i]), state)) == KEY_STATE_STATE_INVALID)
1630 {
1631 ods_log_error("[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1632 process = 0;
1633 break;
1634 }
1635
1636 /*
1637 * If there is no change in key state we continue.
1638 */
1639 if (state == next_state) {
1640 continue;
1641 }
1642
1643 /*
1644 * If the key state is a DS then we need to check if we still
1645 * are waiting for user input before we can transition the key.
1646 */
1647 if (type[j] == KEY_STATE_TYPE_DS) {
1648 if ((next_state == OMNIPRESENT
1650 || (next_state == HIDDEN
1652 {
1653 continue;
1654 }
1655 }
1656
1657 for (type_enum = key_state_enum_set_type; type_enum->text; type_enum++) {
1658 if (type_enum->value == (int)type[j]) {
1659 break;
1660 }
1661 }
1662 for (state_enum = key_state_enum_set_state; state_enum->text; state_enum++) {
1663 if (state_enum->value == (int)state) {
1664 break;
1665 }
1666 }
1667 for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1668 if (next_state_enum->value == (int)next_state) {
1669 break;
1670 }
1671 }
1672 ods_log_verbose("[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1673 key_data_role_text(keylist[i]),
1675 type_enum->text,
1676 state_enum->text,
1677 next_state_enum->text);
1678
1679 future_key.key = keylist[i];
1680 future_key.type = type[j];
1682
1683 /*
1684 * Check if policy prevents transition.
1685 */
1686 if (policyApproval(keylist, keylist_size, &future_key, deplist) < 1) {
1687 continue;
1688 }
1689 ods_log_verbose("[%s] %s Policy says we can (1/3)", module_str, scmd);
1690
1691 /*
1692 * Check if DNSSEC state prevents transition.
1693 */
1694 if (dnssecApproval(keylist, keylist_size, &future_key, allow_unsigned, deplisttmp) < 1) {
1695 continue;
1696 }
1697 ods_log_verbose("[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1698
1699 returntime_key = minTransitionTime(policy, type[j], next_state,
1700 key_state_last_change(getRecord(keylist[i], type[j])),
1701 getZoneTTL(policy, zone, type[j], now));
1702
1703 /*
1704 * If this is an RRSIG and the DNSKEY is omnipresent and next
1705 * state is a certain state, wait an additional signature
1706 * lifetime to allow for 'smooth rollover'.
1707 */
1708 static const key_state_state_t mask[2][4] = {
1711 };
1712 int zsk_out = exists(keylist, keylist_size, &future_key,
1713 1, mask[0]);
1714 int zsk_in = exists(keylist, keylist_size, &future_key,
1715 1, mask[1]);
1716
1717 if (type[j] == KEY_STATE_TYPE_RRSIG
1719 && ((next_state == OMNIPRESENT && zsk_out)
1720 || (next_state == HIDDEN && zsk_in)))
1721 {
1722 returntime_key = addtime(returntime_key,
1728 }
1729
1730 /*
1731 * It is to soon to make this change. Schedule it.
1732 */
1733 if (returntime_key > now) {
1734 minTime(returntime_key, &returntime_zone);
1735 continue;
1736 }
1737
1738 ods_log_verbose("[%s] %s Timing says we can (3/3) now: %lu key: %lu",
1739 module_str, scmd, (unsigned long)now, (unsigned long)returntime_key);
1740
1741 /*
1742 * A record can only reach Omnipresent if properly backed up.
1743 */
1744 if (next_state == OMNIPRESENT) {
1747 {
1748 ods_log_crit("[%s] %s Ready for transition but key material not backed up yet (%s)",
1749 module_str, scmd, hsm_key_locator(key_data_cached_hsm_key(keylist[i])));
1750
1751 /*
1752 * Try again in 60 seconds
1753 */
1754 returntime_key = addtime(now, 60);
1755 minTime(returntime_key, &returntime_zone);
1756 continue;
1757 }
1758 }
1759
1760 /*
1761 * If we are handling a DS we depend on the user or
1762 * some other external process. We must communicate
1763 * through the DSSeen and -submit flags.
1764 */
1765 if (type[j] == KEY_STATE_TYPE_DS) {
1766 key_data_updated = 0;
1767
1768 /*
1769 * Ask the user to submit the DS to the parent.
1770 */
1771 if (next_state == RUMOURED) {
1772 switch (key_data_ds_at_parent(keylist[i])) {
1776 break;
1777
1779 /*
1780 * Hypothetical case where we reintroduce keys.
1781 */
1783 key_data_updated = 1;
1784 break;
1785
1786 default:
1788 key_data_updated = 1;
1789 }
1790 }
1791 /*
1792 * Ask the user to remove the DS from the parent.
1793 */
1794 else if (next_state == UNRETENTIVE) {
1795 switch(key_data_ds_at_parent(keylist[i])) {
1797 /*
1798 * Never submitted.
1799 * NOTE: not safe if we support reintroducing of keys.
1800 */
1802 key_data_updated = 1;
1803 break;
1804
1808 break;
1809
1810 default:
1812 key_data_updated = 1;
1813 }
1814 }
1815
1816 /*
1817 * Save the changes made to the key data if any.
1818 */
1819 if (key_data_updated) {
1820 if (key_data_update(keylist[i])) {
1821 ods_log_info("[%s] %s: key data update failed", module_str, scmd);
1822 process = 0;
1823 break;
1824 }
1825 /*
1826 * We now need to reread the key data object.
1827 *
1828 * TODO: This needs investigation how to do better.
1829 */
1830 if (key_data_get_by_id(keylist[i], key_data_id(keylist[i]))
1831 || key_data_cache_key_states(keylist[i])
1832 || key_data_cache_hsm_key(keylist[i]))
1833 {
1834 ods_log_error("[%s] %s: key data reread failed", module_str, scmd);
1835 process = 0;
1836 break;
1837 }
1838 }
1839 }
1840
1841 /*
1842 * We've passed all tests! Make the transition.
1843 */
1844 key_state = NULL;
1845
1846 switch (future_key.type) {
1847 case KEY_STATE_TYPE_DS:
1849 break;
1850
1853 break;
1854
1857 break;
1858
1861 break;
1862
1863 default:
1864 ods_log_error("[%s] %s: future key type error", module_str, scmd);
1865 process = 0;
1866 break;
1867 }
1868
1869 for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1870 if (next_state_enum->value == (int)next_state) {
1871 break;
1872 }
1873 }
1874 ods_log_verbose("[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1875 key_data_role_text(keylist[i]),
1879 next_state_enum->text);
1880
1883 || key_state_set_ttl(key_state, getZoneTTL(policy, zone, future_key.type, now))
1885 {
1886 ods_log_error("[%s] %s: key state transition failed", module_str, scmd);
1887 process = 0;
1889 break;
1890 }
1892
1893 if (!zone_db_signconf_needs_writing(zone)) {
1895 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1896 process = 0;
1897 break;
1898 }
1899 else {
1900 *zone_updated = 1;
1901 }
1902 }
1903
1904 if (markSuccessors(dbconn, keylist, keylist_size, &future_key, deplisttmp, zone) < 0) {
1905 ods_log_error("[%s] %s: markSuccessors() error", module_str, scmd);
1906 process = 0;
1907 break;
1908 }
1909 /*deps have changed reload*/
1910 key_dependency_list_free(deplisttmp);
1911 deplisttmp = zone_db_get_key_dependencies(zone);
1912
1913
1914 if (key_data_cache_key_states(keylist[i])) {
1915 ods_log_error("[%s] %s: Unable to recache key states after transition", module_str, scmd);
1916 process = 0;
1917 break;
1918 }
1919
1920 change = true;
1921 }
1922 }
1923 } while (process && change);
1924 key_dependency_list_free(deplisttmp);
1925 return returntime_zone;
1926}
1927
1931static const hsm_key_t*
1932getLastReusableKey(key_data_list_t *key_list, const policy_key_t *pkey)
1933{
1934 const key_data_t *key;
1935 hsm_key_t *hkey, *hkey_young = NULL;
1936 hsm_key_list_t* hsmkeylist;
1937 int match;
1938 int cmp;
1939
1940 if (!key_list || !pkey)
1941 return NULL;
1942
1943 hsmkeylist = hsm_key_list_new_get_by_policy_key(pkey);
1944 for (hkey = hsm_key_list_get_begin(hsmkeylist); hkey;
1945 hkey = hsm_key_list_get_next(hsmkeylist))
1946 {
1948 if ((~hsm_key_role(hkey) & policy_key_role(pkey)) != 0 ||
1951 hkey->state == HSM_KEY_STATE_UNUSED ||
1952 hkey->state == HSM_KEY_STATE_DELETE )
1953 {
1954 hsm_key_free(hkey);
1955 continue;
1956 }
1957
1959 for (match = 0, key = key_data_list_begin(key_list); key; key = key_data_list_next(key_list)) {
1961 && cmp == 0)
1962 {
1964 match = 1;
1965 break;
1966 }
1967 }
1968 if (match) {
1969 hsm_key_free(hkey);
1970 continue;
1971 }
1972
1974 if (!hkey_young || hsm_key_inception(hkey_young) < hsm_key_inception(hkey)) {
1975 hsm_key_free(hkey_young);
1976 hkey_young = hkey;
1977 }
1978 }
1979
1980 hsm_key_list_free(hsmkeylist);
1981 return hkey_young;
1982}
1983
1992static int
1993existsPolicyForKey(policy_key_list_t *policykeylist, const key_data_t *key)
1994{
1995 static const char *scmd = "existsPolicyForKey";
1996 const policy_key_t *pkey;
1997 hsm_key_t *hkey;
1998
1999 if (!policykeylist) {
2000 return -1;
2001 }
2002 if (!key) {
2003 return -1;
2004 }
2005
2006 if (!(hkey = key_data_get_hsm_key(key))) {
2007 /*
2008 * This key is not associated with actual key material!
2009 * This is a bug or database corruption.
2010 * Crashing here is an option but we just return false so the
2011 * key will be thrown away in a graceful manner.
2012 */
2013 ods_log_verbose("[%s] %s no hsmkey!", module_str, scmd);
2014 return 0;
2015 }
2016 pkey = policy_key_list_begin(policykeylist);
2017 while (pkey) {
2018 if ((int)policy_key_role(pkey) == (int)key_data_role(key) &&
2020 strcmp(hsm_key_repository(hkey), policy_key_repository(pkey)) == 0 &&
2021 hsm_key_algorithm(hkey) == policy_key_algorithm(pkey) &&
2022 hsm_key_bits(hkey) == policy_key_bits(pkey))
2023 {
2024 hsm_key_free(hkey);
2025 return 1;
2026 }
2027 pkey = policy_key_list_next(policykeylist);
2028 }
2029 ods_log_verbose("[%s] %s not found such config", module_str, scmd);
2030 hsm_key_free(hkey);
2031 return 0;
2032}
2033
2034static int
2035last_inception_policy(key_data_list_t *key_list, const policy_key_t *pkey)
2036{
2037 const key_data_t *key = NULL;
2038 hsm_key_t *hsmkey = NULL;
2039 int max_inception = -1;
2040
2041 if (!key_list || !pkey) return -1;
2042
2043 /*
2044 * Must match: role, bits, algorithm and repository.
2045 */
2046 for (key = key_data_list_begin(key_list); key;
2047 key = key_data_list_next(key_list))
2048 {
2049 if ((int)policy_key_role(pkey) != (int)key_data_role(key) ||
2051 (hsmkey = key_data_get_hsm_key(key)) == NULL ||
2052 policy_key_bits(pkey) != hsm_key_bits(hsmkey) ||
2053 policy_key_algorithm(pkey) != hsm_key_algorithm(hsmkey) ||
2054 strcmp(policy_key_repository(pkey), hsm_key_repository(hsmkey)))
2055 {
2056 hsm_key_free(hsmkey);
2057 hsmkey = NULL;
2058 continue;
2059 }
2060 hsm_key_free(hsmkey);
2061 hsmkey = NULL;
2063 if (max_inception == -1 || max_inception < (signed int)key_data_inception(key))
2064 {
2065 max_inception = key_data_inception(key);
2066 }
2067 }
2068 return max_inception;
2069}
2070
2079static int
2080key_for_conf(key_data_list_t *key_list, const policy_key_t *pkey)
2081{
2082 const key_data_t *key;
2083
2084 if (!key_list) {
2085 return 0;
2086 }
2087 if (!pkey) {
2088 return 0;
2089 }
2090
2091 for (key = key_data_list_begin(key_list); key;
2092 key = key_data_list_next(key_list))
2093 {
2095 (int)policy_key_role(pkey) == (int)key_data_role(key))
2096 {
2097 return 1;
2098 }
2099 }
2100 return 0;
2101}
2102
2109static void
2110setnextroll(zone_db_t *zone, const policy_key_t *pkey, time_t t)
2111{
2112 assert(zone);
2113 assert(pkey);
2114
2115 switch(policy_key_role(pkey)) {
2117 zone->next_ksk_roll = (unsigned int)t;
2118 break;
2120 zone->next_zsk_roll = (unsigned int)t;
2121 break;
2123 zone->next_csk_roll = (unsigned int)t;
2124 break;
2125 default:
2126 assert(0);
2127 }
2128}
2129
2130static int
2131enforce_roll(const zone_db_t *zone, const policy_key_t *pkey)
2132{
2133 if (!zone) {
2134 return 0;
2135 }
2136 if (!pkey) {
2137 return 0;
2138 }
2139
2140 switch(policy_key_role(pkey)) {
2142 return zone_db_roll_ksk_now(zone);
2144 return zone_db_roll_zsk_now(zone);
2146 return zone_db_roll_csk_now(zone);
2147 default:
2148 return 0;
2149 }
2150}
2151
2152static int
2153set_roll(zone_db_t *zone, const policy_key_t *pkey, unsigned int roll)
2154{
2155 if (!zone) {
2156 return 0;
2157 }
2158 if (!pkey) {
2159 return 0;
2160 }
2161
2162 switch(policy_key_role(pkey)) {
2164 return zone_db_set_roll_ksk_now(zone, roll);
2166 return zone_db_set_roll_zsk_now(zone, roll);
2168 return zone_db_set_roll_csk_now(zone, roll);
2169 default:
2170 return 1;
2171 }
2172}
2173
2183static time_t
2184updatePolicy(engine_type *engine, db_connection_t *dbconn, policy_t const *policy,
2185 zone_db_t *zone, const time_t now, int *allow_unsigned, int *zone_updated)
2186{
2187 time_t return_at = -1;
2188 key_data_list_t *keylist;
2189 policy_key_list_t *policykeylist;
2190 const key_data_t *key;
2191 key_data_t *mutkey = NULL;
2192 key_data_t *mutkey2 = NULL;
2193 const policy_key_t *pkey;
2194 const hsm_key_t *hsmkey;
2195 hsm_key_t *hsmkey2 = NULL;
2196 hsm_key_t *newhsmkey = NULL;
2197 static const char *scmd = "updatePolicy";
2198 int force_roll;
2199 time_t t_ret;
2200 key_data_role_t key_role;
2201 int err;
2202 uint16_t tag;
2203 int ret;
2204
2205 if (!dbconn) {
2206 /* TODO: better log error */
2207 ods_log_error("[%s] %s: no dbconn", module_str, scmd);
2208 return now + 60;
2209 }
2210 if (!policy) {
2211 /* TODO: better log error */
2212 ods_log_error("[%s] %s: no policy", module_str, scmd);
2213 return now + 60;
2214 }
2215 if (!zone) {
2216 /* TODO: better log error */
2217 ods_log_error("[%s] %s: no zone", module_str, scmd);
2218 return now + 60;
2219 }
2220 if (!allow_unsigned) {
2221 /* TODO: better log error */
2222 ods_log_error("[%s] %s: no allow_unsigned", module_str, scmd);
2223 return now + 60;
2224 }
2225 if (!zone_updated) {
2226 /* TODO: better log error */
2227 ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
2228 return now + 60;
2229 }
2230
2231 ods_log_verbose("[%s] %s: policyName: %s", module_str, scmd, policy_name(policy));
2232
2233 /*
2234 * Get all policy keys (configurations) for the given policy and fetch all
2235 * the policy key database objects so we can iterate over it more then once.
2236 */
2237 if (!(policykeylist = policy_get_policy_keys(policy))) {
2238 /* TODO: better log error */
2239 ods_log_error("[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2240 policy_key_list_free(policykeylist);
2241 return now + 60;
2242 }
2243
2244 /*
2245 * Get all key data objects for the given zone and fetch all the objects
2246 * from the database so we can use the list again later.
2247 */
2248 if (!(keylist = zone_db_get_keys(zone))) {
2249 /* TODO: better log error */
2250 ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2251 key_data_list_free(keylist);
2252 policy_key_list_free(policykeylist);
2253 return now + 60;
2254 }
2255
2256 /*
2257 * Decommission all key data objects without any matching policy key config.
2258 */
2259 while ((key = key_data_list_next(keylist))) {
2260 ret = existsPolicyForKey(policykeylist, key);
2261 if (ret < 0) {
2262 /* TODO: better log error */
2263 ods_log_error("[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2264 key_data_list_free(keylist);
2265 policy_key_list_free(policykeylist);
2266 return now + 60;
2267 }
2268 if (!ret) {
2269 if (!(mutkey = key_data_new_copy(key))
2270 || key_data_set_introducing(mutkey, 0)
2271 || key_data_update(mutkey))
2272 {
2273 /* TODO: better log error */
2274 ods_log_error("[%s] %s: error update mutkey", module_str, scmd);
2275 key_data_free(mutkey);
2276 key_data_list_free(keylist);
2277 policy_key_list_free(policykeylist);
2278 return now + 60;
2279 }
2280 key_data_free(mutkey);
2281 mutkey = NULL;
2282 }
2283 }
2284
2285 pkey = policy_key_list_begin(policykeylist);
2286
2287 /*
2288 * If no keys are configured an unsigned zone is okay.
2289 */
2290 *allow_unsigned = pkey ? 0 : 1;
2291
2292 /* If there are no keys configured set 'signconf_needs_writing'
2293 * every time this function is called */
2294 if (!policy_key_list_size(policykeylist)) {
2296 ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
2297 } else {
2298 *zone_updated = 1;
2299 }
2300 }
2301
2302 for (; pkey; pkey = policy_key_list_next(policykeylist)) {
2303 newhsmkey = NULL;
2304 /*
2305 * Check if we should roll, first get the roll state from the zone then
2306 * check if the policy key is set to manual rollover and last check the
2307 * key timings.
2308 */
2309 force_roll = enforce_roll(zone, pkey);
2310 if (policy_key_manual_rollover(pkey)) {
2311 /*
2312 * If this policy key is set to manual rollover and we do not have
2313 * a key yet (for ex first run) then we should roll anyway.
2314 */
2315 if (!key_for_conf(keylist, pkey)) {
2316 force_roll = 1;
2317 }
2318 else if (!force_roll) {
2319 /*
2320 * Since this is set to manual rollover we do not want it to
2321 * roll unless we have zone state saying that we should roll.
2322 */
2323 continue;
2324 }
2325 }
2326 if (!force_roll) {
2327 int inception = -1;
2328 /*
2329 * We do not need to roll but we should check if the youngest key
2330 * needs to be replaced. If not we reschedule for later based on the
2331 * youngest key.
2332 * TODO: Describe better why the youngest?!?
2333 */
2334 inception = last_inception_policy(keylist, pkey);
2335 if (inception != -1 &&
2336 inception + policy_key_lifetime(pkey) > now)
2337 {
2338 t_ret = addtime(inception, policy_key_lifetime(pkey));
2339 minTime(t_ret, &return_at);
2340 setnextroll(zone, pkey, t_ret);
2341 *zone_updated = 1;
2342 continue;
2343 }
2344 }
2345
2346 /*
2347 * Time for a new key
2348 */
2349 ods_log_verbose("[%s] %s: New key needed for role %s",
2350 module_str, scmd, policy_key_role_text(pkey));
2351
2352 /*
2353 * Sanity check for unreasonable short key lifetime.
2354 * This would produce silly output and give the signer lots of useless
2355 * work to do otherwise.
2356 */
2357 if ((policy_key_role(pkey) == POLICY_KEY_ROLE_KSK ||
2360 policy_key_lifetime(pkey))
2361 {
2362 ods_log_error("[%s] %s: For policy %s %s key lifetime of %d "
2363 "is unreasonably short with respect to sum of parent "
2364 "TTL (%d) and key TTL (%d). Will not insert key!",
2365 module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2368 setnextroll(zone, pkey, now);
2369 *zone_updated = 1;
2370 continue;
2371 }
2372 if ((policy_key_role(pkey) == POLICY_KEY_ROLE_ZSK ||
2375 policy_key_lifetime(pkey))
2376 {
2377 ods_log_crit("[%s] %s: For policy %s %s key lifetime of %d "
2378 "is unreasonably short with respect to sum of "
2379 "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2380 module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2383 setnextroll(zone, pkey, now);
2384 *zone_updated = 1;
2385 continue;
2386 }
2387
2388 /*
2389 * Get a new key, either a existing/shared key if the policy is set to
2390 * share keys or create a new key.
2391 */
2393 hsmkey = getLastReusableKey(keylist, pkey);
2394
2395 if (!hsmkey) {
2396 newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_SHARED);
2397 hsmkey = newhsmkey;
2398 }
2399 } else {
2400 newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_PRIVATE);
2401 hsmkey = newhsmkey;
2402 }
2403
2404 if (!hsmkey) {
2405 /*
2406 * Unable to get/create a HSM key at this time, retry later.
2407 */
2408 ods_log_warning("[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2409 module_str, scmd, policy_name(policy), NOKEY_TIMEOUT);
2410 minTime(now + NOKEY_TIMEOUT, &return_at);
2411 setnextroll(zone, pkey, now);
2412 *zone_updated = 1;
2413 continue;
2414 }
2415 ods_log_verbose("[%s] %s: got new key from HSM", module_str, scmd);
2416
2417 /*
2418 * TODO: This will be replaced once roles are global
2419 */
2420 key_role = KEY_DATA_ROLE_INVALID;
2421 switch (policy_key_role(pkey)) {
2423 key_role = KEY_DATA_ROLE_KSK;
2424 break;
2425
2427 key_role = KEY_DATA_ROLE_ZSK;
2428 break;
2429
2431 key_role = KEY_DATA_ROLE_CSK;
2432 break;
2433
2434 default:
2435 break;
2436 }
2437
2438 /*
2439 * Create a new key data object.
2440 */
2441 if (!(mutkey = key_data_new(dbconn))
2442 || key_data_set_zone_id(mutkey, zone_db_id(zone))
2443 || key_data_set_hsm_key_id(mutkey, hsm_key_id(hsmkey))
2445 || key_data_set_inception(mutkey, now)
2446 || key_data_set_role(mutkey, key_role)
2448 || key_data_set_introducing(mutkey, 1)
2450 {
2451 /* TODO: better log error */
2452 ods_log_error("[%s] %s: error new key", module_str, scmd);
2453 key_data_free(mutkey);
2454 if (newhsmkey) {
2455 hsm_key_factory_release_key(newhsmkey, dbconn);
2456 }
2457 hsm_key_free(newhsmkey);
2458 key_data_list_free(keylist);
2459 policy_key_list_free(policykeylist);
2460 return now + 60;
2461 }
2462
2463 /*
2464 * Generate keytag for the new key and set it.
2465 */
2466 err = hsm_keytag(hsm_key_locator(hsmkey), hsm_key_algorithm(hsmkey),
2467 HSM_KEY_ROLE_SEP(hsm_key_role(hsmkey)), &tag);
2468 if (err || key_data_set_keytag(mutkey, tag))
2469 {
2470 /* TODO: better log error */
2471 ods_log_error("[%s] %s: error keytag", module_str, scmd);
2472 key_data_free(mutkey);
2473 if (newhsmkey) {
2474 hsm_key_factory_release_key(newhsmkey, dbconn);
2475 }
2476 hsm_key_free(newhsmkey);
2477 key_data_list_free(keylist);
2478 policy_key_list_free(policykeylist);
2479 return now + 60;
2480 }
2481
2482 /*
2483 * Create the new key in the database, if successful we set the next
2484 * roll after the lifetime of the key.
2485 */
2486 if (key_data_create(mutkey)) {
2487 /* TODO: better log error */
2488 ods_log_error("[%s] %s: error key_data_create()", module_str, scmd);
2489 key_data_free(mutkey);
2490 if (newhsmkey) {
2491 hsm_key_factory_release_key(newhsmkey, dbconn);
2492 }
2493 hsm_key_free(newhsmkey);
2494 key_data_list_free(keylist);
2495 policy_key_list_free(policykeylist);
2496 return now + 60;
2497 }
2498 t_ret = addtime(now, policy_key_lifetime(pkey));
2499 minTime(t_ret, &return_at);
2500 setnextroll(zone, pkey, t_ret);
2501 *zone_updated = 1;
2502
2503 /*
2504 * Tell similar keys to out-troduce.
2505 * Similar keys are those that match role, algorithm, bits and repository
2506 * and are introduced.
2507 *
2508 * NOTE:
2509 * Will not work if a policy has 2 or more keys of the same role, algorithm,
2510 * bits and repository. Unclear how to fix this since keys are not directly
2511 * related to a policy key.
2512 * We currently do not allow two policy keys with the same attributes.
2513 */
2514 for (key = key_data_list_begin(keylist); key; key = key_data_list_next(keylist)) {
2516 && key_data_role(key) == key_data_role(mutkey)
2518 && (hsmkey2 = key_data_get_hsm_key(key))
2519 && hsm_key_bits(hsmkey2) == hsm_key_bits(hsmkey)
2520 && !strcmp(hsm_key_repository(hsmkey2), hsm_key_repository(hsmkey)))
2521 {
2522 if (!(mutkey2 = key_data_new_copy(key))
2523 || key_data_set_introducing(mutkey2, 0)
2524 || key_data_update(mutkey2))
2525 {
2526 /* TODO: better log error */
2527 ods_log_error("[%s] %s: error update mutkey2", module_str, scmd);
2528 key_data_free(mutkey2);
2529 hsm_key_free(hsmkey2);
2530 key_data_free(mutkey);
2531 hsm_key_free(newhsmkey);
2532 key_data_list_free(keylist);
2533 policy_key_list_free(policykeylist);
2534 return now + 60;
2535 }
2536
2537 ods_log_verbose("[%s] %s: decommissioning old key: %s", module_str, scmd, hsm_key_locator(hsmkey2));
2538
2539 key_data_free(mutkey2);
2540 mutkey2 = NULL;
2541 }
2542 hsm_key_free(hsmkey2);
2543 hsmkey2 = NULL;
2544 }
2545
2546 key_data_free(mutkey);
2547 mutkey = NULL;
2548 hsm_key_free(newhsmkey);
2549 newhsmkey = NULL;
2550
2551 /*
2552 * Clear roll now (if set) in the zone for this policy key.
2553 */
2554 if (enforce_roll(zone, pkey)) {
2555 if (set_roll(zone, pkey, 0)) {
2556 /* TODO: better log error */
2557 ods_log_error("[%s] %s: error set_roll()", module_str, scmd);
2558 key_data_list_free(keylist);
2559 policy_key_list_free(policykeylist);
2560 return now + 60;
2561 }
2562 *zone_updated = 1;
2563 }
2564 }
2565
2566 key_data_list_free(keylist);
2567 policy_key_list_free(policykeylist);
2568
2569 return return_at;
2570}
2571
2572static time_t
2573removeDeadKeys(db_connection_t *dbconn, key_data_t** keylist,
2574 size_t keylist_size, key_dependency_list_t *deplist, const time_t now,
2575 const int purgetime)
2576{
2577 static const char *scmd = "removeDeadKeys";
2578 time_t first_purge = -1, key_time;
2579 size_t i, deplist2_size = 0;
2580 int key_purgable, cmp;
2581 unsigned int j;
2582 const key_state_t* state = NULL;
2583 key_dependency_t **deplist2 = NULL;
2584
2585 assert(keylist);
2586 assert(deplist);
2587
2588 deplist2_size = key_dependency_list_size(deplist);
2589 deplist2 = (key_dependency_t**)calloc(deplist2_size, sizeof(key_dependency_t*));
2590 /* deplist might be NULL but is always freeable */
2591 if (deplist2_size > 0)
2592 deplist2[0] = key_dependency_list_get_begin(deplist);
2593 for (i = 1; i < deplist2_size; i++)
2594 deplist2[i] = key_dependency_list_get_next(deplist);
2595
2596 for (i = 0; i < keylist_size; i++) {
2597 if (key_data_introducing(keylist[i])) continue;
2598 key_time = -1;
2599 key_purgable = 1;
2600 for (j = 0; j<4; j++) {
2601 switch(j){
2602 case 0: state = key_data_cached_ds(keylist[i]); break;
2603 case 1: state = key_data_cached_dnskey(keylist[i]); break;
2604 case 2: state = key_data_cached_rrsigdnskey(keylist[i]); break;
2605 case 3: state = key_data_cached_rrsig(keylist[i]);
2606 }
2607 if (key_state_state(state) == NA) continue;
2608 if (key_state_state(state) != HIDDEN) {
2609 key_purgable = 0;
2610 break;
2611 }
2612 if (key_time == -1 || key_state_last_change(state) > (unsigned int)key_time) {
2613 key_time = key_state_last_change(state);
2614 }
2615 }
2616 if (key_time != -1) key_time = addtime(key_time, purgetime);
2617 if (key_purgable) {
2618 /* key is purgable, is it time yet? */
2619 if (now >= key_time) {
2620 key_state_t* ks_ds = key_data_get_cached_ds(keylist[i]);
2621 key_state_t* ks_dk = key_data_get_cached_dnskey(keylist[i]);
2622 key_state_t* ks_rd = key_data_get_cached_rrsigdnskey(keylist[i]);
2623 key_state_t* ks_rs = key_data_get_cached_rrsig(keylist[i]);
2624
2625 ods_log_info("[%s] %s deleting key: %s", module_str, scmd,
2627
2628 if ( key_state_delete(ks_ds) || key_state_delete(ks_dk)
2629 || key_state_delete(ks_rd) || key_state_delete(ks_rs)
2630 || key_data_delete(keylist[i])
2632 {
2633 /* TODO: better log error */
2634 ods_log_error("[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2635 }
2636 key_state_free(ks_ds);
2637 key_state_free(ks_dk);
2638 key_state_free(ks_rd);
2639 key_state_free(ks_rs);
2640 } else {
2641 minTime(key_time, &first_purge);
2642 }
2643 /* we can clean up dependency because key is purgable */
2644
2645 for (j = 0; j < deplist2_size; j++) {
2646 if (!deplist2[j]) continue;
2647 if (db_value_cmp(key_data_id(keylist[i]), key_dependency_from_key_data_id(deplist2[j]), &cmp)) {
2648 /* TODO: better log error */
2649 ods_log_error("[%s] %s: cmp deplist from failed", module_str, scmd);
2650 break;
2651 }
2652 if(cmp) continue;
2653
2654 if (key_dependency_delete(deplist2[j])) {
2655 /* TODO: better log error */
2656 ods_log_error("[%s] %s: key_dependency_delete() failed", module_str, scmd);
2657 break;
2658 }
2659 }
2660 }
2661 }
2662 for (i = 0; i < deplist2_size; i++){
2663 key_dependency_free(deplist2[i]);
2664 }
2665 free(deplist2);
2666
2667 int deleteCount = hsm_key_factory_delete_key(dbconn);
2668 ods_log_info("[%s] %s: keys deleted from HSM: %d", module_str, scmd, deleteCount);
2669
2670 if(deleteCount > 0) {
2671 return -1 - deleteCount;
2672 } else {
2673 return first_purge;
2674 }
2675}
2676
2677time_t
2678update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
2679{
2680 int allow_unsigned = 0;
2681 time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2682 key_data_list_t *key_list;
2683 const key_data_t* key;
2684 key_data_t** keylist = NULL;
2685 size_t keylist_size, i;
2686 key_dependency_list_t *deplist;
2687 static const char *scmd = "update";
2688 int key_data_updated;
2689
2690 if (!engine) {
2691 ods_log_error("[%s] no engine", module_str);
2692 return now + 60;
2693 }
2694 if (!dbconn) {
2695 ods_log_error("[%s] no dbconn", module_str);
2696 return now + 60;
2697 }
2698 if (!zone) {
2699 ods_log_error("[%s] no zone", module_str);
2700 return now + 60;
2701 }
2702 if (!policy) {
2703 ods_log_error("[%s] no policy", module_str);
2704 return now + 60;
2705 }
2706 if (!zone_updated) {
2707 ods_log_error("[%s] no zone_updated", module_str);
2708 return now + 60;
2709 }
2710
2711 ods_log_info("[%s] update zone: %s", module_str, zone_db_name(zone));
2712
2713 if (engine->config->rollover_notification && zone_db_next_ksk_roll(zone) > 0) {
2714 if ((time_t)zone_db_next_ksk_roll(zone) - engine->config->rollover_notification <= now
2715 && (time_t)zone_db_next_ksk_roll(zone) != now) {
2716 time_t t = (time_t) zone_db_next_ksk_roll(zone);
2717 ods_log_info("[%s] KSK Rollover for zone %s is impending, "
2718 "rollover will happen at %s",
2719 module_str, zone_db_name(zone), ctime(&t));
2720 }
2721 }
2722 else if (engine->config->rollover_notification && zone_db_next_csk_roll(zone) > 0) {
2723 if ((time_t)zone_db_next_csk_roll(zone) - engine->config->rollover_notification <= now
2724 && (time_t)zone_db_next_csk_roll(zone) != now) {
2725 time_t t = (time_t) zone_db_next_csk_roll(zone);
2726 ods_log_info("[%s] CSK Rollover for zone %s is impending, "
2727 "rollover will happen at %s",
2728 module_str, zone_db_name(zone), ctime(&t));
2729 }
2730 }
2731
2732
2733 /*
2734 * Update policy.
2735 */
2736 policy_return_time = updatePolicy(engine, dbconn, policy, zone, now, &allow_unsigned, zone_updated);
2737
2738 if (allow_unsigned) {
2739 ods_log_info("[%s] No keys configured for %s, zone will become unsigned eventually",
2740 module_str, zone_db_name(zone));
2741 }
2742
2743 /*
2744 * Get all key data/state/hsm objects for later processing.
2745 */
2746 if (!(deplist = zone_db_get_key_dependencies(zone))) {
2747 /* TODO: better log error */
2748 ods_log_error("[%s] %s: error zone_db_get_key_dependencies()", module_str, scmd);
2749 key_dependency_list_free(deplist);
2750 return now + 60;
2751 }
2752 if (!(key_list = zone_db_get_keys(zone))) {
2753 /* TODO: better log error */
2754 ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2755 key_data_list_free(key_list);
2756 key_dependency_list_free(deplist);
2757 return now + 60;
2758 }
2759 /*WTF DOES THIS CODE DO?*/
2760 if (!(keylist_size = key_data_list_size(key_list))) {
2761 if ((key = key_data_list_begin(key_list))) {
2762 while (key) {
2763 keylist_size++;
2764 key = key_data_list_next(key_list);
2765 }
2766 }
2767 }
2768 if (keylist_size) {
2769 if (!(keylist = (key_data_t**)calloc(keylist_size, sizeof(key_data_t*)))) {
2770 /* TODO: better log error */
2771 ods_log_error("[%s] %s: error calloc(keylist_size)", module_str, scmd);
2772 key_data_list_free(key_list);
2773 key_dependency_list_free(deplist);
2774 return now + 60;
2775 }
2776 for (i = 0; i < keylist_size; i++) {
2777 if (!i) {
2778 keylist[i] = key_data_list_get_begin(key_list);
2779 }
2780 else {
2781 keylist[i] = key_data_list_get_next(key_list);
2782 }
2783 if (!keylist[i]
2784 || key_data_cache_hsm_key(keylist[i])
2785 || key_data_cache_key_states(keylist[i]))
2786 {
2787 ods_log_error("[%s] %s: error key_data_list cache", module_str, scmd);
2788 for (i = 0; i < keylist_size; i++) {
2789 if (keylist[i]) {
2790 key_data_free(keylist[i]);
2791 }
2792 }
2793 free(keylist);
2794 key_data_list_free(key_list);
2795 key_dependency_list_free(deplist);
2796 return now + 60;
2797 }
2798 }
2799 }
2800 key_data_list_free(key_list);
2801
2802
2803 /*
2804 * Only purge old keys if the policy says so.
2805 */
2806 if (policy_keys_purge_after(policy) && keylist) {
2807 purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2809 if(purge_return_time < -1) {
2810 ods_log_info("[%s] %s: reschedule enforcing policy due to deleting keys", module_str, scmd);
2811 /* Keys have been deleted, we cannot continue in this same session, reschedule. */
2812 return now + 60;
2813 }
2814 }
2815
2816
2817 /*
2818 * Update zone.
2819 */
2820 zone_return_time = updateZone(dbconn, policy, zone, now, allow_unsigned, zone_updated,
2821 keylist, keylist_size, deplist);
2822
2823
2824 /*
2825 * Always set these flags. Normally this needs to be done _only_ when the
2826 * Signer config needs writing. However a previous Signer config might not
2827 * be available, we have no way of telling. :(
2828 */
2829 for (i = 0; i < keylist_size; i++) {
2830 key_data_updated = 0;
2831
2832 /* hack */
2833 key_data_set_publish(keylist[i], 0);
2834 key_data_set_active_ksk(keylist[i], 0);
2835 key_data_set_active_zsk(keylist[i], 0);
2836 key_data_updated = 1;
2837 /*
2838 * TODO: description
2839 */
2842 {
2843 if (!key_data_publish(keylist[i])) {
2844 if (key_data_set_publish(keylist[i], 1)) {
2845 ods_log_error("[%s] %s: key_data_set_publish() failed",
2846 module_str, scmd);
2847 break;
2848 }
2849
2850 key_data_updated = 1;
2851 }
2852 }
2853
2854 /*
2855 * TODO: description
2856 */
2859 {
2860 if (!key_data_active_ksk(keylist[i])) {
2861 if (key_data_set_active_ksk(keylist[i], 1)) {
2862 ods_log_error("[%s] %s: key_data_set_active_ksk() failed",
2863 module_str, scmd);
2864 break;
2865 }
2866
2867 key_data_updated = 1;
2868 }
2869 }
2870
2871 /*
2872 * TODO: description
2873 */
2876 {
2877 if (!key_data_active_zsk(keylist[i])) {
2878 if (key_data_set_active_zsk(keylist[i], 1)) {
2879 ods_log_error("[%s] %s: key_data_set_active_zsk() failed",
2880 module_str, scmd);
2881 break;
2882 }
2883
2884 key_data_updated = 1;
2885 }
2886 }
2887
2888 if (key_data_updated) {
2889 if (key_data_update(keylist[i])) {
2890 ods_log_error("[%s] %s: key_data_update() failed",
2891 module_str, scmd);
2892 break;
2893 }
2894 }
2895 }
2896
2897 /*
2898 * Release cached objects.
2899 */
2900 for (i = 0; i < keylist_size; i++) {
2901 if (keylist[i]) {
2902 key_data_free(keylist[i]);
2903 }
2904 }
2905 free(keylist);
2906 key_dependency_list_free(deplist);
2907
2908 return_time = zone_return_time;
2909 minTime(policy_return_time, &return_time);
2910 /*
2911 * Take the rollover notification time into account when scheduling
2912 * this zone. We will need to print a message at that time.
2913 */
2914 if (zone_db_next_ksk_roll(zone) > 0
2915 && (zone_db_next_ksk_roll(zone) - engine->config->rollover_notification > now)) {
2916 minTime(zone_db_next_ksk_roll(zone) - engine->config->rollover_notification, &return_time);
2917 }
2918 else if (zone_db_next_csk_roll(zone) > 0
2919 && (zone_db_next_csk_roll(zone) - engine->config->rollover_notification > now)) {
2920 minTime(zone_db_next_csk_roll(zone) - engine->config->rollover_notification, &return_time);
2921 }
2922
2923 minTime(purge_return_time, &return_time);
2924 return return_time;
2925}
#define DB_OK
Definition db_error.h:36
int db_value_cmp(const db_value_t *value_a, const db_value_t *value_b, int *result)
Definition db_value.c:102
#define OMNIPRESENT
Definition enforcer.c:68
time_t update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
Definition enforcer.c:2678
#define NOKEY_TIMEOUT
Definition enforcer.c:75
#define NA
Definition enforcer.c:70
#define HIDDEN
Definition enforcer.c:66
#define RUMOURED
Definition enforcer.c:67
#define UNRETENTIVE
Definition enforcer.c:69
hsm_key_t * hsm_key_list_get_begin(hsm_key_list_t *hsm_key_list)
Definition hsm_key.c:1888
void hsm_key_free(hsm_key_t *hsm_key)
Definition hsm_key.c:286
const char * hsm_key_repository(const hsm_key_t *hsm_key)
Definition hsm_key.c:568
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition hsm_key.c:520
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
Definition hsm_key.c:1496
unsigned int hsm_key_algorithm(const hsm_key_t *hsm_key)
Definition hsm_key.c:544
unsigned int hsm_key_bits(const hsm_key_t *hsm_key)
Definition hsm_key.c:536
unsigned int hsm_key_inception(const hsm_key_t *hsm_key)
Definition hsm_key.c:560
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
Definition hsm_key.c:504
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
Definition hsm_key.c:1990
@ HSM_KEY_STATE_UNUSED
Definition hsm_key.h:42
@ HSM_KEY_STATE_PRIVATE
Definition hsm_key.h:43
@ HSM_KEY_STATE_SHARED
Definition hsm_key.h:44
@ HSM_KEY_STATE_DELETE
Definition hsm_key.h:45
hsm_key_backup
Definition hsm_key.h:64
@ HSM_KEY_BACKUP_BACKUP_REQUESTED
Definition hsm_key.h:68
@ HSM_KEY_BACKUP_BACKUP_REQUIRED
Definition hsm_key.h:67
hsm_key_role
Definition hsm_key.h:49
#define HSM_KEY_ROLE_SEP(role)
Definition hsm_key.h:57
hsm_key_list_t * hsm_key_list_new_get_by_policy_key(const policy_key_t *pkey)
Definition hsm_key_ext.c:43
int hsm_key_factory_delete_key(const db_connection_t *connection)
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
int key_data_set_minimize(key_data_t *key_data, unsigned int minimize)
Definition key_data.c:966
int key_data_cmp(const key_data_t *key_data_a, const key_data_t *key_data_b)
Definition key_data.c:402
unsigned int key_data_active_ksk(const key_data_t *key_data)
Definition key_data.c:751
const db_value_t * key_data_id(const key_data_t *key_data)
Definition key_data.c:553
size_t key_data_list_size(key_data_list_t *key_data_list)
Definition key_data.c:2461
int key_data_get_by_id(key_data_t *key_data, const db_value_t *id)
Definition key_data.c:1296
int key_data_update(key_data_t *key_data)
Definition key_data.c:1349
int key_data_delete(key_data_t *key_data)
Definition key_data.c:1587
void key_data_free(key_data_t *key_data)
Definition key_data.c:304
int key_data_set_role(key_data_t *key_data, key_data_role_t role)
Definition key_data.c:890
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
Definition key_data.c:649
int key_data_set_introducing(key_data_t *key_data, unsigned int introducing)
Definition key_data.c:903
int key_data_set_active_zsk(key_data_t *key_data, unsigned int active_zsk)
Definition key_data.c:913
int key_data_set_publish(key_data_t *key_data, unsigned int publish)
Definition key_data.c:923
int key_data_set_zone_id(key_data_t *key_data, const db_value_t *zone_id)
Definition key_data.c:832
const char * key_data_role_text(const key_data_t *key_data)
Definition key_data.c:711
unsigned int key_data_publish(const key_data_t *key_data)
Definition key_data.c:743
int key_data_set_algorithm(key_data_t *key_data, unsigned int algorithm)
Definition key_data.c:870
void key_data_list_free(key_data_list_t *key_data_list)
Definition key_data.c:1694
int key_data_set_inception(key_data_t *key_data, unsigned int inception)
Definition key_data.c:880
unsigned int key_data_introducing(const key_data_t *key_data)
Definition key_data.c:727
int key_data_set_hsm_key_id(key_data_t *key_data, const db_value_t *hsm_key_id)
Definition key_data.c:851
const key_data_t * key_data_list_begin(key_data_list_t *key_data_list)
Definition key_data.c:2267
unsigned int key_data_inception(const key_data_t *key_data)
Definition key_data.c:695
unsigned int key_data_active_zsk(const key_data_t *key_data)
Definition key_data.c:735
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
Definition key_data.c:2425
int key_data_cache_hsm_key(key_data_t *key_data)
Definition key_data.c:615
const db_value_t * key_data_hsm_key_id(const key_data_t *key_data)
Definition key_data.c:607
int key_data_set_keytag(key_data_t *key_data, unsigned int keytag)
Definition key_data.c:956
int key_data_create(key_data_t *key_data)
Definition key_data.c:1093
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
Definition key_data.c:943
key_data_t * key_data_new(const db_connection_t *connection)
Definition key_data.c:264
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
Definition key_data.c:2359
unsigned int key_data_algorithm(const key_data_t *key_data)
Definition key_data.c:687
unsigned int key_data_minimize(const key_data_t *key_data)
Definition key_data.c:775
key_data_t * key_data_list_get_begin(key_data_list_t *key_data_list)
Definition key_data.c:2323
int key_data_set_active_ksk(key_data_t *key_data, unsigned int active_ksk)
Definition key_data.c:933
key_data_t * key_data_new_copy(const key_data_t *key_data)
Definition key_data.c:285
key_data_role
Definition key_data.h:40
@ KEY_DATA_ROLE_ZSK
Definition key_data.h:43
@ KEY_DATA_ROLE_INVALID
Definition key_data.h:41
@ KEY_DATA_ROLE_KSK
Definition key_data.h:42
@ KEY_DATA_ROLE_CSK
Definition key_data.h:44
enum key_data_role key_data_role_t
key_data_ds_at_parent
Definition key_data.h:50
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
Definition key_data.h:54
@ KEY_DATA_DS_AT_PARENT_RETRACT
Definition key_data.h:56
@ KEY_DATA_DS_AT_PARENT_UNSUBMITTED
Definition key_data.h:52
@ KEY_DATA_DS_AT_PARENT_SEEN
Definition key_data.h:55
@ KEY_DATA_DS_AT_PARENT_SUBMIT
Definition key_data.h:53
@ KEY_DATA_DS_AT_PARENT_RETRACTED
Definition key_data.h:57
key_state_t * key_data_get_cached_dnskey(key_data_t *key_data)
const key_state_t * key_data_cached_rrsig(key_data_t *key_data)
int key_data_cache_key_states(key_data_t *key_data)
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
key_state_t * key_data_get_cached_rrsig(key_data_t *key_data)
key_state_t * key_data_get_cached_rrsigdnskey(key_data_t *key_data)
const hsm_key_t * key_data_cached_hsm_key(const key_data_t *key_data)
const key_state_t * key_data_cached_ds(key_data_t *key_data)
key_state_t * key_data_get_cached_ds(key_data_t *key_data)
const key_state_t * key_data_cached_rrsigdnskey(key_data_t *key_data)
void key_dependency_free(key_dependency_t *key_dependency)
int key_dependency_set_zone_id(key_dependency_t *key_dependency, const db_value_t *zone_id)
key_dependency_t * key_dependency_new(const db_connection_t *connection)
key_data_t * key_dependency_get_from_key_data(const key_dependency_t *key_dependency)
const key_dependency_t * key_dependency_list_next(key_dependency_list_t *key_dependency_list)
int key_dependency_set_type(key_dependency_t *key_dependency, key_dependency_type_t type)
const key_dependency_t * key_dependency_list_begin(key_dependency_list_t *key_dependency_list)
key_dependency_t * key_dependency_list_get_next(key_dependency_list_t *key_dependency_list)
const db_value_t * key_dependency_to_key_data_id(const key_dependency_t *key_dependency)
void key_dependency_list_free(key_dependency_list_t *key_dependency_list)
const db_value_t * key_dependency_from_key_data_id(const key_dependency_t *key_dependency)
size_t key_dependency_list_size(key_dependency_list_t *key_dependency_list)
int key_dependency_set_from_key_data_id(key_dependency_t *key_dependency, const db_value_t *from_key_data_id)
int key_dependency_delete(key_dependency_t *key_dependency)
int key_dependency_create(key_dependency_t *key_dependency)
key_dependency_list_t * key_dependency_list_new_copy(const key_dependency_list_t *from_key_dependency_list)
int key_dependency_set_to_key_data_id(key_dependency_t *key_dependency, const db_value_t *to_key_data_id)
key_dependency_t * key_dependency_list_get_begin(key_dependency_list_t *key_dependency_list)
enum key_dependency_type key_dependency_type_t
key_dependency_type
@ KEY_DEPENDENCY_TYPE_DNSKEY
@ KEY_DEPENDENCY_TYPE_RRSIGDNSKEY
@ KEY_DEPENDENCY_TYPE_DS
@ KEY_DEPENDENCY_TYPE_RRSIG
unsigned int key_state_minimize(const key_state_t *key_state)
Definition key_state.c:401
int key_state_set_minimize(key_state_t *key_state, unsigned int minimize)
Definition key_state.c:472
int key_state_delete(const key_state_t *key_state)
Definition key_state.c:831
const char * key_state_state_text(const key_state_t *key_state)
Definition key_state.c:377
key_state_t * key_state_new(const db_connection_t *connection)
Definition key_state.c:176
int key_state_set_ttl(key_state_t *key_state, unsigned int ttl)
Definition key_state.c:482
void key_state_free(key_state_t *key_state)
Definition key_state.c:214
int key_state_set_last_change(key_state_t *key_state, unsigned int last_change)
Definition key_state.c:462
int key_state_set_type(key_state_t *key_state, key_state_type_t type)
Definition key_state.c:436
int key_state_create(key_state_t *key_state)
Definition key_state.c:519
const db_enum_t key_state_enum_set_type[]
Definition key_state.c:36
const db_enum_t key_state_enum_set_state[]
Definition key_state.c:44
const char * key_state_type_text(const key_state_t *key_state)
Definition key_state.c:353
int key_state_set_key_data_id(key_state_t *key_state, const db_value_t *key_data_id)
Definition key_state.c:417
unsigned int key_state_last_change(const key_state_t *key_state)
Definition key_state.c:393
int key_state_set_state(key_state_t *key_state, key_state_state_t state)
Definition key_state.c:449
int key_state_update(key_state_t *key_state)
Definition key_state.c:684
enum key_state_state key_state_state_t
enum key_state_type key_state_type_t
@ KEY_STATE_TYPE_DNSKEY
Definition key_state.h:44
@ KEY_STATE_TYPE_RRSIG
Definition key_state.h:43
@ KEY_STATE_TYPE_DS
Definition key_state.h:42
@ KEY_STATE_TYPE_RRSIGDNSKEY
Definition key_state.h:45
key_state_state
Definition key_state.h:49
@ KEY_STATE_STATE_INVALID
Definition key_state.h:50
unsigned int policy_zone_propagation_delay(const policy_t *policy)
Definition policy.c:1005
unsigned int policy_signatures_validity_denial(const policy_t *policy)
Definition policy.c:869
unsigned int policy_keys_purge_after(const policy_t *policy)
Definition policy.c:997
unsigned int policy_parent_ds_ttl(const policy_t *policy)
Definition policy.c:1061
unsigned int policy_signatures_resign(const policy_t *policy)
Definition policy.c:829
unsigned int policy_keys_ttl(const policy_t *policy)
Definition policy.c:965
unsigned int policy_parent_propagation_delay(const policy_t *policy)
Definition policy.c:1053
unsigned int policy_zone_soa_ttl(const policy_t *policy)
Definition policy.c:1013
unsigned int policy_zone_soa_minimum(const policy_t *policy)
Definition policy.c:1021
unsigned int policy_signatures_refresh(const policy_t *policy)
Definition policy.c:837
unsigned int policy_denial_ttl(const policy_t *policy)
Definition policy.c:909
unsigned int policy_signatures_max_zone_ttl(const policy_t *policy)
Definition policy.c:885
const char * policy_name(const policy_t *policy)
Definition policy.c:813
unsigned int policy_keys_shared(const policy_t *policy)
Definition policy.c:989
unsigned int policy_signatures_jitter(const policy_t *policy)
Definition policy.c:845
unsigned int policy_parent_registration_delay(const policy_t *policy)
Definition policy.c:1045
unsigned int policy_signatures_validity_default(const policy_t *policy)
Definition policy.c:861
unsigned int policy_keys_publish_safety(const policy_t *policy)
Definition policy.c:981
unsigned int policy_keys_retire_safety(const policy_t *policy)
Definition policy.c:973
policy_denial_type
Definition policy.h:40
@ POLICY_DENIAL_TYPE_NSEC3
Definition policy.h:43
policy_key_list_t * policy_get_policy_keys(const policy_t *policy)
size_t policy_key_list_size(policy_key_list_t *policy_key_list)
unsigned int policy_key_minimize(const policy_key_t *policy_key)
Definition policy_key.c:566
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
Definition policy_key.c:526
const policy_key_t * policy_key_list_begin(policy_key_list_t *policy_key_list)
unsigned int policy_key_manual_rollover(const policy_key_t *policy_key)
Definition policy_key.c:550
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
const char * policy_key_repository(const policy_key_t *policy_key)
Definition policy_key.c:534
void policy_key_list_free(policy_key_list_t *policy_key_list)
const char * policy_key_role_text(const policy_key_t *policy_key)
Definition policy_key.c:494
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
Definition policy_key.c:510
unsigned int policy_key_bits(const policy_key_t *policy_key)
Definition policy_key.c:518
policy_key_role
Definition policy_key.h:40
@ POLICY_KEY_ROLE_KSK
Definition policy_key.h:42
@ POLICY_KEY_ROLE_CSK
Definition policy_key.h:44
@ POLICY_KEY_ROLE_ZSK
Definition policy_key.h:43
int value
Definition db_enum.h:40
const char * text
Definition db_enum.h:39
engineconfig_type * config
Definition engine.h:48
time_t rollover_notification
Definition cfg.h:78
key_state_state_t next_state
Definition enforcer.c:80
int pretend_update
Definition enforcer.c:81
key_data_t * key
Definition enforcer.c:78
key_state_type_t type
Definition enforcer.c:79
hsm_key_state_t state
Definition hsm_key.h:87
key_dependency_type_t type
unsigned int next_zsk_roll
Definition zone_db.h:68
unsigned int next_csk_roll
Definition zone_db.h:69
unsigned int next_ksk_roll
Definition zone_db.h:67
unsigned int zone_db_roll_zsk_now(const zone_db_t *zone)
Definition zone_db.c:846
int zone_db_set_ttl_end_dk(zone_db_t *zone, unsigned int ttl_end_dk)
Definition zone_db.c:1011
unsigned int zone_db_ttl_end_rs(const zone_db_t *zone)
Definition zone_db.c:830
int zone_db_set_signconf_needs_writing(zone_db_t *zone, unsigned int signconf_needs_writing)
Definition zone_db.c:959
unsigned int zone_db_ttl_end_ds(const zone_db_t *zone)
Definition zone_db.c:814
int zone_db_set_roll_zsk_now(zone_db_t *zone, unsigned int roll_zsk_now)
Definition zone_db.c:1041
int zone_db_set_roll_csk_now(zone_db_t *zone, unsigned int roll_csk_now)
Definition zone_db.c:1051
unsigned int zone_db_roll_ksk_now(const zone_db_t *zone)
Definition zone_db.c:838
const char * zone_db_name(const zone_db_t *zone)
Definition zone_db.c:782
unsigned int zone_db_next_ksk_roll(const zone_db_t *zone)
Definition zone_db.c:894
unsigned int zone_db_next_csk_roll(const zone_db_t *zone)
Definition zone_db.c:910
int zone_db_set_ttl_end_ds(zone_db_t *zone, unsigned int ttl_end_ds)
Definition zone_db.c:1001
int zone_db_set_roll_ksk_now(zone_db_t *zone, unsigned int roll_ksk_now)
Definition zone_db.c:1031
unsigned int zone_db_ttl_end_dk(const zone_db_t *zone)
Definition zone_db.c:822
const db_value_t * zone_db_id(const zone_db_t *zone)
Definition zone_db.c:728
unsigned int zone_db_signconf_needs_writing(const zone_db_t *zone)
Definition zone_db.c:790
unsigned int zone_db_roll_csk_now(const zone_db_t *zone)
Definition zone_db.c:854
int zone_db_set_ttl_end_rs(zone_db_t *zone, unsigned int ttl_end_rs)
Definition zone_db.c:1021
key_dependency_list_t * zone_db_get_key_dependencies(const zone_db_t *zone)
Definition zone_db_ext.c:76
key_data_list_t * zone_db_get_keys(const zone_db_t *zone)
Definition zone_db_ext.c:56