[thirdparty/pdns.git] / pdns / dnsseckeeper.hh

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#pragma once
#include <string>
#include <string.h>
#include <vector>
#include <boost/logic/tribool.hpp>
#include <boost/multi_index_container.hpp>
#include <boost/multi_index/ordered_index.hpp>
#include <boost/tuple/tuple_comparison.hpp>
#include <boost/multi_index/key_extractors.hpp>
#include <boost/multi_index/sequenced_index.hpp>
#include "dnssecinfra.hh"
#include "dnsrecords.hh"
#include "ueberbackend.hh"

using namespace ::boost::multi_index;

class DNSSECKeeper : public boost::noncopyable
{
public:
  enum keytype_t { KSK, ZSK, CSK };
  enum keyalgorithm_t : uint8_t {
    RSAMD5=1,
    DH=2,
    DSA=3,
    RSASHA1=5,
    DSANSEC3SHA1=6,
    RSASHA1NSEC3SHA1=7,
    RSASHA256=8,
    RSASHA512=10,
    ECCGOST=12,
    ECDSA256=13,
    ECDSA384=14,
    ED25519=15,
    ED448=16
  };

  enum dsdigestalgorithm_t : uint8_t {
    SHA1=1,
    SHA256=2,
    GOST=3,
    SHA384=4
  };

  struct KeyMetaData
  {
    string fname;
    unsigned int id;
    bool active;
    keytype_t keyType;
    bool hasSEPBit;
  };
  typedef std::pair<DNSSECPrivateKey, KeyMetaData> keymeta_t;
  typedef std::vector<keymeta_t > keyset_t;

  static string keyTypeToString(const keytype_t &keyType)
  {
    switch(keyType) {
      case DNSSECKeeper::KSK:
        return("KSK");
      case DNSSECKeeper::ZSK:
        return("ZSK");
      case DNSSECKeeper::CSK:
        return("CSK");
      default:
        return("UNKNOWN");
    }
  }

  /*
   * Returns the algorithm number based on the mnemonic (or old PowerDNS value of) a string.
   * See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml for the mapping
   */
  static int shorthand2algorithm(const string &algorithm)
  {
    if (pdns_iequals(algorithm, "rsamd5")) return RSAMD5;
    if (pdns_iequals(algorithm, "dh")) return DH;
    if (pdns_iequals(algorithm, "dsa")) return DSA;
    if (pdns_iequals(algorithm, "rsasha1")) return RSASHA1;
    if (pdns_iequals(algorithm, "dsa-nsec3-sha1")) return DSANSEC3SHA1;
    if (pdns_iequals(algorithm, "rsasha1-nsec3-sha1")) return RSASHA1NSEC3SHA1;
    if (pdns_iequals(algorithm, "rsasha256")) return RSASHA256;
    if (pdns_iequals(algorithm, "rsasha512")) return RSASHA512;
    if (pdns_iequals(algorithm, "ecc-gost")) return ECCGOST;
    if (pdns_iequals(algorithm, "gost")) return ECCGOST;
    if (pdns_iequals(algorithm, "ecdsa256")) return ECDSA256;
    if (pdns_iequals(algorithm, "ecdsap256sha256")) return ECDSA256;
    if (pdns_iequals(algorithm, "ecdsa384")) return ECDSA384;
    if (pdns_iequals(algorithm, "ecdsap384sha384")) return ECDSA384;
    if (pdns_iequals(algorithm, "ed25519")) return ED25519;
    if (pdns_iequals(algorithm, "ed448")) return ED448;
    if (pdns_iequals(algorithm, "indirect")) return 252;
    if (pdns_iequals(algorithm, "privatedns")) return 253;
    if (pdns_iequals(algorithm, "privateoid")) return 254;
    return -1;
  }

  /*
   * Returns the mnemonic from https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
   */
  static string algorithm2name(uint8_t algo) {
    switch(algo) {
      case 0:
      case 4:
      case 9:
      case 11:
        return "Reserved";
      case RSAMD5:
        return "RSAMD5";
      case DH:
        return "DH";
      case DSA:
        return "DSA";
      case RSASHA1:
        return "RSASHA1";
      case DSANSEC3SHA1:
        return "DSA-NSEC3-SHA1";
      case RSASHA1NSEC3SHA1:
        return "RSASHA1-NSEC3-SHA1";
      case RSASHA256:
        return "RSASHA256";
      case RSASHA512:
        return "RSASHA512";
      case ECCGOST:
        return "ECC-GOST";
      case ECDSA256:
        return "ECDSAP256SHA256";
      case ECDSA384:
        return "ECDSAP384SHA384";
      case ED25519:
        return "ED25519";
      case ED448:
        return "ED448";
      case 252:
        return "INDIRECT";
      case 253:
        return "PRIVATEDNS";
      case 254:
        return "PRIVATEOID";
      default:
        return "Unallocated/Reserved";
    }
  }

private:
  UeberBackend* d_keymetadb;
  bool d_ourDB;

public:
  DNSSECKeeper() : d_keymetadb( new UeberBackend("key-only")), d_ourDB(true)
  {
    
  }
  
  DNSSECKeeper(UeberBackend* db) : d_keymetadb(db), d_ourDB(false)
  {
  }
  
  ~DNSSECKeeper()
  {
    if(d_ourDB)
      delete d_keymetadb;
  }
  bool doesDNSSEC();
  bool isSecuredZone(const DNSName& zone);
  static uint64_t dbdnssecCacheSizes(const std::string& str);
  keyset_t getEntryPoints(const DNSName& zname);
  keyset_t getKeys(const DNSName& zone, bool useCache = true);
  DNSSECPrivateKey getKeyById(const DNSName& zone, unsigned int id);
  bool addKey(const DNSName& zname, bool setSEPBit, int algorithm, int64_t& id, int bits=0, bool active=true);
  bool addKey(const DNSName& zname, const DNSSECPrivateKey& dpk, int64_t& id, bool active=true);
  bool removeKey(const DNSName& zname, unsigned int id);
  bool activateKey(const DNSName& zname, unsigned int id);
  bool deactivateKey(const DNSName& zname, unsigned int id);
  bool checkKeys(const DNSName& zname, vector<string>* errorMessages = nullptr);

  bool getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
  bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
  bool setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
  bool unsetNSEC3PARAM(const DNSName& zname);
  void clearAllCaches();
  void clearCaches(const DNSName& name);
  bool getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname, const DNSName& wildcardname, const QType& qtype, DNSResourceRecord::Place, vector<DNSZoneRecord>& rrsigs, uint32_t signTTL);
  bool isPresigned(const DNSName& zname);
  bool setPresigned(const DNSName& zname);
  bool unsetPresigned(const DNSName& zname);
  bool setPublishCDNSKEY(const DNSName& zname);
  bool unsetPublishCDNSKEY(const DNSName& zname);
  bool setPublishCDS(const DNSName& zname, const string& digestAlgos);
  bool unsetPublishCDS(const DNSName& zname);

  bool TSIGGrantsAccess(const DNSName& zone, const DNSName& keyname);
  bool getTSIGForAccess(const DNSName& zone, const ComboAddress& master, DNSName* keyname);
  
  void startTransaction(const DNSName& zone, int zone_id)
  {
    (*d_keymetadb->backends.begin())->startTransaction(zone, zone_id);
  }
  
  void commitTransaction()
  {
    (*d_keymetadb->backends.begin())->commitTransaction();
  }
  
  void getFromMeta(const DNSName& zname, const std::string& key, std::string& value);
  void getSoaEdit(const DNSName& zname, std::string& value);
  bool unSecureZone(const DNSName& zone, std::string& error, std::string& info);
  bool rectifyZone(const DNSName& zone, std::string& error, std::string& info, bool doTransaction);
private:


  struct KeyCacheEntry
  {
    typedef vector<DNSSECKeeper::keymeta_t> keys_t;
  
    uint32_t getTTD() const
    {
      return d_ttd;
    }
  
    DNSName d_domain;
    mutable keys_t d_keys;
    unsigned int d_ttd;
  };
  
  struct METACacheEntry
  {
    uint32_t getTTD() const
    {
      return d_ttd;
    }
  
    DNSName d_domain;
    mutable std::string d_key, d_value;
    unsigned int d_ttd;
  
  };
  
  
  typedef multi_index_container<
    KeyCacheEntry,
    indexed_by<
      ordered_unique<member<KeyCacheEntry, DNSName, &KeyCacheEntry::d_domain> >,
      sequenced<>
    >
  > keycache_t;
  typedef multi_index_container<
    METACacheEntry,
    indexed_by<
      ordered_unique<
        composite_key< 
          METACacheEntry, 
          member<METACacheEntry, DNSName, &METACacheEntry::d_domain> ,
          member<METACacheEntry, std::string, &METACacheEntry::d_key>
        >, composite_key_compare<std::less<DNSName>, CIStringCompare> >,
      sequenced<>
    >
  > metacache_t;

  void cleanup();

  static keycache_t s_keycache;
  static metacache_t s_metacache;
  static pthread_rwlock_t s_metacachelock;
  static pthread_rwlock_t s_keycachelock;
  static AtomicCounter s_ops;
  static time_t s_last_prune;

public:
  void preRemoval(const KeyCacheEntry&)
  {
  }
  void preRemoval(const METACacheEntry&)
  {
  }
};

class DNSPacket;
uint32_t localtime_format_YYYYMMDDSS(time_t t, uint32_t seq);
// for SOA-EDIT
uint32_t calculateEditSOA(uint32_t old_serial, DNSSECKeeper& dk, const DNSName& zonename);
uint32_t calculateEditSOA(uint32_t old_serial, const string& kind, const DNSName& zonename);
// for SOA-EDIT-DNSUPDATE/API
bool increaseSOARecord(DNSResourceRecord& dr, const string& increaseKind, const string& editKind);
bool makeIncreasedSOARecord(SOAData& sd, const string& increaseKind, const string& editKind, DNSResourceRecord& rrout);
Commit	Line	Data
0ea9281e	1	/*
12471842 PL	2	* This file is part of PowerDNS or dnsdist.
	3	* Copyright -- PowerDNS.COM B.V. and its contributors
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of version 2 of the GNU General Public License as
	7	* published by the Free Software Foundation.
	8	*
	9	* In addition, for the avoidance of any doubt, permission is granted to
	10	* link this program with OpenSSL and to (re)distribute the binaries
	11	* produced as the result of such linking.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	21	*/
	22	#pragma once
4691b2df	23	#include <string>
4691b2df BH	24	#include <string.h>
4691b2df BH	25	#include <vector>
bed962b5	26	#include <boost/logic/tribool.hpp>
d473cb9a BH	27	#include <boost/multi_index_container.hpp>
	28	#include <boost/multi_index/ordered_index.hpp>
	29	#include <boost/tuple/tuple_comparison.hpp>
	30	#include <boost/multi_index/key_extractors.hpp>
	31	#include <boost/multi_index/sequenced_index.hpp>
edca4841	32	#include "dnssecinfra.hh"
4691b2df	33	#include "dnsrecords.hh"
e0d84497	34	#include "ueberbackend.hh"
4691b2df	35
edca4841	36	using namespace ::boost::multi_index;
4691b2df	37
936eb34a	38	class DNSSECKeeper : public boost::noncopyable
4691b2df	39	{
20002664	40	public:
b6bd795c PL	41	enum keytype_t { KSK, ZSK, CSK };
	42	enum keyalgorithm_t : uint8_t {
	43	RSAMD5=1,
	44	DH=2,
	45	DSA=3,
	46	RSASHA1=5,
	47	DSANSEC3SHA1=6,
	48	RSASHA1NSEC3SHA1=7,
	49	RSASHA256=8,
	50	RSASHA512=10,
	51	ECCGOST=12,
	52	ECDSA256=13,
	53	ECDSA384=14,
21a8834a KM	54	ED25519=15,
21a8834a KM	55	ED448=16
b6bd795c PL	56	};
b6bd795c PL	57
8455425c RG	58	enum dsdigestalgorithm_t : uint8_t {
	59	SHA1=1,
	60	SHA256=2,
	61	GOST=3,
	62	SHA384=4
	63	};
	64
20002664 BH	65	struct KeyMetaData
20002664 BH	66	{
3b8256e2	67	string fname;
bed962b5	68	unsigned int id;
20002664	69	bool active;
b6bd795c PL	70	keytype_t keyType;
b6bd795c PL	71	bool hasSEPBit;
d473cb9a	72	};
b6bd795c	73	typedef std::pair<DNSSECPrivateKey, KeyMetaData> keymeta_t;
d473cb9a	74	typedef std::vector<keymeta_t > keyset_t;
dfee9ed6	75
b6bd795c PL	76	static string keyTypeToString(const keytype_t &keyType)
	77	{
	78	switch(keyType) {
	79	case DNSSECKeeper::KSK:
	80	return("KSK");
	81	case DNSSECKeeper::ZSK:
	82	return("ZSK");
	83	case DNSSECKeeper::CSK:
	84	return("CSK");
	85	default:
	86	return("UNKNOWN");
	87	}
	88	}
	89
c29d2add PL	90	/*
	91	* Returns the algorithm number based on the mnemonic (or old PowerDNS value of) a string.
	92	* See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml for the mapping
	93	*/
b6bd795c PL	94	static int shorthand2algorithm(const string &algorithm)
b6bd795c PL	95	{
9d858a77 PL	96	if (pdns_iequals(algorithm, "rsamd5")) return RSAMD5;
	97	if (pdns_iequals(algorithm, "dh")) return DH;
	98	if (pdns_iequals(algorithm, "dsa")) return DSA;
	99	if (pdns_iequals(algorithm, "rsasha1")) return RSASHA1;
	100	if (pdns_iequals(algorithm, "dsa-nsec3-sha1")) return DSANSEC3SHA1;
	101	if (pdns_iequals(algorithm, "rsasha1-nsec3-sha1")) return RSASHA1NSEC3SHA1;
	102	if (pdns_iequals(algorithm, "rsasha256")) return RSASHA256;
	103	if (pdns_iequals(algorithm, "rsasha512")) return RSASHA512;
	104	if (pdns_iequals(algorithm, "ecc-gost")) return ECCGOST;
	105	if (pdns_iequals(algorithm, "gost")) return ECCGOST;
	106	if (pdns_iequals(algorithm, "ecdsa256")) return ECDSA256;
	107	if (pdns_iequals(algorithm, "ecdsap256sha256")) return ECDSA256;
	108	if (pdns_iequals(algorithm, "ecdsa384")) return ECDSA384;
	109	if (pdns_iequals(algorithm, "ecdsap384sha384")) return ECDSA384;
	110	if (pdns_iequals(algorithm, "ed25519")) return ED25519;
	111	if (pdns_iequals(algorithm, "ed448")) return ED448;
	112	if (pdns_iequals(algorithm, "indirect")) return 252;
	113	if (pdns_iequals(algorithm, "privatedns")) return 253;
	114	if (pdns_iequals(algorithm, "privateoid")) return 254;
b6bd795c PL	115	return -1;
	116	}
	117
c29d2add PL	118	/*
	119	* Returns the mnemonic from https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
	120	*/
b6bd795c PL	121	static string algorithm2name(uint8_t algo) {
	122	switch(algo) {
	123	case 0:
	124	case 4:
	125	case 9:
	126	case 11:
	127	return "Reserved";
	128	case RSAMD5:
	129	return "RSAMD5";
	130	case DH:
	131	return "DH";
	132	case DSA:
	133	return "DSA";
	134	case RSASHA1:
	135	return "RSASHA1";
	136	case DSANSEC3SHA1:
	137	return "DSA-NSEC3-SHA1";
	138	case RSASHA1NSEC3SHA1:
	139	return "RSASHA1-NSEC3-SHA1";
	140	case RSASHA256:
	141	return "RSASHA256";
	142	case RSASHA512:
	143	return "RSASHA512";
	144	case ECCGOST:
	145	return "ECC-GOST";
	146	case ECDSA256:
	147	return "ECDSAP256SHA256";
	148	case ECDSA384:
	149	return "ECDSAP384SHA384";
9d3727e0 KM	150	case ED25519:
9d3727e0 KM	151	return "ED25519";
21a8834a KM	152	case ED448:
21a8834a KM	153	return "ED448";
b6bd795c PL	154	case 252:
	155	return "INDIRECT";
	156	case 253:
	157	return "PRIVATEDNS";
	158	case 254:
	159	return "PRIVATEOID";
	160	default:
	161	return "Unallocated/Reserved";
	162	}
	163	}
	164
e0d84497	165	private:
936eb34a BH	166	UeberBackend* d_keymetadb;
936eb34a BH	167	bool d_ourDB;
dfee9ed6	168
4691b2df	169	public:
936eb34a	170	DNSSECKeeper() : d_keymetadb( new UeberBackend("key-only")), d_ourDB(true)
631580dd	171	{
936eb34a BH	172
	173	}
	174
	175	DNSSECKeeper(UeberBackend* db) : d_keymetadb(db), d_ourDB(false)
	176	{
	177	}
	178
	179	~DNSSECKeeper()
	180	{
	181	if(d_ourDB)
	182	delete d_keymetadb;
631580dd	183	}
7fa35c07	184	bool doesDNSSEC();
675fa24c	185	bool isSecuredZone(const DNSName& zone);
b6bd795c	186	static uint64_t dbdnssecCacheSizes(const std::string& str);
9091cf89	187	keyset_t getEntryPoints(const DNSName& zname);
b6bd795c	188	keyset_t getKeys(const DNSName& zone, bool useCache = true);
675fa24c	189	DNSSECPrivateKey getKeyById(const DNSName& zone, unsigned int id);
82cc0761 BZ	190	bool addKey(const DNSName& zname, bool setSEPBit, int algorithm, int64_t& id, int bits=0, bool active=true);
82cc0761 BZ	191	bool addKey(const DNSName& zname, const DNSSECPrivateKey& dpk, int64_t& id, bool active=true);
675fa24c PD	192	bool removeKey(const DNSName& zname, unsigned int id);
	193	bool activateKey(const DNSName& zname, unsigned int id);
	194	bool deactivateKey(const DNSName& zname, unsigned int id);
ac3f3893	195	bool checkKeys(const DNSName& zname, vector<string>* errorMessages = nullptr);
675fa24c	196
675fa24c	197	bool getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
68fd1167	198	bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
675fa24c PD	199	bool setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
675fa24c PD	200	bool unsetNSEC3PARAM(const DNSName& zname);
627d2ca2	201	void clearAllCaches();
675fa24c	202	void clearCaches(const DNSName& name);
90ba52e0	203	bool getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname, const DNSName& wildcardname, const QType& qtype, DNSResourceRecord::Place, vector<DNSZoneRecord>& rrsigs, uint32_t signTTL);
675fa24c PD	204	bool isPresigned(const DNSName& zname);
	205	bool setPresigned(const DNSName& zname);
	206	bool unsetPresigned(const DNSName& zname);
088370cd PL	207	bool setPublishCDNSKEY(const DNSName& zname);
088370cd PL	208	bool unsetPublishCDNSKEY(const DNSName& zname);
ef542223 PL	209	bool setPublishCDS(const DNSName& zname, const string& digestAlgos);
ef542223 PL	210	bool unsetPublishCDS(const DNSName& zname);
675fa24c PD	211
675fa24c PD	212	bool TSIGGrantsAccess(const DNSName& zone, const DNSName& keyname);
d622042f	213	bool getTSIGForAccess(const DNSName& zone, const ComboAddress& master, DNSName* keyname);
dfee9ed6	214
7da05748	215	void startTransaction(const DNSName& zone, int zone_id)
dfee9ed6	216	{
7da05748	217	(*d_keymetadb->backends.begin())->startTransaction(zone, zone_id);
dfee9ed6 BH	218	}
	219
	220	void commitTransaction()
	221	{
627d2ca2	222	(*d_keymetadb->backends.begin())->commitTransaction();
dfee9ed6 BH	223	}
dfee9ed6 BH	224
675fa24c	225	void getFromMeta(const DNSName& zname, const std::string& key, std::string& value);
4192773a	226	void getSoaEdit(const DNSName& zname, std::string& value);
cbe8b186	227	bool unSecureZone(const DNSName& zone, std::string& error, std::string& info);
59102608	228	bool rectifyZone(const DNSName& zone, std::string& error, std::string& info, bool doTransaction);
0ea9281e BH	229	private:
0ea9281e BH	230
e903706d	231
d473cb9a BH	232	struct KeyCacheEntry
	233	{
	234	typedef vector<DNSSECKeeper::keymeta_t> keys_t;
	235
	236	uint32_t getTTD() const
	237	{
	238	return d_ttd;
	239	}
	240
675fa24c	241	DNSName d_domain;
d473cb9a	242	mutable keys_t d_keys;
1336cf9a	243	unsigned int d_ttd;
d473cb9a BH	244	};
d473cb9a BH	245
d6f3dcdc	246	struct METACacheEntry
d473cb9a	247	{
d473cb9a BH	248	uint32_t getTTD() const
	249	{
	250	return d_ttd;
	251	}
	252
675fa24c	253	DNSName d_domain;
2ae1be00	254	mutable std::string d_key, d_value;
d473cb9a BH	255	unsigned int d_ttd;
d473cb9a BH	256
d473cb9a BH	257	};
	258
	259
	260	typedef multi_index_container<
	261	KeyCacheEntry,
	262	indexed_by<
675fa24c	263	ordered_unique<member<KeyCacheEntry, DNSName, &KeyCacheEntry::d_domain> >,
d473cb9a BH	264	sequenced<>
	265	>
	266	> keycache_t;
	267	typedef multi_index_container<
d6f3dcdc	268	METACacheEntry,
d473cb9a	269	indexed_by<
d6f3dcdc BH	270	ordered_unique<
	271	composite_key<
	272	METACacheEntry,
675fa24c	273	member<METACacheEntry, DNSName, &METACacheEntry::d_domain> ,
d6f3dcdc	274	member<METACacheEntry, std::string, &METACacheEntry::d_key>
675fa24c	275	>, composite_key_compare<std::less<DNSName>, CIStringCompare> >,
d473cb9a BH	276	sequenced<>
d473cb9a BH	277	>
d6f3dcdc	278	> metacache_t;
d473cb9a	279
157f806e PD	280	void cleanup();
157f806e PD	281
40fe813d	282	static keycache_t s_keycache;
d6f3dcdc	283	static metacache_t s_metacache;
18a144ef BH	284	static pthread_rwlock_t s_metacachelock;
18a144ef BH	285	static pthread_rwlock_t s_keycachelock;
16f7d28d	286	static AtomicCounter s_ops;
157f806e	287	static time_t s_last_prune;
e74f866a RG	288
	289	public:
	290	void preRemoval(const KeyCacheEntry&)
	291	{
	292	}
	293	void preRemoval(const METACacheEntry&)
	294	{
	295	}
4691b2df BH	296	};
4691b2df BH	297
0ea9281e	298	class DNSPacket;
63347c6c	299	uint32_t localtime_format_YYYYMMDDSS(time_t t, uint32_t seq);
a6448d95	300	// for SOA-EDIT
13f9e280 CH	301	uint32_t calculateEditSOA(uint32_t old_serial, DNSSECKeeper& dk, const DNSName& zonename);
13f9e280 CH	302	uint32_t calculateEditSOA(uint32_t old_serial, const string& kind, const DNSName& zonename);
a6448d95	303	// for SOA-EDIT-DNSUPDATE/API
13f9e280 CH	304	bool increaseSOARecord(DNSResourceRecord& dr, const string& increaseKind, const string& editKind);
13f9e280 CH	305	bool makeIncreasedSOARecord(SOAData& sd, const string& increaseKind, const string& editKind, DNSResourceRecord& rrout);