status=$((status+ret))
}
+# Call rndc dnssec -status on server $1 for zone $2 and check output.
+# This is a loose verification, it just tests if the right policy
+# name is returned, and if all expected keys are listed. The rndc
+# dnssec -status output also lists whether a key is published,
+# used for signing, is retired, or is removed, and if not when
+# it is scheduled to do so, and it shows the states for the various
+# DNSSEC records.
+check_dnssecstatus() {
+ _server=$1
+ _zone=$2
+ _view=$3
+
+ n=$((n+1))
+ echo_i "check rndc dnssec -status output for ${_zone} ($n)"
+ ret=0
+
+ rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || log_error "rndc dnssec -status zone ${_zone} failed"
+
+ if [ "$POLICY" = "none" ]; then
+ grep "zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}"
+ else
+ grep "dnssec-policy: ${POLICY}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}"
+ if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY1 ID) from dnssec status"
+ fi
+ if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY2 ID) from dnssec status"
+ fi
+ if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY3 ID) from dnssec status"
+ fi
+ if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY4 ID) from dnssec status"
+ fi
+ fi
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
# Check if RRset of type $1 in file $2 is signed with the right keys.
# The right keys are the ones that expect a signature and matches the role $3.
check_signatures() {
set_keystate "KEY1" "STATE_DS" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_keystate "KEY1" "STATE_DS" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
# Activation date is a day later.
set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
# Key timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
# Key properties, timings and states same as above.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy
# The old ZSK is retired.
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
check_apex
check_subdomain
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha1:sha1:$SHA1"
wait_for_nsec
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha1:keyforview1:$VIEW1"
wait_for_nsec
check_keys
+check_dnssecstatus "$SERVER" "$ZONE" "example1"
set_keytimes_csk_policy
check_keytimes
check_apex
TSIG="hmac-sha1:keyforview2:$VIEW2"
wait_for_nsec
check_keys
+check_dnssecstatus "$SERVER" "$ZONE" "example2"
check_apex
dnssec_verify
n=$((n+1))
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The key was published and activated 900 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The key was published and activated 44700 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_keystate "KEY1" "STATE_DS" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The key was published and activated 143100 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 694 hours ago (2498400 seconds).
rollover_predecessor_keytimes -2498400
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are activated 30 days ago (2592000 seconds).
rollover_predecessor_keytimes -2592000
set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are activated 961 hours ago (3459600 seconds).
rollover_predecessor_keytimes -3459600
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are activated 962 hours ago (3463200 seconds).
rollover_predecessor_keytimes -3463200
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
set_keystate "KEY3" "STATE_DS" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 1413 hours ago (5086800 seconds).
rollover_predecessor_keytimes -5086800
set_keystate "KEY3" "STATE_DS" "rumoured"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 59 days ago (5097600 seconds).
rollover_predecessor_keytimes -5097600
set_keystate "KEY3" "STATE_DS" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 1490 hours ago (5364000 seconds).
rollover_predecessor_keytimes -5364000
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The old KSK is activated 1492 hours ago (5371200 seconds).
rollover_predecessor_keytimes -5371200
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0 0
set_keystate "KEY2" "STATE_DS" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4437 hours ago (15973200 seconds)
# and started signing 4461 hours ago (16059600 seconds).
set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 185 days ago (15984000 seconds)
# and started signing 186 days ago (16070400 seconds).
set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4468 hours ago (16084800 seconds)
# and started signing 4492 hours ago (16171200 seconds).
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4470 hours ago (16092000 seconds)
# and started signing 4494 hours ago (16178400 seconds).
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 5067 hours ago (18241200 seconds)
# and started signing 5091 hours ago (18327600 seconds).
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 5069 hours ago (18248400 seconds)
# and started signing 5093 hours ago (18334800 seconds).
key_clear "KEY4"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0 0
set_keystate "KEY2" "STATE_DS" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4293 hours ago (15454800 seconds)
# and started signing 4461 hours ago (16059600 seconds).
set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 179 days ago (15465600 seconds)
# and started signing 186 days ago (16070400 seconds).
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4334 hours ago (15602400 seconds)
# and started signing 4502 hours ago (16207200 seconds).
set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4467 hours ago (16081200 seconds)
# and started signing 4635 hours ago (16686000 seconds).
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4469 hours ago (16088400 seconds)
# and started signing 4637 hours ago (16693200 seconds).
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated.
Lksk=0
set_keystate "KEY1" "STATE_DS" "omnipresent"
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# This key is immediately published and activated.
Lcsk=0
# Make sure the zone is signed with legacy keys.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
# Make sure the zone is signed with legacy keys.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The KSK is immediately published and activated.
# -P : now-3900s
# Make sure the zone is signed with legacy keys.
check_keys
+check_dnssecstatus "$SERVER" "$ZONE"
# The KSK is immediately published and activated.
# -P : now-3900s
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
rollover_predecessor_keytimes 0
# Key now has lifetime of 60 days (5184000 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# KSK must be retired since it no longer matches the policy.
# -P : now-3900s
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# KSK must be retired since it no longer matches the policy.
# -P : now-3900s
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are published and activated.
rollover_predecessor_keytimes 0
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated three hours ago (10800 seconds).
rollover_predecessor_keytimes -10800
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 9 hours ago (32400 seconds)
# and retired 6 hours ago (21600 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 38 hours ago (136800 seconds)
# and retired 35 hours ago (126000 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 40 hours ago (144000 seconds)
# and retired 35 hours ago (133200 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 47 hours ago (169200 seconds)
# and retired 34 hours ago (158400 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# CSK must be retired since it no longer matches the policy.
csk_rollover_predecessor_keytimes 0 0
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated three hours ago (10800 seconds).
csk_rollover_predecessor_keytimes -10800 -10800
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated 9 hours ago (10800 seconds)
# and retired 6 hours ago (21600 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated 38 hours ago (136800 seconds)
# and retired 35 hours ago (126000 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated 40 hours ago (144000 seconds)
# and retired 37 hours ago (133200 seconds).
check_keys
wait_for_done_signing
+check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 47 hours ago (169200 seconds)
# and retired 44 hours ago (158400 seconds).
return (result);
}
+
+static void
+keytime_status(dst_key_t *key, isc_stdtime_t now, isc_buffer_t *buf,
+ const char *pre, int ks, int kt) {
+ char timestr[26]; /* Minimal buf as per ctime_r() spec. */
+ isc_result_t ret;
+ isc_stdtime_t when = 0;
+ dst_key_state_t state;
+
+ isc_buffer_printf(buf, "%s", pre);
+ (void)dst_key_getstate(key, ks, &state);
+ ret = dst_key_gettime(key, kt, &when);
+ if (state == RUMOURED || state == OMNIPRESENT) {
+ isc_buffer_printf(buf, "yes - since ");
+ } else if (now < when) {
+ isc_buffer_printf(buf, "no - scheduled ");
+ } else {
+ isc_buffer_printf(buf, "no\n");
+ return;
+ }
+ if (ret == ISC_R_SUCCESS) {
+ isc_stdtime_tostring(when, timestr, sizeof(timestr));
+ isc_buffer_printf(buf, "%s\n", timestr);
+ }
+}
+
+static void
+rollover_status(dns_dnsseckey_t *dkey, dns_kasp_t *kasp, isc_stdtime_t now,
+ isc_buffer_t *buf, bool zsk) {
+ char timestr[26]; /* Minimal buf as per ctime_r() spec. */
+ isc_result_t ret = ISC_R_SUCCESS;
+ isc_stdtime_t active_time = 0;
+ dst_key_state_t state = NA, goal = NA;
+ int rrsig, active, retire;
+ dst_key_t *key = dkey->key;
+
+ if (zsk) {
+ rrsig = DST_KEY_ZRRSIG;
+ active = DST_TIME_ACTIVATE;
+ retire = DST_TIME_INACTIVE;
+ } else {
+ rrsig = DST_KEY_KRRSIG;
+ active = DST_TIME_PUBLISH;
+ retire = DST_TIME_DELETE;
+ }
+
+ isc_buffer_printf(buf, "\n");
+
+ (void)dst_key_getstate(key, DST_KEY_GOAL, &goal);
+ (void)dst_key_getstate(key, rrsig, &state);
+ (void)dst_key_gettime(key, active, &active_time);
+ if (active_time == 0) {
+ // only interested in keys that were once active.
+ return;
+ }
+
+ if (goal == HIDDEN && (state == UNRETENTIVE || state == HIDDEN)) {
+ isc_stdtime_t remove_time = 0;
+ // is the key removed yet?
+ state = NA;
+ (void)dst_key_getstate(key, DST_KEY_DNSKEY, &state);
+ if (state == RUMOURED || state == OMNIPRESENT) {
+ ret = dst_key_gettime(key, DST_TIME_DELETE,
+ &remove_time);
+ if (ret == ISC_R_SUCCESS) {
+ isc_buffer_printf(buf, " Key is retired, will "
+ "be removed on ");
+ isc_stdtime_tostring(remove_time, timestr,
+ sizeof(timestr));
+ isc_buffer_printf(buf, "%s", timestr);
+ }
+ } else {
+ isc_buffer_printf(
+ buf, " Key has been removed from the zone");
+ }
+ } else {
+ isc_stdtime_t retire_time = 0;
+ uint32_t lifetime = 0;
+ (void)dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime);
+ ret = dst_key_gettime(key, retire, &retire_time);
+ if (ret == ISC_R_SUCCESS) {
+ if (now < retire_time) {
+ if (goal == OMNIPRESENT) {
+ isc_buffer_printf(buf,
+ " Next rollover "
+ "scheduled on ");
+ retire_time = keymgr_prepublication_time(
+ dkey, kasp, lifetime, now);
+ } else {
+ isc_buffer_printf(
+ buf, " Key will retire on ");
+ }
+ } else {
+ isc_buffer_printf(buf,
+ " Rollover is due since ");
+ }
+ isc_stdtime_tostring(retire_time, timestr,
+ sizeof(timestr));
+ isc_buffer_printf(buf, "%s", timestr);
+ } else {
+ isc_buffer_printf(buf, " No rollover scheduled");
+ }
+ }
+ isc_buffer_printf(buf, "\n");
+}
+
+static void
+keystate_status(dst_key_t *key, isc_buffer_t *buf, const char *pre, int ks) {
+ dst_key_state_t state = NA;
+
+ (void)dst_key_getstate(key, ks, &state);
+ switch (state) {
+ case HIDDEN:
+ isc_buffer_printf(buf, " - %shidden\n", pre);
+ break;
+ case RUMOURED:
+ isc_buffer_printf(buf, " - %srumoured\n", pre);
+ break;
+ case OMNIPRESENT:
+ isc_buffer_printf(buf, " - %somnipresent\n", pre);
+ break;
+ case UNRETENTIVE:
+ isc_buffer_printf(buf, " - %sunretentive\n", pre);
+ break;
+ case NA:
+ default:
+ /* print nothing */
+ break;
+ }
+}
+
+void
+dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+ isc_stdtime_t now, char *out, size_t out_len) {
+ isc_buffer_t buf;
+ char timestr[26]; /* Minimal buf as per ctime_r() spec. */
+
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(keyring != NULL);
+ REQUIRE(out != NULL);
+
+ isc_buffer_init(&buf, out, out_len);
+
+ // policy name
+ isc_buffer_printf(&buf, "dnssec-policy: %s\n", dns_kasp_getname(kasp));
+ isc_buffer_printf(&buf, "current time: ");
+ isc_stdtime_tostring(now, timestr, sizeof(timestr));
+ isc_buffer_printf(&buf, "%s\n", timestr);
+
+ for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+ dkey = ISC_LIST_NEXT(dkey, link))
+ {
+ char algstr[DNS_NAME_FORMATSIZE];
+ bool ksk = false, zsk = false;
+
+ if (dst_key_is_unused(dkey->key)) {
+ continue;
+ }
+
+ // key data
+ dst_key_getbool(dkey->key, DST_BOOL_KSK, &ksk);
+ dst_key_getbool(dkey->key, DST_BOOL_ZSK, &zsk);
+ dns_secalg_format((dns_secalg_t)dst_key_alg(dkey->key), algstr,
+ sizeof(algstr));
+ isc_buffer_printf(&buf, "\nkey: %d (%s), %s\n",
+ dst_key_id(dkey->key), algstr,
+ keymgr_keyrole(dkey->key));
+
+ // publish status
+ keytime_status(dkey->key, now, &buf,
+ " published: ", DST_KEY_DNSKEY,
+ DST_TIME_PUBLISH);
+
+ // signing status
+ if (ksk) {
+ keytime_status(dkey->key, now, &buf,
+ " key signing: ", DST_KEY_KRRSIG,
+ DST_TIME_PUBLISH);
+ }
+ if (zsk) {
+ keytime_status(dkey->key, now, &buf,
+ " zone signing: ", DST_KEY_ZRRSIG,
+ DST_TIME_ACTIVATE);
+ }
+
+ // rollover status
+ rollover_status(dkey, kasp, now, &buf, zsk);
+
+ // key states
+ keystate_status(dkey->key, &buf,
+ "goal: ", DST_KEY_GOAL);
+ keystate_status(dkey->key, &buf,
+ "dnskey: ", DST_KEY_DNSKEY);
+ keystate_status(dkey->key, &buf,
+ "ds: ", DST_KEY_DS);
+ keystate_status(dkey->key, &buf,
+ "zone rrsig: ", DST_KEY_ZRRSIG);
+ keystate_status(dkey->key, &buf,
+ "key rrsig: ", DST_KEY_KRRSIG);
+ }
+}
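Review bot: `state` in keytime_status is declared without an initializer and the result of `dst_key_getstate` is discarded, so when no state is recorded for `ks` the test `state == RUMOURED || state == OMNIPRESENT` reads an indeterminate value; rollover_status and keystate_status both start from `NA`, and this helper should do the same: `dst_key_state_t state = NA;`. In the same helper the `"yes - since "` branch only terminates the line when `dst_key_gettime` succeeds, so a key with a known state but no recorded time leaves the following text on the same line; an `else { isc_buffer_printf(buf, "\n"); }` after the time print keeps the output usable by line-oriented consumers such as the grep in check_dnssecstatus. In dns_keymgr_status every isc_buffer_printf result is ignored while writing into the caller-sized `out`, so once the text exceeds `out_len` (a zone with many keys) later keys are silently dropped and, as far as I can tell, `out` is not even NUL-terminated if the very first write is refused — either stop and surface the first non-success result (the buffer code reports ISC_R_NOSPACE) or append an explicit truncation marker when space runs out. keymgr_prepublication_time and keymgr_keyrole are referenced here but defined outside this hunk.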