result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (type != dns_rdatatype_dnskey) {
+ if (type != dns_rdatatype_dnskey &&
+ type != dns_rdatatype_cds &&
+ type != dns_rdatatype_cdnskey) {
bool warn = false, deleted = false;
if (delsig_ok(&rrsig, keys, nkeys, &warn)) {
result = update_one_rr(db, ver, zonediff->diff,
}
/*
- * RRSIG(DNSKEY) requires special processing.
+ * KSK RRSIGs requires special processing.
*/
found = false;
for (i = 0; i < nkeys; i++) {
rrsig.keyid == dst_key_id(keys[i])) {
found = true;
/*
- * Mark offline RRSIG(DNSKEY).
+ * Mark offline DNSKEY.
* We want the earliest offline expire time
* iff there is a new offline signature.
*/
return (result);
}
+
+/*
+ * See if dns__zone_updatesigs() will update signature for RRset 'rrtype' at
+ * the apex, and if not tickle them and cause to sign so that newly activated
+ * keys are used.
+ */
+static isc_result_t
+tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff,
+ dns__zonediff_t *zonediff, dst_key_t **keys,
+ unsigned int nkeys, isc_stdtime_t inception,
+ isc_stdtime_t keyexpire, bool check_ksk, bool keyset_kskonly)
+{
+ dns_difftuple_t *tuple;
+ isc_result_t result;
+
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link))
+ {
+ if (tuple->rdata.type == rrtype &&
+ dns_name_equal(&tuple->name, &zone->origin))
+ {
+ break;
+ }
+ }
+
+ if (tuple == NULL) {
+ result = del_sigs(zone, db, ver, &zone->origin, rrtype,
+ zonediff, keys, nkeys, now, false);
+ if (result != ISC_R_SUCCESS) {
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:del_sigs -> %s",
+ dns_result_totext(result));
+ return (result);
+ }
+ result = add_sigs(db, ver, &zone->origin, zone, rrtype,
+ zonediff->diff, keys, nkeys, zone->mctx,
+ inception, keyexpire, check_ksk,
+ keyset_kskonly);
+ if (result != ISC_R_SUCCESS) {
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:add_sigs -> %s",
+ dns_result_totext(result));
+ return (result);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
static isc_result_t
sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff)
bool check_ksk, keyset_kskonly;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
unsigned int nkeys = 0, i;
- dns_difftuple_t *tuple;
result = dns__zone_findkeys(zone, db, ver, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
/*
- * See if dns__zone_updatesigs() will update DNSKEY signature and if
- * not cause them to sign so that newly activated keys are used.
+ * See if dns__zone_updatesigs() will update DNSKEY/CDS/CDNSKEY
+ * signature and if not cause them to sign so that newly activated
+ * keys are used.
*/
- for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link))
- {
- if (tuple->rdata.type == dns_rdatatype_dnskey &&
- dns_name_equal(&tuple->name, &zone->origin))
- {
- break;
- }
+ result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now,
+ diff, zonediff, zone_keys, nkeys, inception,
+ keyexpire, check_ksk, keyset_kskonly);
+ if (result != ISC_R_SUCCESS) {
+ goto failure;
}
-
- if (tuple == NULL) {
- result = del_sigs(zone, db, ver, &zone->origin,
- dns_rdatatype_dnskey, zonediff,
- zone_keys, nkeys, now, false);
- if (result != ISC_R_SUCCESS) {
- dnssec_log(zone, ISC_LOG_ERROR,
- "sign_apex:del_sigs -> %s",
- dns_result_totext(result));
- goto failure;
- }
- result = add_sigs(db, ver, &zone->origin, zone,
- dns_rdatatype_dnskey, zonediff->diff,
- zone_keys, nkeys, zone->mctx, inception,
- keyexpire, check_ksk, keyset_kskonly);
- if (result != ISC_R_SUCCESS) {
- dnssec_log(zone, ISC_LOG_ERROR,
- "sign_apex:add_sigs -> %s",
- dns_result_totext(result));
- goto failure;
- }
+ result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now,
+ diff, zonediff, zone_keys, nkeys, inception,
+ keyexpire, check_ksk, keyset_kskonly);
+ if (result != ISC_R_SUCCESS) {
+ goto failure;
+ }
+ result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now,
+ diff, zonediff, zone_keys, nkeys, inception,
+ keyexpire, check_ksk, keyset_kskonly);
+ if (result != ISC_R_SUCCESS) {
+ goto failure;
}
result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
}
if (kasp && (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) {
+ ttl = dns_kasp_dnskeyttl(kasp);
+
result = dns_keymgr_run(&zone->origin, zone->rdclass, dir,
mctx, &keys, kasp, now, &nexttime);
if (result != ISC_R_SUCCESS) {
projects / thirdparty / bind9.git / commitdiff
