key management enabled. Note that complete key rollover consists of several steps
and the blocking mode relates to the initial one only! (#)
-**zone-ksk-submitted** *zone*...
+**zone-ksk-submitted** *zone*... [**+ttl** *seconds*]
Use when the zone's KSK rollover is in submission phase. By calling this command
the user confirms manually that the parent zone contains DS record for the new
- KSK in submission phase and the old KSK can be retired. (#)
+ KSK in submission phase and the old KSK can be retired. The optional **+ttl**
+ parameter specifies the parent DS's TTL and possibly other delays, with the
+ effect that the removal of old KSK is postponed by this amount of seconds. (#)
**zone-freeze** [*zone*...]
Trigger a zone freeze. All running events will be finished and all new and pending
* `zone-validate([ZONE], [FLAGS="B"])`
* `zone-keys-load([ZONE], [FLAGS="B"])`
* `zone-key-rollover([ZONE], TYPE="ksk"|"zsk", [FLAGS="B"])`
-* `zone-ksk-submitted([ZONE], [FLAGS="B"])`
+* `zone-ksk-submitted([ZONE], [FILTERS="t", DATA], [FLAGS="B"])`
+ + the **t**tl filter commands that removal of old KSK is postponed by the amount of seconds
+ stored in the `DATA` section
* `zone-freeze([ZONE], [FLAGS="B"])`
* `zone-thaw([ZONE], [FLAGS="B"])`
* `zone-xfr-freeze([ZONE], [FLAGS="B"])`
{
kdnssec_ctx_t ctx = { 0 };
- int ret = kdnssec_ctx_init(conf(), &ctx, zone->name, zone_kaspdb(zone), NULL);
+ int ret = KNOT_EOK;
+
+ uint32_t ds_ttl = 0;
+ const char *ds_ttl_s = args->data[KNOT_CTL_IDX_DATA];
+ if (MATCH_AND_FILTER(args, CTL_FILTER_KSK_SBM_TTL) && ds_ttl_s != NULL) {
+ ret = str_to_u32(ds_ttl_s, &ds_ttl);
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+ }
+
+ ret = kdnssec_ctx_init(conf(), &ctx, zone->name, zone_kaspdb(zone), NULL);
if (ret != KNOT_EOK) {
return ret;
}
- ret = knot_dnssec_ksk_sbm_confirm(&ctx, 0);
+ ret = knot_dnssec_ksk_sbm_confirm(&ctx, ds_ttl);
kdnssec_ctx_deinit(&ctx);
conf_val_t val = conf_zone_get(conf(), C_DNSSEC_SIGNING, zone->name);
#define CTL_FILTER_FLUSH_OUTDIR "d"
+#define CTL_FILTER_KSK_SBM_TTL "t"
+
#define CTL_FILTER_STATUS_LOADING "l"
#define CTL_FILTER_STATUS_ROLE "r"
{ NULL },
};
+const filter_desc_t zone_ksk_sbm_filters[] = {
+ { "+ttl", CTL_FILTER_KSK_SBM_TTL, true },
+ { NULL },
+};
+
const filter_desc_t zone_backup_filters[] = {
{ "+backupdir", CTL_FILTER_BACKUP_OUTDIR, true }, // This must be the first.
{ "+zonefile", CTL_FILTER_BACKUP_ZONEFILE, false },
case CTL_ZONE_FLUSH:
fd = zone_flush_filters;
break;
+ case CTL_ZONE_KSK_SBM:
+ fd = zone_ksk_sbm_filters;
+ break;
case CTL_ZONE_BACKUP:
case CTL_ZONE_RESTORE:
fd = zone_backup_filters;
projects / thirdparty / knot-dns.git / commitdiff
