local dnskey_tag = C.kr_dnssec_key_tag(ta.type, ta.rdata, #ta.rdata)
if ds_tag == dnskey_tag then
return ta
- end
+ end
end
end
end
return nil
end
--- Evaluate TA status according to RFC5011
+-- Evaluate TA status of a RR according to RFC5011
local function ta_present(keyset, rr, hold_down_time, force)
if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_ksk(rr.rdata) then
return false -- Ignore
if ta.state == key_state.Valid or ta.state == key_state.Missing then
if key_revoked then
ta.state = key_state.Revoked
- ta.timer = os.time() + hold_down_time
+ ta.timer = now + hold_down_time
end
end
-- Remove hold-down timer expires (RemTime)
return keep_ta
end
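Review bot: The revocation timer now reads `now` instead of calling `os.time()`, but nothing in the hunk defines `now`, and the `ta_present` signature visible above takes only `(keyset, rr, hold_down_time, force)`; if `now` is not a local captured earlier in the function it resolves to a nil global and `now + hold_down_time` raises. Presumably it is a single `local now = os.time()` taken at function entry so that every RFC 5011 timer in the function is judged against the same instant; if so, a comment on that line would make the intent explicit, e.g. `-- One timestamp for all state transitions in this call (hold-down and RemTime comparisons).` The body of `ta_present` between the KSK check and the revoked-state branch is outside the hunk.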
--- Plan refresh event and re-schedule itself based on the result of the callback
-local function refresh_plan(trust_anchors, timeout, refresh_cb, priming, bootstrap)
+local active_refresh -- forward
+-- Plan an event for refreshing the root DNSKEYs and re-scheduling itself
+local function refresh_plan(trust_anchors, timeout, priming, bootstrap)
trust_anchors.refresh_ev = event.after(timeout, function (ev)
resolve('.', kres.type.DNSKEY, kres.class.IN, kres.query.NO_CACHE,
function (pkt)
-- Schedule itself with updated timeout
- local next_time = refresh_cb(trust_anchors, kres.pkt_t(pkt), bootstrap)
+ local next_time = active_refresh(trust_anchors, kres.pkt_t(pkt), bootstrap)
if trust_anchors.refresh_time ~= nil then
next_time = trust_anchors.refresh_time
end
print('[ ta ] next refresh in ' .. next_time/hour .. ' hours')
- refresh_plan(trust_anchors, next_time, refresh_cb)
+ refresh_plan(trust_anchors, next_time)
-- Priming query, prime root NS next
if priming ~= nil then
resolve('.', kres.type.NS, kres.class.IN)
end)
end
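Review bot: `trust_anchors.refresh_ev = event.after(...)` overwrites the previous handle without cancelling the event it held, so a second call to `refresh_plan` — both config paths below call it when a TA file is (re)loaded, possibly while an earlier refresh chain is already scheduled — leaves two self-rescheduling chains alive, each issuing its own NO_CACHE root DNSKEY query and applying `active_refresh` to the shared keyset. If the event API offers cancellation, guard the scheduling with `if trust_anchors.refresh_ev ~= nil then event.cancel(trust_anchors.refresh_ev) end` before `event.after`. The reschedule call `refresh_plan(trust_anchors, next_time)` deliberately drops `priming` and `bootstrap`; a one-line comment saying that only the first run primes and bootstraps would save the next reader from treating it as an omission, and the unused `ev` parameter could be `_`.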
--- Active refresh, return time of the next check
-local function active_refresh(trust_anchors, pkt, bootstrap)
+-- Refresh the root DNSKEYs from the packet, and return time to the next check.
+active_refresh = function (trust_anchors, pkt, bootstrap)
local retry = true
if pkt:rcode() == kres.rcode.NOERROR then
local records = pkt:section(kres.section.ANSWER)
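Review bot: The only gate visible before the ANSWER section is harvested is `pkt:rcode() == kres.rcode.NOERROR`; RFC 5011 acceptance of a new key depends on the DNSKEY RRset being validated by a key already in the keyset, and nothing in the hunk records where that guarantee comes from. Presumably the NO_CACHE query runs through the resolver's validator so a bogus answer never arrives here as NOERROR, but that assumption is load-bearing for trust-anchor rollover and should be written down above the `if`: `-- Relies on the validator: a DNSKEY answer that fails DNSSEC validation must not reach here as NOERROR (RFC 5011 requires new keys to be signed by a currently trusted key).` The remainder of `active_refresh`, including how `retry` and `bootstrap` affect the outcome, is outside the hunk.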
keep_removed = 0,
bootstrap_url = 'https://data.iana.org/root-anchors/root-anchors.xml',
bootstrap_ca = '@ETCDIR@/icann-ca.pem',
- -- Update existing keyset
+
+ -- Update existing keyset; return true if successful.
+ -- Param `initial` (bool): force .NewKey states to .Valid, i.e. init empty keyset.
update = function (new_keys, initial)
if not new_keys then return false end
-- Filter TAs to be purged from the keyset (KeyRem)
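Review bot: The new docstring for `update` says `initial` forces `.NewKey` states to `.Valid` but not the consequence: keys passed with `initial = true` appear to become trusted immediately, without the RFC 5011 add hold-down or any signature by an existing anchor, so the flag is only safe for keys from an already-trusted source. The only visible caller passing `true` is the TA-file load path, which fits; make the precondition explicit in the comment, e.g. `-- initial=true bypasses the RFC 5011 add hold-down; only use it for keys read from the configured TA file.` The body of `update` continues outside the hunk.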
trustanchor(rr)
-- Fetch DNSKEY immediately
trust_anchors.file_current = path
- refresh_plan(trust_anchors, 0, active_refresh, true, true)
+ refresh_plan(trust_anchors, 0, true, true)
return
elseif path == trust_anchors.file_current then
return
end
trust_anchors.keyset = {}
if trust_anchors.update(new_keys, true) then
- refresh_plan(trust_anchors, 10 * sec, active_refresh, true, false)
+ refresh_plan(trust_anchors, 10 * sec, true, false)
end
end,
-- Add DS/DNSKEY record(s) (unmanaged)