From: Marek Vavrusa Date: Tue, 5 Apr 2016 22:18:20 +0000 (-0700) Subject: trust_anchors: added custom timers, limit history X-Git-Tag: v1.0.0~49^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e7591f0ddeff87aadc38125278faa0adf741982;p=thirdparty%2Fknot-resolver.git trust_anchors: added custom timers, limit history new trust anchors variables: * trust_anchors.hold_down_time = 30 * day * trust_anchors.refresh_time = nil * trust_anchors.keep_removed = 0 these could be used to control how often should root trust anchors be checked and how many removed keys should be kept in log (0 by default) ---
diff --git a/daemon/README.rst b/daemon/README.rst
index a802e4d83..815b243f9 100644
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -506,6 +506,27 @@ For when listening on ``localhost`` just doesn't cut it.
 Trust anchors and DNSSEC
 ^^^^^^^^^^^^^^^^^^^^^^^^
+.. envvar:: trust_anchors.hold_down_time = 30 * day
+
+ :return: int (default: 30 * day)
+
+ Modify RFC5011 hold-down timer to given value. Example: ``30 * second``
+
+.. envvar:: trust_anchors.refresh_time = nil
+
+ :return: int (default: nil)
+
+ Modify RFC5011 refresh timer to given value (not set by default), this will force trust anchors
+ to be updated every N seconds periodically instead of relying on RFC5011 logic and TTLs.
+ Example: ``10 * second``
+
+.. envvar:: trust_anchors.keep_removed = 0
+
+ :return: int (default: 1)
+
+ How many ``Removed`` keys should be held in history (and key file) before being purged.
+ Note: all ``Removed`` keys will be purged from key file after restarting the process.
+
 .. function:: trust_anchors.config(keyfile)
 :param string keyfile: File containing DNSKEY records, should be writeable.
diff --git a/daemon/lua/trust_anchors.lua b/daemon/lua/trust_anchors.lua
index 13ec05255..0e249c8a3 100644
--- a/daemon/lua/trust_anchors.lua
+++ b/daemon/lua/trust_anchors.lua
@@ -185,7 +185,7 @@ local function refresh_plan(trust_anchors, timeout, refresh_cb, priming, bootstr
 -- Schedule itself with updated timeout
 local next_time = refresh_cb(trust_anchors, kres.pkt_t(pkt), bootstrap)
 if trust_anchors.refresh_time ~= nil then
- next_time = math.min(next_time, trust_anchors.refresh_time)
+ next_time = trust_anchors.refresh_time
 end
 print('[ ta ] next refresh: '..next_time)
 refresh_plan(trust_anchors, next_time, refresh_cb)
@@ -239,17 +239,27 @@ local trust_anchors = {
 keyset = {},
 insecure = {},
 hold_down_time = 30 * day,
+ keep_removed = 0,
 -- Update existing keyset
 update = function (new_keys, initial)
 if not new_keys then return false end
 -- Filter TAs to be purged from the keyset (KeyRem)
 local hold_down = trust_anchors.hold_down_time / 1000
 local keyset = {}
+ local keep_removed = trust_anchors.keep_removed
 for i, ta in ipairs(trust_anchors.keyset) do
 local keep = true
 if not ta_find(new_keys, ta) then
 keep = ta_missing(ta, hold_down)
 end
+ -- Purge removed keys
+ if ta.state == key_state.Removed then
+ if keep_removed > 0 then
+ keep_removed = keep_removed - 1
+ else
+ keep = false
+ end
+ end
 if keep then
 table.insert(keyset, ta)
 end
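Review bot: The added `next_time = trust_anchors.refresh_time` discards the interval refresh_cb computed from RFC 5011 state and TTLs entirely, so a refresh_time larger than that value postpones the next key check beyond what the hold-down/TTL schedule called for, whereas the removed `math.min` could only ever shorten it. The README text in this commit says the override is deliberate, but nothing in the hunk validates the configured value or tells the operator when it is longer than the computed schedule, and a revoked or newly added anchor would then be noticed later than RFC 5011 expects. A cheap guard before the assignment: `if trust_anchors.refresh_time > next_time then print('[ ta ] warning: refresh_time exceeds computed interval '..next_time) end`. The enclosing callback starts and ends outside the hunk.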
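Review bot: `keep_removed > 0` in the new purge branch raises a comparison error when `trust_anchors.keep_removed` has been set to nil (the same pattern this commit's README uses for refresh_time), which would abort update() and with it the trust-anchor refresh; `local keep_removed = trust_anchors.keep_removed or 0` avoids that. The budget is also spent on Removed keys in keyset order, which, if that order is insertion order as the `table.insert(keyset, ta)` below suggests, retains the oldest removed keys and purges the most recently removed ones first; if the intent is a history of recent removals, count the Removed entries first and skip only the leading excess. The README added by this commit also documents keep_removed's default as 1 while the table initialises it to 0.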