From: Vladimír Čunát
Date: Mon, 6 Feb 2017 14:48:58 +0000 (+0100)
Subject: trust anchors: nitpicks
X-Git-Tag: v1.3.0~23^2~83^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d24cd449a2a8c8596e84be092d757781580e983b;p=thirdparty%2Fknot-resolver.git
trust anchors: nitpicks
- Remove abstraction of the refresh callback, as we always use the same function. This way the code is significantly easier to understand.
- Add a couple more comments.
---
diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in
index 3eb6da5c2..89a0e198d 100644
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -79,14 +79,14 @@ local function ta_find(keyset, rr)
local dnskey_tag = C.kr_dnssec_key_tag(ta.type, ta.rdata, #ta.rdata) if ds_tag == dnskey_tag then return ta - end + end end end end return nil end --- Evaluate TA status according to RFC5011 +-- Evaluate TA status of a RR according to RFC5011 local function ta_present(keyset, rr, hold_down_time, force) if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_ksk(rr.rdata) then return false -- Ignore
@@ -106,7 +106,7 @@ local function ta_present(keyset, rr, hold_down_time, force)
if ta.state == key_state.Valid or ta.state == key_state.Missing then if key_revoked then ta.state = key_state.Revoked - ta.timer = os.time() + hold_down_time + ta.timer = now + hold_down_time end end -- Remove hold-down timer expires (RemTime)
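Review bot: The Revoked branch in the second hunk now sets `ta.timer = now + hold_down_time`, but `now` is defined nowhere in the hunk and the rest of ta_present is outside it; presumably it is a `local now = os.time()` taken once at function entry, which is the right basis for RFC 5011 timer arithmetic, but if it were a module-level value captured at load time every revocation timer would be computed from a stale timestamp. Worth confirming that `now` is a per-call local, and a short why-comment on the assignment, `ta.timer = now + hold_down_time -- same instant as the other timers set in this call`, would make the intent visible to the next reader. ta_present starts and ends outside the hunk.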
@@ -164,18 +164,19 @@ local function ta_missing(ta, hold_down_time)
return keep_ta end --- Plan refresh event and re-schedule itself based on the result of the callback -local function refresh_plan(trust_anchors, timeout, refresh_cb, priming, bootstrap) +local active_refresh -- forward +-- Plan an event for refreshing the root DNSKEYs and re-scheduling itself +local function refresh_plan(trust_anchors, timeout, priming, bootstrap) trust_anchors.refresh_ev = event.after(timeout, function (ev) resolve('.', kres.type.DNSKEY, kres.class.IN, kres.query.NO_CACHE, function (pkt) -- Schedule itself with updated timeout - local next_time = refresh_cb(trust_anchors, kres.pkt_t(pkt), bootstrap) + local next_time = active_refresh(trust_anchors, kres.pkt_t(pkt), bootstrap) if trust_anchors.refresh_time ~= nil then next_time = trust_anchors.refresh_time end print('[ ta ] next refresh in ' .. next_time/hour .. ' hours') - refresh_plan(trust_anchors, next_time, refresh_cb) + refresh_plan(trust_anchors, next_time) -- Priming query, prime root NS next if priming ~= nil then resolve('.', kres.type.NS, kres.class.IN)
@@ -184,8 +185,8 @@ local function refresh_plan(trust_anchors, timeout, refresh_cb, priming, bootstr
end) end --- Active refresh, return time of the next check -local function active_refresh(trust_anchors, pkt, bootstrap) +-- Refresh the root DNSKEYs from the packet, and return time to the next check. +active_refresh = function (trust_anchors, pkt, bootstrap) local retry = true if pkt:rcode() == kres.rcode.NOERROR then local records = pkt:section(kres.section.ANSWER)
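Review bot: `active_refresh = function (trust_anchors, pkt, bootstrap)` in the second hunk only works because of the `local active_refresh -- forward` line added in the first hunk; without it the assignment would create a global, and if someone later "fixes" this line back to `local function active_refresh` it would define a fresh variable and leave the upvalue captured by refresh_plan's closure as nil, so the first scheduled refresh would fail with a call on nil. A comment at the assignment would protect the pattern: `-- Assigned, not declared: refresh_plan above captures the forward-declared local.` In the first hunk, the re-scheduling call `refresh_plan(trust_anchors, next_time)` deliberately drops `priming` and `bootstrap` so later refreshes neither re-prime nor re-bootstrap; that reads as intended, but a one-line comment saying so would spare the next reader from checking. Both function bodies continue outside the hunks.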
@@ -231,7 +232,9 @@ local trust_anchors = {
keep_removed = 0, bootstrap_url = 'https://data.iana.org/root-anchors/root-anchors.xml', bootstrap_ca = '@ETCDIR@/icann-ca.pem', - -- Update existing keyset + + -- Update existing keyset; return true if successful. + -- Param `initial` (bool): force .NewKey states to .Valid, i.e. init empty keyset. update = function (new_keys, initial) if not new_keys then return false end -- Filter TAs to be purged from the keyset (KeyRem)
@@ -292,7 +295,7 @@ local trust_anchors = {
trustanchor(rr) -- Fetch DNSKEY immediately trust_anchors.file_current = path - refresh_plan(trust_anchors, 0, active_refresh, true, true) + refresh_plan(trust_anchors, 0, true, true) return elseif path == trust_anchors.file_current then return
@@ -307,7 +310,7 @@ local trust_anchors = {
end trust_anchors.keyset = {} if trust_anchors.update(new_keys, true) then - refresh_plan(trust_anchors, 10 * sec, active_refresh, true, false) + refresh_plan(trust_anchors, 10 * sec, true, false) end end, -- Add DS/DNSKEY record(s) (unmanaged)
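Review bot: The new comment on `update` in the first hunk says `initial` forces .NewKey states to .Valid but not what that costs: if .NewKey is the RFC 5011 add-hold-down state, as the hold_down_time handling elsewhere in this file suggests, then `initial = true` trusts every supplied key immediately, so it is only safe when the keyset is known to be empty. The one visible caller (the hunk at -307) does exactly that, `trust_anchors.keyset = {}` right before `trust_anchors.update(new_keys, true)`, and I would make that constraint explicit in the comment, e.g. `-- Param `initial` (bool): treat the keys as an already-trusted initial set (.NewKey -> .Valid, no hold-down); only valid on an empty keyset.` The return-value line could also note that a nil `new_keys` returns false without touching the keyset, which the first body line shows. update's body continues outside the hunk.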