From 5d2ef1f925fd246e8e6a0ffcb7a5f558f485c070 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Wed, 13 Oct 2010 12:04:37 +0000
Subject: [PATCH] - unbound-anchor handles ADDPEND keystate.

git-svn-id: file:///svn/unbound/trunk@2281 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 1 +
 smallapp/unbound-anchor.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/doc/Changelog b/doc/Changelog
index 5b57f3351..d19a03e67 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 13 October 2010: Wouter
 - Fix TCP so it uses a random outgoing-interface.
+ - unbound-anchor handles ADDPEND keystate.
 
 11 October 2010: Wouter
 - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index eae63efbc..25e2d72c9 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -1878,6 +1878,28 @@ prime_root_key(struct ub_ctx* ctx)
 return res;
 }
 
+/** see if ADDPEND keys exist in autotrust file (if possible) */
+static int
+read_if_pending_keys(char* file)
+{
+ FILE* in = fopen(file, "r");
+ char line[8192];
+ if(!in) {
+ if(verb>=2) printf("%s: %s\n", file, strerror(errno));
+ return 0;
+ }
+ while(fgets(line, (int)sizeof(line), in)) {
+ if(line[0]==';') continue;
+ if(strstr(line, "[ ADDPEND ]")) {
+ fclose(in);
+ if(verb) printf("RFC5011-state has ADDPEND keys\n");
+ return 1;
+ }
+ }
+ fclose(in);
+ return 0;
+}
+
 /** read last successful probe time from autotrust file (if possible) */
 static int32_t
 read_last_success_time(char* file)
@@ -1919,6 +1941,7 @@ read_last_success_time(char* file)
 static int
 probe_date_allows_certupdate(char* root_anchor_file)
 {
+ int has_pending_keys = read_if_pending_keys(root_anchor_file);
 int32_t last_success = read_last_success_time(root_anchor_file);
 int32_t now = (int32_t)time(NULL);
 int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */
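Review bot: The comment skip at `if(line[0]==';') continue;` in read_if_pending_keys() only inspects the first 8191 bytes of a line: fgets() hands back an over-long line in pieces, so a later piece of a `;` comment line is scanned as if it were a key line, and a `[ ADDPEND ]` marker that straddles the split is missed. The anchor file is presumably written by unbound's own autotrust code one record per line, so this is unlikely in practice, but the loop should either drain to the newline after a comment prefix or state that assumption in a comment. The doc comment should also give the result contract: `/** see if ADDPEND keys exist in autotrust file (if possible). @param file: autotrust anchor file. @return 1 if a key line carries the ADDPEND state, 0 if none or the file cannot be read. */`. The drain variant of the loop would be:
```c
	while(fgets(line, (int)sizeof(line), in)) {
		if(line[0]==';') {
			/* skip the rest of an over-long comment line */
			while(!strchr(line, '\n')
				&& fgets(line, (int)sizeof(line), in))
				;
			continue;
		}
		/* … unchanged: strstr() check, fclose(), early return … */
	}
```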
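Review bot: `int has_pending_keys = read_if_pending_keys(root_anchor_file);` runs at the top of probe_date_allows_certupdate() although its value is only consulted after the `last_success == 0` early return in the following hunk, so the anchor file is opened and scanned a second time (read_last_success_time() reads it just below) even on runs that never use the answer. Keeping the declaration but initialising it to 0 and assigning `has_pending_keys = read_if_pending_keys(root_anchor_file);` just before the `if(has_pending_keys)` check confines the extra read, and its verbose log line, to the path that needs it. The body of probe_date_allows_certupdate() continues past the end of this hunk.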
@@ -1931,6 +1954,13 @@ probe_date_allows_certupdate(char* root_anchor_file)
 }
 if(last_success == 0)
 return 1; /* no probe time */
+ if(has_pending_keys)
+ return 1; /* key in ADDPEND state, a previous probe has
+ inserted that, and it was present in all recent probes,
+ but it has not become active. The 30 day timer may not have
+ expired, but we know(for sure) there is a rollover going on.
+ If we only managed to pickup the new key on its last day
+ of announcement (for example) this can happen. */
 if(now - last_success < 0) {
 if(verb) printf("the last successful probe is in the future,"
 " clock was modified\n");
-- 
2.47.2
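Review bot: The short-circuit `if(has_pending_keys) return 1;` is true for the entire hold-down of any ordinary rollover, not only when the probe schedule is in trouble: ADDPEND is the normal state of a freshly seen key for its first 30 days, so, if I read the caller correctly (it is outside this hunk), a single failed probe inside that window now permits the certificate-based update at once instead of after the 30-day leeway the rest of this function enforces. That makes the HTTPS/PKI fallback path the first resort rather than the last during every rollover; the comment shows the trade-off is deliberate, so it should be stated in the doc comment of probe_date_allows_certupdate(), which starts before this hunk, e.g. `/** ... also returns 1 while a key is in ADDPEND, so a failed probe during a rollover falls back to the certificate update immediately. */`. As a point of style, the seven-line explanation trails `return 1;` as a block comment; placing it above the `if` and keeping the trailing form for one-liners like `/* no probe time */` reads more cleanly.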