add more key maintenance event logging
authorEvan Hunt <each@isc.org>
Mon, 21 Jan 2019 04:05:58 +0000 (20:05 -0800)
committerEvan Hunt <each@isc.org>
Thu, 31 Jan 2019 20:18:55 +0000 (12:18 -0800)
log when a key is:
- published in the DNSKEY rrset
- activated
- deactivated
- unpublished from the DNSKEY rrset
- revoked

lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h

index 6dd7a9e37fce6468a5a3225338e04468e8322fa2..437778460bc90f7c8e9be8f711cdc8709fd6b782 100644 (file)
@@ -1826,7 +1826,7 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
        dst_key_format(key->key, keystr, sizeof(keystr));
 
        report("Fetching %s (%s) from key %s.",
-              keystr, key->ksk ?  (allzsk ?  "KSK/ZSK" : "KSK") : "ZSK",
+              keystr, key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
               key->source == dns_keysource_user ?  "file" : "repository");
 
        if (key->prepublish && ttl > key->prepublish) {
@@ -2089,6 +2089,8 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
         */
        for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
                bool key_revoked = false;
+               char keystr1[DST_KEY_FORMATSIZE];
+               char keystr2[DST_KEY_FORMATSIZE];
 
                next = ISC_LIST_NEXT(key1, link);
 
@@ -2114,6 +2116,9 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                        }
                }
 
+               /* Printable version of key1 (the newly aquired key) */
+               dst_key_format(key1->key, keystr1, sizeof(keystr1));
+
                /* No match found in keys; add the new key. */
                if (key2 == NULL) {
                        ISC_LIST_UNLINK(*newkeys, key1, link);
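Review bot: The new comment on the dst_key_format line misspells "acquired"; since this comment is the only place that explains why keystr1 is formatted before the key2 == NULL test, it is worth getting right: `/* Printable version of key1 (the newly acquired key) */`. It would also help a reader to say here that keystr1 is formatted unconditionally because both the publish path below and the match path later in the loop log with it. The enclosing loop body of dns_dnssec_updatekeys starts and ends outside this hunk.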
@@ -2124,21 +2129,49 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                        {
                                RETERR(publish_key(diff, key1, origin, ttl,
                                                   mctx, allzsk, report));
+                               isc_log_write(dns_lctx,
+                                             DNS_LOGCATEGORY_DNSSEC,
+                                             DNS_LOGMODULE_DNSSEC,
+                                             ISC_LOG_INFO,
+                                             "DNSKEY %s (%s) is now published",
+                                             keystr1, key1->ksk ?
+                                             (allzsk ? "KSK/ZSK" : "KSK") :
+                                             "ZSK");
                                if (key1->hint_sign || key1->force_sign) {
                                        key1->first_sign = true;
+                                       isc_log_write(dns_lctx,
+                                                     DNS_LOGCATEGORY_DNSSEC,
+                                                     DNS_LOGMODULE_DNSSEC,
+                                                     ISC_LOG_INFO,
+                                                     "DNSKEY %s (%s) is now "
+                                                     "active",
+                                                     keystr1, key1->ksk ?
+                                                     (allzsk ? "KSK/ZSK" :
+                                                      "KSK") : "ZSK");
                                }
                        }
 
                        continue;
                }
 
+               /* Printable version of key2 (the old key, if any) */
+               dst_key_format(key2->key, keystr2, sizeof(keystr2));
+
                /* Match found: remove or update it as needed */
                if (key1->hint_remove) {
                        RETERR(remove_key(diff, key2, origin, ttl, mctx,
                                          "expired", report));
                        ISC_LIST_UNLINK(*keys, key2, link);
+
                        if (removed != NULL) {
                                ISC_LIST_APPEND(*removed, key2, link);
+                               isc_log_write(dns_lctx,
+                                             DNS_LOGCATEGORY_DNSSEC,
+                                             DNS_LOGMODULE_DNSSEC,
+                                             ISC_LOG_INFO,
+                                             "DNSKEY %s (%s) is now deleted",
+                                             keystr2, key2->ksk ? (allzsk ?
+                                             "KSK/ZSK" : "KSK") : "ZSK");
                        } else {
                                dns_dnsseckey_destroy(mctx, &key2);
                        }
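Review bot: The "DNSKEY %s (%s) is now deleted" log on the added lines is nested inside `if (removed != NULL)`, so a caller that passes removed == NULL still has the key unlinked and destroyed but gets no log line, which defeats the stated goal of logging every unpublish; the "is now revoked" message added in the next hunk (the ISC_LIST_APPEND(*removed, ...) branch there) has the same gating. Whether the caller wants the removed key handed back is unrelated to whether the DNSKEY was removed, so the isc_log_write belongs directly after `ISC_LIST_UNLINK(*keys, key2, link);` and before the branch, which also keeps keystr2 and key2->ksk read before dns_dnsseckey_destroy() frees key2. The loop body continues past the end of this hunk.
```c
			ISC_LIST_UNLINK(*keys, key2, link);
			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
				      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
				      "DNSKEY %s (%s) is now deleted",
				      keystr2, key2->ksk ?
				      (allzsk ? "KSK/ZSK" : "KSK") : "ZSK");
			if (removed != NULL) {
				ISC_LIST_APPEND(*removed, key2, link);
			} else {
				dns_dnsseckey_destroy(mctx, &key2);
			}
```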
@@ -2156,6 +2189,15 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                        ISC_LIST_UNLINK(*keys, key2, link);
                        if (removed != NULL) {
                                ISC_LIST_APPEND(*removed, key2, link);
+                               isc_log_write(dns_lctx,
+                                             DNS_LOGCATEGORY_DNSSEC,
+                                             DNS_LOGMODULE_DNSSEC,
+                                             ISC_LOG_INFO,
+                                             "DNSKEY %s (%s) is now revoked; "
+                                             "new ID is %05d",
+                                             keystr2, key2->ksk ? (allzsk ?
+                                             "KSK/ZSK" : "KSK") : "ZSK",
+                                             dst_key_id(key1->key));
                        } else {
                                dns_dnsseckey_destroy(mctx, &key2);
                        }
@@ -2180,7 +2222,25 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                            (key1->hint_sign || key1->force_sign))
                        {
                                key2->first_sign = true;
+                               isc_log_write(dns_lctx,
+                                             DNS_LOGCATEGORY_DNSSEC,
+                                             DNS_LOGMODULE_DNSSEC,
+                                             ISC_LOG_INFO,
+                                             "DNSKEY %s (%s) is now active",
+                                             keystr1, key1->ksk ? (allzsk ?
+                                             "KSK/ZSK" : "KSK") : "ZSK");
+                       } else if (key2->is_active &&
+                                  !key1->hint_sign && !key1->force_sign)
+                       {
+                               isc_log_write(dns_lctx,
+                                             DNS_LOGCATEGORY_DNSSEC,
+                                             DNS_LOGMODULE_DNSSEC,
+                                             ISC_LOG_INFO,
+                                             "DNSKEY %s (%s) is now inactive",
+                                             keystr1, key1->ksk ? (allzsk ?
+                                             "KSK/ZSK" : "KSK") : "ZSK");
                        }
+
                        key2->hint_sign = key1->hint_sign;
                        key2->hint_publish = key1->hint_publish;
                }
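Review bot: The ternary `key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK"` is now spelled out five times across the added isc_log_write calls in this function (and once more in publish_key), each wrapped differently, which is hard to keep consistent; a small file-scope helper such as `static const char *keytype_str(const dns_dnsseckey_t *k, bool allzsk) { return k->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK"; }` would let every call site read `keytype_str(key1, allzsk)`. The new active/inactive messages here format keystr1 while the deleted/revoked messages use keystr2; the two refer to the same matched key, but picking one for all key2-state messages would make the log lines easier to correlate. The "is now inactive" branch keys off key2->is_active, and nothing in this hunk clears that flag, so if it is not refreshed elsewhere the message would presumably repeat on every update pass — worth confirming against the code that sets is_active, which is outside this hunk.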
index e60375e039c9fdb5b5fccfc53cde5a6a197a05f9..a03b3e3af50b9969271ffb2a0d403d149cd384f1 100644 (file)
@@ -49,22 +49,22 @@ typedef enum {
  */
 struct dns_dnsseckey {
        dst_key_t *key;
-       bool hint_publish;  /*% metadata says to publish */
-       bool force_publish; /*% publish regardless of metadata */
-       bool hint_sign;     /*% metadata says to sign with this key */
-       bool force_sign;    /*% sign with key regardless of metadata */
-       bool hint_remove;   /*% metadata says *don't* publish */
-       bool is_active;     /*% key is already active */
-       bool first_sign;    /*% key is newly becoming active */
-       unsigned int prepublish;     /*% how long until active? */
-       dns_keysource_t source;      /*% how the key was found */
-       bool ksk;           /*% this is a key-signing key */
-       bool legacy;        /*% this is old-style key with no
-                                        metadata (possibly generated by
-                                        an older version of BIND9) and
-                                        should be ignored when searching
-                                        for keys to import into the zone */
-       unsigned int index;          /*% position in list */
+       bool hint_publish;        /*% metadata says to publish */
+       bool force_publish;       /*% publish regardless of metadata */
+       bool hint_sign;           /*% metadata says to sign with this key */
+       bool force_sign;          /*% sign with key regardless of metadata */
+       bool hint_remove;         /*% metadata says *don't* publish */
+       bool is_active;           /*% key is already active */
+       bool first_sign;          /*% key is newly becoming active */
+       unsigned int prepublish;  /*% how long until active? */
+       dns_keysource_t source;   /*% how the key was found */
+       bool ksk;                 /*% this is a key-signing key */
+       bool legacy;              /*% this is old-style key with no
+                                     metadata (possibly generated by
+                                     an older version of BIND9) and
+                                     should be ignored when searching
+                                     for keys to import into the zone */
+       unsigned int index;       /*% position in list */
        ISC_LINK(dns_dnsseckey_t) link;
 };