keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
dns_dnsseckeylist_t *keyring, dns_dnsseckeylist_t *newkeys,
const dns_name_t *origin, dns_rdataclass_t rdclass,
- dns_kasp_t *kasp, uint32_t lifetime, isc_stdtime_t now,
- isc_stdtime_t *nexttime, isc_mem_t *mctx) {
+ dns_kasp_t *kasp, uint32_t lifetime, bool rollover,
+ isc_stdtime_t now, isc_stdtime_t *nexttime,
+ isc_mem_t *mctx) {
char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t retire = 0, active = 0, prepub = 0;
dns_dnsseckey_t *new_key = NULL;
/* It is time to do key rollover, we need a new key. */
+ /*
+ * If rollover is not allowed, warn.
+ */
+ if (!rollover) {
+ dst_key_format(active_key->key, keystr, sizeof(keystr));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+ "keymgr: DNSKEY %s (%s) is offline in policy %s, "
+ "cannot start rollover",
+ keystr, keymgr_keyrole(active_key->key),
+ dns_kasp_getname(kasp));
+ return (ISC_R_SUCCESS);
+ }
+
/*
* Check if there is a key available in pool because keys
* may have been pregenerated with dnssec-keygen.
isc_result_t
dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
const char *directory, isc_mem_t *mctx,
- dns_dnsseckeylist_t *keyring, dns_kasp_t *kasp,
- isc_stdtime_t now, isc_stdtime_t *nexttime) {
+ dns_dnsseckeylist_t *keyring, dns_dnsseckeylist_t *dnskeys,
+ dns_kasp_t *kasp, isc_stdtime_t now, isc_stdtime_t *nexttime) {
isc_result_t result = ISC_R_SUCCESS;
dns_dnsseckeylist_t newkeys;
dns_kasp_key_t *kkey;
dst_key_format(dkey->key, keystr, sizeof(keystr));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
- "keymgr: keyring: dnskey %s (policy %s)",
- keystr, dns_kasp_getname(kasp));
+ "keymgr: keyring: %s (policy %s)", keystr,
+ dns_kasp_getname(kasp));
+ }
+ for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*dnskeys);
+ dkey != NULL; dkey = ISC_LIST_NEXT(dkey, link))
+ {
+ dst_key_format(dkey->key, keystr, sizeof(keystr));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+ "keymgr: dnskeys: %s (policy %s)", keystr,
+ dns_kasp_getname(kasp));
}
}
{
uint32_t lifetime = dns_kasp_key_lifetime(kkey);
dns_dnsseckey_t *active_key = NULL;
+ bool rollover_allowed = true;
/* Do we have keys available for this kasp key? */
for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring);
}
}
+ if (active_key == NULL) {
+ /*
+ * We didn't found an active key, perhaps the .private
+ * key file is offline. If so, we don't want to create
+ * a successor key. Check if we have an appropriate
+ * state file.
+ */
+ for (dns_dnsseckey_t *dnskey = ISC_LIST_HEAD(*dnskeys);
+ dnskey != NULL;
+ dnskey = ISC_LIST_NEXT(dnskey, link))
+ {
+ if (keymgr_dnsseckey_kaspkey_match(dnskey,
+ kkey)) {
+ /* Found a match. */
+ dst_key_format(dnskey->key, keystr,
+ sizeof(keystr));
+ isc_log_write(
+ dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_DEBUG(1),
+ "keymgr: DNSKEY %s (%s) "
+ "offline, policy %s",
+ keystr,
+ keymgr_keyrole(dnskey->key),
+ dns_kasp_getname(kasp));
+ rollover_allowed = false;
+ active_key = dnskey;
+ break;
+ }
+ }
+ }
+
/* See if this key requires a rollover. */
- RETERR(keymgr_key_rollover(kkey, active_key, keyring, &newkeys,
- origin, rdclass, kasp, lifetime, now,
- nexttime, mctx));
+ RETERR(keymgr_key_rollover(
+ kkey, active_key, keyring, &newkeys, origin, rdclass,
+ kasp, lifetime, rollover_allowed, now, nexttime, mctx));
}
/* Walked all kasp key configurations. Append new keys. */
projects / thirdparty / bind9.git / commitdiff
