add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
- isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
- bool keyset_kskonly) {
+ isc_stdtime_t now, isc_stdtime_t inception, isc_stdtime_t expire,
+ bool check_ksk, bool keyset_kskonly) {
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_kasp_t *kasp = dns_zone_getkasp(zone);
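Review bot: `add_sigs()` now takes three consecutive `isc_stdtime_t` parameters (`now`, `inception`, `expire`), and nothing in the visible signature says what each is for, so a transposed call still compiles cleanly. A short header comment would help, for example `/* now: current time, used for key-activity checks; inception, expire: presumably the signature validity bounds. */`. The same applies to `add_exposed_sigs()`, the zone-side `add_sigs()` and `sign_a_node()` later in this diff. The function body continues outside the hunk.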
continue;
} else if (zsk &&
!dst_key_is_signing(keys[i], DST_BOOL_ZSK,
- inception, &when))
+ now, &when))
{
/*
* This key is not active for zone-signing.
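Review bot: The `dst_key_is_signing()` call has no comment explaining why it is given `now` rather than `inception`. The two are easy to confuse, because a later hunk sets `state->inception = state->now - 3600`. This check decides whether a ZSK is treated as active for zone-signing, so a one-line rationale would guard against a well-meant revert: `/* Check key activity against the current time; inception is backdated for clock skew. */`. The same call appears in the zone-side `add_sigs()` and in `sign_a_node()`. The enclosing loop starts and ends outside the hunk.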
add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, bool cut,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
- isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
- bool keyset_kskonly, unsigned int *sigs) {
+ isc_stdtime_t now, isc_stdtime_t inception,
+ isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly,
+ unsigned int *sigs) {
isc_result_t result;
dns_dbnode_t *node;
dns_rdatasetiter_t *iter;
continue;
}
result = add_sigs(log, zone, db, ver, name, type, diff, keys,
- nkeys, inception, expire, check_ksk,
+ nkeys, now, inception, expire, check_ksk,
keyset_kskonly);
if (result != ISC_R_SUCCESS) {
goto cleanup_iterator;
dns_diff_t work;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
unsigned int nkeys;
- isc_stdtime_t inception, expire, soaexpire, keyexpire;
+ isc_stdtime_t now, inception, expire, soaexpire, keyexpire;
dns_ttl_t nsecttl;
bool check_ksk, keyset_kskonly, build_nsec3;
enum {
dns_difftuple_t *t, *next;
bool flag, build_nsec;
unsigned int i;
- isc_stdtime_t now;
dns_rdata_soa_t soa;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
goto failure;
}
- isc_stdtime_get(&now);
- state->inception = now - 3600; /* Allow for some clock skew. */
- state->expire = now +
+ isc_stdtime_get(&state->now);
+ state->inception = state->now - 3600; /* Allow for some clock
+ skew. */
+ state->expire = state->now +
dns__jitter_expire(zone, sigvalidityinterval);
- state->soaexpire = now + sigvalidityinterval;
+ state->soaexpire = state->now + sigvalidityinterval;
state->keyexpire = dns_zone_getkeyvalidityinterval(zone);
if (state->keyexpire == 0) {
state->keyexpire = state->expire;
} else {
- state->keyexpire += now;
+ state->keyexpire += state->now;
}
/*
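Review bot: The trailing comment on the `state->inception` assignment is now split across two lines (`/* Allow for some clock` then `skew. */`), which reads poorly and looks like a line-wrapping artifact. Put it on its own line above the statement: `/* Allow for some clock skew. */` followed by `state->inception = state->now - 3600;`. The bare `3600` would also be clearer as a named constant, as would the `300` in the `resign > (now - 300)` context line further down. The enclosing function starts outside the hunk.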
log, zone, db, newver, name,
type, &state->sig_diff,
state->zone_keys, state->nkeys,
- state->inception, exp,
- state->check_ksk,
+ state->now, state->inception,
+ exp, state->check_ksk,
state->keyset_kskonly));
sigs++;
}
CHECK(add_exposed_sigs(
log, zone, db, newver, name, cut,
&state->sig_diff, state->zone_keys,
- state->nkeys, state->inception,
- state->expire, state->check_ksk,
- state->keyset_kskonly, &sigs));
+ state->nkeys, state->now,
+ state->inception, state->expire,
+ state->check_ksk, state->keyset_kskonly,
+ &sigs));
}
unlink:
ISC_LIST_UNLINK(state->affected.tuples, t, link);
dns_rdatatype_nsec,
&state->sig_diff,
state->zone_keys, state->nkeys,
- state->inception, state->expire,
- state->check_ksk,
+ state->now, state->inception,
+ state->expire, state->check_ksk,
state->keyset_kskonly));
sigs++;
} else {
CHECK(add_exposed_sigs(
log, zone, db, newver, name, cut,
&state->sig_diff, state->zone_keys,
- state->nkeys, state->inception,
- state->expire, state->check_ksk,
- state->keyset_kskonly, &sigs));
+ state->nkeys, state->now,
+ state->inception, state->expire,
+ state->check_ksk, state->keyset_kskonly,
+ &sigs));
CHECK(dns_nsec3_addnsec3sx(
db, newver, name, state->nsecttl,
unsecure, privatetype,
dns_rdatatype_nsec3,
&state->sig_diff,
state->zone_keys, state->nkeys,
- state->inception, state->expire,
- state->check_ksk,
+ state->now, state->inception,
+ state->expire, state->check_ksk,
state->keyset_kskonly));
sigs++;
} else {
static isc_result_t
add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
- unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
- isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly) {
+ unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t now,
+ isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
+ bool keyset_kskonly) {
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_stats_t *dnssecsignstats;
continue;
}
} else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK,
- inception, &when))
+ now, &when))
{
/*
* This key is not active for zone-signing.
*/
result = add_sigs(db, version, name, zone, covers,
zonediff.diff, zone_keys, nkeys, zone->mctx,
- inception,
+ now, inception,
resign > (now - 300) ? expire : fullexpire,
check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
* termination is sensible.
*/
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
- zonediff.diff, zone_keys, nkeys, zone->mctx,
+ zonediff.diff, zone_keys, nkeys, zone->mctx, now,
inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
static isc_result_t
sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3,
- bool build_nsec, dst_key_t *key, isc_stdtime_t inception,
- isc_stdtime_t expire, dns_ttl_t nsecttl, bool is_ksk, bool is_zsk,
- bool keyset_kskonly, bool is_bottom_of_zone, dns_diff_t *diff,
- int32_t *signatures, isc_mem_t *mctx) {
+ bool build_nsec, dst_key_t *key, isc_stdtime_t now,
+ isc_stdtime_t inception, isc_stdtime_t expire, dns_ttl_t nsecttl,
+ bool is_ksk, bool is_zsk, bool keyset_kskonly,
+ bool is_bottom_of_zone, dns_diff_t *diff, int32_t *signatures,
+ isc_mem_t *mctx) {
isc_result_t result;
dns_rdatasetiter_t *iterator = NULL;
dns_rdataset_t rdataset;
}
} else if (!is_zsk) {
goto next_rdataset;
- } else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
- inception, &when))
+ } else if (is_zsk &&
+ !dst_key_is_signing(key, DST_BOOL_ZSK, now, &when))
{
/* Only applies to dnssec-policy. */
if (dns_zone_getkasp(zone) != NULL) {
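Review bot: The `is_zsk &&` test kept in the rewritten condition is always true at this point, because the preceding branch `else if (!is_zsk)` already jumps to `next_rdataset`. The condition can be reduced to `} else if (!dst_key_is_signing(key, DST_BOOL_ZSK, now, &when))`, which makes it clearer that the key-activity check alone selects this branch. The body of `sign_a_node()` continues outside the hunk.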
}
result = add_sigs(db, version, &tuple->name, zone,
tuple->rdata.type, zonediff->diff, zone_keys,
- nkeys, zone->mctx, inception, exp, check_ksk,
- keyset_kskonly);
+ nkeys, zone->mctx, now, inception, exp,
+ check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"dns__zone_updatesigs:add_sigs -> %s",
}
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
- zonediff.diff, zone_keys, nkeys, zone->mctx,
+ zonediff.diff, zone_keys, nkeys, zone->mctx, now,
inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
CHECK(sign_a_node(
db, zone, name, node, version, build_nsec3,
- build_nsec, zone_keys[i], inception, expire,
- zone_nsecttl(zone), is_ksk, is_zsk,
+ build_nsec, zone_keys[i], now, inception,
+ expire, zone_nsecttl(zone), is_ksk, is_zsk,
(both && keyset_kskonly), is_bottom_of_zone,
zonediff.diff, &signatures, zone->mctx));
/*
* termination is sensible.
*/
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
- zonediff.diff, zone_keys, nkeys, zone->mctx,
+ zonediff.diff, zone_keys, nkeys, zone->mctx, now,
inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
return (result);
}
result = add_sigs(db, ver, &zone->origin, zone, rrtype,
- zonediff->diff, keys, nkeys, zone->mctx,
+ zonediff->diff, keys, nkeys, zone->mctx, now,
inception, keyexpire, check_ksk,
keyset_kskonly);
if (result != ISC_R_SUCCESS) {