Clear dnssec-sign stats for removed keys
authorMatthijs Mekking <matthijs@isc.org>
Fri, 20 Aug 2021 13:06:13 +0000 (15:06 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 24 Aug 2021 07:07:15 +0000 (09:07 +0200)
Clear the key slots for dnssec-sign statistics for keys that are
removed. This way, the number of slots will stabilize to the maximum
key usage in a zone and will not grow every time a key rollover is
triggered.

lib/dns/include/dns/stats.h
lib/dns/stats.c
lib/dns/zone.c

index 8a2833a7f1264c327206cca293b5bb83a3b3724a..8c973fe5e04fd2527a27c05fae2182377027b713 100644 (file)
@@ -698,8 +698,17 @@ void
 dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg,
                              dnssecsignstats_type_t operation);
 /*%<
- * Increment the statistics counter for the DNSKEY 'id'. The 'operation'
- * determines what counter is incremented.
+ * Increment the statistics counter for the DNSKEY 'id' with algorithm 'alg'.
+ * The 'operation' determines what counter is incremented.
+ *
+ * Requires:
+ *\li  'stats' is a valid dns_stats_t created by dns_dnssecsignstats_create().
+ */
+
+void
+dns_dnssecsignstats_clear(dns_stats_t *stats, dns_keytag_t id, uint8_t alg);
+/*%<
+ * Clear the statistics counter for the DNSKEY 'id' with algorithm 'alg'.
  *
  * Requires:
  *\li  'stats' is a valid dns_stats_t created by dns_dnssecsignstats_create().
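Review bot: The new comment on dns_dnssecsignstats_clear() does not say what a caller should expect when no slot matches 'id' and 'alg'; going by the stats.c implementation in this commit, the function returns without changing anything. I would add a line such as ` * If no slot matches 'id' and 'alg', nothing is changed.` and state that the key's slot is released together with its sign and refresh counters, since the slot reuse is the reason the function exists. The comment block is closed outside this hunk.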
index 40127fd3c177d926e046162212c3bade0dfa51ad..b6d0e0c188aeede8ae914afc1b1289094121265d 100644 (file)
@@ -406,6 +406,33 @@ dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg,
        isc_stats_increment(stats->counters, (nidx + operation));
 }
 
+void
+dns_dnssecsignstats_clear(dns_stats_t *stats, dns_keytag_t id, uint8_t alg) {
+       uint32_t kval;
+       int num_keys = isc_stats_ncounters(stats->counters) /
+                      dnssecsign_block_size;
+
+       REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec);
+
+       /* Shift algorithm in front of key tag, which is 16 bits */
+       kval = (uint32_t)(alg << 16 | id);
+
+       /* Look up correct counter. */
+       for (int i = 0; i < num_keys; i++) {
+               int idx = i * dnssecsign_block_size;
+               uint32_t counter = isc_stats_get_counter(stats->counters, idx);
+               if (counter == kval) {
+                       /* Match */
+                       isc_stats_set(stats->counters, 0, idx);
+                       isc_stats_set(stats->counters, 0,
+                                     (idx + dns_dnssecsignstats_sign));
+                       isc_stats_set(stats->counters, 0,
+                                     (idx + dns_dnssecsignstats_refresh));
+                       return;
+               }
+       }
+}
+
 /*%
  * Dump methods
  */
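Review bot: In dns_dnssecsignstats_clear() the initializer of `num_keys` reads `stats->counters` before the `REQUIRE(DNS_STATS_VALID(stats) && ...)` line runs, so a NULL or invalid `stats` is dereferenced before the assertion can catch it. Declare `int num_keys;` on its own, keep the REQUIRE where it is, and then assign `num_keys = isc_stats_ncounters(stats->counters) / dnssecsign_block_size;`. Separately, a slot is matched only on the `alg << 16 | id` value, and zone.c in this commit also passes the revoked key id, so it is worth confirming that a removed key whose tag or revoked tag coincides with a key still in use (same algorithm) cannot zero that key's counters. A short comment above the loop saying that a key value of 0 marks a free slot would help, if that is indeed the convention the increment path relies on.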
index 77432951ebd822feab46cb9150d760f52ddeaa64..bca0f4dce43688a7c04628e2e196826e1bcd249b 100644 (file)
@@ -21775,6 +21775,8 @@ zone_rekey(dns_zone_t *zone) {
 
        if (commit) {
                dns_difftuple_t *tuple;
+               dns_stats_t *dnssecsignstats =
+                       dns_zone_getdnssecsignstats(zone);
 
                DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 
@@ -21795,6 +21797,22 @@ zone_rekey(dns_zone_t *zone) {
                                                   "%s",
                                                   dns_result_totext(result));
                                }
+
+                               /* Clear DNSSEC sign statistics. */
+                               if (dnssecsignstats != NULL) {
+                                       dns_dnssecsignstats_clear(
+                                               dnssecsignstats,
+                                               dst_key_id(key->key),
+                                               dst_key_alg(key->key));
+                                       /*
+                                        * Also clear the dnssec-sign
+                                        * statistics of the revoked key id.
+                                        */
+                                       dns_dnssecsignstats_clear(
+                                               dnssecsignstats,
+                                               dst_key_rid(key->key),
+                                               dst_key_alg(key->key));
+                               }
                        }
                }