Log when CDS/CDNSKEY is published in zone.
authorMatthijs Mekking <matthijs@isc.org>
Thu, 27 Aug 2020 12:32:52 +0000 (14:32 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Wed, 2 Sep 2020 10:00:16 +0000 (12:00 +0200)
Log when named decides to add a CDS/CDNSKEY record to the zone. This
also shows how the bug fixed in the previous commits was found.

bin/tests/system/kasp/tests.sh
lib/dns/dnssec.c

index 3de31e57344dea6485e59d5ed1c1ff33d98a18f4..08691cfcfd13da9888701429335c8a7dcbb4b4dc 100644 (file)
@@ -1172,6 +1172,26 @@ check_subdomain() {
        status=$((status+ret))
 }
 
+# Check if "CDS/CDNSKEY Published" is logged.
+check_cdslog() {
+       _dir=$1
+       _zone=$2
+       _key=$3
+
+       _alg=$(key_get $_key ALG_STR)
+       _id=$(key_get $_key ID)
+
+       n=$((n+1))
+       echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)"
+       ret=0
+
+       grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+       grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+
+       test "$ret" -eq 0 || echo_i "failed"
+       status=$((status+ret))
+}
+
 #
 # rndc dnssec -checkds
 #
@@ -2720,6 +2740,8 @@ check_keytimes
 check_apex
 check_subdomain
 dnssec_verify
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY1
 
 # The DS can be introduced. We ignore any parent registration delay, so set
 # the DS publish time to now.
@@ -3150,6 +3172,8 @@ set_keystate "KEY3" "STATE_DS"     "rumoured"
 # Various signing policy checks.
 check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY3
 
 # Set expected key times:
 # - The old keys were activated 60 days ago (5184000 seconds).
@@ -3395,6 +3419,8 @@ set_keystate "KEY2" "STATE_DS"     "rumoured"
 # Various signing policy checks.
 check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
 
 # Set expected key times:
 # - This key was activated 186 days ago (16070400 seconds).
@@ -3713,6 +3739,8 @@ set_keystate     "KEY2" "STATE_DS" "rumoured"
 # Various signing policy checks.
 check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
 
 # Set expected key times:
 # - This key was activated 186 days ago (16070400 seconds).
@@ -4678,6 +4706,8 @@ set_keystate "KEY3" "STATE_DS"     "rumoured"
 check_keys
 wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY3
 
 # Set expected key times:
 # - The old keys were activated 9 hours ago (32400 seconds).
@@ -5037,6 +5067,8 @@ set_keystate "KEY2" "STATE_DS"     "rumoured"
 check_keys
 wait_for_done_signing
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
 
 # Set expected key times:
 # - The old key was activated 9 hours ago (32400 seconds).
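Review bot: In check_cdslog the grep patterns are basic regular expressions but the expected text is literal, so a dot in `${_zone}` matches any character; passing `-F` keeps the match exact, e.g. `grep -F "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1`, and the same for the CDNSKEY line. Requiring both messages for one key also means the check passes even if the CDS and CDNSKEY labels were attached to the wrong rdataset in lib/dns/dnssec.c, which the C hunk of this commit appears to do, so a comment in the helper stating which record each message is expected to accompany would make the intent checkable. The remaining hunks in this file only add calls to this helper.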
index 4d2f864bfa85bc445b7acae457dfee5b8cf19a81..4b26e65606a15c382c2a9d96cf8006881bcd18af 100644 (file)
@@ -1984,14 +1984,27 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                cds_sha256.type = dns_rdatatype_cds;
 
                if (syncpublish(key->key, now)) {
+                       char keystr[DST_KEY_FORMATSIZE];
+                       dst_key_format(key->key, keystr, sizeof(keystr));
+
                        if (!dns_rdataset_isassociated(cdnskey) ||
                            !exists(cdnskey, &cdnskeyrdata)) {
+                               isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                                             DNS_LOGMODULE_DNSSEC,
+                                             ISC_LOG_INFO,
+                                             "CDS for key %s is now published",
+                                             keystr);
                                RETERR(addrdata(&cdnskeyrdata, diff, origin,
                                                ttl, mctx));
                        }
                        /* Only publish SHA-256 (SHA-1 is deprecated) */
                        if (!dns_rdataset_isassociated(cds) ||
                            !exists(cds, &cds_sha256)) {
+                               isc_log_write(
+                                       dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                                       DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+                                       "CDNSKEY for key %s is now published",
+                                       keystr);
                                RETERR(addrdata(&cds_sha256, diff, origin, ttl,
                                                mctx));
                        }
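Review bot: The two log messages are attached to the wrong branches: the `isc_log_write` inside the `cdnskey` check, which goes on to add `cdnskeyrdata`, reports "CDS for key %s is now published", while the one inside the `cds` check that adds `cds_sha256` reports "CDNSKEY for key %s is now published". Swapping the two format strings fixes it: `"CDNSKEY for key %s is now published",` in the first call and `"CDS for key %s is now published",` in the second. The new test in bin/tests/system/kasp/tests.sh greps for both messages per key, so it does not catch the swap and needs no change. dns_dnssec_syncupdate begins before and continues past this hunk.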