46 #include <ldns/ldns.h>
/* Module tag prefixed to every log line emitted from this file ("[rrset] ..."). */
static const char *rrset_str = "rrset";
58 log_rr(ldns_rr* rr,
const char* pre,
int level)
65 str = ldns_rr2str(rr);
67 str[(strlen(str))-1] =
'\0';
69 for (i=0; i < strlen(str); i++) {
77 }
else if (level == 2) {
79 }
else if (level == 3) {
81 }
else if (level == 4) {
83 }
else if (level == 5) {
85 }
else if (level == 6) {
107 ods_log_error(
"[%s] unable to create RRset: no RRtype", rrset_str);
114 ods_log_error(
"[%s] unable to create RRset %u: create allocator "
115 "failed", rrset_str, (
unsigned) rrtype);
122 ods_log_error(
"[%s] unable to create RRset %u: allocator failed",
123 rrset_str, (
unsigned) rrtype);
136 rrset->
rrs = ldns_dnssec_rrs_new();
154 if (!rrset || !rrsig || !locator || !flags) {
155 ods_log_error(
"[%s] unable to recover RRSIG: missing parameters",
166 ods_log_error(
"[%s] unable to recover RRSIG: failed to add", rrset_str);
167 log_rr(rrsig,
"+RRSIG", 1);
186 rrs_examine_ns_rdata(ldns_dnssec_rrs* rrs, ldns_rdf* nsdname)
188 ldns_dnssec_rrs* walk = NULL;
189 if (!rrs || !nsdname) {
195 ldns_dname_compare(ldns_rr_rdf(walk->rr, 0), nsdname) == 0) {
211 if (!rrset || !nsdname || rrset->
rr_type != LDNS_RR_TYPE_NS) {
214 if (rrs_examine_ns_rdata(rrset->
add, nsdname)) {
217 if (rrs_examine_ns_rdata(rrset->
del, nsdname)) {
220 return rrs_examine_ns_rdata(rrset->
rrs, nsdname);
267 ldns_status status = LDNS_STATUS_OK;
276 ods_log_error(
"[%s] unable to add RR: no storage", rrset_str);
281 if (rrset->
rr_type != ldns_rr_get_type(rr)) {
282 ods_log_error(
"[%s] unable to add RR: RRtype mismatch", rrset_str);
287 rrset->
add = ldns_dnssec_rrs_new();
290 if (!rrset->
add->rr) {
296 if (status != LDNS_STATUS_OK) {
297 if (status == LDNS_STATUS_NO_DATA) {
299 "duplicate", rrset_str, rrset->
rr_type);
306 ldns_get_errorstr_by_id(status));
308 ldns_dnssec_rrs_deep_free(rrset->
add);
328 ldns_status status = LDNS_STATUS_OK;
337 ods_log_error(
"[%s] unable to delete RR: no storage", rrset_str);
342 if (rrset->
rr_type != ldns_rr_get_type(rr)) {
343 ods_log_error(
"[%s] unable to delete RR: RRtype mismatch", rrset_str);
348 rrset->
del = ldns_dnssec_rrs_new();
351 if (!rrset->
del->rr) {
357 if (status != LDNS_STATUS_OK) {
358 if (status == LDNS_STATUS_NO_DATA) {
363 "duplicate", rrset_str, rrset->
rr_type);
368 ods_log_error(
"[%s] unable to delete RR from RRset (%i): %s",
370 ldns_get_errorstr_by_id(status));
372 ldns_dnssec_rrs_deep_free(rrset->
del);
392 ldns_dnssec_rrs* rrs = NULL;
393 ldns_rr* del_rr = NULL;
402 del_rr = ldns_rr_clone(rrs->rr);
404 (ldns_rr_get_type(del_rr) == LDNS_RR_TYPE_DNSKEY)) == NULL) {
407 ldns_rr_free(del_rr);
430 ldns_status lstatus = LDNS_STATUS_OK;
431 ldns_dnssec_rrs* current = NULL;
432 ldns_dnssec_rrs* pending = NULL;
433 ldns_dnssec_rrs* prev = NULL;
441 current = rrset->
rrs;
442 pending = rrset->
add;
444 if (!current || !current->rr) {
447 if (!pending || !pending->rr) {
451 while (current && pending) {
453 if (lstatus != LDNS_STATUS_OK) {
455 rrset_str, ldns_get_errorstr_by_id(lstatus));
461 pending = pending->next;
462 }
else if (cmp < 0) {
464 if (rrset->
rr_type != LDNS_RR_TYPE_DNSKEY ||
467 rr = ldns_rr_clone(current->rr);
469 (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY));
477 current = current->next;
480 if (ldns_rr_ttl(current->rr) != ldns_rr_ttl(pending->rr)) {
481 ldns_rr_set_ttl(current->rr, ldns_rr_ttl(pending->rr));
486 rrset->
add = pending->next;
488 prev->next = pending->next;
490 pending->next = NULL;
493 ldns_dnssec_rrs_deep_free(pending);
496 current = current->next;
498 pending = rrset->
add;
500 pending = prev->next;
514 if (rrset->
rr_type != LDNS_RR_TYPE_DNSKEY ||
517 rr = ldns_rr_clone(current->rr);
519 (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY));
526 current = current->next;
538 rrset_commit_del(
rrset_type* rrset, ldns_rr* rr)
540 ldns_status status = LDNS_STATUS_OK;
541 ldns_dnssec_rrs* rrs = NULL;
542 ldns_dnssec_rrs* prev_rrs = NULL;
546 ods_log_error(
"[%s] unable to commit del RR: no RR", rrset_str);
551 ods_log_error(
"[%s] unable to commit del RR: no storage", rrset_str);
559 if (status != LDNS_STATUS_OK) {
560 ods_log_error(
"[%s] unable to commit del RR: compare failed",
568 prev_rrs->next = rrs->next;
570 rrset->
rrs = rrs->next;
573 ldns_dnssec_rrs_deep_free(rrs);
587 ods_log_warning(
"[%s] unable to commit del RR: no such RR", rrset_str);
598 rrset_commit_add(
rrset_type* rrset, ldns_rr* rr)
600 ldns_status status = LDNS_STATUS_OK;
603 ods_log_error(
"[%s] unable to commit add RR: no RR", rrset_str);
608 ods_log_error(
"[%s] unable to commit add RR: no storage", rrset_str);
614 rrset->
rrs = ldns_dnssec_rrs_new();
617 if (!rrset->
rrs->rr) {
625 if (status != LDNS_STATUS_OK) {
626 if (status == LDNS_STATUS_NO_DATA) {
633 rrset_str, ldns_get_errorstr_by_id(status));
655 ldns_dnssec_rrs* rrs = NULL;
670 status = rrset_commit_del(rrset, rrs->rr);
672 ods_log_alert(
"[%s] commit RRset (%i) failed: %s", rrset_str,
678 ldns_dnssec_rrs_deep_free(rrset->
del);
685 status = rrset_commit_add(rrset, rrs->rr);
687 ods_log_alert(
"[%s] commit RRset (%i) failed: %s", rrset_str,
693 ldns_dnssec_rrs_free(rrset->
add);
715 ldns_dnssec_rrs_deep_free(rrset->
add);
720 ldns_dnssec_rrs_deep_free(rrset->
del);
738 uint32_t refresh = 0;
739 uint32_t expiration = 0;
740 uint32_t inception = 0;
741 uint32_t reusedsigs = 0;
747 refresh = (uint32_t) (signtime +
753 if (rrset->
needs_signing || refresh <= (uint32_t) signtime) {
754 ods_log_debug(
"[%s] drop signatures for RRset[%i]", rrset_str,
770 "drop signatures for RRset[%i]", rrset_str, rrset->
rr_type);
778 expiration = ldns_rdf2native_int32(
779 ldns_rr_rrsig_expiration(rrsigs->
rr));
780 inception = ldns_rdf2native_int32(
781 ldns_rr_rrsig_inception(rrsigs->
rr));
783 if (expiration < refresh) {
787 "expiration minus refresh has passed: %u - %u < (signtime)",
788 rrset_str, rrset->
rr_type, expiration, refresh,
789 (uint32_t) signtime);
790 }
else if (inception > (uint32_t) signtime) {
794 "inception has not passed: %u < %u (signtime)", rrset_str,
795 rrset->
rr_type, inception, (uint32_t) signtime);
802 "key %s %u is dead", rrset_str,
807 "key %s %u flags mismatch", rrset_str,
812 next_rrsigs = rrsigs->
next;
827 "(refresh=%u, signtime=%u, inception=%u, expiration=%u)",
828 rrset_str, rrset->
rr_type, refresh, (uint32_t) signtime,
829 inception, expiration);
832 prev_rrsigs = rrsigs;
835 rrsigs = next_rrsigs;
846 rrset_signed_with_algorithm(
rrset_type* rrset, uint8_t algorithm)
850 if (!rrset || !algorithm) {
856 if (rrsigs->
rr && algorithm ==
857 ldns_rdf2native_int8(ldns_rr_rrsig_algorithm(rrsigs->
rr))) {
860 rrsigs = rrsigs->
next;
874 ldns_dnssec_rrs* rrs = NULL;
875 ldns_rr_list* rr_list = NULL;
878 rr_list = ldns_rr_list_new();
880 while (rrs && rrs->rr) {
881 error = (int) ldns_rr_list_push_rr(rr_list, rrs->rr);
883 ldns_rr_list_free(rr_list);
886 if (rrset->
rr_type == LDNS_RR_TYPE_CNAME ||
887 rrset->
rr_type == LDNS_RR_TYPE_DNAME) {
902 rrset_sigvalid_period(
signconf_type* sc, ldns_rr_type rrtype, time_t signtime,
903 time_t* inception, time_t* expiration)
908 time_t random_jitter = 0;
910 if (!sc || !rrtype || !signtime) {
919 if (rrtype == LDNS_RR_TYPE_NSEC || rrtype == LDNS_RR_TYPE_NSEC3) {
928 if (((validity + offset + random_jitter) - jitter) <
929 ((validity + offset) - jitter) ) {
930 ods_log_error(
"[%s] signature validity %u too low, should be at "
931 "least %u", rrset_str,
932 ((validity + offset + random_jitter) - jitter),
933 ((validity + offset) - jitter));
934 }
else if (((validity + offset + random_jitter) - jitter) >
935 ((validity + offset) + jitter) ) {
936 ods_log_error(
"[%s] signature validity %u too high, should be at "
937 "most %u", rrset_str,
938 ((validity + offset + random_jitter) - jitter),
939 ((validity + offset) + jitter));
941 ods_log_debug(
"[%s] signature validity %u in range [%u - %u]",
942 rrset_str, ((validity + offset + random_jitter) - jitter),
943 ((validity + offset) - jitter),
944 ((validity + offset) + jitter));
946 *inception = signtime - offset;
947 *expiration = (signtime + validity + random_jitter) - jitter;
961 uint32_t newsigs = 0;
962 uint32_t reusedsigs = 0;
963 ldns_rr* rrsig = NULL;
964 ldns_rr_list* rr_list = NULL;
968 time_t inception = 0;
969 time_t expiration = 0;
972 ods_log_error(
"[%s] unable to sign RRset: no RRset", rrset_str);
978 ods_log_error(
"[%s] unable to sign RRset: no owner", rrset_str);
984 ods_log_error(
"[%s] unable to sign RRset: no signconf", rrset_str);
990 reusedsigs = rrset_recycle(rrset, sc, signtime);
993 rr_list = rrset2rrlist(rrset);
995 ods_log_error(
"[%s] unable to sign RRset[%i]: to RRlist failed",
999 if (ldns_rr_list_rr_count(rr_list) <= 0) {
1001 ldns_rr_list_free(rr_list);
1010 rrset_sigvalid_period(sc, rrset->
rr_type, signtime,
1011 &inception, &expiration);
1016 if (!key->
zsk && rrset->
rr_type != LDNS_RR_TYPE_DNSKEY) {
1022 if (!key->
ksk && rrset->
rr_type == LDNS_RR_TYPE_DNSKEY) {
1030 if (rrset_signed_with_algorithm(rrset, key->
algorithm)) {
1032 "already has signature with same algorithm", rrset_str,
1046 rrsig =
lhsm_sign(ctx, rr_list, key, owner, inception, expiration);
1048 ods_log_error(
"[%s] unable to sign RRset[%i]: error creating "
1049 "RRSIG RR", rrset_str, rrset->
rr_type);
1050 ldns_rr_list_free(rr_list);
1055 ods_log_deeebug(
"[%s] new signature created for RRset[%i]", rrset_str,
1057 log_rr(rrsig,
"+rrsig", 7);
1062 log_rr(rrsig,
"~RRSIG", 2);
1064 ldns_rr_free(rrsig);
1067 ods_log_error(
"[%s] unable to sign RRset[%i]: error adding RRSIG",
1069 log_rr(rrsig,
"+RRSIG", 1);
1070 ldns_rr_list_free(rr_list);
1079 walk_rrsigs = new_rrsigs;
1080 while (walk_rrsigs) {
1081 if (walk_rrsigs->
rr) {
1085 ldns_rr_clone(walk_rrsigs->
rr),
1089 "RRset[%i]: skipping", rrset_str, rrset->
rr_type);
1090 log_rr(walk_rrsigs->
rr,
"~RRSIG", 2);
1093 ods_log_error(
"[%s] unable to sign RRset[%i]: error adding "
1094 "RRSIG to RRset[%i]", rrset_str, rrset->
rr_type,
1096 log_rr(walk_rrsigs->
rr,
"+RRSIG", 1);
1097 ldns_rr_list_free(rr_list);
1103 log_rr(walk_rrsigs->
rr,
"+RRSIG", 6);
1105 walk_rrsigs = walk_rrsigs->
next;
1110 ldns_rr_list_free(rr_list);
1113 if (rrset->
rr_type == LDNS_RR_TYPE_SOA) {
1134 ods_log_error(
"[%s] unable to queue RRset: no RRset", rrset_str);
1139 ods_log_error(
"[%s] unable to queue RRset: no worker", rrset_str);
1144 ods_log_error(
"[%s] unable to queue RRset: no queue", rrset_str);
1152 status =
fifoq_push(q, (
void*) rrset, worker, &tries);
1188 ldns_dnssec_rrs_deep_free(rrset->
rrs);
1192 ldns_dnssec_rrs_deep_free(rrset->
add);
1196 ldns_dnssec_rrs_deep_free(rrset->
del);
1217 if (!rrset || !fd) {
1224 if (rrset->
rr_type == LDNS_RR_TYPE_CNAME ||
1225 rrset->
rr_type == LDNS_RR_TYPE_DNAME) {
1227 if (rrset->
rrs->rr) {
1228 ldns_rr_print(fd, rrset->
rrs->rr);
1231 ldns_dnssec_rrs_print(fd, rrset->
rrs);
1234 if (rrset->
rrsigs && !skip_rrsigs) {
1248 if (!rrset || !fd) {