46 static const char* sc_str =
"signconf";
59 ods_log_error(
"[%s] unable to create: create allocator failed",
67 ods_log_error(
"[%s] unable to create: allocator failed", sc_str);
109 const char* rngfile = ODS_SE_RNGDIR
"/signconf.rng";
119 ods_log_error(
"[%s] unable to parse file %s: %s", sc_str, scfile,
134 if (signconf->
nsec_type == LDNS_RR_TYPE_NSEC3) {
152 ods_log_error(
"[%s] unable to read signconf file %s", sc_str, scfile);
163 time_t last_modified)
182 if (st_mtime <= last_modified) {
184 "mem %u)", sc_str, scfile, (
unsigned) st_mtime,
185 (
unsigned) last_modified);
195 status = signconf_read(new_sc, scfile);
199 ods_log_error(
"[%s] signconf %s has errors", sc_str, scfile);
205 ods_log_error(
"[%s] unable to read file %s: %s", sc_str, scfile,
221 const char* zonename = NULL;
261 ods_log_error(
"[%s] unable to recover signconf backup file %s: corrupt "
262 "backup file ", sc_str, filename?filename:
"(null)");
268 free((
void*) zonename);
274 ods_log_debug(
"[%s] unable to recover signconf backup file %s", sc_str,
275 filename?filename:
"(null)");
285 signconf_backup_duration(FILE* fd,
const char* opt,
duration_type* duration)
288 fprintf(fd,
"%s %s ", opt, str?str:
"(null)");
308 fprintf(fd,
";;Signconf: lastmod %u ", (
unsigned) sc->
last_modified);
313 signconf_backup_duration(fd,
"jitter", sc->
sig_jitter);
315 fprintf(fd,
"nsec %u ", (
unsigned) sc->
nsec_type);
316 signconf_backup_duration(fd,
"dnskeyttl", sc->
dnskey_ttl);
317 signconf_backup_duration(fd,
"soattl", sc->
soa_ttl);
318 signconf_backup_duration(fd,
"soamin", sc->
soa_min);
320 fprintf(fd,
"audit %i\n", sc->
audit);
330 signconf_soa_serial_check(
const char* serial) {
335 if (strlen(serial) == 4 && strncmp(serial,
"keep", 4) == 0) {
338 if (strlen(serial) == 7 && strncmp(serial,
"counter", 7) == 0) {
341 if (strlen(serial) == 8 && strncmp(serial,
"unixtime", 8) == 0) {
344 if (strlen(serial) == 11 && strncmp(serial,
"datecounter", 11) == 0) {
360 ods_log_error(
"[%s] check failed: no signature resign interval found",
365 ods_log_error(
"[%s] check failed: no signature resign interval found",
370 ods_log_error(
"[%s] check failed: no signature default validity found",
375 ods_log_error(
"[%s] check failed: no signature denial validity found",
380 ods_log_error(
"[%s] check failed: no signature jitter found", sc_str);
384 ods_log_error(
"[%s] check failed: no signature inception offset found",
388 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
397 }
else if (sc->
nsec_type != LDNS_RR_TYPE_NSEC) {
398 ods_log_error(
"[%s] check failed: wrong nsec type %i", sc_str,
407 ods_log_error(
"[%s] check failed: no dnskey ttl found", sc_str);
411 ods_log_error(
"[%s] check failed: no soa ttl found", sc_str);
415 ods_log_error(
"[%s] check failed: no soa minimum found", sc_str);
419 ods_log_error(
"[%s] check failed: no soa serial type found", sc_str);
421 }
else if (signconf_soa_serial_check(sc->
soa_serial) != 0) {
422 ods_log_error(
"[%s] check failed: wrong soa serial type %s", sc_str,
449 }
else if (a->
nsec_type == LDNS_RR_TYPE_NSEC3) {
472 hsm_ctx_t* ctx = NULL;
488 ctx = hsm_create_context();
499 while (walk && walk->
locator) {
519 }
else if (walk->
ksk != kb->
ksk) {
521 }
else if (walk->
zsk != kb->
zsk) {
531 if (del && walk->
dnskey) {
532 if (!ldns_rr_list_push_rr(del, walk->
dnskey)) {
575 hsm_destroy_context(ctx);
621 fprintf(out,
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
624 fprintf(out,
"<SignerConfiguration>\n");
625 fprintf(out,
"\t<Zone name=\"%s\">\n", name?name:
"(null)");
628 fprintf(out,
"\t\t<Signatures>\n");
630 fprintf(out,
"\t\t\t<Resign>%s</Resign>\n", s?s:
"(null)");
634 fprintf(out,
"\t\t\t<Refresh>%s</Refresh>\n", s?s:
"(null)");
637 fprintf(out,
"\t\t\t<Validity>\n");
640 fprintf(out,
"\t\t\t\t<Default>%s</Default>\n", s?s:
"(null)");
644 fprintf(out,
"\t\t\t\t<Denial>%s</Denial>\n", s?s:
"(null)");
647 fprintf(out,
"\t\t\t</Validity>\n");
650 fprintf(out,
"\t\t\t<Jitter>%s</Jitter>\n", s?s:
"(null)");
654 fprintf(out,
"\t\t\t<InceptionOffset>%s</InceptionOffset>\n",
658 fprintf(out,
"\t\t</Signatures>\n");
662 fprintf(out,
"\t\t<Denial>\n");
663 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC) {
664 fprintf(out,
"\t\t\t<NSEC />\n");
665 }
else if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
666 fprintf(out,
"\t\t\t<NSEC3>\n");
669 fprintf(out,
"\t\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
673 fprintf(out,
"\t\t\t\t<OptOut />\n");
675 fprintf(out,
"\t\t\t\t<Hash>\n");
676 fprintf(out,
"\t\t\t\t\t<Algorithm>%i</Algorithm>\n",
678 fprintf(out,
"\t\t\t\t\t<Iterations>%i</Iterations>\n",
680 fprintf(out,
"\t\t\t\t\t<Salt>%s</Salt>\n",
682 fprintf(out,
"\t\t\t\t</Hash>\n");
683 fprintf(out,
"\t\t\t</NSEC3>\n");
685 fprintf(out,
"\t\t</Denial>\n");
689 fprintf(out,
"\t\t<Keys>\n");
691 fprintf(out,
"\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
695 fprintf(out,
"\t\t</Keys>\n");
699 fprintf(out,
"\t\t<SOA>\n");
701 fprintf(out,
"\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
705 fprintf(out,
"\t\t\t<Minimum>%s</Minimum>\n", s?s:
"(null)");
708 fprintf(out,
"\t\t\t<Serial>%s</Serial>\n",
710 fprintf(out,
"\t\t</SOA>\n");
715 fprintf(out,
"\t\t<Audit />\n");
719 fprintf(out,
"\t</Zone>\n");
720 fprintf(out,
"</SignerConfiguration>\n");
734 char* refresh = NULL;
735 char* validity = NULL;
739 char* dnskeyttl = NULL;
742 char* paramttl = NULL;
756 ods_log_info(
"[%s] zone %s signconf: RESIGN[%s] REFRESH[%s] "
757 "VALIDITY[%s] DENIAL[%s] JITTER[%s] OFFSET[%s] NSEC[%i] "
758 "DNSKEYTTL[%s] SOATTL[%s] MINIMUM[%s] SERIAL[%s] AUDIT[%i]",
761 resign?resign:
"(null)",
762 refresh?refresh:
"(null)",
763 validity?validity:
"(null)",
764 denial?denial:
"(null)",
765 jitter?jitter:
"(null)",
766 offset?offset:
"(null)",
768 dnskeyttl?dnskeyttl:
"(null)",
769 soattl?soattl:
"(null)",
770 soamin?soamin:
"(null)",
774 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
775 ods_log_info(
"[%s] zone %s nsec3: PARAMTTL[%s] OPTOUT[%i] "
776 "ALGORITHM[%u] ITERATIONS[%u] SALT[%s]",
779 paramttl?paramttl:
"PT0S",
790 free((
void*)refresh);
791 free((
void*)validity);
795 free((
void*)dnskeyttl);
796 free((
void*)paramttl);
signconf_type * signconf_create(void)
void keylist_cleanup(keylist_type *kl)
duration_type * parse_sc_sig_validity_default(const char *cfgfile)
int backup_read_str(FILE *in, const char **str)
uint32_t nsec3_iterations
duration_type * parse_sc_sig_validity_denial(const char *cfgfile)
duration_type * sig_inception_offset
task_id signconf_compare_denial(signconf_type *a, signconf_type *b)
uint32_t parse_sc_nsec3_algorithm(const char *cfgfile)
void keylist_log(keylist_type *kl, const char *name)
void ods_log_debug(const char *format,...)
duration_type * parse_sc_soa_ttl(const char *cfgfile)
ods_status signconf_check(signconf_type *sc)
int backup_read_duration(FILE *in, duration_type **v)
void * allocator_alloc(allocator_type *allocator, size_t size)
duration_type * sig_validity_default
void signconf_cleanup(signconf_type *sc)
int backup_read_rr_type(FILE *in, ldns_rr_type *v)
duration_type * sig_validity_denial
duration_type * nsec3param_ttl
void ods_log_info(const char *format,...)
int backup_read_time_t(FILE *in, time_t *v)
enum ods_enum_status ods_status
const char * parse_sc_soa_serial(allocator_type *allocator, const char *cfgfile)
ods_status parse_file_check(const char *cfgfile, const char *rngfile)
time_t ods_file_lastmodified(const char *file)
void ods_log_error(const char *format,...)
duration_type * parse_sc_sig_inception_offset(const char *cfgfile)
const char * ods_status2str(ods_status status)
void keylist_print(FILE *fd, keylist_type *kl)
int ods_strcmp(const char *s1, const char *s2)
int backup_read_int(FILE *in, int *v)
void duration_cleanup(duration_type *duration)
void signconf_print(FILE *out, signconf_type *sc, const char *name)
enum task_id_enum task_id
keylist_type * parse_sc_keys(allocator_type *allocator, const char *cfgfile)
FILE * ods_fopen(const char *file, const char *dir, const char *mode)
const char * parse_sc_nsec3_salt(allocator_type *allocator, const char *cfgfile)
duration_type * parse_sc_dnskey_ttl(const char *cfgfile)
duration_type * parse_sc_sig_jitter(const char *cfgfile)
duration_type * sig_refresh_interval
signconf_type * signconf_recover_from_backup(const char *filename)
allocator_type * allocator_create(void *(*allocator)(size_t size), void(*deallocator)(void *))
ods_status lhsm_get_key(hsm_ctx_t *ctx, ldns_rdf *owner, key_type *key_id)
duration_type * parse_sc_nsec3param_ttl(const char *cfgfile)
void signconf_backup(FILE *fd, signconf_type *sc)
char * allocator_strdup(allocator_type *allocator, const char *string)
char * duration2string(duration_type *duration)
duration_type * parse_sc_sig_refresh_interval(const char *cfgfile)
int parse_sc_nsec3_optout(const char *cfgfile)
duration_type * parse_sc_soa_min(const char *cfgfile)
int duration_compare(duration_type *d1, duration_type *d2)
void ods_fclose(FILE *fd)
allocator_type * allocator
void allocator_cleanup(allocator_type *allocator)
duration_type * dnskey_ttl
void signconf_log(signconf_type *sc, const char *name)
int backup_read_check_str(FILE *in, const char *str)
duration_type * sig_jitter
duration_type * sig_resign_interval
key_type * keylist_lookup(keylist_type *list, const char *locator)
void ods_log_deeebug(const char *format,...)
ldns_rr_type parse_sc_nsec_type(const char *cfgfile)
void allocator_deallocate(allocator_type *allocator, void *data)
int parse_sc_audit(const char *cfgfile)
#define ods_log_assert(x)
duration_type * parse_sc_sig_resign_interval(const char *cfgfile)
uint32_t parse_sc_nsec3_iterations(const char *cfgfile)
ods_status signconf_update(signconf_type **signconf, const char *scfile, time_t last_modified)
ods_status signconf_compare_keys(signconf_type *a, signconf_type *b, ldns_rr_list *del, task_id *task)