OpenDNSSEC-signer  1.3.16
signconf.c
Go to the documentation of this file.
1 /*
2  * $Id: signconf.c 7437 2013-11-27 10:20:58Z matthijs $
3  *
4  * Copyright (c) 2009 NLNet Labs. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in the
13  * documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
19  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
21  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
23  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
25  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  *
27  */
28 
34 #include "parser/confparser.h"
35 #include "parser/signconfparser.h"
36 #include "scheduler/task.h"
37 #include "shared/duration.h"
38 #include "shared/file.h"
39 #include "shared/hsm.h"
40 #include "shared/log.h"
41 #include "signer/backup.h"
42 #include "shared/status.h"
43 #include "signer/keys.h"
44 #include "signer/signconf.h"
45 
46 static const char* sc_str = "signconf";
47 
48 
55 {
56  signconf_type* sc;
57  allocator_type* allocator = allocator_create(malloc, free);
58  if (!allocator) {
59  ods_log_error("[%s] unable to create: create allocator failed",
60  sc_str);
61  return NULL;
62  }
63  ods_log_assert(allocator);
64 
65  sc = (signconf_type*) allocator_alloc(allocator, sizeof(signconf_type));
66  if (!sc) {
67  ods_log_error("[%s] unable to create: allocator failed", sc_str);
68  allocator_cleanup(allocator);
69  return NULL;
70  }
71  ods_log_assert(sc);
72  sc->allocator = allocator;
73  sc->filename = NULL;
74  /* Signatures */
75  sc->sig_resign_interval = NULL;
76  sc->sig_refresh_interval = NULL;
77  sc->sig_validity_default = NULL;
78  sc->sig_validity_denial = NULL;
79  sc->sig_jitter = NULL;
80  sc->sig_inception_offset = NULL;
81  /* Denial of existence */
82  sc->nsec3param_ttl = NULL;
83  sc->nsec_type = 0;
84  sc->nsec3_optout = 0;
85  sc->nsec3_algo = 0;
86  sc->nsec3_iterations = 0;
87  sc->nsec3_salt = NULL;
88  /* Keys */
89  sc->dnskey_ttl = NULL;
90  sc->keys = NULL;
91  /* Source of authority */
92  sc->soa_ttl = NULL;
93  sc->soa_min = NULL;
94  sc->soa_serial = NULL;
95  /* Other useful information */
96  sc->last_modified = 0;
97  sc->audit = 0;
98  return sc;
99 }
100 
101 
106 static ods_status
107 signconf_read(signconf_type* signconf, const char* scfile)
108 {
109  const char* rngfile = ODS_SE_RNGDIR "/signconf.rng";
110  ods_status status = ODS_STATUS_OK;
111  FILE* fd = NULL;
112 
113  ods_log_assert(scfile);
114  ods_log_assert(signconf);
115  ods_log_debug("[%s] read file %s", sc_str, scfile);
116 
117  status = parse_file_check(scfile, rngfile);
118  if (status != ODS_STATUS_OK) {
119  ods_log_error("[%s] unable to parse file %s: %s", sc_str, scfile,
120  ods_status2str(status));
121  return status;
122  }
123 
124  fd = ods_fopen(scfile, NULL, "r");
125  if (fd) {
126  signconf->filename = allocator_strdup(signconf->allocator, scfile);
131  signconf->sig_jitter = parse_sc_sig_jitter(scfile);
133  signconf->nsec_type = parse_sc_nsec_type(scfile);
134  if (signconf->nsec_type == LDNS_RR_TYPE_NSEC3) {
135  signconf->nsec3param_ttl = parse_sc_nsec3param_ttl(scfile);
136  signconf->nsec3_optout = parse_sc_nsec3_optout(scfile);
137  signconf->nsec3_algo = parse_sc_nsec3_algorithm(scfile);
138  signconf->nsec3_iterations = parse_sc_nsec3_iterations(scfile);
139  signconf->nsec3_salt = parse_sc_nsec3_salt(signconf->allocator,
140  scfile);
141  }
142  signconf->keys = parse_sc_keys(signconf->allocator, scfile);
143  signconf->dnskey_ttl = parse_sc_dnskey_ttl(scfile);
144  signconf->soa_ttl = parse_sc_soa_ttl(scfile);
145  signconf->soa_min = parse_sc_soa_min(scfile);
146  signconf->soa_serial = parse_sc_soa_serial(signconf->allocator,
147  scfile);
148  signconf->audit = parse_sc_audit(scfile);
149  ods_fclose(fd);
150  return ODS_STATUS_OK;
151  }
152  ods_log_error("[%s] unable to read signconf file %s", sc_str, scfile);
153  return ODS_STATUS_ERR;
154 }
155 
156 
162 signconf_update(signconf_type** signconf, const char* scfile,
163  time_t last_modified)
164 {
165  signconf_type* new_sc = NULL;
166  time_t st_mtime = 0;
167  ods_status status = ODS_STATUS_OK;
168 
169  if (!signconf) {
170  ods_log_error("[%s] no signconf storage", sc_str);
171  return ODS_STATUS_UNCHANGED;
172  }
173  ods_log_assert(signconf);
174  if (!scfile) {
175  ods_log_error("[%s] no signconf filename", sc_str);
176  return ODS_STATUS_UNCHANGED;
177  }
178  ods_log_assert(scfile);
179 
180  /* is the file updated? */
181  st_mtime = ods_file_lastmodified(scfile);
182  if (st_mtime <= last_modified) {
183  ods_log_deeebug("[%s] file %s not modified since (file %u, "
184  "mem %u)", sc_str, scfile, (unsigned) st_mtime,
185  (unsigned) last_modified);
186  return ODS_STATUS_UNCHANGED;
187  }
188 
189  new_sc = signconf_create();
190  if (!new_sc) {
191  ods_log_error("[%s] error creating new signconf", sc_str);
192  return ODS_STATUS_ERR;
193  }
194 
195  status = signconf_read(new_sc, scfile);
196  if (status == ODS_STATUS_OK) {
197  new_sc->last_modified = st_mtime;
198  if (signconf_check(new_sc) != ODS_STATUS_OK) {
199  ods_log_error("[%s] signconf %s has errors", sc_str, scfile);
200  signconf_cleanup(new_sc);
201  return ODS_STATUS_CFG_ERR;
202  }
203  *signconf = new_sc;
204  } else {
205  ods_log_error("[%s] unable to read file %s: %s", sc_str, scfile,
206  ods_status2str(status));
207  signconf_cleanup(new_sc);
208  }
209  return status;
210 }
211 
212 
218 signconf_recover_from_backup(const char* filename)
219 {
220  signconf_type* signconf = NULL;
221  const char* zonename = NULL;
222  FILE* scfd = NULL;
223 
224  scfd = ods_fopen(filename, NULL, "r");
225  if (scfd) {
226  signconf = signconf_create();
227 
228  if (!backup_read_check_str(scfd, ODS_SE_FILE_MAGIC) ||
229  !backup_read_check_str(scfd, ";name:") ||
230  !backup_read_str(scfd, &zonename) ||
231  !backup_read_check_str(scfd, ";filename:") ||
232  !backup_read_str(scfd, &signconf->filename) ||
233  !backup_read_check_str(scfd, ";last_modified:") ||
234  !backup_read_time_t(scfd, &signconf->last_modified) ||
235  !backup_read_check_str(scfd, ";sig_resign_interval:") ||
236  !backup_read_duration(scfd, &signconf->sig_resign_interval) ||
237  !backup_read_check_str(scfd, ";sig_refresh_interval:") ||
238  !backup_read_duration(scfd, &signconf->sig_refresh_interval) ||
239  !backup_read_check_str(scfd, ";sig_validity_default:") ||
240  !backup_read_duration(scfd, &signconf->sig_validity_default) ||
241  !backup_read_check_str(scfd, ";sig_validity_denial:") ||
242  !backup_read_duration(scfd, &signconf->sig_validity_denial) ||
243  !backup_read_check_str(scfd, ";sig_jitter:") ||
244  !backup_read_duration(scfd, &signconf->sig_jitter) ||
245  !backup_read_check_str(scfd, ";sig_inception_offset:") ||
246  !backup_read_duration(scfd, &signconf->sig_inception_offset) ||
247  !backup_read_check_str(scfd, ";nsec_type:") ||
248  !backup_read_rr_type(scfd, &signconf->nsec_type) ||
249  !backup_read_check_str(scfd, ";dnskey_ttl:") ||
250  !backup_read_duration(scfd, &signconf->dnskey_ttl) ||
251  !backup_read_check_str(scfd, ";soa_ttl:") ||
252  !backup_read_duration(scfd, &signconf->soa_ttl) ||
253  !backup_read_check_str(scfd, ";soa_min:") ||
254  !backup_read_duration(scfd, &signconf->soa_min) ||
255  !backup_read_check_str(scfd, ";soa_serial:") ||
256  !backup_read_str(scfd, &signconf->soa_serial) ||
257  !backup_read_check_str(scfd, ";audit:") ||
258  !backup_read_int(scfd, &signconf->audit) ||
259  !backup_read_check_str(scfd, ODS_SE_FILE_MAGIC))
260  {
261  ods_log_error("[%s] unable to recover signconf backup file %s: corrupt "
262  "backup file ", sc_str, filename?filename:"(null)");
263  signconf_cleanup(signconf);
264  signconf = NULL;
265  }
266 
267  if (zonename) {
268  free((void*) zonename);
269  }
270  ods_fclose(scfd);
271  return signconf;
272  }
273 
274  ods_log_debug("[%s] unable to recover signconf backup file %s", sc_str,
275  filename?filename:"(null)");
276  return NULL;
277 }
278 
279 
284 static void
285 signconf_backup_duration(FILE* fd, const char* opt, duration_type* duration)
286 {
287  char* str = duration2string(duration);
288  fprintf(fd, "%s %s ", opt, str?str:"(null)");
289  free((void*) str);
290  return;
291 }
292 
293 
294 
299 void
301 {
302  if (!fd || !sc) {
303  return;
304  }
305  ods_log_assert(fd);
306  ods_log_assert(sc);
307 
308  fprintf(fd, ";;Signconf: lastmod %u ", (unsigned) sc->last_modified);
309  signconf_backup_duration(fd, "resign", sc->sig_resign_interval);
310  signconf_backup_duration(fd, "refresh", sc->sig_refresh_interval);
311  signconf_backup_duration(fd, "valid", sc->sig_validity_default);
312  signconf_backup_duration(fd, "denial", sc->sig_validity_denial);
313  signconf_backup_duration(fd, "jitter", sc->sig_jitter);
314  signconf_backup_duration(fd, "offset", sc->sig_inception_offset);
315  fprintf(fd, "nsec %u ", (unsigned) sc->nsec_type);
316  signconf_backup_duration(fd, "dnskeyttl", sc->dnskey_ttl);
317  signconf_backup_duration(fd, "soattl", sc->soa_ttl);
318  signconf_backup_duration(fd, "soamin", sc->soa_min);
319  fprintf(fd, "serial %s ", sc->soa_serial?sc->soa_serial:"(null)");
320  fprintf(fd, "audit %i\n", sc->audit);
321  return;
322 }
323 
324 
329 static int
330 signconf_soa_serial_check(const char* serial) {
331  if (!serial) {
332  return 1;
333  }
334 
335  if (strlen(serial) == 4 && strncmp(serial, "keep", 4) == 0) {
336  return 0;
337  }
338  if (strlen(serial) == 7 && strncmp(serial, "counter", 7) == 0) {
339  return 0;
340  }
341  if (strlen(serial) == 8 && strncmp(serial, "unixtime", 8) == 0) {
342  return 0;
343  }
344  if (strlen(serial) == 11 && strncmp(serial, "datecounter", 11) == 0) {
345  return 0;
346  }
347  return 1;
348 }
349 
356 {
357  ods_status status = ODS_STATUS_OK;
358 
359  if (!sc->sig_resign_interval) {
360  ods_log_error("[%s] check failed: no signature resign interval found",
361  sc_str);
362  status = ODS_STATUS_CFG_ERR;
363  }
364  if (!sc->sig_refresh_interval) {
365  ods_log_error("[%s] check failed: no signature resign interval found",
366  sc_str);
367  status = ODS_STATUS_CFG_ERR;
368  }
369  if (!sc->sig_validity_default) {
370  ods_log_error("[%s] check failed: no signature default validity found",
371  sc_str);
372  status = ODS_STATUS_CFG_ERR;
373  }
374  if (!sc->sig_validity_denial) {
375  ods_log_error("[%s] check failed: no signature denial validity found",
376  sc_str);
377  status = ODS_STATUS_CFG_ERR;
378  }
379  if (!sc->sig_jitter) {
380  ods_log_error("[%s] check failed: no signature jitter found", sc_str);
381  status = ODS_STATUS_CFG_ERR;
382  }
383  if (!sc->sig_inception_offset) {
384  ods_log_error("[%s] check failed: no signature inception offset found",
385  sc_str);
386  status = ODS_STATUS_CFG_ERR;
387  }
388  if (sc->nsec_type == LDNS_RR_TYPE_NSEC3) {
389  if (sc->nsec3_algo != LDNS_SHA1) {
390  ods_log_error("[%s] check failed: invalid nsec3 algorithm",
391  sc_str);
392  status = ODS_STATUS_CFG_ERR;
393  }
394  /* iterations */
395  /* salt */
396  /* optout */
397  } else if (sc->nsec_type != LDNS_RR_TYPE_NSEC) {
398  ods_log_error("[%s] check failed: wrong nsec type %i", sc_str,
399  sc->nsec_type);
400  status = ODS_STATUS_CFG_ERR;
401  }
402  if (!sc->keys || sc->keys->count == 0) {
403  ods_log_error("[%s] check failed: no keys found", sc_str);
404  status = ODS_STATUS_CFG_ERR;
405  }
406  if (!sc->dnskey_ttl) {
407  ods_log_error("[%s] check failed: no dnskey ttl found", sc_str);
408  status = ODS_STATUS_CFG_ERR;
409  }
410  if (!sc->soa_ttl) {
411  ods_log_error("[%s] check failed: no soa ttl found", sc_str);
412  status = ODS_STATUS_CFG_ERR;
413  }
414  if (!sc->soa_min) {
415  ods_log_error("[%s] check failed: no soa minimum found", sc_str);
416  status = ODS_STATUS_CFG_ERR;
417  }
418  if (!sc->soa_serial) {
419  ods_log_error("[%s] check failed: no soa serial type found", sc_str);
420  status = ODS_STATUS_CFG_ERR;
421  } else if (signconf_soa_serial_check(sc->soa_serial) != 0) {
422  ods_log_error("[%s] check failed: wrong soa serial type %s", sc_str,
423  sc->soa_serial);
424  status = ODS_STATUS_CFG_ERR;
425  }
426 
427  return status;
428 }
429 
430 
435 task_id
437 {
438  task_id new_task = TASK_NONE;
439  if (!a || !b) {
440  return TASK_NONE;
441  }
442  ods_log_assert(a);
443  ods_log_assert(b);
444 
445  if (duration_compare(a->soa_min, b->soa_min)) {
446  new_task = TASK_NSECIFY;
447  } else if (a->nsec_type != b->nsec_type) {
448  new_task = TASK_NSECIFY;
449  } else if (a->nsec_type == LDNS_RR_TYPE_NSEC3) {
450  if ((ods_strcmp(a->nsec3_salt, b->nsec3_salt) != 0) ||
451  (a->nsec3_algo != b->nsec3_algo) ||
452  (a->nsec3_iterations != b->nsec3_iterations) ||
453  (a->nsec3_optout != b->nsec3_optout)) {
454 
455  new_task = TASK_NSECIFY;
456  } else if (duration_compare(a->nsec3param_ttl, b->nsec3param_ttl)) {
457  new_task = TASK_READ;
458  }
459  }
460  return new_task;
461 }
462 
463 
470  task_id* task)
471 {
472  hsm_ctx_t* ctx = NULL;
473  task_id new_task = TASK_NONE;
474  ods_status status = ODS_STATUS_OK;
475  key_type* walk = NULL;
476  key_type* ka = NULL;
477  key_type* kb = NULL;
478  int remove = 0;
479  int copy = 0;
480 
481  if (!a || !b) {
482  return TASK_NONE;
483  }
484  ods_log_assert(a);
485  ods_log_assert(b);
486  ods_log_assert(task);
487 
488  ctx = hsm_create_context();
489  if (!ctx) {
490  *task = TASK_NONE;
491  return ODS_STATUS_HSM_ERR;
492  }
493  ods_log_assert(ctx);
494 
495  /* keys deleted? */
496  if (a->keys) {
497  walk = a->keys->first_key;
498  }
499  while (walk && walk->locator) {
500  remove = 0;
501  copy = 0;
502 
503  kb = keylist_lookup(b->keys, walk->locator);
504  if (!kb) {
505  remove = 1; /* [DEL] key removed from signconf */
506  } else {
507  if (duration_compare(a->dnskey_ttl, b->dnskey_ttl) != 0) {
508  remove = 1; /* [DEL] consider to be different key */
509  } else if (walk->flags != kb->flags) {
510  remove = 1; /* [DEL] consider to be different key */
511  } else if (walk->algorithm != kb->algorithm) {
512  remove = 1; /* [DEL] consider to be different key */
513  } else if (walk->publish != kb->publish) {
514  if (walk->publish) {
515  remove = 1; /* [DEL] withdraw dnskey from zone */
516  } else {
517  new_task = TASK_READ; /* [ADD] introduce key to zone */
518  }
519  } else if (walk->ksk != kb->ksk) {
520  copy = 1; /* [UNCHANGED] same key, different role */
521  } else if (walk->zsk != kb->zsk) {
522  copy = 1; /* [UNCHANGED] same key, different role */
523  } else {
524  /* [UNCHANGED] identical key credentials */
525  copy = 1;
526  }
527  }
528 
529  if (remove) {
530  new_task = TASK_READ;
531  if (del && walk->dnskey) {
532  if (!ldns_rr_list_push_rr(del, walk->dnskey)) {
533  ods_log_error("[%s] del key failed", sc_str);
534  new_task = TASK_SIGNCONF;
535  break;
536  }
537  }
538  } else if (copy) {
539  if (walk->dnskey && !kb->dnskey) {
540  kb->dnskey = walk->dnskey;
541  kb->hsmkey = walk->hsmkey;
542  status = lhsm_get_key(ctx, ldns_rr_owner(walk->dnskey), kb);
543  walk->hsmkey = NULL;
544  walk->dnskey = NULL;
545  }
546  if (status != ODS_STATUS_OK) {
547  ods_log_error("[%s] copy key failed", sc_str);
548  new_task = TASK_SIGNCONF;
549  break;
550  }
551  }
552  walk = walk->next;
553  }
554 
555  if (new_task == TASK_NONE) {
556  /* no error and no keys were deleted, perhaps keys were added */
557  walk = NULL;
558  if (b->keys) {
559  walk = b->keys->first_key;
560  }
561  while (walk) {
562  ka = keylist_lookup(a->keys, walk->locator);
563  if (!ka) {
564  new_task = TASK_READ; /* [ADD] key added to signconf */
565  break;
566  }
571  walk = walk->next;
572  }
573  }
574  *task = new_task;
575  hsm_destroy_context(ctx);
576  return ODS_STATUS_OK;
577 }
578 
579 
584 void
586 {
587  allocator_type* allocator;
588  if (!sc) {
589  return;
590  }
600  keylist_cleanup(sc->keys);
601 
602  allocator = sc->allocator;
603  allocator_deallocate(allocator, (void*) sc->filename);
604  allocator_deallocate(allocator, (void*) sc->nsec3_salt);
605  allocator_deallocate(allocator, (void*) sc->soa_serial);
606  allocator_deallocate(allocator, (void*) sc);
607  allocator_cleanup(allocator);
608  return;
609 }
610 
611 
616 void
617 signconf_print(FILE* out, signconf_type* sc, const char* name)
618 {
619  char* s = NULL;
620 
621  fprintf(out, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
622 
623  if (sc) {
624  fprintf(out, "<SignerConfiguration>\n");
625  fprintf(out, "\t<Zone name=\"%s\">\n", name?name:"(null)");
626 
627  /* Signatures */
628  fprintf(out, "\t\t<Signatures>\n");
630  fprintf(out, "\t\t\t<Resign>%s</Resign>\n", s?s:"(null)");
631  free((void*)s);
632 
634  fprintf(out, "\t\t\t<Refresh>%s</Refresh>\n", s?s:"(null)");
635  free((void*)s);
636 
637  fprintf(out, "\t\t\t<Validity>\n");
638 
640  fprintf(out, "\t\t\t\t<Default>%s</Default>\n", s?s:"(null)");
641  free((void*)s);
642 
644  fprintf(out, "\t\t\t\t<Denial>%s</Denial>\n", s?s:"(null)");
645  free((void*)s);
646 
647  fprintf(out, "\t\t\t</Validity>\n");
648 
649  s = duration2string(sc->sig_jitter);
650  fprintf(out, "\t\t\t<Jitter>%s</Jitter>\n", s?s:"(null)");
651  free((void*)s);
652 
654  fprintf(out, "\t\t\t<InceptionOffset>%s</InceptionOffset>\n",
655  s?s:"(null)");
656  free((void*)s);
657 
658  fprintf(out, "\t\t</Signatures>\n");
659  fprintf(out, "\n");
660 
661  /* Denial */
662  fprintf(out, "\t\t<Denial>\n");
663  if (sc->nsec_type == LDNS_RR_TYPE_NSEC) {
664  fprintf(out, "\t\t\t<NSEC />\n");
665  } else if (sc->nsec_type == LDNS_RR_TYPE_NSEC3) {
666  fprintf(out, "\t\t\t<NSEC3>\n");
667  if (sc->nsec3param_ttl) {
669  fprintf(out, "\t\t\t\t<TTL>%s</TTL>\n", s?s:"(null)");
670  free((void*)s);
671  }
672  if (sc->nsec3_optout) {
673  fprintf(out, "\t\t\t\t<OptOut />\n");
674  }
675  fprintf(out, "\t\t\t\t<Hash>\n");
676  fprintf(out, "\t\t\t\t\t<Algorithm>%i</Algorithm>\n",
677  sc->nsec3_algo);
678  fprintf(out, "\t\t\t\t\t<Iterations>%i</Iterations>\n",
679  sc->nsec3_iterations);
680  fprintf(out, "\t\t\t\t\t<Salt>%s</Salt>\n",
681  sc->nsec3_salt?sc->nsec3_salt:"(null)");
682  fprintf(out, "\t\t\t\t</Hash>\n");
683  fprintf(out, "\t\t\t</NSEC3>\n");
684  }
685  fprintf(out, "\t\t</Denial>\n");
686  fprintf(out, "\n");
687 
688  /* Keys */
689  fprintf(out, "\t\t<Keys>\n");
690  s = duration2string(sc->dnskey_ttl);
691  fprintf(out, "\t\t\t<TTL>%s</TTL>\n", s?s:"(null)");
692  free((void*)s);
693  fprintf(out, "\n");
694  keylist_print(out, sc->keys);
695  fprintf(out, "\t\t</Keys>\n");
696  fprintf(out, "\n");
697 
698  /* SOA */
699  fprintf(out, "\t\t<SOA>\n");
700  s = duration2string(sc->soa_ttl);
701  fprintf(out, "\t\t\t<TTL>%s</TTL>\n", s?s:"(null)");
702  free((void*)s);
703 
704  s = duration2string(sc->soa_min);
705  fprintf(out, "\t\t\t<Minimum>%s</Minimum>\n", s?s:"(null)");
706  free((void*)s);
707 
708  fprintf(out, "\t\t\t<Serial>%s</Serial>\n",
709  sc->soa_serial?sc->soa_serial:"(null)");
710  fprintf(out, "\t\t</SOA>\n");
711  fprintf(out, "\n");
712 
713  /* Audit */
714  if (sc->audit) {
715  fprintf(out, "\t\t<Audit />\n");
716  fprintf(out, "\n");
717  }
718 
719  fprintf(out, "\t</Zone>\n");
720  fprintf(out, "</SignerConfiguration>\n");
721  }
722  return;
723 }
724 
725 
730 void
731 signconf_log(signconf_type* sc, const char* name)
732 {
733  char* resign = NULL;
734  char* refresh = NULL;
735  char* validity = NULL;
736  char* denial = NULL;
737  char* jitter = NULL;
738  char* offset = NULL;
739  char* dnskeyttl = NULL;
740  char* soattl = NULL;
741  char* soamin = NULL;
742  char* paramttl = NULL;
743 
744  if (sc) {
745  resign = duration2string(sc->sig_resign_interval);
746  refresh = duration2string(sc->sig_refresh_interval);
747  validity = duration2string(sc->sig_validity_default);
748  denial = duration2string(sc->sig_validity_denial);
749  jitter = duration2string(sc->sig_jitter);
751  dnskeyttl = duration2string(sc->dnskey_ttl);
752  paramttl = duration2string(sc->nsec3param_ttl);
753  soattl = duration2string(sc->soa_ttl);
754  soamin = duration2string(sc->soa_min);
755 
756  ods_log_info("[%s] zone %s signconf: RESIGN[%s] REFRESH[%s] "
757  "VALIDITY[%s] DENIAL[%s] JITTER[%s] OFFSET[%s] NSEC[%i] "
758  "DNSKEYTTL[%s] SOATTL[%s] MINIMUM[%s] SERIAL[%s] AUDIT[%i]",
759  sc_str,
760  name?name:"(null)",
761  resign?resign:"(null)",
762  refresh?refresh:"(null)",
763  validity?validity:"(null)",
764  denial?denial:"(null)",
765  jitter?jitter:"(null)",
766  offset?offset:"(null)",
767  (int) sc->nsec_type,
768  dnskeyttl?dnskeyttl:"(null)",
769  soattl?soattl:"(null)",
770  soamin?soamin:"(null)",
771  sc->soa_serial?sc->soa_serial:"(null)",
772  (int) sc->audit);
773 
774  if (sc->nsec_type == LDNS_RR_TYPE_NSEC3) {
775  ods_log_info("[%s] zone %s nsec3: PARAMTTL[%s] OPTOUT[%i] "
776  "ALGORITHM[%u] ITERATIONS[%u] SALT[%s]",
777  sc_str,
778  name?name:"(null)",
779  paramttl?paramttl:"PT0S",
780  sc->nsec3_optout,
781  sc->nsec3_algo,
782  sc->nsec3_iterations,
783  sc->nsec3_salt?sc->nsec3_salt:"(null)");
784  }
785 
786  /* Keys */
787  keylist_log(sc->keys, name);
788 
789  free((void*)resign);
790  free((void*)refresh);
791  free((void*)validity);
792  free((void*)denial);
793  free((void*)jitter);
794  free((void*)offset);
795  free((void*)dnskeyttl);
796  free((void*)paramttl);
797  free((void*)soattl);
798  free((void*)soamin);
799  }
800  return;
801 }
signconf_type * signconf_create(void)
Definition: signconf.c:54
key_type * next
Definition: keys.h:67
void keylist_cleanup(keylist_type *kl)
Definition: keys.c:482
duration_type * parse_sc_sig_validity_default(const char *cfgfile)
int backup_read_str(FILE *in, const char **str)
Definition: backup.c:94
Definition: task.h:43
uint32_t nsec3_iterations
Definition: signconf.h:67
duration_type * parse_sc_sig_validity_denial(const char *cfgfile)
duration_type * sig_inception_offset
Definition: signconf.h:61
int publish
Definition: keys.h:64
task_id signconf_compare_denial(signconf_type *a, signconf_type *b)
Definition: signconf.c:436
int zsk
Definition: keys.h:66
uint32_t parse_sc_nsec3_algorithm(const char *cfgfile)
void keylist_log(keylist_type *kl, const char *name)
Definition: keys.c:431
void ods_log_debug(const char *format,...)
Definition: log.c:285
duration_type * soa_min
Definition: signconf.h:74
duration_type * parse_sc_soa_ttl(const char *cfgfile)
ods_status signconf_check(signconf_type *sc)
Definition: signconf.c:355
int backup_read_duration(FILE *in, duration_type **v)
Definition: backup.c:128
ldns_rr * dnskey
Definition: keys.h:59
const char * nsec3_salt
Definition: signconf.h:68
const char * soa_serial
Definition: signconf.h:75
keylist_type * keys
Definition: signconf.h:71
duration_type * soa_ttl
Definition: signconf.h:73
void * allocator_alloc(allocator_type *allocator, size_t size)
Definition: allocator.c:67
duration_type * sig_validity_default
Definition: signconf.h:58
void signconf_cleanup(signconf_type *sc)
Definition: signconf.c:585
int backup_read_rr_type(FILE *in, ldns_rr_type *v)
Definition: backup.c:145
duration_type * sig_validity_denial
Definition: signconf.h:59
duration_type * nsec3param_ttl
Definition: signconf.h:63
void ods_log_info(const char *format,...)
Definition: log.c:317
int backup_read_time_t(FILE *in, time_t *v)
Definition: backup.c:111
enum ods_enum_status ods_status
Definition: status.h:64
const char * parse_sc_soa_serial(allocator_type *allocator, const char *cfgfile)
ods_status parse_file_check(const char *cfgfile, const char *rngfile)
Definition: confparser.c:55
time_t ods_file_lastmodified(const char *file)
Definition: file.c:287
void ods_log_error(const char *format,...)
Definition: log.c:349
duration_type * parse_sc_sig_inception_offset(const char *cfgfile)
const char * ods_status2str(ods_status status)
Definition: status.c:84
void keylist_print(FILE *fd, keylist_type *kl)
Definition: keys.c:388
int ods_strcmp(const char *s1, const char *s2)
Definition: file.c:317
int backup_read_int(FILE *in, int *v)
Definition: backup.c:162
void duration_cleanup(duration_type *duration)
Definition: duration.c:566
ldns_rr_type nsec_type
Definition: signconf.h:64
void signconf_print(FILE *out, signconf_type *sc, const char *name)
Definition: signconf.c:617
enum task_id_enum task_id
Definition: task.h:51
keylist_type * parse_sc_keys(allocator_type *allocator, const char *cfgfile)
FILE * ods_fopen(const char *file, const char *dir, const char *mode)
Definition: file.c:188
const char * parse_sc_nsec3_salt(allocator_type *allocator, const char *cfgfile)
duration_type * parse_sc_dnskey_ttl(const char *cfgfile)
duration_type * parse_sc_sig_jitter(const char *cfgfile)
duration_type * sig_refresh_interval
Definition: signconf.h:57
signconf_type * signconf_recover_from_backup(const char *filename)
Definition: signconf.c:218
const char * locator
Definition: keys.h:58
allocator_type * allocator_create(void *(*allocator)(size_t size), void(*deallocator)(void *))
Definition: allocator.c:48
Definition: task.h:45
ods_status lhsm_get_key(hsm_ctx_t *ctx, ldns_rdf *owner, key_type *key_id)
Definition: hsm.c:136
duration_type * parse_sc_nsec3param_ttl(const char *cfgfile)
void signconf_backup(FILE *fd, signconf_type *sc)
Definition: signconf.c:300
char * allocator_strdup(allocator_type *allocator, const char *string)
Definition: allocator.c:122
char * duration2string(duration_type *duration)
Definition: duration.c:231
duration_type * parse_sc_sig_refresh_interval(const char *cfgfile)
int parse_sc_nsec3_optout(const char *cfgfile)
duration_type * parse_sc_soa_min(const char *cfgfile)
time_t last_modified
Definition: signconf.h:78
uint32_t nsec3_algo
Definition: signconf.h:66
int duration_compare(duration_type *d1, duration_type *d2)
Definition: duration.c:85
size_t count
Definition: keys.h:77
void ods_fclose(FILE *fd)
Definition: file.c:245
allocator_type * allocator
Definition: signconf.h:54
void allocator_cleanup(allocator_type *allocator)
Definition: allocator.c:153
duration_type * dnskey_ttl
Definition: signconf.h:70
void signconf_log(signconf_type *sc, const char *name)
Definition: signconf.c:731
int ksk
Definition: keys.h:65
uint8_t algorithm
Definition: keys.h:62
int backup_read_check_str(FILE *in, const char *str)
Definition: backup.c:74
duration_type * sig_jitter
Definition: signconf.h:60
duration_type * sig_resign_interval
Definition: signconf.h:56
key_type * keylist_lookup(keylist_type *list, const char *locator)
Definition: keys.c:330
key_type * first_key
Definition: keys.h:78
void ods_log_deeebug(const char *format,...)
Definition: log.c:269
ldns_rr_type parse_sc_nsec_type(const char *cfgfile)
void allocator_deallocate(allocator_type *allocator, void *data)
Definition: allocator.c:136
int parse_sc_audit(const char *cfgfile)
#define ods_log_assert(x)
Definition: log.h:141
const char * filename
Definition: signconf.h:77
uint32_t flags
Definition: keys.h:63
duration_type * parse_sc_sig_resign_interval(const char *cfgfile)
uint32_t parse_sc_nsec3_iterations(const char *cfgfile)
hsm_key_t * hsmkey
Definition: keys.h:60
ods_status signconf_update(signconf_type **signconf, const char *scfile, time_t last_modified)
Definition: signconf.c:162
ods_status signconf_compare_keys(signconf_type *a, signconf_type *b, ldns_rr_list *del, task_id *task)
Definition: signconf.c:469
int nsec3_optout
Definition: signconf.h:65