[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r1676 - in trunk/OpenDNSSEC: . enforcer/communicated enforcer/ksm enforcer/ksm/include/ksm

Sion Lloyd sion at nominet.org.uk
Mon Aug 24 11:47:15 CEST 2009


Author: sion
Date: 2009-08-24 11:47:15 +0200 (Mon, 24 Aug 2009)
New Revision: 1676

Modified:
   trunk/OpenDNSSEC/NEWS
   trunk/OpenDNSSEC/enforcer/communicated/communicator.c
   trunk/OpenDNSSEC/enforcer/ksm/include/ksm/ksm.h
   trunk/OpenDNSSEC/enforcer/ksm/ksm_list.c
Log:
Rollover warnings implemented (pivotal story 891643). Until the configuration parameters exist the warning period is set to 10 mins and only one warning will be sent. The story will not close until this has been finished.


Modified: trunk/OpenDNSSEC/NEWS
===================================================================
--- trunk/OpenDNSSEC/NEWS	2009-08-24 09:32:47 UTC (rev 1675)
+++ trunk/OpenDNSSEC/NEWS	2009-08-24 09:47:15 UTC (rev 1676)
@@ -4,6 +4,12 @@
 
 Features:
 * ksmutil import key implemented
+* warn (by sending a message to the log) about impending key rollover
+* Changes to the KASP DB, please apply:
+  If want to use your old DB:
+    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090820_1.sqlite3
+  Or start fresh (with loss of information):
+    ksmutil setup
 
 Bugfixes:
 * Better display of null backups (i.e. backup required) in ksmutil list

Modified: trunk/OpenDNSSEC/enforcer/communicated/communicator.c
===================================================================
--- trunk/OpenDNSSEC/enforcer/communicated/communicator.c	2009-08-24 09:32:47 UTC (rev 1675)
+++ trunk/OpenDNSSEC/enforcer/communicated/communicator.c	2009-08-24 09:47:15 UTC (rev 1676)
@@ -99,6 +99,8 @@
     char *tag_name;
     int zone_id = -1;
     int signer_flag = 1; /* Is the signer responding? (1 == yes) */
+    char* ksk_expected = NULL;  /* When is the next ksk rollover expected? */
+    char* zsk_expected = NULL;  /* When is the next zsk rollover expected? */
     
     xmlChar *name_expr = (unsigned char*) "name";
     xmlChar *policy_expr = (unsigned char*) "//Zone/Policy";
@@ -110,6 +112,10 @@
 
     char* temp_char = NULL;
 
+    /* Stuff to see if we need to log an "impending rollover" warning */
+    char* datetime = NULL;
+    int roll_time = 0;
+
     if (config == NULL) {
         log_msg(NULL, LOG_ERR, "Error in server_main, no config provided");
         exit(1);
@@ -343,8 +349,44 @@
                         continue;
                     }
 
+                    /* See if we need to send a warning about an impending rollover */
+                    datetime = DtParseDateTimeString("now");
+                    /* First the KSK */
+                    status2 = KsmCheckNextRollover(KSM_TYPE_KSK, zone_id, &ksk_expected);
+                    if (status2 != 0) {
+                        log_msg(config, LOG_ERR, "Error checking for impending rollover for %s", zone_name);
+                        /* TODO should we quit or continue? */
+                    }
+                    status2 = DtDateDiff(ksk_expected, datetime, &roll_time);
+                    if (status2 != 0) {
+                        log_msg(config, LOG_ERR, "Error checking for impending rollover for %s", zone_name);
+                    }
+                    /* TODO parameterise this; use 10mins for now though */
+                    if (roll_time <= 600 && roll_time >= (600 - config->interval)) {
+                        log_msg(config, LOG_ERR, "Rollover of KSK expected at %s for %s", ksk_expected, zone_name);
+                    }
+
+                    /* Then the ZSK */
+                    status2 = KsmCheckNextRollover(KSM_TYPE_ZSK, zone_id, &zsk_expected);
+                    if (status2 != 0) {
+                        log_msg(config, LOG_ERR, "Error checking for impending rollover for %s", zone_name);
+                        /* TODO should we quit or continue? */
+                    }
+                    status2 = DtDateDiff(zsk_expected, datetime, &roll_time);
+                    if (status2 != 0) {
+                        log_msg(config, LOG_ERR, "Error checking for impending rollover for %s", zone_name);
+                    }
+                    /* TODO parameterise this; use 10mins for now though */
+                    if (roll_time <= 600 && roll_time >= (600 - config->interval)) {
+                        log_msg(config, LOG_ERR, "Rollover of ZSK expected at %s for %s", zsk_expected, zone_name);
+                    }
+
+                    
+
+
                     StrFree(current_filename);
                     StrFree(zone_name);
+                    StrFree(datetime);
                 }
                 /* Read the next line */
                 ret = xmlTextReaderRead(reader);
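Review bot: ksk_expected and zsk_expected are filled by KsmCheckNextRollover on every pass through the zone loop but never released, and the DtDateDiff/roll_time checks still run when that call failed, so DtDateDiff is handed a NULL or stale pointer and a roll_time left over from the previous zone can log a warning against the wrong zone. Make each failure skip the rest of that key's check, reset roll_time before each check, and free the returned strings next to StrFree(datetime). The warnings are also emitted at LOG_ERR although the commit describes them as warnings; LOG_WARNING fits that better. This assumes StrFree tolerates NULL and that the string from KsmCheckNextRollover is heap-allocated like the other StrFree'd buffers, which is inferred rather than visible here; the enclosing loop body begins outside the hunk.
```c
/* See if we need to send a warning about an impending rollover */
datetime = DtParseDateTimeString("now");
/* First the KSK */
roll_time = 0;
status2 = KsmCheckNextRollover(KSM_TYPE_KSK, zone_id, &ksk_expected);
if (status2 != 0 || ksk_expected == NULL) {
    log_msg(config, LOG_ERR, "Error checking for impending rollover for %s", zone_name);
} else if (DtDateDiff(ksk_expected, datetime, &roll_time) != 0) {
    log_msg(config, LOG_ERR, "Error checking for impending rollover for %s", zone_name);
} else if (roll_time <= 600 && roll_time >= (600 - config->interval)) {
    /* TODO parameterise the 600s warning window */
    log_msg(config, LOG_WARNING, "Rollover of KSK expected at %s for %s", ksk_expected, zone_name);
}
if (ksk_expected != NULL) {
    StrFree(ksk_expected);
    ksk_expected = NULL;
}
/* … ZSK check: same structure with KSM_TYPE_ZSK / zsk_expected, then freed the same way … */
```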

Modified: trunk/OpenDNSSEC/enforcer/ksm/include/ksm/ksm.h
===================================================================
--- trunk/OpenDNSSEC/enforcer/ksm/include/ksm/ksm.h	2009-08-24 09:32:47 UTC (rev 1675)
+++ trunk/OpenDNSSEC/enforcer/ksm/include/ksm/ksm.h	2009-08-24 09:47:15 UTC (rev 1676)
@@ -565,6 +565,7 @@
 int KsmListPolicies();
 int KsmListRollovers(int zone_id);
 int KsmListKeys(int zone_id, int long_list);
+int KsmCheckNextRollover(int keytype, int zone_id, char** datetime);
 
 #ifdef __cplusplus
 };
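Review bot: The new prototype gives a reader no hint that the string returned through `datetime` is allocated and has to be released by the caller; the communicator.c call site added in this same commit never frees it. A one-line comment above the declaration, `/* On success *datetime is allocated; caller releases it with StrFree() */`, would make the contract visible where it is used. That the buffer is heap-allocated is inferred from how the surrounding code treats DbString results, so confirm before wording it.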

Modified: trunk/OpenDNSSEC/enforcer/ksm/ksm_list.c
===================================================================
--- trunk/OpenDNSSEC/enforcer/ksm/ksm_list.c	2009-08-24 09:32:47 UTC (rev 1675)
+++ trunk/OpenDNSSEC/enforcer/ksm/ksm_list.c	2009-08-24 09:47:15 UTC (rev 1676)
@@ -461,3 +461,59 @@
 
     return status;
 }
+
+/*+
+ * KsmCheckNextRollover - Find next expected rollover
+ *
+ *
+ * Arguments:
+ *
+ *      int keytype
+ *          KSK or ZSK
+ *
+ *      int zone_id
+ *          ID of the zone
+ *
+ *      char** datetime
+ *          (returned) date that a rollover is expected
+ *
+ * Returns:
+ *      int
+ *          Status return.  0 on success.
+ *                          other on fail
+ */
+
+int KsmCheckNextRollover(int keytype, int zone_id, char** datetime)
+{
+    char*       sql = NULL;     /* SQL query */
+    int         status = 0;     /* Status return */
+    DB_RESULT	result;         /* Result of the query */
+    DB_ROW      row = NULL;     /* Row data */
+
+    /* Select rows */
+    sql = DqsSpecifyInit("KEYDATA_VIEW", "retire");
+    DqsConditionInt(&sql, "KEYTYPE", DQS_COMPARE_EQ, keytype, 0);
+    DqsConditionInt(&sql, "STATE", DQS_COMPARE_EQ, KSM_STATE_ACTIVE, 1);
+    DqsConditionInt(&sql, "ZONE_ID", DQS_COMPARE_EQ, zone_id, 2);
+    StrAppend(&sql, " order by retire asc");
+
+    DqsEnd(&sql);
+
+    status = DbExecuteSql(DbHandle(), sql, &result);
+
+    if (status == 0) {
+        status = DbFetchRow(result, &row);
+
+        /* First row should be the closest rollover if there are multiple active keys */
+        if (status == 0) {
+            DbString(row, 0, datetime);
+        }
+
+        DbFreeResult(result);
+        DbFreeRow(row);
+    }
+
+    DusFree(sql);
+
+    return status;
+}
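Review bot: `*datetime` is never assigned on any failure path, and a zone with no active key of the requested type presumably makes DbFetchRow return non-zero, so the caller cannot distinguish "no key to roll" from a database error and is left with whatever its pointer already held. Set `*datetime = NULL;` at entry and extend the header comment's Returns section with `other on fail, or when the zone has no active key of that type`. The return value of `DbString(row, 0, datetime)` is also discarded; fold it into `status` like the other calls. DbFreeRow(row) runs whether or not the fetch succeeded, which is fine only if it accepts the NULL the initialiser provides — worth confirming.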



