[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r5371 - branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer

Yuri Schaeffer yuri at keihatsu.kirei.se
Fri Aug 5 16:56:12 CEST 2011


Author: yuri
Date: 2011-08-05 16:56:11 +0200 (Fri, 05 Aug 2011)
New Revision: 5371

Modified:
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp
Log:
Remove keys only after purge time. Do not remove keys if purgetime isn't specified.



Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp	2011-08-05 13:35:39 UTC (rev 5370)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp	2011-08-05 14:56:11 UTC (rev 5371)
@@ -835,19 +835,30 @@
  * Removes all keys from list that are no longer used.
  * 
  * @param key_list list to filter.
+ * @param now
+ * @param purgetime period after which dead keys may be removed
  * */
 void
-removeDeadKeys(KeyDataList &key_list)
+removeDeadKeys(KeyDataList &key_list, const time_t now, const int purgetime)
 {
 	const char *scmd = "removeDeadKeys";
 	
 	for (int i = key_list.numKeys()-1; i >= 0; i--) {
 		KeyData &key = key_list.key(i);
-		if (	(getState(key, DS) == HID || getState(key, DS) == NOCARE) &&
-				(getState(key, DK) == HID || getState(key, DK) == NOCARE) &&
-				(getState(key, RD) == HID || getState(key, RD) == NOCARE) &&
-				(getState(key, RS) == HID || getState(key, RS) == NOCARE) &&
-				!key.introducing()) {
+		if (!key.introducing() &&
+			(getState(key, DS) == HID && 
+			now >= addtime(key.keyStateDS().lastChange(), purgetime) || 
+				getState(key, DS) == NOCARE) &&
+			(getState(key, DK) == HID && 
+			now >= addtime(key.keyStateDNSKEY().lastChange(), purgetime) || 
+				getState(key, DK) == NOCARE) &&
+			(getState(key, RD) == HID && 
+			now >= addtime(key.keyStateRRSIGDNSKEY().lastChange(), purgetime) ||
+				getState(key, RD) == NOCARE) &&
+			(getState(key, RS) == HID &&
+			now >= addtime(key.keyStateRRSIG().lastChange(), purgetime) ||
+				getState(key, RS) == NOCARE) )
+		{
 			ods_log_info("[%s] %s delete key: %s", module_str, scmd, key.locator().c_str());
 			key_list.delKey(i);
 		}
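Review bot: The new condition in removeDeadKeys relies on `&&` binding tighter than `||` to express "(HID and past the purge delay) or NOCARE" for each of the four states; that parses as intended, but the unparenthesised `A && B || C` is easy to misread when auditing when key material is dropped, and gcc flags it under -Wparentheses. I would group each pair explicitly, e.g. `((getState(key, DS) == HID && now >= addtime(key.keyStateDS().lastChange(), purgetime)) || getState(key, DS) == NOCARE) &&` and likewise for DK, RD and RS. The added `@param now` line is empty; I would write `@param now current time, compared against each state's lastChange plus purgetime`. The function's closing brace lies outside the hunk.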
@@ -861,6 +872,7 @@
 	time_t policy_return_time, zone_return_time;
 	bool allow_unsigned;
 	KeyDataList &key_list = zone.keyDataList();
+	const Policy *policy = zone.policy();
 	const char *scmd = "update";
 
 	ods_log_info("[%s] %s Zone: %s", module_str, scmd, zone.name().c_str());
@@ -871,8 +883,11 @@
 			"[%s] %s No keys configured, zone will become unsigned eventually",
 			module_str, scmd);
 	zone_return_time = updateZone(zone, now, allow_unsigned);
-	removeDeadKeys(key_list);
 
+	/* Only purge old keys of the configuration says so. */
+	if (policy->keys().has_purge())
+		removeDeadKeys(key_list, now, policy->keys().purge());
+
 	/** Always set these flags. Normally this needs to be done _only_
 	 * when signerConfNeedsWriting() is set. However a previous
 	 * signerconf might not be available, we have no way of telling. :(
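Review bot: `policy->keys().has_purge()` dereferences the `policy` pointer obtained from `zone.policy()` in the previous hunk without checking it; whether `zone.policy()` can return a null pointer is not visible here, and if it can, a missing policy would crash the enforcer at this line rather than simply skipping the purge. If null is possible I would change the guard to `if (policy && policy->keys().has_purge())`. The new comment reads "of the configuration says so" where "if the configuration says so" is meant.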



