[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r5377 - in branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src: enforcer keystate

Yuri Schaeffer yuri at keihatsu.kirei.se
Tue Aug 9 11:39:29 CEST 2011


Author: yuri
Date: 2011-08-09 11:39:29 +0200 (Tue, 09 Aug 2011)
New Revision: 5377

Modified:
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerdata.h
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.h
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/keystate/keystate.proto
Log:
TTL changes in the policy should now be entirely safe.
The zone tracks previous TTLs for all record types. Each record
has its own ttl.
Currently untested. Also, there is no reliable way to get a 
good value for the zone data signatures.


Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp	2011-08-09 09:01:54 UTC (rev 5376)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcer.cpp	2011-08-09 09:39:29 UTC (rev 5377)
@@ -113,11 +113,12 @@
  * */
 void
 setState(KeyData &key, const RECORD record, const STATE state, 
-	const time_t now)
+	const time_t now, const int ttl)
 {
 	KeyState &ks = getRecord(key, record);
 	ks.setState(state);
 	ks.setLastChange(now);
+	ks.setTtl(ttl);
 }
 
 /**
@@ -430,39 +431,38 @@
  * Given a record, its next state, and its last change time when may 
  * apply the transition? This is largely policy related.
  * 
- * @param policy of this zone
+ * @param zone
  * @param record we are testing
  * @param next_state of record 
  * @param lastchange of record
+ * @param ttl of record, *may* be different from policy.
  * @return absolute time
  * */
 time_t
-minTransitionTime(const Policy *policy, const RECORD record, 
-	const STATE next_state, const time_t lastchange)
+minTransitionTime(EnforcerZone &zone, const RECORD record, 
+	const STATE next_state, const time_t lastchange, const int ttl)
 {
 	const char *scmd = "minTransitionTime";
+	const Policy *policy = zone.policy();
 
 	/** We may freely move a record to a uncertain state. */
 	if (next_state == RUM || next_state == UNR) return lastchange;
 	
 	switch(record) {
 		case DS:
-			return addtime(lastchange,
-				  policy->parent().ttlds()
-				+ policy->parent().registrationdelay()
-				+ policy->parent().propagationdelay());
+			return addtime(lastchange, ttl
+					+ policy->parent().registrationdelay()
+					+ policy->parent().propagationdelay());
 		/* TODO: 5011 will create special case here */
 		case DK: /** intentional fall-through */
 		case RD:
-			return addtime(lastchange,
-				  policy->keys().ttl()
+			return addtime(lastchange, ttl
 				+ policy->zone().propagationdelay()
 				+ (next_state == OMN)
 					? policy->keys().publishsafety()
 					: policy->keys().retiresafety());
 		case RS:
-			return addtime(lastchange,
-				  policy->signatures().ttl()
+			return addtime(lastchange, ttl
 				+ policy->zone().propagationdelay());
 		default: 
 			ods_fatal_exit("[%s] %s Unknown record type (%d), "
@@ -471,6 +471,42 @@
 	}
 }
 
+/** given the zone, what TTL should be used for record?
+ * 
+ * Normally we use the TTL from the policy. However a larger TTL might
+ * have been published in the near past causing this record to take 
+ * extra time to propagate */
+int
+getZoneTTL(EnforcerZone &zone, const RECORD record, const time_t now)
+{
+	const char *scmd = "getTTL";
+	const Policy *policy = zone.policy();
+	
+	time_t endDate;
+	int recordTTL;
+	
+	switch(record) {
+		case DS:
+			endDate = zone.ttlEnddateDs();
+			recordTTL = policy->parent().ttlds();
+			break;
+		case DK: /** intentional fall-through */
+		case RD:
+			endDate = zone.ttlEnddateDk();
+			recordTTL = policy->keys().ttl();
+			break;
+		case RS:
+			endDate = zone.ttlEnddateRs();
+			recordTTL = policy->signatures().ttl();
+			break;				  
+		default: 
+			ods_fatal_exit("[%s] %s Unknown record type (%d), "
+				"fault of programmer. Abort.",
+				module_str, scmd, (int)record);
+	}
+	return max((int)difftime(endDate, now), recordTTL);
+}
+
 /**
  * Try to push each key for this zone to a next state. If one changes
  * visit the rest again. Loop stops when no changes can be made without
@@ -491,6 +527,18 @@
 	const char *scmd = "updateZone";
 	ods_log_verbose("[%s] %s", module_str, scmd);
 
+	/** This code keeps track of TTL changes. If in the past a large
+	 * TTL is used, our keys *may* need to transition extra 
+	 * careful to make sure each resolver picks up the RRset.
+	 * When this date passes we may start using the policies TTL. */
+	if (zone.ttlEnddateDs() <= now)
+		zone.setTtlEnddateDs(now + policy->parent().ttlds());
+	if (zone.ttlEnddateDk() <= now)
+		zone.setTtlEnddateDk(now + policy->keys().ttl());
+	if (zone.ttlEnddateRs() <= now)
+		/* TODO: this property is never set? (p->s->ttl) */
+		zone.setTtlEnddateRs(now + policy->signatures().ttl()); 
+
 	/** Keep looping till there are no state changes.
 	 * Find the earliest update time */
 	do {
@@ -520,21 +568,23 @@
 					continue;
 				ods_log_verbose("[%s] %s DNSSEC says we can (2/3)", 
 					module_str, scmd);
-					
-				time_t returntime_key = minTransitionTime(policy, record, 
-					next_state, getRecord(key, record).lastChange());
 
+				time_t returntime_key = minTransitionTime(zone, record, 
+					next_state, getRecord(key, record).lastChange(), 
+					getRecord(key, record).ttl());
+
 				/** It is to soon to make this change. Schedule it. */
 				if (returntime_key > now) {
 					minTime(returntime_key, returntime_zone);
 					continue;
 				}
+
 				ods_log_verbose("[%s] %s Timing says we can (3/3) now: %d key: %d", 
 					module_str, scmd, now, returntime_key);
 				
 				/** We've passed all tests! Make the transition */
-				/* TODO: save next change instead of now */
-				setState(key, record, next_state, now);
+				int ttl = getZoneTTL(zone, record, now);
+				setState(key, record, next_state, now, ttl);
 				change = true;
 			}
 		}
@@ -797,6 +847,12 @@
 			new_key.keyStateDNSKEY().setLastChange(now);
 			new_key.keyStateRRSIGDNSKEY().setLastChange(now);
 			new_key.keyStateRRSIG().setLastChange(now);
+			
+			new_key.keyStateDS().setTtl(getZoneTTL(zone, DS, now));
+			new_key.keyStateDNSKEY().setTtl(getZoneTTL(zone, DK, now));
+			new_key.keyStateRRSIGDNSKEY().setTtl(getZoneTTL(zone, RD, now));
+			new_key.keyStateRRSIG().setTtl(getZoneTTL(zone, RS, now));
+			
 			new_key.setIntroducing(true);
 
 			/** New key inserted, come back after its lifetime */

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerdata.h
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerdata.h	2011-08-09 09:01:54 UTC (rev 5376)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerdata.h	2011-08-09 09:39:29 UTC (rev 5377)
@@ -132,9 +132,12 @@
 public:
     virtual int state() = 0;
     virtual void setState(int value) = 0;
-    
+
     virtual int lastChange() = 0;
     virtual void setLastChange(int value) = 0;
+
+    virtual int ttl() = 0;
+    virtual void setTtl(int value) = 0;
     
     virtual bool minimize() = 0;
 };
@@ -208,6 +211,14 @@
     
     /* set to true when the signer configuration for the signer needs to  be updated. */
     virtual void setSignerConfNeedsWriting(bool value) = 0;
+    
+    /* Moment at which current TTL becomes effective */
+    virtual time_t ttlEnddateDs() = 0;
+    virtual void setTtlEnddateDs(time_t value) = 0;
+    virtual time_t ttlEnddateDk() = 0;
+    virtual void setTtlEnddateDk(time_t value) = 0;
+    virtual time_t ttlEnddateRs() = 0;
+    virtual void setTtlEnddateRs(time_t value) = 0;
 };
 
 typedef time_t (*update_func_type)(EnforcerZone *zone, time_t now, HsmKeyFactory *keyfactory);

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.cpp	2011-08-09 09:01:54 UTC (rev 5376)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.cpp	2011-08-09 09:39:29 UTC (rev 5377)
@@ -41,6 +41,16 @@
     _keystate->set_last_change( value );
 }
 
+int KeyStatePB::ttl()
+{
+    return _keystate->ttl();
+}
+
+void KeyStatePB::setTtl(int value)
+{
+    _keystate->set_ttl( value );
+}
+
 bool KeyStatePB::minimize()
 {
     return _keystate->minimize();
@@ -283,3 +293,33 @@
 {
     _zone->set_next_change(value);
 }
+
+
+time_t EnforcerZonePB::ttlEnddateDs()
+{
+    return _zone->has_ttl_end_ds() ? _zone->ttl_end_ds() : 0;
+}
+
+void EnforcerZonePB::setTtlEnddateDs(time_t value)
+{
+    _zone->set_ttl_end_ds(value);
+}
+time_t EnforcerZonePB::ttlEnddateDk()
+{
+    return _zone->has_ttl_end_dk() ? _zone->ttl_end_dk() : 0;
+}
+
+void EnforcerZonePB::setTtlEnddateDk(time_t value)
+{
+    _zone->set_ttl_end_dk(value);
+}
+
+time_t EnforcerZonePB::ttlEnddateRs()
+{
+    return _zone->has_ttl_end_rs() ? _zone->ttl_end_rs() : 0;
+}
+
+void EnforcerZonePB::setTtlEnddateRs(time_t value)
+{
+    _zone->set_ttl_end_rs(value);
+}

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.h
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.h	2011-08-09 09:01:54 UTC (rev 5376)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/enforcerzone.h	2011-08-09 09:39:29 UTC (rev 5377)
@@ -23,6 +23,9 @@
     virtual int lastChange();
     virtual void setLastChange(int value);
 
+    virtual int ttl();
+    virtual void setTtl(int value);
+
     virtual bool minimize();
     void setMinimize(bool value);
 };
@@ -116,6 +119,14 @@
     
     /* When the key states in this zone are expected to change state. */
     void setNextChange(time_t value);
+
+    /* Moment at which current TTL becomes effective */
+    virtual time_t ttlEnddateDs();
+    virtual void setTtlEnddateDs(time_t value);
+    virtual time_t ttlEnddateDk();
+    virtual void setTtlEnddateDk(time_t value);
+    virtual time_t ttlEnddateRs();
+    virtual void setTtlEnddateRs(time_t value);
 };
 
 #endif

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/keystate/keystate.proto
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/keystate/keystate.proto	2011-08-09 09:01:54 UTC (rev 5376)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/keystate/keystate.proto	2011-08-09 09:39:29 UTC (rev 5377)
@@ -20,6 +20,9 @@
     required bool signconf_needs_writing = 4;
     required string signconf_path = 5 [(xml).path="SignConfPath"];
     optional uint32 next_change = 6; // don't write determine when importing
+    optional uint32 ttl_end_ds = 7 [(xml).path="ttlEndDs"]; // after this date no old ttl is rumoured
+    optional uint32 ttl_end_dk = 8 [(xml).path="ttlEndDk"]; // after this date no old ttl is rumoured
+    optional uint32 ttl_end_rs = 9 [(xml).path="ttlEndRs"]; // after this date no old ttl is rumoured
 } 
 
 message KeyData {
@@ -45,6 +48,7 @@
     optional rrstate state = 1 [default = hidden, (xml).path="State"];
     optional uint32 last_change = 2 [(xml).path="LastChange"]; // Encode as UTC Zulu time ?
     optional bool minimize = 3 [default = false, (xml).path="Minimize"];
+    optional uint32 ttl = 4 [(xml).path="ttl"];
 }
 
 enum keyrole {




More information about the Opendnssec-commits mailing list