[Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r6012 - in branches/OpenDNSSEC-enforcer-ng/signer/src: adapter parser signer

matthijs at nlnetlabs.nl matthijs at nlnetlabs.nl
Wed Jan 4 16:41:36 CET 2012


Author: matthijs
Date: 2012-01-04 16:41:36 +0100 (Wed, 04 Jan 2012)
New Revision: 6012

Modified:
   branches/OpenDNSSEC-enforcer-ng/signer/src/adapter/adapi.c
   branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.c
   branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.h
   branches/OpenDNSSEC-enforcer-ng/signer/src/signer/denial.c
   branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.c
   branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.h
   branches/OpenDNSSEC-enforcer-ng/signer/src/signer/zone.c
Log:
OPENDNSSEC-45: Implement MaxZoneTTL

* The MaxZoneTTL element is expected at the location //SignerConfiguration/Zone/Signatures/MaxZoneTTL
* NSEC and NSEC3 TTLs are not capped; they take the signer configuration's SOA Minimum value (falling back to the zone default TTL when that is not set)



Modified: branches/OpenDNSSEC-enforcer-ng/signer/src/adapter/adapi.c
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/adapter/adapi.c	2012-01-04 15:24:18 UTC (rev 6011)
+++ branches/OpenDNSSEC-enforcer-ng/signer/src/adapter/adapi.c	2012-01-04 15:41:36 UTC (rev 6012)
@@ -284,6 +284,7 @@
 adapi_process_rr(zone_type* zone, ldns_rr* rr, int add)
 {
     ods_status status = ODS_STATUS_OK;
+    uint32_t tmp = 0;
     ods_log_assert(rr);
     ods_log_assert(zone);
     ods_log_assert(zone->name);
@@ -295,6 +296,10 @@
             "to in");
         ldns_rr_set_class(rr, LDNS_RR_CLASS_IN);
     }
+    /* Convert MaxZoneTTL */
+    if (zone->signconf->max_zone_ttl) {
+        tmp = (uint32_t) duration2time(zone->signconf->max_zone_ttl);
+    }
     /* RR processing */
     if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) {
         if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) {
@@ -323,6 +328,10 @@
             return ODS_STATUS_UNCHANGED;
         }
     }
+    /* //MaxZoneTTL. Possibly overrides //SOA/TTL and //Keys/TTL. */
+    if (tmp && tmp < ldns_rr_ttl(rr)) {
+       ldns_rr_set_ttl(rr, tmp);
+    }
 
     /* TODO: DNAME and CNAME checks */
     /* TODO: NS and DS checks */
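Review bot: The `(uint32_t) duration2time(zone->signconf->max_zone_ttl)` conversion is redone for every RR that passes through adapi_process_rr, and the cast discards sign and range: if duration2time signals an error with a negative value (its return type is not visible in this diff) the cap silently becomes a huge uint32 and never applies. Convert and range-check the value once when the signconf is loaded, and only compare a stored uint32 here. The `tmp && tmp < ldns_rr_ttl(rr)` test also means a configured value of zero disables the cap rather than capping to zero, which the comment should state explicitly: `/* MaxZoneTTL; 0 or absent means no cap. Possibly overrides //SOA/TTL and //Keys/TTL. */`. adapi_process_rr continues past the end of this hunk.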

Modified: branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.c
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.c	2012-01-04 15:24:18 UTC (rev 6011)
+++ branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.c	2012-01-04 15:41:36 UTC (rev 6012)
@@ -306,6 +306,22 @@
 }
 
 
+duration_type*
+parse_sc_max_zone_ttl(const char* cfgfile)
+{
+    duration_type* duration = NULL;
+    const char* str = parse_conf_string(cfgfile,
+        "//SignerConfiguration/Zone/Signatures/MaxZoneTTL",
+        1);
+    if (!str) {
+        return NULL;
+    }
+    duration = duration_create_from_string(str);
+    free((void*)str);
+    return duration;
+}
+
+
 /**
  * Parse elements from the configuration file.
  *
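Review bot: A malformed MaxZoneTTL is indistinguishable from an absent one: when duration_create_from_string returns NULL, parse_sc_max_zone_ttl returns NULL just as it does for a missing element, so the signer runs with no TTL cap and emits no diagnostic (that the helper returns NULL on bad input is inferred from its use; confirm). Log the failure before freeing the string so a typo in the signconf is not silently ignored, e.g. `if (!duration) { ods_log_error("[%s] unable to parse MaxZoneTTL '%s'", "signconf", str); }` placed between the `duration_create_from_string` call and the `free`, using whatever log level the sibling parse_sc_* helpers use. A short header comment would also help: `/* Parse //Signatures/MaxZoneTTL; returns NULL when absent or unparsable. */`.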

Modified: branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.h
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.h	2012-01-04 15:24:18 UTC (rev 6011)
+++ branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.h	2012-01-04 15:41:36 UTC (rev 6012)
@@ -66,6 +66,7 @@
 duration_type* parse_sc_dnskey_ttl(const char* cfgfile);
 duration_type* parse_sc_soa_ttl(const char* cfgfile);
 duration_type* parse_sc_soa_min(const char* cfgfile);
+duration_type* parse_sc_max_zone_ttl(const char* cfgfile);
 
 /**
  * Parse elements from the configuration file.

Modified: branches/OpenDNSSEC-enforcer-ng/signer/src/signer/denial.c
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/denial.c	2012-01-04 15:24:18 UTC (rev 6011)
+++ branches/OpenDNSSEC-enforcer-ng/signer/src/signer/denial.c	2012-01-04 15:41:36 UTC (rev 6012)
@@ -253,6 +253,8 @@
     ldns_rr* nsec_rr = NULL;
     rr_type* record = NULL;
     zone_type* zone = NULL;
+    uint32_t ttl = 0;
+    uint32_t maxttl = 0;
     ods_log_assert(denial);
     ods_log_assert(nxt);
     zone = (zone_type*) denial->zone;
@@ -272,9 +274,23 @@
             }
         }
         ods_log_assert(denial->rrset);
+        ttl = zone->default_ttl;
+        /* SOA MINIMUM */
+        if (zone->signconf->soa_min) {
+            ttl = (uint32_t) duration2time(zone->signconf->soa_min);
+        }
+        /* MaxZoneTTL */
+/* I think we should not cap ttl for NSEC(3) RRs...
+        if (zone->signconf->max_zone_ttl) {
+            maxttl = (uint32_t) duration2time(zone->signconf->max_zone_ttl);
+            if (maxttl < ttl) {
+                ttl = maxttl;
+            }
+        }
+*/
         /* create new NSEC(3) rr */
-        nsec_rr = denial_create_nsec(denial, nxt, zone->default_ttl,
-            zone->klass, zone->signconf->nsec3params);
+        nsec_rr = denial_create_nsec(denial, nxt, ttl, zone->klass,
+            zone->signconf->nsec3params);
         if (!nsec_rr) {
             ods_log_alert("[%s] unable to nsecify: denial_create_nsec() "
                 "failed", denial_str);

Modified: branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.c
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.c	2012-01-04 15:24:18 UTC (rev 6011)
+++ branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.c	2012-01-04 15:41:36 UTC (rev 6012)
@@ -87,6 +87,7 @@
     sc->soa_min = NULL;
     sc->soa_serial = NULL;
     /* Other useful information */
+    sc->max_zone_ttl = NULL;
     sc->last_modified = 0;
     sc->audit = 0;
     return sc;
@@ -145,6 +146,7 @@
         signconf->soa_min = parse_sc_soa_min(scfile);
         signconf->soa_serial = parse_sc_soa_serial(signconf->allocator,
             scfile);
+        signconf->max_zone_ttl = parse_sc_max_zone_ttl(scfile);
         signconf->audit = parse_sc_audit(scfile);
         ods_fclose(fd);
         return ODS_STATUS_OK;
@@ -615,6 +617,7 @@
     duration_cleanup(sc->dnskey_ttl);
     duration_cleanup(sc->soa_ttl);
     duration_cleanup(sc->soa_min);
+    duration_cleanup(sc->max_zone_ttl);
     keylist_cleanup(sc->keys);
     nsec3params_cleanup(sc->nsec3params);
     allocator = sc->allocator;

Modified: branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.h
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.h	2012-01-04 15:24:18 UTC (rev 6011)
+++ branches/OpenDNSSEC-enforcer-ng/signer/src/signer/signconf.h	2012-01-04 15:41:36 UTC (rev 6012)
@@ -75,6 +75,7 @@
     duration_type* soa_min;
     const char* soa_serial;
     /* Other useful information */
+    duration_type* max_zone_ttl;
     const char* filename;
     time_t last_modified;
     int audit;

Modified: branches/OpenDNSSEC-enforcer-ng/signer/src/signer/zone.c
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/zone.c	2012-01-04 15:24:18 UTC (rev 6011)
+++ branches/OpenDNSSEC-enforcer-ng/signer/src/signer/zone.c	2012-01-04 15:41:36 UTC (rev 6012)
@@ -230,6 +230,7 @@
 {
     hsm_ctx_t* ctx = NULL;
     uint32_t ttl = 0;
+    uint32_t maxttl = 0;
     uint16_t i = 0;
     ods_status status = ODS_STATUS_OK;
     rrset_type* rrset = NULL;
@@ -247,11 +248,18 @@
             "error creating libhsm context", zone_str, zone->name);
         return ODS_STATUS_HSM_ERR;
     }
+    ttl = zone->default_ttl;
     /* dnskey ttl */
-    ttl = zone->default_ttl;
     if (zone->signconf->dnskey_ttl) {
         ttl = (uint32_t) duration2time(zone->signconf->dnskey_ttl);
     }
+    /* MaxZoneTTL */
+    if (zone->signconf->max_zone_ttl) {
+        maxttl = (uint32_t) duration2time(zone->signconf->max_zone_ttl);
+        if (maxttl < ttl) {
+            ttl = maxttl;
+        }
+    }
     /* publish keys */
     for (i=0; i < zone->signconf->keys->count; i++) {
         if (!zone->signconf->keys->keys[i].publish) {
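Review bot: A MaxZoneTTL of zero is treated differently here than in adapi.c: there `if (tmp && tmp < ldns_rr_ttl(rr))` makes zero mean "no cap", whereas this hunk's `if (maxttl < ttl)` caps every published DNSKEY TTL to 0. Pick one semantic and apply it consistently; if zero is to mean disabled, change the condition to `if (maxttl && maxttl < ttl)`. A zero-TTL DNSKEY RRset is especially costly because validators cannot cache it at all and must refetch it for every validation. The enclosing function starts before this hunk and continues past it.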
@@ -267,6 +275,8 @@
                 break;
             }
         }
+        ods_log_debug("[%s] publish %s DNSKEY locator %s", zone_str,
+            zone->name, zone->signconf->keys->keys[i].locator);
         ods_log_assert(zone->signconf->keys->keys[i].dnskey);
         ldns_rr_set_ttl(zone->signconf->keys->keys[i].dnskey, ttl);
         ldns_rr_set_class(zone->signconf->keys->keys[i].dnskey, zone->klass);
@@ -336,6 +346,8 @@
     rr_type* n3prr = NULL;
     ldns_rr* rr = NULL;
     ods_status status = ODS_STATUS_OK;
+    uint32_t ttl = 0;
+    uint32_t maxttl = 0;
 
     if (!zone || !zone->name || !zone->db || !zone->signconf) {
         return ODS_STATUS_ASSERT_ERR;
@@ -355,7 +367,15 @@
             return ODS_STATUS_MALLOC_ERR;
         }
         ldns_rr_set_class(rr, zone->klass);
-        ldns_rr_set_ttl(rr, zone->default_ttl);
+        ttl = zone->default_ttl;
+        /* MaxZoneTTL */
+        if (zone->signconf->max_zone_ttl) {
+            maxttl = (uint32_t) duration2time(zone->signconf->max_zone_ttl);
+            if (maxttl < ttl) {
+                ttl = maxttl;
+            }
+        }
+        ldns_rr_set_ttl(rr, ttl);
         ldns_rr_set_owner(rr, ldns_rdf_clone(zone->apex));
         ldns_nsec3_add_param_rdfs(rr,
             zone->signconf->nsec3params->algorithm, 0,
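Review bot: This is the third copy of the convert-and-compare MaxZoneTTL sequence in this commit (DNSKEY publication earlier in this file, adapi_process_rr, and now the NSEC3PARAM record), each with its own `maxttl` local, and the copies already diverge on whether a zero value disables the cap. Factor the sequence into one file-static helper so the semantic is defined in a single place, and have each call site pass the TTL it computed. The enclosing function begins before this hunk and continues after it.
```c
/* Cap ttl by //Signatures/MaxZoneTTL when configured; 0 or absent leaves ttl unchanged. */
static uint32_t
zone_cap_ttl(zone_type* zone, uint32_t ttl)
{
    uint32_t maxttl = 0;
    if (zone->signconf->max_zone_ttl) {
        maxttl = (uint32_t) duration2time(zone->signconf->max_zone_ttl);
        if (maxttl && maxttl < ttl) {
            ttl = maxttl;
        }
    }
    return ttl;
}
/* … unchanged: NSEC3PARAM rr allocation and class … */
        ldns_rr_set_ttl(rr, zone_cap_ttl(zone, zone->default_ttl));
```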



