/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#pragma once

/*! \file dns/keymgr.h */

#include <isc/lang.h>
#include <isc/stdtime.h>

#include <dns/types.h>

#include <dst/dst.h>

ISC_LANG_BEGINDECLS

isc_result_t
dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
	       const char *directory, isc_mem_t *mctx,
	       dns_dnsseckeylist_t *keyring, dns_dnsseckeylist_t *dnskeys,
	       dns_kasp_t *kasp, isc_stdtime_t now, isc_stdtime_t *nexttime);
/*%<
 * Manage keys in 'keyring' and update timing data according to 'kasp' policy,
 * evaluated at time 'now'.  Create new keys for 'origin' (class 'rdclass') if
 * necessary in 'directory'.  Append all such keys, along with use hints
 * gleaned from their metadata, onto 'keyring'.
 *
 * Update key states and store changes back to disk. Store when to run next
 * in 'nexttime'.
 *
 * NOTE(review): 'dnskeys' and 'directory' are not described in this header.
 * 'directory' is presumably where new key files and key state files are
 * written (the caller is responsible for its ownership and permissions, since
 * private key material ends up there), and 'dnskeys' presumably holds the
 * keys already present in the zone's DNSKEY RRset -- confirm in keymgr.c.
 *
 *	Requires:
 *\li		'origin' is a valid FQDN.
 *\li		'mctx' is a valid memory context.
 *\li		'keyring' is not NULL.
 *\li		'kasp' is not NULL.
 *
 *	Returns:
 *\li		#ISC_R_SUCCESS
 *\li		any error returned by dst_key_generate(), isc_dir_open(),
 *		dst_key_to_file(), or dns_dnsseckey_create().
 *
 *	Ensures:
 *\li		On error, 'keyring' is unchanged.  (Earlier versions of this
 *		comment called it 'keypool', which is not a parameter of this
 *		function.)
 */

isc_result_t
dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
		   const char *directory, isc_stdtime_t now, isc_stdtime_t when,
		   bool dspublish);
/*%<
 * Presumably the same operation as dns_keymgr_checkds_id() below without a
 * keytag/algorithm restriction, so that 'keyring' must hold exactly one
 * matching KSK for the call to succeed -- confirm in keymgr.c.
 */
isc_result_t
dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
		      const char *directory, isc_stdtime_t now,
		      isc_stdtime_t when, bool dspublish, dns_keytag_t id,
		      unsigned int algorithm);
/*%<
 * Check DS for one key in 'keyring'. The key must have the KSK role.
 * If 'dspublish' is set to true, set the DS Publish time to 'now'.
 * If 'dspublish' is set to false, set the DS Removed time to 'now'.
 * If a specific key 'id' is given it must match the keytag.
 * If the 'algorithm' is non-zero, it must match the key's algorithm.
 * The result is stored in the key state file.
 *
 * NOTE(review): the 'when' argument is not described above.  Since both
 * 'now' and 'when' are passed, the timestamp recorded is presumably 'when'
 * (with 'now' used for evaluating the current key state) rather than 'now'
 * as the text says -- confirm in keymgr.c and fix whichever is wrong.
 *
 * NOTE(review): nothing in this header indicates that the parent zone is
 * queried; this call appears to record the caller's assertion that the DS
 * has been published (or withdrawn) in the parent.  Callers should only
 * make that assertion after verifying it out-of-band, since it drives the
 * subsequent KSK rollover timing.
 *
 * 'directory' is presumably where the key state file is written -- confirm.
 *
 *	Requires:
 *\li		'kasp' is not NULL.
 *\li		'keyring' is not NULL.
 *
 *	Returns:
 *\li		#ISC_R_SUCCESS (No error).
 *\li		#DNS_R_NOKEYMATCH (No matching keys found).
 *\li		#DNS_R_TOOMANYKEYS (More than one matching keys found).
 *
 */

isc_result_t
dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
		    const char *directory, isc_stdtime_t now,
		    isc_stdtime_t when, dns_keytag_t id,
		    unsigned int algorithm);
/*%<
 * Rollover key with given 'id'. If the 'algorithm' is non-zero, it must
 * match the key's algorithm (an 'algorithm' of zero matches any algorithm,
 * so a keytag that collides across algorithms yields #DNS_R_TOOMANYKEYS).
 * The changes are stored in the key state file.
 *
 * A rollover means adjusting the key metadata so that keymgr will start the
 * actual rollover on the next run. Update the 'inactive' time and adjust
 * key lifetime to match the 'when' to rollover time.
 *
 * The 'when' time may be in the past. In that case keymgr will roll the
 * key as soon as possible.
 *
 * The 'when' time may be in the future. This may extend the lifetime,
 * overriding the default lifetime from the policy.  Callers should treat
 * this as a deliberate policy override: a far-future 'when' keeps the key
 * in use longer than 'kasp' would otherwise allow.
 *
 * 'now' is presumably the reference time for judging whether the key is
 * active, and 'directory' where the key state file is written -- confirm
 * in keymgr.c.
 *
 *	Requires:
 *\li		'kasp' is not NULL.
 *\li		'keyring' is not NULL.
 *
 *	Returns:
 *\li		#ISC_R_SUCCESS (No error).
 *\li		#DNS_R_NOKEYMATCH (No matching keys found).
 *\li		#DNS_R_TOOMANYKEYS (More than one matching keys found).
 *\li		#DNS_R_KEYNOTACTIVE (Key is not active).
 *
 */

void
dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
		  isc_stdtime_t now, char *out, size_t out_len);
/*%<
 * Retrieve the status of given 'kasp' policy and keys in the
 * 'keyring', as of time 'now', and store the printable output in the
 * 'out' buffer.  'out_len' is the size of 'out' in bytes.
 *
 * NOTE(review): this header does not say whether the output is always
 * NUL-terminated or what happens when the status does not fit in
 * 'out_len' bytes; callers should size 'out' generously and confirm the
 * truncation behaviour in keymgr.c before relying on it.
 *
 *	Requires:
 *\li		'kasp' is not NULL.
 *\li		'keyring' is not NULL.
 *\li		'out' is not NULL.
 *
 *	Returns:
 *\li		Printable status in 'out'.
 *
 */

ISC_LANG_ENDDECLS