diff options
Diffstat (limited to 'src/knot/dnssec/zone-events.h')
-rw-r--r-- | src/knot/dnssec/zone-events.h | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/src/knot/dnssec/zone-events.h b/src/knot/dnssec/zone-events.h new file mode 100644 index 0000000..d3667f3 --- /dev/null +++ b/src/knot/dnssec/zone-events.h @@ -0,0 +1,134 @@ +/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <time.h> + +#include "knot/zone/zone.h" +#include "knot/updates/changesets.h" +#include "knot/updates/zone-update.h" +#include "knot/dnssec/context.h" + +enum zone_sign_flags { + ZONE_SIGN_NONE = 0, + ZONE_SIGN_DROP_SIGNATURES = (1 << 0), + ZONE_SIGN_KEEP_SERIAL = (1 << 1), +}; + +typedef enum zone_sign_flags zone_sign_flags_t; + +typedef enum { + KEY_ROLL_ALLOW_KSK_ROLL = (1 << 0), + KEY_ROLL_FORCE_KSK_ROLL = (1 << 1), + KEY_ROLL_ALLOW_ZSK_ROLL = (1 << 2), + KEY_ROLL_FORCE_ZSK_ROLL = (1 << 3), + KEY_ROLL_ALLOW_NSEC3RESALT = (1 << 4), + KEY_ROLL_ALLOW_ALL = KEY_ROLL_ALLOW_KSK_ROLL | + KEY_ROLL_ALLOW_ZSK_ROLL | + KEY_ROLL_ALLOW_NSEC3RESALT +} zone_sign_roll_flags_t; + +typedef struct { + knot_time_t next_sign; + knot_time_t next_rollover; + knot_time_t next_nsec3resalt; + knot_time_t last_nsec3resalt; + bool keys_changed; + bool plan_ds_check; +} zone_sign_reschedule_t; + +/*! + * \brief Generate/rollover keys in keystore as needed. + * + * \param kctx Pointers to the keytore, policy, etc. + * \param zone_name Zone name. + * + * \return Error code, KNOT_EOK if successful. + */ +int knot_dnssec_sign_process_events(const kdnssec_ctx_t *kctx, + const knot_dname_t *zone_name); + +/*! + * \brief DNSSEC re-sign zone, store new records into changeset. Valid signatures + * and NSEC(3) records will not be changed. + * + * \param update Zone Update structure with current zone contents to be updated by signing. + * \param conf Knot configuration. + * \param flags Zone signing flags. + * \param roll_flags Key rollover flags. + * \param adjust_now If not zero: adjust "now" to this timestamp. + * \param reschedule Signature refresh time of the oldest signature in zone. + * + * \return Error code, KNOT_EOK if successful. + */ +int knot_dnssec_zone_sign(zone_update_t *update, + conf_t *conf, + zone_sign_flags_t flags, + zone_sign_roll_flags_t roll_flags, + knot_time_t adjust_now, + zone_sign_reschedule_t *reschedule); + +/*! + * \brief Sign changeset (inside incremental Zone Update) created by DDNS or so... + * + * \param update Zone Update structure with current zone contents, changes to be signed and to be updated with signatures. + * \param conf Knot configuration. + * + * \return Error code, KNOT_EOK if successful. + */ +int knot_dnssec_sign_update(zone_update_t *update, conf_t *conf); + +/*! + * \brief Create new NCES3 salt if the old one is too old, and plan next resalt. + * + * For given zone, check NSEC3 salt in KASP db and decide if it shall be recreated + * and tell the user the next time it shall be called. + * + * This function is optimized to be called from NSEC3RESALT_EVENT, + * but also during zone load so that the zone gets loaded already with + * proper DNSSEC chain. + * + * \param ctx zone signing context + * \param soa_rrsigs_ok Zone is signed by current active ZSKs. + * \param salt_changed output if KNOT_EOK: when was the salt last changed? (either ctx->now or 0) + * \param when_resalt output: timestamp when next resalt takes place + * + * \return KNOT_E* + */ +int knot_dnssec_nsec3resalt(kdnssec_ctx_t *ctx, bool soa_rrsigs_ok, + knot_time_t *salt_changed, knot_time_t *when_resalt); + +/*! + * \brief When DNSSEC signing failed, re-plan on this time. + * + * \param ctx zone signing context + * + * \return Timestamp of next signing attempt. + */ +knot_time_t knot_dnssec_failover_delay(const kdnssec_ctx_t *ctx); + +/*! + * \brief Validate zone DNSSEC based on its contents. + * + * \param update Zone update with contents. + * \param conf Knot configuration. + * \param now If not zero: adjust "now" to this timestamp. + * \param incremental Try to validate incrementally. + * + * \return KNOT_E* + */ +int knot_dnssec_validate_zone(zone_update_t *update, conf_t *conf, knot_time_t now, bool incremental); |