mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

Output rndc dnssec -status

Browse Source 
Implement the 'rndc dnssec -status' command that will output
some information about the key states, such as which policy is
used for the zone, what keys are in use, and when rollover is
scheduled.

Add loose testing in the kasp system test, the actual times are
already tested via key file inspection.
This commit is contained in:
Matthijs Mekking 2020-06-18 17:07:52 +02:00
parent e1ba1bea7c
commit 19ce9ec1d4
8 changed files with 408 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
bin/named/server.c
View File

@ -14471,8 +14471,14 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
isc_result_t result = ISC_R_SUCCESS; isc_result_t result = ISC_R_SUCCESS;
dns_zone_t *zone = NULL; dns_zone_t *zone = NULL;
dns_kasp_t *kasp = NULL; dns_kasp_t *kasp = NULL;
bool status = false; dns_dnsseckeylist_t keys;
dns_dnsseckey_t *key;
const char *ptr; const char *ptr;
/* variables for -status */
char output[BUFSIZ];
isc_stdtime_t now;
isc_time_t timenow;
const char *dir;
/* Skip the command name. */ /* Skip the command name. */
ptr = next_token(lex, text); ptr = next_token(lex, text);
@ -14486,25 +14492,49 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
return (ISC_R_UNEXPECTEDEND); return (ISC_R_UNEXPECTEDEND);
} }
if (strcasecmp(ptr, "-status") == 0) { if (strcasecmp(ptr, "-status") != 0) {
status = true; return (DNS_R_SYNTAX);
} else {
CHECK(DNS_R_SYNTAX);
} }
ISC_LIST_INIT(keys);
CHECK(zone_from_args(server, lex, NULL, &zone, NULL, text, false)); CHECK(zone_from_args(server, lex, NULL, &zone, NULL, text, false));
if (zone == NULL) { if (zone == NULL) {
CHECK(ISC_R_UNEXPECTEDEND); CHECK(ISC_R_UNEXPECTEDEND);
} }
kasp = dns_zone_getkasp(zone); kasp = dns_zone_getkasp(zone);
if (kasp == NULL) {
if (status) { CHECK(putstr(text, "zone does not have dnssec-policy"));
CHECK(putstr(text, "-status command not implemented"));
CHECK(putnull(text)); CHECK(putnull(text));
goto cleanup;
} }
/* -status */
TIME_NOW(&timenow);
now = isc_time_seconds(&timenow);
dir = dns_zone_getkeydirectory(zone);
LOCK(&kasp->lock);
result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), dir, now,
dns_zone_getmctx(zone), &keys);
UNLOCK(&kasp->lock);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
goto cleanup;
}
LOCK(&kasp->lock);
dns_keymgr_status(kasp, &keys, now, &output[0], sizeof(output));
UNLOCK(&kasp->lock);
CHECK(putstr(text, output));
CHECK(putnull(text));
cleanup: cleanup:
while (!ISC_LIST_EMPTY(keys)) {
key = ISC_LIST_HEAD(keys);
ISC_LIST_UNLINK(keys, key, link);
dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
}
if (zone != NULL) { if (zone != NULL) {
dns_zone_detach(&zone); dns_zone_detach(&zone);
} }

1
bin/tests/system/kasp/clean.sh
View File

@ -24,4 +24,5 @@ rm -f ns*/managed-keys.bind
rm -f ns*/*.mkeys rm -f ns*/*.mkeys
rm -f ns*/zones ns*/*.db.infile rm -f ns*/zones ns*/*.db.infile
rm -f *.created published.test* retired.test* rm -f *.created published.test* retired.test*
rm -f rndc.dnssec.status.out.*
rm -f python.out.* rm -f python.out.*

9
bin/tests/system/kasp/ns4/named.conf.in
View File

@ -11,6 +11,15 @@
// NS4 // NS4
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key "sha1" { key "sha1" {
algorithm "hmac-sha1"; algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";

9
bin/tests/system/kasp/ns5/named.conf.in
View File

@ -11,6 +11,15 @@
// NS5 // NS5
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key "sha1" { key "sha1" {
algorithm "hmac-sha1"; algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";

132
bin/tests/system/kasp/tests.sh
View File

@ -919,6 +919,46 @@ check_keys()
status=$((status+ret)) status=$((status+ret))
} }
# Call rndc dnssec -status on server $1 for zone $2 and check output.
# This is a loose verification, it just tests if the right policy
# name is returned, and if all expected keys are listed. The rndc
# dnssec -status output also lists whether a key is published,
# used for signing, is retired, or is removed, and if not when
# it is scheduled to do so, and it shows the states for the various
# DNSSEC records.
check_dnssecstatus() {
_server=$1
_zone=$2
_view=$3
n=$((n+1))
echo_i "check rndc dnssec -status output for ${_zone} ($n)"
ret=0
rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || log_error "rndc dnssec -status zone ${_zone} failed"
if [ "$POLICY" = "none" ]; then
grep "zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}"
else
grep "dnssec-policy: ${POLICY}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}"
if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY1 ID) from dnssec status"
fi
if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY2 ID) from dnssec status"
fi
if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY3 ID) from dnssec status"
fi
if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY4 ID) from dnssec status"
fi
fi
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
}
# Check if RRset of type $1 in file $2 is signed with the right keys. # Check if RRset of type $1 in file $2 is signed with the right keys.
# The right keys are the ones that expect a signature and matches the role $3. # The right keys are the ones that expect a signature and matches the role $3.
check_signatures() { check_signatures() {
@ -1165,6 +1205,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY1" "STATE_DS" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1206,6 +1247,7 @@ set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3" set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1238,6 +1280,7 @@ set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3" set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1265,6 +1308,7 @@ set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3" set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1390,6 +1434,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1409,6 +1454,7 @@ key_clear "KEY3"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -1432,6 +1478,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY1" "STATE_DS" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1484,6 +1531,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1499,6 +1547,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1514,6 +1563,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy "pregenerated" set_keytimes_algorithm_policy "pregenerated"
check_keytimes check_keytimes
check_apex check_apex
@ -1529,6 +1579,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1546,6 +1597,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy "pregenerated" set_keytimes_algorithm_policy "pregenerated"
check_keytimes check_keytimes
check_apex check_apex
@ -1562,6 +1614,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
# Activation date is a day later. # Activation date is a day later.
set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
@ -1587,6 +1640,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1635,6 +1689,7 @@ set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
# Key timings and states same as above. # Key timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1654,6 +1709,7 @@ set_keyalgorithm "KEY3" "8" "RSASHA256" "2000"
# Key timings and states same as above. # Key timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1673,6 +1729,7 @@ set_keyalgorithm "KEY3" "10" "RSASHA512" "2000"
# Key timings and states same as above. # Key timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1692,6 +1749,7 @@ set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
# Key timings and states same as above. # Key timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1711,6 +1769,7 @@ set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384"
# Key timings and states same as above. # Key timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_algorithm_policy set_keytimes_algorithm_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1787,6 +1846,7 @@ key_clear "KEY3"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy set_keytimes_autosign_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1844,6 +1904,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy set_keytimes_autosign_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1901,6 +1962,7 @@ set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above. # Key properties, timings and states same as above.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy set_keytimes_autosign_policy
check_keytimes check_keytimes
check_apex check_apex
@ -1941,6 +2003,7 @@ set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden" set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_autosign_policy set_keytimes_autosign_policy
# The old ZSK is retired. # The old ZSK is retired.
@ -1995,6 +2058,7 @@ set_policy "none" "0" "0"
set_server "ns2" "10.53.0.2" set_server "ns2" "10.53.0.2"
TSIG="" TSIG=""
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2003,6 +2067,7 @@ set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4" set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1" TSIG="hmac-sha1:sha1:$SHA1"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2011,6 +2076,7 @@ set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4" set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224" TSIG="hmac-sha224:sha224:$SHA224"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2019,6 +2085,7 @@ set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4" set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256" TSIG="hmac-sha256:sha256:$SHA256"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2027,6 +2094,7 @@ set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4" set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256" TSIG="hmac-sha256:sha256:$SHA256"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2035,6 +2103,7 @@ set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5" set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1" TSIG="hmac-sha1:sha1:$SHA1"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2043,6 +2112,7 @@ set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5" set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1" TSIG="hmac-sha1:sha1:$SHA1"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2051,6 +2121,7 @@ set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5" set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224" TSIG="hmac-sha224:sha224:$SHA224"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2059,6 +2130,7 @@ set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5" set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256" TSIG="hmac-sha256:sha256:$SHA256"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2067,6 +2139,7 @@ set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5" set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256" TSIG="hmac-sha256:sha256:$SHA256"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
check_apex check_apex
check_subdomain check_subdomain
@ -2093,6 +2166,7 @@ set_policy "default" "1" "3600"
set_server "ns2" "10.53.0.2" set_server "ns2" "10.53.0.2"
TSIG="" TSIG=""
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2104,6 +2178,7 @@ set_policy "default" "1" "3600"
set_server "ns4" "10.53.0.4" set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1" TSIG="hmac-sha1:sha1:$SHA1"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2115,6 +2190,7 @@ set_policy "default" "1" "3600"
set_server "ns4" "10.53.0.4" set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224" TSIG="hmac-sha224:sha224:$SHA224"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2126,6 +2202,7 @@ set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5" set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1" TSIG="hmac-sha1:sha1:$SHA1"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2137,6 +2214,7 @@ set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5" set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224" TSIG="hmac-sha224:sha224:$SHA224"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2162,6 +2240,7 @@ set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1" TSIG="hmac-sha1:sha1:$SHA1"
wait_for_nsec wait_for_nsec
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2174,6 +2253,7 @@ set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224" TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec wait_for_nsec
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2186,6 +2266,7 @@ set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256" TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec wait_for_nsec
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2198,6 +2279,7 @@ set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224" TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec wait_for_nsec
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2210,6 +2292,7 @@ set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256" TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec wait_for_nsec
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2221,6 +2304,7 @@ set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:keyforview1:$VIEW1" TSIG="hmac-sha1:keyforview1:$VIEW1"
wait_for_nsec wait_for_nsec
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE" "example1"
set_keytimes_csk_policy set_keytimes_csk_policy
check_keytimes check_keytimes
check_apex check_apex
@ -2239,6 +2323,7 @@ status=$((status+ret))
TSIG="hmac-sha1:keyforview2:$VIEW2" TSIG="hmac-sha1:keyforview2:$VIEW2"
wait_for_nsec wait_for_nsec
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE" "example2"
check_apex check_apex
dnssec_verify dnssec_verify
n=$((n+1)) n=$((n+1))
@ -2284,6 +2369,7 @@ key_clear "KEY3"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The first key is immediately published and activated. # The first key is immediately published and activated.
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
@ -2340,6 +2426,7 @@ set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The key was published and activated 900 seconds ago (with settime). # The key was published and activated 900 seconds ago (with settime).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
@ -2368,6 +2455,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "rumoured" set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The key was published and activated 44700 seconds ago (with settime). # The key was published and activated 44700 seconds ago (with settime).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
@ -2395,6 +2483,7 @@ set_server "ns3" "10.53.0.3"
set_keystate "KEY1" "STATE_DS" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The key was published and activated 143100 seconds ago (with settime). # The key was published and activated 143100 seconds ago (with settime).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
@ -2487,6 +2576,7 @@ key_clear "KEY3"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated. # These keys are immediately published and activated.
rollover_predecessor_keytimes 0 rollover_predecessor_keytimes 0
@ -2521,6 +2611,7 @@ set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden" set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 694 hours ago (2498400 seconds). # The old keys were activated 694 hours ago (2498400 seconds).
rollover_predecessor_keytimes -2498400 rollover_predecessor_keytimes -2498400
@ -2558,6 +2649,7 @@ set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are activated 30 days ago (2592000 seconds). # The old keys are activated 30 days ago (2592000 seconds).
rollover_predecessor_keytimes -2592000 rollover_predecessor_keytimes -2592000
@ -2599,6 +2691,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are activated 961 hours ago (3459600 seconds). # The old keys are activated 961 hours ago (3459600 seconds).
rollover_predecessor_keytimes -3459600 rollover_predecessor_keytimes -3459600
@ -2628,6 +2721,7 @@ set_server "ns3" "10.53.0.3"
set_keystate "KEY2" "STATE_DNSKEY" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are activated 962 hours ago (3463200 seconds). # The old keys are activated 962 hours ago (3463200 seconds).
rollover_predecessor_keytimes -3463200 rollover_predecessor_keytimes -3463200
@ -2697,6 +2791,7 @@ key_clear "KEY3"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated. # These keys are immediately published and activated.
rollover_predecessor_keytimes 0 rollover_predecessor_keytimes 0
@ -2733,6 +2828,7 @@ set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden" set_keystate "KEY3" "STATE_DS" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 1413 hours ago (5086800 seconds). # The old keys were activated 1413 hours ago (5086800 seconds).
rollover_predecessor_keytimes -5086800 rollover_predecessor_keytimes -5086800
@ -2776,6 +2872,7 @@ set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY3" "STATE_DS" "rumoured" set_keystate "KEY3" "STATE_DS" "rumoured"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 59 days ago (5097600 seconds). # The old keys were activated 59 days ago (5097600 seconds).
rollover_predecessor_keytimes -5097600 rollover_predecessor_keytimes -5097600
@ -2817,6 +2914,7 @@ set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY3" "STATE_DS" "omnipresent" set_keystate "KEY3" "STATE_DS" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 1490 hours ago (5364000 seconds). # The old keys were activated 1490 hours ago (5364000 seconds).
rollover_predecessor_keytimes -5364000 rollover_predecessor_keytimes -5364000
@ -2849,6 +2947,7 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The old KSK is activated 1492 hours ago (5371200 seconds). # The old KSK is activated 1492 hours ago (5371200 seconds).
rollover_predecessor_keytimes -5371200 rollover_predecessor_keytimes -5371200
@ -2922,6 +3021,7 @@ key_clear "KEY3"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key is immediately published and activated. # This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0 0 csk_rollover_predecessor_keytimes 0 0
@ -2958,6 +3058,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden" set_keystate "KEY2" "STATE_DS" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4437 hours ago (15973200 seconds) # This key was activated 4437 hours ago (15973200 seconds)
# and started signing 4461 hours ago (16059600 seconds). # and started signing 4461 hours ago (16059600 seconds).
@ -3001,6 +3102,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "rumoured" set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 185 days ago (15984000 seconds) # This key was activated 185 days ago (15984000 seconds)
# and started signing 186 days ago (16070400 seconds). # and started signing 186 days ago (16070400 seconds).
@ -3049,6 +3151,7 @@ set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY2" "STATE_DS" "omnipresent" set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4468 hours ago (16084800 seconds) # This key was activated 4468 hours ago (16084800 seconds)
# and started signing 4492 hours ago (16171200 seconds). # and started signing 4492 hours ago (16171200 seconds).
@ -3080,6 +3183,7 @@ set_server "ns3" "10.53.0.3"
set_keystate "KEY1" "STATE_KRRSIG" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4470 hours ago (16092000 seconds) # This key was activated 4470 hours ago (16092000 seconds)
# and started signing 4494 hours ago (16178400 seconds). # and started signing 4494 hours ago (16178400 seconds).
@ -3117,6 +3221,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 5067 hours ago (18241200 seconds) # This key was activated 5067 hours ago (18241200 seconds)
# and started signing 5091 hours ago (18327600 seconds). # and started signing 5091 hours ago (18327600 seconds).
@ -3148,6 +3253,7 @@ set_server "ns3" "10.53.0.3"
set_keystate "KEY1" "STATE_DNSKEY" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 5069 hours ago (18248400 seconds) # This key was activated 5069 hours ago (18248400 seconds)
# and started signing 5093 hours ago (18334800 seconds). # and started signing 5093 hours ago (18334800 seconds).
@ -3214,6 +3320,7 @@ key_clear "KEY3"
key_clear "KEY4" key_clear "KEY4"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key is immediately published and activated. # This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0 0 csk_rollover_predecessor_keytimes 0 0
@ -3250,6 +3357,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden" set_keystate "KEY2" "STATE_DS" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4293 hours ago (15454800 seconds) # This key was activated 4293 hours ago (15454800 seconds)
# and started signing 4461 hours ago (16059600 seconds). # and started signing 4461 hours ago (16059600 seconds).
@ -3292,6 +3400,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "rumoured" set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 179 days ago (15465600 seconds) # This key was activated 179 days ago (15465600 seconds)
# and started signing 186 days ago (16070400 seconds). # and started signing 186 days ago (16070400 seconds).
@ -3337,6 +3446,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4334 hours ago (15602400 seconds) # This key was activated 4334 hours ago (15602400 seconds)
# and started signing 4502 hours ago (16207200 seconds). # and started signing 4502 hours ago (16207200 seconds).
@ -3377,6 +3487,7 @@ set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY2" "STATE_DS" "omnipresent" set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4467 hours ago (16081200 seconds) # This key was activated 4467 hours ago (16081200 seconds)
# and started signing 4635 hours ago (16686000 seconds). # and started signing 4635 hours ago (16686000 seconds).
@ -3409,6 +3520,7 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key was activated 4469 hours ago (16088400 seconds) # This key was activated 4469 hours ago (16088400 seconds)
# and started signing 4637 hours ago (16693200 seconds). # and started signing 4637 hours ago (16693200 seconds).
@ -3469,6 +3581,7 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated. # These keys are immediately published and activated.
Lksk=0 Lksk=0
@ -3510,6 +3623,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent"
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# This key is immediately published and activated. # This key is immediately published and activated.
Lcsk=0 Lcsk=0
@ -3565,6 +3679,7 @@ init_migration_match
# Make sure the zone is signed with legacy keys. # Make sure the zone is signed with legacy keys.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# These keys are immediately published and activated. # These keys are immediately published and activated.
rollover_predecessor_keytimes 0 rollover_predecessor_keytimes 0
@ -3615,6 +3730,7 @@ init_migration_nomatch_algnum
# Make sure the zone is signed with legacy keys. # Make sure the zone is signed with legacy keys.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The KSK is immediately published and activated. # The KSK is immediately published and activated.
# -P : now-3900s # -P : now-3900s
@ -3677,6 +3793,7 @@ init_migration_nomatch_alglen
# Make sure the zone is signed with legacy keys. # Make sure the zone is signed with legacy keys.
check_keys check_keys
check_dnssecstatus "$SERVER" "$ZONE"
# The KSK is immediately published and activated. # The KSK is immediately published and activated.
# -P : now-3900s # -P : now-3900s
@ -3765,6 +3882,7 @@ key_set "KEY2" "LEGACY" "no"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
rollover_predecessor_keytimes 0 rollover_predecessor_keytimes 0
# Key now has lifetime of 60 days (5184000 seconds). # Key now has lifetime of 60 days (5184000 seconds).
@ -3831,6 +3949,7 @@ set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# KSK must be retired since it no longer matches the policy. # KSK must be retired since it no longer matches the policy.
# -P : now-3900s # -P : now-3900s
@ -3947,6 +4066,7 @@ set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# KSK must be retired since it no longer matches the policy. # KSK must be retired since it no longer matches the policy.
# -P : now-3900s # -P : now-3900s
@ -4088,6 +4208,7 @@ set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys are published and activated. # The old keys are published and activated.
rollover_predecessor_keytimes 0 rollover_predecessor_keytimes 0
@ -4167,6 +4288,7 @@ set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated three hours ago (10800 seconds). # The old keys were activated three hours ago (10800 seconds).
rollover_predecessor_keytimes -10800 rollover_predecessor_keytimes -10800
@ -4222,6 +4344,7 @@ set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 9 hours ago (32400 seconds) # The old keys were activated 9 hours ago (32400 seconds)
# and retired 6 hours ago (21600 seconds). # and retired 6 hours ago (21600 seconds).
@ -4279,6 +4402,7 @@ set_keystate "KEY3" "STATE_DS" "omnipresent"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 38 hours ago (136800 seconds) # The old keys were activated 38 hours ago (136800 seconds)
# and retired 35 hours ago (126000 seconds). # and retired 35 hours ago (126000 seconds).
@ -4327,6 +4451,7 @@ set_keystate "KEY2" "STATE_DNSKEY" "hidden"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 40 hours ago (144000 seconds) # The old keys were activated 40 hours ago (144000 seconds)
# and retired 35 hours ago (133200 seconds). # and retired 35 hours ago (133200 seconds).
@ -4378,6 +4503,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 47 hours ago (169200 seconds) # The old keys were activated 47 hours ago (169200 seconds)
# and retired 34 hours ago (158400 seconds). # and retired 34 hours ago (158400 seconds).
@ -4458,6 +4584,7 @@ set_keystate "KEY2" "STATE_DS" "hidden"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# CSK must be retired since it no longer matches the policy. # CSK must be retired since it no longer matches the policy.
csk_rollover_predecessor_keytimes 0 0 csk_rollover_predecessor_keytimes 0 0
@ -4515,6 +4642,7 @@ set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated three hours ago (10800 seconds). # The old key was activated three hours ago (10800 seconds).
csk_rollover_predecessor_keytimes -10800 -10800 csk_rollover_predecessor_keytimes -10800 -10800
@ -4561,6 +4689,7 @@ set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated 9 hours ago (10800 seconds) # The old key was activated 9 hours ago (10800 seconds)
# and retired 6 hours ago (21600 seconds). # and retired 6 hours ago (21600 seconds).
@ -4605,6 +4734,7 @@ set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated 38 hours ago (136800 seconds) # The old key was activated 38 hours ago (136800 seconds)
# and retired 35 hours ago (126000 seconds). # and retired 35 hours ago (126000 seconds).
@ -4642,6 +4772,7 @@ set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old key was activated 40 hours ago (144000 seconds) # The old key was activated 40 hours ago (144000 seconds)
# and retired 37 hours ago (133200 seconds). # and retired 37 hours ago (133200 seconds).
@ -4683,6 +4814,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
check_keys check_keys
wait_for_done_signing wait_for_done_signing
check_dnssecstatus "$SERVER" "$ZONE"
# The old keys were activated 47 hours ago (169200 seconds) # The old keys were activated 47 hours ago (169200 seconds)
# and retired 44 hours ago (158400 seconds). # and retired 44 hours ago (158400 seconds).

17
lib/dns/include/dns/keymgr.h
View File

@ -51,6 +51,23 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
*\li On error, keypool is unchanged *\li On error, keypool is unchanged
*/ */
void
dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
isc_stdtime_t now, char *out, size_t out_len);
/*%<
* Retrieve the status of given 'kasp' policy and keys in the
* 'keyring' and store the printable output in the 'out' buffer.
*
* Requires:
*\li 'kasp' is not NULL.
*\li 'keyring' is not NULL.
*\li 'out' is not NULL.
*
* Returns:
*\li Printable status in 'out'.
*
*/
ISC_LANG_ENDDECLS ISC_LANG_ENDDECLS
#endif /* DNS_KEYMGR_H */ #endif /* DNS_KEYMGR_H */

201
lib/dns/keymgr.c
View File

@ -1841,3 +1841,204 @@ failure:
return (result); return (result);
} }
static void
keytime_status(dst_key_t *key, isc_stdtime_t now, isc_buffer_t *buf,
const char *pre, int ks, int kt) {
char timestr[26]; /* Minimal buf as per ctime_r() spec. */
isc_result_t ret;
isc_stdtime_t when = 0;
dst_key_state_t state;
isc_buffer_printf(buf, "%s", pre);
(void)dst_key_getstate(key, ks, &state);
ret = dst_key_gettime(key, kt, &when);
if (state == RUMOURED || state == OMNIPRESENT) {
isc_buffer_printf(buf, "yes - since ");
} else if (now < when) {
isc_buffer_printf(buf, "no - scheduled ");
} else {
isc_buffer_printf(buf, "no\n");
return;
}
if (ret == ISC_R_SUCCESS) {
isc_stdtime_tostring(when, timestr, sizeof(timestr));
isc_buffer_printf(buf, "%s\n", timestr);
}
}
static void
rollover_status(dns_dnsseckey_t *dkey, dns_kasp_t *kasp, isc_stdtime_t now,
isc_buffer_t *buf, bool zsk) {
char timestr[26]; /* Minimal buf as per ctime_r() spec. */
isc_result_t ret = ISC_R_SUCCESS;
isc_stdtime_t active_time = 0;
dst_key_state_t state = NA, goal = NA;
int rrsig, active, retire;
dst_key_t *key = dkey->key;
if (zsk) {
rrsig = DST_KEY_ZRRSIG;
active = DST_TIME_ACTIVATE;
retire = DST_TIME_INACTIVE;
} else {
rrsig = DST_KEY_KRRSIG;
active = DST_TIME_PUBLISH;
retire = DST_TIME_DELETE;
}
isc_buffer_printf(buf, "\n");
(void)dst_key_getstate(key, DST_KEY_GOAL, &goal);
(void)dst_key_getstate(key, rrsig, &state);
(void)dst_key_gettime(key, active, &active_time);
if (active_time == 0) {
// only interested in keys that were once active.
return;
}
if (goal == HIDDEN && (state == UNRETENTIVE || state == HIDDEN)) {
isc_stdtime_t remove_time = 0;
// is the key removed yet?
state = NA;
(void)dst_key_getstate(key, DST_KEY_DNSKEY, &state);
if (state == RUMOURED || state == OMNIPRESENT) {
ret = dst_key_gettime(key, DST_TIME_DELETE,
&remove_time);
if (ret == ISC_R_SUCCESS) {
isc_buffer_printf(buf, " Key is retired, will "
"be removed on ");
isc_stdtime_tostring(remove_time, timestr,
sizeof(timestr));
isc_buffer_printf(buf, "%s", timestr);
}
} else {
isc_buffer_printf(
buf, " Key has been removed from the zone");
}
} else {
isc_stdtime_t retire_time = 0;
uint32_t lifetime = 0;
(void)dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime);
ret = dst_key_gettime(key, retire, &retire_time);
if (ret == ISC_R_SUCCESS) {
if (now < retire_time) {
if (goal == OMNIPRESENT) {
isc_buffer_printf(buf,
" Next rollover "
"scheduled on ");
retire_time = keymgr_prepublication_time(
dkey, kasp, lifetime, now);
} else {
isc_buffer_printf(
buf, " Key will retire on ");
}
} else {
isc_buffer_printf(buf,
" Rollover is due since ");
}
isc_stdtime_tostring(retire_time, timestr,
sizeof(timestr));
isc_buffer_printf(buf, "%s", timestr);
} else {
isc_buffer_printf(buf, " No rollover scheduled");
}
}
isc_buffer_printf(buf, "\n");
}
static void
keystate_status(dst_key_t *key, isc_buffer_t *buf, const char *pre, int ks) {
dst_key_state_t state = NA;
(void)dst_key_getstate(key, ks, &state);
switch (state) {
case HIDDEN:
isc_buffer_printf(buf, " - %shidden\n", pre);
break;
case RUMOURED:
isc_buffer_printf(buf, " - %srumoured\n", pre);
break;
case OMNIPRESENT:
isc_buffer_printf(buf, " - %somnipresent\n", pre);
break;
case UNRETENTIVE:
isc_buffer_printf(buf, " - %sunretentive\n", pre);
break;
case NA:
default:
/* print nothing */
break;
}
}
void
dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
isc_stdtime_t now, char *out, size_t out_len) {
isc_buffer_t buf;
char timestr[26]; /* Minimal buf as per ctime_r() spec. */
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(keyring != NULL);
REQUIRE(out != NULL);
isc_buffer_init(&buf, out, out_len);
// policy name
isc_buffer_printf(&buf, "dnssec-policy: %s\n", dns_kasp_getname(kasp));
isc_buffer_printf(&buf, "current time: ");
isc_stdtime_tostring(now, timestr, sizeof(timestr));
isc_buffer_printf(&buf, "%s\n", timestr);
for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
dkey = ISC_LIST_NEXT(dkey, link))
{
char algstr[DNS_NAME_FORMATSIZE];
bool ksk = false, zsk = false;
if (dst_key_is_unused(dkey->key)) {
continue;
}
// key data
dst_key_getbool(dkey->key, DST_BOOL_KSK, &ksk);
dst_key_getbool(dkey->key, DST_BOOL_ZSK, &zsk);
dns_secalg_format((dns_secalg_t)dst_key_alg(dkey->key), algstr,
sizeof(algstr));
isc_buffer_printf(&buf, "\nkey: %d (%s), %s\n",
dst_key_id(dkey->key), algstr,
keymgr_keyrole(dkey->key));
// publish status
keytime_status(dkey->key, now, &buf,
" published: ", DST_KEY_DNSKEY,
DST_TIME_PUBLISH);
// signing status
if (ksk) {
keytime_status(dkey->key, now, &buf,
" key signing: ", DST_KEY_KRRSIG,
DST_TIME_PUBLISH);
}
if (zsk) {
keytime_status(dkey->key, now, &buf,
" zone signing: ", DST_KEY_ZRRSIG,
DST_TIME_ACTIVATE);
}
// rollover status
rollover_status(dkey, kasp, now, &buf, zsk);
// key states
keystate_status(dkey->key, &buf,
"goal: ", DST_KEY_GOAL);
keystate_status(dkey->key, &buf,
"dnskey: ", DST_KEY_DNSKEY);
keystate_status(dkey->key, &buf,
"ds: ", DST_KEY_DS);
keystate_status(dkey->key, &buf,
"zone rrsig: ", DST_KEY_ZRRSIG);
keystate_status(dkey->key, &buf,
"key rrsig: ", DST_KEY_KRRSIG);
}
}

1
lib/dns/win32/libdns.def.in
View File

@ -470,6 +470,7 @@ dns_keydata_fromdnskey
dns_keydata_todnskey dns_keydata_todnskey
dns_keyflags_fromtext dns_keyflags_fromtext
dns_keymgr_run dns_keymgr_run
dns_keymgr_status
dns_keynode_dsset dns_keynode_dsset
dns_keynode_initial dns_keynode_initial
dns_keynode_managed dns_keynode_managed