
2349. [func] Provide incremental re-signing support for secure

dynamic zones. [RT #1091]
This commit is contained in:
Mark Andrews
2008-04-01 01:37:25 +00:00
parent 28b3569d62
commit a76b380643
29 changed files with 2781 additions and 304 deletions


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: diff.c,v 1.14 2007/06/19 23:47:16 tbox Exp $ */
/* $Id: diff.c,v 1.15 2008/04/01 01:37:24 marka Exp $ */
/*! \file */
@@ -35,6 +35,7 @@
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/result.h>
@@ -192,6 +193,52 @@ dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
ENSURE(*tuplep == NULL);
}
static isc_stdtime_t
setresign(dns_rdataset_t *modified, dns_diffop_t op) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_rrsig_t sig;
isc_stdtime_t when;
unsigned int delta;
isc_result_t result;
result = dns_rdataset_first(modified);
INSIST(result == ISC_R_SUCCESS);
dns_rdataset_current(modified, &rdata);
(void)dns_rdata_tostruct(&rdata, &sig, NULL);
if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
when = 0;
} else {
delta = (sig.timeexpire - sig.timesigned) * 3 / 4;
when = sig.timesigned + delta;
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(modified);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(modified, &rdata);
(void)dns_rdata_tostruct(&rdata, &sig, NULL);
if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
goto next_rr;
}
delta = (sig.timeexpire - sig.timesigned)* 3 / 4;
switch (op) {
case DNS_DIFFOP_ADDRESIGN:
case DNS_DIFFOP_DELRESIGN:
if (when == 0 || sig.timesigned + delta < when)
when = sig.timesigned + delta;
break;
default:
INSIST(0);
}
next_rr:
dns_rdata_reset(&rdata);
result = dns_rdataset_next(modified);
}
INSIST(result == ISC_R_NOMORE);
fprintf(stderr, "setresign %u %u\n", modified->covers, when);
return (when);
}
static isc_result_t
diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
isc_boolean_t warn)
@@ -228,6 +275,9 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
dns_diffop_t op;
dns_rdatalist_t rdl;
dns_rdataset_t rds;
dns_rdataset_t ardataset;
dns_rdataset_t *modified = NULL;
isc_boolean_t offline;
op = t->op;
type = t->rdata.type;
@@ -255,6 +305,7 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
ISC_LIST_INIT(rdl.rdata);
ISC_LINK_INIT(&rdl, link);
offline = ISC_FALSE;
while (t != NULL &&
dns_name_equal(&t->name, name) &&
t->op == op &&
@@ -276,6 +327,10 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
namebuf, typebuf, classbuf,
(unsigned long) t->ttl,
(unsigned long) rdl.ttl);
if (t->rdata.flags &DNS_RDATA_OFFLINE) {
fprintf(stderr, "diff_apply offline\n");
offline = ISC_TRUE;
}
ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
t = ISC_LIST_NEXT(t, link);
}
@@ -285,27 +340,50 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
*/
dns_rdataset_init(&rds);
CHECK(dns_rdatalist_tordataset(&rdl, &rds));
if (rds.type == dns_rdatatype_rrsig)
switch (op) {
case DNS_DIFFOP_ADDRESIGN:
case DNS_DIFFOP_DELRESIGN:
modified = &ardataset;
dns_rdataset_init(modified);
break;
default:
break;
}
rds.trust = dns_trust_ultimate;
/*
* Merge the rdataset into the database.
*/
if (op == DNS_DIFFOP_ADD) {
switch (op) {
case DNS_DIFFOP_ADD:
case DNS_DIFFOP_ADDRESIGN:
result = dns_db_addrdataset(db, node, ver,
0, &rds,
DNS_DBADD_MERGE|
DNS_DBADD_EXACT|
DNS_DBADD_EXACTTTL,
NULL);
} else if (op == DNS_DIFFOP_DEL) {
modified);
break;
case DNS_DIFFOP_DEL:
case DNS_DIFFOP_DELRESIGN:
result = dns_db_subtractrdataset(db, node, ver,
&rds,
DNS_DBSUB_EXACT,
NULL);
} else {
modified);
break;
default:
INSIST(0);
}
if (result == DNS_R_UNCHANGED) {
if (result == ISC_R_SUCCESS) {
if (modified != NULL) {
isc_stdtime_t resign;
resign = setresign(modified, op);
dns_db_setsigningtime(db, modified,
resign);
}
} else if (result == DNS_R_UNCHANGED) {
/*
* This will not happen when executing a
* dynamic update, because that code will
@@ -318,14 +396,21 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"update with no effect");
} else if (result == ISC_R_SUCCESS ||
result == DNS_R_NXRRSET) {
} else if (result == DNS_R_NXRRSET) {
/*
* OK.
*/
} else {
if (modified != NULL &&
dns_rdataset_isassociated(modified))
dns_rdataset_disassociate(modified);
CHECK(result);
}
if (modified != NULL &&
dns_rdataset_isassociated(modified))
dns_rdataset_disassociate(modified);
if (offline)
fprintf(stderr, "end offline\n");
}
dns_db_detachnode(db, &node);
}
@@ -485,6 +570,7 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
dns_difftuple_t *t;
char *mem = NULL;
unsigned int size = 2048;
const char *op = NULL;
REQUIRE(DNS_DIFF_VALID(diff));
@@ -536,15 +622,20 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
buf.used--;
isc_buffer_usedregion(&buf, &r);
switch (t->op) {
case DNS_DIFFOP_EXISTS: op = "exists"; break;
case DNS_DIFFOP_ADD: op = "add"; break;
case DNS_DIFFOP_DEL: op = "del"; break;
case DNS_DIFFOP_ADDRESIGN: op = "add re-sign"; break;
case DNS_DIFFOP_DELRESIGN: op = "del re-sign"; break;
}
if (file != NULL)
fprintf(file, "%s %.*s\n",
t->op == DNS_DIFFOP_ADD ? "add" : "del",
(int) r.length, (char *) r.base);
fprintf(file, "%s %.*s\n", op, (int) r.length,
(char *) r.base);
else
isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
"%s %.*s",
t->op == DNS_DIFFOP_ADD ? "add" : "del",
(int) r.length, (char *) r.base);
"%s %.*s", op, (int) r.length,
(char *) r.base);
}
result = ISC_R_SUCCESS;
cleanup:
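Review bot: The new code writes unconditionally to stderr from library code — `fprintf(stderr, "setresign %u %u\n", modified->covers, when);` at the end of setresign, and `fprintf(stderr, "diff_apply offline\n");` / `fprintf(stderr, "end offline\n");` in diff_apply — which looks like leftover debug instrumentation that will fire on every RRSIG diff applied by a running server. The rest of this file already routes diagnostics through `isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7), ...)`, so these three should either be dropped or changed to that form, e.g. `isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7), "setresign %u %u", modified->covers, when);`. Separately, in dns_diff_print the new `switch (t->op)` has no default, so an unexpected op value leaves `op` NULL and passes it to `%s`; adding `default: INSIST(0);` or `default: op = "unknown"; break;` closes that. setresign also casts away the result of dns_rdata_tostruct for every RR; that is presumably safe for RRSIGs already in the database, but a comment saying so would help the next reader. diff_apply's body starts and ends outside the hunks shown here.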