/* Module tag passed as the "[%s]" prefix of every signconf ods_log_* message. */
static const char* sc_str =
"signconf";
59 ods_log_error(
"[%s] unable to create: create allocator failed",
67 ods_log_error(
"[%s] unable to create: allocator failed", sc_str);
108 const char* rngfile = ODS_SE_RNGDIR
"/signconf.rng";
118 ods_log_error(
"[%s] unable to parse file %s: %s", sc_str, scfile,
133 if (signconf->
nsec_type == LDNS_RR_TYPE_NSEC3) {
150 ods_log_error(
"[%s] unable to read signconf file %s", sc_str, scfile);
161 time_t last_modified)
180 if (st_mtime <= last_modified) {
182 "mem %u)", sc_str, scfile, (
unsigned) st_mtime,
183 (
unsigned) last_modified);
193 status = signconf_read(new_sc, scfile);
197 ods_log_error(
"[%s] signconf %s has errors", sc_str, scfile);
203 ods_log_error(
"[%s] unable to read file %s: %s", sc_str, scfile,
219 const char* zonename = NULL;
259 ods_log_error(
"[%s] unable to recover signconf backup file %s: corrupt "
260 "backup file ", sc_str, filename?filename:
"(null)");
266 free((
void*) zonename);
272 ods_log_debug(
"[%s] unable to recover signconf backup file %s", sc_str,
273 filename?filename:
"(null)");
283 signconf_backup_duration(FILE* fd,
const char* opt,
duration_type* duration)
286 fprintf(fd,
"%s %s ", opt, str);
306 fprintf(fd,
";;Signconf: lastmod %u ", (
unsigned) sc->
last_modified);
311 signconf_backup_duration(fd,
"jitter", sc->
sig_jitter);
313 fprintf(fd,
"nsec %u ", (
unsigned) sc->
nsec_type);
314 signconf_backup_duration(fd,
"dnskeyttl", sc->
dnskey_ttl);
315 signconf_backup_duration(fd,
"soattl", sc->
soa_ttl);
316 signconf_backup_duration(fd,
"soamin", sc->
soa_min);
318 fprintf(fd,
"audit %i\n", sc->
audit);
328 signconf_soa_serial_check(
const char* serial) {
333 if (strlen(serial) == 4 && strncmp(serial,
"keep", 4) == 0) {
336 if (strlen(serial) == 7 && strncmp(serial,
"counter", 7) == 0) {
339 if (strlen(serial) == 8 && strncmp(serial,
"unixtime", 8) == 0) {
342 if (strlen(serial) == 11 && strncmp(serial,
"datecounter", 11) == 0) {
358 ods_log_error(
"[%s] check failed: no signature resign interval found",
363 ods_log_error(
"[%s] check failed: no signature resign interval found",
368 ods_log_error(
"[%s] check failed: no signature default validity found",
373 ods_log_error(
"[%s] check failed: no signature denial validity found",
378 ods_log_error(
"[%s] check failed: no signature jitter found", sc_str);
382 ods_log_error(
"[%s] check failed: no signature inception offset found",
386 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
395 }
else if (sc->
nsec_type != LDNS_RR_TYPE_NSEC) {
396 ods_log_error(
"[%s] check failed: wrong nsec type %i", sc_str,
405 ods_log_error(
"[%s] check failed: no dnskey ttl found", sc_str);
409 ods_log_error(
"[%s] check failed: no soa ttl found", sc_str);
413 ods_log_error(
"[%s] check failed: no soa minimum found", sc_str);
417 ods_log_error(
"[%s] check failed: no soa serial type found", sc_str);
419 }
else if (signconf_soa_serial_check(sc->
soa_serial) != 0) {
420 ods_log_error(
"[%s] check failed: wrong soa serial type %s", sc_str,
447 }
else if (a->
nsec_type == LDNS_RR_TYPE_NSEC3) {
485 while (walk && walk->
locator) {
505 }
else if (walk->
ksk != kb->
ksk) {
507 }
else if (walk->
zsk != kb->
zsk) {
517 if (del && walk->
dnskey) {
518 if (!ldns_rr_list_push_rr(del, walk->
dnskey)) {
626 fprintf(out,
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
629 fprintf(out,
"<SignerConfiguration>\n");
630 fprintf(out,
"\t<Zone name=\"%s\">\n", name?name:
"(null)");
633 fprintf(out,
"\t\t<Signatures>\n");
635 fprintf(out,
"\t\t\t<Resign>%s</Resign>\n", s?s:
"(null)");
639 fprintf(out,
"\t\t\t<Refresh>%s</Refresh>\n", s?s:
"(null)");
642 fprintf(out,
"\t\t\t<Validity>\n");
645 fprintf(out,
"\t\t\t\t<Default>%s</Default>\n", s?s:
"(null)");
649 fprintf(out,
"\t\t\t\t<Denial>%s</Denial>\n", s?s:
"(null)");
652 fprintf(out,
"\t\t\t</Validity>\n");
655 fprintf(out,
"\t\t\t<Jitter>%s</Jitter>\n", s?s:
"(null)");
659 fprintf(out,
"\t\t\t<InceptionOffset>%s</InceptionOffset>\n",
663 fprintf(out,
"\t\t</Signatures>\n");
667 fprintf(out,
"\t\t<Denial>\n");
668 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC) {
669 fprintf(out,
"\t\t\t<NSEC />\n");
670 }
else if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
671 fprintf(out,
"\t\t\t<NSEC3>\n");
673 fprintf(out,
"\t\t\t\t<OptOut />\n");
675 fprintf(out,
"\t\t\t\t<Hash>\n");
676 fprintf(out,
"\t\t\t\t\t<Algorithm>%i</Algorithm>\n",
678 fprintf(out,
"\t\t\t\t\t<Iterations>%i</Iterations>\n",
680 fprintf(out,
"\t\t\t\t\t<Salt>%s</Salt>\n",
682 fprintf(out,
"\t\t\t\t</Hash>\n");
683 fprintf(out,
"\t\t\t</NSEC3>\n");
685 fprintf(out,
"\t\t</Denial>\n");
689 fprintf(out,
"\t\t<Keys>\n");
691 fprintf(out,
"\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
695 fprintf(out,
"\t\t</Keys>\n");
699 fprintf(out,
"\t\t<SOA>\n");
701 fprintf(out,
"\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
705 fprintf(out,
"\t\t\t<Minimum>%s</Minimum>\n", s?s:
"(null)");
708 fprintf(out,
"\t\t\t<Serial>%s</Serial>\n",
710 fprintf(out,
"\t\t</SOA>\n");
715 fprintf(out,
"\t\t<Audit />\n");
719 fprintf(out,
"\t</Zone>\n");
720 fprintf(out,
"</SignerConfiguration>\n");
734 char* refresh = NULL;
735 char* validity = NULL;
739 char* dnskeyttl = NULL;
754 ods_log_info(
"[%s] zone %s signconf: RESIGN[%s] REFRESH[%s] "
755 "VALIDITY[%s] DENIAL[%s] JITTER[%s] OFFSET[%s] NSEC[%i] "
756 "DNSKEYTTL[%s] SOATTL[%s] MINIMUM[%s] SERIAL[%s] AUDIT[%i]",
757 sc_str, name?name:
"(null)", resign, refresh, validity, denial,
758 jitter, offset, (
int) sc->
nsec_type, dnskeyttl, soattl,
762 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
763 ods_log_info(
"[%s] zone %s nsec3: OPTOUT[%i] ALGORITHM[%u] "
764 "ITERATIONS[%u] SALT[%s]", sc_str, name, sc->
nsec3_optout,
773 free((
void*)refresh);
774 free((
void*)validity);
778 free((
void*)dnskeyttl);