574 uint32_t newsigs = 0;
575 uint32_t reusedsigs = 0;
576 ldns_rr* rrsig = NULL;
578 ldns_rr_list* rr_list = NULL;
579 ldns_rr_list* rr_list_clone = NULL;
580 const char* locator = NULL;
581 time_t inception = 0;
582 time_t expiration = 0;
585 ldns_rr_type dstatus = LDNS_RR_TYPE_FIRST;
586 ldns_rr_type delegpt = LDNS_RR_TYPE_FIRST;
587 uint8_t algorithm = 0;
590 ods_log_assert(rrset);
592 ods_log_assert(zone);
595 if (rrset->
rrtype == LDNS_RR_TYPE_NSEC ||
596 rrset->
rrtype == LDNS_RR_TYPE_NSEC3) {
597 dstatus = LDNS_RR_TYPE_SOA;
598 delegpt = LDNS_RR_TYPE_SOA;
606 for(nrrsigs=0; (
signature = collection_iterator(rrset->
rrsigs)); nrrsigs++)
614 int nmatchedsignatures;
619 ods_log_assert(rrset->
rrs);
620 ods_log_assert(rrset->
rrs[0].
rr);
623 if (dstatus != LDNS_RR_TYPE_SOA) {
625 "skip signing occluded RRset", LOG_DEEEBUG);
627 free(matchedsignatures);
628 return ODS_STATUS_OK;
630 if (delegpt != LDNS_RR_TYPE_SOA && rrset->
rrtype != LDNS_RR_TYPE_DS) {
632 "skip signing delegation RRset", LOG_DEEEBUG);
634 free(matchedsignatures);
635 return ODS_STATUS_OK;
639 "sign RRset", LOG_DEEEBUG);
640 ods_log_assert(dstatus == LDNS_RR_TYPE_SOA ||
641 (delegpt == LDNS_RR_TYPE_SOA || rrset->
rrtype == LDNS_RR_TYPE_DS));
643 rr_list = rrset2rrlist(rrset);
644 if (ldns_rr_list_rr_count(rr_list) <= 0) {
646 ldns_rr_list_free(rr_list);
648 free(matchedsignatures);
649 return ODS_STATUS_OK;
652 rr_list_clone = ldns_rr_list_clone(rr_list);
659 uint32_t min_ttl = ldns_rr_ttl(ldns_rr_list_rr(rr_list_clone, 0));
660 for (i = 1; i < ldns_rr_list_rr_count(rr_list_clone); i++) {
661 uint32_t rr_ttl = ldns_rr_ttl(ldns_rr_list_rr(rr_list_clone, i));
662 if (rr_ttl < min_ttl) min_ttl = rr_ttl;
664 for (i = 0; i < ldns_rr_list_rr_count(rr_list_clone); i++) {
665 ldns_rr_set_ttl(ldns_rr_list_rr(rr_list_clone, i), min_ttl);
671 &inception, &expiration);
672 uint32_t refresh = 0;
680 for (
int i = 0; i < nmatchedsignatures; i++) {
683 expiration = ldns_rdf2native_int32(ldns_rr_rrsig_expiration(matchedsignatures[i].
signature->
rr));
684 inception = ldns_rdf2native_int32(ldns_rr_rrsig_inception(matchedsignatures[i].
signature->
rr));
686 if (matchedsignatures[i].
key && matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype != LDNS_RR_TYPE_DNSKEY) {
688 matchedsignatures[i].
key = NULL;
690 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype != LDNS_RR_TYPE_DNSKEY && !matchedsignatures[i].
signature) {
692 matchedsignatures[i].
key = NULL;
693 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype != LDNS_RR_TYPE_DNSKEY && !matchedsignatures[i].
key->
publish) {
694 matchedsignatures[i].
key = NULL;
696 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype == LDNS_RR_TYPE_DNSKEY) {
697 matchedsignatures[i].
key = NULL;
699 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && matchedsignatures[i].
key->
zsk && rrset->
rrtype == LDNS_RR_TYPE_DNSKEY) {
701 matchedsignatures[i].
key = NULL;
703 }
else if (matchedsignatures[i].
key && matchedsignatures[i].
key->
ksk && matchedsignatures[i].
key->
locator == NULL) {
705 matchedsignatures[i].
key = NULL;
706 }
else if (refresh <= (uint32_t) signtime) {
709 }
else if (matchedsignatures[i].
signature && expiration < refresh && matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk) {
712 matchedsignatures[i].
key = NULL;
713 }
else if (matchedsignatures[i].
signature && expiration < refresh) {
716 }
else if (matchedsignatures[i].
signature && inception > (uint32_t) signtime) {
719 }
else if (matchedsignatures[i].
signature && !matchedsignatures[i].
key) {
722 }
else if (dstatus != LDNS_RR_TYPE_SOA || (delegpt != LDNS_RR_TYPE_SOA && rrset->
rrtype != LDNS_RR_TYPE_DS)) {
724 matchedsignatures[i].
key = NULL;
727 ods_log_assert(dstatus == LDNS_RR_TYPE_SOA || (delegpt == LDNS_RR_TYPE_SOA || rrset->
rrtype == LDNS_RR_TYPE_DS));
735 for (
int i = 0; i < nmatchedsignatures; i++) {
736 if (!matchedsignatures[i].
signature && matchedsignatures[i].
key) {
741 for (j = 0; j < nmatchedsignatures; j++) {
748 if (j < nmatchedsignatures) {
749 matchedsignatures[i].
key = NULL;
760 for(i=0; i<nrrsigs; i++) {
761 if(matchedsignatures[i].
signature == NULL) {
762 if (rrsigs[i] != NULL) {
769 for(i=0; i<nrrsigs; i++) {
770 if(matchedsignatures[i].
signature == NULL) {
771 if (rrsigs[i] != NULL) {
774 collection_del_cursor(rrset->
rrsigs);
785 rrset_sigvalid_period(zone->
signconf, rrset->
rrtype, signtime, &inception, &expiration);
787 for (
int i = 0; i < nmatchedsignatures; i++) {
788 if (!matchedsignatures[i].
signature && matchedsignatures[i].
key) {
790 ods_log_deeebug(
"[%s] signing RRset[%i] with key %s", rrset_str,
792 rrsig =
lhsm_sign(ctx, rr_list_clone, matchedsignatures[i].
key,
793 zone->
apex, inception, expiration);
795 ods_log_crit(
"[%s] unable to sign RRset[%i]: lhsm_sign() failed",
796 rrset_str, rrset->
rrtype);
797 free(matchedsignatures);
798 ldns_rr_list_free(rr_list);
799 ldns_rr_list_free(rr_list_clone);
800 return ODS_STATUS_HSM_ERR;
803 locator = strdup(matchedsignatures[i].
key->
locator);
819 ods_log_error(
"[%s] unable to publish dnskeys for zone %s: "
820 "error decoding literal dnskey", rrset_str, zone->
name);
821 ldns_rr_list_deep_free(rr_list_clone);
837 free(matchedsignatures);
838 ldns_rr_list_free(rr_list);
839 ldns_rr_list_deep_free(rr_list_clone);
841 if (rrset->
rrtype == LDNS_RR_TYPE_SOA) {
847 return ODS_STATUS_OK;
ldns_rr_type domain_is_delegpt(domain_type *domain)
ldns_rr_type domain_is_occluded(domain_type *domain)