49 #include <libhsmdns.h> 50 #include <ldns/ldns.h> 66 #define HIDDEN KEY_STATE_STATE_HIDDEN 67 #define RUMOURED KEY_STATE_STATE_RUMOURED 68 #define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT 69 #define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE 70 #define NA KEY_STATE_STATE_NA 72 static const char *module_str =
"enforcer";
75 #define NOKEY_TIMEOUT 60 84 static int max(
int a,
int b) {
return a>b?a:b; }
85 static int min(
int a,
int b) {
return a<b?a:b; }
97 minTime(
const time_t t, time_t* min)
100 if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
113 addtime(
const time_t t,
const int seconds)
115 struct tm *tp = localtime(&t);
117 tp->tm_sec += seconds;
270 match(
key_data_t* key,
struct future_key *future_key,
int same_algorithm,
279 if (!future_key->
key) {
314 exists(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
325 if (!future_key->
key) {
329 for (i = 0; i < keylist_size; i++) {
334 if (match(keylist[i], future_key, same_algorithm, mask) > 0) {
355 if (!successor_key) {
358 if (!predecessor_key) {
366 if (!
key_data_cmp(successor_key, predecessor_key))
return 0;
371 if (getState(successor_key, type, future_key) !=
RUMOURED 425 successor_rec(
key_data_t** keylist,
size_t keylist_size,
427 struct future_key *future_key,
439 if (!successor_key) {
442 if (!predecessor_key) {
448 if (!future_key->
key) {
526 if (!cmp && isPotentialSuccessor(successor_key, predecessor_key, future_key,
type) > 0) {
594 if (successor_rec(keylist, keylist_size, from_key, predecessor_key, future_key,
type, deplist_ext) > 0) {
607 for (i = 0; i < keylist_size; i++) {
615 if (isPotentialSuccessor(successor_key, keylist[i], future_key,
type) > 0) {
625 if (successor_rec(keylist+1, keylist_size-1, successor_key, keylist[i], future_key,
type, deplist_ext) > 0) {
643 key_data_t* predecessor_key,
struct future_key *future_key,
652 if (!successor_key) {
655 if (!predecessor_key) {
661 if (!future_key->
key) {
679 return successor_rec(keylist, keylist_size, successor_key, predecessor_key, future_key,
type, deplist);
689 exists_with_successor(
key_data_t** keylist,
size_t keylist_size,
690 struct future_key *future_key,
int same_algorithm,
709 for (i = 0; i < keylist_size; i++) {
710 if (match(keylist[i], future_key, same_algorithm, successor_mask) < 1) {
714 for (j = 0; j < keylist_size; j++) {
716 || match(keylist[j], future_key, same_algorithm, predecessor_mask) < 1)
721 if (successor(keylist, keylist_size, keylist[i], keylist[j], future_key,
type, deplist) > 0) {
736 unsignedOk(
key_data_t** keylist,
size_t keylist_size,
737 struct future_key *future_key,
749 if (!future_key->
key) {
753 for (i = 0; i < keylist_size; i++) {
759 ? getState(keylist[i], type, future_key)
762 ? getState(keylist[i], type, future_key)
765 ? getState(keylist[i], type, future_key)
768 ? getState(keylist[i], type, future_key)
776 if (cmp_mask[0] ==
HIDDEN || cmp_mask[0] ==
NA) {
782 if (cmp_mask[1] ==
HIDDEN || cmp_mask[1] ==
NA) {
788 if (cmp_mask[2] ==
HIDDEN || cmp_mask[2] ==
NA) {
794 if (cmp_mask[3] ==
HIDDEN || cmp_mask[3] ==
NA) {
803 if (exists(keylist, keylist_size, future_key, 1, cmp_mask) < 1) {
818 rule1(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
838 if (!future_key->
key) {
847 if (exists(keylist, keylist_size, future_key, 0, mask[0]) > 0
848 || exists(keylist, keylist_size, future_key, 0, mask[1]) > 0)
862 rule2(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
876 if (!keylist || !future_key || !future_key->
key) {
885 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
886 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1],
KEY_STATE_TYPE_DS, deplist) > 0
887 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[3],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
888 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[4],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
889 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[3],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
890 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[4],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
891 || unsignedOk(keylist, keylist_size, future_key, mask[7],
KEY_STATE_TYPE_DS) > 0)
905 rule3(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
941 if (!future_key->
key) {
950 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
951 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
952 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3],
KEY_STATE_TYPE_RRSIG, deplist) > 0
967 dnssecApproval(
key_data_t** keylist,
size_t keylist_size,
968 struct future_key* future_key,
int allow_unsigned,
998 || !rule1(keylist, keylist_size, future_key, 0)
999 || rule1(keylist, keylist_size, future_key, 1) > 0)
1000 && (!rule2(keylist, keylist_size, future_key, 0, deplist)
1001 || rule2(keylist, keylist_size, future_key, 1, deplist) > 0)
1002 && (!rule3(keylist, keylist_size, future_key, 0, deplist)
1003 || rule3(keylist, keylist_size, future_key, 1, deplist) > 0))
1039 return addtime(lastchange, ttl
1046 return addtime(lastchange, ttl
1053 return addtime(lastchange, ttl
1073 policyApproval(
key_data_t** keylist,
size_t keylist_size,
1097 if (!keylist || !future_key || !future_key->
key) {
1111 switch (future_key->
type) {
1165 if (exists(keylist, keylist_size, future_key, 1, mask[6]) > 0
1166 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[8], mask[7],
KEY_STATE_TYPE_DS, deplist) > 0
1167 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[11], mask[9],
KEY_STATE_TYPE_DNSKEY, deplist) > 0)
1211 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
1212 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
1213 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3],
KEY_STATE_TYPE_RRSIG, deplist) > 0
1279 return max((
int)difftime(end_date, now), ttl);
1289 isSuccessable(
struct future_key* future_key)
1299 switch (future_key->
type) {
1333 size_t keylist_size,
struct future_key *future_key,
1336 static const char *scmd =
"markSuccessors";
1357 if (isSuccessable(future_key) < 1) {
1361 for (i = 0; i < keylist_size; i++) {
1362 if (isPotentialSuccessor(keylist[i], future_key->
key, future_key, future_key->
type) > 0) {
1363 switch (future_key->
type) {
1391 ods_log_error(
"[%s] %s: unable to create key dependency between %s and %s",
1416 const time_t now,
int allow_unsigned,
int *zone_updated,
1419 time_t returntime_zone = -1;
1421 static const char *scmd =
"updateZone";
1423 unsigned int j, change;
1430 struct future_key future_key;
1433 time_t returntime_key;
1435 int key_data_updated, process, key_state_created;
1436 const db_enum_t* state_enum, *next_state_enum, *type_enum;
1442 return returntime_zone;
1447 return returntime_zone;
1452 return returntime_zone;
1454 if (!zone_updated) {
1456 ods_log_error(
"[%s] %s: no zone_updated", module_str, scmd);
1457 return returntime_zone;
1462 return returntime_zone;
1467 return returntime_zone;
1488 ods_log_error(
"[%s] %s: zone_set_ttl_end_ds() failed", module_str, scmd);
1500 for (i = 0; i < keylist_size; i++) {
1505 if (keylist_size < i) {
1513 ods_log_error(
"[%s] %s: zone_set_ttl_end_dk() failed", module_str, scmd);
1531 ods_log_error(
"[%s] %s: zone_set_ttl_end_rs() failed", module_str, scmd);
1542 for (i = 0; process && i < keylist_size; i++) {
1543 key_state_created = 0;
1554 ods_log_error(
"[%s] %s: key state DS creation failed", module_str, scmd);
1560 key_state_created = 1;
1566 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1585 ods_log_error(
"[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1591 key_state_created = 1;
1597 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1615 ods_log_error(
"[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1621 key_state_created = 1;
1627 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1643 ||
key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIG, now))
1646 ods_log_error(
"[%s] %s: key state RRSIG creation failed", module_str, scmd);
1652 key_state_created = 1;
1658 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1667 if (key_state_created) {
1669 ods_log_error(
"[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1682 for (i = 0; process && i < keylist_size; i++) {
1694 ods_log_error(
"[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1702 if (state == next_state) {
1721 if (type_enum->
value == (
int)type[j]) {
1726 if (state_enum->
value == (
int)state) {
1731 if (next_state_enum->
value == (
int)next_state) {
1735 ods_log_verbose(
"[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1740 next_state_enum->
text);
1742 future_key.
key = keylist[i];
1743 future_key.
type = type[j];
1749 if (policyApproval(keylist, keylist_size, &future_key, deplist) < 1) {
1752 ods_log_verbose(
"[%s] %s Policy says we can (1/3)", module_str, scmd);
1757 if (dnssecApproval(keylist, keylist_size, &future_key, allow_unsigned, deplisttmp) < 1) {
1760 ods_log_verbose(
"[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1762 returntime_key = minTransitionTime(policy, type[j], next_state,
1764 getZoneTTL(policy, zone, type[j], now));
1771 if (type[j] == KEY_STATE_TYPE_RRSIG
1775 returntime_key = addtime(returntime_key,
1786 if (returntime_key > now) {
1787 minTime(returntime_key, &returntime_zone);
1792 module_str, scmd, (
unsigned long)now, (
unsigned long)returntime_key);
1801 ods_log_crit(
"[%s] %s Ready for transition but key material not backed up yet (%s)",
1807 returntime_key = addtime(now, 60);
1808 minTime(returntime_key, &returntime_zone);
1819 key_data_updated = 0;
1836 key_data_updated = 1;
1841 key_data_updated = 1;
1855 key_data_updated = 1;
1865 key_data_updated = 1;
1872 if (key_data_updated) {
1874 ods_log_error(
"[%s] %s: key data update failed", module_str, scmd);
1887 ods_log_error(
"[%s] %s: key data reread failed", module_str, scmd);
1899 switch (future_key.
type) {
1917 ods_log_error(
"[%s] %s: future key type error", module_str, scmd);
1923 if (next_state_enum->
value == (
int)next_state) {
1927 ods_log_verbose(
"[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1932 next_state_enum->
text);
1939 ods_log_error(
"[%s] %s: key state transition failed", module_str, scmd);
1948 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1957 if (markSuccessors(dbconn, keylist, keylist_size, &future_key, deplisttmp, zone) < 0) {
1958 ods_log_error(
"[%s] %s: markSuccessors() error", module_str, scmd);
1968 ods_log_error(
"[%s] %s: Unable to recache key states after transition", module_str, scmd);
1976 }
while (process && change);
1978 return returntime_zone;
1988 const hsm_key_t *hkey, *hkey_young = NULL;
1993 if (!key_list || !pkey)
2019 if (match)
continue;
2041 static const char *scmd =
"existsPolicyForKey";
2045 if (!policykeylist) {
2085 int max_inception = -1;
2087 if (!key_list || !pkey)
return -1;
2114 return max_inception;
2231 zone_t *zone,
const time_t now,
int *allow_unsigned,
int *zone_updated)
2233 time_t return_at = -1;
2243 static const char *scmd =
"updatePolicy";
2266 if (!allow_unsigned) {
2268 ods_log_error(
"[%s] %s: no allow_unsigned", module_str, scmd);
2271 if (!zone_updated) {
2273 ods_log_error(
"[%s] %s: no zone_updated", module_str, scmd);
2285 ods_log_error(
"[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2296 ods_log_error(
"[%s] %s: error zone_get_keys()", module_str, scmd);
2306 ret = existsPolicyForKey(policykeylist, key);
2309 ods_log_error(
"[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2320 ods_log_error(
"[%s] %s: error update mutkey", module_str, scmd);
2336 *allow_unsigned = pkey ? 0 : 1;
2342 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
2355 force_roll = enforce_roll(zone, pkey);
2361 if (!key_for_conf(keylist, pkey)) {
2364 else if (!force_roll) {
2380 inception = last_inception_policy(keylist, pkey);
2381 if (inception != -1 &&
2385 minTime(t_ret, &return_at);
2386 setnextroll(zone, pkey, t_ret);
2408 ods_log_crit(
"[%s] %s: For policy %s %s key lifetime of %d " 2409 "is unreasonably short with respect to sum of parent " 2410 "TTL (%d) and key TTL (%d). Will not insert key!",
2414 setnextroll(zone, pkey, now);
2423 ods_log_crit(
"[%s] %s: For policy %s %s key lifetime of %d " 2424 "is unreasonably short with respect to sum of " 2425 "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2429 setnextroll(zone, pkey, now);
2439 hsmkey = getLastReusableKey(keylist, pkey);
2454 ods_log_warning(
"[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2457 setnextroll(zone, pkey, now);
2537 ods_log_error(
"[%s] %s: error key_data_create()", module_str, scmd);
2548 minTime(t_ret, &return_at);
2549 setnextroll(zone, pkey, t_ret);
2576 ods_log_error(
"[%s] %s: error update mutkey2", module_str, scmd);
2603 if (enforce_roll(zone, pkey)) {
2604 if (set_roll(zone, pkey, 0)) {
2606 ods_log_error(
"[%s] %s: error set_roll()", module_str, scmd);
2624 const int purgetime)
2626 static const char *scmd =
"removeDeadKeys";
2627 time_t first_purge = -1, key_time;
2628 size_t i, deplist2_size = 0;
2629 int key_purgable, cmp;
2640 if (deplist2_size > 0)
2642 for (i = 1; i < deplist2_size; i++)
2645 for (i = 0; i < keylist_size; i++) {
2649 for (j = 0; j<4; j++) {
2665 if (key_time != -1) key_time = addtime(key_time, purgetime);
2668 if (now >= key_time) {
2674 ods_log_info(
"[%s] %s deleting key: %s", module_str, scmd,
2683 ods_log_error(
"[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2690 minTime(key_time, &first_purge);
2694 for (j = 0; j < deplist2_size; j++) {
2695 if (!deplist2[j])
continue;
2698 ods_log_error(
"[%s] %s: cmp deplist from failed", module_str, scmd);
2705 ods_log_error(
"[%s] %s: key_dependency_delete() failed", module_str, scmd);
2711 for (i = 0; i < deplist2_size; i++){
2721 int allow_unsigned = 0;
2722 time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2726 size_t keylist_size, i;
2728 static const char *scmd =
"update";
2729 int key_data_updated;
2747 if (!zone_updated) {
2757 policy_return_time = updatePolicy(engine, dbconn, policy, zone, now, &allow_unsigned, zone_updated);
2759 if (allow_unsigned) {
2760 ods_log_info(
"[%s] No keys configured for %s, zone will become unsigned eventually",
2769 ods_log_error(
"[%s] %s: error zone_get_key_dependencies()", module_str, scmd);
2775 ods_log_error(
"[%s] %s: error zone_get_keys()", module_str, scmd);
2792 ods_log_error(
"[%s] %s: error calloc(keylist_size)", module_str, scmd);
2797 for (i = 0; i < keylist_size; i++) {
2808 ods_log_error(
"[%s] %s: error key_data_list cache", module_str, scmd);
2809 for (i = 0; i < keylist_size; i++) {
2826 zone_return_time = updateZone(dbconn, policy, zone, now, allow_unsigned, zone_updated,
2827 keylist, keylist_size, deplist);
2833 purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2842 for (i = 0; i < keylist_size; i++) {
2843 key_data_updated = 0;
2849 key_data_updated = 1;
2863 key_data_updated = 1;
2880 key_data_updated = 1;
2897 key_data_updated = 1;
2901 if (key_data_updated) {
2913 for (i = 0; i < keylist_size; i++) {
2921 return_time = zone_return_time;
2922 minTime(policy_return_time, &return_time);
2923 minTime(purge_return_time, &return_time);
const char * key_data_role_text(const key_data_t *key_data)
const char * key_state_state_text(const key_state_t *key_state)
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
int key_data_set_inception(key_data_t *key_data, unsigned int inception)
int key_data_get_by_id(key_data_t *key_data, const db_value_t *id)
int key_state_set_ttl(key_state_t *key_state, unsigned int ttl)
int key_dependency_delete(key_dependency_t *key_dependency)
int key_state_delete(key_state_t *key_state)
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
int zone_set_roll_csk_now(zone_t *zone, unsigned int roll_csk_now)
unsigned int next_zsk_roll
int zone_set_ttl_end_dk(zone_t *zone, unsigned int ttl_end_dk)
unsigned int zone_roll_zsk_now(const zone_t *zone)
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
unsigned int policy_parent_registration_delay(const policy_t *policy)
unsigned int key_data_publish(const key_data_t *key_data)
const char * key_state_type_text(const key_state_t *key_state)
key_state_t * key_data_get_cached_rrsig(key_data_t *key_data)
const char * policy_name(const policy_t *policy)
unsigned int key_data_active_zsk(const key_data_t *key_data)
int zone_set_roll_zsk_now(zone_t *zone, unsigned int roll_zsk_now)
unsigned int policy_signatures_max_zone_ttl(const policy_t *policy)
int zone_set_ttl_end_ds(zone_t *zone, unsigned int ttl_end_ds)
int key_data_cmp(const key_data_t *key_data_a, const key_data_t *key_data_b)
enum key_state_state key_state_state_t
enum key_data_role key_data_role_t
void ods_log_info(const char *format,...)
unsigned int policy_signatures_refresh(const policy_t *policy)
const db_value_t * key_data_id(const key_data_t *key_data)
unsigned int zone_ttl_end_rs(const zone_t *zone)
key_data_list_t * zone_get_keys(const zone_t *zone)
const hsm_key_t * key_data_cached_hsm_key(const key_data_t *key_data)
unsigned int policy_signatures_validity_default(const policy_t *policy)
size_t key_data_list_size(key_data_list_t *key_data_list)
unsigned int policy_parent_propagation_delay(const policy_t *policy)
int zone_set_signconf_needs_writing(zone_t *zone, unsigned int signconf_needs_writing)
void ods_log_error(const char *format,...)
int key_state_set_key_data_id(key_state_t *key_state, const db_value_t *key_data_id)
unsigned int zone_roll_csk_now(const zone_t *zone)
int key_dependency_set_zone_id(key_dependency_t *key_dependency, const db_value_t *zone_id)
int key_state_set_minimize(key_state_t *key_state, unsigned int minimize)
key_dependency_list_t * zone_get_key_dependencies(const zone_t *zone)
const db_enum_t key_state_enum_set_type[]
int key_data_set_role(key_data_t *key_data, key_data_role_t role)
unsigned int policy_signatures_validity_denial(const policy_t *policy)
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
unsigned int policy_signatures_jitter(const policy_t *policy)
const char * hsm_key_repository(const hsm_key_t *hsm_key)
time_t update(engine_type *engine, db_connection_t *dbconn, zone_t *zone, policy_t *policy, time_t now, int *zone_updated)
unsigned int next_csk_roll
int key_data_create(key_data_t *key_data)
int key_data_set_hsm_key_id(key_data_t *key_data, const db_value_t *hsm_key_id)
unsigned int key_data_introducing(const key_data_t *key_data)
const db_value_t * key_dependency_to_key_data_id(const key_dependency_t *key_dependency)
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
unsigned int policy_zone_propagation_delay(const policy_t *policy)
int key_state_set_type(key_state_t *key_state, key_state_type_t type)
int key_state_update(key_state_t *key_state)
size_t policy_key_list_size(policy_key_list_t *policy_key_list)
int key_dependency_set_type(key_dependency_t *key_dependency, key_dependency_type_t type)
void ods_log_crit(const char *format,...)
unsigned int key_state_minimize(const key_state_t *key_state)
const key_state_t * key_data_cached_rrsigdnskey(key_data_t *key_data)
key_dependency_t * key_dependency_new(const db_connection_t *connection)
int db_value_cmp(const db_value_t *value_a, const db_value_t *value_b, int *result)
void key_dependency_list_free(key_dependency_list_t *key_dependency_list)
unsigned int zone_ttl_end_dk(const zone_t *zone)
unsigned int key_data_inception(const key_data_t *key_data)
int key_state_set_state(key_state_t *key_state, key_state_state_t state)
const char * policy_key_repository(const policy_key_t *policy_key)
const key_dependency_t * key_dependency_list_next(key_dependency_list_t *key_dependency_list)
unsigned int policy_zone_soa_ttl(const policy_t *policy)
unsigned int zone_roll_ksk_now(const zone_t *zone)
void key_state_free(key_state_t *key_state)
int zone_set_ttl_end_rs(zone_t *zone, unsigned int ttl_end_rs)
unsigned int hsm_key_inception(const hsm_key_t *hsm_key)
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
key_data_t * key_data_new(const db_connection_t *connection)
const key_data_t * key_data_list_begin(key_data_list_t *key_data_list)
void key_dependency_free(key_dependency_t *key_dependency)
unsigned int policy_keys_publish_safety(const policy_t *policy)
int zone_set_roll_ksk_now(zone_t *zone, unsigned int roll_ksk_now)
policy_key_list_t * policy_get_policy_keys(const policy_t *policy)
const db_value_t * key_dependency_from_key_data_id(const key_dependency_t *key_dependency)
unsigned int zone_signconf_needs_writing(const zone_t *zone)
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
int key_data_set_publish(key_data_t *key_data, unsigned int publish)
int key_data_cache_key_states(key_data_t *key_data)
hsm_key_t * hsm_key_list_get_begin(hsm_key_list_t *hsm_key_list)
const db_enum_t key_state_enum_set_state[]
unsigned int key_state_last_change(const key_state_t *key_state)
const char * hsm_key_locator(const hsm_key_t *hsm_key)
int key_dependency_set_from_key_data_id(key_dependency_t *key_dependency, const db_value_t *from_key_data_id)
unsigned int policy_parent_ds_ttl(const policy_t *policy)
unsigned int policy_key_minimize(const policy_key_t *policy_key)
const char * zone_name(const zone_t *zone)
unsigned int policy_denial_ttl(const policy_t *policy)
size_t key_dependency_list_size(key_dependency_list_t *key_dependency_list)
const key_state_t * key_data_cached_rrsig(key_data_t *key_data)
key_state_t * key_state_new(const db_connection_t *connection)
key_dependency_t * key_dependency_list_get_next(key_dependency_list_t *key_dependency_list)
key_state_t * key_data_get_cached_rrsigdnskey(key_data_t *key_data)
const char * policy_key_role_text(const policy_key_t *policy_key)
unsigned int policy_keys_retire_safety(const policy_t *policy)
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
int key_data_set_zone_id(key_data_t *key_data, const db_value_t *zone_id)
int key_dependency_create(key_dependency_t *key_dependency)
key_state_t * key_data_get_cached_ds(key_data_t *key_data)
void ods_log_verbose(const char *format,...)
unsigned int policy_key_manual_rollover(const policy_key_t *policy_key)
int key_state_set_last_change(key_state_t *key_state, unsigned int last_change)
const key_state_t * key_data_cached_ds(key_data_t *key_data)
int key_data_cache_hsm_key(key_data_t *key_data)
void key_data_list_free(key_data_list_t *key_data_list)
int key_state_create(key_state_t *key_state)
key_dependency_t * key_dependency_list_get_begin(key_dependency_list_t *key_dependency_list)
const db_value_t * key_data_hsm_key_id(const key_data_t *key_data)
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
unsigned int key_data_minimize(const key_data_t *key_data)
int key_data_set_active_ksk(key_data_t *key_data, unsigned int active_ksk)
void key_data_free(key_data_t *key_data)
const key_dependency_t * key_dependency_list_begin(key_dependency_list_t *key_dependency_list)
const db_value_t * zone_id(const zone_t *zone)
unsigned int hsm_key_algorithm(const hsm_key_t *hsm_key)
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
hsm_key_list_t * hsm_key_list_new_get_by_policy_key(const policy_key_t *pkey)
void hsm_key_free(hsm_key_t *hsm_key)
key_data_t * key_data_new_copy(const key_data_t *key_data)
unsigned int key_data_active_ksk(const key_data_t *key_data)
key_state_state_t next_state
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
int key_data_set_introducing(key_data_t *key_data, unsigned int introducing)
unsigned int key_data_algorithm(const key_data_t *key_data)
int key_data_update(key_data_t *key_data)
enum key_state_type key_state_type_t
unsigned int next_ksk_roll
int key_data_set_keytag(key_data_t *key_data, unsigned int keytag)
int key_data_set_active_zsk(key_data_t *key_data, unsigned int active_zsk)
key_dependency_list_t * key_dependency_list_new_copy(const key_dependency_list_t *from_key_dependency_list)
int key_dependency_set_to_key_data_id(key_dependency_t *key_dependency, const db_value_t *to_key_data_id)
unsigned int policy_keys_shared(const policy_t *policy)
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
unsigned int policy_key_bits(const policy_key_t *policy_key)
void policy_key_list_free(policy_key_list_t *policy_key_list)
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
unsigned int hsm_key_bits(const hsm_key_t *hsm_key)
enum key_dependency_type key_dependency_type_t
int key_data_delete(key_data_t *key_data)
const policy_key_t * policy_key_list_begin(policy_key_list_t *policy_key_list)
key_data_t * key_dependency_get_from_key_data(const key_dependency_t *key_dependency)
void ods_log_warning(const char *format,...)
unsigned int policy_zone_soa_minimum(const policy_t *policy)
int key_data_set_algorithm(key_data_t *key_data, unsigned int algorithm)
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
unsigned int policy_keys_purge_after(const policy_t *policy)
unsigned int zone_ttl_end_ds(const zone_t *zone)
unsigned int policy_keys_ttl(const policy_t *policy)
key_state_t * key_data_get_cached_dnskey(key_data_t *key_data)
int key_data_set_minimize(key_data_t *key_data, unsigned int minimize)
unsigned int policy_signatures_resign(const policy_t *policy)
key_data_t * key_data_list_get_begin(key_data_list_t *key_data_list)