49 #include <libhsmdns.h> 50 #include <ldns/ldns.h> 66 #define HIDDEN KEY_STATE_STATE_HIDDEN 67 #define RUMOURED KEY_STATE_STATE_RUMOURED 68 #define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT 69 #define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE 70 #define NA KEY_STATE_STATE_NA 72 static const char *module_str =
"enforcer";
75 #define NOKEY_TIMEOUT 60 84 static int max(
int a,
int b) {
return a>b?a:b; }
85 static int min(
int a,
int b) {
return a<b?a:b; }
97 minTime(
const time_t t, time_t* min)
100 if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
113 addtime(
const time_t t,
const int seconds)
115 struct tm *tp = localtime(&t);
117 tp->tm_sec += seconds;
270 match(
key_data_t* key,
struct future_key *future_key,
int same_algorithm,
279 if (!future_key->
key) {
314 exists(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
325 if (!future_key->
key) {
329 for (i = 0; i < keylist_size; i++) {
334 if (match(keylist[i], future_key, same_algorithm, mask) > 0) {
355 if (!successor_key) {
358 if (!predecessor_key) {
366 if (!
key_data_cmp(successor_key, predecessor_key))
return 0;
371 if (getState(successor_key, type, future_key) !=
RUMOURED 425 successor_rec(
key_data_t** keylist,
size_t keylist_size,
427 struct future_key *future_key,
439 if (!successor_key) {
442 if (!predecessor_key) {
448 if (!future_key->
key) {
526 if (!cmp && isPotentialSuccessor(successor_key, predecessor_key, future_key,
type) > 0) {
594 if (successor_rec(keylist, keylist_size, from_key, predecessor_key, future_key,
type, deplist_ext) > 0) {
607 for (i = 0; i < keylist_size; i++) {
615 if (isPotentialSuccessor(successor_key, keylist[i], future_key,
type) > 0) {
625 if (successor_rec(keylist, keylist_size, successor_key, keylist[i], future_key,
type, deplist_ext) > 0) {
643 key_data_t* predecessor_key,
struct future_key *future_key,
652 if (!successor_key) {
655 if (!predecessor_key) {
661 if (!future_key->
key) {
680 return successor_rec(keylist, keylist_size, successor_key, predecessor_key, future_key,
type, deplist);
690 exists_with_successor(
key_data_t** keylist,
size_t keylist_size,
691 struct future_key *future_key,
int same_algorithm,
710 for (i = 0; i < keylist_size; i++) {
711 if (match(keylist[i], future_key, same_algorithm, successor_mask) < 1) {
715 for (j = 0; j < keylist_size; j++) {
717 || match(keylist[j], future_key, same_algorithm, predecessor_mask) < 1)
722 if (successor(keylist, keylist_size, keylist[i], keylist[j], future_key,
type, deplist) > 0) {
737 unsignedOk(
key_data_t** keylist,
size_t keylist_size,
738 struct future_key *future_key,
750 if (!future_key->
key) {
754 for (i = 0; i < keylist_size; i++) {
760 ? getState(keylist[i], type, future_key)
763 ? getState(keylist[i], type, future_key)
766 ? getState(keylist[i], type, future_key)
769 ? getState(keylist[i], type, future_key)
777 if (cmp_mask[0] ==
HIDDEN || cmp_mask[0] ==
NA) {
783 if (cmp_mask[1] ==
HIDDEN || cmp_mask[1] ==
NA) {
789 if (cmp_mask[2] ==
HIDDEN || cmp_mask[2] ==
NA) {
795 if (cmp_mask[3] ==
HIDDEN || cmp_mask[3] ==
NA) {
804 if (exists(keylist, keylist_size, future_key, 1, cmp_mask) < 1) {
819 rule1(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
839 if (!future_key->
key) {
848 if (exists(keylist, keylist_size, future_key, 0, mask[0]) > 0
849 || exists(keylist, keylist_size, future_key, 0, mask[1]) > 0)
863 rule2(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
877 if (!keylist || !future_key || !future_key->
key) {
886 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
887 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1],
KEY_STATE_TYPE_DS, deplist) > 0
888 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[3],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
889 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[4],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
890 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[3],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
891 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[4],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
892 || unsignedOk(keylist, keylist_size, future_key, mask[7],
KEY_STATE_TYPE_DS) > 0)
906 rule3(
key_data_t** keylist,
size_t keylist_size,
struct future_key *future_key,
942 if (!future_key->
key) {
951 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
952 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
953 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3],
KEY_STATE_TYPE_RRSIG, deplist) > 0
968 dnssecApproval(
key_data_t** keylist,
size_t keylist_size,
969 struct future_key* future_key,
int allow_unsigned,
999 || !rule1(keylist, keylist_size, future_key, 0)
1000 || rule1(keylist, keylist_size, future_key, 1) > 0)
1001 && (!rule2(keylist, keylist_size, future_key, 0, deplist)
1002 || rule2(keylist, keylist_size, future_key, 1, deplist) > 0)
1003 && (!rule3(keylist, keylist_size, future_key, 0, deplist)
1004 || rule3(keylist, keylist_size, future_key, 1, deplist) > 0))
1040 return addtime(lastchange, ttl
1047 return addtime(lastchange, ttl
1054 return addtime(lastchange, ttl
1074 policyApproval(
key_data_t** keylist,
size_t keylist_size,
1098 if (!keylist || !future_key || !future_key->
key) {
1112 switch (future_key->
type) {
1166 if (exists(keylist, keylist_size, future_key, 1, mask[6]) > 0
1167 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[8], mask[7],
KEY_STATE_TYPE_DS, deplist) > 0
1168 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[11], mask[9],
KEY_STATE_TYPE_DNSKEY, deplist) > 0)
1212 if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
1213 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1],
KEY_STATE_TYPE_DNSKEY, deplist) > 0
1214 || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3],
KEY_STATE_TYPE_RRSIG, deplist) > 0
1280 return max((
int)difftime(end_date, now), ttl);
1290 isSuccessable(
struct future_key* future_key)
1300 switch (future_key->
type) {
1334 size_t keylist_size,
struct future_key *future_key,
1337 static const char *scmd =
"markSuccessors";
1358 if (isSuccessable(future_key) < 1) {
1362 for (i = 0; i < keylist_size; i++) {
1363 if (isPotentialSuccessor(keylist[i], future_key->
key, future_key, future_key->
type) > 0) {
1364 switch (future_key->
type) {
1392 ods_log_error(
"[%s] %s: unable to create key dependency between %s and %s",
1417 const time_t now,
int allow_unsigned,
int *zone_updated,
1420 time_t returntime_zone = -1;
1422 static const char *scmd =
"updateZone";
1424 unsigned int j, change;
1431 struct future_key future_key;
1434 time_t returntime_key;
1436 int key_data_updated, process, key_state_created;
1437 const db_enum_t* state_enum, *next_state_enum, *type_enum;
1443 return returntime_zone;
1448 return returntime_zone;
1453 return returntime_zone;
1455 if (!zone_updated) {
1457 ods_log_error(
"[%s] %s: no zone_updated", module_str, scmd);
1458 return returntime_zone;
1463 return returntime_zone;
1468 return returntime_zone;
1489 ods_log_error(
"[%s] %s: zone_set_ttl_end_ds() failed", module_str, scmd);
1501 for (i = 0; i < keylist_size; i++) {
1506 if (keylist_size < i) {
1514 ods_log_error(
"[%s] %s: zone_set_ttl_end_dk() failed", module_str, scmd);
1532 ods_log_error(
"[%s] %s: zone_set_ttl_end_rs() failed", module_str, scmd);
1543 for (i = 0; process && i < keylist_size; i++) {
1544 key_state_created = 0;
1555 ods_log_error(
"[%s] %s: key state DS creation failed", module_str, scmd);
1561 key_state_created = 1;
1567 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1586 ods_log_error(
"[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1592 key_state_created = 1;
1598 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1616 ods_log_error(
"[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1622 key_state_created = 1;
1628 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1644 ||
key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIG, now))
1647 ods_log_error(
"[%s] %s: key state RRSIG creation failed", module_str, scmd);
1653 key_state_created = 1;
1659 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1668 if (key_state_created) {
1670 ods_log_error(
"[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1683 for (i = 0; process && i < keylist_size; i++) {
1695 ods_log_error(
"[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1703 if (state == next_state) {
1722 if (type_enum->
value == (
int)type[j]) {
1727 if (state_enum->
value == (
int)state) {
1732 if (next_state_enum->
value == (
int)next_state) {
1736 ods_log_verbose(
"[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1741 next_state_enum->
text);
1743 future_key.
key = keylist[i];
1744 future_key.
type = type[j];
1750 if (policyApproval(keylist, keylist_size, &future_key, deplist) < 1) {
1753 ods_log_verbose(
"[%s] %s Policy says we can (1/3)", module_str, scmd);
1758 if (dnssecApproval(keylist, keylist_size, &future_key, allow_unsigned, deplisttmp) < 1) {
1761 ods_log_verbose(
"[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1763 returntime_key = minTransitionTime(policy, type[j], next_state,
1765 getZoneTTL(policy, zone, type[j], now));
1772 if (type[j] == KEY_STATE_TYPE_RRSIG
1776 returntime_key = addtime(returntime_key,
1787 if (returntime_key > now) {
1788 minTime(returntime_key, &returntime_zone);
1793 module_str, scmd, (
unsigned long)now, (
unsigned long)returntime_key);
1802 ods_log_crit(
"[%s] %s Ready for transition but key material not backed up yet (%s)",
1808 returntime_key = addtime(now, 60);
1809 minTime(returntime_key, &returntime_zone);
1820 key_data_updated = 0;
1837 key_data_updated = 1;
1842 key_data_updated = 1;
1856 key_data_updated = 1;
1866 key_data_updated = 1;
1873 if (key_data_updated) {
1875 ods_log_error(
"[%s] %s: key data update failed", module_str, scmd);
1888 ods_log_error(
"[%s] %s: key data reread failed", module_str, scmd);
1900 switch (future_key.
type) {
1918 ods_log_error(
"[%s] %s: future key type error", module_str, scmd);
1924 if (next_state_enum->
value == (
int)next_state) {
1928 ods_log_verbose(
"[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1933 next_state_enum->
text);
1940 ods_log_error(
"[%s] %s: key state transition failed", module_str, scmd);
1949 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1958 if (markSuccessors(dbconn, keylist, keylist_size, &future_key, deplisttmp, zone) < 0) {
1959 ods_log_error(
"[%s] %s: markSuccessors() error", module_str, scmd);
1969 ods_log_error(
"[%s] %s: Unable to recache key states after transition", module_str, scmd);
1977 }
while (process && change);
1979 return returntime_zone;
1989 const hsm_key_t *hkey, *hkey_young = NULL;
1994 if (!key_list || !pkey)
2020 if (match)
continue;
2042 static const char *scmd =
"existsPolicyForKey";
2046 if (!policykeylist) {
2086 int max_inception = -1;
2088 if (!key_list || !pkey)
return -1;
2115 return max_inception;
2232 zone_t *zone,
const time_t now,
int *allow_unsigned,
int *zone_updated)
2234 time_t return_at = -1;
2244 static const char *scmd =
"updatePolicy";
2267 if (!allow_unsigned) {
2269 ods_log_error(
"[%s] %s: no allow_unsigned", module_str, scmd);
2272 if (!zone_updated) {
2274 ods_log_error(
"[%s] %s: no zone_updated", module_str, scmd);
2286 ods_log_error(
"[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2297 ods_log_error(
"[%s] %s: error zone_get_keys()", module_str, scmd);
2307 ret = existsPolicyForKey(policykeylist, key);
2310 ods_log_error(
"[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2321 ods_log_error(
"[%s] %s: error update mutkey", module_str, scmd);
2337 *allow_unsigned = pkey ? 0 : 1;
2343 ods_log_error(
"[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
2356 force_roll = enforce_roll(zone, pkey);
2362 if (!key_for_conf(keylist, pkey)) {
2365 else if (!force_roll) {
2381 inception = last_inception_policy(keylist, pkey);
2382 if (inception != -1 &&
2386 minTime(t_ret, &return_at);
2387 setnextroll(zone, pkey, t_ret);
2409 ods_log_crit(
"[%s] %s: For policy %s %s key lifetime of %d " 2410 "is unreasonably short with respect to sum of parent " 2411 "TTL (%d) and key TTL (%d). Will not insert key!",
2415 setnextroll(zone, pkey, now);
2424 ods_log_crit(
"[%s] %s: For policy %s %s key lifetime of %d " 2425 "is unreasonably short with respect to sum of " 2426 "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2430 setnextroll(zone, pkey, now);
2440 hsmkey = getLastReusableKey(keylist, pkey);
2455 ods_log_warning(
"[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2458 setnextroll(zone, pkey, now);
2538 ods_log_error(
"[%s] %s: error key_data_create()", module_str, scmd);
2549 minTime(t_ret, &return_at);
2550 setnextroll(zone, pkey, t_ret);
2577 ods_log_error(
"[%s] %s: error update mutkey2", module_str, scmd);
2604 if (enforce_roll(zone, pkey)) {
2605 if (set_roll(zone, pkey, 0)) {
2607 ods_log_error(
"[%s] %s: error set_roll()", module_str, scmd);
2625 const int purgetime)
2627 static const char *scmd =
"removeDeadKeys";
2628 time_t first_purge = -1, key_time;
2629 size_t i, deplist2_size = 0;
2630 int key_purgable, cmp;
2641 if (deplist2_size > 0)
2643 for (i = 1; i < deplist2_size; i++)
2646 for (i = 0; i < keylist_size; i++) {
2650 for (j = 0; j<4; j++) {
2666 if (key_time != -1) key_time = addtime(key_time, purgetime);
2669 if (now >= key_time) {
2675 ods_log_info(
"[%s] %s deleting key: %s", module_str, scmd,
2684 ods_log_error(
"[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2691 minTime(key_time, &first_purge);
2695 for (j = 0; j < deplist2_size; j++) {
2696 if (!deplist2[j])
continue;
2699 ods_log_error(
"[%s] %s: cmp deplist from failed", module_str, scmd);
2706 ods_log_error(
"[%s] %s: key_dependency_delete() failed", module_str, scmd);
2712 for (i = 0; i < deplist2_size; i++){
2722 int allow_unsigned = 0;
2723 time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2727 size_t keylist_size, i;
2729 static const char *scmd =
"update";
2730 int key_data_updated;
2748 if (!zone_updated) {
2758 policy_return_time = updatePolicy(engine, dbconn, policy, zone, now, &allow_unsigned, zone_updated);
2760 if (allow_unsigned) {
2761 ods_log_info(
"[%s] No keys configured for %s, zone will become unsigned eventually",
2770 ods_log_error(
"[%s] %s: error zone_get_key_dependencies()", module_str, scmd);
2776 ods_log_error(
"[%s] %s: error zone_get_keys()", module_str, scmd);
2793 ods_log_error(
"[%s] %s: error calloc(keylist_size)", module_str, scmd);
2798 for (i = 0; i < keylist_size; i++) {
2809 ods_log_error(
"[%s] %s: error key_data_list cache", module_str, scmd);
2810 for (i = 0; i < keylist_size; i++) {
2827 zone_return_time = updateZone(dbconn, policy, zone, now, allow_unsigned, zone_updated,
2828 keylist, keylist_size, deplist);
2834 purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2843 for (i = 0; i < keylist_size; i++) {
2844 key_data_updated = 0;
2850 key_data_updated = 1;
2864 key_data_updated = 1;
2881 key_data_updated = 1;
2898 key_data_updated = 1;
2902 if (key_data_updated) {
2914 for (i = 0; i < keylist_size; i++) {
2922 return_time = zone_return_time;
2923 minTime(policy_return_time, &return_time);
2924 minTime(purge_return_time, &return_time);
const char * key_data_role_text(const key_data_t *key_data)
const char * key_state_state_text(const key_state_t *key_state)
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
int key_data_set_inception(key_data_t *key_data, unsigned int inception)
int key_data_get_by_id(key_data_t *key_data, const db_value_t *id)
int key_state_set_ttl(key_state_t *key_state, unsigned int ttl)
int key_dependency_delete(key_dependency_t *key_dependency)
int key_state_delete(key_state_t *key_state)
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
int zone_set_roll_csk_now(zone_t *zone, unsigned int roll_csk_now)
unsigned int next_zsk_roll
int zone_set_ttl_end_dk(zone_t *zone, unsigned int ttl_end_dk)
unsigned int zone_roll_zsk_now(const zone_t *zone)
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
unsigned int policy_parent_registration_delay(const policy_t *policy)
unsigned int key_data_publish(const key_data_t *key_data)
const char * key_state_type_text(const key_state_t *key_state)
key_state_t * key_data_get_cached_rrsig(key_data_t *key_data)
const char * policy_name(const policy_t *policy)
unsigned int key_data_active_zsk(const key_data_t *key_data)
int zone_set_roll_zsk_now(zone_t *zone, unsigned int roll_zsk_now)
unsigned int policy_signatures_max_zone_ttl(const policy_t *policy)
int zone_set_ttl_end_ds(zone_t *zone, unsigned int ttl_end_ds)
int key_data_cmp(const key_data_t *key_data_a, const key_data_t *key_data_b)
enum key_state_state key_state_state_t
enum key_data_role key_data_role_t
void ods_log_info(const char *format,...)
unsigned int policy_signatures_refresh(const policy_t *policy)
const db_value_t * key_data_id(const key_data_t *key_data)
unsigned int zone_ttl_end_rs(const zone_t *zone)
key_data_list_t * zone_get_keys(const zone_t *zone)
const hsm_key_t * key_data_cached_hsm_key(const key_data_t *key_data)
unsigned int policy_signatures_validity_default(const policy_t *policy)
size_t key_data_list_size(key_data_list_t *key_data_list)
unsigned int policy_parent_propagation_delay(const policy_t *policy)
int zone_set_signconf_needs_writing(zone_t *zone, unsigned int signconf_needs_writing)
void ods_log_error(const char *format,...)
int key_state_set_key_data_id(key_state_t *key_state, const db_value_t *key_data_id)
unsigned int zone_roll_csk_now(const zone_t *zone)
int key_dependency_set_zone_id(key_dependency_t *key_dependency, const db_value_t *zone_id)
int key_state_set_minimize(key_state_t *key_state, unsigned int minimize)
key_dependency_list_t * zone_get_key_dependencies(const zone_t *zone)
const db_enum_t key_state_enum_set_type[]
int key_data_set_role(key_data_t *key_data, key_data_role_t role)
unsigned int policy_signatures_validity_denial(const policy_t *policy)
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
unsigned int policy_signatures_jitter(const policy_t *policy)
const char * hsm_key_repository(const hsm_key_t *hsm_key)
time_t update(engine_type *engine, db_connection_t *dbconn, zone_t *zone, policy_t *policy, time_t now, int *zone_updated)
unsigned int next_csk_roll
int key_data_create(key_data_t *key_data)
int key_data_set_hsm_key_id(key_data_t *key_data, const db_value_t *hsm_key_id)
unsigned int key_data_introducing(const key_data_t *key_data)
const db_value_t * key_dependency_to_key_data_id(const key_dependency_t *key_dependency)
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
unsigned int policy_zone_propagation_delay(const policy_t *policy)
int key_state_set_type(key_state_t *key_state, key_state_type_t type)
int key_state_update(key_state_t *key_state)
size_t policy_key_list_size(policy_key_list_t *policy_key_list)
int key_dependency_set_type(key_dependency_t *key_dependency, key_dependency_type_t type)
void ods_log_crit(const char *format,...)
unsigned int key_state_minimize(const key_state_t *key_state)
const key_state_t * key_data_cached_rrsigdnskey(key_data_t *key_data)
key_dependency_t * key_dependency_new(const db_connection_t *connection)
int db_value_cmp(const db_value_t *value_a, const db_value_t *value_b, int *result)
void key_dependency_list_free(key_dependency_list_t *key_dependency_list)
unsigned int zone_ttl_end_dk(const zone_t *zone)
unsigned int key_data_inception(const key_data_t *key_data)
int key_state_set_state(key_state_t *key_state, key_state_state_t state)
const char * policy_key_repository(const policy_key_t *policy_key)
const key_dependency_t * key_dependency_list_next(key_dependency_list_t *key_dependency_list)
unsigned int policy_zone_soa_ttl(const policy_t *policy)
unsigned int zone_roll_ksk_now(const zone_t *zone)
void key_state_free(key_state_t *key_state)
int zone_set_ttl_end_rs(zone_t *zone, unsigned int ttl_end_rs)
unsigned int hsm_key_inception(const hsm_key_t *hsm_key)
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
key_data_t * key_data_new(const db_connection_t *connection)
const key_data_t * key_data_list_begin(key_data_list_t *key_data_list)
void key_dependency_free(key_dependency_t *key_dependency)
unsigned int policy_keys_publish_safety(const policy_t *policy)
int zone_set_roll_ksk_now(zone_t *zone, unsigned int roll_ksk_now)
policy_key_list_t * policy_get_policy_keys(const policy_t *policy)
const db_value_t * key_dependency_from_key_data_id(const key_dependency_t *key_dependency)
unsigned int zone_signconf_needs_writing(const zone_t *zone)
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
int key_data_set_publish(key_data_t *key_data, unsigned int publish)
int key_data_cache_key_states(key_data_t *key_data)
hsm_key_t * hsm_key_list_get_begin(hsm_key_list_t *hsm_key_list)
const db_enum_t key_state_enum_set_state[]
unsigned int key_state_last_change(const key_state_t *key_state)
const char * hsm_key_locator(const hsm_key_t *hsm_key)
int key_dependency_set_from_key_data_id(key_dependency_t *key_dependency, const db_value_t *from_key_data_id)
unsigned int policy_parent_ds_ttl(const policy_t *policy)
unsigned int policy_key_minimize(const policy_key_t *policy_key)
const char * zone_name(const zone_t *zone)
unsigned int policy_denial_ttl(const policy_t *policy)
size_t key_dependency_list_size(key_dependency_list_t *key_dependency_list)
const key_state_t * key_data_cached_rrsig(key_data_t *key_data)
key_state_t * key_state_new(const db_connection_t *connection)
key_dependency_t * key_dependency_list_get_next(key_dependency_list_t *key_dependency_list)
key_state_t * key_data_get_cached_rrsigdnskey(key_data_t *key_data)
const char * policy_key_role_text(const policy_key_t *policy_key)
unsigned int policy_keys_retire_safety(const policy_t *policy)
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
int key_data_set_zone_id(key_data_t *key_data, const db_value_t *zone_id)
int key_dependency_create(key_dependency_t *key_dependency)
key_state_t * key_data_get_cached_ds(key_data_t *key_data)
void ods_log_verbose(const char *format,...)
unsigned int policy_key_manual_rollover(const policy_key_t *policy_key)
int key_state_set_last_change(key_state_t *key_state, unsigned int last_change)
const key_state_t * key_data_cached_ds(key_data_t *key_data)
int key_data_cache_hsm_key(key_data_t *key_data)
void key_data_list_free(key_data_list_t *key_data_list)
int key_state_create(key_state_t *key_state)
key_dependency_t * key_dependency_list_get_begin(key_dependency_list_t *key_dependency_list)
const db_value_t * key_data_hsm_key_id(const key_data_t *key_data)
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
unsigned int key_data_minimize(const key_data_t *key_data)
int key_data_set_active_ksk(key_data_t *key_data, unsigned int active_ksk)
void key_data_free(key_data_t *key_data)
const key_dependency_t * key_dependency_list_begin(key_dependency_list_t *key_dependency_list)
const db_value_t * zone_id(const zone_t *zone)
unsigned int hsm_key_algorithm(const hsm_key_t *hsm_key)
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
hsm_key_list_t * hsm_key_list_new_get_by_policy_key(const policy_key_t *pkey)
void hsm_key_free(hsm_key_t *hsm_key)
key_data_t * key_data_new_copy(const key_data_t *key_data)
unsigned int key_data_active_ksk(const key_data_t *key_data)
key_state_state_t next_state
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
int key_data_set_introducing(key_data_t *key_data, unsigned int introducing)
unsigned int key_data_algorithm(const key_data_t *key_data)
int key_data_update(key_data_t *key_data)
enum key_state_type key_state_type_t
unsigned int next_ksk_roll
int key_data_set_keytag(key_data_t *key_data, unsigned int keytag)
int key_data_set_active_zsk(key_data_t *key_data, unsigned int active_zsk)
key_dependency_list_t * key_dependency_list_new_copy(const key_dependency_list_t *from_key_dependency_list)
int key_dependency_set_to_key_data_id(key_dependency_t *key_dependency, const db_value_t *to_key_data_id)
unsigned int policy_keys_shared(const policy_t *policy)
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
unsigned int policy_key_bits(const policy_key_t *policy_key)
void policy_key_list_free(policy_key_list_t *policy_key_list)
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
unsigned int hsm_key_bits(const hsm_key_t *hsm_key)
enum key_dependency_type key_dependency_type_t
int key_data_delete(key_data_t *key_data)
const policy_key_t * policy_key_list_begin(policy_key_list_t *policy_key_list)
key_data_t * key_dependency_get_from_key_data(const key_dependency_t *key_dependency)
void ods_log_warning(const char *format,...)
unsigned int policy_zone_soa_minimum(const policy_t *policy)
int key_data_set_algorithm(key_data_t *key_data, unsigned int algorithm)
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
unsigned int policy_keys_purge_after(const policy_t *policy)
unsigned int zone_ttl_end_ds(const zone_t *zone)
unsigned int policy_keys_ttl(const policy_t *policy)
key_state_t * key_data_get_cached_dnskey(key_data_t *key_data)
int key_data_set_minimize(key_data_t *key_data, unsigned int minimize)
unsigned int policy_signatures_resign(const policy_t *policy)
key_data_t * key_data_list_get_begin(key_data_list_t *key_data_list)