2 * validator/autotrust.c - RFC5011 trust anchor management for unbound.
72 static void do_revoked(struct module_env* env, struct autr_ta* anchor, int* c);
135 * @param ta: trust anchor key with DNSKEY data.
359 log_err("trust anchor for '%s' presented twice", buf);
370 log_err("trust anchor for '%s' in probetree twice", buf);
428 log_err("anchor cannot be with and without autotrust");
442 /** Add trust anchor from RR */
464 * Add new trust anchor from a string in file.
466 * @param str: string with anchor and comments, if any comments.
517 * Load single anchor
812 /** parse id sequence for anchor */
846 * @param anchors: the anchor is added to this, if "id:" is seen.
847 * @param anchor: the anchor as result value or previously returned anchor
850 * +2 revoked trust anchor file.
854 struct trust_anchor** anchor)
856 struct trust_anchor* tp = *anchor;
859 *anchor = parse_id(anchors, line+6);
860 if(!*anchor) return -1;
1009 verbose(VERB_ALGO, "reading autotrust anchor file %s", nm);
1012 log_err("could not parse auto-trust-anchor-file "
1021 log_warn("trust anchor %s has been revoked", nm);
1034 if(!r) log_err("failed to load trust anchor from %s "
1121 if(fprintf(out, "; autotrust trust anchor file\n") < 0) {
1130 "; to restart the trust anchor, overwrite this file.\n"
1276 verbose(VERB_ALGO, "autotrust: validate DNSKEY with anchor: %s",
1340 /** revoke a trust anchor */
1385 /** compare trust anchor with rdata, 0 if equal. Pass rdata(no len) */
1688 * @param ta: trust anchor to check for.
1719 /** Set the state for this trust anchor */
1733 do_newkey(struct module_env* env, struct autr_ta* anchor, int* c)
1735 if (anchor->s == AUTR_STATE_START)
1736 set_trustanchor_state(env, anchor, c, AUTR_STATE_ADDPEND);
1741 do_addtime(struct module_env* env, struct autr_ta* anchor, int* c)
1746 time_t exceeded = check_holddown(env, anchor, env->cfg->add_holddown);
1747 if (exceeded && anchor->s == AUTR_STATE_ADDPEND) {
1748 verbose_key(anchor, VERB_ALGO, "add-holddown time exceeded "
1750 (long long)exceeded, anchor->pending_count);
1751 if(anchor->pending_count >= MIN_PENDINGCOUNT) {
1752 set_trustanchor_state(env, anchor, c, AUTR_STATE_VALID);
1753 anchor->pending_count = 0;
1756 verbose_key(anchor, VERB_ALGO, "add-holddown time sanity check "
1757 "failed (pending count: %d)", anchor->pending_count);
1763 do_remtime(struct module_env* env, struct autr_ta* anchor, int* c)
1765 time_t exceeded = check_holddown(env, anchor, env->cfg->del_holddown);
1766 if(exceeded && anchor->s == AUTR_STATE_REVOKED) {
1767 verbose_key(anchor, VERB_ALGO, "del-holddown time exceeded "
1769 set_trustanchor_state(env, anchor, c, AUTR_STATE_REMOVED);
1775 do_keyrem(struct module_env* env, struct autr_ta* anchor, int* c)
1777 if(anchor->s == AUTR_STATE_ADDPEND) {
1778 set_trustanchor_state(env, anchor, c, AUTR_STATE_START);
1779 anchor->pending_count = 0;
1780 } else if(anchor->s == AUTR_STATE_VALID)
1781 set_trustanchor_state(env, anchor, c, AUTR_STATE_MISSING);
1786 do_keypres(struct module_env* env, struct autr_ta* anchor, int* c)
1788 if(anchor->s == AUTR_STATE_MISSING)
1789 set_trustanchor_state(env, anchor, c, AUTR_STATE_VALID);
1794 do_revoked(struct module_env* env, struct autr_ta* anchor, int* c)
1796 if(anchor->s == AUTR_STATE_VALID || anchor->s == AUTR_STATE_MISSING) {
1797 set_trustanchor_state(env, anchor, c, AUTR_STATE_REVOKED);
1798 verbose_key(anchor, VERB_ALGO, "old id, prior to revocation");
1799 revoke_dnskey(anchor, 0);
1800 verbose_key(anchor, VERB_ALGO, "new id, after revocation");
1804 /** Apply the state-table transition matrix to the anchor */
1806 anchor_state_update(struct module_env* env, struct autr_ta* anchor, int* c)
1808 log_assert(anchor);
1809 switch(anchor->s) {
1813 if (anchor->fetched)
1814 do_newkey(env, anchor, c);
1819 if (!anchor->fetched)
1820 do_keyrem(env, anchor, c);
1822 else do_addtime(env, anchor, c);
1827 if (anchor->revoked)
1828 do_revoked(env, anchor, c);
1830 else if (!anchor->fetched)
1831 do_keyrem(env, anchor, c);
1832 else if(!anchor->last_change) {
1833 verbose_key(anchor, VERB_ALGO, "first seen");
1834 reset_holddown(env, anchor, c);
1840 if (anchor->revoked)
1841 do_revoked(env, anchor, c);
1843 else if (anchor->fetched)
1844 do_keypres(env, anchor, c);
1848 if (anchor->fetched)
1849 reset_holddown(env, anchor, c);
1851 else do_remtime(env, anchor, c);
1865 struct autr_ta* anchor;
1868 for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
1870 if(sldns_wirerr_get_type(anchor->rr, anchor->rr_len,
1871 anchor->dname_len) == LDNS_RR_TYPE_DNSKEY &&
1872 anchor->last_change == 0 &&
1873 !ta_is_dnskey_sep(anchor) &&
1874 anchor->s == AUTR_STATE_VALID)
1879 for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
1880 if (ta_is_dnskey_sep(anchor) &&
1881 anchor->s == AUTR_STATE_ADDPEND) {
1882 verbose_key(anchor, VERB_ALGO, "trust KSK from "
1884 set_trustanchor_state(env, anchor, changed,
1897 struct autr_ta* anchor;
1901 for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
1903 if (!ta_is_dnskey_sep(anchor))
1905 if (anchor->s == AUTR_STATE_VALID)
1909 * a ZSK (last-change=0) anchor, which is VALID and there are KSKs
1921 for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
1923 if(anchor->s == AUTR_STATE_START)
1926 if (!ta_is_dnskey_sep(anchor)) {
1928 verbose_key(anchor, VERB_ALGO, "remove ZSK "
1930 set_trustanchor_state(env, anchor, changed,
1936 if (anchor->s != AUTR_STATE_MISSING)
1941 exceeded = check_holddown(env, anchor, env->cfg->keep_missing);
1943 * one valid KSK: remove missing trust anchor */
1945 verbose_key(anchor, VERB_ALGO, "keep-missing time "
1948 set_trustanchor_state(env, anchor, changed,
1958 struct autr_ta* anchor;
1959 for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
1961 if(!ta_is_dnskey_sep(anchor))
1963 anchor_state_update(env, anchor, changed);
1973 struct autr_ta* anchor;
1974 for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
1975 if(ta_is_dnskey_sep(anchor) &&
1976 anchor->s == AUTR_STATE_ADDPEND)
1977 do_addtime(env, anchor, c);
2072 /** set next probe for trust anchor */
2129 /* use space allocated for dnskey_rrset to save name of anchor */
2178 /* we could just catch the anchor here while another thread
2282 /** debug print a trust anchor key */
2373 /** probe a trust anchor DNSKEY and unlocks tp */
2424 /** fetch first to-probe trust-anchor and lock it and set retrytime */
2470 /* make a probe for this anchor */