From 200026649a194068ac23c47f9b4369145504831f Mon Sep 17 00:00:00 2001
From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Sat, 8 May 2010 20:16:38 +0000
Subject: [PATCH] revamp the 'activeness' of keys, dnsseckeeper now gives more
 information about keys

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1596 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
 pdns/dnssecinfra.cc  |  10 ++--
 pdns/dnsseckeeper.cc |  18 ++++---
 pdns/dnsseckeeper.hh |  15 ++++--
 pdns/pdnssec.cc      | 124 +++++++++++++++++++++++++++++++++++++++----
 4 files changed, 143 insertions(+), 24 deletions(-)

diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 2a3c92262..c1db21fe0 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -216,13 +216,13 @@ DNSKEYRecordContent getDNSKEYFor(const std::string& keyRepositoryDir, const std:
   if(!withKSK) {
     DNSSECKeeper::zskset_t zskset=dk.getZSKsFor(qname);
     BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-      if(value.second) {
-	cerr<<"Found a ZSK for '"<<qname<<"', key tag = "<<value.first.getDNSKEY().getTag()<<endl;
-	*rc=value.first.d_key;
-	return value.first.getDNSKEY();
+      if(value.second.active) {
+        cerr<<"Found a ZSK for '"<<qname<<"', key tag = "<<value.first.getDNSKEY().getTag()<<endl;
+        *rc=value.first.d_key;
+        return value.first.getDNSKEY();
       }
       else 
-	cerr<<"Found an expired ZSK for '"<<qname<<"', key tag = "<<value.first.getDNSKEY().getTag()<<endl;
+        cerr<<"Found an expired ZSK for '"<<qname<<"', key tag = "<<value.first.getDNSKEY().getTag()<<endl;
     }
     cerr<<"withKSK was not true, but found nothing!"<<endl;
     exit(1);
diff --git a/pdns/dnsseckeeper.cc b/pdns/dnsseckeeper.cc
index 5388f5576..5e75ae88f 100644
--- a/pdns/dnsseckeeper.cc
+++ b/pdns/dnsseckeeper.cc
@@ -133,8 +133,12 @@ void DNSSECKeeper::addZSKFor(const std::string& name, bool next)
 bool zskSortByDates(const DNSSECKeeper::zskset_t::value_type& a, const DNSSECKeeper::zskset_t::value_type& b)
 {
   return 
-    tie(a.first.beginValidity, a.first.endValidity) < 
-    tie(b.first.beginValidity, b.first.endValidity);
+    tie(a.second.beginValidity, a.second.endValidity) < 
+    tie(b.second.beginValidity, b.second.endValidity);
+}
+void DNSSECKeeper::deleteZSKFor(const std::string& zname, const std::string& fname)
+{
+  unlink((d_dirname +"/"+ zname +"/zsks/"+fname).c_str());
 }
 
 DNSSECKeeper::zskset_t DNSSECKeeper::getZSKsFor(const std::string& zone, bool all)
@@ -174,11 +178,13 @@ DNSSECKeeper::zskset_t DNSSECKeeper::getZSKsFor(const std::string& zone, bool al
       ts1.tm_mon--;
       ts2.tm_mon--;
 
-      dpk.beginValidity=timegm(&ts1);
-      dpk.endValidity=timegm(&ts2);
+      KeyMetaData kmd;
+      kmd.beginValidity=timegm(&ts1);
+      kmd.endValidity=timegm(&ts2);
       time_t now=time(0);
-
-      zskset.push_back(make_pair(dpk, now > dpk.beginValidity && now < dpk.endValidity));
+      kmd.active = now > kmd.beginValidity && now < kmd.endValidity;
+      kmd.fname = dir_itr->leaf();
+      zskset.push_back(make_pair(dpk, kmd));
     }
     sort(zskset.begin(), zskset.end(), zskSortByDates);
   }
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 656044d15..f2b027218 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -76,21 +76,30 @@ struct DNSSECPrivateKey
   
   RSAContext d_key;
   DNSKEYRecordContent getDNSKEY();
-  time_t beginValidity, endValidity; // wart
 };
 
 class DNSSECKeeper
 {
+public:
+  struct KeyMetaData
+  {
+    time_t beginValidity, endValidity; // wart  
+    bool active;
+    string fname;
+  };  
 public:
   explicit DNSSECKeeper(const std::string& dirname) : d_dirname(dirname){}
   bool haveKSKFor(const std::string& zone, DNSSECPrivateKey* ksk=0);
   
-  typedef std::vector<std::pair<DNSSECPrivateKey, bool> > zskset_t;
+  typedef std::vector<std::pair<DNSSECPrivateKey, KeyMetaData> > zskset_t;
   zskset_t getZSKsFor(const std::string& zone, bool all=false);
-  void addZSKFor(const std::string& fname, bool next=false);
+  void addZSKFor(const std::string& zname, bool next=false);
+  void deleteZSKFor(const std::string& zname, const std::string& fname);
 
   void addZone(const std::string& fname);
 
+  
+
 private:
   std::string d_dirname;
 };
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index b85950d58..dd5955551 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -3,12 +3,26 @@
 #include "statbag.hh"
 #include <boost/foreach.hpp>
 #include <boost/program_options.hpp>
+#include "dnsbackend.hh"
+#include "ueberbackend.hh"
+#include "arguments.hh"
+#include "packetcache.hh"
+
+StatBag S;
+PacketCache PC;
 
 using namespace boost;
 namespace po = boost::program_options;
 po::variables_map g_vm;
 
-StatBag S;
+string s_programname="pdns_server";
+
+ArgvMap &arg()
+{
+  static ArgvMap arg;
+  return arg;
+}
+
 
 string humanTime(time_t t)
 {
@@ -19,7 +33,85 @@ string humanTime(time_t t)
   return ret;
 }
 
+void loadMainConfig()
+{
+   static char pietje[128]="!@@SYSCONFDIR@@:";
+  ::arg().set("config-dir","Location of configuration directory (pdns.conf)")=
+    strcmp(pietje+1,"@@SYSCONFDIR@@:") ? pietje+strlen("@@SYSCONFDIR@@:")+1 : SYSCONFDIR;
+  
+  ::arg().set("launch","Which backends to launch");
+  
+  ::arg().set("config-name","Name of this virtual configuration - will rename the binary image")="";
+  ::arg().setCmd("help","Provide a helpful message");
+  //::arg().laxParse(argc,argv);
+
+  if(::arg().mustDo("help")) {
+    cerr<<"syntax:"<<endl<<endl;
+    cerr<<::arg().helpstring(::arg()["help"])<<endl;
+    exit(99);
+  }
+
+  if(::arg()["config-name"]!="") 
+    s_programname+="-"+::arg()["config-name"];
+
+  string configname=::arg()["config-dir"]+"/"+s_programname+".conf";
+  cleanSlashes(configname);
+
+  cerr<<"configname: '"<<configname<<"'\n";
+  
+  ::arg().laxFile(configname.c_str());
+
+
+  BackendMakers().launch(::arg()["launch"]); // vrooooom!
+  ::arg().laxFile(configname.c_str());    
+  cerr<<::arg()["launch"]<<", '" << ::arg()["gmysql-dbname"] <<"'" <<endl;
+
+
+  S.declare("qsize-q","Number of questions waiting for database attention");
+    
+  S.declare("deferred-cache-inserts","Amount of cache inserts that were deferred because of maintenance");
+  S.declare("deferred-cache-lookup","Amount of cache lookups that were deferred because of maintenance");
+          
+  S.declare("query-cache-hit","Number of hits on the query cache");
+  S.declare("query-cache-miss","Number of misses on the query cache");
+  ::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000";
+  ::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no"; 
+  ::arg().set("recursive-cache-ttl","Seconds to store packets in the PacketCache")="10";
+  ::arg().set("cache-ttl","Seconds to store packets in the PacketCache")="20";              
+  ::arg().set("negquery-cache-ttl","Seconds to store packets in the PacketCache")="60";
+  ::arg().set("query-cache-ttl","Seconds to store packets in the PacketCache")="20";              
+  ::arg().set("soa-refresh-default","Default SOA refresh")="10800";
+  ::arg().set("soa-retry-default","Default SOA retry")="3600";
+  ::arg().set("soa-expire-default","Default SOA expire")="604800";
+    ::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no";
+  ::arg().set("soa-minimum-ttl","Default SOA mininum ttl")="3600";    
+  UeberBackend::go();
+}
+
+void listZones()
+{
+  loadMainConfig();
+  cerr<<"hier1 launcheable: "<<BackendMakers().numLauncheable()<<endl;
+  
+  cerr<<"new"<<endl;
+  UeberBackend* B = new UeberBackend("default");
+  SOAData sd;
+  cerr<<"hier2 "<<(void*)B<<endl;
+  if(!B->getSOA("powerdnssec.org", sd)) {
+    cerr<<"No SOA!"<<endl;
+  } 
+  cerr<<"ID: "<<sd.domain_id<<endl;
+  sd.db->list("powerdnssec.org", sd.domain_id);
+  DNSResourceRecord rr;
+  
+  while(sd.db->get(rr)) {
+    cerr<<rr.qname<<endl;
+  }
+  cerr<<"Done listing"<<endl;
+}
+
 int main(int argc, char** argv)
+try
 {
   po::options_description desc("Allowed options");
   desc.add_options()
@@ -47,7 +139,10 @@ int main(int argc, char** argv)
 
   DNSSECKeeper dk(g_vm["key-repository"].as<string>());
 
-  if(cmds[0] == "update-zone-keys") {
+  if(cmds[0] == "list-zones") {
+    listZones();
+  }
+  else if(cmds[0] == "update-zone-keys") {
     if(cmds.size() != 2) {
       cerr << "Error: "<<cmds[0]<<" takes exactly 1 parameter"<<endl;
       return 0;
@@ -63,13 +158,22 @@ int main(int argc, char** argv)
     DNSSECKeeper::zskset_t zskset=dk.getZSKsFor(zone);
 
     int inforce=0;
+    time_t now = time(&now);
+    
+    
     if(!zskset.empty())  {
       cerr<<"There were ZSKs already for zone '"<<zone<<"': "<<endl;
       
       BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-        cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second<<", "<<value.first.beginValidity<<" - "<<value.first.endValidity<<endl;
-        if(value.second) 
+        cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<<humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
+        if(value.second.active) 
           inforce++;
+        if(value.second.endValidity < now - 2*86400) { // 'expired more than two days ago'  
+          cerr<<"\tThis key is no longer used and too old to keep around, deleting!\n";
+          dk.deleteZSKFor(zone, value.second.fname);
+        } else if(value.second.endValidity < now) { // 'expired more than two days ago'  
+          cerr<<"\tThis key is no longer in active use, but needs to linger\n";
+        }
       }
     }
       
@@ -87,7 +191,7 @@ int main(int argc, char** argv)
 
     cerr<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
     BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-      cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second<<endl;
+      cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
     }
 
   }
@@ -112,16 +216,13 @@ int main(int argc, char** argv)
     
     DNSSECKeeper::zskset_t zskset=dk.getZSKsFor(zone);
 
-    int inforce=0;
     if(zskset.empty())  {
       cerr << "No ZSKs for zone '"<<zone<<"'."<<endl;
     }
     else {  
       cerr << "ZSKs for zone '"<<zone<<"':"<<endl;
       BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-        cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second<<", "<< humanTime(value.first.beginValidity)<<" - "<<humanTime(value.first.endValidity)<<endl;
-        if(value.second) 
-        inforce++;
+        cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<< humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
       }
     }
   }
@@ -162,7 +263,7 @@ int main(int argc, char** argv)
 
     cerr<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
     BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-      cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second<<endl;
+      cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
     }
   }
   else {
@@ -171,3 +272,6 @@ int main(int argc, char** argv)
   }
   return 0;
 }
+catch(AhuException& ae) {
+  cerr<<"Error: "<<ae.reason<<endl;
+}
-- 
2.50.1