Commit fa52cd9e authored by Valentin Samir's avatar Valentin Samir

Only activate new KSK on ds-seen

parent 5d45cade
...@@ -123,7 +123,8 @@ class Zone(object): ...@@ -123,7 +123,8 @@ class Zone(object):
now = datetime.datetime.utcnow() now = datetime.datetime.utcnow()
new_ksk = Key.create("KSK", self.name) new_ksk = Key.create("KSK", self.name)
new_ksk.publish = now new_ksk.publish = now
new_ksk.activate = (now + INTERVAL) # do not activate the new key until ds-seen
new_ksk.activate = None
bind_reload() bind_reload()
active_ksk = [key for key in self.KSK if key.is_publish and key.delete is None] active_ksk = [key for key in self.KSK if key.is_publish and key.delete is None]
if len(active_ksk) >= 2: if len(active_ksk) >= 2:
...@@ -146,9 +147,11 @@ class Zone(object): ...@@ -146,9 +147,11 @@ class Zone(object):
return return
print "Key %s found" % keyid print "Key %s found" % keyid
now = datetime.datetime.utcnow() now = datetime.datetime.utcnow()
if seen_ksk.activate is None:
seen_ksk.activate = (now + INTERVAL)
for ksk in old_ksks: for ksk in old_ksks:
print " * program key %s removal" % ksk.keyid print " * program key %s removal" % ksk.keyid
inactive = max(seen_ksk.activate, now + INTERVAL) inactive = seen_ksk.activate
# delete INTERVAL after being inactive # delete INTERVAL after being inactive
ksk.delete = inactive + INTERVAL ksk.delete = inactive + INTERVAL
# set inactive in at least INTERVAL # set inactive in at least INTERVAL
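Review bot: Replacing `max(seen_ksk.activate, now + INTERVAL)` with a bare `inactive = seen_ksk.activate` drops the floor that the comment two lines below still promises ("set inactive in at least INTERVAL"): the new `if seen_ksk.activate is None:` guard only schedules activation for keys that have no date yet, so for a KSK whose activate date is already set (one created before this commit, or a repeated ds-seen on the same key) `inactive` can lie in the past, and every old KSK is then deactivated at once and deleted only INTERVAL after that date rather than after the DS has had INTERVAL to reach resolver caches — validators still holding the old DS would see the zone as bogus. Keep the ds-seen activation but restore the floor on the `inactive =` line: `inactive = max(seen_ksk.activate, now + INTERVAL)`. The same floor should presumably also govern the new key's activate date when it is set here, so that activation and the old keys' retirement stay INTERVAL apart; that is inferred from the surrounding lines, since the enclosing method starts and ends outside the hunk.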
...@@ -234,20 +237,25 @@ class Key(object): ...@@ -234,20 +237,25 @@ class Key(object):
return datetime.datetime.strptime(date, "%Y%m%d%H%M%S") return datetime.datetime.strptime(date, "%Y%m%d%H%M%S")
def _date_to_key(self, date): def _date_to_key(self, date):
return datetime.datetime.strftime(date, "%Y%m%d%H%M%S") if date is None:
return 'none'
else:
return datetime.datetime.strftime(date, "%Y%m%d%H%M%S")
@classmethod @classmethod
def create(cls, typ, name): def create(cls, typ, name, options=None):
if options is None:
options = []
path = os.path.join(BASE, name) path = os.path.join(BASE, name)
cmd = ["/usr/sbin/dnssec-keygen", "-a", "RSASHA256"]
if typ == "KSK": if typ == "KSK":
cmd = [ cmd.extend(["-b", "2048", "-f", "KSK"])
"/usr/sbin/dnssec-keygen", "-a", "RSASHA256",
"-b", "2048", "-f", "KSK", "-K", path, name
]
elif typ == "ZSK": elif typ == "ZSK":
cmd = ["/usr/sbin/dnssec-keygen", "-a", "RSASHA256", "-b", "1024", "-K", path, name] cmd.extend(["-b", "1024"])
else: else:
raise ValueError("typ must be KSK or ZSK") raise ValueError("typ must be KSK or ZSK")
cmd.extend(options)
cmd.extend(["-K", path, name])
p = subprocess.Popen(cmd, stdout=subprocess.PIPE) p = subprocess.Popen(cmd, stdout=subprocess.PIPE)
p.wait() p.wait()
if p.returncode != 0: if p.returncode != 0: