1. 13 May, 2020 2 commits
  2. 12 May, 2020 4 commits
  3. 07 May, 2020 1 commit
  4. 05 May, 2020 1 commit
  5. 01 May, 2020 6 commits
  6. 30 Apr, 2020 5 commits
  7. 28 Apr, 2020 1 commit
  8. 24 Apr, 2020 1 commit
  9. 21 Apr, 2020 2 commits
  10. 20 Apr, 2020 4 commits
  11. 17 Apr, 2020 1 commit
  12. 16 Apr, 2020 2 commits
  13. 08 Apr, 2020 6 commits
  14. 07 Apr, 2020 1 commit
    • Fix kasp timing issue on Windows · 62a97570
      Matthijs Mekking authored
      This fixes another intermittent failure in the kasp system test.
      It does not happen often, except for in the Windows platform tests
      where it takes a long time to run the tests.
      
      In the "kasp" system test, there is an "rndc reconfig" call which
      triggers a new rekey event.  check_next_key_event() verifies the time
      remaining from the moment "rndc reconfig" is called until the next key
      event.  However, the next key event time is calculated from the key
      times provided during key creation (i.e. during test setup).  Given
      this, if "rndc reconfig" is called a significant amount of time after
      the test is started, some check_next_key_event() checks will fail.
      
      Fix by calculating the time passed since the start of the test and
      when 'rndc reconfig' happens.  Subtract this time from the
      calculated next key event.
      
      This only needs to be done after an "rndc reconfig" on zones where
      the keymgr needs to wait for a period of time (for example for keys
      to become OMNIPRESENT, or HIDDEN). This is on step 2 and step 5 of
      the algorithm rollover.  In step 2 there is a waiting period before
      the DNSKEY is OMNIPRESENT, in step 5 there is a waiting period
      before the DNSKEY is HIDDEN.
      
      In step 1 new keys are created, in step 3 and 4 key states just
      entered OMNIPRESENT, and in step 6 we no longer care because the
      key lifetime is unlimited and we default to checking once per hour.
      
      Regardless of our indifference about the next key event after step 6,
      change some of the key timings in the setup script to better
      reflect reality: DNSKEY is in HIDDEN after step 5, DS times have
      changed when the new DS became active.
      62a97570
  15. 03 Apr, 2020 3 commits
    • Add CHANGES · 22aaeb51
      Ondřej Surý authored
      22aaeb51
    • Replace hard coded value with constant · c1723b25
      Matthijs Mekking authored
      c1723b25
    • Redesign dnssec sign statistics · 705810d5
      Matthijs Mekking authored
      The first attempt to add DNSSEC sign statistics was naive: for each
      zone we allocated 64K counters, twice.  In reality each zone has at
      most four keys, so the new approach only has room for four keys per
      zone. If after a rollover more keys have signed the zone, existing
      keys are rotated out.
      
      The DNSSEC sign statistics has three counters per key, so twelve
      counters per zone. First counter is actually a key id, so it is
      clear what key contributed to the metrics.  The second counter
      tracks the number of generated signatures, and the third tracks
      how many of those are refreshes.
      
      This means that in the zone structure we no longer need two separate
      references to DNSSEC sign metrics: both the resign and refresh stats
      are kept in a single dns_stats structure.
      
      Incrementing dnssecsignstats:
      
      Whenever a dnssecsignstat is incremented, we look up the key id
      to see if we already are counting metrics for this key.  If so,
      we update the corresponding operation counter (resign or
      refresh).
      
      If the key is new, store the value in a new counter and increment
      the corresponding counter.
      
      If all slots are full, we rotate the keys and overwrite the last
      slot with the new key.
      
      Dumping dnssecsignstats:
      
      Dumping dnssecsignstats is no longer a simple wrapper around
      isc_stats_dump, but uses the same principle.  The difference is that
      rather than dumping the index (key tag) and counter, we have to look
      up the corresponding counter.
      705810d5
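
The slot scheme described in the "Redesign dnssec sign statistics" commit message, sketched as an added example (this is not the BIND source; all names are hypothetical). It assumes the caller names the operation being counted and that the key rotated out when all four slots are full is the oldest one; key ids in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_SLOTS 4 /* room for four keys per zone */
#define PER_KEY   3 /* per key: key id, signatures, refreshes */
enum sign_op { OP_SIGN = 1, OP_REFRESH = 2 }; /* offset inside a key's slot */

struct zone_signstats {
    uint32_t counters[KEY_SLOTS * PER_KEY]; /* twelve counters per zone */
    int used;                               /* slots currently holding a key */
};
void signstats_init(struct zone_signstats *s) { memset(s, 0, sizeof(*s)); }

/* Return the slot tracking key_id, or -1 if the key is not tracked. */
int signstats_find(const struct zone_signstats *s, uint32_t key_id) {
    for (int i = 0; i < s->used; i++)
        if (s->counters[i * PER_KEY] == key_id)
            return i;
    return -1;
}

void signstats_increment(struct zone_signstats *s, uint32_t key_id, enum sign_op op) {
    int slot = signstats_find(s, key_id);
    if (slot < 0) {
        if (s->used == KEY_SLOTS) {
            /* All slots full: shift every key down one slot (dropping the
             * oldest, an assumption) so the last slot is free for the new key. */
            memmove(s->counters, s->counters + PER_KEY,
                    (KEY_SLOTS - 1) * PER_KEY * sizeof(uint32_t));
            s->used--;
        }
        slot = s->used++;
        s->counters[slot * PER_KEY] = key_id; /* first counter holds the key id */
        s->counters[slot * PER_KEY + OP_SIGN] = s->counters[slot * PER_KEY + OP_REFRESH] = 0;
    }
    s->counters[slot * PER_KEY + op]++;
}

/* Dump-style lookup: find the key's slot first, then read the counter beside it. */
uint32_t signstats_get(const struct zone_signstats *s, uint32_t key_id, enum sign_op op) {
    int slot = signstats_find(s, key_id);
    return slot < 0 ? 0 : s->counters[slot * PER_KEY + op];
}

int main(void) {
    struct zone_signstats s;
    signstats_init(&s);
    for (uint32_t id = 1001; id <= 1005; id++) /* fifth key forces a rotation */
        signstats_increment(&s, id, OP_SIGN);
    for (int i = 0; i < s.used; i++)
        printf("key %u: signed %u\n", (unsigned)s.counters[i * PER_KEY], (unsigned)s.counters[i * PER_KEY + OP_SIGN]);
    return 0;
}
```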