plugin/sign/sign.go

// Package sign implements a zone signer as a plugin.
package sign

import (
	"path/filepath"
	"time"
)

// Sign contains signers that sign the zones files.
type Sign struct {
	signers []*Signer
}

// OnStartup scans all signers and signs or resigns zones if needed.
func (s *Sign) OnStartup() error {
	for _, signer := range s.signers {
		why := signer.resign()
		if why == nil {
			log.Infof("Skipping signing zone %q in %q: signatures are valid", signer.origin, filepath.Join(signer.directory, signer.signedfile))
			continue
		}
		go signAndLog(signer, why)
	}
	return nil
}

// Various duration constants for signing of the zones.
const (
	DurationExpireDays              = 7 * 24 * time.Hour  // max time allowed before expiration
	DurationResignDays              = 6 * 24 * time.Hour  // if the last sign happenend this long ago, sign again
	DurationSignatureExpireDays     = 32 * 24 * time.Hour // sign for 32 days
	DurationRefreshHours            = 5 * time.Hour       // check zones every 5 hours
	DurationJitter                  = -18 * time.Hour     // default max jitter
	DurationSignatureInceptionHours = -3 * time.Hour      // -(2+1) hours, be sure to catch daylight saving time and such, jitter is subtracted
)

const timeFmt = "2006-01-02T15:04:05.000Z07:00"
plugin/sign: a plugin that signs zone (#2993) * plugin/sign: a plugin that signs zones Sign is a plugin that signs zone data (on disk). The README.md details what exactly happens to should be accurate related to the code. Signs are signed with a CSK, resigning and first time signing is all handled by sign plugin. Logging with a test zone looks something like this: ~~~ txt [INFO] plugin/sign: Signing "miek.nl." because open plugin/sign/testdata/db.miek.nl.signed: no such file or directory [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 11.670985ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T15:49:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563636548 [INFO] plugin/sign: Signing "miek.nl." because resign was: 10m0s ago [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 2.055895ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T16:09:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563637748 ~~~ Signed-off-by: Miek Gieben <miek@miek.nl> * Adjust readme and remove timestamps Signed-off-by: Miek Gieben <miek@miek.nl> * Comment on the newline Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/sign/README.md Co-Authored-By: Michael Grosser <development@stp-ip.net> 2019-08-29 15:41:59 +01:00			`// Package sign implements a zone signer as a plugin.`
			`package sign`

			`import (`
			`"path/filepath"`
			`"time"`
			`)`

			`// Sign contains signers that sign the zones files.`
			`type Sign struct {`
			`signers []*Signer`
			`}`

			`// OnStartup scans all signers and signs or resigns zones if needed.`
			`func (s *Sign) OnStartup() error {`
			`for _, signer := range s.signers {`
			`why := signer.resign()`
			`if why == nil {`
			`log.Infof("Skipping signing zone %q in %q: signatures are valid", signer.origin, filepath.Join(signer.directory, signer.signedfile))`
			`continue`
			`}`
			`go signAndLog(signer, why)`
			`}`
			`return nil`
			`}`

			`// Various duration constants for signing of the zones.`
			`const (`
			`DurationExpireDays = 7 * 24 * time.Hour // max time allowed before expiration`
			`DurationResignDays = 6 * 24 * time.Hour // if the last sign happenend this long ago, sign again`
			`DurationSignatureExpireDays = 32 * 24 * time.Hour // sign for 32 days`
			`DurationRefreshHours = 5 * time.Hour // check zones every 5 hours`
			`DurationJitter = -18 * time.Hour // default max jitter`
fix spelling mistakes (#3364) Automatically submitted. 2019-10-09 15:24:18 +08:00			`DurationSignatureInceptionHours = -3 * time.Hour // -(2+1) hours, be sure to catch daylight saving time and such, jitter is subtracted`
plugin/sign: a plugin that signs zone (#2993) * plugin/sign: a plugin that signs zones Sign is a plugin that signs zone data (on disk). The README.md details what exactly happens to should be accurate related to the code. Signs are signed with a CSK, resigning and first time signing is all handled by sign plugin. Logging with a test zone looks something like this: ~~~ txt [INFO] plugin/sign: Signing "miek.nl." because open plugin/sign/testdata/db.miek.nl.signed: no such file or directory [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 11.670985ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T15:49:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563636548 [INFO] plugin/sign: Signing "miek.nl." because resign was: 10m0s ago [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 2.055895ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T16:09:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563637748 ~~~ Signed-off-by: Miek Gieben <miek@miek.nl> * Adjust readme and remove timestamps Signed-off-by: Miek Gieben <miek@miek.nl> * Comment on the newline Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/sign/README.md Co-Authored-By: Michael Grosser <development@stp-ip.net> 2019-08-29 15:41:59 +01:00			`)`

			`const timeFmt = "2006-01-02T15:04:05.000Z07:00"`