plugin/sign: track zone file's mtime (#4431)

* plugin/sign: track zone file's mtime Resign if the original zone's mtime is change in some way. Closes #4407 Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/sign/README.md Co-authored-by: Chris O'Haver <cohaver@infoblox.com> Co-authored-by: Yong Tang <yong.tang.github@outlook.com> Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
2025-11-02 10:13:14 -05:00 · 2021-02-10 16:56:03 +01:00
parent d29fd8c550
commit c4720b8ad2
3 changed files with 73 additions and 4 deletions
--- a/plugin/sign/signer.go
+++ b/plugin/sign/signer.go
@@ -22,6 +22,7 @@ type Signer struct {
 	origin      string
 	dbfile      string
 	directory   string
+	modTime     time.Time
 	jitterIncep time.Duration
 	jitterExpir time.Duration

@@ -41,6 +42,11 @@ func (s *Signer) Sign(now time.Time) (*file.Zone, error) {
 		return nil, err
 	}

+	// s.dbfile is a parseable zone file, track the mtime
+	if fi, err := os.Stat(s.dbfile); err == nil {
+		s.modTime = fi.ModTime()
+	}
+
 	mttl := z.Apex.SOA.Minttl
 	ttl := z.Apex.SOA.Header().Ttl
 	inception, expiration := lifetime(now, s.jitterIncep, s.jitterExpir)
@@ -115,6 +121,12 @@ func (s *Signer) resign() error {
 	if err != nil && os.IsNotExist(err) {
 		return err
 	}
+	// if modtime of the input zone file has changed, we will also resign.
+	if fi, err := os.Stat(s.dbfile); err == nil {
+		if !s.modTime.IsZero() && fi.ModTime() != s.modTime {
+			return fmt.Errorf("zone's modification time %s; differs from last seen modification time: %s", fi.ModTime().Format(timeFmt), s.modTime.Format(timeFmt))
+		}
+	}

 	now := time.Now().UTC()
 	return resign(rd, now)