Class: KASPAuditor::KeyTracker
In: ../../auditor/lib/kasp_auditor/key_tracker.rb
Parent: Object
This class manages the caches used to track the lifecycle of the keys that sign the zone. Every key seen in each audited zone is recorded in one of four states: pre-published, in-use, retired, and dead. For RFC 5011 keys the REVOKED bit indicates retirement; non-5011 keys may instead go through a "present, but not used" retirement phase. Keys may also move straight to dead, and once dead they are no longer tracked. When tracking of a non-RFC 5011 zone begins, pre-published and retired keys cannot always be told apart (both are present in the DNSKEY RRset but sign nothing), so some keys may go directly from pre-published to dead.
FILE: one cache file for each zone that is tracked:
<workingdirectory>/tracking/<zone_name>
The file consists of a list of [key, status, timestamp] tuples, where status is one of:
PREPUBLISHED, INUSE, RETIRED, DEAD
DEAD keys may be purged from the file (and may indeed never appear). The key_tag recorded is the PRE-REVOKED key_tag, even for revoked keys (setting the REVOKE bit changes the key tag, so the original tag is the stable identifier). The timestamp field records the time the key first entered its current state. The file starts with two records: the timestamp at which the file was originally created, and the last SOA serial that was seen.
Constants:
SEPARATOR = "\0\0$~$~$~\0\0"

Attributes:
cache [R]
last_soa_serial [RW]
Each run, the auditor needs to load the key caches for the zone, then audit the zone, keeping track of which keys are used. The key caches are then updated. The auditor needs to run the lifetime, numStandby checks on the keys as well.
If the key caches can't be found, create new ones.
These files, once started for a zone, will never be deleted.
Compare two serials according to RFC 1982. Return 0 if equal, -1 if s1 is bigger, 1 if s1 is smaller.
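The comparison described above, written out as an added example in Ruby with the return convention the text states (0 if equal, -1 if s1 is bigger, 1 if s1 is smaller). This is not the auditor's own code; the module and method names are assumptions. It also shows the check the stored SOA serial is kept for: the serial observed in this run must be "bigger" than the last one recorded, with RFC 1982 wraparound taken into account, and the case RFC 1982 leaves undefined (the two serials exactly 2^31 apart) is surfaced rather than silently resolved.

```ruby
# Added example: RFC 1982 serial number arithmetic (SERIAL_BITS = 32).
# Not part of the KASPAuditor code base; names are assumptions.
module SerialExample
  SERIAL_BITS = 32
  MODULUS = 2**SERIAL_BITS
  HALF = 2**(SERIAL_BITS - 1)

  # Returns 0 if equal, -1 if s1 is bigger than s2, 1 if s1 is smaller.
  # Raises ArgumentError for out-of-range input and for the comparison
  # RFC 1982 section 3.2 declares undefined (distance exactly 2^31).
  def self.compare_serial(s1, s2)
    [s1, s2].each do |s|
      raise ArgumentError, "serial out of range: #{s}" unless (0...MODULUS).cover?(s)
    end
    return 0 if s1 == s2
    # Distance walking forward (mod 2^32) from s1 to s2.
    diff = (s2 - s1) % MODULUS
    raise ArgumentError, "comparison undefined for #{s1}, #{s2}" if diff == HALF
    # s2 lies less than half the ring ahead of s1 => s2 follows s1 => s1 is smaller.
    diff < HALF ? 1 : -1
  end

  # The serial seen in this audit run must be bigger than the one stored in
  # the tracker cache from the previous run. An undefined comparison is
  # treated as "not advanced" so the auditor can flag it.
  def self.serial_advanced?(last_seen, current)
    compare_serial(last_seen, current) == 1
  rescue ArgumentError
    false
  end
end
```

A zone whose serial has gone backwards (for example a zone file restored from backup and re-signed) will fail serial_advanced? and should be reported, since validators that already cached the newer serial may reject the regressed zone.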
Load the cache for the zone from the working directory. Create a new cache if one can't be found. By default this also reloads the last SOA serial recorded for the zone.
The auditor calls this method at the end of the auditing run. This is the only public method in this class. It passes in all the keys it has seen and the keys it has seen used: keys is a list of DNSKEYs, and keys_used is a list of the key_tags used to sign RRSIGs in the zone. The data is then used to track the lifecycle of zone keys and to perform the associated auditing checks.
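The per-run update described above (load the cache, audit, advance key states, run the lifetime and standby checks, save) as an added example in Ruby. This is not the auditor's own implementation: the module, class and method names, the record layout (SEPARATOR-joined fields, one record per line, two header records first) and the simplified transition rules are assumptions made for the example. Keys are identified by key tag only, so the caller is responsible for passing the pre-revoked tag as the text requires.

```ruby
# Added example: minimal key lifecycle tracker. Not KASPAuditor code.
module KeyLifecycleExample
  SEPARATOR = "\0\0$~$~$~\0\0"          # assumed to match the class constant
  STATES = %w[PREPUBLISHED INUSE RETIRED DEAD].freeze
  Record = Struct.new(:key_tag, :status, :timestamp)

  class Tracker
    attr_reader :records, :created_at
    attr_accessor :last_soa_serial

    def initialize(created_at: Time.now.to_i, last_soa_serial: 0)
      @created_at = created_at
      @last_soa_serial = last_soa_serial
      @records = {}                      # key_tag => Record
    end

    # Serialise: creation timestamp, last SOA serial, then one record per key.
    # DEAD keys are purged on write, as the page allows.
    def dump
      lines = ["CREATED#{SEPARATOR}#{@created_at}", "SOA#{SEPARATOR}#{@last_soa_serial}"]
      @records.values.reject { |r| r.status == "DEAD" }.each do |r|
        lines << [r.key_tag, r.status, r.timestamp].join(SEPARATOR)
      end
      lines.join("\n") + "\n"
    end

    # Parse a file produced by #dump; rejects unknown states instead of
    # silently carrying corrupt records forward.
    def self.load(text)
      lines = text.split("\n")
      created = Integer(lines.fetch(0).split(SEPARATOR).fetch(1))
      soa = Integer(lines.fetch(1).split(SEPARATOR).fetch(1))
      tracker = new(created_at: created, last_soa_serial: soa)
      lines.drop(2).each do |line|
        tag, status, ts = line.split(SEPARATOR)
        raise ArgumentError, "unknown key status #{status.inspect}" unless STATES.include?(status)
        tracker.records[Integer(tag)] = Record.new(Integer(tag), status, Integer(ts))
      end
      tracker
    end

    # Advance states from this run's observations. keys_seen: tags present in
    # the DNSKEY RRset; keys_used: tags that signed RRSIGs. A key first seen
    # while unused is recorded PREPUBLISHED even if it is really a retiring
    # key (the ambiguity the text notes); keys that vanish become DEAD and
    # are dropped. Returns [tag, from, to] transitions for the audit log.
    def update(keys_seen, keys_used, now: Time.now.to_i)
      transitions = []
      keys_seen.each do |tag|
        r = @records[tag]
        if r.nil?
          r = @records[tag] = Record.new(tag, "PREPUBLISHED", now)
          transitions << [tag, nil, "PREPUBLISHED"]
        end
        if keys_used.include?(tag) && r.status != "INUSE"
          transitions << [tag, r.status, "INUSE"]    # RETIRED -> INUSE is worth flagging
          r.status, r.timestamp = "INUSE", now
        elsif !keys_used.include?(tag) && r.status == "INUSE"
          transitions << [tag, "INUSE", "RETIRED"]
          r.status, r.timestamp = "RETIRED", now
        end
      end
      (@records.keys - keys_seen).each do |tag|
        transitions << [tag, @records[tag].status, "DEAD"]
        @records.delete(tag)
      end
      transitions
    end

    # Lifetime check: tags of INUSE keys that have signed for longer than
    # max_lifetime seconds (the rollover is overdue).
    def overdue(max_lifetime, now: Time.now.to_i)
      @records.values.select { |r| r.status == "INUSE" && now - r.timestamp > max_lifetime }
                     .map(&:key_tag)
    end

    # Standby check: how many pre-published keys are missing against the
    # configured number of standby keys.
    def standby_shortfall(required)
      [required - @records.values.count { |r| r.status == "PREPUBLISHED" }, 0].max
    end
  end
end
```

Because the file is never deleted once started, the parser is strict on purpose: a record with an unknown status is an error, not something to carry forward silently for the life of the zone.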