From: Matthijs Mekking Date: Mon, 2 Sep 2024 15:48:22 +0000 (+0200) Subject: Change dnssec-ksr key sorting X-Git-Tag: v9.21.3~77^2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea1fc5c47b1e242eaa43483a00bbb5922c4ad2d3;p=thirdparty%2Fbind9.git Change dnssec-ksr key sorting Sort keys on algorithm, then keytag. This is more convenient for testing.
---
diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c
index ea4d3e729ed..9919fd42105 100644
--- a/bin/dnssec/dnssec-ksr.c
+++ b/bin/dnssec/dnssec-ksr.c
@@ -182,10 +182,14 @@ getkasp(ksr_ctx_t *ksr, dns_kasp_t **kasp) {
 }
 
 static int
-keytag_cmp(const void *k1, const void *k2) {
+keyalgtag_cmp(const void *k1, const void *k2) {
 dns_dnsseckey_t **key1 = (dns_dnsseckey_t **)k1;
 dns_dnsseckey_t **key2 = (dns_dnsseckey_t **)k2;
- if (dst_key_id((*key1)->key) < dst_key_id((*key2)->key)) {
+ if (dst_key_alg((*key1)->key) < dst_key_alg((*key2)->key)) {
+ return (-1);
+ } else if (dst_key_alg((*key1)->key) > dst_key_alg((*key2)->key)) {
+ return (1);
+ } else if (dst_key_id((*key1)->key) < dst_key_id((*key2)->key)) {
 return (-1);
 } else if (dst_key_id((*key1)->key) > dst_key_id((*key2)->key)) {
 return (1);
@@ -220,7 +224,7 @@ get_dnskeys(ksr_ctx_t *ksr, dns_dnsseckeylist_t *keys) {
 {
 keys_sorted[i] = dk;
 }
- qsort(keys_sorted, n, sizeof(dns_dnsseckey_t *), keytag_cmp);
+ qsort(keys_sorted, n, sizeof(dns_dnsseckey_t *), keyalgtag_cmp);
 while (!ISC_LIST_EMPTY(keys_read)) {
 dns_dnsseckey_t *key = ISC_LIST_HEAD(keys_read);
 ISC_LIST_UNLINK(keys_read, key, link);
diff --git a/bin/tests/system/ksr/ns1/named.conf.in b/bin/tests/system/ksr/ns1/named.conf.in
index 9cd4ed67253..75710b42dc6 100644
--- a/bin/tests/system/ksr/ns1/named.conf.in
+++ b/bin/tests/system/ksr/ns1/named.conf.in
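Review bot: `keyalgtag_cmp` in bin/dnssec/dnssec-ksr.c carries no comment stating its ordering or its tie behaviour, and with a two-level comparison that is worth writing down. Two keys that share both algorithm and key tag fall through every branch visible here; the end of the function is outside this hunk, but if it returns 0 their relative order is left to `qsort`, which is not a stable sort, so the key order in the generated request could differ between platforms for colliding tags. I would add above the function `/* qsort() comparator: order by algorithm number, then by key tag; keys equal on both have no defined relative order. */`. If a fully deterministic order is wanted for the tests, a further tie-break on another key property would be needed; which one is appropriate is not visible from this hunk.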
@@ -79,9 +79,9 @@ dnssec-policy "no-cds" {
 dnssec-policy "two-tone" {
 offline-ksk yes;
 keys {
- ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 ksk lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
- zsk lifetime P3M algorithm @DEFAULT_ALGORITHM@;
 zsk lifetime P5M algorithm @ALTERNATIVE_ALGORITHM@;
+ ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk lifetime P3M algorithm @DEFAULT_ALGORITHM@;
 };
 };