git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Mon, 3 Mar 2025 11:07:03 +0000 (12:07 +0100)
committer	Matthijs Mekking <matthijs@isc.org>
	Thu, 20 Mar 2025 10:12:16 +0000 (10:12 +0000)
commit	63edc4435f8ddefbbabbf9731f2b44d59d68c40b
tree	35b685693c9c79afb0774ab7d68edf51242a89c2	tree \| snapshot
parent	ef671919d539d3cc41b2fbd276cae0ef017d2891	commit \| diff

Fix wrong usage of safety intervals in keymgr

There are a couple of cases where the safety intervals are added
inappropriately:

1. When setting the PublishCDS/SyncPublish timing metadata, we don't
   need to add the publish-safety value if we are calculating the time
   when the zone is completely signed for the first time. This value
   is for when the DNSKEY has been published and we add a safety
   interval before considering the DNSKEY omnipresent.

2. The retire-safety value should only be added to ZSK rollovers if
   there is an actual rollover happening, similar to adding the sign
   delay.

3. The retire-safety value should only be added to KSK rollovers if
   there is an actual rollover happening. We consider the new DS
   omnipresent a bit later, so that we are forced to keep the old DS
   a bit longer.

bin/tests/system/kasp/ns3/setup.sh		diff \| blob \| blame \| history
bin/tests/system/kasp/ns6/setup.sh		diff \| blob \| blame \| history
bin/tests/system/kasp/tests.sh		diff \| blob \| blame \| history
lib/dns/keymgr.c		diff \| blob \| blame \| history