git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Thu, 6 Feb 2020 07:57:13 +0000 (08:57 +0100)
committer	Matthijs Mekking <matthijs@isc.org>
	Thu, 6 Feb 2020 09:17:22 +0000 (10:17 +0100)
commit	b378d0371f5c15f8dd29c0ad6efbb87b3cb62ae5
tree	56eb8dc723f97fdfa5d5ff744f1341dad9d6a9f9	tree \| snapshot
parent	a787bc0b141a9ca8fd318c85878c71f42a88d8a0	commit \| diff

Fix kasp bug new KSK on restart [#1593]

When you do a restart or reconfig of named, or rndc loadkeys, this
triggers the key manager to run. The key manager will check if new
keys need to be created. If there is an active key, and key rollover
is scheduled far enough away, no new key needs to be created.

However, there was a bug that when you just start to sign your zone,
it takes a while before the KSK becomes an active key. An active KSK
has its DS submitted or published, but before the key manager allows
that, the DNSKEY needs to be omnipresent. If you restart named
or rndc loadkeys in quick succession when you just started to sign
your zone, new keys will be created because the KSK is not yet
considered active.

Fix is to check for introducing as well as active keys. These keys
all have in common that their goal is to become omnipresent.

CHANGES		diff \| blob \| blame \| history
bin/tests/system/kasp/ns3/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/kasp/ns3/setup.sh		diff \| blob \| blame \| history
bin/tests/system/kasp/tests.sh		diff \| blob \| blame \| history
lib/dns/dst_api.c		diff \| blob \| blame \| history
lib/dns/include/dst/dst.h		diff \| blob \| blame \| history
lib/dns/keymgr.c		diff \| blob \| blame \| history
lib/dns/win32/libdns.def.in		diff \| blob \| blame \| history