[#1625] Algorithm rollover waited too long

Algorithm rollover waited too long before introducing zone
signatures.  It waited to make sure all signatures were resigned,
but when introducing a new algorithm, all signatures are resigned
immediately.  Only add the sign delay if there is a predecessor key.

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 9253c4fd0c2111e96c0db00769e6edfcb6dba6ae..a91173d64686a1e502d12ed05ddcf4a5bc10086e 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1000,14 +1000,22 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
                         * TTLsig is the maximum TTL of all zone RRSIG
                         * records.  This translates to:
                         *
-                        *     Dsgn + zone-propragation-delay + max-zone-ttl.
+                        *     Dsgn + zone-propagation-delay + max-zone-ttl.
                         *
                         * We will also add the retire-safety interval.
                         */
-                       nexttime = lastchange + dns_kasp_signdelay(kasp) +
-                                  dns_kasp_zonemaxttl(kasp) +
+                       nexttime = lastchange + dns_kasp_zonemaxttl(kasp) +
                                   dns_kasp_zonepropagationdelay(kasp) +
                                   dns_kasp_retiresafety(kasp);
+                       /*
+                        * Only add the sign delay Dsgn if there is an actual
+                        * predecessor key.
+                        */
+                       uint32_t pre;
+                       if (dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
+                                          &pre) == ISC_R_SUCCESS) {
+                               nexttime += dns_kasp_signdelay(kasp);
+                       }
                        break;
                default:
                        nexttime = now;