Disable some behavior in offline-ksk mode
authorMatthijs Mekking <matthijs@isc.org>
Wed, 19 Jun 2024 12:48:04 +0000 (14:48 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 22 Aug 2024 06:21:52 +0000 (08:21 +0200)
Some things we no longer want to do when we are in offline-ksk mode.

1. Don't check for inactive and private keys if the key is a KSK.
2. Don't update the TTL of the DNSKEY, CDS and CDNSKEY RRsets; these come
   from the SKR.

lib/dns/update.c
lib/dns/zone.c

index 17cc0d67d8e03788b924a07f62fc4679f67c3a69..485cbbcc1efca263ca0b26c5bee146344117ac0b 100644 (file)
@@ -1149,10 +1149,10 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                bool both = false;
 
                /* Don't add signatures for offline or inactive keys */
-               if (!dst_key_isprivate(keys[i])) {
+               if (!dst_key_isprivate(keys[i]) && !offlineksk) {
                        continue;
                }
-               if (dst_key_inactive(keys[i])) {
+               if (dst_key_inactive(keys[i]) && !offlineksk) {
                        continue;
                }
 
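Review bot: With `if (!dst_key_isprivate(keys[i]) && !offlineksk)` and `if (dst_key_inactive(keys[i]) && !offlineksk)`, a key with no private material is no longer rejected here in offline-ksk mode, and the only filter that follows (the next hunk, @@ -1179) skips it solely when it is flagged as a ZSK, so a key that is neither private nor flagged ZSK now reaches the signing code below the hunk. Presumably that path never calls dst_key_sign() with the offline KSK and takes the DNSKEY RRSIGs from the SKR instead, but nothing in the function records that assumption, and a key whose KSK/ZSK flags could not be read would pass both checks. I would add above the first guard: `/* offline-ksk: the KSK has no private key by design and its RRSIGs come from the SKR, so only ZSKs are filtered for private/inactive state here. */`. The same two-stage filter is introduced in zone.c add_sigs (hunks @@ -6832 and @@ -6866) and the comment applies there too. add_sigs starts before the hunk, so where offlineksk is set is not visible.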
@@ -1179,6 +1179,13 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                                }
                        }
 
+                       if (!dst_key_isprivate(keys[i]) && offlineksk && zsk) {
+                               continue;
+                       }
+                       if (dst_key_inactive(keys[i]) && offlineksk && zsk) {
+                               continue;
+                       }
+
                        if (dns_rdatatype_iskeymaterial(type)) {
                                /*
                                 * DNSKEY RRset is signed with KSK.
index 942855c2cd7e51a5adebc99c87049c80e611f2c5..9d7af1f5c63933fefe7c26c2091ea087a211f6c9 100644 (file)
@@ -6599,12 +6599,17 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
        dns_rdataset_t rdataset;
        unsigned int i;
        dns_rdata_rrsig_t rrsig;
-       bool kasp = zone->kasp;
+       dns_kasp_t *kasp = zone->kasp;
        bool found;
+       bool offlineksk = false;
        int64_t timewarn = 0, timemaybe = 0;
 
        dns_rdataset_init(&rdataset);
 
+       if (kasp != NULL) {
+               offlineksk = dns_kasp_offlineksk(kasp);
+       }
+
        if (type == dns_rdatatype_nsec3) {
                result = dns_db_findnsec3node(db, name, false, &node);
        } else {
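Review bot: Changing `bool kasp = zone->kasp;` to `dns_kasp_t *kasp = zone->kasp;` compiles without a diagnostic at every place del_sigs still uses `kasp` as a truth value, so only the call site converted in the next hunk (`delsig_ok(..., (kasp != NULL), &warn)`) is guaranteed to have been revisited; any other `if (kasp)` or `!kasp` in the parts of del_sigs outside these hunks keeps working by pointer-to-bool conversion but now reads ambiguously. It would be worth grepping the rest of the function for bare uses of `kasp` and writing them as `kasp != NULL` for consistency with the converted call. The initialisation `bool offlineksk = false;` guarded by `if (kasp != NULL)` is correct for zones without a policy. del_sigs begins before the hunk.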
@@ -6640,7 +6645,9 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 
                if (!dns_rdatatype_iskeymaterial(type)) {
                        bool warn = false, deleted = false;
-                       if (delsig_ok(&rrsig, keys, nkeys, kasp, &warn)) {
+                       if (delsig_ok(&rrsig, keys, nkeys, (kasp != NULL),
+                                     &warn))
+                       {
                                result = update_one_rr(db, ver, zonediff->diff,
                                                       DNS_DIFFOP_DELRESIGN,
                                                       name, rdataset.ttl,
@@ -6710,7 +6717,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                                 * iff there is a new offline signature.
                                 */
                                if (!dst_key_inactive(keys[i]) &&
-                                   !dst_key_isprivate(keys[i]))
+                                   !dst_key_isprivate(keys[i]) && !offlineksk)
                                {
                                        int64_t timeexpire = dns_time64_from32(
                                                rrsig.timeexpire);
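Review bot: The comment ending in `* iff there is a new offline signature.` describes the branch that keeps an offline key's RRSIG and tracks its expiry, but the new `&& !offlineksk` on `!dst_key_isprivate(keys[i]) && !offlineksk` means that branch is never taken in offline-ksk mode, where the KSK is offline by definition, and the comment does not say so. What happens to such a signature instead (the else path, outside the hunk) is presumably that it is replaced from the SKR, but that is an inference. I would extend the comment with: `In offline-ksk mode the KSK is always offline and its signatures are supplied by the SKR, so this retention check is skipped.`. The enclosing loop starts before the hunk.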
@@ -6832,10 +6839,10 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 
        for (i = 0; i < nkeys; i++) {
                /* Don't add signatures for offline or inactive keys */
-               if (!dst_key_isprivate(keys[i])) {
+               if (!dst_key_isprivate(keys[i]) && !offlineksk) {
                        continue;
                }
-               if (dst_key_inactive(keys[i])) {
+               if (dst_key_inactive(keys[i]) && !offlineksk) {
                        continue;
                }
 
@@ -6866,9 +6873,20 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
                        /*
                         * Don't consider inactive keys or offline keys.
                         */
-                       (void)dst_key_have_ksk_and_zsk(keys, nkeys, i, true,
-                                                      ksk, zsk, NULL,
-                                                      &have_zsk);
+                       if (!dst_key_isprivate(keys[i]) && offlineksk && zsk) {
+                               continue;
+                       }
+                       if (dst_key_inactive(keys[i]) && offlineksk && zsk) {
+                               continue;
+                       }
+
+                       if (offlineksk) {
+                               have_zsk = true;
+                       } else {
+                               (void)dst_key_have_ksk_and_zsk(keys, nkeys, i,
+                                                              true, ksk, zsk,
+                                                              NULL, &have_zsk);
+                       }
 
                        if (dns_rdatatype_iskeymaterial(type)) {
                                /*
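Review bot: `if (offlineksk) { have_zsk = true; }` replaces a computed fact with an assumption: in offline-ksk mode have_zsk is asserted without checking that any private, active ZSK is actually in `keys`, and whatever decisions below the hunk depend on have_zsk will behave as if one exists even when the key set holds only the SKR-supplied KSK. Presumably dst_key_have_ksk_and_zsk() cannot be used here because it would discount the offline KSK, but the reason is not recorded. At minimum I would add `/* offline-ksk: the KSK is never private, so the helper cannot match a KSK/ZSK pair; the policy guarantees a ZSK is present. */` above the assignment, and it may be safer to keep the helper call and only override its verdict when the helper is known to fail in this mode. The comment above, `Don't consider inactive keys or offline keys.`, now sits above the two `continue` guards, which is consistent. add_sigs starts before the hunk.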
@@ -22079,7 +22097,7 @@ zone_rekey(dns_zone_t *zone) {
                 */
                if (kasp == NULL) {
                        ttl = keyset.ttl;
-               } else if (ttl != keyset.ttl) {
+               } else if (ttl != keyset.ttl && !offlineksk) {
                        result = update_ttl(&keyset, &zone->origin, ttl, &diff);
                        if (result != ISC_R_SUCCESS) {
                                dnssec_log(zone, ISC_LOG_ERROR,
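Review bot: `} else if (ttl != keyset.ttl && !offlineksk)` makes a mismatch between the policy's `ttl` and the TTL of the DNSKEY RRset taken from the SKR pass silently in offline-ksk mode, with no log line, so an operator whose SKR was generated with a different dnskey-ttl never learns that the zone is serving a TTL the policy did not ask for. The same silent skip is added for the CDS and CDNSKEY RRsets in the two following hunks (@@ -22115 and @@ -22135). I would add a branch such as `} else if (ttl != keyset.ttl) { dnssec_log(zone, ISC_LOG_WARNING, "offline-ksk: DNSKEY TTL %u from SKR differs from policy TTL %u", (unsigned)keyset.ttl, (unsigned)ttl);` (and the equivalent for the other two RRsets), possibly rate-limited since zone_rekey runs repeatedly. Where offlineksk is set in zone_rekey is outside the hunk.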
@@ -22115,7 +22133,8 @@ zone_rekey(dns_zone_t *zone) {
                                     dns_rdatatype_none, 0, &cdsset, NULL);
        if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset)) {
                dns_rdataset_disassociate(&cdsset);
-       } else if (result == ISC_R_SUCCESS && kasp != NULL && ttl != cdsset.ttl)
+       } else if (result == ISC_R_SUCCESS && kasp != NULL &&
+                  ttl != cdsset.ttl && !offlineksk)
        {
                result = update_ttl(&cdsset, &zone->origin, ttl, &diff);
                if (result != ISC_R_SUCCESS) {
@@ -22135,7 +22154,7 @@ zone_rekey(dns_zone_t *zone) {
        if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset)) {
                dns_rdataset_disassociate(&cdnskeyset);
        } else if (result == ISC_R_SUCCESS && kasp != NULL &&
-                  ttl != cdnskeyset.ttl)
+                  ttl != cdnskeyset.ttl && !offlineksk)
        {
                result = update_ttl(&cdnskeyset, &zone->origin, ttl, &diff);
                if (result != ISC_R_SUCCESS) {