This happens because old key is purged by one zone view, then the other
is freaking out about it.
Keys that are unused or being purged should not be taken into account
when verifying key files are available.
The keyring is maintained per zone. So in one zone, a key in the
keyring is being purged. The corresponding key file is removed.
The key maintenance is done for the other zone view. The key in that
keyring is not yet set to purge, but its corresponding key file is
removed. This leads to "some keys are missing" log errors.
We should not check the purge variable at this point, but the
current time and purge-keys duration.
This commit fixes this erroneous logic.
(cherry picked from commit
d494698852e21e25d65d1e2453813a7b19a0a755)
*
*/
bool
-dst_key_is_unused(dst_key_t *key) {
+dst_key_is_unused(const dst_key_t *key) {
isc_stdtime_t val;
dst_key_state_t st;
int state_type;
}
dst_key_state_t
-dst_key_goal(dst_key_t *key) {
+dst_key_goal(const dst_key_t *key) {
dst_key_state_t state;
isc_result_t result;
*
*/
+bool
+dns_keymgr_key_may_be_purged(const dst_key_t *key, uint32_t after,
+ isc_stdtime_t now);
+/*%<
+ * Checks if the key files for 'key' may be removed from disk.
+ *
+ * Requires:
+ *\li 'key' is a valid key.
+ *
+ * Returns:
+ *\li true if the key files may be purged, false otherwise.
+ */
+
ISC_LANG_ENDDECLS
*/
bool
-dst_key_is_unused(dst_key_t *key);
+dst_key_is_unused(const dst_key_t *key);
/*%<
* Check if this key is unused.
*
*/
dst_key_state_t
-dst_key_goal(dst_key_t *key);
+dst_key_goal(const dst_key_t *key);
/*%<
* Get the key goal. Should be OMNIPRESENT or HIDDEN.
* This can be used to determine if the key is being introduced or
*
*/
static bool
-keymgr_key_match_state(dst_key_t *key, dst_key_t *subject, int type,
+keymgr_key_match_state(const dst_key_t *key, const dst_key_t *subject, int type,
dst_key_state_t next_state,
dst_key_state_t states[NUM_KEYSTATES]) {
REQUIRE(key != NULL);
return ISC_R_SUCCESS;
}
-static bool
-keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) {
+bool
+dns_keymgr_key_may_be_purged(const dst_key_t *key, uint32_t after,
+ isc_stdtime_t now) {
bool ksk = false;
bool zsk = false;
dst_key_state_t hidden[NUM_KEYSTATES] = { HIDDEN, NA, NA, NA };
}
/* Check purge-keys interval. */
- if (keymgr_key_may_be_purged(dkey->key,
- dns_kasp_purgekeys(kasp), now))
+ if (dns_keymgr_key_may_be_purged(dkey->key,
+ dns_kasp_purgekeys(kasp), now))
{
dst_key_format(dkey->key, keystr, sizeof(keystr));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
/*%
* KASP flags
*/
-#define KASP_LOCK(k) \
- if ((k) != NULL) { \
- LOCK((&((k)->lock))); \
+#define KASP_LOCK(k) \
+ if ((k) != NULL) { \
+ LOCK(&((k)->lock)); \
}
-#define KASP_UNLOCK(k) \
- if ((k) != NULL) { \
- UNLOCK((&((k)->lock))); \
+#define KASP_UNLOCK(k) \
+ if ((k) != NULL) { \
+ UNLOCK(&((k)->lock)); \
}
/*
} while (0)
#endif /* ifdef DNS_ZONE_CHECKLOCK */
-#define ZONEDB_INITLOCK(l) isc_rwlock_init((l))
+#define ZONEDB_INITLOCK(l) isc_rwlock_init(l)
#define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
#define ZONEDB_LOCK(l, t) RWLOCK((l), (t))
#define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t))
}
static isc_result_t
-zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
+zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys,
+ uint32_t purgeval, isc_stdtime_t now) {
dns_dnsseckey_t *key1, *key2, *next;
/*
if (dst_key_is_unused(key1->key)) {
continue;
}
+ if (dns_keymgr_key_may_be_purged(key1->key, purgeval, now)) {
+ continue;
+ }
if (key1->purge) {
continue;
}
if (kasp != NULL && !offlineksk) {
/* Verify new keys. */
- isc_result_t ret = zone_verifykeys(zone, &keys);
+ isc_result_t ret = zone_verifykeys(
+ zone, &keys, dns_kasp_purgekeys(kasp), now);
if (ret != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_rekey:zone_verifykeys failed: "
projects / thirdparty / bind9.git / commitdiff
