keymgr: also set DeleteCDS when setting PublishCDS
authorMatthijs Mekking <matthijs@isc.org>
Tue, 4 Mar 2025 16:14:33 +0000 (17:14 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 20 Mar 2025 10:12:16 +0000 (10:12 +0000)
The keymgr never set the expected timing metadata when CDS/CDNSKEY
records for the corresponding key will be removed from the zone. This
is not troublesome, as key states dictate when this happens, but with
the new pytest we use the timing metadata to determine if the CDS and/or
CDNSKEY for the given key needs to be published.

lib/dns/keymgr.c

index c07046a9a82e661e9af1eeee56c5c40b969d55ff..6f7e568b439d7cfb3c6c0fd2e56e966db73780ae 100644 (file)
@@ -195,6 +195,13 @@ dns_keymgr_settime_syncpublish(dst_key_t *key, dns_kasp_t *kasp, bool first) {
                }
        }
        dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncpublish);
+
+       uint32_t lifetime = 0;
+       ret = dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime);
+       if (ret == ISC_R_SUCCESS && lifetime > 0) {
+               dst_key_settime(key, DST_TIME_SYNCDELETE,
+                               (syncpublish + lifetime));
+       }
 }
 
 /*
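Review bot: The sum `syncpublish + lifetime` passed to `dst_key_settime(key, DST_TIME_SYNCDELETE, ...)` is unchecked, and `lifetime` is a `uint32_t` read from key metadata. If `syncpublish` is also 32 bits wide (its declaration is outside the hunk), a large configured lifetime wraps the sum and stores a SyncDelete time earlier than SyncPublish. The commit message says the new pytest reads this metadata to decide whether CDS/CDNSKEY should be published, so a wrapped value would look like an already withdrawn record. Guard the addition, for example `if (ret == ISC_R_SUCCESS && lifetime > 0 && lifetime <= UINT32_MAX - syncpublish) {`, and leave the time unset when it does not fit. The same sum appears as `syncpub + klifetime` in the keymgr_prepublication_time hunk; the function body here starts outside the hunk.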
@@ -242,6 +249,17 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
                pub = now;
        }
 
+       /*
+        * To calculate phase out times ("Retired", "Removed", ...),
+        * the key lifetime is required.
+        */
+       uint32_t klifetime = 0;
+       ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
+       if (ret != ISC_R_SUCCESS) {
+               dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
+               klifetime = lifetime;
+       }
+
        /*
         * Calculate prepublication time.
         */
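Review bot: The lifetime lookup and its `dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime)` fallback now run on every call, whereas the lines removed further down ran them only when no Inactive time was set. A key that has an Inactive time but no stored lifetime therefore gets one written as a side effect. If that is intended, the new comment should say so, for example `/* The key lifetime is needed for the phase-out times below; store the policy lifetime on the key if it has none, even when Inactive is already set. */`. The result of `dst_key_getnum` is compared only with ISC_R_SUCCESS, so any other failure is treated as "not set" and overwritten. The function body begins and ends outside this hunk.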
@@ -277,6 +295,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
                        syncpub = ISC_MAX(syncpub1, syncpub2);
                        dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
                                        syncpub);
+                       if (klifetime > 0) {
+                               dst_key_settime(key->key, DST_TIME_SYNCDELETE,
+                                               (syncpub + klifetime));
+                       }
                }
        }
 
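Review bot: SyncDelete is written only inside the block that also computes and writes SyncPublish, and only when `klifetime > 0`. The condition guarding that block is outside the hunk, but if it is the "SyncPublish not yet set" case, keys that already carry SyncPublish never receive SyncDelete. A SyncDelete left over from an earlier policy is also not cleared when the lifetime is zero. Anything reading the metadata would then see a publish time with either no withdrawal time or an outdated one. Consider setting or unsetting SyncDelete next to the lifetime lookup rather than inside this branch, or add a comment such as `/* SyncDelete is only derived when SyncPublish is first set. */` if the gap is deliberate.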
@@ -289,13 +311,6 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 
        ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
        if (ret != ISC_R_SUCCESS) {
-               uint32_t klifetime = 0;
-
-               ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
-               if (ret != ISC_R_SUCCESS) {
-                       dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
-                       klifetime = lifetime;
-               }
                if (klifetime == 0) {
                        /*
                         * No inactive time and no lifetime,
@@ -418,6 +433,7 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
                } else {
                        dst_key_unsettime(key->key, DST_TIME_INACTIVE);
                        dst_key_unsettime(key->key, DST_TIME_DELETE);
+                       dst_key_unsettime(key->key, DST_TIME_SYNCDELETE);
                }
        }
 }
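Review bot: Only the `else` branch is touched here, so SyncDelete is cleared together with Inactive and Delete but nothing in this hunk recomputes it in the other branch. That branch starts outside the hunk and, judging by the unset calls mirrored here, presumably sets those two times for the changed lifetime. If so, a key whose lifetime changes from one non-zero value to another keeps a SyncDelete derived from the old lifetime. Recomputing it there from the stored SyncPublish, or unsetting it so it is derived again, would keep the three times consistent.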