Detect if keymgr made changes
authorMatthijs Mekking <matthijs@isc.org>
Thu, 24 Jul 2025 09:14:16 +0000 (11:14 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 21 Aug 2025 14:09:49 +0000 (16:09 +0200)
If so we also want to tickle the apex because DNSKEY/CDNSKEY/CDS
RRsets may need to be re-signed.

Note that this may be overzealous, because if state transitions
happen only because of timing events (RUMOURED -> OMNIPRESENT,
UNRETENTIVE -> HIDDEN), this does not necessarily cause changes in the
zone's DNSSEC records.

lib/dns/keymgr.c
lib/dns/zone.c

index e9ab2a866a4a940258479b11ab9f439c1c393ba1..935d989c4dcc91cb27c4cfdf8c06d4b295f095bf 100644 (file)
@@ -1463,6 +1463,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 static isc_result_t
 keymgr_update(dns_dnsseckeylist_t *keyring, dns_kasp_t *kasp, isc_stdtime_t now,
              isc_stdtime_t *nexttime, uint8_t opts) {
+       isc_result_t result = DNS_R_UNCHANGED;
        bool changed;
        bool force = ((opts & DNS_KEYMGRATTR_FORCESTEP) != 0);
 
@@ -1625,12 +1626,13 @@ transition:
 
        /* We changed something, continue processing. */
        if (changed) {
+               result = ISC_R_SUCCESS;
                /* No longer force for the next run */
                force = false;
                goto transition;
        }
 
-       return ISC_R_SUCCESS;
+       return result;
 }
 
 /*
@@ -2121,7 +2123,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
               dns_dnsseckeylist_t *dnskeys, const char *keydir,
               dns_kasp_t *kasp, uint8_t opts, isc_stdtime_t now,
               isc_stdtime_t *nexttime) {
-       isc_result_t result = ISC_R_SUCCESS;
+       isc_result_t result = DNS_R_UNCHANGED;
        dns_dnsseckeylist_t newkeys;
        int numkeys = 0;
        int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
@@ -2314,7 +2316,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
        }
 
        /* Read to update key states. */
-       keymgr_update(keyring, kasp, now, nexttime, opts);
+       isc_result_t retval = keymgr_update(keyring, kasp, now, nexttime, opts);
 
        /* Store key states and update hints. */
        ISC_LIST_FOREACH(*keyring, dkey, link) {
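Review bot: `retval` only reflects what keymgr_update reports, so if dns_keymgr_run creates or purges keys earlier in the function (that part is outside the hunk) those changes reach the caller only if keymgr_update also observes a state transition for them; that should be verified, or retval set to ISC_R_SUCCESS where keys are created. Keeping a second variable next to `result` is presumably deliberate, since the key-file writes in the loop below may overwrite `result`, but that is not obvious to a reader; a one-line comment would help: `/* Tracks "something changed"; result is clobbered by the I/O below. */`. The enclosing function begins and ends outside this hunk.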
@@ -2322,6 +2324,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
                if (dst_key_getttl(dkey->key) != dns_kasp_dnskeyttl(kasp)) {
                        dst_key_setttl(dkey->key, dns_kasp_dnskeyttl(kasp));
                        modified = true;
+                       retval = ISC_R_SUCCESS;
                }
                if (modified && !dkey->purge) {
                        const char *directory = dst_key_directory(dkey->key);
@@ -2347,10 +2350,9 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
                dst_key_setmodified(dkey->key, false);
        }
 
-       result = ISC_R_SUCCESS;
-
+       result = retval;
 failure:
-       if (result != ISC_R_SUCCESS) {
+       if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) {
                ISC_LIST_FOREACH(newkeys, newkey, link) {
                        ISC_LIST_UNLINK(newkeys, newkey, link);
                        INSIST(newkey->key != NULL);
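Review bot: Treating DNS_R_UNCHANGED as a success code only at this `failure:` check is fragile: any other `result != ISC_R_SUCCESS` test in the rest of dns_keymgr_run (below the hunk, outside the view) and any external caller that compares dns_keymgr_run's return against ISC_R_SUCCESS — unit tests in particular — will now take the error path on a run that changed nothing, so those sites and the header comment on the public declaration need the same exemption. A local comment at the label would make the intent explicit: `/* DNS_R_UNCHANGED is not a failure: keys are kept, nothing is rolled back. */`. Note also that the `DNS_R_UNCHANGED` initialisation at the top of the function (earlier hunk) now only matters for early jumps to `failure` that do not assign `result`, which previously returned ISC_R_SUCCESS; if such jumps exist they should assign an explicit value. The function's body continues past the hunk.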
index 2ccfe722ca29346b24679a68de0516e0af4154d7..edd6f5d143f91b0a0baba9ea14083aeeeba45217 100644 (file)
@@ -22233,6 +22233,7 @@ zone_rekey(dns_zone_t *zone) {
        bool newalg = false;
        bool fullsign;
        bool offlineksk = false;
+       bool kasp_change = false;
        uint8_t options = 0;
        uint32_t sigval = 0;
        dns_ttl_t ttl = 3600;
@@ -22468,7 +22469,11 @@ zone_rekey(dns_zone_t *zone) {
                                                kasp, options, now, &nexttime);
                        dns_zone_unlock_keyfiles(zone);
 
-                       if (result != ISC_R_SUCCESS) {
+                       if (result == ISC_R_SUCCESS) {
+                               kasp_change = true;
+                       } else if (result == DNS_R_UNCHANGED) {
+                               result = ISC_R_SUCCESS;
+                       } else {
                                dnssec_log(zone, ISC_LOG_ERROR,
                                           "zone_rekey:dns_keymgr_run "
                                           "failed: %s",
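Review bot: `kasp_change` is raised for every keymgr transition, including the purely time-driven ones the commit message calls out, so each such zone_rekey run will force a diff apply and apex re-sign in the later hunk even when no DNSKEY/CDS/CDNSKEY data moved; that is extra signing work and serial/IXFR churn per zone, which is worth a comment here so the trade-off is not silently lost: `/* keymgr changed key states: DNSKEY/CDNSKEY/CDS may need re-signing, force the apex update below. */`. If the churn becomes a problem, keymgr could report a change only for transitions that affect published records, and the DNS_R_UNCHANGED-to-ISC_R_SUCCESS mapping in this branch would stay as it is. zone_rekey starts and ends outside this hunk.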
@@ -22686,7 +22691,7 @@ zone_rekey(dns_zone_t *zone) {
                                   "allowed");
                }
 
-               if (newactive || fullsign || sane_diff) {
+               if (newactive || fullsign || sane_diff || kasp_change) {
                        CHECK(dns_diff_apply(&diff, db, ver));
                        CHECK(clean_nsec3param(zone, db, ver, &diff));
                        CHECK(add_signing_records(db, zone->privatetype, ver,