+5354. [bug] dnssec-policy created new KSK keys when zone is in
+ initial stage of signing (the DS is not yet in
+ rumoured or omnipresent state). Fix by checking
+ key goals rather than active state when determining
+ new keys are needed. [GL #1593]
+
5353. [doc] Document port and dscp parameters in forwarders
configuration option. [GL !914]
dnssec-policy "rsasha1";
};
+/*
+ * A configured dnssec-policy with one rumoured key.
+ * Bugfix case for GL #1593.
+ */
+zone "rumoured.kasp" {
+ type master;
+ file "rumoured.kasp.db";
+ dnssec-policy "rsasha1";
+};
+
/*
* Different algorithms.
*/
# Set up zones that will be initially signed.
#
for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
- rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit
+ rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit
do
setup "${zn}.kasp"
cp template.db.in "$zonefile"
$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+zone="rumoured.kasp"
+Tpub="now"
+Tact="now+1d"
+KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $zone 2> keygen.out.$zone.3)
+$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
+
#
# Set up zones that are already signed.
#
check_subdomain
dnssec_verify
+#
+# Zone: rumoured.kasp.
+#
+# There are three keys in rumoured state.
+zone_properties "ns3" "rumoured.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+# key_properties, key_timings and key_states same as above.
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
#
# Zone: secondary.kasp.
#
return ds_ok && zrrsig_ok && time_ok && !inactive;
}
-
bool
dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now, isc_stdtime_t *active)
{
return state_ok && time_ok;
}
+dst_key_state_t
+dst_key_goal(dst_key_t *key)
+{
+ dst_key_state_t state;
+ isc_result_t result;
+
+ result = dst_key_getstate(key, DST_KEY_GOAL, &state);
+ if (result == ISC_R_SUCCESS) {
+ return state;
+ }
+ return DST_KEY_STATE_HIDDEN;
+}
+
void
dst_key_copy_metadata(dst_key_t *to, dst_key_t *from)
{
* 'key' to be valid.
*/
+dst_key_state_t
+dst_key_goal(dst_key_t *key);
+/*%<
+ * Get the key goal. Should be OMNIPRESENT or HIDDEN.
+ * This can be used to determine if the key is being introduced or
+ * is on its way out.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
+
void
dst_key_copy_metadata(dst_key_t *to, dst_key_t *from);
/*%<
lifetime);
}
- if (dst_key_is_active(dkey->key, now)) {
+ if (dst_key_goal(dkey->key) == OMNIPRESENT) {
if (active_key != NULL) {
/*
* Multiple signing keys match
dst_key_getstate
dst_key_gettime
dst_key_getttl
+dst_key_goal
dst_key_id
dst_key_is_active
dst_key_is_published
projects / thirdparty / bind9.git / commitdiff
