Fix spurious missing key files log messages

This happens because old key is purged by one zone view, then the other
is freaking out about it.

Keys that are unused or being purged should not be taken into account
when verifying key files are available.

The keyring is maintained per zone. So in one zone, a key in the
keyring is being purged. The corresponding key file is removed.

The key maintenance is done for the other zone view. The key in that
keyring is not yet set to purge, but its corresponding key file is
removed. This leads to "some keys are missing" log errors.

We should not check the purge variable at this point, but the
current time and purge-keys duration.

This commit fixes this erroneous logic.

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 5e52548d2960a5e4764c46463b0f1449350c7e26..a794c9d5bb88dd41f86f93e79509750aa6450af7 100644 (file)
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -2296,7 +2296,7 @@ dst_key_tkeytoken(const dst_key_t *key) {
  *
  */
 bool
-dst_key_is_unused(dst_key_t *key) {
+dst_key_is_unused(const dst_key_t *key) {
        isc_stdtime_t val;
        dst_key_state_t st;
        int state_type;
@@ -2598,7 +2598,7 @@ dst_key_is_removed(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *remove) {
 }
 
 dst_key_state_t
-dst_key_goal(dst_key_t *key) {
+dst_key_goal(const dst_key_t *key) {
        dst_key_state_t state;
        isc_result_t result;
 

diff --git a/lib/dns/include/dns/keymgr.h b/lib/dns/include/dns/keymgr.h
index 2e5b6572fba1911fb1679b3f43e76171f28b383d..bf24457e3cbe7eda4bbade0b1e41ae2a92809b2c 100644 (file)
--- a/lib/dns/include/dns/keymgr.h
+++ b/lib/dns/include/dns/keymgr.h
@@ -158,3 +158,16 @@ dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
  *\li          Printable status in 'out'.
  *
  */
+
+bool
+dns_keymgr_key_may_be_purged(const dst_key_t *key, uint32_t after,
+                            isc_stdtime_t now);
+/*%<
+ * Checks if the key files for 'key' may be removed from disk.
+ *
+ *     Requires:
+ *\li          'key' is a valid key.
+ *
+ *     Returns:
+ *\li          true if the key files may be purged, false otherwise.
+ */

diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 8ba5fe136005c7b37e4737869c653411eb565db6..25b541385660d4cca1cfb5d1743ac6003f3c5a23 100644 (file)
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1081,7 +1081,7 @@ dst_key_haskasp(dst_key_t *key);
  */
 
 bool
-dst_key_is_unused(dst_key_t *key);
+dst_key_is_unused(const dst_key_t *key);
 /*%<
  * Check if this key is unused.
  *
@@ -1138,7 +1138,7 @@ dst_key_is_removed(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *remove);
  */
 
 dst_key_state_t
-dst_key_goal(dst_key_t *key);
+dst_key_goal(const dst_key_t *key);
 /*%<
  * Get the key goal. Should be OMNIPRESENT or HIDDEN.
  * This can be used to determine if the key is being introduced or

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index fb94cce729f76c8ea90b88d857cd88bb5abcdc5e..26a2b2c1a1ec62b13084e959ac732c23524b1fc8 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -605,7 +605,7 @@ keymgr_desiredstate(dns_dnsseckey_t *key, dst_key_state_t state) {
  *
  */
 static bool
-keymgr_key_match_state(dst_key_t *key, dst_key_t *subject, int type,
+keymgr_key_match_state(const dst_key_t *key, const dst_key_t *subject, int type,
                       dst_key_state_t next_state,
                       dst_key_state_t states[NUM_KEYSTATES]) {
        REQUIRE(key != NULL);
@@ -1930,8 +1930,9 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
        return ISC_R_SUCCESS;
 }
 
-static bool
-keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) {
+bool
+dns_keymgr_key_may_be_purged(const dst_key_t *key, uint32_t after,
+                            isc_stdtime_t now) {
        bool ksk = false;
        bool zsk = false;
        dst_key_state_t hidden[NUM_KEYSTATES] = { HIDDEN, NA, NA, NA };
@@ -2106,8 +2107,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
                }
 
                /* Check purge-keys interval. */
-               if (keymgr_key_may_be_purged(dkey->key,
-                                            dns_kasp_purgekeys(kasp), now))
+               if (dns_keymgr_key_may_be_purged(dkey->key,
+                                                dns_kasp_purgekeys(kasp), now))
                {
                        dst_key_format(dkey->key, keystr, sizeof(keystr));
                        isc_log_write(DNS_LOGCATEGORY_DNSSEC,

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index ffe1b658877e999e967ff767f2713e705346329c..2100a9810bcd4f5fe61ee22b8c23284f350ebb60 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -21974,7 +21974,8 @@ update_ttl(dns_rdataset_t *rdataset, dns_name_t *name, dns_ttl_t ttl,
 }
 
 static isc_result_t
-zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
+zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys,
+               uint32_t purgeval, isc_stdtime_t now) {
        /*
         * Make sure that the existing keys are also present in the new keylist.
         */
@@ -21984,6 +21985,9 @@ zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
                if (dst_key_is_unused(key1->key)) {
                        continue;
                }
+               if (dns_keymgr_key_may_be_purged(key1->key, purgeval, now)) {
+                       continue;
+               }
                if (key1->purge) {
                        continue;
                }
@@ -22271,7 +22275,8 @@ zone_rekey(dns_zone_t *zone) {
 
        if (kasp != NULL && !offlineksk) {
                /* Verify new keys. */
-               isc_result_t ret = zone_verifykeys(zone, &keys);
+               isc_result_t ret = zone_verifykeys(
+                       zone, &keys, dns_kasp_purgekeys(kasp), now);
                if (ret != ISC_R_SUCCESS) {
                        dnssec_log(zone, ISC_LOG_ERROR,
                                   "zone_rekey:zone_verifykeys failed: "