keygen/settime: Write out successor/predecessor
authorMatthijs Mekking <matthijs@isc.org>
Wed, 16 Oct 2019 15:43:30 +0000 (17:43 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Wed, 6 Nov 2019 21:36:21 +0000 (22:36 +0100)
When creating a successor key, or calculating the times for a successor
key, write out the successor and predecessor metadata to the related
files.

bin/dnssec/dnssec-keygen.c
bin/dnssec/dnssec-settime.c
lib/dns/dst_api.c

index 09b7c09508eb24730c49f48a6150d90c3aa43ae6..f0600232efdb57dcb047842925e1a26a332e27ac 100644 (file)
@@ -767,6 +767,19 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv)
                fatal("cannot generate a null key due to possible key ID "
                      "collision");
 
+       if (ctx->predecessor != NULL && prevkey != NULL) {
+               dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
+               dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
+
+               ret = dst_key_tofile(prevkey, ctx->options, ctx->directory);
+               if (ret != ISC_R_SUCCESS) {
+                       char keystr[DST_KEY_FORMATSIZE];
+                       dst_key_format(prevkey, keystr, sizeof(keystr));
+                       fatal("failed to update predecessor %s: %s\n", keystr,
+                             isc_result_totext(ret));
+               }
+       }
+
        ret = dst_key_tofile(key, ctx->options, ctx->directory);
        if (ret != ISC_R_SUCCESS) {
                char keystr[DST_KEY_FORMATSIZE];
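Review bot: The predecessor file is rewritten before the new key itself is stored, so if the `dst_key_tofile(key, …)` call that follows the new block fails, the predecessor on disk already records a Successor whose key files never appeared; writing the new key first and updating the predecessor afterwards keeps the on-disk metadata consistent on that failure path (the settime change has the same shape with the roles reversed). Neither this hunk nor the settime one checks whether prevkey already carries a Successor before dst_key_setnum() overwrites it, so a second run naming the same predecessor silently re-points it; reading the current value (dst_key_getnum, if that is the getter the dst API provides) and warning or refusing unless forced would make that visible. The new fatal() message also ends in `\n`, unlike the existing call at the top of this hunk, which will likely print a stray blank line if fatal() appends its own newline; drop it: `fatal("failed to update predecessor %s: %s", keystr, isc_result_totext(ret));`. keygen()'s body continues outside the hunk on both sides.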
index cc72e55662fd128f0879985dacb21257d05d4bcc..1cc12e51906757c41d079014e77399260ceb4d1b 100644 (file)
@@ -715,6 +715,11 @@ main(int argc, char **argv) {
        if (setttl)
                dst_key_setttl(key, ttl);
 
+       if (predecessor != NULL && prevkey != NULL) {
+               dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
+               dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
+       }
+
        /*
         * No metadata changes were made but we're forcing an upgrade
         * to the new format anyway: use "-P now -A now" as the default
@@ -816,6 +821,9 @@ main(int argc, char **argv) {
 
        if (changed) {
                writekey(key, directory, write_state);
+               if (predecessor != NULL && prevkey != NULL) {
+                       writekey(prevkey, directory, write_state);
+               }
        }
 
        if (prevkey != NULL)
index 978f8839c48aca7ed6b2ce0c8c1e82fc38430250..54dcd06d7df5d7afa832bdfde793e696852515ab 100644 (file)
@@ -1997,6 +1997,8 @@ write_key_state(const dst_key_t *key, int type, const char *directory) {
                fprintf(fp, "Length: %u\n", key->key_size);
 
                printnum(key, DST_NUM_LIFETIME, "Lifetime", fp);
+               printnum(key, DST_NUM_PREDECESSOR, "Predecessor", fp);
+               printnum(key, DST_NUM_SUCCESSOR, "Successor", fp);
 
                printbool(key, DST_BOOL_KSK, "KSK", fp);
                printbool(key, DST_BOOL_ZSK, "ZSK", fp);
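Review bot: Only the writer side gains the two fields; nothing in the three files of this commit shows the state-file reader accepting the `Predecessor` and `Successor` tags, so unless that parser is already table-driven over DST_NUM_* (it is outside this diff and may well be), the link written here would be dropped the next time dnssec-settime re-reads and rewrites the key. A one-line comment above the two new printnum() calls would help the next maintainer: `/* Rollover links; keep in sync with the state-file parser's numeric tags */`. write_key_state()'s body continues outside the hunk on both sides.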