Fix a small keymgr bug

While converting the kasp system test to pytest, I encountered a small
bug in the keymgr code. We retire keys when there is more than one
key matching a 'keys' line from the dnssec-policy. But if there are
multiple identical 'keys' lines, as is the case for the test zone
'checkds-doubleksk.kasp', we retire one of the two keys that have the
same properties.

Fix this by checking if there are double matches. This is not fool proof
because there may be many keys for a few identical 'keys' lines, but it
is good enough for now. In practice it makes no sense to have a policy
that dictates multiple keys with identical properties.

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index bae21437bdcecaada76c50f5c8fcd7db74a0faa0..6b56d5da8fab345dbfaeed6b93a01793e6aae163 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -2022,6 +2022,20 @@ keymgr_purge_keyfile(dst_key_t *key, int type) {
        }
 }
 
+static bool
+dst_key_doublematch(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
+       int matches = 0;
+
+       for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+            kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
+       {
+               if (dns_kasp_key_match(kkey, key)) {
+                       matches++;
+               }
+       }
+       return matches > 1;
+}
+
 /*
  * Examine 'keys' and match 'kasp' policy.
  *
@@ -2161,6 +2175,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
                                         * matches the kasp policy.
                                         */
                                        if (!dst_key_is_unused(dkey->key) &&
+                                           !dst_key_doublematch(dkey, kasp) &&
                                            (dst_key_goal(dkey->key) ==
                                             OMNIPRESENT) &&
                                            !keymgr_dep(dkey->key, keyring,