Fix spurious missing key files log messages

I suspect this happens because old key is purged by one zone view,
then the other is freaking out about it.

Keys that are unused or being purged should not be taken into account.

The keyring is maintained per zone. So in one zone, a key in the
keyring is being purged. The corresponding key file is removed.

The key maintenance is done for the other zone view. The key in that
keyring is not yet set to purge, but its corresponding key file is
removed. This leads to "some keys are missing"

I think we should not check the purge variable at this point, but the
current time and purge-keys duration. That is what this commit does.

diff --git a/lib/dns/include/dns/keymgr.h b/lib/dns/include/dns/keymgr.h
index bf08fbb549ed1d8540d057dbdccb2b5507dee0e7..243d843d62859fedda0686e40748351dcf90f4db 100644 (file)
--- a/lib/dns/include/dns/keymgr.h
+++ b/lib/dns/include/dns/keymgr.h
@@ -128,4 +128,16 @@ dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
  *
  */
 
+bool
+dns_keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now);
+/*%<
+ * Checks if the key files for 'key' may be removed from disk.
+ *
+ *     Requires:
+ *\li          'key' is not NULL.
+ *
+ *     Returns:
+ *\li          true if the key files may be purged, false otherwise.
+ */
+
 ISC_LANG_ENDDECLS

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index cbcd3c992e4aa3e7b2e9afb95ec985396495b9f1..8480c7677924ff33ad665865e3d783eb6c2cb877 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1933,8 +1933,8 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
        return ISC_R_SUCCESS;
 }
 
-static bool
-keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) {
+bool
+dns_keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) {
        bool ksk = false;
        bool zsk = false;
        dst_key_state_t hidden[NUM_KEYSTATES] = { HIDDEN, NA, NA, NA };
@@ -2117,7 +2117,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
                }
 
                /* Check purge-keys interval. */
-               if (keymgr_key_may_be_purged(dkey->key,
+               if (dns_keymgr_key_may_be_purged(dkey->key,
                                             dns_kasp_purgekeys(kasp), now))
                {
                        dst_key_format(dkey->key, keystr, sizeof(keystr));

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index e91c2f6bde8168f18c0df54d24cd6e00b48ff2ea..e468de244af1ed451766c65978c325e14ad27503 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -22016,7 +22016,7 @@ update_ttl(dns_rdataset_t *rdataset, dns_name_t *name, dns_ttl_t ttl,
 }
 
 static isc_result_t
-zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
+zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys, uint32_t purgeval, isc_stdtime_t now) {
        dns_dnsseckey_t *key1, *key2, *next;
 
        /*
@@ -22029,6 +22029,9 @@ zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
                if (dst_key_is_unused(key1->key)) {
                        continue;
                }
+               if (dns_keymgr_key_may_be_purged(key1->key, purgeval, now)) {
+                       continue;
+               }
                if (key1->purge) {
                        continue;
                }
@@ -22224,7 +22227,7 @@ zone_rekey(dns_zone_t *zone) {
 
        if (kasp != NULL) {
                /* Verify new keys. */
-               isc_result_t ret = zone_verifykeys(zone, &keys);
+               isc_result_t ret = zone_verifykeys(zone, &keys, dns_kasp_purgekeys(kasp), now);
                if (ret != ISC_R_SUCCESS) {
                        dnssec_log(zone, ISC_LOG_ERROR,
                                   "zone_rekey:zone_verifykeys failed: "