From: Matthijs Mekking
Date: Wed, 19 Jun 2024 12:48:04 +0000 (+0200)
Subject: Disable some behavior in offline-ksk mode
X-Git-Tag: v9.21.1~23^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e3068ed608d971b8527cb257e8983ddd0cd1c0e;p=thirdparty%2Fbind9.git
Disable some behavior in offline-ksk mode
Some things we no longer want to do when we are in offline-ksk mode. 1. Don't check for inactive and private keys if the key is a KSK. 2. Don't update the TTL of DNSKEY, CDS and CDNSKEY RRset, these come from the SKR.
---
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 17cc0d67d8e..485cbbcc1ef 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1149,10 +1149,10 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 bool both = false;
 /* Don't add signatures for offline or inactive keys */
- if (!dst_key_isprivate(keys[i])) {
+ if (!dst_key_isprivate(keys[i]) && !offlineksk) {
 continue;
 }
- if (dst_key_inactive(keys[i])) {
+ if (dst_key_inactive(keys[i]) && !offlineksk) {
 continue;
 }
@@ -1179,6 +1179,13 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 }
 }
+ if (!dst_key_isprivate(keys[i]) && offlineksk && zsk) {
+ continue;
+ }
+ if (dst_key_inactive(keys[i]) && offlineksk && zsk) {
+ continue;
+ }
+
 if (dns_rdatatype_iskeymaterial(type)) {
 /*
 * DNSKEY RRset is signed with KSK.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 942855c2cd7..9d7af1f5c63 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6599,12 +6599,17 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 dns_rdataset_t rdataset;
 unsigned int i;
 dns_rdata_rrsig_t rrsig;
- bool kasp = zone->kasp;
+ dns_kasp_t *kasp = zone->kasp;
 bool found;
+ bool offlineksk = false;
 int64_t timewarn = 0, timemaybe = 0;
 dns_rdataset_init(&rdataset);
+ if (kasp != NULL) {
+ offlineksk = dns_kasp_offlineksk(kasp);
+ }
+
 if (type == dns_rdatatype_nsec3) {
 result = dns_db_findnsec3node(db, name, false, &node);
 } else {
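Review bot: The comment `/* Don't add signatures for offline or inactive keys */` above the two changed conditions in the update.c hunk at -1149 no longer describes them, because in offline-ksk mode non-private and inactive keys now pass this point and are only filtered again, for ZSKs, further down. Suggest `/* Don't add signatures for offline or inactive keys. In offline-ksk mode the KSK is expected to be offline (its signatures come from the SKR), so only ZSKs are filtered, see below. */`. The identical pair of checks under the same stale comment is in the zone.c add_sigs hunk at -6832 and needs the same wording. add_sigs starts before this hunk and `offlineksk` is set outside it.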
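Review bot: The two ZSK-only checks added in the update.c hunk at -1179 carry no comment saying why a KSK may be non-private or inactive here, which is the point of the change; add `/* In offline-ksk mode the KSK signatures are taken from the SKR, so only a ZSK has to be private and active. */` above them. The `both` flag declared at the top of the previous hunk suggests a key can carry both roles; if `zsk` is true for such a key, a non-private dual-role key is skipped entirely in offline-ksk mode, which may or may not be intended and is worth confirming. As a point of style, these checks and the ones at -1149 are the same two predicates split by `offlineksk`; a single `if (!dst_key_isprivate(keys[i]) && (!offlineksk || zsk))` once `zsk` is known would test each key only once. The enclosing loop continues outside the hunk.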
@@ -6640,7 +6645,9 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 if (!dns_rdatatype_iskeymaterial(type)) {
 bool warn = false, deleted = false;
- if (delsig_ok(&rrsig, keys, nkeys, kasp, &warn)) {
+ if (delsig_ok(&rrsig, keys, nkeys, (kasp != NULL),
+ &warn))
+ {
 result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN, name, rdataset.ttl,
@@ -6710,7 +6717,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 * iff there is a new offline signature.
 */
 if (!dst_key_inactive(keys[i]) &&
- !dst_key_isprivate(keys[i]))
+ !dst_key_isprivate(keys[i]) && !offlineksk)
 {
 int64_t timeexpire = dns_time64_from32( rrsig.timeexpire);
@@ -6832,10 +6839,10 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 for (i = 0; i < nkeys; i++) {
 /* Don't add signatures for offline or inactive keys */
- if (!dst_key_isprivate(keys[i])) {
+ if (!dst_key_isprivate(keys[i]) && !offlineksk) {
 continue;
 }
- if (dst_key_inactive(keys[i])) {
+ if (dst_key_inactive(keys[i]) && !offlineksk) {
 continue;
 }
@@ -6866,9 +6873,20 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 /*
 * Don't consider inactive keys or offline keys.
 */
- (void)dst_key_have_ksk_and_zsk(keys, nkeys, i, true,
- ksk, zsk, NULL,
- &have_zsk);
+ if (!dst_key_isprivate(keys[i]) && offlineksk && zsk) {
+ continue;
+ }
+ if (dst_key_inactive(keys[i]) && offlineksk && zsk) {
+ continue;
+ }
+
+ if (offlineksk) {
+ have_zsk = true;
+ } else {
+ (void)dst_key_have_ksk_and_zsk(keys, nkeys, i,
+ true, ksk, zsk,
+ NULL, &have_zsk);
+ }
 if (dns_rdatatype_iskeymaterial(type)) {
 /*
@@ -22079,7 +22097,7 @@ zone_rekey(dns_zone_t *zone) {
 */
 if (kasp == NULL) {
 ttl = keyset.ttl;
- } else if (ttl != keyset.ttl) {
+ } else if (ttl != keyset.ttl && !offlineksk) {
 result = update_ttl(&keyset, &zone->origin, ttl, &diff);
 if (result != ISC_R_SUCCESS) {
 dnssec_log(zone, ISC_LOG_ERROR,
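Review bot: The comment block ending `* iff there is a new offline signature.` above the changed condition in the del_sigs hunk at -6710 now describes only the non-offline-ksk case; the added `!offlineksk` term skips the branch without saying what is expected to keep or replace the existing RRSIG instead. Extend it with a line such as `In offline-ksk mode the KSK signatures come from the SKR, so this check is skipped.` — the SKR part is taken from the commit message, not from anything visible in the hunk, so confirm before committing to it. The comment and the enclosing loop both start before the hunk.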
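Review bot: In the add_sigs hunk at -6866, `have_zsk = true` is forced in offline-ksk mode without looking at `keys[]`, so if the key set holds no private, active ZSK whatever `have_zsk` gates later in the function (outside the hunk) is suppressed and the RRset may end up with no fresh signature rather than an error; I cannot see the consumer, so please confirm that case is reported. The comment `Don't consider inactive keys or offline keys.` now sits above the two ZSK `continue` checks but describes only the `dst_key_have_ksk_and_zsk()` call in the `else` branch; moving it into that branch and adding `/* offline-ksk: the KSK is never usable locally, so non-key material is signed by the ZSK only */` above `if (offlineksk)` would keep it accurate. The two `continue` checks repeat the pair from the -6832 hunk split by `offlineksk`; one combined predicate once `zsk` is known would be simpler.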
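Review bot: In the zone_rekey hunk at -22079, a mismatch between the policy `ttl` and `keyset.ttl` is now ignored in offline-ksk mode without any trace, so a DNSKEY TTL in the SKR that disagrees with the dnskey-ttl in the policy cannot be seen from the logs; a debug-level `dnssec_log()` call saying the SKR TTL is kept would let operators spot the disagreement. The same silent skip is added for the CDS and CDNSKEY RRsets in the hunks at -22115 and -22135, which should get the same treatment. If `ttl` is used later in zone_rekey to add records, consider whether it should follow `keyset.ttl` in offline-ksk mode the way the `kasp == NULL` branch does, so locally added records match the SKR's TTL — that later use is outside the hunk, so this is a question rather than a defect.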
@@ -22115,7 +22133,8 @@ zone_rekey(dns_zone_t *zone) {
 dns_rdatatype_none, 0, &cdsset, NULL);
 if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset)) {
 dns_rdataset_disassociate(&cdsset);
- } else if (result == ISC_R_SUCCESS && kasp != NULL && ttl != cdsset.ttl)
+ } else if (result == ISC_R_SUCCESS && kasp != NULL &&
+ ttl != cdsset.ttl && !offlineksk)
 {
 result = update_ttl(&cdsset, &zone->origin, ttl, &diff);
 if (result != ISC_R_SUCCESS) {
@@ -22135,7 +22154,7 @@ zone_rekey(dns_zone_t *zone) {
 if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset)) {
 dns_rdataset_disassociate(&cdnskeyset);
 } else if (result == ISC_R_SUCCESS && kasp != NULL &&
- ttl != cdnskeyset.ttl)
+ ttl != cdnskeyset.ttl && !offlineksk)
 {
 result = update_ttl(&cdnskeyset, &zone->origin, ttl, &diff);
 if (result != ISC_R_SUCCESS) {