From: Matthijs Mekking Date: Thu, 22 May 2025 09:23:48 +0000 (+0200) Subject: Fix spurious missing key files log messages X-Git-Tag: v9.20.11~23^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54a68a4a97c78743ce15ecfc97e6d985c9372d34;p=thirdparty%2Fbind9.git Fix spurious missing key files log messages This happens because old key is purged by one zone view, then the other is freaking out about it. Keys that are unused or being purged should not be taken into account when verifying key files are available. The keyring is maintained per zone. So in one zone, a key in the keyring is being purged. The corresponding key file is removed. The key maintenance is done for the other zone view. The key in that keyring is not yet set to purge, but its corresponding key file is removed. This leads to "some keys are missing" log errors. We should not check the purge variable at this point, but the current time and purge-keys duration. This commit fixes this erroneous logic. (cherry picked from commit d494698852e21e25d65d1e2453813a7b19a0a755) --- diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 04043303f61..11edd569949 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -2408,7 +2408,7 @@ dst_key_tkeytoken(const dst_key_t *key) { * */ bool -dst_key_is_unused(dst_key_t *key) { +dst_key_is_unused(const dst_key_t *key) { isc_stdtime_t val; dst_key_state_t st; int state_type; @@ -2710,7 +2710,7 @@ dst_key_is_removed(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *remove) { } dst_key_state_t -dst_key_goal(dst_key_t *key) { +dst_key_goal(const dst_key_t *key) { dst_key_state_t state; isc_result_t result; diff --git a/lib/dns/include/dns/keymgr.h b/lib/dns/include/dns/keymgr.h index 6ce85bd8f20..884310b4cea 100644 --- a/lib/dns/include/dns/keymgr.h +++ b/lib/dns/include/dns/keymgr.h @@ -162,4 +162,17 @@ dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring, * */ +bool +dns_keymgr_key_may_be_purged(const dst_key_t *key, uint32_t after, + isc_stdtime_t now); +/*%< + * Checks if the key files for 'key' may be removed from disk. + * + * Requires: + *\li 'key' is a valid key. + * + * Returns: + *\li true if the key files may be purged, false otherwise. + */ + ISC_LANG_ENDDECLS diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 9ddfacd92ae..a08a6092fad 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -1155,7 +1155,7 @@ dst_key_haskasp(dst_key_t *key); */ bool -dst_key_is_unused(dst_key_t *key); +dst_key_is_unused(const dst_key_t *key); /*%< * Check if this key is unused. * @@ -1212,7 +1212,7 @@ dst_key_is_removed(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *remove); */ dst_key_state_t -dst_key_goal(dst_key_t *key); +dst_key_goal(const dst_key_t *key); /*%< * Get the key goal. Should be OMNIPRESENT or HIDDEN. * This can be used to determine if the key is being introduced or diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index f0372a4ad74..185806a85b7 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -608,7 +608,7 @@ keymgr_desiredstate(dns_dnsseckey_t *key, dst_key_state_t state) { * */ static bool -keymgr_key_match_state(dst_key_t *key, dst_key_t *subject, int type, +keymgr_key_match_state(const dst_key_t *key, const dst_key_t *subject, int type, dst_key_state_t next_state, dst_key_state_t states[NUM_KEYSTATES]) { REQUIRE(key != NULL); @@ -1951,8 +1951,9 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key, return ISC_R_SUCCESS; } -static bool -keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) { +bool +dns_keymgr_key_may_be_purged(const dst_key_t *key, uint32_t after, + isc_stdtime_t now) { bool ksk = false; bool zsk = false; dst_key_state_t hidden[NUM_KEYSTATES] = { HIDDEN, NA, NA, NA }; @@ -2141,8 +2142,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, } /* Check purge-keys interval. */ - if (keymgr_key_may_be_purged(dkey->key, - dns_kasp_purgekeys(kasp), now)) + if (dns_keymgr_key_may_be_purged(dkey->key, + dns_kasp_purgekeys(kasp), now)) { dst_key_format(dkey->key, keystr, sizeof(keystr)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, diff --git a/lib/dns/zone.c b/lib/dns/zone.c index c070b38810d..4ff40f192f9 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -141,14 +141,14 @@ /*% * KASP flags */ -#define KASP_LOCK(k) \ - if ((k) != NULL) { \ - LOCK((&((k)->lock))); \ +#define KASP_LOCK(k) \ + if ((k) != NULL) { \ + LOCK(&((k)->lock)); \ } -#define KASP_UNLOCK(k) \ - if ((k) != NULL) { \ - UNLOCK((&((k)->lock))); \ +#define KASP_UNLOCK(k) \ + if ((k) != NULL) { \ + UNLOCK(&((k)->lock)); \ } /* @@ -216,7 +216,7 @@ typedef struct dns_include dns_include_t; } while (0) #endif /* ifdef DNS_ZONE_CHECKLOCK */ -#define ZONEDB_INITLOCK(l) isc_rwlock_init((l)) +#define ZONEDB_INITLOCK(l) isc_rwlock_init(l) #define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l) #define ZONEDB_LOCK(l, t) RWLOCK((l), (t)) #define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t)) @@ -22150,7 +22150,8 @@ update_ttl(dns_rdataset_t *rdataset, dns_name_t *name, dns_ttl_t ttl, } static isc_result_t -zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) { +zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys, + uint32_t purgeval, isc_stdtime_t now) { dns_dnsseckey_t *key1, *key2, *next; /* @@ -22163,6 +22164,9 @@ zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) { if (dst_key_is_unused(key1->key)) { continue; } + if (dns_keymgr_key_may_be_purged(key1->key, purgeval, now)) { + continue; + } if (key1->purge) { continue; } @@ -22479,7 +22483,8 @@ zone_rekey(dns_zone_t *zone) { if (kasp != NULL && !offlineksk) { /* Verify new keys. */ - isc_result_t ret = zone_verifykeys(zone, &keys); + isc_result_t ret = zone_verifykeys( + zone, &keys, dns_kasp_purgekeys(kasp), now); if (ret != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_rekey:zone_verifykeys failed: "