From: Witold Kręcicki <wpk@isc.org>
Date: Tue, 21 Jan 2020 13:20:19 +0000 (+0100)
Subject: dnssec: use less-or-equal when looking at SyncPublish time
X-Git-Tag: v9.16.0~54^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=741bc11bdb4c09cc662d5ff7a8a8636e1d3e9a9e;p=thirdparty%2Fbind9.git

dnssec: use less-or-equal when looking at SyncPublish time

If we created a key, mark its SyncPublish time as 'now' and started
bind the key might not be published if the SyncPublish time is in
the same second as the time the zone is loaded. This is mostly
for dnssec system test, as this kind of scenario is very unlikely
in a real world environment.
---

diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index f448113193a..9d40ac65277 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -673,7 +673,7 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
 	/* If no kasp state, check timings. */
 	publish = false;
 	result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
-	if (result == ISC_R_SUCCESS && when < now) {
+	if (result == ISC_R_SUCCESS && when <= now) {
 		publish = true;
 	}
 	result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);