From: Matthijs Mekking Date: Tue, 4 Mar 2025 16:14:33 +0000 (+0100) Subject: keymgr: also set DeleteCDS when setting PublishCDS X-Git-Tag: v9.21.7~39^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c9d2eb2bf588b2e2dee39986963d03a1edac391;p=thirdparty%2Fbind9.git keymgr: also set DeleteCDS when setting PublishCDS The keymgr never set the expected timing metadata when CDS/CDNSKEY records for the corresponding key will be removed from the zone. This is not troublesome, as key states dictate when this happens, but with the new pytest we use the timing metadata to determine if the CDS and/or CDNSKEY for the given key needs to be published. --- diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index c07046a9a82..6f7e568b439 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -195,6 +195,13 @@ dns_keymgr_settime_syncpublish(dst_key_t *key, dns_kasp_t *kasp, bool first) { } } dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncpublish); + + uint32_t lifetime = 0; + ret = dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime); + if (ret == ISC_R_SUCCESS && lifetime > 0) { + dst_key_settime(key, DST_TIME_SYNCDELETE, + (syncpublish + lifetime)); + } } /* @@ -242,6 +249,17 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, pub = now; } + /* + * To calculate phase out times ("Retired", "Removed", ...), + * the key lifetime is required. + */ + uint32_t klifetime = 0; + ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime); + if (ret != ISC_R_SUCCESS) { + dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime); + klifetime = lifetime; + } + /* * Calculate prepublication time. */ @@ -277,6 +295,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, syncpub = ISC_MAX(syncpub1, syncpub2); dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, syncpub); + if (klifetime > 0) { + dst_key_settime(key->key, DST_TIME_SYNCDELETE, + (syncpub + klifetime)); + } } } 
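Review bot: In dns_keymgr_settime_syncpublish the new `syncpublish + lifetime` is an unchecked addition, and the same pattern appears as `syncpub + klifetime` in the keymgr_prepublication_time hunk at -277. `lifetime` is a uint32_t read from key metadata, so if the publish time is also 32-bit (its declaration is outside the hunk) a very large configured lifetime wraps and stores a SyncDelete in the past. The commit message says the tests now read this metadata to decide whether CDS/CDNSKEY needs to be published, so a guard such as `if (ret == ISC_R_SUCCESS && lifetime > 0 && lifetime <= UINT32_MAX - syncpublish)` would skip a wrapped value instead of recording it. The function body starts outside the hunk.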
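Review bot: Moving the lifetime lookup to this point in keymgr_prepublication_time (hunk at -242) widens a side effect that the new comment does not mention. `dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime)` used to run only when the key had no Inactive time, as the block removed in the next hunk shows, and now runs for every key that reaches this line without a stored lifetime. I would extend the comment with a line like `* If the key has no lifetime yet, it is initialized from the policy here.` so the metadata write is not read as a pure lookup. The function starts and ends outside the hunk, so any early return before this line cannot be checked from here.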
@@ -289,13 +311,6 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire); if (ret != ISC_R_SUCCESS) { - uint32_t klifetime = 0; - - ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime); - if (ret != ISC_R_SUCCESS) { - dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime); - klifetime = lifetime; - } if (klifetime == 0) { /* * No inactive time and no lifetime, @@ -418,6 +433,7 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp, } else { dst_key_unsettime(key->key, DST_TIME_INACTIVE); dst_key_unsettime(key->key, DST_TIME_DELETE); + dst_key_unsettime(key->key, DST_TIME_SYNCDELETE); } } }
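Review bot: SyncDelete is cleared in this `else` branch of keymgr_key_update_lifetime (hunk at -418), but nothing in the hunk updates it when the lifetime changes to a different non-zero value. The matching branch is outside the hunk; if it recomputes Inactive and Delete from the new lifetime, SyncDelete should be recomputed there as well. Otherwise the key keeps a SyncDelete derived from the old lifetime, and anything that reads the timing metadata, including the tests the commit message mentions, would see a stale CDS/CDNSKEY withdrawal time.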