From: Matthijs Mekking Date: Tue, 18 Feb 2020 15:55:36 +0000 (+0100) Subject: [#1626] Fix stuck algorithm rollover X-Git-Tag: v9.17.1~69^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8542b8cab05f90445c201d39c7c0c351244c2d3;p=thirdparty%2Fbind9.git [#1626] Fix stuck algorithm rollover Algorithm rollover was stuck on submitting DS because keymgr thought it would move to an invalid state. It did not match the current key because it checked it against the current key in the next state. Fixed by when checking the current key, check it against the desired state, not the existing state. --- diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index 40d38ff8357..9253c4fd0c2 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -546,8 +546,15 @@ keymgr_ds_hidden_or_chained(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key, * chain of trust (can be this key). */ dnskey_omnipresent[DST_KEY_DS] = NA; - (void)dst_key_getstate(dkey->key, DST_KEY_DS, - &dnskey_omnipresent[DST_KEY_DS]); + if (next_state != NA && + dst_key_id(dkey->key) == dst_key_id(key->key)) + { + /* Check next state rather than current state. */ + dnskey_omnipresent[DST_KEY_DS] = next_state; + } else { + (void)dst_key_getstate(dkey->key, DST_KEY_DS, + &dnskey_omnipresent[DST_KEY_DS]); + } if (!keymgr_key_exists_with_state( keyring, key, type, next_state, dnskey_omnipresent, na, false, match_algorithms))
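Review bot: The new condition `dst_key_id(dkey->key) == dst_key_id(key->key)` decides that `dkey` is the key being examined by key tag alone, and a key tag is a 16-bit value that is not unique. During the algorithm rollover this commit targets, the keyring holds keys of two algorithms, so a key of the other algorithm with the same tag would also take this branch and have `next_state` substituted for its real DS state. Consider comparing the algorithm as well (for example `dst_key_alg(dkey->key) == dst_key_alg(key->key)`) alongside the id check. Separately, `next_state` is passed next to `type` in the `keymgr_key_exists_with_state()` call below, yet here it is written to `dnskey_omnipresent[DST_KEY_DS]` with no check that `type` is `DST_KEY_DS`; if this function can be reached with another `type`, add that condition, and otherwise extend the comment to state why the DS slot is always the right one.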