From: Evan Hunt <each@isc.org>
Date: Mon, 7 Dec 2009 20:51:12 +0000 (+0000)
Subject: 2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
X-Git-Tag: v9.7.0rc1^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8b602f89be848d44472df92320e9d88213a1411;p=thirdparty%2Fbind9.git

2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
			when it had changed. [RT #20703]
---

diff --git a/CHANGES b/CHANGES
index e4380db45f1..6a74fcd3bb5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 	--- 9.7.0rc1 released ---
 
+2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
+			when it had changed. [RT #20703]
+
 2805.	[bug]		Fixed namespace problems encountered when building
 			external programs using non-exported BIND9 libraries
 			(i.e., built without --enable-exportlib). [RT #20679]
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 9c22ee7a647..19f0546b872 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.539 2009/12/05 01:25:43 each Exp $ */
+/* $Id: zone.c,v 1.540 2009/12/07 20:51:12 each Exp $ */
 
 /*! \file */
 
@@ -13582,6 +13582,53 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 	return (result);
 }
 
+static void
+sign_dnskey(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	    dns_diff_t *diff)
+{
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire;
+	isc_boolean_t check_ksk, keyset_kskonly;
+	dst_key_t *zone_keys[MAXZONEKEYS];
+	unsigned int nkeys = 0, i;
+
+	result = find_zone_keys(zone, db, ver, zone->mctx, MAXZONEKEYS,
+				zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "sign_dnskey:find_zone_keys -> %s\n",
+			     dns_result_totext(result));
+		return;
+	}
+
+	isc_stdtime_get(&now);
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	result = del_sigs(zone, db, ver, &zone->origin, dns_rdatatype_dnskey,
+			  diff, zone_keys, nkeys, now);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "sign_dnskey:del_sigs -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey, diff,
+			  zone_keys, nkeys, zone->mctx, inception, soaexpire,
+			  check_ksk, keyset_kskonly);
+
+	if (result != ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:add_sigs -> %s\n",
+			     dns_result_totext(result));
+ failure:
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+}
+
 static isc_result_t
 zone_rekey(dns_zone_t *zone) {
 	isc_result_t result;
@@ -13648,6 +13695,7 @@ zone_rekey(dns_zone_t *zone) {
 		if (!ISC_LIST_EMPTY(diff.tuples)) {
 			commit = ISC_TRUE;
 			dns_diff_apply(&diff, db, ver);
+			sign_dnskey(zone, db, ver, &diff);
 			add_signing_records(db, zone->privatetype, ver, &diff);
 			result = increment_soa_serial(db, ver, &diff, mctx);
 			if (result == ISC_R_SUCCESS)