From: Matthijs Mekking <matthijs@isc.org>
Date: Thu, 20 Mar 2025 10:13:22 +0000 (+0000)
Subject: fix: usr: Fix several small DNSSEC timing issues
X-Git-Tag: v9.21.7~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2214cb704ca9fb80e3f136ca1fce03dd8ade7ce;p=thirdparty%2Fbind9.git

fix: usr: Fix several small DNSSEC timing issues

The following small issues related to `dnssec-policy` have been fixed:
- In some cases the key manager inside BIND 9 could run every hour, while it could have run less often.
- While `CDS` and `CDNSKEY` records will be removed correctly from the zone when the corresponding `DS` record needs to be updated, the expected timing metadata when this will happen was never set.
- There were a couple of cases where the safety intervals are added inappropriately, delaying key rollovers longer than necessary.
- If you have identical `keys` in your `dnssec-policy`, they may be retired inappropriately. Note that having keys with identical properties is discouraged in all cases.

Closes #5242

Merge branch '5242-several-keymgr-issues' into 'main'

See merge request isc-projects/bind9!10251
---

d2214cb704ca9fb80e3f136ca1fce03dd8ade7ce