From: Matthijs Mekking Date: Tue, 25 Feb 2025 07:40:33 +0000 (+0100) Subject: Fix a small keymgr bug X-Git-Tag: v9.21.7~39^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef671919d539d3cc41b2fbd276cae0ef017d2891;p=thirdparty%2Fbind9.git Fix a small keymgr bug While converting the kasp system test to pytest, I encountered a small bug in the keymgr code. We retire keys when there is more than one key matching a 'keys' line from the dnssec-policy. But if there are multiple identical 'keys' lines, as is the case for the test zone 'checkds-doubleksk.kasp', we retire one of the two keys that have the same properties. Fix this by checking if there are double matches. This is not fool proof because there may be many keys for a few identical 'keys' lines, but it is good enough for now. In practice it makes no sense to have a policy that dictates multiple keys with identical properties. --- diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index bae21437bdc..6b56d5da8fa 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -2022,6 +2022,20 @@ keymgr_purge_keyfile(dst_key_t *key, int type) { } } +static bool +dst_key_doublematch(dns_dnsseckey_t *key, dns_kasp_t *kasp) { + int matches = 0; + + for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); + kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) + { + if (dns_kasp_key_match(kkey, key)) { + matches++; + } + } + return matches > 1; +} + /* * Examine 'keys' and match 'kasp' policy. * @@ -2161,6 +2175,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, * matches the kasp policy. */ if (!dst_key_is_unused(dkey->key) && + !dst_key_doublematch(dkey, kasp) && (dst_key_goal(dkey->key) == OMNIPRESENT) && !keymgr_dep(dkey->key, keyring,
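Review bot: In the first hunk (the new `dst_key_doublematch` helper), the `dst_key_` prefix belongs to the dst key library, but this is a static helper in keymgr.c alongside `keymgr_purge_keyfile` and `keymgr_dep`; naming it `keymgr_doublematch` (or `keymgr_key_doublematch`) would match the file's convention and avoid suggesting it is part of the public dst API. The helper also has no comment describing what it actually computes: it counts how many `keys` lines in `kasp` match this one key and returns true when more than one does, which is a proxy for "two keys share the same properties" rather than a direct test of it, exactly the limitation the commit message acknowledges. A short comment above the function, e.g. `/* Return true if more than one 'keys' line in the policy matches 'key'. */`, would make that intent and the known gap visible at the definition rather than only in the commit log.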
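Review bot: In the second hunk (the added `!dst_key_doublematch(dkey, kasp) &&` term in the retire condition of `dns_keymgr_run`), the guard silently skips retirement for any key whose policy line is duplicated, including the case the commit message calls out where there are more keys than identical `keys` lines, so a genuinely surplus key would then never be retired. Since nothing at the call site explains why the term is there, a reader cleaning up this condition later could remove it and reintroduce the original bug; please extend the comment just above (`* matches the kasp policy.`) with a sentence noting that duplicate `keys` lines are excluded from the retire check and why, and consider logging at debug level when the double-match guard is what prevents retirement so the skipped case is observable in operation.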