From: Matthijs Mekking
Date: Thu, 22 May 2025 09:23:48 +0000 (+0200)
Subject: Fix spurious missing key files log messages
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Frt-24694-patch;p=thirdparty%2Fbind9.git

Fix spurious missing key files log messages

I suspect this happens because old key is purged by one zone view, then the other is freaking out about it. Keys that are unused or being purged should not be taken into account.

The keyring is maintained per zone. So in one zone, a key in the keyring is being purged. The corresponding key file is removed. The key maintenance is done for the other zone view. The key in that keyring is not yet set to purge, but its corresponding key file is removed. This leads to "some keys are missing"

I think we should not check the purge variable at this point, but the current time and purge-keys duration. That is what this commit does.
---
diff --git a/lib/dns/include/dns/keymgr.h b/lib/dns/include/dns/keymgr.h
index bf08fbb549e..243d843d628 100644
--- a/lib/dns/include/dns/keymgr.h
+++ b/lib/dns/include/dns/keymgr.h
@@ -128,4 +128,16 @@ dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 *
 */
 
+bool
+dns_keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now);
+/*%<
+ * Checks if the key files for 'key' may be removed from disk.
+ *
+ * Requires:
+ *\li 'key' is not NULL.
+ *
+ * Returns:
+ *\li true if the key files may be purged, false otherwise.
+ */
+
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index cbcd3c992e4..8480c767792 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
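Review bot: The Doxygen block added for dns_keymgr_key_may_be_purged() documents only 'key'; now that the function is exported from the library, 'after' and 'now' need a line each, and especially what after == 0 means, because a caller in another file (zone.c in this same commit) can no longer read the body to find out. I would add to the comment `*\li 'after' is the purge-keys interval, as returned by dns_kasp_purgekeys().` and `*\li 'now' is the time against which the key is evaluated.`. The after == 0 behaviour (I would expect it to mean purging is disabled, but the body is not in this hunk) should be stated explicitly under Returns.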
@@ -1933,8 +1933,8 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
 return ISC_R_SUCCESS;
 }
 
-static bool
-keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) {
+bool
+dns_keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) {
 bool ksk = false;
 bool zsk = false;
 dst_key_state_t hidden[NUM_KEYSTATES] = { HIDDEN, NA, NA, NA };
@@ -2117,7 +2117,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 }
 
 /* Check purge-keys interval. */
- if (keymgr_key_may_be_purged(dkey->key,
+ if (dns_keymgr_key_may_be_purged(dkey->key,
 dns_kasp_purgekeys(kasp), now)) {
 dst_key_format(dkey->key, keystr, sizeof(keystr));
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index e91c2f6bde8..e468de244af 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -22016,7 +22016,7 @@ update_ttl(dns_rdataset_t *rdataset, dns_name_t *name, dns_ttl_t ttl,
 }
 
 static isc_result_t
-zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
+zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys, uint32_t purgeval, isc_stdtime_t now) {
 dns_dnsseckey_t *key1, *key2, *next;
 
 /*
@@ -22029,6 +22029,9 @@ zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
 if (dst_key_is_unused(key1->key)) {
 continue;
 }
+ if (dns_keymgr_key_may_be_purged(key1->key, purgeval, now)) {
+ continue;
+ }
 if (key1->purge) {
 continue;
 }
@@ -22224,7 +22227,7 @@ zone_rekey(dns_zone_t *zone) {
 if (kasp != NULL) {
 /* Verify new keys. */
- isc_result_t ret = zone_verifykeys(zone, &keys);
+ isc_result_t ret = zone_verifykeys(zone, &keys, dns_kasp_purgekeys(kasp), now);
 if (ret != ISC_R_SUCCESS) {
 dnssec_log(zone, ISC_LOG_ERROR,
 "zone_rekey:zone_verifykeys failed: "
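Review bot: The rewritten zone_verifykeys() prototype runs well past 80 columns, while the surrounding code in this diff is wrapped at that width (see the dns_keymgr_run() call site, which breaks before `dns_kasp_purgekeys(kasp), now)) {`); BIND's sources are clang-formatted (config not visible here), so wrap the parameter list now rather than leaving it for the next format pass: `zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys,` followed by `uint32_t purgeval, isc_stdtime_t now) {` indented to the opening parenthesis. The function body continues past the end of this hunk.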
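Review bot: Whether the new dns_keymgr_key_may_be_purged() skip is correct when purge-keys is configured as 0 depends on how that function treats after == 0, and its body is outside this diff: if 0 is not handled as "purging disabled", a zone with purging turned off would exempt every key the helper considers purgeable from the missing-key-file check, which is the opposite of what the commit wants. Please confirm that case, or guard it locally with `if (purgeval != 0 && dns_keymgr_key_may_be_purged(key1->key, purgeval, now)) {`. The `if (key1->purge)` skip that follows is kept even though the commit message argues the flag should not be consulted here; if it stays, a comment on the new check explaining why it does not subsume the flag would help, e.g. `/* Another view of this zone may already have purged this key's files; that is not a missing key. See dns_keymgr_key_may_be_purged(). */`. zone_verifykeys() begins and ends outside this hunk.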