From: Libor Peltan
Date: Fri, 5 Dec 2025 12:00:05 +0000 (+0100)
Subject: dnssec/DS-push: replan from timers if reconf'd during submission
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fmerge-requests%2F1833%2Fhead;p=thirdparty%2Fknot-dns.git
dnssec/DS-push: replan from timers if reconf'd during submission
---
diff --git a/src/knot/dnssec/zone-sign.c b/src/knot/dnssec/zone-sign.c
index 7308ec4f9d..0166886d2f 100644
--- a/src/knot/dnssec/zone-sign.c
+++ b/src/knot/dnssec/zone-sign.c
@@ -884,11 +884,18 @@ int knot_zone_sign_update_dnskeys(zone_update_t *update,
 CHECK_RET;
 }
- if (dnssec_ctx->policy->ds_push && node_rrtype_exists(ch.add->apex, KNOT_RRTYPE_CDS)) {
+ if (node_rrtype_exists(ch.add->apex, KNOT_RRTYPE_CDS)) {
 // there is indeed a change to CDS
 update->zone->timers->next_ds_push = time(NULL) + dnssec_ctx->policy->propagation_delay;
 update->zone->timers->flags |= TIMERS_MODIFIED;
- zone_events_schedule_at(update->zone, ZONE_EVENT_DS_PUSH, update->zone->timers->next_ds_push);
+ // the event is planned only if DS-push configured, but timers set always just for case of later reconfiguration
+ if (dnssec_ctx->policy->ds_push) {
+ zone_events_schedule_at(update->zone, ZONE_EVENT_DS_PUSH, update->zone->timers->next_ds_push);
+ }
+ } else if (node_rrtype_exists(ch.remove->apex, KNOT_RRTYPE_CDS)) {
+ // CDS removal
+ update->zone->timers->next_ds_push = 0;
+ update->zone->timers->flags |= TIMERS_MODIFIED;
 }
 ret = zone_update_apply_changeset(update, &ch);
diff --git a/src/knot/events/replan.c b/src/knot/events/replan.c
index 5c3ddbcf77..304cec7f18 100644
--- a/src/knot/events/replan.c
+++ b/src/knot/events/replan.c
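Review bot: The new CDS-removal branch zeroes `next_ds_push` but does nothing about a `ZONE_EVENT_DS_PUSH` that the first branch may already have scheduled when DS-push was configured, so the event can still fire after the CDS records are gone; unless the DS-push handler re-checks the zone for CDS (not visible here), this branch should also unschedule the event, or a comment should record that the handler tolerates a missing CDS. The comment above the `ds_push` check is hard to parse; I would replace it with `// Schedule the event only when DS-push is configured, but always record the timer so that enabling DS-push by a later reconfiguration can still replan it from timers.` The `else if` ordering is right: a changed CDS lands in the first branch and refreshes the timer rather than clearing it, and that is worth one comment on the `else if` line, e.g. `// CDS removed without replacement: forget the pending push`. knot_zone_sign_update_dnskeys begins and ends outside this hunk.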
@@ -147,7 +147,13 @@ void replan_from_timers(conf_t *conf, zone_t *zone)
 if (ds_check == 0) {
 ds_check = TIME_IGNORE;
 }
- ds_push = zone->timers->next_ds_push;
+ val = conf_zone_get(conf, C_DS_PUSH, zone->name);
+ if (val.code != KNOT_EOK) {
+ val = conf_id_get(conf, C_POLICY, C_DS_PUSH, &policy);
+ }
+ if (conf_val_count(&val) > 0) {
+ ds_push = zone->timers->next_ds_push;
+ }
 if (ds_push == 0) {
 ds_push = TIME_IGNORE;
 }
diff --git a/tests-extra/tests/dnssec/ds_push/test.py b/tests-extra/tests/dnssec/ds_push/test.py
index a252e33db4..51326aadb9 100644
--- a/tests-extra/tests/dnssec/ds_push/test.py
+++ b/tests-extra/tests/dnssec/ds_push/test.py
@@ -124,7 +124,6 @@ child.dnssec(child_zone).propagation_delay = 4
 child.dnssec(child_zone).ksk_shared = True
 child.dnssec(child_zone).cds_cdnskey_publish = "always"
-child.conf_zone(child_zone).ds_push = [ parent ]
 child.conf_ss("submission", child_zone).parent = [ parent ]
 child.conf_ss("submission", child_zone).check_interval = 2
@@ -135,7 +134,17 @@ t.sleep(2)
 child.start()
 child.zone_wait(child_zone)
-t.sleep(9)
+SLEEP_FIRST=random.randint(0, 5)
+t.sleep(SLEEP_FIRST)
+child.conf_zone(child_zone).ds_push = [ parent ]
+child.gen_confile()
+child.reload()
+t.sleep(7-SLEEP_FIRST)
+if not child.log_search("KSK submission, confirmed"): set_err("initial KSK not confirmed")
 pregenerate_key(child, child_zone, "ECDSAP256SHA256")
 watch_ksk_rollover(t, child, child_zone[0], 2, 2, 3, "KSK rollover")
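Review bot: `ds_push` is now assigned only inside `if (conf_val_count(&val) > 0)`, so the unchanged `if (ds_push == 0)` test that follows relies on `ds_push` being initialised to 0 at its declaration, which lies outside the hunk; if it is not, that comparison reads an indeterminate value and DS-push may be planned from garbage, so please confirm the declaration is `time_t ds_push = 0;` or equivalent. The zone-then-policy lookup (`conf_zone_get` falling back to `conf_id_get(..., C_POLICY, ...)`) reuses `val` and `policy` from earlier in the function, presumably the same pattern as the ds_check lookup above, which is fine but deserves one line explaining the intent: `// Use the stored DS-push timer only if DS-push is configured (zone or policy level); the timer is kept regardless so a later reconfiguration can pick it up.` replan_from_timers begins and ends outside this hunk.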
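Review bot: `SLEEP_FIRST=random.randint(0, 5)` randomises when the reload happens but the chosen value is never recorded, so a failure of the new `KSK submission, confirmed` check cannot be reproduced from the test log; log it next to the assignment (the exact logging helper this harness uses is not visible here). The total wait before that check also drops from the old `t.sleep(9)` to 7 s plus the reload, which with `propagation_delay = 4` and `check_interval = 2` from the earlier hunk is close to the submission cycle, so it is worth checking this does not become flaky under load. The import that provides `random` is outside the hunk; confirm it exists. Style: `SLEEP_FIRST = random.randint(0, 5)` and `t.sleep(7 - SLEEP_FIRST)` with spaces around operators would match the surrounding lines.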