From dcf79ce61f83c0f021209cd718e062dfff2be090 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 16 Oct 2019 17:43:30 +0200
Subject: [PATCH] keygen/settime: Write out successor/predecessor

When creating a successor key, or calculating time for a successor key, write out the successor and predecessor metadata to the related files.
---
 bin/dnssec/dnssec-keygen.c | 13 +++++++++++++
 bin/dnssec/dnssec-settime.c | 8 ++++++++
 lib/dns/dst_api.c | 2 ++
 3 files changed, 23 insertions(+)

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 09b7c09508e..f0600232efd 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -767,6 +767,19 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv)
 fatal("cannot generate a null key due to possible key ID "
 "collision");
 
+ if (ctx->predecessor != NULL && prevkey != NULL) {
+ dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
+ dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
+
+ ret = dst_key_tofile(prevkey, ctx->options, ctx->directory);
+ if (ret != ISC_R_SUCCESS) {
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(prevkey, keystr, sizeof(keystr));
+ fatal("failed to update predecessor %s: %s\n", keystr,
+ isc_result_totext(ret));
+ }
+ }
+
 ret = dst_key_tofile(key, ctx->options, ctx->directory);
 if (ret != ISC_R_SUCCESS) {
 char keystr[DST_KEY_FORMATSIZE];
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index cc72e55662f..1cc12e51906 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -715,6 +715,11 @@ main(int argc, char **argv) {
 if (setttl)
 dst_key_setttl(key, ttl);
 
+ if (predecessor != NULL && prevkey != NULL) {
+ dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
+ dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
+ }
+
 /*
 * No metadata changes were made but we're forcing an upgrade
 * to the new format anyway: use "-P now -A now" as the default
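Review bot: The predecessor's key file is rewritten by `dst_key_tofile(prevkey, ...)` before the new key is written by the `dst_key_tofile(key, ...)` that follows the block, so if that second write fails the on-disk predecessor already carries a `Successor:` id for a key that was never created, and the next tool run reads a dangling link. Moving the whole predecessor block below the successful `dst_key_tofile(key, ...)` leaves the existing key untouched on the failure path. Rewriting an active key's private-key file in place also means a failed write can leave that key unusable for signing; whether `dst_key_tofile` writes through a temporary file and rename is not visible here. The new `fatal("failed to update predecessor %s: %s\n", ...)` ends its format with `\n` while the neighbouring `fatal("cannot generate ... collision")` does not; if `fatal()` appends its own newline this prints an extra blank line. keygen() continues outside the hunk.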
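Review bot: The two `dst_key_setnum` calls overwrite whatever `DST_NUM_SUCCESSOR` the predecessor already carries, so running settime with the same predecessor against a second key silently relinks it to the newest key while the earlier successor keeps a `Predecessor` that no longer points back at it; the keygen hunk above has the same gap. A guard before the assignments would surface that case: `uint32_t cur;` / `if (dst_key_getnum(prevkey, DST_NUM_SUCCESSOR, &cur) == ISC_R_SUCCESS && cur != dst_key_id(key))` / `fatal("predecessor already has a successor");`. Nothing in this hunk sets `changed`, and the write further down in main() is guarded by `if (changed)`, so the links assigned here depend on the `-S` handling elsewhere having set it — worth confirming. main() starts and ends outside the hunk.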
@@ -816,6 +821,9 @@ main(int argc, char **argv) {
 
 if (changed) {
 writekey(key, directory, write_state);
+ if (predecessor != NULL && prevkey != NULL) {
+ writekey(prevkey, directory, write_state);
+ }
 }
 
 if (prevkey != NULL)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 978f8839c48..54dcd06d7df 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1997,6 +1997,8 @@ write_key_state(const dst_key_t *key, int type, const char *directory) {
 
 fprintf(fp, "Length: %u\n", key->key_size);
 printnum(key, DST_NUM_LIFETIME, "Lifetime", fp);
+ printnum(key, DST_NUM_PREDECESSOR, "Predecessor", fp);
+ printnum(key, DST_NUM_SUCCESSOR, "Successor", fp);
 
 printbool(key, DST_BOOL_KSK, "KSK", fp);
 printbool(key, DST_BOOL_ZSK, "ZSK", fp);
-- 
2.47.3
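Review bot: `writekey(key, ...)` runs before the new `writekey(prevkey, ...)`, so a failure while writing the predecessor leaves the new key on disk with a `Predecessor` link whose other half was never persisted; the keygen hunk has the mirror-image ordering problem. Whether `writekey()` aborts or returns on error is not visible here; if it aborts, a short comment at the second call, e.g. `/* key is already on disk; a failure here leaves a one-sided link */`, tells the next reader what state to expect. Both calls are guarded by `if (changed)`, which the linking block in the earlier hunk does not set, so the predecessor write relies on something else in main() having set it. main() continues outside the hunk.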
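Review bot: `Predecessor` and `Successor` are emitted as bare key ids, which the keygen hunk's own context line acknowledges can collide, so a state file can name a predecessor that matches more than one key in the directory; a comment on the two new lines, e.g. `/* Predecessor/Successor are key ids only; key ids are not guaranteed unique. */`, records that limitation where the format is defined. Only the writer is touched in this patch; if the state-file parser is not table-driven over the `DST_NUM_*` tags, these fields would be dropped the next time the file is read and rewritten — worth confirming. write_key_state() starts outside the hunk.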