Don't also skip keymgr run if checkds is skipped
authorMatthijs Mekking <matthijs@isc.org>
Wed, 31 Jan 2024 10:44:07 +0000 (11:44 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 1 Feb 2024 11:06:08 +0000 (12:06 +0100)
Checking the DS at the parent only happens if dns_zone_getdnsseckeys()
returns success. However, if this function somehow fails, it can also
prevent the keymgr from running.

Before the check DS functionality was added, the keymgr ran only
if 'dns_dnssec_findmatchingkeys()' did not return an error (either
ISC_R_SUCCESS or ISC_R_NOTFOUND). After this change, the correct
result code is used again.

lib/dns/zone.c

index f0360e4d4492c5507dfe43e24f8d607610e10e14..249712a4a02e374d309eae0217dd1281aa3f765d 100644 (file)
@@ -21959,20 +21959,20 @@ zone_rekey(dns_zone_t *zone) {
                ISC_LIST_INIT(zone->checkds_ok);
                UNLOCK_ZONE(zone);
 
-               result = dns_zone_getdnsseckeys(zone, db, ver, now,
-                                               &zone->checkds_ok);
-
-               if (result == ISC_R_SUCCESS) {
+               isc_result_t ret = dns_zone_getdnsseckeys(zone, db, ver, now,
+                                                         &zone->checkds_ok);
+               if (ret == ISC_R_SUCCESS) {
                        zone_checkds(zone);
                } else {
                        dnssec_log(zone,
-                                  (result == ISC_R_NOTFOUND) ? ISC_LOG_DEBUG(1)
-                                                             : ISC_LOG_ERROR,
+                                  (ret == ISC_R_NOTFOUND) ? ISC_LOG_DEBUG(1)
+                                                          : ISC_LOG_ERROR,
                                   "zone_rekey:dns_zone_getdnsseckeys failed: "
                                   "%s",
-                                  isc_result_totext(result));
+                                  isc_result_totext(ret));
                }
 
+               /* Run keymgr */
                if (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND) {
                        dns_zone_lock_keyfiles(zone);
                        result = dns_keymgr_run(&zone->origin, zone->rdclass,
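Review bot: The new `/* Run keymgr */` comment does not say which call `result` refers to, and because it sits directly after the block that logs a failed `ret`, a reader can easily assume the condition is gated on the dns_zone_getdnsseckeys() outcome rather than on the earlier dns_dnssec_findmatchingkeys() result that the commit message says it restores. Suggest `/* Run keymgr; 'result' is still the dns_dnssec_findmatchingkeys() outcome, not 'ret' from the checkds lookup above. */` so the distinction the fix depends on is visible at the site. The assignment of `result` from dns_dnssec_findmatchingkeys() is not in this hunk, so that attribution comes from the commit message and should be confirmed; zone_rekey() begins and ends outside the hunk.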
@@ -21993,6 +21993,12 @@ zone_rekey(dns_zone_t *zone) {
 
        KASP_UNLOCK(kasp);
 
+       /*
+        * Update CDS, CDNSKEY and DNSKEY record sets if the keymgr ran
+        * successfully (dns_keymgr_run returned ISC_R_SUCCESS), or in
+        * case of DNSSEC management without dnssec-policy if we have keys
+        * (dns_dnssec_findmatchingkeys returned ISC_R_SUCCESS).
+        */
        if (result == ISC_R_SUCCESS) {
                dns_kasp_digestlist_t digests;
                bool cdsdel = false;