Fix bug in keymgr Depends function

The Depends relation refers to types of rollovers in which a certain
record type is going to be swapped. Specifically, the Depends relation
says there should be no dependency on the predecessor key (the set
Dep(x, T) must be empty).

But if the key is phased out (all its states are in HIDDEN), there is
no longer a dependency. Since the relationship is still maintained
(Predecessor and Successor metadata), the keymgr_dep function still
returned true. In other words, the set Dep(x, T) is not considered
empty.

This slows down key rollovers, only retiring keys when the successor
key has been fully propagated.

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index cc59e42c0b0acc7bdbe4e69b043e6f29f9d9c392..c26d517d4c15530d02ea1a03f120dde05358c78c 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -630,6 +630,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) {
                 * Check if k is a direct successor of d, e.g. d depends on k.
                 */
                if (keymgr_direct_dep(d->key, k)) {
+                       dst_key_state_t hidden[NUM_KEYSTATES] = {
+                               HIDDEN, HIDDEN, HIDDEN, HIDDEN
+                       };
+                       if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) {
+                               continue;
+                       }
+
                        if (dep != NULL) {
                                *dep = dst_key_id(d->key);
                        }