set_zone "step2.going-insecure.kasp"
set_policy "none" "2" "7200"
set_server "ns6" "10.53.0.6"
-# Expect a CDS/CDNSKEY Delete Record.
-set_cdsdelete
# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
set_dynamic
set_policy "none" "2" "7200"
set_server "ns6" "10.53.0.6"
-# Expect a CDS/CDNSKEY Delete Record.
-set_cdsdelete
# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
}
if (result == ISC_R_SUCCESS) {
- bool insecure = dns_zone_secure_to_insecure(zone, false);
+ /*
+ * Publish CDS/CDNSKEY DELETE records if the zone is
+ * transitioning from secure to insecure.
+ */
+ bool cds_delete = dns_zone_secure_to_insecure(zone, false);
+ isc_stdtime_t when;
/*
* Only update DNSKEY TTL if we have a policy.
goto failure;
}
+ if (cds_delete) {
+ /*
+ * Only publish CDS/CDNSKEY DELETE records if there is
+ * a KSK that can be used to verify the RRset. This
+ * means there must be a key with the KSK role that is
+ * published and is used for signing.
+ */
+ cds_delete = false;
+ for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ dst_key_t *dstk = key->key;
+ bool ksk = false;
+ (void)dst_key_getbool(dstk, DST_BOOL_KSK, &ksk);
+ if (!ksk) {
+ continue;
+ }
+
+ if (dst_key_haskasp(dstk) &&
+ dst_key_is_published(dstk, now, &when) &&
+ dst_key_is_signing(dstk, DST_BOOL_KSK, now,
+ &when))
+ {
+ cds_delete = true;
+ break;
+ }
+ }
+ }
result = dns_dnssec_syncdelete(&cdsset, &cdnskeyset,
&zone->origin, zone->rdclass,
- ttl, &diff, mctx, insecure);
+ ttl, &diff, mctx, cds_delete);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_rekey:couldn't update CDS/CDNSKEY "