From: Matthijs Mekking
Date: Wed, 31 Jan 2024 11:25:29 +0000 (+0100)
Subject: Fix bug in keymgr Depends function
X-Git-Tag: v9.19.23~41^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0aac81cf805aac0e36b429eebffd766a4a07aa0f;p=thirdparty%2Fbind9.git

Fix bug in keymgr Depends function

The Depends relation refers to types of rollovers in which a certain record type is going to be swapped. Specifically, the Depends relation says there should be no dependency on the predecessor key (the set Dep(x, T) must be empty).

But if the key is phased out (all its states are in HIDDEN), there is no longer a dependency. Since the relationship is still maintained (Predecessor and Successor metadata), the keymgr_dep function still returned true. In other words, the set Dep(x, T) is not considered empty.

This slows down key rollovers, only retiring keys when the successor key has been fully propagated.

---

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index cc59e42c0b0..c26d517d4c1 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -630,6 +630,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) { * Check if k is a direct successor of d, e.g. d depends on k. */ if (keymgr_direct_dep(d->key, k)) { + dst_key_state_t hidden[NUM_KEYSTATES] = { + HIDDEN, HIDDEN, HIDDEN, HIDDEN + }; + if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) { + continue; + } + if (dep != NULL) { *dep = dst_key_id(d->key); }
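Review bot: the `hidden[NUM_KEYSTATES]` initializer in the new block hard-codes four `HIDDEN` entries, so its meaning ("every state of d->key is HIDDEN") silently depends on `NUM_KEYSTATES` being exactly 4; if that constant ever grows, the trailing entries are implicitly zero-initialized and `keymgr_key_match_state(d->key, k, NA, NA, hidden)` would compare against whatever state value zero denotes rather than `HIDDEN`. Consider either filling the array in a loop (`for (i = 0; i < NUM_KEYSTATES; i++) hidden[i] = HIDDEN;`) or adding a `STATIC_ASSERT(NUM_KEYSTATES == 4, ...)` next to the literal. A one-line comment above the `continue` stating the intent from the commit message (a fully phased-out predecessor no longer counts toward Dep(x, T), so it must not block retiring the successor) would also help the next reader, since the surrounding comment only explains the direct-dependency check and not why it is skipped here.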