From: Vladimír Čunát Date: Thu, 9 Feb 2017 13:22:58 +0000 (+0100) Subject: trust anchors: remove key missing for too long X-Git-Tag: v1.3.0~23^2~83^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=254044b2db78656ee38cde4aca4dd10aa205e05a;p=thirdparty%2Fknot-resolver.git trust anchors: remove key missing for too long It was strange to keep it indefinitely, and the code was already half-prepared for this change. Theoretically, if a resolver has been stopped for too long to miss a key's period of Revoked status, it would continue to trust the key forever.
---
diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in
index 0619d9761..3eb6da5c2 100644
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -148,6 +148,13 @@ local function ta_missing(ta, hold_down_time)
 if ta.state == key_state.Valid then
 ta.state = key_state.Missing
 ta.timer = os.time() + hold_down_time
+
+ -- Remove key that is missing for too long
+ elseif ta.state == key_state.Missing and os.difftime(ta.timer, os.time()) <= 0 then
+ ta.state = key_state.Removed
+ print('[ ta ] key: '..key_tag..' removed because missing for too long')
+ keep_ta = false
+
 -- Purge pending key
 elseif ta.state == key_state.AddPend then
 print('[ ta ] key: '..key_tag..' purging')
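Review bot: The new `elseif ta.state == key_state.Missing` branch drops a trust anchor on a wall-clock timeout alone, and nothing in the hunk stops it from removing the last usable anchor of the keyset. RFC 5011 keeps a Missing key trusted until it reappears or is seen revoked, so this is a deliberate deviation and the comment should say so, e.g. `-- Remove key that is missing for too long (deviates from RFC 5011, where Missing has no timeout)`. Whether the caller copes with an empty keyset has to be checked where `keep_ta` is consumed, because the body of `ta_missing` starts and ends outside the hunk. If `ta.timer` can be nil for a key that was loaded already in Missing state (not visible here), `os.difftime(ta.timer, os.time())` raises an error, so the condition would be safer as `ta.state == key_state.Missing and ta.timer and os.difftime(ta.timer, os.time()) <= 0`.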