git.ipfire.org Git - thirdparty/bind9.git/commit

author	Mark Andrews <marka@isc.org>
	Tue, 21 Jan 2020 23:04:16 +0000 (23:04 +0000)
committer	Mark Andrews <marka@isc.org>
	Tue, 21 Jan 2020 23:04:16 +0000 (23:04 +0000)
commit	2db5a2539a18792f26006b22ae054914db784690
tree	b2824f343143697ed28fe2cad8bff5c3c547c0a9	tree \| snapshot
parent	79c15d2c07d675322250beff0d4357285742df02	commit \| diff

dnssec: do not publish CDS records when -Psync is in the future

This is a bug I encountered when trying to schedule an algorithm
rollover. My plan, for a zone whose maximum TTL is 48h, was to sign
with the new algorithm and schedule a change of CDS records for more
than 48 hours in the future, roughly like this:

    $ dnssec-keygen -a 13 -fk -Psync now+50h $zone
    $ dnssec-keygen -a 13 $zone
    $ dnssec-settime -Dsync now+50h $zone_ksk_old

However the algorithm 13 CDS was published immediately, which could
have made the zone bogus.

To reveal the bug using the `smartsign` test, this change just adds a
KSK with all its times in the future, so it should not affect the
existing checks at all. But the final check (that there are no CDS or
CDSNSKEY records after -Dsync) fails with the old `syncpublish()`
logic, because the future key's sync records appear early. With the
new `syncpublish()` logic the future key does not affect the test, as
expected, and it now passes.

(cherry picked from commit 4227b7969b27c50cf6f45e8d5a776edab74b097b)

CHANGES		diff \| blob \| blame \| history
bin/tests/system/smartsign/tests.sh		diff \| blob \| blame \| history
lib/dns/dnssec.c		diff \| blob \| blame \| history