git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Tue, 14 Jan 2025 14:18:40 +0000 (15:18 +0100)
committer	Matthijs Mekking <matthijs@isc.org>
	Thu, 23 Jan 2025 09:43:07 +0000 (09:43 +0000)
commit	5e3aef364fc3c6382a5761eb339ca780df0829ef
tree	9e00ddac98eb86adfd9cbb80cc50379af43c992f	tree \| snapshot
parent	0a91321d787968f1fb0409023d6ab233f0a4403e	commit \| diff

dnssec-signzone retain signature if key is offline

Track inside the dns_dnsseckey structure whether we have seen the
private key, or if this key only has a public key file.

If the key only has a public key file, or a DNSKEY reference in the
zone, mark the key 'pubkey'. In dnssec-signzone, if the key only
has a public key available, consider the key to be offline. Any
signatures that should be refreshed for which the key is not available,
retain the signature.

So in the code, 'expired' becomes 'refresh', and the new 'expired'
is only used to determine whether we need to keep the signature if
the corresponding key is not available (retaining the signature if
it is not expired).

In the 'keysthatsigned' function, we can remove:
- key->force_publish = false;
- key->force_sign = false;

because they are redundant ('dns_dnsseckey_create' already sets these
values to false).

bin/dnssec/dnssec-signzone.c		diff \| blob \| blame \| history
bin/tests/system/dnssec/tests.sh		diff \| blob \| blame \| history
lib/dns/dnssec.c		diff \| blob \| blame \| history
lib/dns/include/dns/dnssec.h		diff \| blob \| blame \| history