git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Thu, 27 Aug 2020 12:24:50 +0000 (14:24 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Wed, 2 Sep 2020 12:59:20 +0000 (14:59 +0200)
commit	6405b04477e4050c291bcc2134ccbadbc343b60f
tree	be5eb616cdc2daaae55cad8476c0bc9d001d7f98	tree \| snapshot
parent	7065299a9d4db769ae296d52e574852dbfa30e73	commit \| diff

Fix CDS (non-)publication

The CDS/CDNSKEY record will be published when the DS is in the
rumoured state. However, with the introduction of the rndc '-checkds'
command, the logic in the keymgr was changed to prevent the DS
state to go in RUMOURED unless the specific command was given. Hence,
the CDS was never published before it was seen in the parent.

Initially I thought this was a policy approval rule, however it is
actually a DNSSEC timing rule. Remove the restriction from
'keymgr_policy_approval' and update the 'keymgr_transition_time'
function. When looking to move the DS state to OMNIPRESENT it will
no longer calculate the state from its last change, but from when
the DS was seen in the parent, "DS Publish". If the time was not set,
default to next key event of an hour.

Similarly for moving the DS state to HIDDEN, the time to wait will
be derived from the "DS Delete" time, not from when the DS state
last changed.

(cherry picked from commit c8205bfa0e838c7dae35a24d526e4ccd00614f85)

CHANGES		diff \| blob \| blame \| history
bin/tests/system/kasp/tests.sh		diff \| blob \| blame \| history
lib/dns/keymgr.c		diff \| blob \| blame \| history