git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Thu, 27 Aug 2020 12:24:50 +0000 (14:24 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Wed, 2 Sep 2020 10:00:14 +0000 (12:00 +0200)
commit	c8205bfa0e838c7dae35a24d526e4ccd00614f85
tree	ec2e20c652524a8676ee149215afb2cdbe968a38	tree \| snapshot
parent	2d2b8e7c0258089c7f8f24368f6027bc410edaae	commit \| diff

Fix CDS (non-)publication

The CDS/CDNSKEY record will be published when the DS is in the
rumoured state. However, with the introduction of the rndc '-checkds'
command, the logic in the keymgr was changed to prevent the DS
state to go in RUMOURED unless the specific command was given. Hence,
the CDS was never published before it was seen in the parent.

Initially I thought this was a policy approval rule, however it is
actually a DNSSEC timing rule. Remove the restriction from
'keymgr_policy_approval' and update the 'keymgr_transition_time'
function. When looking to move the DS state to OMNIPRESENT it will
no longer calculate the state from its last change, but from when
the DS was seen in the parent, "DS Publish". If the time was not set,
default to next key event of an hour.

Similarly for moving the DS state to HIDDEN, the time to wait will
be derived from the "DS Delete" time, not from when the DS state
last changed.

CHANGES		diff \| blob \| blame \| history
bin/tests/system/kasp/tests.sh		diff \| blob \| blame \| history
lib/dns/keymgr.c		diff \| blob \| blame \| history