3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent
authorMark Andrews <marka@isc.org>
Thu, 17 Mar 2011 01:20:49 +0000 (01:20 +0000)
committerMark Andrews <marka@isc.org>
Thu, 17 Mar 2011 01:20:49 +0000 (01:20 +0000)
                        timestamp when determining which keys are active.
                        [RT #23642]

CHANGES
lib/dns/dnssec.c

diff --git a/CHANGES b/CHANGES
index 5e9d390eeeadaba926e6f7a5d1e778ffecc9b716..b11e58fe3e9298106b17f82fb558e416ec38dcae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3075.  [bug]           dns_dnssec_findzonekeys{2} used a inconsistant
+                       timestamp when determining which keys are active.
+                       [RT #23642]
+
 3074.  [bug]           Make the adb cache read through for zone data and
                        glue learn for zone named is authoritative for.
                        [RT #22842]
index 65d1f31a8ae89a4b1a998b138b03c41f21c4971e..eedb6b87748e9552530de7907d6b1eb435f5cfdb 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.119.170.2 2011/03/12 04:59:16 tbox Exp $
+ * $Id: dnssec.c,v 1.119.170.3 2011/03/17 01:20:49 marka Exp $
  */
 
 /*! \file */
@@ -543,9 +543,9 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 }
 
 static isc_boolean_t
-key_active(dst_key_t *key) {
+key_active(dst_key_t *key, isc_stdtime_t now) {
        isc_result_t result;
-       isc_stdtime_t now, publish, active, revoke, inactive, delete;
+       isc_stdtime_t publish, active, revoke, inactive, delete;
        isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
        isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
        isc_boolean_t delset = ISC_FALSE;
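Review bot: The new `now` parameter of key_active() has no comment, so nothing records that it must be a single time sample shared by every key examined in one pass, which is what this fix depends on. I would add above the signature `/* 'now' is the caller's single time sample; all keys in one pass are compared against it. */` and, next to the `isc_stdtime_get(&now);` call added in dns_dnssec_findzonekeys2, `/* Sample the time once so every key is judged against the same instant. */`. Without that, a later cleanup could move the call back into the per-key path and bring back inconsistent active/inactive decisions for keys whose timing metadata sits close to the current time. key_active's body continues outside this hunk.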
@@ -562,8 +562,6 @@ key_active(dst_key_t *key) {
        if (major == 1 && minor <= 2)
                return (ISC_TRUE);
 
-       isc_stdtime_get(&now);
-
        result = dst_key_gettime(key, DST_TIME_PUBLISH, &publish);
        if (result == ISC_R_SUCCESS)
                pubset = ISC_TRUE;
@@ -611,10 +609,13 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
        isc_result_t result;
        dst_key_t *pubkey = NULL;
        unsigned int count = 0;
+       isc_stdtime_t now;
 
        REQUIRE(nkeys != NULL);
        REQUIRE(keys != NULL);
 
+       isc_stdtime_get(&now);
+
        *nkeys = 0;
        dns_rdataset_init(&rdataset);
        RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
@@ -693,7 +694,7 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                /*
                 * If a key is marked inactive, skip it
                 */
-               if (!key_active(keys[count])) {
+               if (!key_active(keys[count], now)) {
                        dst_key_free(&keys[count]);
                        keys[count] = pubkey;
                        pubkey = NULL;
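Review bot: The comment above the changed call, `If a key is marked inactive, skip it`, does not match what the visible lines do: the key is judged by key_active() against the `now` snapshot, and on failure it is freed and its slot refilled with `pubkey` rather than skipped. Since this line is being touched anyway, I would reword it to `/* If the key is not active at 'now', free it and keep only the public key in its slot. */`. The statements after `pubkey = NULL;` are outside this hunk, so the wording should be confirmed against the rest of the block.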