Fix bug in keymgr Depends function

The Depends relation refers to types of rollovers in which a certain
record type is going to be swapped. Specifically, the Depends relation
says there should be no dependency on the predecessor key (the set
Dep(x, T) must be empty).

But if the key is phased out (all its states are in HIDDEN), there is
no longer a dependency. Since the relationship is still maintained
(Predecessor and Successor metadata), the keymgr_dep function still
returned true. In other words, the set Dep(x, T) is not considered
empty.

This slows down key rollovers, only retiring keys when the successor
key has been fully propagated.

(cherry picked from commit 0aac81cf805aac0e36b429eebffd766a4a07aa0f)

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 34fa1dd0cc6a1ddf057964b97bc9ed9a7a02d8e8..023dee9e43a6c0f773568f6ad02170f3038fd7c7 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -617,6 +617,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) {
                 * Check if k is a direct successor of d, e.g. d depends on k.
                 */
                if (keymgr_direct_dep(d->key, k)) {
+                       dst_key_state_t hidden[NUM_KEYSTATES] = {
+                               HIDDEN, HIDDEN, HIDDEN, HIDDEN
+                       };
+                       if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) {
+                               continue;
+                       }
+
                        if (dep != NULL) {
                                *dep = dst_key_id(d->key);
                        }