[35063] Don't publish an activated key automatically before its publish time

(cherry picked from commit 79d27f505a67ee1fb5cf104cbe7b1ead67d252b4)

diff --git a/CHANGES b/CHANGES
index 9713ad16226abb1c47c1cc45f30912c54aee134d..f7e091164d83a2ae97c5addb7f4521597a36ce82 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+3871.  [bug]           Don't publish an activated key automatically before
+                       its publish time. [RT #35063]
+
+3870.  [placeholder]
+
 3869.  [doc]           Document that in-view zones cannot be used for
                        response policy zones. [RT #35941]
 

diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index f86413e11627466dbd23a1ab0f36c5d53ce895be..3d29c1a2fc37eee0cdf59e483882b0deb0939155 100644 (file)
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -16,6 +16,7 @@
 
 rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f active.key inact.key del.key unpub.key standby.key rev.key
+rm -f activate-now-publish-1day.key
 rm -f nopriv.key vanishing.key del1.key del2.key
 rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
 rm -f missingzsk.key inactivezsk.key

diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
index 7b1b3c71862f0a5df778f14a0da4ce1d36db3ab3..cc95efdf2dc580832ef3cf3651f3ea35134a2687 100644 (file)
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -31,6 +31,7 @@ zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
 zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
 zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
 zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
+zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone`
 zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
 rm $zsknopriv.private
 
@@ -68,4 +69,5 @@ echo $zskinact > ../inact.key
 echo $zskunpub > ../unpub.key
 echo $zsknopriv > ../nopriv.key
 echo $zsksby > ../standby.key
+echo $zskactnowpub1d > ../activate-now-publish-1day.key
 $REVOKE -R $kskrev > ../rev.key

diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 872a2c6884fb6b791cc9af36cdafb2d8d2bec80c..275152c42ac20c8819e94088e37a5ac08aa762c2 100644 (file)
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -772,6 +772,15 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking for activated but unpublished key ($n)"
+ret=0
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking that standby key does not sign records ($n)"
 ret=0
 id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`

diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 68954e97e9533503401ef95d186c3d083e15709f..86365225d01460aacd01719b5ae0c1855b7dca54 100644 (file)
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1251,7 +1251,10 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
        /* Metadata says activate (so we must also publish) */
        if (actset && active <= now) {
                key->hint_sign = ISC_TRUE;
-               key->hint_publish = ISC_TRUE;
+
+               /* Only publish if publish time has already passed. */
+               if (pubset && publish <= now)
+                       key->hint_publish = ISC_TRUE;
        }
 
        /*