Various rndc dnssec -checkds fixes

While working on 'rndc dnssec -rollover' I noticed the following
(small) issues:

- The key files where updated with hints set to "-when" and that
  should always be "now.
- The kasp system test did not properly update the test number when
  calling 'rndc dnssec -checkds' (and ensuring that works).
- There was a missing ']' in the rndc.c help output.

(cherry picked from commit edc53fc4160095bb32b05982c2a623ac4e7c6ab7)

diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index c873ee5cdfde783c7f4054c740ee3123f9045eda..a3271b202c978ad2c07e19942984f2d2b04559d8 100644 (file)
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -104,7 +104,7 @@ command is one of the following:\n\
                Add zone to given view. Requires allow-new-zones option.\n\
   delzone [-clean] zone [class [view]]\n\
                Removes zone from given view.\n\
-  dnssec -checkds [-key id [-alg algorithm] [-when time] (published|withdrawn) zone [class [view]]\n\
+  dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
                Mark the DS record for the KSK of the given zone as seen\n\
                in the parent.  If the zone has multiple KSKs, select a\n\
                specific key by providing the keytag with -key id and\n\

diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 66e299082dea0af6fd8a5227c95f999ef147b533..fecf1a9e1947976a3c53253c9d13e3d96ef7d1b2 100644 (file)
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1237,10 +1237,16 @@ rndc_checkds() {
                _whencmd="-when ${_when}"
        fi
 
-       echo_i "calling checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+       n=$((n+1))
+       echo_i "calling rndc dnssec -checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+       ret=0
+
        rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (${_keycmd} ${_whencmd} ${_what} zone ${_zone} failed"
 
        _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+
+       test "$ret" -eq 0 || echo_i "failed"
+       status=$((status+ret))
 }
 
 # Tell named to schedule a key rollover.
@@ -1252,15 +1258,16 @@ rndc_rollover() {
        _zone=$5
        _view=$6
 
+       _whencmd=""
+       if [ "${_when}" != "now" ]; then
+               _whencmd="-when ${_when}"
+       fi
+
        n=$((n+1))
-       echo_i "calling rndc dnssec -rollover key ${_keyid} zone ${_zone} ($n)"
+       echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
        ret=0
 
-       if [ "${_when}" = "now" ]; then
-               rndccmd $_server dnssec -rollover -key $_keyid $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
-       else
-               rndccmd $_server dnssec -rollover -key $_keyid -when $_when $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
-       fi
+       rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
 
        _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
 

diff --git a/lib/dns/include/dns/keymgr.h b/lib/dns/include/dns/keymgr.h
index bd53b1c58af8ce88854170ac9eec92a6b582b033..14ee5c980d21b854d1a9e16650c3b820edeaf59b 100644 (file)
--- a/lib/dns/include/dns/keymgr.h
+++ b/lib/dns/include/dns/keymgr.h
@@ -53,11 +53,13 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 
 isc_result_t
 dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-                  const char *directory, isc_stdtime_t now, bool dspublish);
+                  const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+                  bool dspublish);
 isc_result_t
 dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-                     const char *directory, isc_stdtime_t now, bool dspublish,
-                     dns_keytag_t id, unsigned int algorithm);
+                     const char *directory, isc_stdtime_t now,
+                     isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+                     unsigned int algorithm);
 /*%<
  * Check DS for one key in 'keyring'. The key must have the KSK role.
  * If 'dspublish' is set to true, set the DS Publish time to 'now'.

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index c31405c89d097d8b995446ee9b5a53a8317ce36c..2d1edc97cb5d1569a56fffc56a837345a7695ce1 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1864,8 +1864,9 @@ failure:
 
 static isc_result_t
 keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-              const char *directory, isc_stdtime_t now, bool dspublish,
-              dns_keytag_t id, unsigned int alg, bool check_id) {
+              const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+              bool dspublish, dns_keytag_t id, unsigned int alg,
+              bool check_id) {
        int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
        isc_dir_t dir;
        isc_result_t result;
@@ -1905,9 +1906,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
        }
 
        if (dspublish) {
-               dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, now);
+               dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
        } else {
-               dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, now);
+               dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
        }
 
        /* Store key state and update hints. */
@@ -1929,17 +1930,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 
 isc_result_t
 dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-                  const char *directory, isc_stdtime_t now, bool dspublish) {
-       return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0, 0,
-                              false));
+                  const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+                  bool dspublish) {
+       return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+                              0, 0, false));
 }
 
 isc_result_t
 dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-                     const char *directory, isc_stdtime_t now, bool dspublish,
-                     dns_keytag_t id, unsigned int alg) {
-       return (keymgr_checkds(kasp, keyring, directory, now, dspublish, id,
-                              alg, true));
+                     const char *directory, isc_stdtime_t now,
+                     isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+                     unsigned int alg) {
+       return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+                              id, alg, true));
 }
 
 static void