Update key lifetime and metadata after reconfig
authorMatthijs Mekking <matthijs@isc.org>
Mon, 24 Jun 2024 13:14:16 +0000 (15:14 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 30 Jul 2024 11:37:50 +0000 (13:37 +0200)
If dnssec-policy is reconfigured and the key lifetime has changed,
update existing keys with the new lifetime and adjust the retire
and removed timing metadata accordingly.

If the key has no lifetime yet, just initialize the lifetime. It
may be that the retire/removed timing metadata has already been set.

Skip keys whose goal is not set to omnipresent. These keys are already
in the process of retiring, or are still unused.

(cherry picked from commit 1cec0b04481567e814ee3388f84ecf2daf87f169)

lib/dns/keymgr.c

index 023dee9e43a6c0f773568f6ad02170f3038fd7c7..8d2f54eac8abb5f1368292cfea402e5e4af3ba98 100644 (file)
@@ -413,6 +413,41 @@ keymgr_dnsseckey_kaspkey_match(dns_dnsseckey_t *dkey, dns_kasp_key_t *kkey) {
        return (true);
 }
 
+/* Update lifetime and retire and remove time accordingly. */
+static void
+keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
+                          isc_stdtime_t now, uint32_t lifetime) {
+       uint32_t l;
+       dst_key_state_t g = HIDDEN;
+       isc_result_t r;
+
+       (void)dst_key_getstate(key->key, DST_KEY_GOAL, &g);
+       r = dst_key_getnum(key->key, DST_NUM_LIFETIME, &l);
+       /* Initialize lifetime. */
+       if (r != ISC_R_SUCCESS) {
+               dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
+               return;
+       }
+       /* Skip keys that are still hidden or already retiring. */
+       if (g != OMNIPRESENT) {
+               return;
+       }
+       /* Update lifetime and timing metadata. */
+       if (l != lifetime) {
+               dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
+               if (lifetime > 0) {
+                       uint32_t a = now;
+                       (void)dst_key_gettime(key->key, DST_TIME_ACTIVATE, &a);
+                       dst_key_settime(key->key, DST_TIME_INACTIVE,
+                                       (a + lifetime));
+                       keymgr_settime_remove(key, kasp);
+               } else {
+                       dst_key_unsettime(key->key, DST_TIME_INACTIVE);
+                       dst_key_unsettime(key->key, DST_TIME_DELETE);
+               }
+       }
+}
+
 static bool
 keymgr_keyid_conflict(dst_key_t *newkey, dns_dnsseckeylist_t *keys) {
        uint16_t id = dst_key_id(newkey);
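Review bot: `uint32_t a = now;` followed by a discarded `dst_key_gettime(..., DST_TIME_ACTIVATE, &a)` means a key with no recorded activation time gets `DST_TIME_INACTIVE` set to now + lifetime, and nothing in the function says that fallback is intended; I would add `/* No activation time recorded: count the lifetime from now. */` above that line. The sum `(a + lifetime)` is uint32_t arithmetic and wraps silently if a very long lifetime pushes it past 2^32 seconds — presumably the policy parser bounds the lifetime, but a one-line comment or a saturating check would make that explicit. The single-letter locals `l`, `g`, `r`, `a` read poorly next to the long dst_key_* calls; `old_lifetime`, `goal`, `result`, `activate` would cost nothing. Note also that a key whose lifetime metadata is missing is initialized regardless of its goal, while the goal check only gates the update path — this matches the commit message, but is worth stating in the header comment.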
@@ -2122,15 +2157,9 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
                                              keystr, keymgr_keyrole(dkey->key),
                                              dns_kasp_getname(kasp));
 
-                               /* Initialize lifetime if not set. */
-                               uint32_t l;
-                               if (dst_key_getnum(dkey->key, DST_NUM_LIFETIME,
-                                                  &l) != ISC_R_SUCCESS)
-                               {
-                                       dst_key_setnum(dkey->key,
-                                                      DST_NUM_LIFETIME,
-                                                      lifetime);
-                               }
+                               /* Update lifetime if changed. */
+                               keymgr_key_update_lifetime(dkey, kasp, now,
+                                                          lifetime);
 
                                if (active_key) {
                                        /* We already have an active key that
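Review bot: The replacement comment `/* Update lifetime if changed. */` no longer describes the call: keymgr_key_update_lifetime also initializes a missing lifetime and skips keys whose goal is not OMNIPRESENT, so a reader of this loop will not expect the retire/remove times to move. I would write `/* Initialize the lifetime if unset; if the policy changed it, update it and the retire/remove times (keys not yet omnipresent are left alone). */`. The new call also relies on `now` being in scope here, which the removed code did not; it is presumably a parameter or local of dns_keymgr_run, whose body starts and ends outside this hunk.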