Write new DNSKEY TTL to key file
authorMatthijs Mekking <matthijs@isc.org>
Fri, 22 Dec 2023 14:08:45 +0000 (15:08 +0100)
committerMark Andrews <marka@isc.org>
Wed, 3 Jan 2024 01:09:11 +0000 (12:09 +1100)
When the current DNSKEY TTL does not match the one from the policy,
write the new TTL to disk.

bin/tests/system/kasp.sh
bin/tests/system/kasp/tests.sh
bin/tests/system/nsec3/tests.sh
lib/dns/keymgr.c

index a1f669adf790c96d9d4da731928073be8f79b332..5f879cbe713de9ff3c2757dbf3b73d4eb929f651 100644 (file)
@@ -213,7 +213,7 @@ set_policy() {
   POLICY=$1
   NUM_KEYS=$2
   DNSKEY_TTL=$3
-  KEYFILE_TTL=${4:-$3}
+  KEYFILE_TTL=$3
   CDS_DELETE="no"
   CDS_SHA256="yes"
   CDS_SHA384="no"
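Review bot: The new assignment `KEYFILE_TTL=$3` silently ignores any fourth argument a caller still passes, and it leaves KEYFILE_TTL indistinguishable from DNSKEY_TTL without saying why the two are now always equal. A comment on that line such as `# Key files are rewritten with the policy dnskey-ttl, so the file TTL always equals the zone DNSKEY TTL.` would record the intent; if stale four-argument callers are a concern, `[ $# -le 3 ] || echo "set_policy: unexpected extra argument" >&2` would catch them. set_policy's body continues outside the hunk.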
index 981dd69b8e3068d292f00203fc91a1d24ebeaffd..59dd4d391af97d31dcfe1c8c788fc7bf316af77d 100644 (file)
@@ -1379,7 +1379,7 @@ check_rrsig_refresh
 # Zone: dnskey-ttl-mismatch.autosign
 #
 set_zone "dnskey-ttl-mismatch.autosign"
-set_policy "autosign" "2" "300" "30"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
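Review bot: The expected key-file TTL for dnskey-ttl-mismatch.autosign goes from 30 to 300 with no comment explaining that the mismatch this zone is named after is now expected to be repaired, so the zone name and the expectation read as contradictory. A comment above set_policy such as `# Key files start with a TTL that differs from the policy; keymgr rewrites them with the policy dnskey-ttl (300).` would record that; the original value 30 is only inferred from the removed argument. The check commands that consume KEYFILE_TTL are outside the hunk.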
@@ -4079,7 +4079,7 @@ dnssec_verify
 # Zone: step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
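Review bot: The expected DNSKEY TTL for step1.going-insecure.kasp is changed to the bare literal 3600, leaving no trace of where the value comes from; presumably it is the dnskey-ttl of the "insecure" policy now applied to the key files, but that cannot be confirmed from this hunk. A comment such as `# DNSKEY TTL is the "insecure" policy's dnskey-ttl, not the value the key files were created with.` would stop the next reader from taking 3600 as arbitrary. The same literal change is repeated for the step2 and dynamic variants further down the file.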
@@ -4116,7 +4116,7 @@ check_next_key_event 93600
 # Zone: step2.going-insecure.kasp
 #
 set_zone "step2.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
@@ -4146,7 +4146,7 @@ check_next_key_event 7500
 #
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@@ -4184,7 +4184,7 @@ check_next_key_event 93600
 #
 set_zone "step2.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
index da61c8abb37ae2dadc446b056e18235b0cf5b9eb..f7ab72a7d4b82f521d58d1ab16a131f27d76c886 100644 (file)
@@ -41,7 +41,7 @@ set_zone_policy() {
   POLICY=$2
   NUM_KEYS=$3
   DNSKEY_TTL=$4
-  KEYFILE_TTL=${5:-$4}
+  KEYFILE_TTL=$4
   # The CDS digest type in these tests are all the default,
   # which is SHA-256 (2).
   CDS_SHA256="yes"
index ea8dfb788bb99153aa8375674fdeb3fc1e741d5b..56672a1198e5e5d0bed51693ab268bbca6ea43f5 100644 (file)
@@ -2214,11 +2214,16 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
        for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
             dkey = ISC_LIST_NEXT(dkey, link))
        {
-               if (dst_key_ismodified(dkey->key) && !dkey->purge) {
+               bool modified = dst_key_ismodified(dkey->key);
+               if (dst_key_getttl(dkey->key) != dns_kasp_dnskeyttl(kasp)) {
+                       dst_key_setttl(dkey->key, dns_kasp_dnskeyttl(kasp));
+                       modified = true;
+               }
+               if (modified && !dkey->purge) {
                        dns_dnssec_get_hints(dkey, now);
                        RETERR(dst_key_tofile(dkey->key, options, directory));
-                       dst_key_setmodified(dkey->key, false);
                }
+               dst_key_setmodified(dkey->key, false);
        }
 
        result = ISC_R_SUCCESS;
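Review bot: Moving `dst_key_setmodified(dkey->key, false);` to the end of the loop body clears the modified flag for keys with `dkey->purge` set even though those keys were skipped by `dst_key_tofile`, so the TTL just assigned by `dst_key_setttl` (and any earlier in-memory change) is marked clean without ever reaching disk; before this commit only keys that were actually written had the flag reset. If purged keys are never written back this is harmless, but that reasoning deserves a comment, e.g. `/* Purged keys are never written back; clear the flag so the change is not retried. */`, otherwise the reset belongs inside the `if`. Separately, `dns_kasp_dnskeyttl(kasp)` is evaluated twice per key; a local such as `ttl = dns_kasp_dnskeyttl(kasp);` used in both the comparison and `dst_key_setttl` reads better. dns_keymgr_run begins before and ends after this hunk.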