delay trust anchor management until zones are loaded
authorEvan Hunt <each@isc.org>
Fri, 27 Jan 2023 22:43:11 +0000 (14:43 -0800)
committerEvan Hunt <each@isc.org>
Mon, 6 Feb 2023 21:50:03 +0000 (13:50 -0800)
it was possible for a managed trust anchor needing to send a key
refresh query to be unable to do so because an authoritative zone
was not yet loaded. this has been corrected by delaying the
synchronization of managed-keys zones until after all zones are
loaded.

bin/named/server.c
lib/dns/zone.c

index b57976ff31910a63ad02da7e56e09b9ff7ddd742..12d05faaaca49815e33c0004d850dc6303572430 100644 (file)
@@ -9865,6 +9865,7 @@ view_loaded(void *arg) {
        if (isc_refcount_decrement(&zl->refs) == 1) {
                named_server_t *server = zl->server;
                bool reconfig = zl->reconfig;
+               dns_view_t *view = NULL;
 
                isc_refcount_destroy(&zl->refs);
                isc_mem_put(server->mctx, zl, sizeof(*zl));
@@ -9885,6 +9886,28 @@ view_loaded(void *arg) {
                                      "all zones loaded");
                }
 
+               for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+                    view = ISC_LIST_NEXT(view, link))
+               {
+                       if (view->managed_keys != NULL) {
+                               result = dns_zone_synckeyzone(
+                                       view->managed_keys);
+                               if (result != ISC_R_SUCCESS) {
+                                       isc_log_write(
+                                               named_g_lctx,
+                                               DNS_LOGCATEGORY_DNSSEC,
+                                               DNS_LOGMODULE_DNSSEC,
+                                               ISC_LOG_ERROR,
+                                               "failed to initialize "
+                                               "managed-keys for view %s "
+                                               "(%s): DNSSEC validation is "
+                                               "at risk",
+                                               view->name,
+                                               isc_result_totext(result));
+                               }
+                       }
+               }
+
                CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
                           "forcing zone maintenance");
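Review bot: When `dns_zone_synckeyzone()` fails in the new loop, the error is only logged and execution carries on to `dns_zonemgr_forcemaint()`, whereas the code this commit removes from `zone_postload()` took `goto cleanup` on the same failure. If continuing is intended, say so at the call site and record why the sync lives here, since that reasoning is only in the commit message: `/* Sync managed-keys only after all zones are loaded so key refresh queries can be answered; a failure is logged, not fatal. */`. The log line is then the only signal that a view is running with unsynchronized trust anchors, so it is worth keeping at `ISC_LOG_ERROR` in the DNSSEC category as written. `result` is declared outside this hunk, and `view_loaded()` starts and ends outside it.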
 
index a7a04fab57e634c3d89c0996ad1d4849f6cbea8f..76f6dc4bc317fedd95d56a70a7ec1263512006c3 100644 (file)
@@ -4607,8 +4607,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
        }
 
 failure:
-       if (result != ISC_R_SUCCESS && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
-       {
+       if (result != ISC_R_SUCCESS) {
                dnssec_log(zone, ISC_LOG_ERROR,
                           "unable to synchronize managed keys: %s",
                           isc_result_totext(result));
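Review bot: With the `DNS_ZONEFLG_LOADED` test dropped, the `failure:` path logs "unable to synchronize managed keys" on every error, and the new loop in bin/named/server.c logs "failed to initialize managed-keys" for what is presumably the same result. That assumes `dns_zone_synckeyzone()` ends up in `sync_keyzone()`, which is not visible here. Two ERROR lines for one failure are harmless but noisy for anyone alerting on this category; consider lowering one of them, or adding a comment here such as `/* the caller logs again with the view name */`. The rest of the `failure:` block is outside the hunk.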
@@ -5075,10 +5074,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
                break;
 
        case dns_zone_key:
-               result = sync_keyzone(zone, db);
-               if (result != ISC_R_SUCCESS) {
-                       goto cleanup;
-               }
+               /* Nothing needs to be done now */
                break;
 
        default:
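Review bot: The replacement comment `/* Nothing needs to be done now */` does not say where the work went, so a reader of `zone_postload()` cannot tell that key zones are still synchronized at all. Something like `/* Synchronized later via dns_zone_synckeyzone(), once all zones are loaded */` would point to it. Any other caller that loads a `dns_zone_key` zone and relied on the sync happening here would now have to call that function itself; the page shows only the caller in bin/named/server.c, so this should be checked. `zone_postload()` begins and ends outside this hunk.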
@@ -5235,13 +5231,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
        goto done;
 
 cleanup:
-       if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
-               dnssec_log(zone, ISC_LOG_ERROR,
-                          "failed to initialize managed-keys (%s): "
-                          "DNSSEC validation is at risk",
-                          isc_result_totext(result));
-       }
-
        if (result != ISC_R_SUCCESS) {
                dns_zone_rpz_disable_db(zone, db);
                dns_zone_catz_disable_db(zone, db);