Fix bug introduced by #763 related to offline keys
authorMatthijs Mekking <matthijs@isc.org>
Tue, 7 Dec 2021 12:59:42 +0000 (13:59 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 6 Jan 2022 08:32:32 +0000 (09:32 +0100)
In some cases we want to keep expired signatures. For example, if the
KSK is offline, we don't want to fall back to signing with the ZSK.
We could remove the signatures, but in any case we end up with a broken
zone.

The change made for GL #763 prevented the behavior to sign the DNSKEY
RRset with the ZSK if the KSK was offline (and signatures were expired).

That change altered the definition of "having both keys": if one key is
offline, we still consider both keys present, so we don't fall back to
signing with the ZSK if the KSK is offline.

That change also works the other way, if the ZSK is offline, we don't
fallback signing with the KSK.

This commit fixes that, so we only fallback signing zone RRsets with
the KSK, not signing key RRsets with the ZSK.

lib/dns/update.c
lib/dns/zone.c

index cfbe4405c499195d0626e56c13ea63a21f4320a3..3349015788ed850e0f98861c6b50465f4110fe38 100644 (file)
@@ -1157,8 +1157,8 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                                }
 
                                /* Don't consider inactive keys, however
-                                * the key may be temporary offline, so do
-                                * consider keys which private key files are
+                                * the KSK may be temporary offline, so do
+                                * consider KSKs which private key files are
                                 * unavailable.
                                 */
                                if (dst_key_inactive(keys[j])) {
@@ -1170,7 +1170,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                                }
                                if (KSK(keys[j])) {
                                        have_ksk = true;
-                               } else {
+                               } else if (dst_key_isprivate(keys[j])) {
                                        have_nonksk = true;
                                }
                                both = have_ksk && have_nonksk;
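Review bot: The new `else if (dst_key_isprivate(keys[j]))` branch encodes a non-obvious policy (an offline ZSK no longer counts toward `both`, so per the commit message the KSK ends up signing the zone RRsets) but carries no comment saying so; suggest `/* An offline ZSK does not count as present: fall back to signing with the KSK. */` directly above the `else if`. The same `have_ksk`/`have_nonksk`/`both` computation is repeated verbatim in `add_sigs` and `zone_sign` in lib/dns/zone.c, and this fix had to be applied to each copy separately, so a small shared helper that returns the "both" decision for a key set would stop the three definitions from drifting again. Nothing in the hunk shows what the signing loop later does with a ZSK whose private key is unavailable beyond not counting it here; presumably it is skipped, but that code is outside the hunk. `add_sigs` starts and ends outside this hunk.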
index be02dbea29ecfbbe4dd813b036a19b11d1a53c79..6df19b0dc0b69aee81cc1366773e660eff7d1905 100644 (file)
@@ -3523,7 +3523,8 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
                result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
                INSIST(result == ISC_R_SUCCESS);
 
-               /* RFC 3110, section 4: Performance Considerations:
+               /*
+                * RFC 3110, section 4: Performance Considerations:
                 *
                 * A public exponent of 3 minimizes the effort needed to verify
                 * a signature.  Use of 3 as the public exponent is weak for
@@ -7111,8 +7112,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
                                        continue;
                                }
 
-                               /* Don't consider inactive keys, however
-                                * the key may be temporary offline, so do
+                               /*
+                                * Don't consider inactive keys, however
+                                * the KSK may be temporary offline, so do
                                 * consider keys which private key files are
                                 * unavailable.
                                 */
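Review bot: The reworded comment is only half-updated: the new line `the KSK may be temporary offline, so do` is still followed by the old `consider keys which private key files are` line, whereas the identical comment in lib/dns/update.c in this same commit reads `consider KSKs which private key files are`. Since the code change below (outside this hunk) only lets offline KSKs count, the comment should say KSKs here too; while touching it, `temporary offline` should read `temporarily offline`, and `which private key files` should read `whose private key files`. The enclosing `add_sigs` starts and ends outside this hunk.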
@@ -7125,7 +7127,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
                                }
                                if (KSK(keys[j])) {
                                        have_ksk = true;
-                               } else {
+                               } else if (dst_key_isprivate(keys[j])) {
                                        have_nonksk = true;
                                }
                                both = have_ksk && have_nonksk;
@@ -9756,9 +9758,10 @@ zone_sign(dns_zone_t *zone) {
                                                       ALG(zone_keys[j]))) {
                                                continue;
                                        }
-                                       /* Don't consider inactive keys, however
+                                       /*
+                                        * Don't consider inactive keys, however
                                         * the key may be temporary offline, so
-                                        * do consider keys which private key
+                                        * do consider KSKs which private key
                                         * files are unavailable.
                                         */
                                        if (dst_key_inactive(zone_keys[j])) {
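Review bot: The comment above the `dst_key_inactive` check is now internally inconsistent: the unchanged line `the key may be temporary offline, so` still says "the key", while the updated next line says `do consider KSKs which private key` — so this copy disagrees with both the update.c and the zone.c `add_sigs` versions of the same comment touched by this commit. Suggest one wording for all three sites, e.g. `Don't consider inactive keys; however, the KSK may be temporarily offline, so do consider KSKs whose private key files are unavailable.`, so a reader comparing the three signing paths does not think they differ. `zone_sign` continues outside this hunk.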
@@ -9769,7 +9772,8 @@ zone_sign(dns_zone_t *zone) {
                                        }
                                        if (KSK(zone_keys[j])) {
                                                have_ksk = true;
-                                       } else {
+                                       } else if (dst_key_isprivate(
+                                                          zone_keys[j])) {
                                                have_nonksk = true;
                                        }
                                        both = have_ksk && have_nonksk;
@@ -14891,8 +14895,10 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
                timeout = 30;
        }
 
-       /* Save request parameters so we can reuse them later on
-          for resolving missing glue A/AAAA records. */
+       /*
+        * Save request parameters so we can reuse them later on
+        * for resolving missing glue A/AAAA records.
+        */
        cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args));
        cb_args->stub = stub;
        cb_args->tsig_key = key;