+5424. [bug] With kasp, when creating a successor key, the goal
+ state of the current active key (predecessor) was not
+ changed and thus was never is removed from the zone.
+ [GL #1846]
+
5423. [bug] Fix a bug in keymgr_key_has_successor: it would
return a false positive if any other key in the
keyring has a successor. [GL #1845]
prepub = keymgr_prepublication_time(active_key, kasp, lifetime,
now);
if (prepub == 0 || prepub > now) {
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+ dst_key_format(active_key->key, keystr,
+ sizeof(keystr));
+ isc_log_write(
+ dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+ "keymgr: new successor needed for "
+ "DNSKEY %s (%s) (policy %s) in %u "
+ "seconds",
+ keystr, keymgr_keyrole(active_key->key),
+ dns_kasp_getname(kasp), (prepub - now));
+ }
+
/* No need to start rollover now. */
if (*nexttime == 0 || prepub < *nexttime) {
*nexttime = prepub;
if (keymgr_key_has_successor(active_key, keyring)) {
/* Key already has successor. */
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+ dst_key_format(active_key->key, keystr,
+ sizeof(keystr));
+ isc_log_write(
+ dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+ "keymgr: key DNSKEY %s (%s) (policy "
+ "%s) already has successor",
+ keystr, keymgr_keyrole(active_key->key),
+ dns_kasp_getname(kasp));
+ }
return (ISC_R_SUCCESS);
}
dst_key_settime(new_key->key, DST_TIME_PUBLISH, prepub);
dst_key_settime(new_key->key, DST_TIME_ACTIVATE, active);
keymgr_settime_syncpublish(new_key, kasp, false);
+
+ /*
+ * Retire predecessor.
+ */
+ dst_key_setstate(active_key->key, DST_KEY_GOAL, HIDDEN);
}
/* This key wants to be present. */
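Review bot: The new debug message at the top of the hunk computes `(prepub - now)` for the "in %u seconds" text, but the enclosing condition is `prepub == 0 || prepub > now`, so when `keymgr_prepublication_time()` returns 0 the unsigned subtraction wraps and the log reports a huge bogus delay rather than "no successor needed". Restrict the message to the case where the value is meaningful, e.g. change the guard to `if (prepub > now && isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {`, or emit a separate message for the `prepub == 0` case that does not print a countdown. The `keystr` buffer used by both new `dst_key_format()` calls is presumably declared earlier in the function; worth confirming it is sized for `dst_key_format()` since it is not visible here. Setting the predecessor's goal to `HIDDEN` after the successor's publish/activate times are assigned matches the changelog entry, though a one-line comment such as `/* Successor timings are set; retire predecessor so it leaves the zone. */` would tie the two steps together for the next reader. The enclosing function starts and ends outside this hunk.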