Add zone to given view. Requires allow-new-zones option.\n\
delzone [-clean] zone [class [view]]\n\
Removes zone from given view.\n\
- dnssec -checkds [-key id [-alg algorithm] [-when time] (published|withdrawn) zone [class [view]]\n\
+ dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
Mark the DS record for the KSK of the given zone as seen\n\
in the parent. If the zone has multiple KSKs, select a\n\
specific key by providing the keytag with -key id and\n\
_whencmd="-when ${_when}"
fi
- echo_i "calling checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+ n=$((n+1))
+ echo_i "calling rndc dnssec -checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+ ret=0
+
rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (${_keycmd} ${_whencmd} ${_what} zone ${_zone} failed"
_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
}
# Tell named to schedule a key rollover.
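Review bot: The error string on the `rndccmd ... -checkds` line opens a parenthesis that is never closed and omits the `($n)` counter that the `_loadkeys_on` line below it prints, so a failure is harder to match to the numbered `calling rndc dnssec -checkds` line this change introduces. Since the commit already touches the log wording, the message could become `log_error "rndc dnssec -checkds (${_keycmd} ${_whencmd} ${_what}) zone ${_zone} failed ($n)"`. The helper's opening lines are outside the hunk.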
_zone=$5
_view=$6
+ _whencmd=""
+ if [ "${_when}" != "now" ]; then
+ _whencmd="-when ${_when}"
+ fi
+
n=$((n+1))
- echo_i "calling rndc dnssec -rollover key ${_keyid} zone ${_zone} ($n)"
+ echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
ret=0
- if [ "${_when}" = "now" ]; then
- rndccmd $_server dnssec -rollover -key $_keyid $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
- else
- rndccmd $_server dnssec -rollover -key $_keyid -when $_when $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
- fi
+ rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
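Review bot: `$_whencmd` on the new `rndccmd ... -rollover` line is expanded unquoted on purpose, so that an empty value contributes no argument and `-when <time>` splits into two words, but that intent is not written down. A later quoting cleanup would then pass an empty argument to rndc. A short comment above the assignment would record it, e.g. `# _whencmd is left unquoted below: empty means no -when argument`. The `log_error` text still prints `when ${_when}` even when the value is `now` and nothing is passed, which is harmless but slightly misleading. The function header is outside the hunk.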
isc_result_t
dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
- const char *directory, isc_stdtime_t now, bool dspublish);
+ const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+ bool dspublish);
isc_result_t
dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
- const char *directory, isc_stdtime_t now, bool dspublish,
- dns_keytag_t id, unsigned int algorithm);
+ const char *directory, isc_stdtime_t now,
+ isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+ unsigned int algorithm);
/*%<
* Check DS for one key in 'keyring'. The key must have the KSK role.
* If 'dspublish' is set to true, set the DS Publish time to 'now'.
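Review bot: The doc comment after the `dns_keymgr_checkds_id()` prototype still says the DS Publish time is set to 'now', but with the new `when` parameter the implementation stores `when`. The visible comment lines are unchanged context, so the header contract is stale unless it is corrected further down. I would reword the line to `If 'dspublish' is set to true, set the DS Publish time to 'when'.` and add a sentence saying what `now` is still used for. The comment continues past the end of the hunk, and `dns_keymgr_checkds()` gains the same parameter with no description visible here.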
static isc_result_t
keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
- const char *directory, isc_stdtime_t now, bool dspublish,
- dns_keytag_t id, unsigned int alg, bool check_id) {
+ const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+ bool dspublish, dns_keytag_t id, unsigned int alg,
+ bool check_id) {
int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
isc_dir_t dir;
isc_result_t result;
}
if (dspublish) {
- dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, now);
+ dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
} else {
- dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, now);
+ dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
}
/* Store key state and update hints. */
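Review bot: `when` is written to `DST_TIME_DSPUBLISH` / `DST_TIME_DSDELETE` exactly as received, with no visible comparison against `now` and no zero check. These timestamps presumably decide when the key manager treats the DS as present in or gone from the parent, so a mistyped `-when` (far past or far future) could advance or stall a KSK rollover, and a premature transition risks validation failures for the zone. If the caller does not already bound the value, a guard or at least a stated contract would help, e.g. `/* 'when' is operator-supplied via rndc -when and is stored as given. */`. The function body starts and ends outside this hunk.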
isc_result_t
dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
- const char *directory, isc_stdtime_t now, bool dspublish) {
- return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0, 0,
- false));
+ const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+ bool dspublish) {
+ return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+ 0, 0, false));
}
isc_result_t
dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
- const char *directory, isc_stdtime_t now, bool dspublish,
- dns_keytag_t id, unsigned int alg) {
- return (keymgr_checkds(kasp, keyring, directory, now, dspublish, id,
- alg, true));
+ const char *directory, isc_stdtime_t now,
+ isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+ unsigned int alg) {
+ return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+ id, alg, true));
}
static void