Force set DS state after 'rndc dnssec -checkds'
authorMatthijs Mekking <matthijs@isc.org>
Wed, 25 Jan 2023 15:36:48 +0000 (16:36 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 27 Jan 2023 15:07:26 +0000 (15:07 +0000)
Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similarly, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would likewise make it easy to shoot yourself in the foot.

bin/tests/system/kasp/tests.sh
lib/dns/keymgr.c

index 12b77cf0719516c2062aaf1def0cc7ece15cbf07..2be9284cabb14e80778b7eca586ed8764fd8693e 100644 (file)
@@ -550,15 +550,23 @@ _wait_for_metadata() {
 
 n=$((n+1))
 echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
-rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
-retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+# DS State should be forced into RUMOURED.
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+check_keys
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
 n=$((n+1))
 echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
-rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
-retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+# DS State should be forced into UNRETENTIVE.
+set_keystate "KEY1" "STATE_DS"     "unretentive"
+check_keys
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
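Review bot: The added comments say what state is expected but not why the fixed timestamps (`20190102121314`, `20200102121314`) were replaced by a live `$(date +%Y%m%d%H%M%S)`, which is the part of this hunk a future maintainer is most likely to revert "for determinism". Presumably `check_keys` validates the DS timing metadata against the current time once the state is forced to RUMOURED/UNRETENTIVE, so a stale -when would fail the state check; if that is the reason, say so above the first `now=` line, e.g. `# Use the current time: check_keys validates DS timing against now, so a fixed past timestamp would fail.` Note also that `date` without `-u` emits local time; that is harmless here because the test only matches the same string back out of the .state file, but worth a word if check_keys ever compares it to wall-clock UTC.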
index d4b76bb19bba1130b7be5972b52fd82d69c84d77..757c64678f794ab83d915b564e796d9930342b98 100644 (file)
@@ -2273,9 +2273,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
        }
 
        if (dspublish) {
+               dst_key_state_t s;
                dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
+               result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+               if (result != ISC_R_SUCCESS || s != RUMOURED) {
+                       dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);
+               }
        } else {
+               dst_key_state_t s;
                dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
+               result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+               if (result != ISC_R_SUCCESS || s != UNRETENTIVE) {
+                       dst_key_setstate(ksk_key->key, DST_KEY_DS, UNRETENTIVE);
+               }
        }
 
        if (isc_log_wouldlog(dns_lctx, ISC_LOG_NOTICE)) {
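Review bot: The forced transition in both branches is silent: when `s` came back as OMNIPRESENT (publish) or HIDDEN/RUMOURED (withdraw), which is exactly the mismatch the commit message calls a shoot-in-the-foot situation, the state is overwritten with no record of what it was, so an operator who ran `rndc dnssec -checkds` against the wrong key gets no signal. I would log at ISC_LOG_WARNING when `result == ISC_R_SUCCESS` and the previous state was neither the expected predecessor nor the target, naming the key and both states; the NOTICE log that begins on the last hunk line may be the place to fold this in, but its body is outside the hunk. Separately, both branches reuse `result` for the dst_key_getstate() return; if keymgr_checkds returns `result` without reassigning it further down (the function's tail is outside the hunk), a getstate failure would be reported to the caller even though the state was forced successfully, so a scoped `isc_result_t` next to `dst_key_state_t s;` would be safer. The get-then-compare is also not needed for correctness: an unconditional `dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);` reads simpler unless setstate has side effects worth avoiding, which I cannot tell from here.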