[v9_11] Minor improvements to code handling managed keys

4812.	[bug]		Minor improvements to stability and consistency of code
			handling managed keys. [RT #46468]

(cherry picked from commit 312c84c73aaffff6d13bb56eef688be68aea3392)

diff --git a/CHANGES b/CHANGES
index af050686546f906630057e0aafff74d7eef9d85d..5fc634fb91461b9637d38b51a6761821da75ec35 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4812.  [bug]           Minor improvements to stability and consistency of code
+                       handling managed keys. [RT #46468]
+
 4810.  [test]          The chain system test failed if the IPv6 interfaces
                        were not configured. [RT #46508]
 

diff --git a/bin/named/server.c b/bin/named/server.c
index 05d2a4cac126ef20b0cd27408ca6bf5e637749a8..ec79ea11bc7bd457248f573d99d40e307c7491ab 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -13720,10 +13720,10 @@ mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) {
                        else if (revoked)
                                snprintf(buf, sizeof(buf),
                                         "\n\ttrust revoked");
-                       else if (kd.addhd < now)
+                       else if (kd.addhd <= now)
                                snprintf(buf, sizeof(buf),
                                         "\n\ttrusted since: %s", tbuf);
-                       else if (kd.addhd >= now)
+                       else if (kd.addhd > now)
                                snprintf(buf, sizeof(buf),
                                         "\n\ttrust pending: %s", tbuf);
                        CHECK(putstr(text, buf));

diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index a7033fa54b7e5eb62ff4e3eb843825e5af123781..4778309444867c383050018ed7824a082191ddd9 100644 (file)
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -129,11 +129,6 @@ echo "I: check new trust anchor can be added ($n)"
 ret=0
 standby1=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
 mkeys_loadkeys_on 1
-# Less than a second may have passed since the last time ns2 received a
-# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
-# timestamp to prevent the refresh from not being initiated due to all
-# acceptance timers being equal to current timestamp.
-sleep 1
 mkeys_refresh_on 2
 mkeys_status_on 2 > rndc.out.$n 2>&1
 # there should be two keys listed now
@@ -308,12 +303,6 @@ n=`expr $n + 1`
 echo "I: check that standby key is now trusted ($n)"
 ret=0
 wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
-# Less than a second may have passed since the last time ns2 received a
-# ./DNSKEY response from ns1.  Ensure status is checked at a different
-# timestamp to prevent false negatives caused by the add hold-down time for the
-# standby key being equal to current time ("trust pending") instead of in the
-# past ("trusted since").
-sleep 1
 mkeys_status_on 2 > rndc.out.$n 2>&1
 # two keys listed
 count=`grep -c "keyid: " rndc.out.$n` 
@@ -394,13 +383,9 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo "I: wait 21 seconds for key add/remove holddowns to expire ($n)"
+echo "I: wait 20 seconds for key add/remove holddowns to expire ($n)"
 ret=0
-# Wait for "month" plus 1 second.  If we only wait for "month" and the previous
-# two tests fit into a single second, we will get a false negative caused by
-# the add hold-down time for the second standby key being equal to current time
-# ("trust pending") instead of in the past ("trusted since").
-sleep 21
+sleep 20
 mkeys_refresh_on 2
 mkeys_status_on 2 > rndc.out.$n 2>&1
 # two keys listed
@@ -497,18 +482,11 @@ $SETTIME -R none -D none -K ns1 $standby1 > /dev/null
 $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>&-
 cp -f ns1/root.db.signed ns1/root.db.tmp
 BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
-# We need to prevent two different races here:
-#
-# 1. Less than a second may have passed since ns1 was started.  If we call
-#    dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by
-#    the subsequent "rndc reload ." call on platforms which do not set the
-#    "nanoseconds" field of isc_time_t, due to zone load time being seemingly
-#    equal to master file modification time.
-#
-# 2. Less than a second may have passed since the last time ns2 received a
-#    ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
-#    timestamp to prevent the refresh from not being initiated due to all
-#    acceptance timers being equal to current timestamp.
+# Less than a second may have passed since ns1 was started.  If we call
+# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
+# subsequent "rndc reload ." call on platforms which do not set the
+# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
+# equal to master file modification time.
 sleep 1
 sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
 mkeys_reload_on 1

diff --git a/contrib/scripts/check5011.pl b/contrib/scripts/check5011.pl
index 0751a80d49e01dc8d0e6167cd9ac42edebeb14e5..78b0a4c612fe217583afcf960a844ee851f321be 100644 (file)
--- a/contrib/scripts/check5011.pl
+++ b/contrib/scripts/check5011.pl
@@ -43,7 +43,7 @@ sub printstatus ($) {
        my $a = shift;
        if ($a->{removehd} ne "19700101000000") {
                printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
-       } elsif ($a->{addhd} lt $now) {
+       } elsif ($a->{addhd} le $now) {
                printf " trusted\n";
        } else {
                printf " waiting for %s\n", ext8601 $a->{addhd};

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 912ff23a66c74f4fb987d587722535758cab2cc3..fe548eae9f282456beb0c8054c3fc428994cc67f 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9662,7 +9662,7 @@ zone_refreshkeys(dns_zone_t *zone) {
                        }
 
                        /* Acceptance timer expired? */
-                       if (kd.addhd < now)
+                       if (kd.addhd <= now)
                                timer = kd.addhd;
 
                        /* Or do we just need to refresh the keyset? */
@@ -9764,12 +9764,10 @@ zone_refreshkeys(dns_zone_t *zone) {
                isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
                dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
                             timebuf);
-
-               if (!fetching)
-                       DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
        }
 
-       UNLOCK_ZONE(zone);
+       if (!fetching)
+               DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
 
        dns_diff_clear(&diff);
        if (ver != NULL) {
@@ -9778,6 +9776,8 @@ zone_refreshkeys(dns_zone_t *zone) {
        }
        dns_db_detach(&db);
 
+       UNLOCK_ZONE(zone);
+
        INSIST(ver == NULL);
 }