a KSK revoked by named could not be deleted. [RT #20881]
authorFrancis Dupont <fdupont@isc.org>
Wed, 13 Jan 2010 08:35:24 +0000 (08:35 +0000)
committerFrancis Dupont <fdupont@isc.org>
Wed, 13 Jan 2010 08:35:24 +0000 (08:35 +0000)
CHANGES
lib/dns/dnssec.c

diff --git a/CHANGES b/CHANGES
index 9ebc7a9a24f411c150d52a3b7c09b282b7e8c42c..1c0469ec8cc579b9b45201f4cb42db41f2a94bc7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2838.  [bug]           A KSK revoked by named could not be deleted.
+                       [RT #20881]
+
 2837.  [port]          Prevent Linux spurious warnings about fwrite().
                        [RT #20812]
 
index 6509a89c256c32c367f0d49b963f46f3c8cc61f5..db63291a9cf497cbf695f5180726f594189e0c54 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.117 2009/12/18 23:49:03 tbox Exp $
+ * $Id: dnssec.c,v 1.118 2010/01/13 08:35:24 fdupont Exp $
  */
 
 /*! \file */
@@ -1449,6 +1449,33 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
                                          DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
                                          directory, mctx, &privkey);
 
+               /*
+                * If the key was revoked and the private file
+                * doesn't exist, maybe it was revoked internally
+                * by named.  Try loading the unrevoked version.
+                */
+               if (result == ISC_R_FILENOTFOUND) {
+                       isc_uint32_t flags;
+                       flags = dst_key_flags(pubkey);
+                       if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+                               dst_key_setflags(pubkey,
+                                                flags & ~DNS_KEYFLAG_REVOKE);
+                               result = dst_key_fromfile(dst_key_name(pubkey),
+                                                         dst_key_id(pubkey),
+                                                         dst_key_alg(pubkey),
+                                                         DST_TYPE_PUBLIC|
+                                                         DST_TYPE_PRIVATE,
+                                                         directory,
+                                                         mctx, &privkey);
+                               if (result == ISC_R_SUCCESS &&
+                                   dst_key_pubcompare(pubkey, privkey,
+                                                      ISC_FALSE)) {
+                                       dst_key_setflags(privkey, flags);
+                               }
+                               dst_key_setflags(pubkey, flags);
+                       }
+               }
+
                if (result != ISC_R_SUCCESS) {
                        char keybuf[DNS_NAME_FORMATSIZE];
                        char algbuf[DNS_SECALG_FORMATSIZE];
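Review bot: When the retry on the unrevoked key succeeds but dst_key_pubcompare on L54 reports a different key, result is left at ISC_R_SUCCESS and privkey holds a key that does not match pubkey, so the `if (result != ISC_R_SUCCESS)` branch on L62 is skipped and the mismatched private key is presumably carried forward as this key's private half (the rest of dns_dnssec_keylistfromrdataset is outside the hunk). The mismatch branch should release privkey and restore a failure code so the caller falls back to the public-only handling it used before this patch, as in the rewrite below. A separate point to confirm: the lookup on L46 depends on dst_key_id(pubkey) reflecting the flag cleared on L44; if the tag is cached at load time rather than derived from the current flags, the retry asks for the same id the first attempt already failed on.
```c
				if (result == ISC_R_SUCCESS) {
					if (dst_key_pubcompare(pubkey, privkey,
							       ISC_FALSE)) {
						dst_key_setflags(privkey, flags);
					} else {
						/* same tag, different key: not ours */
						dst_key_free(&privkey);
						result = ISC_R_FILENOTFOUND;
					}
				}
				dst_key_setflags(pubkey, flags);
```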