Test rndc rollover inactive key

When users (accidentally) try to roll an inactive key, throw an error.

diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index be067da571d8fcc5d884d5e529bf204bcf239aaf..7b9f8bb404fec0095a2e48386a693cddac4a9190 100644 (file)
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2802,6 +2802,15 @@ check_apex
 check_subdomain
 dnssec_verify
 
+# Try to schedule a ZSK rollover for an inactive key (should fail).
+n=$((n+1))
+echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
+ret=0
+rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
+grep "key is not active and cannot be rolled" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Testing DNSSEC introduction.
 #

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 36bb4a3f71ef4d1c7987e04502d9a028cd31c3ae..c31405c89d097d8b995446ee9b5a53a8317ce36c 100644 (file)
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -2181,7 +2181,7 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
        }
 
        result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
-       if (result != ISC_R_SUCCESS) {
+       if (result != ISC_R_SUCCESS || active > now) {
                return (ISC_R_UNEXPECTED);
        }