From: Matthijs Mekking
Date: Fri, 26 Feb 2021 08:27:32 +0000 (+0100)
Subject: Fix keymgr key init bug
X-Git-Tag: v9.17.12~28^2~2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=27e7d5f698f3eebc5b1ff26737331cef972873e1;p=thirdparty%2Fbind9.git

Fix keymgr key init bug

The 'keymgr_key_init()' function initializes key states if they have not been set previously. It looks at the key timing metadata and determines using the given times whether a state should be set to RUMOURED or OMNIPRESENT. However, the DNSKEY and ZRRSIG states were mixed up: When looking at the Activate timing metadata we should set the ZRRSIG state, and when looking at the Published timing metadata we should set the DNSKEY state.
---
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 009c06b1952..05ee2e74e49 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1549,23 +1549,23 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now) {
 /* Get time metadata. */
 ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
 if (active <= now && ret == ISC_R_SUCCESS) {
- dns_ttl_t key_ttl = dst_key_getttl(key->key);
- key_ttl += dns_kasp_zonepropagationdelay(kasp);
- if ((active + key_ttl) <= now) {
- dnskey_state = OMNIPRESENT;
+ dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
+ zone_ttl += dns_kasp_zonepropagationdelay(kasp);
+ if ((active + zone_ttl) <= now) {
+ zrrsig_state = OMNIPRESENT;
 } else {
- dnskey_state = RUMOURED;
+ zrrsig_state = RUMOURED;
 }
 goal_state = OMNIPRESENT;
 }
 ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub);
 if (pub <= now && ret == ISC_R_SUCCESS) {
- dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
- zone_ttl += dns_kasp_zonepropagationdelay(kasp);
- if ((pub + zone_ttl) <= now) {
- zrrsig_state = OMNIPRESENT;
+ dns_ttl_t key_ttl = dst_key_getttl(key->key);
+ key_ttl += dns_kasp_zonepropagationdelay(kasp);
+ if ((pub + key_ttl) <= now) {
+ dnskey_state = OMNIPRESENT;
 } else {
- zrrsig_state = RUMOURED;
+ dnskey_state = RUMOURED;
 }
 goal_state = OMNIPRESENT;
 }
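Review bot: The corrected mapping in keymgr_key_init() is still undocumented in both branches, and this swap is the kind of mistake a one-line comment at each branch keeps from coming back. Above the DST_TIME_ACTIVATE branch I would add `/* Active: the key signs the zone, so this sets ZRRSIG; OMNIPRESENT after max zone TTL + propagation delay. */` and above the DST_TIME_PUBLISH branch `/* Published: the DNSKEY is in the zone, so this sets DNSKEY; OMNIPRESENT after DNSKEY TTL + propagation delay. */`. A state initialised to OMNIPRESENT too early presumably lets later rollover steps proceed before caches have caught up, so the pairing of timing metadata, TTL source and state deserves to be spelled out. Separately, both conditions compare `active`/`pub` with `now` before testing `ret`, which is only safe if those variables are initialised at their declaration; that declaration, like the rest of the function, is outside the hunk.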