From: Matthijs Mekking Date: Fri, 22 Mar 2019 14:42:10 +0000 (+0100) Subject: With update-check-ksk also consider offline keys X-Git-Tag: v9.11.7~30^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=4af2d5b6d6724521f52084ee55f9a1cfe4246f9c;p=thirdparty%2Fbind9.git With update-check-ksk also consider offline keys The option `update-check-ksk` will look if both KSK and ZSK are available before signing records. It will make sure the keys are active and available. However, for operational practices keys may be offline. This commit relaxes the update-check-ksk check and will mark a key that is offline to be available when adding signature tasks. (cherry picked from commit 3cb8c49c73906b28921012619a3bb87805613b81) (cherry picked from commit b508cffeee3bfb8bc7dcf39db59ec3782a5d9e4c) --- diff --git a/CHANGES b/CHANGES index 28df46719b3..ae83d90b91e 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ recursion was requested by the client, not on whether recursion was available. [GL #963] +5209. [bug] When update-check-ksk is true, add_sigs was not + considering offline keys, leaving record sets signed + with the incorrect type key. [GL #763] + 5208. [test] Run valid rdata wire encodings through totext+fromtext and tofmttext+fromtext methods to check these methods. [GL #899] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 57295fc00fb..000b42b8418 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -8669,9 +8669,6 @@ zone_sign(dns_zone_t *zone) { */ if (!dst_key_isprivate(zone_keys[i])) continue; - /* - * Should be redundant. - */ if (dst_key_inactive(zone_keys[i])) continue; 
@@ -8710,11 +8707,11 @@ zone_sign(dns_zone_t *zone) { continue; if (!dst_key_isprivate(zone_keys[j])) continue; - /* - * Should be redundant. + /* Don't consider inactive keys, however + * the key may be temporary offline, so do + * consider keys which private key files are + * unavailable. */ - if (dst_key_inactive(zone_keys[j])) - continue; if (REVOKE(zone_keys[j])) continue; if (KSK(zone_keys[j]))
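Review bot: in the second lib/dns/zone.c hunk (zone_sign, around line 8707) the code does the opposite of what its new comment says. The comment reads "Don't consider inactive keys, however the key may be temporary offline, so do consider keys which private key files are unavailable", yet the hunk deletes the `if (dst_key_inactive(zone_keys[j])) continue;` test and keeps the `if (!dst_key_isprivate(zone_keys[j])) continue;` test as unchanged context just above it. An offline key is exactly one whose private key file is missing, so `dst_key_isprivate` is false for it and it is still skipped, while an inactive key now counts towards `have_ksk`/`have_nonksk`. Swap the two: keep the `dst_key_inactive` check and drop the `!dst_key_isprivate` check for `zone_keys[j]`. While touching the comment, use the file's block style (`/*` on its own line, as the removed "Should be redundant" comment did) and fix the wording to "temporarily offline" and "keys whose private key files are unavailable".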
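Review bot: the CHANGES hunk (entry 5209) attributes the bug to `add_sigs`, but the only code changed in this backport is `zone_sign` in lib/dns/zone.c; either the entry should name `zone_sign`, or a corresponding hunk in `add_sigs` is missing from the diff. The phrase "signed with the incorrect type key" is also awkward; "signed with a key of the wrong type" reads more clearly.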