From 1b2e6f494a89651ac922b7476c7b57d976535df5 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 31 Jan 2024 12:25:29 +0100 Subject: [PATCH 1/2] Fix bug in keymgr Depends function The Depends relation refers to types of rollovers in which a certain record type is going to be swapped. Specifically, the Depends relation says there should be no dependency on the predecessor key (the set Dep(x, T) must be empty). But if the key is phased out (all its states are in HIDDEN), there is no longer a dependency. Since the relationship is still maintained (Predecessor and Successor metadata), the keymgr_dep function still returned true. In other words, the set Dep(x, T) is not considered empty. This slows down key rollovers, only retiring keys when the successor key has been fully propagated. (cherry picked from commit 0aac81cf805aac0e36b429eebffd766a4a07aa0f) --- lib/dns/keymgr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index 34fa1dd0cc..023dee9e43 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -617,6 +617,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) { * Check if k is a direct successor of d, e.g. d depends on k. */ if (keymgr_direct_dep(d->key, k)) { + dst_key_state_t hidden[NUM_KEYSTATES] = { + HIDDEN, HIDDEN, HIDDEN, HIDDEN + }; + if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) { + continue; + } + if (dep != NULL) { *dep = dst_key_id(d->key); } From 3ecccb678fa78668f118c0ead6ea0beadbcb7f13 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 31 Jan 2024 12:37:12 +0100 Subject: [PATCH 2/2] Add CHANGES for #4552 (cherry picked from commit 32e43764dd08105bec826b9db7896b48b7e2c193) --- CHANGES | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index eaac247f7d..467bb7df76 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,6 @@ -6356. [bug] Create the pruning task in the dns_cache_flush(), so +6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552] + +6356. [bug] Attach the loop also in the dns_cache_flush(), so the cache pruning still works after the flush. [GL #4621]
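Review bot: In the keymgr_dep() hunk of lib/dns/keymgr.c (PATCH 1/2), the new early `continue` carries no comment explaining why a direct predecessor is skipped. The reason is given only in the commit message: a predecessor whose states are all HIDDEN no longer contributes to Dep(x, T), even though the Predecessor and Successor metadata is still present. Please add a short comment above the `keymgr_key_match_state(d->key, k, NA, NA, hidden)` check, next to the existing "Check if k is a direct successor of d" comment. Two smaller points on the same lines: `hidden` is sized NUM_KEYSTATES but initialised with exactly four HIDDEN values, so if NUM_KEYSTATES ever grows the extra elements are zero-initialised rather than explicitly HIDDEN, and the array is rebuilt on every loop iteration although it never changes, so it could be declared once outside the loop. The series touches only keymgr.c and CHANGES; a test that rolls a key whose predecessor is already fully HIDDEN would keep this from regressing.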
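Review bot: In the CHANGES hunk (PATCH 2/2), the existing 6356 entry is reworded from "Create the pruning task in the dns_cache_flush(), so" to "Attach the loop also in the dns_cache_flush(), so", which has nothing to do with GL #4552 and is not mentioned in the commit subject "Add CHANGES for #4552". If this came in with the cherry-pick, drop it from this commit or move it to its own commit so the 6356 wording change is reviewable separately. The new 6359 text, "Fix bug in Depends (keymgr_dep) function.", also names only the internal function; stating the operator-visible effect described in PATCH 1/2 (key rollovers were slowed down because predecessor keys were only retired once the successor had fully propagated) would make the entry more useful.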