Merge branch '4552-keymgr-depends-function-bug' into 'main'

Fix bug in keymgr Depends function Closes #4552 See merge request isc-projects/bind9!8682
2026-05-28 04:34:54 -04:00 · 2024-03-13 10:46:25 +00:00 · 2024-03-13 10:46:25 +00:00 · 377bd35574
commit 377bd35574
parent 03c040da53 32e43764dd
2 changed files with 9 additions and 0 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+6359.	[bug]		Fix bug in Depends (keymgr_dep) function. [GL #4552]
+
 6358.	[bug]		Fix validate_dnskey_dsset when KSK is not signing,
 			do not skip remainder of DS RRset. [GL #4625]

--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@ -630,6 +630,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) {
 		 * Check if k is a direct successor of d, e.g. d depends on k.
 		 */
 		if (keymgr_direct_dep(d->key, k)) {
+			dst_key_state_t hidden[NUM_KEYSTATES] = {
+				HIDDEN, HIDDEN, HIDDEN, HIDDEN
+			};
+			if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) {
+				continue;
+			}
+
 			if (dep != NULL) {
 				*dep = dst_key_id(d->key);
 			}