From 0aac81cf805aac0e36b429eebffd766a4a07aa0f Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 31 Jan 2024 12:25:29 +0100 Subject: [PATCH 1/2] Fix bug in keymgr Depends function The Depends relation refers to types of rollovers in which a certain record type is going to be swapped. Specifically, the Depends relation says there should be no dependency on the predecessor key (the set Dep(x, T) must be empty). But if the key is phased out (all its states are in HIDDEN), there is no longer a dependency. Since the relationship is still maintained (Predecessor and Successor metadata), the keymgr_dep function still returned true. In other words, the set Dep(x, T) is not considered empty. This slows down key rollovers, only retiring keys when the successor key has been fully propagated. --- lib/dns/keymgr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index cc59e42c0b..c26d517d4c 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -630,6 +630,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) { * Check if k is a direct successor of d, e.g. d depends on k. */ if (keymgr_direct_dep(d->key, k)) { + dst_key_state_t hidden[NUM_KEYSTATES] = { + HIDDEN, HIDDEN, HIDDEN, HIDDEN + }; + if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) { + continue; + } + if (dep != NULL) { *dep = dst_key_id(d->key); } From 32e43764dd08105bec826b9db7896b48b7e2c193 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 31 Jan 2024 12:37:12 +0100 Subject: [PATCH 2/2] Add CHANGES for #4552 --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 3b990f5764..84f3caf0e5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552] + 6358. [bug] Fix validate_dnskey_dsset when KSK is not signing, do not skip remainder of DS RRset. [GL #4625]
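Review bot: in the keymgr.c hunk, the initializer `{ HIDDEN, HIDDEN, HIDDEN, HIDDEN }` hard-codes four entries while the array is declared as `hidden[NUM_KEYSTATES]`; if NUM_KEYSTATES ever differs from 4, the extra entries are zero-initialized to whatever state has enum value 0 and the "all states HIDDEN" match silently becomes a partial match. Consider a compile-time check that NUM_KEYSTATES is 4, or filling the array in a loop, and add a one-line comment above the `continue` saying that a predecessor whose states are all HIDDEN no longer constrains the successor, since that rationale currently lives only in the commit message.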
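Review bot: the CHANGES entry "Fix bug in Depends (keymgr_dep) function" describes only that a bug was fixed, while the neighbouring entry (6358) describes the behaviour change; state the user-visible effect, e.g. "keymgr_dep no longer reports a dependency on a predecessor key whose states are all HIDDEN, which unnecessarily delayed key rollovers. [GL #4552]", which is what the first commit message explains.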