[9.20] fix: usr: Fix bug in Offline KSK that is using ZSK with unlimited lifetime

If the ZSK has unlimited lifetime, the timing metadata "Inactive" and "Delete" cannot be found and is treated as an error, preventing the zone to be signed. This has been fixed. Closes #4914 Backport of MR !9447 Merge branch 'backport-4914-offline-ksk-zsk-lifetime-unlimited-bug-9.20' into 'bind-9.20' See merge request isc-projects/bind9!9453
2026-05-28 04:34:54 -04:00 · 2024-09-09 17:28:11 +00:00 · 2024-09-09 17:28:11 +00:00 · 3f115d3cda
commit 3f115d3cda
parent 90bec9e287 66f850f01c
2 changed files with 14 additions and 7 deletions
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@ -2697,7 +2697,8 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 		isc_stdtime_t lastchange = 0, nextchange = 0;
 		dst_key_state_t dnskey_state = HIDDEN, zrrsig_state = HIDDEN,
 				goal_state = HIDDEN;
-		dst_key_state_t current_dnskey, current_zrrsig, current_goal;
+		dst_key_state_t current_dnskey = HIDDEN,
+				current_zrrsig = HIDDEN, current_goal = HIDDEN;

 		(void)dst_key_role(dkey->key, &ksk, &zsk);
 		if (ksk || !zsk) {
@ -2716,9 +2717,8 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 		RETERR(dst_key_gettime(dkey->key, DST_TIME_PUBLISH,
 				       &published));
 		RETERR(dst_key_gettime(dkey->key, DST_TIME_ACTIVATE, &active));
-		RETERR(dst_key_gettime(dkey->key, DST_TIME_INACTIVE,
-				       &inactive));
-		RETERR(dst_key_gettime(dkey->key, DST_TIME_DELETE, &remove));
+		(void)dst_key_gettime(dkey->key, DST_TIME_INACTIVE, &inactive);
+		(void)dst_key_gettime(dkey->key, DST_TIME_DELETE, &remove);

 		/* Determine key states from the metadata. */
 		if (active <= now) {
@ -2753,7 +2753,7 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 			goal_state = OMNIPRESENT;
 		}

-		if (inactive <= now) {
+		if (inactive > 0 && inactive <= now) {
 			dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 			ttlsig += dns_kasp_zonepropagationdelay(kasp);
 			if ((inactive + ttlsig) <= now) {
@ -2769,7 +2769,7 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 			goal_state = HIDDEN;
 		}

-		if (remove <= now) {
+		if (remove > 0 && remove <= now) {
 			dns_ttl_t key_ttl = dst_key_getttl(dkey->key);
 			key_ttl += dns_kasp_zonepropagationdelay(kasp);
 			if ((remove + key_ttl) <= now) {
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -22285,7 +22285,7 @@ zone_rekey(dns_zone_t *zone) {

 			if (result != ISC_R_SUCCESS) {
 				dnssec_log(zone, ISC_LOG_ERROR,
-					   "zone_rekey:dns_dnssec_keymgr "
+					   "zone_rekey:dns_keymgr_run "
 					   "failed: %s",
 					   isc_result_totext(result));
 				KASP_UNLOCK(kasp);
@ -22301,6 +22301,13 @@ zone_rekey(dns_zone_t *zone) {
 		result = dns_keymgr_offline(&zone->origin, &keys, kasp, now,
 					    &nexttime);
 		dns_zone_unlock_keyfiles(zone);
+
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_rekey:dns_keymgr_offline "
+				   "failed: %s",
+				   isc_result_totext(result));
+		}
 	}

 	KASP_UNLOCK(kasp);