From fa20a1df396e640b327f79df6fe29adb384179e6 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 3 Sep 2024 11:52:19 +0200
Subject: [PATCH 1/2] Fix bug in dns_keymgr_offline

If the ZSK has lifetime unlimited, the timing metadata "Inactive" and "Delete" cannot be found and is treated as an error. Fix by allowing these metadata to not exist.

(cherry picked from commit 5af53a329f3d5ea9af2bd5e88127c4a98b23696c)
---
 lib/dns/keymgr.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index b4d44dc314..79b6880b1a 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -2697,7 +2697,8 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 	isc_stdtime_t lastchange = 0, nextchange = 0;
 	dst_key_state_t dnskey_state = HIDDEN, zrrsig_state = HIDDEN,
 			goal_state = HIDDEN;
-	dst_key_state_t current_dnskey, current_zrrsig, current_goal;
+	dst_key_state_t current_dnskey = HIDDEN,
+			current_zrrsig = HIDDEN, current_goal = HIDDEN;
 
 	(void)dst_key_role(dkey->key, &ksk, &zsk);
 	if (ksk || !zsk) {
@@ -2716,9 +2717,8 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 	RETERR(dst_key_gettime(dkey->key, DST_TIME_PUBLISH, &published));
 	RETERR(dst_key_gettime(dkey->key, DST_TIME_ACTIVATE, &active));
-	RETERR(dst_key_gettime(dkey->key, DST_TIME_INACTIVE,
-			       &inactive));
-	RETERR(dst_key_gettime(dkey->key, DST_TIME_DELETE, &remove));
+	(void)dst_key_gettime(dkey->key, DST_TIME_INACTIVE, &inactive);
+	(void)dst_key_gettime(dkey->key, DST_TIME_DELETE, &remove);
 
 	/* Determine key states from the metadata. */
 	if (active <= now) {
@@ -2753,7 +2753,7 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 		goal_state = OMNIPRESENT;
 	}
 
-	if (inactive <= now) {
+	if (inactive > 0 && inactive <= now) {
 		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 		ttlsig += dns_kasp_zonepropagationdelay(kasp);
 		if ((inactive + ttlsig) <= now) {
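Review bot: The two `(void)dst_key_gettime(...)` calls for DST_TIME_INACTIVE and DST_TIME_DELETE only work as intended if `inactive` and `remove` are initialized to 0 at their declarations, because a lookup that fails leaves the output argument untouched and the `inactive > 0` / `remove > 0` guards added further down use 0 as the "not set" sentinel. Those declarations are outside the hunk, so the initialization should be confirmed rather than assumed. Casting the result to void also discards any failure that is not simply "metadata absent", if dst_key_gettime can report such a failure. A comment above the two calls, `/* Unlimited lifetime: INACTIVE and DELETE may be unset; leave them at 0. */`, would make the intent explicit. dns_keymgr_offline's body continues outside the hunk.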
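Review bot: The `inactive > 0` guard here, and the matching `remove > 0` guard in the @@ -2769 hunk, treat a zero timestamp as "not set", which is only sound if nothing else in dns_keymgr_offline reads `inactive` or `remove` assuming they hold a real time, for instance when deriving `nextchange`; the rest of the function is outside the hunk and should be checked for such uses. The sentinel is not documented at either site; a one-line comment above each guard, `/* 0 means the time was never set (unlimited lifetime). */`, would spare the next reader from re-deriving it from the gettime calls above. The surrounding function starts and ends outside the hunk.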
@@ -2769,7 +2769,7 @@ dns_keymgr_offline(const dns_name_t *origin, dns_dnsseckeylist_t *keyring,
 		goal_state = HIDDEN;
 	}
 
-	if (remove <= now) {
+	if (remove > 0 && remove <= now) {
 		dns_ttl_t key_ttl = dst_key_getttl(dkey->key);
 		key_ttl += dns_kasp_zonepropagationdelay(kasp);
 		if ((remove + key_ttl) <= now) {

From 66f850f01c334f8ecadc5cbe52afe902536291c4 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 3 Sep 2024 11:50:32 +0200
Subject: [PATCH 2/2] Nit logging change

Fix wrong function name (dns_dnssec_keymgr -> dns_keymgr_run).

Add error log if dns_keymgr_offline() fails.

(cherry picked from commit 911daeb30648b27053259121405e2260998657e0)
---
 lib/dns/zone.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 946454222d..9a36c997d0 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -22285,7 +22285,7 @@ zone_rekey(dns_zone_t *zone) {
 		if (result != ISC_R_SUCCESS) {
 			dnssec_log(zone, ISC_LOG_ERROR,
-				   "zone_rekey:dns_dnssec_keymgr "
+				   "zone_rekey:dns_keymgr_run "
 				   "failed: %s",
 				   isc_result_totext(result));
 			KASP_UNLOCK(kasp);
@@ -22301,6 +22301,13 @@ zone_rekey(dns_zone_t *zone) {
 		result = dns_keymgr_offline(&zone->origin, &keys, kasp, now,
 					    &nexttime);
 		dns_zone_unlock_keyfiles(zone);
+
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_rekey:dns_keymgr_offline "
+				   "failed: %s",
+				   isc_result_totext(result));
+		}
 	}
 	KASP_UNLOCK(kasp);