diff --git a/CHANGES b/CHANGES
index 18e9001c80..431542f46b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5147. [bug] dnssec-keymgr: Add a five-minute margin to better
+ handle key events close to 'now'. [GL #848]
+
5146. [placeholder]
5145. [func] Use atomics instead of locked variables for isc_quota
diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook
index 1a209be3eb..32848250be 100644
--- a/bin/python/dnssec-keymgr.docbook
+++ b/bin/python/dnssec-keymgr.docbook
@@ -99,6 +99,12 @@
set by the option), and check the keys for
all the zones represented in the directory.
+
+ Key times that are in the past will not be updated unless
+ the is used (see below). Key inactivation
+ and deletion times that are less than five minutes in the future
+ will be delayed by five minutes.
+
It is expected that this tool will be run automatically and
unattended (for example, by cron).
diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in
index 74ccc645f8..2f4906f809 100644
--- a/bin/python/isc/keyseries.py.in
+++ b/bin/python/isc/keyseries.py.in
@@ -83,31 +83,36 @@ class keyseries:
a = now
i = key.inactive()
+ fudge = 300
if not rp:
key.setinactive(None, **kwargs)
key.setdelete(None, **kwargs)
elif not i or a + rp != i:
- if not i and a + rp > now + prepub:
+ if not i and a + rp > now + prepub + fudge:
key.setinactive(a + rp, **kwargs)
key.setdelete(a + rp + postpub, **kwargs)
elif not i:
- key.setinactive(now + prepub, **kwargs)
- key.setdelete(now + prepub + postpub, **kwargs)
+ key.setinactive(now + prepub + fudge, **kwargs)
+ key.setdelete(now + prepub + postpub + fudge, **kwargs)
+ elif i < now:
+ pass
elif a + rp > i:
key.setinactive(a + rp, **kwargs)
key.setdelete(a + rp + postpub, **kwargs)
- elif a + rp > now + prepub:
+ elif a + rp > now + prepub + fudge:
key.setinactive(a + rp, **kwargs)
key.setdelete(a + rp + postpub, **kwargs)
else:
- key.setinactive(now + prepub, **kwargs)
- key.setdelete(now + prepub + postpub, **kwargs)
+ key.setinactive(now + prepub + fudge, **kwargs)
+ key.setdelete(now + prepub + postpub + fudge, **kwargs)
else:
d = key.delete()
- if not d or i + postpub > now:
+ if not d or i + postpub > now + fudge:
key.setdelete(i + postpub, **kwargs)
elif not d:
- key.setdelete(now + postpub, **kwargs)
+ key.setdelete(now + postpub + fudge, **kwargs)
+ elif d < now + fudge:
+ pass
elif d < i + postpub:
key.setdelete(i + postpub, **kwargs)
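Review bot: The `elif not d:` branch at the old line numbered 66-68 is unreachable, because the preceding `if not d or i + postpub > now + fudge:` already takes every `not d` case, so the `now + postpub + fudge` fallback the commit adjusted never runs; a key with no delete time whose `i + postpub` is already within the margin (or in the past) still gets `key.setdelete(i + postpub, **kwargs)`, which is the near-'now' event this change is meant to avoid. Splitting the `not d` case off first makes the fallback reachable while leaving the behaviour for an existing delete time exactly as it is now; the final `elif d < i + postpub:` looks similarly unreachable once `i + postpub <= now + fudge <= d` holds, but I have not traced every path so treat that as something to confirm. `fudge = 300` also deserves a comment tying it to the documented margin, e.g. `fudge = 300  # seconds; the five-minute margin described in dnssec-keymgr.docbook`. The enclosing method starts before this hunk and continues after it.
```python
    else:
        d = key.delete()
        if not d:
            # No delete time yet: use i + postpub unless that is already
            # within the margin of 'now', in which case push it out.
            if i + postpub > now + fudge:
                key.setdelete(i + postpub, **kwargs)
            else:
                key.setdelete(now + postpub + fudge, **kwargs)
        elif i + postpub > now + fudge:
            key.setdelete(i + postpub, **kwargs)
        elif d < now + fudge:
            pass
        elif d < i + postpub:
            key.setdelete(i + postpub, **kwargs)
```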
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/expect b/bin/tests/system/keymgr/01-ksk-inactive/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/01-ksk-inactive/expect
+++ b/bin/tests/system/keymgr/01-ksk-inactive/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/expect b/bin/tests/system/keymgr/02-zsk-inactive/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/02-zsk-inactive/expect
+++ b/bin/tests/system/keymgr/02-zsk-inactive/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/expect b/bin/tests/system/keymgr/03-ksk-unpublished/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/03-ksk-unpublished/expect
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/expect b/bin/tests/system/keymgr/04-zsk-unpublished/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/04-zsk-unpublished/expect
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/expect b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/05-ksk-unpub-active/expect
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/expect b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/06-zsk-unpub-active/expect
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/expect b/bin/tests/system/keymgr/07-ksk-ttl/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/07-ksk-ttl/expect
+++ b/bin/tests/system/keymgr/07-ksk-ttl/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/expect b/bin/tests/system/keymgr/08-zsk-ttl/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/08-zsk-ttl/expect
+++ b/bin/tests/system/keymgr/08-zsk-ttl/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/09-no-keys/expect b/bin/tests/system/keymgr/09-no-keys/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/09-no-keys/expect
+++ b/bin/tests/system/keymgr/09-no-keys/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/10-change-roll/expect b/bin/tests/system/keymgr/10-change-roll/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/10-change-roll/expect
+++ b/bin/tests/system/keymgr/10-change-roll/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/11-many-simul/expect b/bin/tests/system/keymgr/11-many-simul/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/11-many-simul/expect
+++ b/bin/tests/system/keymgr/11-many-simul/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/12-many-active/expect b/bin/tests/system/keymgr/12-many-active/expect
index f990a7a027..67fc4e912c 100644
--- a/bin/tests/system/keymgr/12-many-active/expect
+++ b/bin/tests/system/keymgr/12-many-active/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf -f example.com"
+kargs="-f example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/13-noroll/expect b/bin/tests/system/keymgr/13-noroll/expect
index 40616e1a93..67fc4e912c 100644
--- a/bin/tests/system/keymgr/13-noroll/expect
+++ b/bin/tests/system/keymgr/13-noroll/expect
@@ -1,4 +1,4 @@
-kargs="-f -c policy.conf example.com"
+kargs="-f example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/14-wrongalg/expect b/bin/tests/system/keymgr/14-wrongalg/expect
index 436f05fbc9..bd5eadbf7a 100644
--- a/bin/tests/system/keymgr/14-wrongalg/expect
+++ b/bin/tests/system/keymgr/14-wrongalg/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/15-unspec/expect b/bin/tests/system/keymgr/15-unspec/expect
index b1ff4fc3fe..ad300c498c 100644
--- a/bin/tests/system/keymgr/15-unspec/expect
+++ b/bin/tests/system/keymgr/15-unspec/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf"
+kargs=""
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/expect b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
index 7a21decc0b..c836535ce8 100644
--- a/bin/tests/system/keymgr/16-wrongalg-unspec/expect
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf"
+kargs=""
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/17-noforce/expect b/bin/tests/system/keymgr/17-noforce/expect
index a5bf1f1ec5..029a4e903a 100644
--- a/bin/tests/system/keymgr/17-noforce/expect
+++ b/bin/tests/system/keymgr/17-noforce/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=1
cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect
index de792a9d5e..e8518d8c3a 100644
--- a/bin/tests/system/keymgr/18-nonstd-prepub/expect
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect
@@ -1,7 +1,7 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
-cargs="-d 1w -m 2w example.com"
+cargs="-d 1h -m 1d example.com"
cmatch=""
cret=0
warn=0
diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
index f3e49b3d28..ad73b536c9 100644
--- a/bin/tests/system/keymgr/19-old-keys/expect
+++ b/bin/tests/system/keymgr/19-old-keys/expect
@@ -1,7 +1,7 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
kmatch=""
kret=0
-cargs="-d 1w -m 2w example.com"
+cargs="-d 1h -m 1w example.com"
cmatch="4,Publish
4,Activate
2,Inactive
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
index 3043f162e9..4f027c1a01 100644
--- a/bin/tests/system/keymgr/tests.sh
+++ b/bin/tests/system/keymgr/tests.sh
@@ -19,12 +19,12 @@ matchall () {
match_result=ok
file=$1
while IFS="," read expect matchline; do
- [ -z "$matchline" ] && continue
- matches=`grep "$matchline" $file | wc -l`
- [ "$matches" -ne "$expect" ] && {
- echo "'$matchline': expected $expect found $matches"
- return 1
- }
+ [ -z "$matchline" ] && continue
+ matches=`grep "$matchline" $file | wc -l`
+ [ "$matches" -ne "$expect" ] && {
+ echo "'$matchline': expected $expect found $matches"
+ return 1
+ }
done << EOF
$2
EOF
@@ -34,74 +34,84 @@ EOF
echo_i "checking for DNSSEC key coverage issues"
ret=0
for dir in [0-9][0-9]-*; do
- ret=0
- echo_i "$dir ($n)"
- kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
- . $dir/expect
+ ret=0
+ echo_i "$dir ($n)"
+ kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
+ . $dir/expect
- # use policy.conf if available
- policy=""
- [ -e "$dir/policy.conf" ] && policy="-c $dir/policy.conf"
- # run keymgr to update keys
+ # use policy.conf if available
+ policy=""
+ if [ -e "$dir/policy.conf" ]; then
+ policy="-c $dir/policy.conf"
+ if grep -e "-c policy.conf" $dir/expect > /dev/null
+ then
+ echo_i "fix $dir/expect: multiple policy files"
+ ret=1
+ fi
+ else
+ policy="-c policy.conf"
+ fi
+
+ # run keymgr to update keys
if [ "$CYGWIN" ]; then
- $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
+ $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
-s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
else
$KEYMGR $policy -K $dir -g $KEYGEN \
-s $SETTIME $kargs > keymgr.$n 2>&1
fi
- # check that return code matches expectations
- found=$?
- if [ $found -ne $kret ]; then
- echo "keymgr retcode was $found expected $kret"
- ret=1
- fi
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $kret ]; then
+ echo "keymgr retcode was $found expected $kret"
+ ret=1
+ fi
- # check for matches in keymgr output
- matchall keymgr.$n "$kmatch" || ret=1
+ # check for matches in keymgr output
+ matchall keymgr.$n "$kmatch" || ret=1
- # now check coverage
- $COVERAGE -K $dir $cargs > coverage.$n 2>&1
- # check that return code matches expectations
- found=$?
- if [ $found -ne $cret ]; then
- echo "coverage retcode was $found expected $cret"
- ret=1
- fi
+ # now check coverage
+ $COVERAGE -K $dir $cargs > coverage.$n 2>&1
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $cret ]; then
+ echo "coverage retcode was $found expected $cret"
+ ret=1
+ fi
- # check for correct number of errors
- found=`grep ERROR coverage.$n | wc -l`
- if [ $found -ne $error ]; then
- echo "error count was $found expected $error"
- ret=1
- fi
+ # check for correct number of errors
+ found=`grep ERROR coverage.$n | wc -l`
+ if [ $found -ne $error ]; then
+ echo "error count was $found expected $error"
+ ret=1
+ fi
- # check for correct number of warnings
- found=`grep WARNING coverage.$n | wc -l`
- if [ $found -ne $warn ]; then
- echo "warning count was $found expected $warn"
- ret=1
- fi
+ # check for correct number of warnings
+ found=`grep WARNING coverage.$n | wc -l`
+ if [ $found -ne $warn ]; then
+ echo "warning count was $found expected $warn"
+ ret=1
+ fi
- # check for correct number of OKs
- found=`grep "No errors found" coverage.$n | wc -l`
- if [ $found -ne $ok ]; then
- echo "good count was $found expected $ok"
- ret=1
- fi
+ # check for correct number of OKs
+ found=`grep "No errors found" coverage.$n | wc -l`
+ if [ $found -ne $ok ]; then
+ echo "good count was $found expected $ok"
+ ret=1
+ fi
- # check for matches in coverage output
- matchall coverage.$n "$cmatch" || ret=1
+ # check for matches in coverage output
+ matchall coverage.$n "$cmatch" || ret=1
- if [ -f $dir/extra.sh ]; then
- cd $dir
- . ./extra.sh
- cd ..
- fi
+ if [ -f $dir/extra.sh ]; then
+ cd $dir
+ . ./extra.sh
+ cd ..
+ fi
- n=`expr $n + 1`
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
done
echo_i "checking domains ending in . ($n)"
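Review bot: The new multiple-policy-file check only records the failure and then still runs `$KEYMGR $policy ... $kargs` with both `-c $dir/policy.conf` and the `-c policy.conf` from `$kargs`, so the keymgr and coverage results for that directory are produced with an ambiguous policy and reported under the same test number; the diagnostic is easy to miss among the later retcode or match failures. After `ret=1` it would be clearer to stop that iteration, e.g. `status=\`expr $status + $ret\`; n=\`expr $n + 1\`; continue`, or alternatively drop the stray option with `kargs=\`echo "$kargs" | sed 's/-c policy.conf//'\`` before invoking keymgr. The `grep -e "-c policy.conf" $dir/expect` test also matches a commented-out or `cargs=` occurrence, which is presumably fine for these fixtures but worth knowing.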