[v9_10] Fix calculation of dates for a successor key

4685. [bug] dnssec-settime incorrectly calculated publication and activation dates for a successor key. [RT #45806] (cherry picked from commit 5201b96d03)
2026-06-12 08:50:00 -04:00 · 2017-08-21 09:55:27 +02:00 · 2017-08-21 09:55:27 +02:00 · 457dc09806
commit 457dc09806
parent c67ab4349a
4 changed files with 31 additions and 7 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+4685.	[bug]		dnssec-settime incorrectly calculated publication and
+			activation dates for a successor key. [RT #45806]
+
 4684.	[bug]		delv could send bogus DNS queries when an explicit
 			server address was specified on the command line along
 			with -4/-6. [RT #45804]
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@ -86,6 +86,11 @@ usage(void) {
 						     "inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
 						     "deletion date\n");
+	fprintf(stderr, "    -S <key>: generate a successor to an existing "
+				      "key\n");
+	fprintf(stderr, "    -i <interval>: prepublication interval for "
+					   "successor key "
+					   "(default: 30 days)\n");
 	fprintf(stderr, "Printing options:\n");
 	fprintf(stderr, "    -p C/P/A/R/I/D/all: print a particular time "
 						"value or values\n");
@ -388,13 +393,16 @@ main(int argc, char **argv) {
 			      "You must set one before\n\t"
 			      "generating a successor.");

-		pub = prevact - prepub;
-		if (pub < now && prepub != 0)
-			fatal("Predecessor will become inactive before the\n\t"
-			      "prepublication period ends.  Either change "
-			      "its inactivation date,\n\t"
-			      "or use the -i option to set a shorter "
-			      "prepublication interval.");
+		pub = previnact - prepub;
+		act = previnact;
+
+		if ((previnact - prepub) < now && prepub != 0)
+			fatal("Time until predecessor inactivation is\n\t"
+			      "shorter than the prepublication interval.  "
+			      "Either change\n\t"
+			      "predecessor inactivation date, or use the -i "
+			      "option to set\n\t"
+			      "a shorter prepublication interval.");

 		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
 		if (result != ISC_R_SUCCESS)
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@ -58,6 +58,8 @@
      <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@ -196,5 +196,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+echo "I:checking calculation of dates for a successor key ($n)"
+ret=0
+oldkey=`$KEYGEN -q -r $RANDFILE $czone`
+newkey=`$KEYGEN -q -r $RANDFILE $czone`
+$SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1
+$SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1
+$SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1