Merge branch '4032-ignore-max-zone-ttl-dnssec-policy-insecure-v9_18' into 'bind-9.18'

[9.18] Ignore max-zone-ttl on dnssec-policy insecure

See merge request isc-projects/bind9!8155

CHANGES

@@ -1,3 +1,6 @@
+6219.	[bug]		Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
+			[GL #4032]
+
 6215.	[protocol]	Return REFUSED to GSS-API TKEY requests if GSS-API
 			support is not configured. [GL #4225]
 

bin/named/config.c

@@ -319,6 +319,7 @@ dnssec-policy \"default\" {\n\
 };\n\
 \n\
 dnssec-policy \"insecure\" {\n\
+	max-zone-ttl 0; \n\
 	keys { };\n\
 };\n\
 \n\

bin/named/zoneconf.c

@@ -1511,7 +1511,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	}
 
 	if (use_kasp) {
-		maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
+		maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false);
 	} else {
 		obj = NULL;
 		result = named_config_get(maps, "max-zone-ttl", &obj);

doc/notes/notes-current.rst

@@ -40,6 +40,10 @@ Bug Fixes
   flushed.  This has been fixed to not process queued already received queries
   over TCP while the server is in the "exclusive" mode.  :gl:`#4200`
 
+- Ignore :any:`max-zone-ttl` for :any:`dnssec-policy` "insecure",
+  otherwise some zones will not be loaded if they use a TTL value larger
+  than 86400. :gl:`#4032`.
+
 Known Issues
 ~~~~~~~~~~~~
 

lib/dns/include/dns/kasp.h

@@ -382,9 +382,11 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value);
  */
 
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp);
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback);
 /*%<
- * Get maximum zone TTL.
+ * Get maximum zone TTL. If 'fallback' is true, return a default maximum TTL
+ * if the maximum zone TTL is set to unlimited (value 0). Fallback should be
+ * used if determining key rollover timings in keymgr.c
  *
  * Requires:
  *

lib/dns/kasp.c

@@ -27,6 +27,9 @@
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 
+/* Default TTLsig (maximum zone ttl) */
+#define DEFAULT_TTLSIG 86400
+
 isc_result_t
 dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 	dns_kasp_t *kasp;
@@ -237,10 +240,13 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
 }
 
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback) {
 	REQUIRE(DNS_KASP_VALID(kasp));
 	REQUIRE(kasp->frozen);
 
+	if (kasp->zone_max_ttl == 0 && fallback) {
+		return (DEFAULT_TTLSIG);
+	}
 	return (kasp->zone_max_ttl);
 }
 

lib/dns/keymgr.c

@@ -132,11 +132,11 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
 
 	ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
 	if (ret == ISC_R_SUCCESS && zsk) {
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 		/* ZSK: Iret = Dsgn + Dprp + TTLsig */
-		zsk_remove = retire + dns_kasp_zonemaxttl(kasp) +
-			     dns_kasp_zonepropagationdelay(kasp) +
-			     dns_kasp_retiresafety(kasp) +
-			     dns_kasp_signdelay(kasp);
+		zsk_remove =
+			retire + ttlsig + dns_kasp_zonepropagationdelay(kasp) +
+			dns_kasp_retiresafety(kasp) + dns_kasp_signdelay(kasp);
 	}
 	ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
 	if (ret == ISC_R_SUCCESS && ksk) {
@@ -179,7 +179,8 @@ keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
 	if (first) {
 		/* Also need to wait until the signatures are omnipresent. */
 		isc_stdtime_t zrrsig_present;
-		zrrsig_present = published + dns_kasp_zonemaxttl(kasp) +
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+		zrrsig_present = published + ttlsig +
 				 dns_kasp_zonepropagationdelay(kasp) +
 				 dns_kasp_publishsafety(kasp);
 		if (zrrsig_present > syncpublish) {
@@ -260,7 +261,9 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 				 * No predecessor, wait for zone to be
 				 * completely signed.
 				 */
-				syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
+				dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
+								       true);
+				syncpub2 = pub + ttlsig +
 					   dns_kasp_publishsafety(kasp) +
 					   dns_kasp_zonepropagationdelay(kasp);
 			}
@@ -1240,6 +1243,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 		       isc_stdtime_t now, isc_stdtime_t *when) {
 	isc_result_t ret;
 	isc_stdtime_t lastchange, dstime, nexttime = now;
+	dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 
 	/*
 	 * No need to wait if we move things into an uncertain state.
@@ -1312,7 +1316,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 			 *
 			 * We will also add the retire-safety interval.
 			 */
-			nexttime = lastchange + dns_kasp_zonemaxttl(kasp) +
+			nexttime = lastchange + ttlsig +
 				   dns_kasp_zonepropagationdelay(kasp) +
 				   dns_kasp_retiresafety(kasp);
 			/*
@@ -1585,9 +1589,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
 	/* Get time metadata. */
 	ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
 	if (active <= now && ret == ISC_R_SUCCESS) {
-		dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
-		zone_ttl += dns_kasp_zonepropagationdelay(kasp);
-		if ((active + zone_ttl) <= now) {
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+		ttlsig += dns_kasp_zonepropagationdelay(kasp);
+		if ((active + ttlsig) <= now) {
 			zrrsig_state = OMNIPRESENT;
 		} else {
 			zrrsig_state = RUMOURED;
@@ -1618,9 +1622,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
 	}
 	ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
 	if (retire <= now && ret == ISC_R_SUCCESS) {
-		dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
-		zone_ttl += dns_kasp_zonepropagationdelay(kasp);
-		if ((retire + zone_ttl) <= now) {
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+		ttlsig += dns_kasp_zonepropagationdelay(kasp);
+		if ((retire + ttlsig) <= now) {
 			zrrsig_state = HIDDEN;
 		} else {
 			zrrsig_state = UNRETENTIVE;