From 79d27f505a67ee1fb5cf104cbe7b1ead67d252b4 Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Wed, 4 Jun 2014 14:31:42 +0530 Subject: [PATCH] [35063] Don't publish an activated key automatically before its publish time --- CHANGES | 3 +++ bin/tests/system/autosign/clean.sh | 1 + bin/tests/system/autosign/ns1/keygen.sh | 2 ++ bin/tests/system/autosign/tests.sh | 9 +++++++++ lib/dns/dnssec.c | 5 ++++- 5 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 36d398f228..e47f816285 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3871. [bug] Don't publish an activated key automatically before + its publish time. [RT #35063] + 3870. [func] Updated the random number generator used in the resolver to use the updated ChaCha based one (similar to OpenBSD's changes). Also moved the diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index f86413e116..3d29c1a2fc 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -16,6 +16,7 @@ rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk rm -f active.key inact.key del.key unpub.key standby.key rev.key +rm -f activate-now-publish-1day.key rm -f nopriv.key vanishing.key del1.key del2.key rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f missingzsk.key inactivezsk.key diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index 7b1b3c7186..cc95efdf2d 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh +++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -31,6 +31,7 @@ zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone` zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone` zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone` zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone` +zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone` zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone` rm $zsknopriv.private 
@@ -68,4 +69,5 @@ echo $zskinact > ../inact.key
 echo $zskunpub > ../unpub.key
 echo $zsknopriv > ../nopriv.key
 echo $zsksby > ../standby.key
+echo $zskactnowpub1d > ../activate-now-publish-1day.key
 $REVOKE -R $kskrev > ../rev.key
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 872a2c6884..275152c42a 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -772,6 +772,15 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking for activated but unpublished key ($n)"
+ret=0
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking that standby key does not sign records ($n)"
 ret=0
 id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 68954e97e9..86365225d0 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1251,7 +1251,10 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
 /* Metadata says activate (so we must also publish) */
 if (actset && active <= now) {
 key->hint_sign = ISC_TRUE;
- key->hint_publish = ISC_TRUE;
+
+ /* Only publish if publish time has already passed. */
+if (pubset && publish <= now)
+ key->hint_publish = ISC_TRUE;
 }
 
 /*
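Review bot: The new test only asserts that the DNSKEY for the `-A now -P +1d` key is absent from the apex RRset; it does not check that named is refraining from signing with a key whose public half is withheld, even though the key is active by its metadata. Since the neighbouring test (`checking that standby key does not sign records`) already shows how the suite checks RRSIGs for a given `$id`, a parallel RRSIG check on `dig.out.ns1.test$n` using the same `$id` would pin the behaviour that actually matters to validators, because RRSIGs made with an unpublished key cannot be validated. Note also that `grep ... && ret=1` passes vacuously if `$DIG` fails and leaves an empty output file, but that failure is already caught by `|| ret=1` on the preceding line, so no change is needed there. The standby-key check that the hunk's trailing context belongs to continues outside the hunk.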
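Review bot: The context comment `/* Metadata says activate (so we must also publish) */` is now contradicted by the code beneath it, since publication is gated on `pubset && publish <= now`; it should read `/* Metadata says activate; also publish, but only once the publish time has passed */`. More importantly, with `-A now -P +1d` this branch now sets `hint_sign` without `hint_publish`, so the key is offered for signing while its DNSKEY is withheld, and RRSIGs from a key absent from the DNSKEY RRset are unverifiable by resolvers; unless a caller reconciles the two hints, consider deferring `hint_sign` under the same condition or at least logging that the key's timing metadata is inconsistent. Finally, when `actset` is true but `pubset` is false this branch no longer publishes at all, which is only correct if the activate-without-publish case is handled by another part of get_hints that lies outside this hunk. get_hints begins and ends outside the hunk.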