upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-27 20:25:55 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

No longer update key lifetime if key is retired

Browse source 
The key lifetime should no longer be adjusted if the key is being
retired earlier, for example because a manual rollover was started.

This would falsely be seen as a dnssec-policy lifetime reconfiguration,
and would adjust the retire/removed time again.

This also means we should update the status output, and the next
rollover scheduled is now calculated using (retire-active) instead of
key lifetime.

(cherry picked from commit 129973ebb0)
This commit is contained in:
Matthijs Mekking 2024-06-24 15:18:40 +02:00
parent 7ab4a35820
commit 8ec554e3de
2 changed files with 3 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
bin/tests/system/kasp/tests.sh
View file

@ -2153,9 +2153,6 @@ active=$(key_get KEY1 ACTIVE)
set_addkeytime "KEY1" "RETIRED" "${active}" 15552000
retired=$(key_get KEY1 RETIRED)
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE"
# Rollover starts in six months, but lifetime is set to six months plus
# prepublication duration = 15552000 + 7500 = 15559500 seconds.
set_keylifetime "KEY1" "15559500"
set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
retired=$(key_get KEY1 RETIRED)
# Retire interval of this policy is 26h (93600 seconds).
@ -2171,9 +2168,6 @@ dnssec_verify
# Schedule KSK rollover now.
set_policy "manual-rollover" "3" "3600"
set_keystate "KEY1" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
set_keylifetime "KEY1" "93900"
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE"
@ -2198,9 +2192,6 @@ dnssec_verify
# Schedule ZSK rollover now.
set_policy "manual-rollover" "4" "3600"
set_keystate "KEY2" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
set_keylifetime "KEY2" "93900"
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
@ -3655,9 +3646,6 @@ check_apex
check_subdomain
dnssec_verify
# Roll over KEY2.
# Set expected key lifetime, which is DNSKEY TTL plus the zone propagation delay,
# plus the publish-safety: 7200s + 1h + 1d = 97200 seconds.
set_keylifetime "KEY2" "97200"
created=$(key_get KEY2 CREATED)
rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
# Update expected number of keys and key states.

7
lib/dns/keymgr.c
View file

@ -2477,8 +2477,6 @@ rollover_status(dns_dnsseckey_t *dkey, dns_kasp_t *kasp, isc_stdtime_t now,
}
} else {
isc_stdtime_t retire_time = 0;
uint32_t lifetime = 0;
(void)dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime);
ret = dst_key_gettime(key, retire, &retire_time);
if (ret == ISC_R_SUCCESS) {
if (now < retire_time) {
@ -2487,7 +2485,9 @@ rollover_status(dns_dnsseckey_t *dkey, dns_kasp_t *kasp, isc_stdtime_t now,
" Next rollover "
"scheduled on ");
retire_time = keymgr_prepublication_time(
dkey, kasp, lifetime, now);
dkey, kasp,
(retire_time - active_time),
now);
} else {
isc_buffer_printf(
buf, " Key will retire on ");
@ -2665,7 +2665,6 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
retire = when + prepub;
dst_key_settime(key->key, DST_TIME_INACTIVE, retire);
dst_key_setnum(key->key, DST_NUM_LIFETIME, (retire - active));
/* Store key state and update hints. */
isc_dir_init(&dir);