fix: usr: Fix setting retire in dns_keymgr_key_init

A wrong-variable bug in `dns_keymgr_key_init()` causes the DNSSEC key inactive
time to never be read. This means the key state is retracting zone signatures
where it should have, delaying the key rollover.

ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting this.

Closes #5774

Merge branch '5774-fix-setting-retire' into 'main'

See merge request isc-projects/bind9!11624
Matthijs Mekking 2026-03-05 10:49:45 +00:00
commit a6701c37b9

@ -1733,8 +1733,8 @@ dns_keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
}
goal_state = OMNIPRESENT;
}
result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &result);
if (result <= now && result == ISC_R_SUCCESS) {
result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
if (retire <= now && result == ISC_R_SUCCESS) {
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
ttlsig += dns_kasp_zonepropagationdelay(kasp);
if ((retire + ttlsig) <= now) {
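
Review bot: In the new condition `if (retire <= now && result == ISC_R_SUCCESS)`, `retire` is compared against `now` before the return code of `dst_key_gettime()` is checked, so on a failed lookup the comparison reads whatever `retire` held beforehand, and its initialization is not visible in this hunk. Putting `result == ISC_R_SUCCESS` first would let short-circuit evaluation guarantee that `retire` is only consulted when the inactive time was actually read. The old call passed `&result` as the output argument, so the inactive time was never stored in `retire` while the following `(retire + ttlsig) <= now` check still depended on it. A regression test with a key whose inactive time is already in the past would pin this behaviour down, and none is visible in this change.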