From 2389fcb4dcb55a1598a3b8b0f48e8d9ddfb429cf Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 1 Apr 2020 16:35:06 +0200
Subject: [PATCH] Only initialize goal on active keys

If we initialize goals on all keys, superfluous keys that match
the policy all desire to be active.  For example, there are six
keys available for a policy that needs just two, we only want to
set the goal state to OMNIPRESENT on two keys, not six.
---
 bin/tests/system/kasp/ns6/named.conf.in      |  4 ++--
 bin/tests/system/kasp/ns6/named2.conf.in     |  6 ++---
 bin/tests/system/kasp/ns6/policies/kasp.conf |  6 ++++-
 bin/tests/system/kasp/ns6/setup.sh           |  6 +++--
 bin/tests/system/kasp/tests.sh               | 22 +++++++++----------
 lib/dns/keymgr.c                             | 23 ++++++++++++--------
 6 files changed, 39 insertions(+), 28 deletions(-)

diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index 5cecb8c542..f9aa284ef4 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -46,9 +46,9 @@ zone "migrate.kasp" {
 	update-check-ksk yes;
 };
 
-zone "migrate-nomatch.kasp" {
+zone "migrate-nomatch-alglen.kasp" {
 	type master;
-	file "migrate-nomatch.kasp.db";
+	file "migrate-nomatch-alglen.kasp.db";
 	auto-dnssec maintain;
 	allow-update { any; };
 	dnssec-dnskey-kskonly yes;
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index 0428dcbdf8..d63318c6ac 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -43,11 +43,11 @@ zone "migrate.kasp" {
 	dnssec-policy "migrate";
 };
 
-zone "migrate-nomatch.kasp" {
+zone "migrate-nomatch-alglen.kasp" {
 	type master;
-	file "migrate-nomatch.kasp.db";
+	file "migrate-nomatch-alglen.kasp.db";
 	allow-update { any; };
-	dnssec-policy "migrate-nomatch";
+	dnssec-policy "migrate-nomatch-alglen";
 };
 
 /*
diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf b/bin/tests/system/kasp/ns6/policies/kasp.conf
index 16fb3d60aa..ae36e0934f 100644
--- a/bin/tests/system/kasp/ns6/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns6/policies/kasp.conf
@@ -58,7 +58,11 @@ dnssec-policy "migrate" {
 	};
 };
 
-dnssec-policy "migrate-nomatch" {
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to 2048 bits RSASHA1 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
 	dnskey-ttl 300;
 
 	keys {
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 5c489e774f..7a9ed929c1 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -52,8 +52,10 @@ private_type_record $zone 5 "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
-# time the existing keys do not match the policy.
-setup migrate-nomatch.kasp
+# time the existing keys do not match the policy.  The existing keys are
+# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
+# dictates 2048 bits RSASHA1 keys.
+setup migrate-nomatch-alglen.kasp
 echo "$zone" >> zones
 KSK=$($KEYGEN -a RSASHA1 -b 1024 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
 ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index ed24aedf58..50de840ad6 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2920,11 +2920,11 @@ _migrate_zsk=$(key_get KEY2 ID)
 #
 # Testing migration with unmatched existing keys.
 #
-set_zone "migrate-nomatch.kasp"
+set_zone "migrate-nomatch-alglen.kasp"
 set_policy "none" "2" "300"
 set_server "ns6" "10.53.0.6"
 
-init_migration_nomatch() {
+init_migration_nomatch_alglen() {
 	key_clear        "KEY1"
 	key_set          "KEY1" "LEGACY" "yes"
 	set_keyrole      "KEY1" "ksk"
@@ -2957,7 +2957,7 @@ init_migration_nomatch() {
 	set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 	set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 }
-init_migration_nomatch
+init_migration_nomatch_alglen
 
 # Make sure the zone is signed with legacy keys.
 check_keys
@@ -2966,8 +2966,8 @@ check_subdomain
 dnssec_verify
 
 # Remember legacy key tags.
-_migratenomatch_ksk=$(key_get KEY1 ID)
-_migratenomatch_zsk=$(key_get KEY2 ID)
+_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
+_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
 
 # Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
 # changes).
@@ -3033,13 +3033,13 @@ ret=0
 status=$((status+ret))
 
 # Test migration to dnssec-policy, existing keys do not match.
-set_zone "migrate-nomatch.kasp"
-set_policy "migrate-nomatch" "4" "300"
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "migrate-nomatch-alglen" "4" "300"
 set_server "ns6" "10.53.0.6"
 
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_nomatch
+init_migration_nomatch_alglen
 
 key_set      "KEY1" "LEGACY"  "no"
 set_keytime  "KEY1" "RETIRED" "yes"
@@ -3059,7 +3059,7 @@ set_keyrole      "KEY4" "zsk"
 set_keylifetime  "KEY4" "5184000"
 set_keyalgorithm "KEY4" "5" "RSASHA1" "2048"
 set_keysigning   "KEY4" "no"
-# This key is not active yet, first the DNSKEY needs to be omnipresent.
+# This key is considered to be prepublished, so it is not yet signing.
 set_zonesigning  "KEY4" "no"
 
 set_keytime  "KEY3" "PUBLISHED"    "yes"
@@ -3086,8 +3086,8 @@ dnssec_verify
 n=$((n+1))
 echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
 ret=0
-[ $_migratenomatch_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migratenomatch_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+[ $_migratenomatch_alglen_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_alglen_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
 status=$((status+ret))
 
 #
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 268db30d2b..09ba4dc9c4 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1402,7 +1402,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 					      keystr, keymgr_keyrole(dkey->key),
 					      dns_kasp_getname(kasp));
 
-				/* Initialize lifetime and goal, if not set. */
+				/* Initialize lifetime if not set. */
 				uint32_t l;
 				if (dst_key_getnum(dkey->key, DST_NUM_LIFETIME,
 						   &l) != ISC_R_SUCCESS) {
@@ -1411,14 +1411,6 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 						       lifetime);
 				}
 
-				dst_key_state_t goal;
-				if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
-						     &goal) != ISC_R_SUCCESS) {
-					dst_key_setstate(dkey->key,
-							 DST_KEY_GOAL,
-							 OMNIPRESENT);
-				}
-
 				if (active_key) {
 					/* We already have an active key that
 					 * matches the kasp policy.
@@ -1442,6 +1434,19 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 					continue;
 				}
 
+				/*
+				 * This is possibly an active key created
+				 * outside dnssec-policy.  Initialize goal,
+				 * if not set.
+				 */
+				dst_key_state_t goal;
+				if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
+						     &goal) != ISC_R_SUCCESS) {
+					dst_key_setstate(dkey->key,
+							 DST_KEY_GOAL,
+							 OMNIPRESENT);
+				}
+
 				/*
 				 * Save the matched key only if it is active
 				 * or desires to be active.