Only initialize goal on active keys

If we initialize goals on all keys, superfluous keys that match
the policy all desire to be active.  For example, there are six
keys available for a policy that needs just two, we only want to
set the goal state to OMNIPRESENT on two keys, not six.

bin/tests/system/kasp/ns6/named.conf.in

@@ -46,9 +46,9 @@ zone "migrate.kasp" {
 	update-check-ksk yes;
 };
 
-zone "migrate-nomatch.kasp" {
+zone "migrate-nomatch-alglen.kasp" {
 	type master;
-	file "migrate-nomatch.kasp.db";
+	file "migrate-nomatch-alglen.kasp.db";
 	auto-dnssec maintain;
 	allow-update { any; };
 	dnssec-dnskey-kskonly yes;

bin/tests/system/kasp/ns6/named2.conf.in

@@ -43,11 +43,11 @@ zone "migrate.kasp" {
 	dnssec-policy "migrate";
 };
 
-zone "migrate-nomatch.kasp" {
+zone "migrate-nomatch-alglen.kasp" {
 	type master;
-	file "migrate-nomatch.kasp.db";
+	file "migrate-nomatch-alglen.kasp.db";
 	allow-update { any; };
-	dnssec-policy "migrate-nomatch";
+	dnssec-policy "migrate-nomatch-alglen";
 };
 
 /*

bin/tests/system/kasp/ns6/policies/kasp.conf

@@ -58,7 +58,11 @@ dnssec-policy "migrate" {
 	};
 };
 
-dnssec-policy "migrate-nomatch" {
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to 2048 bits RSASHA1 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
 	dnskey-ttl 300;
 
 	keys {

bin/tests/system/kasp/ns6/setup.sh

@@ -52,8 +52,10 @@ private_type_record $zone 5 "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
-# time the existing keys do not match the policy.
+# time the existing keys do not match the policy.  The existing keys are
-setup migrate-nomatch.kasp
+# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
+# dictates 2048 bits RSASHA1 keys.
+setup migrate-nomatch-alglen.kasp
 echo "$zone" >> zones
 KSK=$($KEYGEN -a RSASHA1 -b 1024 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
 ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)

bin/tests/system/kasp/tests.sh

@@ -2920,11 +2920,11 @@ _migrate_zsk=$(key_get KEY2 ID)
 #
 # Testing migration with unmatched existing keys.
 #
-set_zone "migrate-nomatch.kasp"
+set_zone "migrate-nomatch-alglen.kasp"
 set_policy "none" "2" "300"
 set_server "ns6" "10.53.0.6"
 
-init_migration_nomatch() {
+init_migration_nomatch_alglen() {
 	key_clear        "KEY1"
 	key_set          "KEY1" "LEGACY" "yes"
 	set_keyrole      "KEY1" "ksk"
@@ -2957,7 +2957,7 @@ init_migration_nomatch() {
 	set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 	set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 }
-init_migration_nomatch
+init_migration_nomatch_alglen
 
 # Make sure the zone is signed with legacy keys.
 check_keys
@@ -2966,8 +2966,8 @@ check_subdomain
 dnssec_verify
 
 # Remember legacy key tags.
-_migratenomatch_ksk=$(key_get KEY1 ID)
+_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
-_migratenomatch_zsk=$(key_get KEY2 ID)
+_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
 
 # Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
 # changes).
@@ -3033,13 +3033,13 @@ ret=0
 status=$((status+ret))
 
 # Test migration to dnssec-policy, existing keys do not match.
-set_zone "migrate-nomatch.kasp"
+set_zone "migrate-nomatch-alglen.kasp"
-set_policy "migrate-nomatch" "4" "300"
+set_policy "migrate-nomatch-alglen" "4" "300"
 set_server "ns6" "10.53.0.6"
 
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_nomatch
+init_migration_nomatch_alglen
 
 key_set      "KEY1" "LEGACY"  "no"
 set_keytime  "KEY1" "RETIRED" "yes"
@@ -3059,7 +3059,7 @@ set_keyrole      "KEY4" "zsk"
 set_keylifetime  "KEY4" "5184000"
 set_keyalgorithm "KEY4" "5" "RSASHA1" "2048"
 set_keysigning   "KEY4" "no"
-# This key is not active yet, first the DNSKEY needs to be omnipresent.
+# This key is considered to be prepublished, so it is not yet signing.
 set_zonesigning  "KEY4" "no"
 
 set_keytime  "KEY3" "PUBLISHED"    "yes"
@@ -3086,8 +3086,8 @@ dnssec_verify
 n=$((n+1))
 echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
 ret=0
-[ $_migratenomatch_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_alglen_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migratenomatch_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+[ $_migratenomatch_alglen_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
 status=$((status+ret))
 
 #

lib/dns/keymgr.c

@@ -1402,7 +1402,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 					      keystr, keymgr_keyrole(dkey->key),
 					      dns_kasp_getname(kasp));
 
-				/* Initialize lifetime and goal, if not set. */
+				/* Initialize lifetime if not set. */
 				uint32_t l;
 				if (dst_key_getnum(dkey->key, DST_NUM_LIFETIME,
 						   &l) != ISC_R_SUCCESS) {
@@ -1411,14 +1411,6 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 						       lifetime);
 				}
 
-				dst_key_state_t goal;
-				if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
-						     &goal) != ISC_R_SUCCESS) {
-					dst_key_setstate(dkey->key,
-							 DST_KEY_GOAL,
-							 OMNIPRESENT);
-				}
-
 				if (active_key) {
 					/* We already have an active key that
 					 * matches the kasp policy.
@@ -1442,6 +1434,19 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 					continue;
 				}
 
+				/*
+				 * This is possibly an active key created
+				 * outside dnssec-policy.  Initialize goal,
+				 * if not set.
+				 */
+				dst_key_state_t goal;
+				if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
+						     &goal) != ISC_R_SUCCESS) {
+					dst_key_setstate(dkey->key,
+							 DST_KEY_GOAL,
+							 OMNIPRESENT);
+				}
+
 				/*
 				 * Save the matched key only if it is active
 				 * or desires to be active.