From 07c2acf15d67d050726ae02d239bbfa957868774 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 31 Jan 2024 11:44:07 +0100
Subject: [PATCH] Don't also skip keymgr run if checkds is skipped

Checking the DS at the parent only happens if dns_zone_getdnsseckeys() returns success. However, if this function somehow fails, it can also prevent the keymgr from running. Before adding the check DS functionality, the keymgr should only run if 'dns_dnssec_findmatchingkeys()' did not return an error (either ISC_R_SUCCESS or ISC_R_NOTFOUND). After this change the correct result code is used again.
---
 lib/dns/zone.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index f0360e4d44..249712a4a0 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -21959,20 +21959,20 @@ zone_rekey(dns_zone_t *zone) {
 ISC_LIST_INIT(zone->checkds_ok);
 UNLOCK_ZONE(zone);
- result = dns_zone_getdnsseckeys(zone, db, ver, now,
- &zone->checkds_ok);
-
- if (result == ISC_R_SUCCESS) {
+ isc_result_t ret = dns_zone_getdnsseckeys(zone, db, ver, now,
+ &zone->checkds_ok);
+ if (ret == ISC_R_SUCCESS) {
 zone_checkds(zone);
 } else {
 dnssec_log(zone,
- (result == ISC_R_NOTFOUND) ? ISC_LOG_DEBUG(1)
- : ISC_LOG_ERROR,
+ (ret == ISC_R_NOTFOUND) ? ISC_LOG_DEBUG(1)
+ : ISC_LOG_ERROR,
 "zone_rekey:dns_zone_getdnsseckeys failed: "
 "%s",
- isc_result_totext(result));
+ isc_result_totext(ret));
 }
+ /* Run keymgr */
 if (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND) {
 dns_zone_lock_keyfiles(zone);
 result = dns_keymgr_run(&zone->origin, zone->rdclass,
@@ -21993,6 +21993,12 @@ zone_rekey(dns_zone_t *zone) {
 KASP_UNLOCK(kasp);
+ /*
+ * Update CDS, CDNSKEY and DNSKEY record sets if the keymgr ran
+ * successfully (dns_keymgr_run returned ISC_R_SUCCESS), or in
+ * case of DNSSEC management without dnssec-policy if we have keys
+ * (dns_dnssec_findmatchingkeys returned ISC_R_SUCCESS).
+ */
 if (result == ISC_R_SUCCESS) {
 dns_kasp_digestlist_t digests;
 bool cdsdel = false;