[master] Revert "[master] tag initializing keys so they can't be used for normal validation"

This reverts commit 560d8b833edceb4b715fe46b45f2009dc09fdb5d. This change created a potential race between key refresh queries and root zone priming queries which could leave the root name servers in the bad-server cache.
2025-08-29 13:38:26 +00:00 · 2017-10-12 10:53:35 -07:00 · 2017-10-12 10:53:35 -07:00 · 3abcd7cd8a
commit 3abcd7cd8a
parent 5daa633313
22 changed files with 122 additions and 367 deletions
--- a/9
+++ b/9
@ -1,14 +1,5 @@
 	--- 9.12.0b1 released ---
 4773.	[bug]		Keys specified in "managed-keys" statements
 			can now only be used when validating key refresh
 			queries during initialization of RFC 5011 key
 			maintenance. If initialization fails, DNSSEC
 			validation of normal queries will also fail.
 			Previously, validation of normal queries could
 			succeed using the initializing key, potentially
 			masking problems with managed-keys. [RT #46077]
 4772.	[test]		Expanded unit testing framework for libns, using
 			hooks to interrupt query flow and inspect state
 			at specified locations. [RT #46173]
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -844,8 +844,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 				continue;
 			}
-			CHECK(dns_keytable_add2(secroots, managed,
+			CHECK(dns_keytable_add(secroots, managed, &dstkey));
 						managed, &dstkey));
 		}
 	}
@ -1044,8 +1043,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
 				      "managed-keys-directory '%s' "
-				      "must be writable and accessible",
+				      "is not writable", directory);
 				      directory);
 			result = ISC_R_NOPERM;
 			goto cleanup;
 		}
@ -6170,8 +6168,8 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	if (access(directory, DIR_PERM_OK) != 0) {
 		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "working directory '%s' must be "
+			      "directory '%s' is not writable",
-			      "writable and accessible", directory);
+			      directory);
 		return (ISC_R_NOPERM);
 	}
@ -6436,7 +6434,7 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
 	do {
 		dst_key_t *key = dns_keynode_key(keynode);
-		if (key != NULL && !dns_keynode_initial(keynode)) {
+		if (key != NULL) {
 			name = dst_key_name(key);
 			if (n < (sizeof(ids)/sizeof(ids[0]))) {
 				ids[n] = dst_key_id(key);
@ -6445,19 +6443,16 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
 		}
 		nextnode = NULL;
 		(void)dns_keytable_nextkeynode(keytable, keynode, &nextnode);
-		if (keynode != firstnode) {
+		if (keynode != firstnode)
 			dns_keytable_detachkeynode(keytable, &keynode);
 		}
 		keynode = nextnode;
 	} while (keynode != NULL);
-	if (n == 0) {
+	if (n == 0)
 		return;
 	}
-	if (n > 1) {
+	if (n > 1)
 		qsort(ids, n, sizeof(ids[0]), cid);
 	}
 	/*
 	 * Encoded as "_ta-xxxx\(-xxxx\)*" where xxxx is the hex version of
@ -6467,23 +6462,20 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
 	r.base = label;
 	r.length = sizeof(label);;
 	m = snprintf(r.base, r.length, "_ta");
-	if (m < 0 || (unsigned)m > r.length) {
+	if (m < 0 || (unsigned)m > r.length)
 		return;
 	}
 	isc_textregion_consume(&r, m);
 	for (i = 0; i < n; i++) {
 		m = snprintf(r.base, r.length, "-%04x", ids[i]);
-		if (m < 0 || (unsigned)m > r.length) {
+		if (m < 0 || (unsigned)m > r.length)
 			return;
 		}
 		isc_textregion_consume(&r, m);
 	}
 	dns_fixedname_init(&fixed);
 	tatname = dns_fixedname_name(&fixed);
 	result = dns_name_fromstring2(tatname, label, name, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		return;
 	}
 	dns_name_format(tatname, namebuf, sizeof(namebuf));
 	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
@ -6492,9 +6484,8 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
 		     view->name, namebuf);
 	tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat));
-	if (tat == NULL) {
+	if (tat == NULL)
 		return;
 	}
 	tat->mctx = NULL;
 	tat->task = NULL;
@ -8499,8 +8490,7 @@ load_configuration(const char *filename, named_server_t *server,
 	if (access(".", DIR_PERM_OK) != 0) {
 		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "the working directory must be "
+			      "the working directory is not writable");
 			      "writable and accessible");
 		result = ISC_R_NOPERM;
 		goto cleanup;
 	}
--- a/bin/tests/system/mkeys/README
+++ b/bin/tests/system/mkeys/README
@ -16,8 +16,16 @@ is used so it will send TAT queries once per second.
 ns3 is a validator with a broken key in managed-keys.
-ns4 is a validator with a deliberately broken managed-keys.bind and
+Tests TODO:
 managed-keys.jnl, causing RFC 5011 initialization to fail.
-ns5 is a validator which is prevented from getting a response from the
+- initial working KSK
-root server, causing key refresh queries to fail.
+
 TODO: test using delv with new trusted key too
 - introduce a REVOKE bit
 - later remove a signature
 - corrupt a signature
 TODO: also same things with dlv auto updates of trust anchor
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@ -15,4 +15,3 @@ rm -f */named.memstats */named.run
 rm -f dig.out* delv.out* rndc.out* signer.out*
 rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
 rm -f ns1/named.conf
 rm -rf ns4/nope
--- a/bin/tests/system/mkeys/ns1/named1.conf
+++ b/bin/tests/system/mkeys/ns1/named1.conf
@ -10,11 +10,6 @@
 controls { /* empty */ };
 acl allowed {
 	! 10.53.0.5;
 	any;
 };
 options {
 	query-source address 10.53.0.1;
 	notify-source 10.53.0.1;
@ -27,7 +22,6 @@ options {
 	notify no;
 	dnssec-enable yes;
 	dnssec-validation yes;
 	allow-query { allowed; };
 };
 key rndc_key {
--- a/bin/tests/system/mkeys/ns1/named2.conf
+++ b/bin/tests/system/mkeys/ns1/named2.conf
@ -10,11 +10,6 @@
 controls { /* empty */ };
 acl allowed {
 	! 10.53.0.5;
 	any;
 };
 options {
 	query-source address 10.53.0.1;
 	notify-source 10.53.0.1;
@ -27,7 +22,6 @@ options {
 	notify no;
 	dnssec-enable yes;
 	dnssec-validation yes;
 	allow-query { allowed; };
 };
 key rndc_key {
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@ -28,8 +28,6 @@ managed-keys {
 EOF
 ' > managed.conf
 cp managed.conf ../ns2/managed.conf
 cp managed.conf ../ns4/managed.conf
 cp managed.conf ../ns5/managed.conf
 # Configure a trusted key statement (used by delve)
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
--- a/bin/tests/system/mkeys/ns2/named.args
+++ b/bin/tests/system/mkeys/ns2/named.args
@ -1 +1 @@
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40
--- a/bin/tests/system/mkeys/ns4/named.conf
+++ b/bin/tests/system/mkeys/ns4/named.conf
@ -1,41 +0,0 @@
 /*
 * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 // NS4
 controls { /* empty */ };
 options {
 	query-source address 10.53.0.4;
 	notify-source 10.53.0.4;
 	transfer-source 10.53.0.4;
 	port 5300;
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
 	notify no;
 	dnssec-enable yes;
 	dnssec-validation auto;
 	bindkeys-file "managed.conf";
 	managed-keys-directory "nope";
 };
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm hmac-sha256;
 };
 controls {
 	inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
 };
 zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
--- a/bin/tests/system/mkeys/ns5/named.conf
+++ b/bin/tests/system/mkeys/ns5/named.conf
@ -1,38 +0,0 @@
 /*
 * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 // NS5
 options {
 	query-source address 10.53.0.5;
 	notify-source 10.53.0.5;
 	transfer-source 10.53.0.5;
 	port 5300;
 	pid-file "named.pid";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	recursion yes;
 	notify no;
 	dnssec-enable yes;
 	dnssec-validation auto;
 	bindkeys-file "managed.conf";
 };
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm hmac-sha256;
 };
 controls {
 	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
 };
 zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@ -16,9 +16,3 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 cp ns1/named1.conf ns1/named.conf
 cd ns1 && $SHELL sign.sh
 cd ../ns4
 mkdir nope
 touch nope/managed-keys.bind
 touch nope/managed.keys.bind.jnl
 chmod 444 nope/*
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@ -28,7 +28,6 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check positive validation with valid trust anchor ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@ -391,7 +390,6 @@ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2
 n=`expr $n + 1`
 echo "I: check positive validation ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@ -448,6 +446,7 @@ rm -f ${revoked}.key ${revoked}.private
 $SETTIME -D none -R none -K ns1 `cat ns1/managed.key` > /dev/null
 $SETTIME -D now -K ns1 $standby1 > /dev/null
 $SETTIME -D now -K ns1 $standby2 > /dev/null
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
 sleep 1
 $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&-
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /'
@ -455,7 +454,6 @@ sleep 3
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
 sleep 1
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@ -539,7 +537,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check that trust-anchor-telemetry queries are logged ($n)"
 ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns3/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@ -564,45 +562,5 @@ grep "name: \." rndc.out.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check that trust-anchor-telemetry queries contain the correct key ($n)"
 ret=0
 # convert the hexadecimal key from the TAT query into decimal and
 # compare against the known key.
 tathex=`grep "query '_ta-[0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([a-f0-9][a-f0-d]*\)):/\1/'`
 tatkey=`$PERL -e 'printf("%d\n", hex(@ARGV[0]));' $tathex`
 realkey=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots - | grep '; managed' | sed 's#.*SHA256/\([0-9][0-9]*\) ; managed.*#\1#'`
 [ "$tatkey" -eq "$realkey" ] || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check initialization fails if managed-keys can't be created ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots | sed 's/^/I: ns4 /'
 grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
 grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
 grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check failure to contact root servers does not prevent key refreshes after restart ($n)"
 ret=0
 # By the time we get here, ns5 should have attempted refreshing its managed
 # keys.  These attempts should fail as ns1 is configured to REFUSE all queries
 # from ns5.  Note we do not configure ns5 with "-T mkeytimers"; this is to
 # ensure key refresh retry will be scheduled one hour in the future instead of
 # a few seconds in the future, in order to prevent races when ns5 is restarted.
 $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns5
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
 sleep 2
 # ns5/named.run will contain logs from both the old instance and the new
 # instance.  In order for the test to pass, both must attempt a fetch.
 count=`grep -c "Creating key fetch" ns5/named.run`
 [ $count -lt 2 ] && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/bin/tests/system/runtime/ns2/named-alt2.conf
+++ b/bin/tests/system/runtime/ns2/named-alt2.conf
@ -13,7 +13,7 @@ controls { /* empty */ };
 options {
 	query-source address 10.53.0.2;
 	port 5300;
-	pid-file "named2.pid";
+	pid-file "named3.pid";
 	listen-on { 10.53.0.2; 10.53.0.3; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
 	recursion no;
--- a/bin/tests/system/runtime/ns2/named-alt3.conf
+++ b/bin/tests/system/runtime/ns2/named-alt3.conf
@ -13,7 +13,7 @@ controls { /* empty */ };
 options {
 	query-source address 10.53.0.2;
 	port 5300;
-	pid-file "named2.pid";
+	pid-file "named4.pid";
 	lock-file none;
 	listen-on { 10.53.0.2; 10.53.0.3; };
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
--- a/bin/tests/system/runtime/tests.sh
+++ b/bin/tests/system/runtime/tests.sh
@ -37,7 +37,7 @@ ret=0
 (cd ns2; $NAMED -c named-alt2.conf -D ns2-extra-2 -X named.lock -m record,size,mctx -d 99 -g -U 4 >> named3.run 2>&1 & )
 sleep 2
 grep "another named process" ns2/named3.run > /dev/null || ret=1
-[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
+[ -s ns2/named3.pid ] && $KILL -15 `cat ns2/named3.pid`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@ -47,11 +47,10 @@ ret=0
 (cd ns2; $NAMED -c named-alt3.conf -D ns2-extra-3 -m record,size,mctx -d 99 -g -U 4 >> named4.run 2>&1 & )
 sleep 2
 grep "another named process" ns2/named4.run > /dev/null && ret=1
-[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
+[ -s ns2/named4.pid ] && $KILL -15 `cat ns2/named4.pid`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 if [ ! "$CYGWIN" ]; then
 n=`expr $n + 1`
 echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
 ret=0
@ -59,7 +58,7 @@ if [ ! "$CYGWIN" ]; then
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
 grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
 sleep 1
-    grep "[^-]directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
+grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@ -70,13 +69,10 @@ if [ ! "$CYGWIN" ]; then
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
 grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
 sleep 1
-    grep "managed-keys-directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
+grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
    echo "I: kill existing named process"
    [ -s "ns2/named.pid" ] && kill -15 `cat ns2/named.pid`
 n=`expr $n + 1`
 echo "I: checking that named refuses to start if working directory is not writable ($n)"
 ret=0
@ -84,8 +80,11 @@ if [ ! "$CYGWIN" ]; then
 $NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
 sleep 2
 grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
-    cd ..
+# pidfile could be in either place depending on whether the directory
 # successfully changed.
 [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
 [ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1
 cd ..
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@ -96,11 +95,13 @@ if [ ! "$CYGWIN" ]; then
 $NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
 sleep 2
 grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
-    cd ..
+# pidfile could be in either place depending on whether the directory
 # successfully changed.
 [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
 [ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1
 cd ..
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 fi
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -492,17 +492,6 @@
 	  are not writable by the effective user ID. [RT #46077]
 	</para>
      </listitem>
      <listitem>
 	<para>
 	  Initializing keys specified in a <command>managed-keys</command>
 	  statement or by <command>dnssec-validation auto;</command> are
 	  no longer treated as valid for any use other than validation of
 	  RFC 5011 initialization queries. The effect of this is that
 	  DNSSEC validation will fail if RFC 5011 key maintenance
 	  cannot be initialized: initialization problems will not be
 	  masked, but will be immediately visible. [RT #46077]
 	</para>
      </listitem>
      <listitem>
 	<para>
 	  Previously, <command>update-policy local;</command> accepted
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@ -1546,7 +1546,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	result = dns_keytable_add2(secroots, ISC_FALSE, ISC_FALSE, &dstkey);
+	result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
 cleanup:
 	if (dstkey != NULL)
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@ -102,19 +102,10 @@ dns_keytable_detach(dns_keytable_t **keytablep);
 isc_result_t
 dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
-		 dst_key_t **keyp) ISC_DEPRECATED;
+		 dst_key_t **keyp);
 isc_result_t
 dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed,
 		 isc_boolean_t initial, dst_key_t **keyp);
 /*%<
 * Add '*keyp' to 'keytable' (using the name in '*keyp').
- * The value of keynode->managed is set to 'managed', and the
+ * The value of keynode->managed is set to 'managed'
 * value of keynode->initial is set to 'initial'. ('initial' should
 * be only used when adding managed-keys from configuration: this
 * indicates a secure root which can be *only* used for validating
 * RFC 5011 key refresh queries, but not for other DNSSEC validation.
 * Once a key refresh query has validated, we update the keynode
 * with inital == ISC_FALSE.)
 *
 * Notes:
 *
@ -411,19 +402,6 @@ dns_keynode_managed(dns_keynode_t *keynode);
 * Is this flagged as a managed key?
 */
 isc_boolean_t
 dns_keynode_initial(dns_keynode_t *keynode);
 /*%<
 * Is this flagged as an initializing key?
 */
 void
 dns_keynode_trust(dns_keynode_t *keynode);
 /*%<
 * Sets keynode->initial to ISC_FALSE in order mark the key as
 * trusted: no longer an initializing key.
 */
 isc_result_t
 dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target);
 /*%<
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@ -47,7 +47,6 @@ struct dns_keynode {
 	isc_refcount_t          refcount;
 	dst_key_t *             key;
 	isc_boolean_t           managed;
 	isc_boolean_t		initial;
 	struct dns_keynode *    next;
 };
@ -166,7 +165,7 @@ dns_keytable_detach(dns_keytable_t **keytablep) {
 }
 static isc_result_t
-insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial,
+insert(dns_keytable_t *keytable, isc_boolean_t managed,
       const dns_name_t *keyname, dst_key_t **keyp)
 {
 	isc_result_t result;
@ -181,7 +180,6 @@ insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial,
 		return (result);
 	knode->managed = managed;
 	knode->initial = initial;
 	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
@ -235,21 +233,14 @@ insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial,
 isc_result_t
 dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
 		 dst_key_t **keyp)
 {
 	return (dns_keytable_add2(keytable, managed, ISC_FALSE, keyp));
 }
 isc_result_t
 dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed,
 		  isc_boolean_t initial, dst_key_t **keyp)
 {
 	REQUIRE(keyp != NULL && *keyp != NULL);
-	return (insert(keytable, managed, initial, dst_key_name(*keyp), keyp));
+	return (insert(keytable, managed, dst_key_name(*keyp), keyp));
 }
 isc_result_t
 dns_keytable_marksecure(dns_keytable_t *keytable, const dns_name_t *name) {
-	return (insert(keytable, ISC_TRUE, ISC_FALSE, name, NULL));
+	return (insert(keytable, ISC_TRUE, name, NULL));
 }
 isc_result_t
@ -653,8 +644,7 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **text) {
 			if (knode->key == NULL)
 				continue;
 			dst_key_format(knode->key, pbuf, sizeof(pbuf));
-			snprintf(obuf, sizeof(obuf), "%s ; %s%s\n", pbuf,
+			snprintf(obuf, sizeof(obuf), "%s ; %s\n", pbuf,
 				 knode->initial ? "initializing " : "",
 				knode->managed ? "managed" : "trusted");
 			result = putstr(text, obuf);
 			if (result != ISC_R_SUCCESS)
@ -733,26 +723,6 @@ dns_keynode_managed(dns_keynode_t *keynode) {
 	return (keynode->managed);
 }
 isc_boolean_t
 dns_keynode_initial(dns_keynode_t *keynode) {
 	/*
 	 * Is this an initailizing key?
 	 */
 	REQUIRE(VALID_KEYNODE(keynode));
 	return (keynode->initial);
 }
 void
 dns_keynode_trust(dns_keynode_t *keynode) {
 	/*
 	 * This is no longer an initializing key.
 	 */
 	REQUIRE(VALID_KEYNODE(keynode));
 	keynode->initial = ISC_FALSE;
 }
 isc_result_t
 dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
 	isc_result_t result;
@ -766,7 +736,6 @@ dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
 	knode->magic = KEYNODE_MAGIC;
 	knode->managed = ISC_FALSE;
 	knode->initial = ISC_FALSE;
 	knode->key = NULL;
 	knode->next = NULL;
--- a/lib/dns/tests/keytable_test.c
+++ b/lib/dns/tests/keytable_test.c
@ -126,7 +126,7 @@ create_tables() {
 	/* Add a normal key */
 	create_key(257, 3, 5, "example.com", keystr1, &key);
-	ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
 		       ISC_R_SUCCESS);
 	/* Add a null key */
@ -185,7 +185,7 @@ ATF_TC_BODY(add, tc) {
 	 * nextkeynode() should still return NOTFOUND.
 	 */
 	create_key(257, 3, 5, "example.com", keystr1, &key);
-	ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
 		       ISC_R_SUCCESS);
 	ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
 						&next_keynode), ISC_R_NOTFOUND);
@ -193,7 +193,7 @@ ATF_TC_BODY(add, tc) {
 	/* Add another key (different keydata) */
 	dns_keytable_detachkeynode(keytable, &keynode);
 	create_key(257, 3, 5, "example.com", keystr2, &key);
-	ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
 		       ISC_R_SUCCESS);
 	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
 					 &keynode), ISC_R_SUCCESS);
@ -209,7 +209,7 @@ ATF_TC_BODY(add, tc) {
 	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
 					 &null_keynode), ISC_R_SUCCESS);
 	create_key(257, 3, 5, "null.example", keystr2, &key);
-	ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
 		       ISC_R_SUCCESS);
 	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
 					 &keynode), ISC_R_SUCCESS);
@ -523,7 +523,7 @@ ATF_TC_BODY(nta, tc) {
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 	create_key(257, 3, 5, "example", keystr1, &key);
-	result = dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key);
+	result = dns_keytable_add(keytable, ISC_FALSE, &key);
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 	isc_stdtime_get(&now);
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -1629,7 +1629,6 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 			if (vresult == ISC_R_SUCCESS)
 				break;
 			if (val->keynode != NULL) {
 				dst_key_t *key = NULL;
 				dns_keynode_t *nextnode = NULL;
 				result = dns_keytable_findnextkeynode(
 							val->keytable,
@ -1642,13 +1641,9 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 					val->key = NULL;
 					break;
 				}
-				key = dns_keynode_key(val->keynode);
+				val->key = dns_keynode_key(val->keynode);
-				if (key == NULL)
+				if (val->key == NULL)
 					break;
 				if (dns_keynode_initial(val->keynode)) {
 					continue;
 				}
 				val->key = key;
 			} else {
 				if (get_dst_key(val, val->siginfo, val->keyset)
 				    != ISC_R_SUCCESS)
@ -1665,10 +1660,10 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 					     val->view->acceptexpired);
 		}
-		if (val->keynode != NULL) {
+		if (val->keynode != NULL)
 			dns_keytable_detachkeynode(val->keytable,
 						   &val->keynode);
-		} else {
+		else {
 			if (val->key != NULL)
 				dst_key_free(&val->key);
 			if (val->keyset != NULL) {
@ -2028,16 +2023,14 @@ validatezonekey(dns_validator_t *val) {
 								&keynode);
 					break;
 				}
-				if (! dns_keynode_initial(keynode)) {
+				result = verify(val, dstkey, &sigrdata,
-					result = verify(val, dstkey,
+						sig.keyid);
 							&sigrdata, sig.keyid);
 				if (result == ISC_R_SUCCESS) {
 					dns_keytable_detachkeynode(
 								val->keytable,
 								&keynode);
 					break;
 				}
 				}
 				result = dns_keytable_findnextkeynode(
 								val->keytable,
 								keynode,
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -3934,8 +3934,7 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
 */
 static void
 trust_key(dns_zone_t *zone, dns_name_t *keyname,
-	  dns_rdata_dnskey_t *dnskey, isc_boolean_t initial,
+	  dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
 	  isc_mem_t *mctx)
 {
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
@ -3954,7 +3953,7 @@ trust_key(dns_zone_t *zone, dns_name_t *keyname,
 		goto failure;
 	CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
-	CHECK(dns_keytable_add2(sr, ISC_TRUE, initial, &dstkey));
+	CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
 	dns_keytable_detach(&sr);
  failure:
@ -4040,8 +4039,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
 		/* Add to keytables. */
 		trusted++;
-		trust_key(zone, name, &dnskey,
+		trust_key(zone, name, &dnskey, mctx);
 			  ISC_TF(keydata.addhd == 0), mctx);
 	}
 	if (trusted == 0 && pending != 0) {
@ -4776,9 +4774,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	case dns_zone_key:
 		result = sync_keyzone(zone, db);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		}
 		break;
 	default:
@ -4928,17 +4925,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	return (result);
 cleanup:
 	if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "failed to initialize managed-keys (%s): "
 			     "DNSSEC validation WILL FAIL",
 			     isc_result_totext(result));
 	}
 	for (inc = ISC_LIST_HEAD(zone->newincludes);
 	     inc != NULL;
-	     inc = ISC_LIST_HEAD(zone->newincludes))
+	     inc = ISC_LIST_HEAD(zone->newincludes)) {
 	{
 		ISC_LIST_UNLINK(zone->newincludes, inc, link);
 		isc_mem_free(zone->mctx, inc->name);
 		isc_mem_put(zone->mctx, inc, sizeof(*inc));
@ -9099,7 +9088,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	dst_key_t *dstkey;
 	isc_stdtime_t now;
 	int pending = 0;
-	isc_boolean_t secure = ISC_FALSE, initial = ISC_FALSE;
+	isc_boolean_t secure = ISC_FALSE;
 	isc_boolean_t free_needed;
 	UNUSED(task);
@ -9176,8 +9165,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	 */
 	for (result = dns_rdataset_first(&kfetch->dnskeysigset);
 	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&kfetch->dnskeysigset))
+	     result = dns_rdataset_next(&kfetch->dnskeysigset)) {
 	{
 		dns_keynode_t *keynode = NULL;
 		dns_rdata_reset(&sigrr);
@ -9196,8 +9184,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 				break;
 			if (dst_key_alg(dstkey) == sig.algorithm &&
-			    dst_key_id(dstkey) == sig.keyid)
+			    dst_key_id(dstkey) == sig.keyid) {
 			{
 				result = dns_dnssec_verify2(keyname,
 						    &kfetch->dnskeyset,
 						    dstkey, ISC_FALSE,
@ -9215,9 +9202,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 						dns_trust_secure;
 					kfetch->dnskeysigset.trust =
 						dns_trust_secure;
 					secure = ISC_TRUE;
 					initial = dns_keynode_initial(keynode);
 					dns_keynode_trust(keynode);
 					break;
 				}
 			}
@ -9228,11 +9212,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 			keynode = nextnode;
 		}
-		if (keynode != NULL) {
+		if (keynode != NULL)
 			dns_keytable_detachkeynode(secroots, &keynode);
 		}
-		if (secure) {
+		if (kfetch->dnskeyset.trust == dns_trust_secure) {
 			secure = ISC_TRUE;
 			break;
 		}
 	}
@ -9241,6 +9225,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	 * If we were not able to verify the answer using the current
 	 * trusted keys then all we can do is look at any revoked keys.
 	 */
 	if (!secure) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(3),
 			     "DNSKEY set for zone '%s' could not be verified "
@ -9480,13 +9465,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 					trustkey = ISC_TRUE;
 					dns_zone_log(zone, ISC_LOG_INFO,
 						     "Key %d for zone %s "
-						     "%s: key now trusted",
+						     "acceptance timer "
-						     keytag, namebuf,
+						     "complete: "
-						     initial
+						     "key now trusted",
-						      ? "initializing key "
+						     keytag, namebuf);
 							"verified"
 						      : "acceptance timer "
 							"complete");
 				}
 			} else if (keydata.addhd > now) {
 				/*
@ -9585,7 +9567,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 			/* Trust this key. */
 			result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			trust_key(zone, keyname, &dnskey, ISC_FALSE, mctx);
+			trust_key(zone, keyname, &dnskey, mctx);
 		}
 		if (secure && !deletekey) {
@ -9607,6 +9589,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 		fail_secure(zone, keyname);
 done:
 	if (!ISC_LIST_EMPTY(diff.tuples)) {
 		/* Write changes to journal file. */
 		CHECK(update_soa_serial(kfetch->db, ver, &diff, mctx,
@ -9619,12 +9602,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	}
 failure:
-	if (result != ISC_R_SUCCESS) {
+
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "error during managed-keys processing (%s): "
 			     "DNSSEC validation may be at risk",
 			     isc_result_totext(result));
 	}
 	dns_diff_clear(&diff);
 	if (ver != NULL)
 		dns_db_closeversion(kfetch->db, &ver, commit);
@ -9734,7 +9712,7 @@ zone_refreshkeys(dns_zone_t *zone) {
 			}
 			/* Acceptance timer expired? */
-			if (kd.addhd < now)
+			if (kd.addhd != 0 && kd.addhd < now)
 				timer = kd.addhd;
 			/* Or do we just need to refresh the keyset? */
`@ -1 +1 @@`
	`-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1`	`-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40`