3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and

dnssec-keyfromlabel sets the default TTL of the key. When possible, automatic signing will use that TTL when the key is published. [RT #23304]
2025-08-31 06:25:31 +00:00 · 2011-03-17 01:40:40 +00:00
parent 0e095727ff
commit 61bcc23203
25 changed files with 535 additions and 55 deletions
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */

 /*
- * $Id: dnssec.c,v 1.122 2011/03/17 01:17:21 marka Exp $
+ * $Id: dnssec.c,v 1.123 2011/03/17 01:40:38 each Exp $
 */

 /*! \file */
@@ -625,6 +625,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 		pubkey = NULL;
 		dns_rdataset_current(&rdataset, &rdata);
 		RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
+		dst_key_setttl(pubkey, rdataset.ttl);
+
 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
 			goto next;
@@ -702,6 +704,12 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 			goto next;
 		}

+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(keys[count], rdataset.ttl);
+
 		if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
 			/* We should never get here. */
 			dst_key_free(&keys[count]);
@@ -1432,6 +1440,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&keys, &rdata);
 		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
+		dst_key_setttl(pubkey, keys.ttl);

 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
@@ -1504,6 +1513,12 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
 			goto skip;

+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(privkey, dst_key_getttl(pubkey));
+
 		addkey(keylist, &privkey, savekeys, mctx);
 skip:
 		if (pubkey != NULL)
@@ -1629,16 +1644,22 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
 isc_result_t
 dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-		      dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
-		      isc_mem_t *mctx, void (*report)(const char *, ...))
+		      dns_ttl_t hint_ttl, dns_diff_t *diff,
+		      isc_boolean_t allzsk, isc_mem_t *mctx,
+		      void (*report)(const char *, ...))
 {
 	isc_result_t result;
 	dns_dnsseckey_t *key, *key1, *key2, *next;
+	isc_boolean_t found_ttl = ISC_FALSE;
+	dns_ttl_t ttl = hint_ttl;

 	/*
 	 * First, look through the existing key list to find keys
 	 * supplied from the command line which are not in the zone.
 	 * Update the zone to include them.
+	 *
+	 * Also, if there are keys published in the zone already,
+	 * use their TTL for all subsequent published keys.
 	 */
 	for (key = ISC_LIST_HEAD(*keys);
 	     key != NULL;
@@ -1648,6 +1669,32 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 			RETERR(publish_key(diff, key, origin, ttl,
 					   mctx, allzsk, report));
 		}
+		if (key->source == dns_keysource_zoneapex) {
+			ttl = dst_key_getttl(key->key);
+			found_ttl = ISC_TRUE;
+		}
+	}
+
+	/*
+	 * If there were no existing keys, use the smallest nonzero
+	 * TTL of the keys found in the repository.
+	 */
+	if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) {
+		dns_ttl_t shortest = 0;
+
+		for (key = ISC_LIST_HEAD(*newkeys);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			dns_ttl_t thisttl = dst_key_getttl(key->key);
+			if (thisttl != 0 &&
+			    (shortest == 0 || thisttl < shortest))
+				shortest = thisttl;
+		}
+
+		if (shortest != 0) {
+			found_ttl = ISC_TRUE;
+			ttl = shortest;
+		}
 	}

 	/*