3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and

dnssec-keyfromlabel sets the default TTL of the
			key.  When possible, automatic signing will use that
			TTL when the key is published.  [RT #23304]

CHANGES

@@ -1,3 +1,8 @@
+3076.	[func]		New '-L' option in dnssec-keygen, dnsset-settime, and
+			dnssec-keyfromlabel sets the default TTL of the
+			key.  When possible, automatic signing will use that
+			TTL when the key is published.  [RT #23304]
+
 3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
 			timestamp when determining which keys are active.
 			[RT #23642]

bin/dnssec/dnssec-keyfromlabel.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.34 2011/03/12 04:59:46 tbox Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.35 2011/03/17 01:40:34 each Exp $ */
 
 /*! \file */
 
@@ -84,6 +84,7 @@ usage(void) {
 	fprintf(stderr, "    -K directory: directory in which to place "
 			"key files\n");
 	fprintf(stderr, "    -k: generate a TYPE=KEY key\n");
+	fprintf(stderr, "    -L ttl: default key TTL\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
 	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
@@ -137,12 +138,13 @@ main(int argc, char **argv) {
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	char		*label = NULL;
+	dns_ttl_t	ttl;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
-	isc_boolean_t	setdel = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
 	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
@@ -164,7 +166,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-				"3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
+			"3a:Cc:E:f:K:kl:L:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
 	{
 	    switch (ch) {
 		case '3':
@@ -202,6 +204,13 @@ main(int argc, char **argv) {
 		case 'k':
 			options |= DST_TYPE_KEY;
 			break;
+		case 'L':
+			if (strcmp(isc_commandline_argument, "none") == 0)
+				ttl = 0;
+			else
+				ttl = strtottl(isc_commandline_argument);
+			setttl = ISC_TRUE;
+			break;
 		case 'l':
 			label = isc_mem_strdup(mctx, isc_commandline_argument);
 			break;
@@ -509,6 +518,10 @@ main(int argc, char **argv) {
 		dst_key_setprivateformat(key, 1, 2);
 	}
 
+	/* Set default key TTL */
+	if (setttl)
+		dst_key_setttl(key, ttl);
+
 	/*
 	 * Do not overwrite an existing key.  Warn LOUDLY if there
 	 * is a risk of ID collision due to this key or another key

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.20 2011/02/03 12:18:10 tbox Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.21 2011/03/17 01:40:34 each Exp $ -->
 <refentry id="man.dnssec-keyfromlabel">
   <refentryinfo>
     <date>February 8, 2008</date>
@@ -59,6 +59,7 @@
       <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-k</option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
       <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
       <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@@ -234,6 +235,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-L <replaceable class="parameter">ttl</replaceable></term>
+        <listitem>
+          <para>
+            Sets the default TTL to use for this key when it is converted
+            into a DNSKEY RR.  If the key is imported into a zone,
+            this is the TTL that will be used for it, unless there was
+            already a DNSKEY RRset in place, in which case the existing TTL
+            would take precedence.  Setting the default TTL to
+            <literal>0</literal> or <literal>none</literal> removes it.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-p <replaceable class="parameter">protocol</replaceable></term>
         <listitem>

bin/dnssec/dnssec-keygen.c

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.117 2011/03/12 04:59:46 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.118 2011/03/17 01:40:34 each Exp $ */
 
 /*! \file */
 
@@ -125,7 +125,9 @@ usage(void) {
 	fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
 	fprintf(stderr, "    -g <generator>: use specified generator "
 			"(DH only)\n");
+	fprintf(stderr, "    -L <ttl>: default key TTL\n");
 	fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
+	fprintf(stderr, "    -r <randomdev>: a file containing random data\n");
 	fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
 			"records with (default: 0)\n");
 	fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
@@ -134,8 +136,6 @@ usage(void) {
 	fprintf(stderr, "    -t <type>: "
 			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
 			"(default: AUTHCONF)\n");
-	fprintf(stderr, "    -r <randomdev>: a file containing random data\n");
-
 	fprintf(stderr, "    -h: print usage and exit\n");
 	fprintf(stderr, "    -m <memory debugging mode>:\n");
 	fprintf(stderr, "       usage | trace | record | size | mctx\n");
@@ -227,6 +227,7 @@ main(int argc, char **argv) {
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	int		dbits = 0;
+	dns_ttl_t	ttl = 0;
 	isc_boolean_t	use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t	inactive = 0, delete = 0;
@@ -234,7 +235,7 @@ main(int argc, char **argv) {
 	int		prepub = -1;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
-	isc_boolean_t	setdel = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
 	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
@@ -253,7 +254,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:km:n:P:p:qR:r:S:s:T:t:v:"
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:v:"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'm':
@@ -336,6 +337,13 @@ main(int argc, char **argv) {
 			      "To generate a key-signing key, use -f KSK.\n"
 			      "To generate a key with TYPE=KEY, use -T KEY.\n");
 			break;
+		case 'L':
+			if (strcmp(isc_commandline_argument, "none") == 0)
+				ttl = 0;
+			else
+				ttl = strtottl(isc_commandline_argument);
+			setttl = ISC_TRUE;
+			break;
 		case 'n':
 			nametype = isc_commandline_argument;
 			break;
@@ -960,6 +968,10 @@ main(int argc, char **argv) {
 			dst_key_setprivateformat(key, 1, 2);
 		}
 
+		/* Set the default key TTL */
+		if (setttl)
+			dst_key_setttl(key, ttl);
+
 		/*
 		 * Do not overwrite an existing key, or create a key
 		 * if there is a risk of ID collision due to this key

bin/dnssec/dnssec-keygen.docbook

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.36 2010/12/23 04:07:59 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.37 2011/03/17 01:40:34 each Exp $ -->
 <refentry id="man.dnssec-keygen">
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -74,6 +74,7 @@
       <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
       <arg><option>-k</option></arg>
       <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@@ -296,6 +297,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-L <replaceable class="parameter">ttl</replaceable></term>
+        <listitem>
+          <para>
+            Sets the default TTL to use for this key when it is converted
+            into a DNSKEY RR.  If the key is imported into a zone,
+            this is the TTL that will be used for it, unless there was
+            already a DNSKEY RRset in place, in which case the existing TTL
+            would take precedence.  Setting the default TTL to
+            <literal>0</literal> or <literal>none</literal> removes it.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-p <replaceable class="parameter">protocol</replaceable></term>
         <listitem>

bin/dnssec/dnssec-settime.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.28 2010/12/19 07:29:36 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.29 2011/03/17 01:40:35 each Exp $ */
 
 /*! \file */
 
@@ -66,6 +66,7 @@ usage(void) {
 	fprintf(stderr, "    -f:                 force update of old-style "
 						 "keys\n");
 	fprintf(stderr, "    -K directory:       set key file location\n");
+	fprintf(stderr, "    -L ttl:             set default key TTL\n");
 	fprintf(stderr, "    -v level:           set level of verbosity\n");
 	fprintf(stderr, "    -h:                 help\n");
 	fprintf(stderr, "Timing options:\n");
@@ -138,11 +139,12 @@ main(int argc, char **argv) {
 	unsigned int 	size = 0;
 	isc_uint16_t	flags = 0;
 	int		prepub = -1;
+	dns_ttl_t	ttl = 0;
 	isc_stdtime_t	now;
 	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
-	isc_boolean_t	setdel = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
 	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
@@ -166,7 +168,7 @@ main(int argc, char **argv) {
 
 	isc_stdtime_get(&now);
 
-#define CMDLINE_FLAGS "A:D:E:fhI:i:K:P:p:R:S:uv:"
+#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'E':
@@ -230,6 +232,14 @@ main(int argc, char **argv) {
 				      "directory");
 			}
 			break;
+		case 'L':
+			if (strcmp(isc_commandline_argument, "none") == 0)
+				ttl = 0;
+			else
+				ttl = strtottl(isc_commandline_argument);
+			changed = ISC_TRUE;
+			setttl = ISC_TRUE;
+			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
@@ -513,6 +523,9 @@ main(int argc, char **argv) {
 	else if (unsetdel)
 		dst_key_unsettime(key, DST_TIME_DELETE);
 
+	if (setttl)
+		dst_key_setttl(key, ttl);
+
 	/*
 	 * Print out time values, if -p was used.
 	 */

bin/dnssec/dnssec-settime.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-settime.docbook,v 1.11 2010/08/16 22:21:06 marka Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.12 2011/03/17 01:40:35 each Exp $ -->
 <refentry id="man.dnssec-settime">
   <refentryinfo>
     <date>July 15, 2009</date>
@@ -47,6 +47,7 @@
       <command>dnssec-settime</command>
       <arg><option>-f</option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
       <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -112,6 +113,20 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-L <replaceable class="parameter">ttl</replaceable></term>
+        <listitem>
+          <para>
+            Sets the default TTL to use for this key when it is converted
+            into a DNSKEY RR.  If the key is imported into a zone,
+            this is the TTL that will be used for it, unless there was
+            already a DNSKEY RRset in place, in which case the existing TTL
+            would take precedence.  Setting the default TTL to
+            <literal>0</literal> or <literal>none</literal> removes it.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-h</term>
         <listitem>

bin/dnssec/dnssec-signzone.docbook

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.47 2011/03/05 23:52:29 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.48 2011/03/17 01:40:35 each Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 05, 2009</date>
@@ -552,15 +552,17 @@
         <term>-T <replaceable class="parameter">ttl</replaceable></term>
         <listitem>
           <para>
-            Specifies the TTL to be used for new DNSKEY records imported
+            Specifies a TTL to be used for new DNSKEY records imported
-            into the zone from the key repository.  If not specified,
+            into the zone from the key repository.  If not
-            the default is the minimum TTL value from the zone's SOA
+            specified, the default is the TTL value from the zone's SOA
             record.  This option is ignored when signing without
             <option>-S</option>, since DNSKEY records are not imported
             from the key repository in that case.  It is also ignored if
             there are any pre-existing DNSKEY records at the zone apex,
             in which case new records' TTL values will be set to match
-            them.
+            them, or if any of the imported DNSKEY records had a default
+            TTL value.  In the event of a a conflict between TTL values in
+            imported keys, the shortest one is used.
           </para>
         </listitem>
       </varlistentry>

bin/tests/dst/t_dst.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_dst.c,v 1.58 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: t_dst.c,v 1.59 2011/03/17 01:40:35 each Exp $ */
 
 #include <config.h>
 
@@ -264,8 +264,8 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 }
 
 static void
-io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
+io(dns_name_t *name, isc_uint16_t id, isc_uint16_t alg, int type,
-   isc_result_t exp_result, int *nfails, int *nprobs)
+   isc_mem_t *mctx, isc_result_t exp_result, int *nfails, int *nprobs)
 {
 	dst_key_t	*key = NULL;
 	isc_result_t	ret;
@@ -277,7 +277,7 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
 	if (p == NULL) {
 		t_info("getcwd failed %d\n", errno);
 		++*nprobs;
-		return;
+		goto failure;
 	}
 
 	ret = dst_key_fromfile(name, id, alg, type, current, mctx, &key);
@@ -285,7 +285,25 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
 		t_info("dst_key_fromfile(%d) returned: %s\n",
 		       alg, dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto failure;
+	}
+
+	if (dst_key_id(key) != id) {
+		t_info("key ID incorrect\n");
+		++*nfails;
+		goto failure;
+	}
+
+	if (dst_key_alg(key) != alg) {
+		t_info("key algorithm incorrect\n");
+		++*nfails;
+		goto failure;
+	}
+
+	if (dst_key_getttl(key) != 0) {
+		t_info("initial key TTL incorrect\n");
+		++*nfails;
+		goto failure;
 	}
 
 	ret = isc_file_mktemplate("/tmp/", tmp, sizeof(tmp));
@@ -293,14 +311,14 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
 		t_info("isc_file_mktemplate failed %s\n",
 		       isc_result_totext(ret));
 		++*nprobs;
-		return;
+		goto failure;
 	}
 
 	ret = isc_dir_createunique(tmp);
 	if (ret != ISC_R_SUCCESS) {
 		t_info("mkdir failed %d\n", errno);
 		++*nprobs;
-		return;
+		goto failure;
 	}
 
 	ret = dst_key_tofile(key, type, tmp);
@@ -308,14 +326,48 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
 		t_info("dst_key_tofile(%d) returned: %s\n",
 		       alg, dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto failure;
 	}
 
 	if (dst_key_alg(key) != DST_ALG_DH)
 		use(key, mctx, exp_result, nfails);
 
+	/*
+	 * Skip the rest of this test if we weren't expecting
+	 * the read to be successful.
+	 */
+	if (exp_result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dst_key_setttl(key, 3600);
+	ret = dst_key_tofile(key, type, tmp);
+	if (ret != 0) {
+		t_info("dst_key_tofile(%d) returned: %s\n",
+		       alg, dst_result_totext(ret));
+		++*nfails;
+		goto failure;
+	}
+
+	/* Reread key to confirm TTL was changed */
+	dst_key_free(&key);
+	ret = dst_key_fromfile(name, id, alg, type, tmp, mctx, &key);
+	if (ret != ISC_R_SUCCESS) {
+		t_info("dst_key_fromfile(%d) returned: %s\n",
+		       alg, dst_result_totext(ret));
+		++*nfails;
+		goto failure;
+	}
+
+	if (dst_key_getttl(key) != 3600) {
+		t_info("modified key TTL incorrect\n");
+		++*nfails;
+		goto failure;
+	}
+
+ cleanup:
 	cleandir(tmp);
 
+ failure:
 	dst_key_free(&key);
 }
 

bin/tests/system/autosign/clean.sh

@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.7 2010/12/18 02:12:43 each Exp $
+# $Id: clean.sh,v 1.8 2011/03/17 01:40:35 each Exp $
 
 rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f active.key inact.key del.key unpub.key standby.key rev.key
@@ -45,3 +45,4 @@ rm -f ns3/secure-to-insecure.example.db
 rm -f ns3/prepub.example.db
 rm -f ns3/prepub.example.db.in
 rm -f ns3/secure-to-insecure2.example.db
+rm -f ns3/ttl*.db

bin/tests/system/autosign/ns3/keygen.sh

@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: keygen.sh,v 1.8 2010/12/15 18:44:37 each Exp $
+# $Id: keygen.sh,v 1.9 2011/03/17 01:40:36 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -205,3 +205,36 @@ zonefile="${zone}.db"
 $KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
 $KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# Key TTL tests.
+#
+
+# no default key TTL; DNSKEY should get SOA TTL
+zone=ttl1.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+cp $infile $zonefile
+
+# default key TTL should be used
+zone=ttl2.example 
+zonefile="${zone}.db"
+$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > /dev/null
+$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null
+cp $infile $zonefile
+
+# mismatched key TTLs, should use shortest
+zone=ttl3.example
+zonefile="${zone}.db"
+$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > /dev/null
+$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null
+cp $infile $zonefile
+
+# existing DNSKEY RRset, should retain TTL
+zone=ttl4.example
+zonefile="${zone}.db"
+$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > /dev/null
+cat ${infile} K${zone}.+*.key > $zonefile
+$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > /dev/null

bin/tests/system/autosign/ns3/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.7 2010/12/15 18:44:37 each Exp $ */
+/* $Id: named.conf,v 1.8 2011/03/17 01:40:37 each Exp $ */
 
 // NS3
 
@@ -185,4 +185,32 @@ zone "prepub.example" {
 	auto-dnssec maintain;
 };
 
+zone "ttl1.example" {
+	type master;
+	file "ttl1.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "ttl2.example" {
+	type master;
+	file "ttl2.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "ttl3.example" {
+	type master;
+	file "ttl3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "ttl4.example" {
+	type master;
+	file "ttl4.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
 include "trusted.conf";

bin/tests/system/autosign/ns3/ttl1.example.db.in

@@ -0,0 +1,31 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl1.example.db.in,v 1.2 2011/03/17 01:40:37 each Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a

bin/tests/system/autosign/ns3/ttl2.example.db.in

@@ -0,0 +1,31 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl2.example.db.in,v 1.2 2011/03/17 01:40:37 each Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a

bin/tests/system/autosign/ns3/ttl3.example.db.in

@@ -0,0 +1,31 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl3.example.db.in,v 1.2 2011/03/17 01:40:38 each Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a

bin/tests/system/autosign/ns3/ttl4.example.db.in

@@ -0,0 +1,31 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl4.example.db.in,v 1.2 2011/03/17 01:40:38 each Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a

bin/tests/system/autosign/tests.sh

@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.17 2011/03/02 09:03:45 fdupont Exp $
+# $Id: tests.sh,v 1.18 2011/03/17 01:40:36 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -182,6 +182,42 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking TTLs of imported DNSKEYs (no default) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+awk 'BEGIN {r=0} $2 != 300 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking TTLs of imported DNSKEYs (with default) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+awk 'BEGIN {r=0} $2 != 60 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking TTLs of imported DNSKEYs (mismatched) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+awk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking TTLs of imported DNSKEYs (existing RRset) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+awk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking positive validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1

bin/tests/system/smartsign/tests.sh

@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.9 2011/03/05 23:52:30 tbox Exp $
+# $Id: tests.sh,v 1.10 2011/03/17 01:40:38 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -31,7 +31,7 @@ cfile=child.db
 
 echo I:generating keys
 # active zsk
-czsk1=`$KEYGEN -q -r $RANDFILE $czone`
+czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone`
 
 # not yet published or active
 czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
@@ -50,7 +50,7 @@ czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
 czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-` 
 
 # active ksk
-cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone`
 
 # published but not YET active; will be active in 20 seconds
 cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
@@ -131,6 +131,31 @@ grep "key id = $czsuccessor" $cfile.signed && echo succ is there
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking key TTLs are correct"
+grep "${czone}. 30 IN" ${czsk1}.key > /dev/null 2>&1 || ret=1
+grep "${czone}. 30 IN" ${cksk1}.key > /dev/null 2>&1 || ret=1
+grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
+$SETTIME -L 45 ${czsk2} > /dev/null
+grep "${czone}. 45 IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
+$SETTIME -L 0 ${czsk2} > /dev/null
+grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking key TTLs were imported correctly"
+awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
+        ${cfile}.signed || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:re-signing and checking imported TTLs again"
+$SETTIME -L 15 ${czsk2} > /dev/null
+czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1`
+awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
+        ${cfile}.signed || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking child zone signatures"
 ret=0
 # check DNSKEY signatures first

lib/dns/dnssec.c

@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.122 2011/03/17 01:17:21 marka Exp $
+ * $Id: dnssec.c,v 1.123 2011/03/17 01:40:38 each Exp $
  */
 
 /*! \file */
@@ -625,6 +625,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 		pubkey = NULL;
 		dns_rdataset_current(&rdataset, &rdata);
 		RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
+		dst_key_setttl(pubkey, rdataset.ttl);
+
 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
 			goto next;
@@ -702,6 +704,12 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 			goto next;
 		}
 
+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(keys[count], rdataset.ttl);
+
 		if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
 			/* We should never get here. */
 			dst_key_free(&keys[count]);
@@ -1432,6 +1440,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&keys, &rdata);
 		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
+		dst_key_setttl(pubkey, keys.ttl);
 
 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
@@ -1504,6 +1513,12 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
 			goto skip;
 
+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(privkey, dst_key_getttl(pubkey));
+
 		addkey(keylist, &privkey, savekeys, mctx);
  skip:
 		if (pubkey != NULL)
@@ -1629,16 +1644,22 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
 isc_result_t
 dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-		      dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+		      dns_ttl_t hint_ttl, dns_diff_t *diff,
-		      isc_mem_t *mctx, void (*report)(const char *, ...))
+		      isc_boolean_t allzsk, isc_mem_t *mctx,
+		      void (*report)(const char *, ...))
 {
 	isc_result_t result;
 	dns_dnsseckey_t *key, *key1, *key2, *next;
+	isc_boolean_t found_ttl = ISC_FALSE;
+	dns_ttl_t ttl = hint_ttl;
 
 	/*
 	 * First, look through the existing key list to find keys
 	 * supplied from the command line which are not in the zone.
 	 * Update the zone to include them.
+	 *
+	 * Also, if there are keys published in the zone already,
+	 * use their TTL for all subsequent published keys.
 	 */
 	for (key = ISC_LIST_HEAD(*keys);
 	     key != NULL;
@@ -1648,6 +1669,32 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 			RETERR(publish_key(diff, key, origin, ttl,
 					   mctx, allzsk, report));
 		}
+		if (key->source == dns_keysource_zoneapex) {
+			ttl = dst_key_getttl(key->key);
+			found_ttl = ISC_TRUE;
+		}
+	}
+
+	/*
+	 * If there were no existing keys, use the smallest nonzero
+	 * TTL of the keys found in the repository.
+	 */
+	if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) {
+		dns_ttl_t shortest = 0;
+
+		for (key = ISC_LIST_HEAD(*newkeys);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			dns_ttl_t thisttl = dst_key_getttl(key->key);
+			if (thisttl != 0 &&
+			    (shortest == 0 || thisttl < shortest))
+				shortest = thisttl;
+		}
+
+		if (shortest != 0) {
+			found_ttl = ISC_TRUE;
+			ttl = shortest;
+		}
 	}
 
 	/*

lib/dns/dst_api.c

@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.57 2011/01/11 23:47:13 tbox Exp $
+ * $Id: dst_api.c,v 1.58 2011/03/17 01:40:39 each Exp $
  */
 
 /*! \file */
@@ -91,6 +91,7 @@ static dst_key_t *	get_key_struct(dns_name_t *name,
 				       unsigned int protocol,
 				       unsigned int bits,
 				       dns_rdataclass_t rdclass,
+				       dns_ttl_t ttl,
 				       isc_mem_t *mctx);
 static isc_result_t	write_public_key(const dst_key_t *key, int type,
 					 const char *directory);
@@ -514,7 +515,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
 
 	key = get_key_struct(pubkey->key_name, pubkey->key_alg,
 			     pubkey->key_flags, pubkey->key_proto, 0,
-			     pubkey->key_class, mctx);
+			     pubkey->key_class, pubkey->key_ttl, mctx);
 	if (key == NULL) {
 		dst_key_free(&pubkey);
 		return (ISC_R_NOMEMORY);
@@ -712,7 +713,7 @@ dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
 	REQUIRE(keyp != NULL && *keyp == NULL);
 
 	key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
-			     0, dns_rdataclass_in, mctx);
+			     0, dns_rdataclass_in, 0, mctx);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -750,7 +751,7 @@ dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
 
 	CHECKALG(alg);
 
-	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -804,7 +805,8 @@ dst_key_generate2(dns_name_t *name, unsigned int alg,
 
 	CHECKALG(alg);
 
-	key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx);
+	key = get_key_struct(name, alg, flags, protocol, bits,
+			     rdclass, 0, mctx);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -1210,7 +1212,7 @@ dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
 	if (dst_t_func[alg]->restore == NULL)
 		return (ISC_R_NOTIMPLEMENTED);
 
-	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -1234,7 +1236,7 @@ static dst_key_t *
 get_key_struct(dns_name_t *name, unsigned int alg,
 	       unsigned int flags, unsigned int protocol,
 	       unsigned int bits, dns_rdataclass_t rdclass,
-	       isc_mem_t *mctx)
+	       dns_ttl_t ttl, isc_mem_t *mctx)
 {
 	dst_key_t *key;
 	isc_result_t result;
@@ -1274,6 +1276,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 	key->keydata.generic = NULL;
 	key->key_size = bits;
 	key->key_class = rdclass;
+	key->key_ttl = ttl;
 	key->func = dst_t_func[alg];
 	key->fmt_major = 0;
 	key->fmt_minor = 0;
@@ -1301,7 +1304,7 @@ dst_key_read_public(const char *filename, int type,
 	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
 	dns_rdataclass_t rdclass = dns_rdataclass_in;
 	isc_lexspecials_t specials;
-	isc_uint32_t ttl;
+	isc_uint32_t ttl = 0;
 	isc_result_t result;
 	dns_rdatatype_t keytype;
 
@@ -1402,6 +1405,8 @@ dst_key_read_public(const char *filename, int type,
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup;
 
+	dst_key_setttl(*keyp, ttl);
+
  cleanup:
 	if (lex != NULL)
 		isc_lex_destroy(&lex);
@@ -1568,9 +1573,11 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
 
 	/* Now print the actual key */
 	ret = dns_name_print(key->key_name, fp);
-
 	fprintf(fp, " ");
 
+	if (key->key_ttl != 0)
+		fprintf(fp, "%d ", key->key_ttl);
+
 	isc_buffer_usedregion(&classb, &r);
 	isc_util_fwrite(r.base, 1, r.length, fp);
 
@@ -1659,7 +1666,7 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
 	REQUIRE(mctx != NULL);
 	REQUIRE(keyp != NULL && *keyp == NULL);
 
-	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 

lib/dns/dst_internal.h

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.29 2011/01/11 23:47:13 tbox Exp $ */
+/* $Id: dst_internal.h,v 1.30 2011/03/17 01:40:39 each Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -96,6 +96,7 @@ struct dst_key {
 	isc_uint16_t	key_id;		/*%< identifier of the key */
 	isc_uint16_t	key_bits;	/*%< hmac digest bits */
 	dns_rdataclass_t key_class;	/*%< class of the key record */
+	dns_ttl_t	key_ttl;	/*%< default/initial dnskey ttl */
 	isc_mem_t	*mctx;		/*%< memory context */
 	char		*engine;	/*%< engine name (HSM) */
 	char		*label;		/*%< engine label (HSM) */

lib/dns/include/dns/dnssec.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.42 2010/01/09 23:48:45 tbox Exp $ */
+/* $Id: dnssec.h,v 1.43 2011/03/17 01:40:39 each Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -290,7 +290,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 isc_result_t
 dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-		      dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+		      dns_ttl_t hint_ttl, dns_diff_t *diff, isc_boolean_t allzsk,
 		      isc_mem_t *mctx, void (*report)(const char *, ...));
 /*%<
  * Update the list of keys in 'keys' with new key information in 'newkeys'.
@@ -309,9 +309,11 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
  * If 'allzsk' is true, we are allowing KSK-flagged keys to be used as
  * ZSKs.
  *
- * 'ttl' is the TTL of the DNSKEY RRset; if it is longer than the
+ * 'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no
- * time until a new key will be activated, then we have to delay the
+ * existing RRset, and if none of the keys to be added has a default TTL
- * key's activation.
+ * (in which case we would use the shortest one).  If the TTL is longer
+ * than the time until a new key will be activated, then we have to delay
+ * the key's activation.
  *
  * 'report' points to a function for reporting status.
  *

lib/dns/include/dst/dst.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.31 2011/01/11 23:47:14 tbox Exp $ */
+/* $Id: dst.h,v 1.32 2011/03/17 01:40:39 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -735,6 +735,26 @@ dst_key_setbits(dst_key_t *key, isc_uint16_t bits);
  *	"key" is a valid key.
  */
 
+void
+dst_key_setttl(dst_key_t *key, dns_ttl_t ttl);
+/*%<
+ * Set the default TTL to use when converting the key
+ * to a KEY or DNSKEY RR.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+dns_ttl_t
+dst_key_getttl(const dst_key_t *key);
+/*%<
+ * Get the default TTL to use when converting the key
+ * to a KEY or DNSKEY RR.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
 isc_result_t
 dst_key_setflags(dst_key_t *key, isc_uint32_t flags);
 /*

lib/dns/key.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: key.c,v 1.9 2011/03/17 01:40:39 each Exp $ */
 
 #include <config.h>
 
@@ -144,4 +144,16 @@ dst_key_getbits(const dst_key_t *key) {
 	return (key->key_bits);
 }
 
+void
+dst_key_setttl(dst_key_t *key, dns_ttl_t ttl) {
+	REQUIRE(VALID_KEY(key));
+	key->key_ttl = ttl;
+}
+
+dns_ttl_t
+dst_key_getttl(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_ttl);
+}
+
 /*! \file */

lib/dns/win32/libdns.def

@@ -945,6 +945,7 @@ dst_key_generate
 dst_key_generate2
 dst_key_getprivateformat
 dst_key_gettime
+dst_key_getttl
 dst_key_id
 dst_key_isnullkey
 dst_key_isprivate
@@ -959,6 +960,7 @@ dst_key_setbits
 dst_key_setflags
 dst_key_setprivateformat
 dst_key_settime
+dst_key_setttl
 dst_key_sigsize
 dst_key_size
 dst_key_tobuffer