mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00

Code changes for CSK

Update dns_dnssec_keyactive to differentiate between the roles ZSK
and KSK.  A key is active if it is signing but that differs per role.
A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.

This means that a key can be actively signing for one role but not
the other.  Add checks in inline signing (zone.c and update.c) to
cover the case where a CSK is active in its KSK role but not the ZSK
role.
Matthijs Mekking
2019-10-30 14:38:28 +01:00
parent 6468ffc336
commit 67033bfd3d
5 changed files with 56 additions and 16 deletions


@@ -2476,7 +2476,7 @@ dst_key_is_active(dst_key_t *key, isc_stdtime_t now)
bool
dst_key_is_signing(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *active)
dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now, isc_stdtime_t *active)
{
dst_key_state_t state;
isc_result_t result;
@@ -2503,7 +2503,7 @@ dst_key_is_signing(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *active)
* If the RRSIG state is RUMOURED or OMNIPRESENT, it means the key
* is active.
*/
if (ksk) {
if (ksk && role == DST_BOOL_KSK) {
result = dst_key_getstate(key, DST_KEY_KRRSIG, &state);
if (result == ISC_R_SUCCESS) {
krrsig_ok = ((state == DST_KEY_STATE_RUMOURED) ||
@@ -2515,8 +2515,7 @@ dst_key_is_signing(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *active)
time_ok = true;
inactive = false;
}
}
if (zsk) {
} else if (zsk && role == DST_BOOL_ZSK) {
result = dst_key_getstate(key, DST_KEY_ZRRSIG, &state);
if (result == ISC_R_SUCCESS) {
zrrsig_ok = ((state == DST_KEY_STATE_RUMOURED) ||