mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-04 16:45:24 +00:00
Code Issues Releases Wiki Activity

Code changes for CSK

Browse Source 
Update dns_dnssec_keyactive to differentiate between the roles ZSK
and KSK.  A key is active if it is signing but that differs per role.
A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.

This means that a key can be actively signing for one role but not
the other.  Add checks in inline signing (zone.c and update.c) to
cover the case where a CSK is active in its KSK role but not the ZSK
role.
This commit is contained in:
Matthijs Mekking
2019-10-30 14:38:28 +01:00
parent 6468ffc336
commit 67033bfd3d
5 changed files with 56 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/dns/include/dst/dst.h
View File

@@ -1138,9 +1138,10 @@ dst_key_is_active(dst_key_t *key, isc_stdtime_t now);
*/
bool
dst_key_is_signing(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *active);
dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now,
isc_stdtime_t *active);
/*%<
* Check if it is safe to use this key for signing.
* Check if it is safe to use this key for signing, given the role.
*
* Requires:
* 'key' to be valid.