
Code changes for CSK

Update dns_dnssec_keyactive to differentiate between the roles ZSK
and KSK.  A key is active if it is signing but that differs per role.
A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT;
a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.

This means that a key can be actively signing for one role but not
the other.  Add checks in inline signing (zone.c and update.c) to
cover the case where a CSK is active in its KSK role but not the ZSK
role.
This commit is contained in:
Matthijs Mekking
2019-10-30 14:38:28 +01:00
parent 6468ffc336
commit 67033bfd3d
5 changed files with 56 additions and 16 deletions


@@ -1167,6 +1167,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
* A dnssec-policy is found. Check what RRsets this
* key should sign.
*/
isc_stdtime_t when;
isc_result_t kresult;
bool ksk = false;
bool zsk = false;
@@ -1200,6 +1201,14 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
* Other RRsets are signed with ZSK.
*/
continue;
} else if (zsk && !dst_key_is_signing(keys[i],
DST_BOOL_ZSK,
inception,
&when)) {
/*
* This key is not active for zone-signing.
*/
continue;
}
/*