Merge branch 'marka-Psync-future' into 'master'

dnssec: do not publish CDS records when -Psync is in the future

See merge request isc-projects/bind9!2925

CHANGES

@@ -1,3 +1,6 @@
+5348.	[bug]		dnssec-settime -Psync was not being honoured.
+			[GL !2893]
+
 	--- 9.15.8 released ---
 
 5347.	[bug]		Fixed a bug that could cause an intermittent crash

bin/tests/system/smartsign/tests.sh

@@ -55,6 +55,9 @@ cksk4=`$REVOKE $cksk3`
 echo_i "setting up sync key"
 cksk5=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now $czone`
 
+echo_i "and future sync key"
+cksk6=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now+1mo $czone`
+
 echo_i "generating parent keys"
 pzsk=`$KEYGEN -q -a rsasha1 $pzone`
 pksk=`$KEYGEN -q -a rsasha1 -fk $pzone`
@@ -348,6 +351,7 @@ awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+# this also checks that the future sync record is not yet published
 echo_i "checking sync record deletion"
 ret=0
 $SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null

lib/dns/dnssec.c

@@ -648,6 +648,7 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
 	isc_stdtime_t when;
 	dst_key_state_t state;
 	int major, minor;
+	bool publish;
 
 	/*
 	 * Is this an old-style key?
@@ -670,18 +671,16 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
 	}
 
 	/* If no kasp state, check timings. */
+	publish = false;
 	result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
-	if (result != ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS && when < now) {
-		return (false);
+		publish = true;
 	}
 	result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
-	if (result != ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS && when < now) {
-		return (true);
+		publish = false;
 	}
-	if (when <= now) {
+	return (publish);
-		return (false);
-	}
-	return (true);
 }
 
 /*%<