
Detect if keymgr made changes

If so we also want to tickle the apex because DNSKEY/CDNSKEY/CDS
RRsets may need to be re-signed.

Note that this may be overzealous, because if state transitions
happen just because of timing events (RUMOURED -> OMNIPRESENT,
UNRETENTIVE -> HIDDEN) this would have to cause changes in the
zone DNSSEC records.
This commit is contained in:
Matthijs Mekking 2025-07-24 11:14:16 +02:00
parent aa49850b5e
commit a0dc0434e5
2 changed files with 15 additions and 8 deletions


@ -1463,6 +1463,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
static isc_result_t static isc_result_t
keymgr_update(dns_dnsseckeylist_t *keyring, dns_kasp_t *kasp, isc_stdtime_t now, keymgr_update(dns_dnsseckeylist_t *keyring, dns_kasp_t *kasp, isc_stdtime_t now,
isc_stdtime_t *nexttime, uint8_t opts) { isc_stdtime_t *nexttime, uint8_t opts) {
isc_result_t result = DNS_R_UNCHANGED;
bool changed; bool changed;
bool force = ((opts & DNS_KEYMGRATTR_FORCESTEP) != 0); bool force = ((opts & DNS_KEYMGRATTR_FORCESTEP) != 0);
@ -1625,12 +1626,13 @@ transition:
/* We changed something, continue processing. */ /* We changed something, continue processing. */
if (changed) { if (changed) {
result = ISC_R_SUCCESS;
/* No longer force for the next run */ /* No longer force for the next run */
force = false; force = false;
goto transition; goto transition;
} }
return ISC_R_SUCCESS; return result;
} }
/* /*
@ -2121,7 +2123,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
dns_dnsseckeylist_t *dnskeys, const char *keydir, dns_dnsseckeylist_t *dnskeys, const char *keydir,
dns_kasp_t *kasp, uint8_t opts, isc_stdtime_t now, dns_kasp_t *kasp, uint8_t opts, isc_stdtime_t now,
isc_stdtime_t *nexttime) { isc_stdtime_t *nexttime) {
isc_result_t result = ISC_R_SUCCESS; isc_result_t result = DNS_R_UNCHANGED;
dns_dnsseckeylist_t newkeys; dns_dnsseckeylist_t newkeys;
int numkeys = 0; int numkeys = 0;
int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE); int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
@ -2314,7 +2316,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
} }
/* Read to update key states. */ /* Read to update key states. */
keymgr_update(keyring, kasp, now, nexttime, opts); isc_result_t retval = keymgr_update(keyring, kasp, now, nexttime, opts);
/* Store key states and update hints. */ /* Store key states and update hints. */
ISC_LIST_FOREACH(*keyring, dkey, link) { ISC_LIST_FOREACH(*keyring, dkey, link) {
@ -2322,6 +2324,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
if (dst_key_getttl(dkey->key) != dns_kasp_dnskeyttl(kasp)) { if (dst_key_getttl(dkey->key) != dns_kasp_dnskeyttl(kasp)) {
dst_key_setttl(dkey->key, dns_kasp_dnskeyttl(kasp)); dst_key_setttl(dkey->key, dns_kasp_dnskeyttl(kasp));
modified = true; modified = true;
retval = ISC_R_SUCCESS;
} }
if (modified && !dkey->purge) { if (modified && !dkey->purge) {
const char *directory = dst_key_directory(dkey->key); const char *directory = dst_key_directory(dkey->key);
@ -2347,10 +2350,9 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
dst_key_setmodified(dkey->key, false); dst_key_setmodified(dkey->key, false);
} }
result = ISC_R_SUCCESS; result = retval;
failure: failure:
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) {
ISC_LIST_FOREACH(newkeys, newkey, link) { ISC_LIST_FOREACH(newkeys, newkey, link) {
ISC_LIST_UNLINK(newkeys, newkey, link); ISC_LIST_UNLINK(newkeys, newkey, link);
INSIST(newkey->key != NULL); INSIST(newkey->key != NULL);
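Review bot: keymgr_update and dns_keymgr_run now return DNS_R_UNCHANGED on the idle path, so any caller other than zone_rekey that still treats anything but ISC_R_SUCCESS as failure will misreport a run that changed nothing, and the new tri-state contract is not stated on the function's doc comment. I would document it on the declaration, e.g. `Returns ISC_R_SUCCESS if key states, key files or the DNSKEY TTL changed, DNS_R_UNCHANGED if nothing changed, otherwise an error.` Also, `result = retval;` before `failure:` means any other error code keymgr_update can return now reaches the newkeys cleanup that the old code never ran, since the call's result was previously discarded; if keymgr_update has error returns beyond the two visible here, confirm that unlinking newkeys at that point is safe. Both function bodies extend outside these hunks.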


@ -22233,6 +22233,7 @@ zone_rekey(dns_zone_t *zone) {
bool newalg = false; bool newalg = false;
bool fullsign; bool fullsign;
bool offlineksk = false; bool offlineksk = false;
bool kasp_change = false;
uint8_t options = 0; uint8_t options = 0;
uint32_t sigval = 0; uint32_t sigval = 0;
dns_ttl_t ttl = 3600; dns_ttl_t ttl = 3600;
@ -22468,7 +22469,11 @@ zone_rekey(dns_zone_t *zone) {
kasp, options, now, &nexttime); kasp, options, now, &nexttime);
dns_zone_unlock_keyfiles(zone); dns_zone_unlock_keyfiles(zone);
if (result != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) {
kasp_change = true;
} else if (result == DNS_R_UNCHANGED) {
result = ISC_R_SUCCESS;
} else {
dnssec_log(zone, ISC_LOG_ERROR, dnssec_log(zone, ISC_LOG_ERROR,
"zone_rekey:dns_keymgr_run " "zone_rekey:dns_keymgr_run "
"failed: %s", "failed: %s",
@ -22686,7 +22691,7 @@ zone_rekey(dns_zone_t *zone) {
"allowed"); "allowed");
} }
if (newactive || fullsign || sane_diff) { if (newactive || fullsign || sane_diff || kasp_change) {
CHECK(dns_diff_apply(&diff, db, ver)); CHECK(dns_diff_apply(&diff, db, ver));
CHECK(clean_nsec3param(zone, db, ver, &diff)); CHECK(clean_nsec3param(zone, db, ver, &diff));
CHECK(add_signing_records(db, zone->privatetype, ver, CHECK(add_signing_records(db, zone->privatetype, ver,
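Review bot: `kasp_change`, set only in the `result == ISC_R_SUCCESS` branch, forces the dns_diff_apply/clean_nsec3param/add_signing_records path even when the keymgr change was a timing-only state transition that left `diff` empty, the case the commit message itself calls overzealous; if that path bumps the serial or schedules a full re-sign on an empty diff, an otherwise idle zone would be rewritten on every RUMOURED/OMNIPRESENT or UNRETENTIVE/HIDDEN flip. Whether the branch is a no-op for an empty diff is not visible in this hunk, so I would at least record the intent at the assignment, `/* keymgr changed key state: re-sign the apex so DNSKEY/CDNSKEY/CDS follow */`, and consider gating on the diff being non-empty if an empty apply is not wanted. zone_rekey continues outside these hunks.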