add 300 seconds of fudge

2025-08-22 18:19:42 +00:00 · 2019-01-30 13:02:14 +11:00 · 2019-01-30 13:02:14 +11:00 · acf0292da4
commit acf0292da4
parent 36ea9b8181
2 changed files with 19 additions and 8 deletions
--- a/bin/python/dnssec-keymgr.docbook
+++ b/bin/python/dnssec-keymgr.docbook
@ -99,6 +99,12 @@
      set by the <option>-K</option> option), and check the keys for
      all the zones represented in the directory.
    </para>
+    <para>
+      Key times that are in the past will not be updated unless
+      the <option>-f</option> is used (see below).  Key inactivation
+      and deletion times that are less than five minutes in the future
+      will be delayed by five minutes.
+    </para>
    <para>
      It is expected that this tool will be run automatically and
      unattended (for example, by <command>cron</command>).
--- a/bin/python/isc/keyseries.py.in
+++ b/bin/python/isc/keyseries.py.in
@ -83,31 +83,36 @@ class keyseries:
            a = now

        i = key.inactive()
+        fudge = 300
        if not rp:
            key.setinactive(None, **kwargs)
            key.setdelete(None, **kwargs)
        elif not i or a + rp != i:
-            if not i and a + rp > now + prepub:
+            if not i and a + rp > now + prepub + fudge:
                key.setinactive(a + rp, **kwargs)
                key.setdelete(a + rp + postpub, **kwargs)
            elif not i:
-                key.setinactive(now + prepub, **kwargs)
-                key.setdelete(now + prepub + postpub, **kwargs)
+                key.setinactive(now + prepub + fudge, **kwargs)
+                key.setdelete(now + prepub + postpub + fudge, **kwargs)
+            elif i < now:
+                pass
            elif a + rp > i:
                key.setinactive(a + rp, **kwargs)
                key.setdelete(a + rp + postpub, **kwargs)
-            elif a + rp > now + prepub:
+            elif a + rp > now + prepub + fudge:
                key.setinactive(a + rp, **kwargs)
                key.setdelete(a + rp + postpub, **kwargs)
            else:
-                key.setinactive(now + prepub, **kwargs)
-                key.setdelete(now + prepub + postpub, **kwargs)
+                key.setinactive(now + prepub + fudge, **kwargs)
+                key.setdelete(now + prepub + postpub + fudge, **kwargs)
        else:
            d = key.delete()
-            if not d or i + postpub > now:
+            if not d or i + postpub > now + fudge:
                key.setdelete(i + postpub, **kwargs)
            elif not d:
-                key.setdelete(now + postpub, **kwargs)
+                key.setdelete(now + postpub + fudge, **kwargs)
+            elif d < now + fudge:
+                pass
            elif d < i + postpub:
                key.setdelete(i + postpub, **kwargs)