Write new DNSKEY TTL to key file

When the current DNSKEY TTL does not match the one from the policy, write the new TTL to disk.
2025-08-30 14:07:59 +00:00 · 2023-12-22 15:08:45 +01:00 · 2023-12-22 15:08:45 +01:00 · b770740b44
commit b770740b44
parent 27e74b2e4b
4 changed files with 14 additions and 9 deletions
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@ -213,7 +213,7 @@ set_policy() {
  POLICY=$1
  NUM_KEYS=$2
  DNSKEY_TTL=$3
-  KEYFILE_TTL=${4:-$3}
+  KEYFILE_TTL=$3
  CDS_DELETE="no"
  CDS_SHA256="yes"
  CDS_SHA384="no"
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -1379,7 +1379,7 @@ check_rrsig_refresh
 # Zone: dnskey-ttl-mismatch.autosign
 #
 set_zone "dnskey-ttl-mismatch.autosign"
-set_policy "autosign" "2" "300" "30"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
@ -4079,7 +4079,7 @@ dnssec_verify
 # Zone: step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@ -4116,7 +4116,7 @@ check_next_key_event 93600
 # Zone: step2.going-insecure.kasp
 #
 set_zone "step2.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"

 # The DS is long enough removed from the zone to be considered HIDDEN.
@ -4146,7 +4146,7 @@ check_next_key_event 7500
 #
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@ -4184,7 +4184,7 @@ check_next_key_event 93600
 #
 set_zone "step2.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"

 # The DS is long enough removed from the zone to be considered HIDDEN.
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@ -41,7 +41,7 @@ set_zone_policy() {
  POLICY=$2
  NUM_KEYS=$3
  DNSKEY_TTL=$4
-  KEYFILE_TTL=${5:-$4}
+  KEYFILE_TTL=$4
  # The CDS digest type in these tests are all the default,
  # which is SHA-256 (2).
  CDS_SHA256="yes"
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@ -2214,11 +2214,16 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
 	     dkey = ISC_LIST_NEXT(dkey, link))
 	{
-		if (dst_key_ismodified(dkey->key) && !dkey->purge) {
+		bool modified = dst_key_ismodified(dkey->key);
+		if (dst_key_getttl(dkey->key) != dns_kasp_dnskeyttl(kasp)) {
+			dst_key_setttl(dkey->key, dns_kasp_dnskeyttl(kasp));
+			modified = true;
+		}
+		if (modified && !dkey->purge) {
 			dns_dnssec_get_hints(dkey, now);
 			RETERR(dst_key_tofile(dkey->key, options, directory));
-			dst_key_setmodified(dkey->key, false);
 		}
+		dst_key_setmodified(dkey->key, false);
 	}

 	result = ISC_R_SUCCESS;