Write new DNSKEY TTL to key file

When the current DNSKEY TTL does not match the one from the policy,
write the new TTL to disk.

bin/tests/system/kasp.sh

@@ -213,7 +213,7 @@ set_policy() {
   POLICY=$1
   NUM_KEYS=$2
   DNSKEY_TTL=$3
-  KEYFILE_TTL=${4:-$3}
+  KEYFILE_TTL=$3
   CDS_DELETE="no"
   CDS_SHA256="yes"
   CDS_SHA384="no"

bin/tests/system/kasp/tests.sh

@@ -1379,7 +1379,7 @@ check_rrsig_refresh
 # Zone: dnskey-ttl-mismatch.autosign
 #
 set_zone "dnskey-ttl-mismatch.autosign"
-set_policy "autosign" "2" "300" "30"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
@@ -4079,7 +4079,7 @@ dnssec_verify
 # Zone: step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@@ -4116,7 +4116,7 @@ check_next_key_event 93600
 # Zone: step2.going-insecure.kasp
 #
 set_zone "step2.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
@@ -4146,7 +4146,7 @@ check_next_key_event 7500
 #
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@@ -4184,7 +4184,7 @@ check_next_key_event 93600
 #
 set_zone "step2.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "3600"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.

bin/tests/system/nsec3/tests.sh

@@ -41,7 +41,7 @@ set_zone_policy() {
   POLICY=$2
   NUM_KEYS=$3
   DNSKEY_TTL=$4
-  KEYFILE_TTL=${5:-$4}
+  KEYFILE_TTL=$4
   # The CDS digest type in these tests are all the default,
   # which is SHA-256 (2).
   CDS_SHA256="yes"

lib/dns/keymgr.c

@@ -2214,11 +2214,16 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
 	     dkey = ISC_LIST_NEXT(dkey, link))
 	{
-		if (dst_key_ismodified(dkey->key) && !dkey->purge) {
+		bool modified = dst_key_ismodified(dkey->key);
+		if (dst_key_getttl(dkey->key) != dns_kasp_dnskeyttl(kasp)) {
+			dst_key_setttl(dkey->key, dns_kasp_dnskeyttl(kasp));
+			modified = true;
+		}
+		if (modified && !dkey->purge) {
 			dns_dnssec_get_hints(dkey, now);
 			RETERR(dst_key_tofile(dkey->key, options, directory));
-			dst_key_setmodified(dkey->key, false);
 		}
+		dst_key_setmodified(dkey->key, false);
 	}
 
 	result = ISC_R_SUCCESS;