2780. [bug] dnssec-keygen -A none didn't properly unset the

activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revokation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

CHANGES

@@ -1,3 +1,13 @@
+	--- 9.7.0b3 released ---
+
+2780.	[bug]		dnssec-keygen -A none didn't properly unset the
+			activation date in all cases. [RT #20648]
+
+2779.	[bug]		Dynamic key revokation could fail. [RT #20644]
+
+2778.	[bug]		dnssec-signzone could fail when a key was revoked
+			without deleting the unrevoked version. [RT #20638]
+
 2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
 
 2776.	[bug]		Change #2762 was not correct. [RT #20647]
@@ -11,8 +21,6 @@
 2773.	[bug]		In autosigned zones, the SOA could be signed
 			with the KSK. [RT #20628]
 
-	--- 9.7.0b3 released ---
-
 2772.	[security]	When validating, track whether pending data was from
 			the additional section or not and only return it if
 			validates as secure. [RT #20438]

bin/dnssec/dnssec-keyfromlabel.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.27 2009/11/21 17:51:49 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.28 2009/11/23 02:55:40 each Exp $ */
 
 /*! \file */
 
@@ -461,12 +461,14 @@ main(int argc, char **argv) {
 
 		if (setpub)
 			dst_key_settime(key, DST_TIME_PUBLISH, publish);
-		else if (!genonly)
+		else if (setact)
+			dst_key_settime(key, DST_TIME_PUBLISH, activate);
+		else if (!genonly && !unsetpub)
 			dst_key_settime(key, DST_TIME_PUBLISH, now);
 
 		if (setact)
 			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
-		else if (!genonly)
+		else if (!genonly && !unsetact)
 			dst_key_settime(key, DST_TIME_ACTIVATE, now);
 
 		if (setrev) {

bin/dnssec/dnssec-keygen.c

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.106 2009/10/28 00:27:10 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.107 2009/11/23 02:55:40 each Exp $ */
 
 /*! \file */
 
@@ -772,13 +772,16 @@ main(int argc, char **argv) {
 
 			if (setpub)
 				dst_key_settime(key, DST_TIME_PUBLISH, publish);
-			else if (!genonly && !setact)
+			else if (setact)
+				dst_key_settime(key, DST_TIME_PUBLISH,
+						activate);
+			else if (!genonly && !unsetpub)
 				dst_key_settime(key, DST_TIME_PUBLISH, now);
 
 			if (setact)
 				dst_key_settime(key, DST_TIME_ACTIVATE,
 						activate);
-			else if (!genonly && !setpub)
+			else if (!genonly && !unsetact)
 				dst_key_settime(key, DST_TIME_ACTIVATE, now);
 
 			if (setrev) {

bin/dnssec/dnssec-signzone.c

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.253 2009/11/16 04:27:44 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.254 2009/11/23 02:55:40 each Exp $ */
 
 /*! \file */
 
@@ -2760,7 +2760,7 @@ static void
 build_final_keylist() {
 	isc_result_t result;
 	dns_dbversion_t *ver = NULL;
-	dns_diff_t del, add;
+	dns_diff_t diff;
 	dns_dnsseckeylist_t matchkeys;
 	char name[DNS_NAME_FORMATSIZE];
 
@@ -2777,31 +2777,24 @@ build_final_keylist() {
 	result = dns_db_newversion(gdb, &ver);
 	check_result(result, "dns_db_newversion");
 
-	dns_diff_init(mctx, &del);
-	dns_diff_init(mctx, &add);
+	dns_diff_init(mctx, &diff);
 
 	/*
 	 * Update keylist with information from from the key repository.
 	 */
 	dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
-			      &add, &del, ignore_kskflag, mctx, report);
+			      &diff, ignore_kskflag, mctx, report);
 
 	dns_name_format(gorigin, name, sizeof(name));
 
-	result = dns_diff_applysilently(&del, gdb, ver);
+	result = dns_diff_applysilently(&diff, gdb, ver);
 	if (result != ISC_R_SUCCESS)
-		fatal("failed to delete DNSKEYs at node '%s': %s",
-		      name, isc_result_totext(result));
-
-	result = dns_diff_applysilently(&add, gdb, ver);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to add DNSKEYs at node '%s': %s",
+		fatal("failed to update DNSKEY RRset at node '%s': %s",
 		      name, isc_result_totext(result));
 
 	dns_db_closeversion(gdb, &ver, ISC_TRUE);
 
-	dns_diff_clear(&del);
-	dns_diff_clear(&add);
+	dns_diff_clear(&diff);
 }
 
 static void

bin/named/update.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.169 2009/11/18 21:22:31 each Exp $ */
+/* $Id: update.c,v 1.170 2009/11/23 02:55:41 each Exp $ */
 
 #include <config.h>
 
@@ -1883,8 +1883,8 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 				  (isc_stdtime_t) 0, &rdataset, NULL));
 	dns_db_detachnode(db, &node);
 
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
 #define ALG(x) dst_key_alg(x)
 
 	/*

lib/dns/dnssec.c

@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.110 2009/11/17 05:46:53 each Exp $
+ * $Id: dnssec.c,v 1.111 2009/11/23 02:55:41 each Exp $
  */
 
 /*! \file */
@@ -1078,7 +1078,7 @@ get_hints(dns_dnsseckey_t *key) {
 	 *
 	 * If it hasn't already been done, we should also revoke it now.
 	 */
-	if (key->hint_publish && (revset && revoke < now)) {
+	if (key->hint_publish && (revset && revoke <= now)) {
 		isc_uint32_t flags;
 		key->hint_sign = ISC_TRUE;
 		flags = dst_key_flags(key->key);
@@ -1384,7 +1384,7 @@ make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
 }
 
 static isc_result_t
-publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
+publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
 	    dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk,
 	    void (*report)(const char *, ...))
 {
@@ -1418,7 +1418,7 @@ publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
 	/* publish key */
 	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
 				    &dnskey, &tuple));
-	dns_diff_append(add, &tuple);
+	dns_diff_appendminimal(diff, &tuple);
 	result = ISC_R_SUCCESS;
 
  failure:
@@ -1426,7 +1426,7 @@ publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
 }
 
 static isc_result_t
-remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
+remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
 	  dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
 	  void (*report)(const char *, ...))
 {
@@ -1443,7 +1443,7 @@ remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
 	RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
 	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey,
 				    &tuple));
-	dns_diff_append(del, &tuple);
+	dns_diff_appendminimal(diff, &tuple);
 	result = ISC_R_SUCCESS;
 
  failure:
@@ -1459,9 +1459,8 @@ remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
 isc_result_t
 dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-		      dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
-		      isc_boolean_t allzsk, isc_mem_t *mctx,
-		      void (*report)(const char *, ...))
+		      dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+		      isc_mem_t *mctx, void (*report)(const char *, ...))
 {
 	isc_result_t result;
 	dns_dnsseckey_t *key, *key1, *key2, *next;
@@ -1476,7 +1475,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 	     key = ISC_LIST_NEXT(key, link)) {
 		if (key->source == dns_keysource_user &&
 		    (key->hint_publish || key->force_publish)) {
-			RETERR(publish_key(add, key, origin, ttl,
+			RETERR(publish_key(diff, key, origin, ttl,
 					   mctx, allzsk, report));
 		}
 	}
@@ -1515,7 +1514,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 
 			if (key1->source != dns_keysource_zoneapex &&
 			    (key1->hint_publish || key1->force_publish)) {
-				RETERR(publish_key(add, key1, origin, ttl,
+				RETERR(publish_key(diff, key1, origin, ttl,
 						   mctx, allzsk, report));
 				if (key1->hint_sign || key1->force_sign)
 					key1->first_sign = ISC_TRUE;
@@ -1526,7 +1525,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 
 		/* Match found: remove or update it as needed */
 		if (key1->hint_remove) {
-			RETERR(remove_key(del, key2, origin, ttl, mctx,
+			RETERR(remove_key(diff, key2, origin, ttl, mctx,
 					  "expired", report));
 			ISC_LIST_UNLINK(*keys, key2, link);
 			if (removed != NULL)
@@ -1541,7 +1540,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 			 * We need to remove the old version and pull
 			 * in the new one.
 			 */
-			RETERR(remove_key(del, key2, origin, ttl, mctx,
+			RETERR(remove_key(diff, key2, origin, ttl, mctx,
 					  "revoked", report));
 			ISC_LIST_UNLINK(*keys, key2, link);
 			if (removed != NULL)
@@ -1549,7 +1548,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 			else
 				dns_dnsseckey_destroy(mctx, &key2);
 
-			RETERR(publish_key(add, key1, origin, ttl,
+			RETERR(publish_key(diff, key1, origin, ttl,
 					   mctx, allzsk, report));
 			ISC_LIST_UNLINK(*newkeys, key1, link);
 			ISC_LIST_APPEND(*keys, key1, link);

lib/dns/include/dns/dnssec.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.39 2009/10/27 03:59:45 each Exp $ */
+/* $Id: dnssec.h,v 1.40 2009/11/23 02:55:41 each Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -290,19 +290,18 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 isc_result_t
 dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-		      dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
-		      isc_boolean_t allzsk, isc_mem_t *mctx,
-		      void (*report)(const char *, ...));
+		      dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+		      isc_mem_t *mctx, void (*report)(const char *, ...));
 /*%<
  * Update the list of keys in 'keys' with new key information in 'newkeys'.
  *
  * For each key in 'newkeys', see if it has a match in 'keys'.
  * - If not, and if the metadata says the key should be published:
- *   add it to 'keys', and place a dns_difftuple into 'add' so
+ *   add it to 'keys', and place a dns_difftuple into 'diff' so
  *   the key can be added to the DNSKEY set.  If the metadata says it
  *   should be active, set the first_sign flag.
  * - If so, and if the metadata says it should be removed:
- *   remove it from 'keys', and place a dns_difftuple into 'del' so
+ *   remove it from 'keys', and place a dns_difftuple into 'diff' so
  *   the key can be removed from the DNSKEY set.  if 'removed' is non-NULL,
  *   copy the key into that list; otherwise destroy it.
  * - Otherwise, make sure keys has current metadata.

lib/dns/zone.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.530 2009/11/18 21:22:31 each Exp $ */
+/* $Id: zone.c,v 1.531 2009/11/23 02:55:41 each Exp $ */
 
 /*! \file */
 
@@ -4549,8 +4549,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		goto failure;
 	}
 
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
 #define ALG(x) dst_key_alg(x)
 
 	for (i = 0; i < nkeys; i++) {
@@ -13441,7 +13441,7 @@ zone_rekey(dns_zone_t *zone) {
 	dns_rdataset_t soaset, soasigs, keyset, keysigs;
 	dns_dnsseckeylist_t dnskeys, keys, oldkeys;
 	dns_dnsseckey_t *key;
-	dns_diff_t add, del;
+	dns_diff_t diff;
 	isc_boolean_t commit = ISC_FALSE;
 	dns_ttl_t ttl = 3600;
 	const char *dir;
@@ -13459,8 +13459,7 @@ zone_rekey(dns_zone_t *zone) {
 	dns_rdataset_init(&keysigs);
 	dir = dns_zone_getkeydirectory(zone);
 	mctx = zone->mctx;
-	dns_diff_init(mctx, &add);
-	dns_diff_init(mctx, &del);
+	dns_diff_init(mctx, &diff);
 	isc_stdtime_get(&now);
 
 	CHECK(dns_zone_getdb(zone, &db));
@@ -13492,23 +13491,15 @@ zone_rekey(dns_zone_t *zone) {
 		check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 
 		CHECK(dns_dnssec_updatekeys(&dnskeys, &keys, &oldkeys,
-					    &zone->origin, ttl, &add, &del,
+					    &zone->origin, ttl, &diff,
 					    ISC_TF(!check_ksk), mctx, logmsg));
-		if (!ISC_LIST_EMPTY(del.tuples)) {
+		if (!ISC_LIST_EMPTY(diff.tuples)) {
 			commit = ISC_TRUE;
-			add_signing_records(db, zone->privatetype, ver, &del);
-			dns_diff_apply(&del, db, ver);
-			result = increment_soa_serial(db, ver, &del, mctx);
+			add_signing_records(db, zone->privatetype, ver, &diff);
+			dns_diff_apply(&diff, db, ver);
+			result = increment_soa_serial(db, ver, &diff, mctx);
 			if (result == ISC_R_SUCCESS)
-				zone_journal(zone, &del, "zone_rekey");
-		}
-		if (!ISC_LIST_EMPTY(add.tuples)) {
-			commit = ISC_TRUE;
-			add_signing_records(db, zone->privatetype, ver, &add);
-			dns_diff_apply(&add, db, ver);
-			result = increment_soa_serial(db, ver, &add, mctx);
-			if (result == ISC_R_SUCCESS)
-				zone_journal(zone, &add, "zone_rekey");
+				zone_journal(zone, &diff, "zone_rekey");
 
 		}
 	}
@@ -13548,16 +13539,22 @@ zone_rekey(dns_zone_t *zone) {
 		 * key metadata indicates there is a key change event
 		 * scheduled in the future, set the key refresh timer.
 		 */
+//HERE
+dns_zone_log(zone, ISC_LOG_NOTICE, "1");
 		if (!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
 			break;
+dns_zone_log(zone, ISC_LOG_NOTICE, "2");
 
 		result = next_keyevent(key->key, &then);
 		if (result != ISC_R_SUCCESS)
 			continue;
+dns_zone_log(zone, ISC_LOG_NOTICE, "3");
 
 		isc_time_set(&timethen, then, 0);
 		if (isc_time_isepoch(&zone->refreshkeytime) ||
 		    isc_time_compare(&timethen, &zone->refreshkeytime) < 0) {
+//HERE
+dns_zone_log(zone, ISC_LOG_NOTICE, "setting refreshkeytime to %d\n", then);
 			zone->refreshkeytime = timethen;
 			zone_settimer(zone, &timenow);
 		}
@@ -13566,8 +13563,7 @@ zone_rekey(dns_zone_t *zone) {
 	result = ISC_R_SUCCESS;
 
  failure:
-	dns_diff_clear(&add);
-	dns_diff_clear(&del);
+	dns_diff_clear(&diff);
 
 	clear_keylist(&dnskeys, mctx);
 	clear_keylist(&keys, mctx);