mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00
Code Issues Releases Wiki Activity

Test keytimes on CSK rollover

Browse Source 
This improves keytime testing on CSK rollover.  It now
tests for specific times, and also tests for SyncPublish and
Removed keytimes.

Since an "active key" for ZSK and KSK means something
different, this makes it tricky to decide when a CSK is
active. An "active key" intuitively means the key is signing
so we say a CSK is active when it is creating zone signatures.

This change means a lot of timings for the CSK rollover tests
need to be adjusted.

The keymgr code needs a slight change on calculating the
prepublication time: For a KSK we need to include the parent
registration delay, but for CSK we look at the zone signing
property and stick with the ZSK prepublication calculation.
This commit is contained in:
Matthijs Mekking
2020-05-11 15:12:32 +02:00
parent 649d0833ce
commit e233433772
3 changed files with 595 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
lib/dns/keymgr.c
View File

@@ -121,6 +121,10 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
dns_kasp_parentpropagationdelay(kasp) +
dns_kasp_retiresafety(kasp);
}
if (zsk && ksk) {
ksk_remove += dns_kasp_parentregistrationdelay(kasp);
}
remove = ksk_remove > zsk_remove ? ksk_remove : zsk_remove;
dst_key_settime(key->key, DST_TIME_DELETE, remove);
}
@@ -183,7 +187,7 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
uint32_t lifetime, isc_stdtime_t now) {
isc_result_t ret;
isc_stdtime_t active, retire, pub, prepub;
bool ksk = false;
bool zsk = false, ksk = false;
REQUIRE(key != NULL);
REQUIRE(key->key != NULL);
@@ -244,7 +248,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
syncpub);
}
}
(void)dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
if (!zsk && ksk) {
/*
* Include registration delay in prepublication time.
*/
@@ -1697,6 +1704,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
dst_key_id(newkey->key));
(void)dst_key_gettime(active_key->key,
DST_TIME_INACTIVE, &retire);
active = retire;
/*
* If prepublication time and/or retire time are
* in the past (before the new key was created), use
@@ -1704,16 +1713,15 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
* effectively immediately making the key active.
*/
if (prepub < created) {
retire += (created - prepub);
active += (created - prepub);
prepub = created;
}
if (retire < created) {
retire = created;
if (active < created) {
active = created;
}
dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub);
dst_key_settime(newkey->key, DST_TIME_ACTIVATE, retire);
dst_key_settime(newkey->key, DST_TIME_ACTIVATE, active);
keymgr_settime_syncpublish(newkey, kasp, false);
active = retire;
}
/* This key wants to be present. */