Various rndc dnssec -checkds fixes

While working on 'rndc dnssec -rollover' I noticed the following
(small) issues:

- The key files where updated with hints set to "-when" and that
  should always be "now.
- The kasp system test did not properly update the test number when
  calling 'rndc dnssec -checkds' (and ensuring that works).
- There was a missing ']' in the rndc.c help output.

bin/rndc/rndc.c

@@ -111,7 +111,7 @@ command is one of the following:\n\
 		Add zone to given view. Requires allow-new-zones option.\n\
   delzone [-clean] zone [class [view]]\n\
 		Removes zone from given view.\n\
-  dnssec -checkds [-key id [-alg algorithm] [-when time] (published|withdrawn) zone [class [view]]\n\
+  dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
 		Mark the DS record for the KSK of the given zone as seen\n\
 		in the parent.  If the zone has multiple KSKs, select a\n\
 		specific key by providing the keytag with -key id and\n\

bin/tests/system/kasp/tests.sh

@@ -1236,10 +1236,16 @@ rndc_checkds() {
 		_whencmd="-when ${_when}"
 	fi
 
-	echo_i "calling checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+	n=$((n+1))
+	echo_i "calling rndc dnssec -checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+	ret=0
+
 	rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (${_keycmd} ${_whencmd} ${_what} zone ${_zone} failed"
 
 	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
 }
 
 # Tell named to schedule a key rollover.
@@ -1251,15 +1257,16 @@ rndc_rollover() {
 	_zone=$5
 	_view=$6
 
+	_whencmd=""
+	if [ "${_when}" != "now" ]; then
+		_whencmd="-when ${_when}"
+	fi
+
 	n=$((n+1))
-	echo_i "calling rndc dnssec -rollover key ${_keyid} zone ${_zone} ($n)"
+	echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
 	ret=0
 
-	if [ "${_when}" = "now" ]; then
-		rndccmd $_server dnssec -rollover -key $_keyid $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
-	else
-		rndccmd $_server dnssec -rollover -key $_keyid -when $_when $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
-	fi
+	rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
 
 	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
 

lib/dns/include/dns/keymgr.h

@@ -53,11 +53,13 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 
 isc_result_t
 dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		   const char *directory, isc_stdtime_t now, bool dspublish);
+		   const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+		   bool dspublish);
 isc_result_t
 dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		      const char *directory, isc_stdtime_t now, bool dspublish,
-		      dns_keytag_t id, unsigned int algorithm);
+		      const char *directory, isc_stdtime_t now,
+		      isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+		      unsigned int algorithm);
 /*%<
  * Check DS for one key in 'keyring'. The key must have the KSK role.
  * If 'dspublish' is set to true, set the DS Publish time to 'now'.

lib/dns/keymgr.c

@@ -1864,8 +1864,9 @@ failure:
 
 static isc_result_t
 keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-	       const char *directory, isc_stdtime_t now, bool dspublish,
-	       dns_keytag_t id, unsigned int alg, bool check_id) {
+	       const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+	       bool dspublish, dns_keytag_t id, unsigned int alg,
+	       bool check_id) {
 	int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
 	isc_dir_t dir;
 	isc_result_t result;
@@ -1905,9 +1906,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 	}
 
 	if (dspublish) {
-		dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, now);
+		dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
 	} else {
-		dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, now);
+		dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
 	}
 
 	/* Store key state and update hints. */
@@ -1929,17 +1930,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 
 isc_result_t
 dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		   const char *directory, isc_stdtime_t now, bool dspublish) {
-	return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0, 0,
-			       false));
+		   const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+		   bool dspublish) {
+	return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+			       0, 0, false));
 }
 
 isc_result_t
 dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		      const char *directory, isc_stdtime_t now, bool dspublish,
-		      dns_keytag_t id, unsigned int alg) {
-	return (keymgr_checkds(kasp, keyring, directory, now, dspublish, id,
-			       alg, true));
+		      const char *directory, isc_stdtime_t now,
+		      isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+		      unsigned int alg) {
+	return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+			       id, alg, true));
 }
 
 static void