Various rndc dnssec -checkds fixes

While working on 'rndc dnssec -rollover' I noticed the following (small) issues: - The key files where updated with hints set to "-when" and that should always be "now. - The kasp system test did not properly update the test number when calling 'rndc dnssec -checkds' (and ensuring that works). - There was a missing ']' in the rndc.c help output.
2025-09-01 06:55:30 +00:00 · 2020-08-24 10:05:28 +02:00
parent fcd34abb9e
commit edc53fc416
4 changed files with 34 additions and 22 deletions
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -111,7 +111,7 @@ command is one of the following:\n\
 		Add zone to given view. Requires allow-new-zones option.\n\
  delzone [-clean] zone [class [view]]\n\
 		Removes zone from given view.\n\
-  dnssec -checkds [-key id [-alg algorithm] [-when time] (published|withdrawn) zone [class [view]]\n\
+  dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
 		Mark the DS record for the KSK of the given zone as seen\n\
 		in the parent.  If the zone has multiple KSKs, select a\n\
 		specific key by providing the keytag with -key id and\n\
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1236,10 +1236,16 @@ rndc_checkds() {
 		_whencmd="-when ${_when}"
 	fi
-	echo_i "calling checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+	n=$((n+1))
 	echo_i "calling rndc dnssec -checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
 	ret=0
 	rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (${_keycmd} ${_whencmd} ${_what} zone ${_zone} failed"
 	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
 	test "$ret" -eq 0 || echo_i "failed"
 	status=$((status+ret))
 }
 # Tell named to schedule a key rollover.
@@ -1251,15 +1257,16 @@ rndc_rollover() {
 	_zone=$5
 	_view=$6
 	_whencmd=""
 	if [ "${_when}" != "now" ]; then
 		_whencmd="-when ${_when}"
 	fi
 	n=$((n+1))
-	echo_i "calling rndc dnssec -rollover key ${_keyid} zone ${_zone} ($n)"
+	echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
 	ret=0
-	if [ "${_when}" = "now" ]; then
+	rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
 		rndccmd $_server dnssec -rollover -key $_keyid $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
 	else
 		rndccmd $_server dnssec -rollover -key $_keyid -when $_when $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
 	fi
 	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
--- a/lib/dns/include/dns/keymgr.h
+++ b/lib/dns/include/dns/keymgr.h
@@ -53,11 +53,13 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 isc_result_t
 dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		   const char *directory, isc_stdtime_t now, bool dspublish);
+		   const char *directory, isc_stdtime_t now, isc_stdtime_t when,
 		   bool dspublish);
 isc_result_t
 dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		      const char *directory, isc_stdtime_t now, bool dspublish,
+		      const char *directory, isc_stdtime_t now,
-		      dns_keytag_t id, unsigned int algorithm);
+		      isc_stdtime_t when, bool dspublish, dns_keytag_t id,
 		      unsigned int algorithm);
 /*%<
 * Check DS for one key in 'keyring'. The key must have the KSK role.
 * If 'dspublish' is set to true, set the DS Publish time to 'now'.
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1864,8 +1864,9 @@ failure:
 static isc_result_t
 keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-	       const char *directory, isc_stdtime_t now, bool dspublish,
+	       const char *directory, isc_stdtime_t now, isc_stdtime_t when,
-	       dns_keytag_t id, unsigned int alg, bool check_id) {
+	       bool dspublish, dns_keytag_t id, unsigned int alg,
 	       bool check_id) {
 	int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
 	isc_dir_t dir;
 	isc_result_t result;
@@ -1905,9 +1906,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 	}
 	if (dspublish) {
-		dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, now);
+		dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
 	} else {
-		dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, now);
+		dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
 	}
 	/* Store key state and update hints. */
@@ -1929,17 +1930,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 isc_result_t
 dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		   const char *directory, isc_stdtime_t now, bool dspublish) {
+		   const char *directory, isc_stdtime_t now, isc_stdtime_t when,
-	return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0, 0,
+		   bool dspublish) {
-			       false));
+	return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
 			       0, 0, false));
 }
 isc_result_t
 dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
-		      const char *directory, isc_stdtime_t now, bool dspublish,
+		      const char *directory, isc_stdtime_t now,
-		      dns_keytag_t id, unsigned int alg) {
+		      isc_stdtime_t when, bool dspublish, dns_keytag_t id,
-	return (keymgr_checkds(kasp, keyring, directory, now, dspublish, id,
+		      unsigned int alg) {
-			       alg, true));
+	return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
 			       id, alg, true));
 }
 static void