Fix a small keymgr bug

While converting the kasp system test to pytest, I encountered a small bug in the keymgr code. We retire keys when there is more than one key matching a 'keys' line from the dnssec-policy. But if there are multiple identical 'keys' lines, as is the case for the test zone 'checkds-doubleksk.kasp', we retire one of the two keys that have the same properties. Fix this by checking if there are double matches. This is not fool proof because there may be many keys for a few identical 'keys' lines, but it is good enough for now. In practice it makes no sense to have a policy that dictates multiple keys with identical properties.
2025-08-31 14:35:26 +00:00 · 2025-02-25 08:40:33 +01:00
parent 329a332708
commit ef671919d5
1 changed files with 15 additions and 0 deletions
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -2022,6 +2022,20 @@ keymgr_purge_keyfile(dst_key_t *key, int type) {
 	}
 }

+static bool
+dst_key_doublematch(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
+	int matches = 0;
+
+	for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+	     kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
+	{
+		if (dns_kasp_key_match(kkey, key)) {
+			matches++;
+		}
+	}
+	return matches > 1;
+}
+
 /*
 * Examine 'keys' and match 'kasp' policy.
 *
@@ -2161,6 +2175,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 					 * matches the kasp policy.
 					 */
 					if (!dst_key_is_unused(dkey->key) &&
+					    !dst_key_doublematch(dkey, kasp) &&
 					    (dst_key_goal(dkey->key) ==
 					     OMNIPRESENT) &&
 					    !keymgr_dep(dkey->key, keyring,