    refactor create_keydata · 4d3ed3f4
    Evan Hunt authored
    use empty placeholder KEYDATA records for all trust anchors, not just
    DS-style trust anchors.

    this revealed a pre-existing bug: keyfetch_done() skips keys without
    the SEP bit when populating the managed-keys zone. consequently, if a
    zone only has a single ZSK which is configured as trust anchor and no
    KSKs, then no KEYDATA record is ever written to the managed-keys zone
    when keys are refreshed.

    that was how the root server in the dnssec system test was configured.
    however, previously, the KEYDATA was created when the key was
    initialized; this prevented us from noticing the bug until now.

    configuring a ZSK as an RFC 5011 trust anchor is not forbidden by the
    spec, but it is highly unusual and not well defined. so for the time
    being, I have modified the system test to generate both a KSK and ZSK
    for the root zone, enabling the test to pass.

    we should consider adding code to detect this condition and allow keys
    without the SEP bit to be used as trust anchors if no key with the SEP
    bit is available, or at minimum, log a warning.
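The SEP-bit filtering the message describes, and the fallback it proposes, modelled as an added example (this is not BIND's code; `select_keydata_original` and `select_keydata_proposed` are hypothetical names, and the sample DNSKEY records are constructed with placeholder key material):

```python
"""Which trust-anchor DNSKEYs get a KEYDATA record in managed-keys.

Added illustration, not code from BIND. The "original" selector keeps
only keys carrying the SEP bit, so a zone whose sole trust anchor is a
ZSK produces no KEYDATA at all. The "proposed" selector prefers SEP
keys but falls back to zone keys without SEP, logging a warning.
"""
import logging

# DNSKEY flag bits (RFC 4034 section 2.1.1; SEP from RFC 3757)
ZONE_KEY = 0x0100
SEP = 0x0001

log = logging.getLogger("keyfetch")


def parse_dnskey(presentation):
    """Parse 'flags protocol algorithm base64...' into a dict."""
    flags, proto, alg, *key = presentation.split()
    return {"flags": int(flags), "protocol": int(proto),
            "algorithm": int(alg), "key": "".join(key)}


def is_sep(key):
    return bool(key["flags"] & SEP)


def select_keydata_original(keys):
    """Pre-fix behaviour: only SEP-flagged zone keys, rest silently dropped."""
    return [k for k in keys if k["flags"] & ZONE_KEY and is_sep(k)]


def select_keydata_proposed(keys):
    """Commit's suggestion: use SEP keys; if none exist, accept ZSKs and warn."""
    zone_keys = [k for k in keys if k["flags"] & ZONE_KEY]
    sep_keys = [k for k in zone_keys if is_sep(k)]
    if sep_keys:
        return sep_keys
    if zone_keys:
        log.warning("no trust anchor carries the SEP bit; using %d ZSK(s) "
                    "as RFC 5011 trust anchors", len(zone_keys))
    return zone_keys


# Constructed samples: a KSK (257 = ZONE_KEY|SEP), a ZSK (256 = ZONE_KEY)
KSK = parse_dnskey("257 3 8 PLACEHOLDERKSKBASE64==")
ZSK = parse_dnskey("256 3 8 PLACEHOLDERZSKBASE64==")
```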