Matthijs Mekking authored
Migrating from 'auto-dnssec maintain;' to dnssec-policy did not work properly, mainly because the legacy keys were initialized badly. Several adjustments in the keymgr are required to get it right:

- Set published time on keys when we calculate prepublication time. This is not strictly necessary, but it is weird to have an active key without the published time set.

- Initialize key states also before matching keys. Determine the target state by looking at existing time metadata: If the time data is set and is in the past, it is a hint that the key and its corresponding records have been published in the zone already, and the state is initialized to RUMOURED. Otherwise, initialize it as HIDDEN. This fixes migration to dnssec-policy from existing keys.

- Initialize key goal on keys that match key policy to OMNIPRESENT. These may be existing legacy keys that are being migrated.

- A key that has its goal to OMNIPRESENT *or* an active key can match a kasp key. The code was changed with CHANGE 5354 that was a bugfix to prevent creating new KSK keys for zones in the initial stage of signing. However, this caused problems for restarts when rollovers are in progress, because an outroducing key can still be an active key.

The test for this introduces a new KEY property 'legacy'. This is used to skip tests related to .state files.
68018991
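
The initialization and matching rules described in the commit message, as a simplified model added here for illustration; it is not BIND's keymgr code and not part of the commit. All type and function names are hypothetical, and the pairing of each time value with a record state, the definition of "active", and the omission of the other policy match criteria are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Simplified model, not BIND's keymgr code. All names are hypothetical. */
typedef enum { HIDDEN, RUMOURED, OMNIPRESENT } kstate;

typedef struct {
    time_t publish, activate, inactive, sync_publish; /* 0 = not set */
    bool ksk, zsk;
    kstate goal, dnskey, krrsig, zrrsig, ds;
} legacy_key;

/* Time set and not later than now: the record was probably in the zone. */
static kstate state_from_time(time_t when, time_t now) {
    return (when != 0 && when <= now) ? RUMOURED : HIDDEN;
}

/* Initialize states from time metadata before matching against policy.
 * Assumption: publish -> DNSKEY, activate -> RRSIGs, sync_publish -> DS. */
void key_init_states(legacy_key *k, time_t now) {
    k->goal = HIDDEN;
    k->dnskey = state_from_time(k->publish, now);
    k->zrrsig = k->zsk ? state_from_time(k->activate, now) : HIDDEN;
    k->krrsig = k->ksk ? state_from_time(k->activate, now) : HIDDEN;
    k->ds = k->ksk ? state_from_time(k->sync_publish, now) : HIDDEN;
}

/* Assumption: "active" means activated and not yet retired. */
bool key_is_active(const legacy_key *k, time_t now) {
    return k->activate != 0 && k->activate <= now &&
           (k->inactive == 0 || k->inactive > now);
}

/* Goal OMNIPRESENT *or* active can match (other criteria omitted). */
bool key_can_match(const legacy_key *k, time_t now) {
    return k->goal == OMNIPRESENT || key_is_active(k, now);
}

/* First run on a legacy key without state: init, match, then set goal. */
bool migrate_key(legacy_key *k, time_t now) {
    key_init_states(k, now);
    if (!key_can_match(k, now)) return false;
    k->goal = OMNIPRESENT;
    return true;
}

int main(void) {
    legacy_key k = { .publish = 900000, .activate = 900000, .zsk = true };
    bool ok = migrate_key(&k, 1000000); /* constructed sample times */
    printf("matched=%d dnskey=%d zrrsig=%d\n", ok, k.dnskey, k.zrrsig);
    return 0;
}
```

A key whose timing metadata lies in the future stays HIDDEN and does not match, so the model would generate a new key for it rather than adopt it.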