[master] Minor improvements to code handling managed keys

4812. [bug] Minor improvements to stability and consistency of code handling managed keys. [RT #46468]

[master] Minor improvements to code handling managed keys
4812. [bug] Minor improvements to stability and consistency of code handling managed keys. [RT #46468]
312c84c7 · Michał Kępień · b231ddc6 · 312c84c7 · 312c84c7 · 312c84c7
Commit 312c84c7 authored Nov 09, 2017 by Michał Kępień
--- a/CHANGES
+++ b/CHANGES
+4812.	[bug]		Minor improvements to stability and consistency of code
+			handling managed keys. [RT #46468]
+
 4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
 			macros.  Provide a alternative mechanism to turn
 			on the use of inline macros when building BIND.

--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -14455,10 +14455,10 @@ mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) {
 			else if (revoked)
 				snprintf(buf, sizeof(buf),
 					 "\n\ttrust revoked");
-			else if (kd.addhd < now)
+			else if (kd.addhd <= now)
 				snprintf(buf, sizeof(buf),
 					 "\n\ttrusted since: %s", tbuf);
-			else if (kd.addhd >= now)
+			else if (kd.addhd > now)
 				snprintf(buf, sizeof(buf),
 					 "\n\ttrust pending: %s", tbuf);
 			CHECK(putstr(text, buf));

--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -131,11 +131,6 @@ echo "I: check new trust anchor can be added ($n)"
 ret=0
 standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 mkeys_loadkeys_on 1
-# Less than a second may have passed since the last time ns2 received a
-# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
-# timestamp to prevent the refresh from not being initiated due to all
-# acceptance timers being equal to current timestamp.
-sleep 1
 mkeys_refresh_on 2
 mkeys_status_on 2 > rndc.out.$n 2>&1
 # there should be two keys listed now
@@ -337,12 +332,6 @@ n=`expr $n + 1`
 echo "I: check that standby key is now trusted ($n)"
 ret=0
 wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
-# Less than a second may have passed since the last time ns2 received a
-# ./DNSKEY response from ns1.  Ensure status is checked at a different
-# timestamp to prevent false negatives caused by the add hold-down time for the
-# standby key being equal to current time ("trust pending") instead of in the
-# past ("trusted since").
-sleep 1
 mkeys_status_on 2 > rndc.out.$n 2>&1
 # two keys listed
 count=`grep -c "keyid: " rndc.out.$n` 
@@ -423,13 +412,9 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

 n=`expr $n + 1`
-echo "I: wait 21 seconds for key add/remove holddowns to expire ($n)"
+echo "I: wait 20 seconds for key add/remove holddowns to expire ($n)"
 ret=0
-# Wait for "month" plus 1 second.  If we only wait for "month" and the previous
-# two tests fit into a single second, we will get a false negative caused by
-# the add hold-down time for the second standby key being equal to current time
-# ("trust pending") instead of in the past ("trusted since").
-sleep 21
+sleep 20
 mkeys_refresh_on 2
 mkeys_status_on 2 > rndc.out.$n 2>&1
 # two keys listed
@@ -526,18 +511,11 @@ $SETTIME -R none -D none -K ns1 $standby1 > /dev/null
 $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>&-
 cp -f ns1/root.db.signed ns1/root.db.tmp
 BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
-# We need to prevent two different races here:
-#
-# 1. Less than a second may have passed since ns1 was started.  If we call
-#    dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by
-#    the subsequent "rndc reload ." call on platforms which do not set the
-#    "nanoseconds" field of isc_time_t, due to zone load time being seemingly
-#    equal to master file modification time.
-#
-# 2. Less than a second may have passed since the last time ns2 received a
-#    ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
-#    timestamp to prevent the refresh from not being initiated due to all
-#    acceptance timers being equal to current timestamp.
+# Less than a second may have passed since ns1 was started.  If we call
+# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
+# subsequent "rndc reload ." call on platforms which do not set the
+# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
+# equal to master file modification time.
 sleep 1
 sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
 mkeys_reload_on 1

--- a/contrib/scripts/check5011.pl
+++ b/contrib/scripts/check5011.pl
@@ -43,7 +43,7 @@ sub printstatus ($) {
 	my $a = shift;
 	if ($a->{removehd} ne "19700101000000") {
 		printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
-	} elsif ($a->{addhd} lt $now) {
+	} elsif ($a->{addhd} le $now) {
 		printf " trusted\n";
 	} else {
 		printf " waiting for %s\n", ext8601 $a->{addhd};

--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9722,7 +9722,7 @@ zone_refreshkeys(dns_zone_t *zone) {
 			}

 			/* Acceptance timer expired? */
-			if (kd.addhd < now)
+			if (kd.addhd <= now)
 				timer = kd.addhd;

 			/* Or do we just need to refresh the keyset? */
@@ -9824,12 +9824,10 @@ zone_refreshkeys(dns_zone_t *zone) {
 		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
 		dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
 			     timebuf);
-
-		if (!fetching)
-			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
 	}

-	UNLOCK_ZONE(zone);
+	if (!fetching)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);

 	dns_diff_clear(&diff);
 	if (ver != NULL) {
@@ -9838,6 +9836,8 @@ zone_refreshkeys(dns_zone_t *zone) {
 	}
 	dns_db_detach(&db);

+	UNLOCK_ZONE(zone);
+
 	INSIST(ver == NULL);
 }