Commit 684a44b4 authored by Mark Andrews's avatar Mark Andrews

Merge branch 'marka-Psync-future' into 'master'

dnssec: do not publish CDS records when -Psync is in the future

See merge request !2925
parents ccf7bbab 0cd10c77
5348. [bug] dnssec-settime -Psync was not being honoured.
[GL !2893]
--- 9.15.8 released --- --- 9.15.8 released ---
5347. [bug] Fixed a bug that could cause an intermittent crash 5347. [bug] Fixed a bug that could cause an intermittent crash
......
...@@ -55,6 +55,9 @@ cksk4=`$REVOKE $cksk3` ...@@ -55,6 +55,9 @@ cksk4=`$REVOKE $cksk3`
echo_i "setting up sync key" echo_i "setting up sync key"
cksk5=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now $czone` cksk5=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now $czone`
echo_i "and future sync key"
cksk6=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now+1mo $czone`
echo_i "generating parent keys" echo_i "generating parent keys"
pzsk=`$KEYGEN -q -a rsasha1 $pzone` pzsk=`$KEYGEN -q -a rsasha1 $pzone`
pksk=`$KEYGEN -q -a rsasha1 -fk $pzone` pksk=`$KEYGEN -q -a rsasha1 -fk $pzone`
...@@ -348,6 +351,7 @@ awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed || ret=1 ...@@ -348,6 +351,7 @@ awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
# this also checks that the future sync record is not yet published
echo_i "checking sync record deletion" echo_i "checking sync record deletion"
ret=0 ret=0
$SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null $SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null
......
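Review bot: The added comment `# this also checks that the future sync record is not yet published` sits at the start of the "checking sync record deletion" step, but the visible lines do not say which assertion it relies on; the awk CDS check just above only proves that some CDS record exists, so the claim presumably rests on the deletion check (whose body is outside this hunk) expecting no CDS records at all once cksk5's sync record is removed. Naming that explicitly would spare the next reader the same search, e.g. `# the deletion check below also verifies that cksk6's future sync record is not yet published`. If that check asserts an exact CDS count rather than absence, the comment should say so instead.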
...@@ -648,6 +648,7 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) { ...@@ -648,6 +648,7 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
isc_stdtime_t when; isc_stdtime_t when;
dst_key_state_t state; dst_key_state_t state;
int major, minor; int major, minor;
bool publish;
/* /*
* Is this an old-style key? * Is this an old-style key?
...@@ -670,18 +671,16 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) { ...@@ -670,18 +671,16 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
} }
/* If no kasp state, check timings. */ /* If no kasp state, check timings. */
publish = false;
result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when); result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
if (result != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS && when < now) {
return (false); publish = true;
} }
result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when); result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
if (result != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS && when < now) {
return (true); publish = false;
}
if (when <= now) {
return (false);
} }
return (true); return (publish);
} }
/*%< /*%<
......
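Review bot: The boundary of the SYNCDELETE check changed from `when <= now` to `when < now` in the second hunk, so a key whose sync-delete time equals `now` is still published for that second, and the matching `when < now` on SYNCPUBLISH means a key set with `-Psync now` is not published until the next second; neither boundary change is mentioned in the commit message. If the previous inclusive semantics are intended, both comparisons should read `if (result == ISC_R_SUCCESS && when <= now) {`. The retained comment `/* If no kasp state, check timings. */` could also state the precedence the new code establishes, e.g. `/* No kasp state: publish once SYNCPUBLISH has passed, unless SYNCDELETE has passed as well. */`. syncpublish's body begins outside the first hunk, and the second hunk appears to end at its closing brace.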