keymgr: bug in Depends function
While working on the dnssec system test I noticed a bug in the keymgr code. The function keymgr_dep implements the Depends function, described as follows:
The Depends relation refers to types of rollovers in which a certain record type is going to be swapped. For example, with the ZSK Pre-Publish rollover method the signatures created by the successor key z are being propagated first, so that the zone signatures for x and z can be swapped (smooth rollover). In this case, we say that z is the successor of x for the ZRRSIG record type. Here, x is the predecessor key that is going to be withdrawn from the zone. The set Dep(x, T) is a separately administrated set of keys that have a dependency on x for record type T.
For example, with the ZSK Pre-Publish method, the ZRRSIG records of key x can be withdrawn if there is a succeeding ZRRSIG of key z introduced in the zone. Key x now depends on key z, therefore z will be in the set Dep(x, ZRRSIG). The successor relation requires that the predecessor key must not have any other keys relying on it. In other words, the set Dep(x, T) must be empty.
But if the key is phased out (all its states are in HIDDEN), there is no longer a dependency. Since the relationship is still maintained (Predecessor and Successor metadata), the keymgr_dep function still returned true. In other words, the set Dep(x, T) is not considered empty.
This slows down key rollovers, only retiring keys when the successor key has been fully propagated.
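The check described above, reduced to a small model as an added example (not BIND's keymgr code), showing the metadata-only result next to one that skips a phased-out key. The struct, the has_dep function and the two sample key rings are hypothetical, the record type T is left out, and the phased-out key is assumed to be the predecessor x.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Simplified model with hypothetical names; not BIND's data structures. */
enum state { HIDDEN, RUMOURED, OMNIPRESENT, UNRETENTIVE };
enum { DNSKEY, ZRRSIG, NUM_TYPES }; /* record types of a ZSK */
struct key {
	int id, predecessor, successor; /* ids from key metadata, 0 if none */
	enum state st[NUM_TYPES];
};

/* A key is phased out when all of its states are HIDDEN. */
static bool phased_out(const struct key *k) {
	for (int t = 0; t < NUM_TYPES; t++)
		if (k->st[t] != HIDDEN) return false;
	return true;
}

/* Is z still in Dep(x, T) for some key x in the ring? With skip_hidden false
 * the Predecessor/Successor metadata alone decides (the reported behaviour);
 * with skip_hidden true a phased-out predecessor x no longer counts. */
static bool has_dep(const struct key *z, const struct key *ring, size_t n, bool skip_hidden) {
	for (size_t i = 0; i < n; i++) {
		const struct key *x = &ring[i];
		if (x == z || x->successor != z->id || z->predecessor != x->id)
			continue; /* no Predecessor/Successor link between x and z */
		if (skip_hidden && phased_out(x))
			continue; /* link recorded, but x is already out of the zone */
		return true;
	}
	return false;
}

/* Constructed sample rings: ZSK x (id 1) is succeeded by ZSK z (id 2). */
static const struct key ring_done[] = {    /* x fully withdrawn */
	{ 1, 0, 2, { HIDDEN, HIDDEN } },
	{ 2, 1, 0, { OMNIPRESENT, OMNIPRESENT } },
};
static const struct key ring_rolling[] = { /* signatures being swapped */
	{ 1, 0, 2, { OMNIPRESENT, UNRETENTIVE } },
	{ 2, 1, 0, { OMNIPRESENT, RUMOURED } },
};

int main(void) {
	printf("phased out: %d -> %d, rolling: %d -> %d\n",
	       has_dep(&ring_done[1], ring_done, 2, false), has_dep(&ring_done[1], ring_done, 2, true),
	       has_dep(&ring_rolling[1], ring_rolling, 2, false), has_dep(&ring_rolling[1], ring_rolling, 2, true));
	return 0;
}
```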