# keymgr: bug in Depends function

While working on the `dnssec` system test I noticed a bug in the `keymgr` code. The function `keymgr_dep` implements the `Depends` function, described as follows:

The `Depends` relation refers to types of rollovers in which a certain record type is going to be swapped. For example, with the ZSK Pre-Publish rollover method the signatures created by the successor key `z` are being propagated first, so that the zone signatures for `x` and `z` can be swapped (smooth rollover). In this case, we say that `z` is the successor of `x` for the `ZRRSIG` record type. Here, `x` is the predecessor key that is going to be withdrawn from the zone. The set `Dep(x, T)` is a separately administrated set of keys that have a dependency on `x` for record type `T`.

For example, with the ZSK Pre-Publish method, the `ZRRSIG` records of key `x` can be withdrawn if there is a succeeding `ZRRSIG` of key `z` introduced in the zone. Key `x` now depends on key `z`, therefore `z` will be in the set `Dep(x, ZRRSIG)`. The successor relation requires that the predecessor key must not have any other keys relying on it. In other words, the set `Dep(x, T)` must be empty.

But if the key is phased out (all its states are in `HIDDEN`), there is no longer a dependency. Since the relationship is still maintained (`Predecessor` and `Successor` metadata), the `keymgr_dep` function still returned `true`. In other words, the set `Dep(x, T)` is not considered empty.

This slows down key rollovers, only retiring keys when the successor key has been fully propagated.
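
The difference between a metadata-only dependency check and one that also looks at key states, as an added example: this is a simplified model, not BIND's `keymgr_dep` code. All type, function and variable names are hypothetical, the key ring is constructed sample data, and it assumes the phased-out key is the predecessor `x`.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model for illustration; every name here is hypothetical. */
typedef enum { HIDDEN, RUMOURED, OMNIPRESENT, UNRETENTIVE } kstate_t;
enum { T_DNSKEY, T_ZRRSIG, NUM_TYPES };

typedef struct {
    unsigned id, predecessor, successor; /* 0 means "no such relation" */
    kstate_t state[NUM_TYPES];
} mkey_t;

/* Constructed sample: x (1) is fully hidden and succeeded by z (2);
 * y (3) is still being withdrawn and succeeded by w (4). */
static const mkey_t ring[] = {
    { 1, 0, 2, { HIDDEN, HIDDEN } },
    { 2, 1, 0, { OMNIPRESENT, OMNIPRESENT } },
    { 3, 0, 4, { OMNIPRESENT, UNRETENTIVE } },
    { 4, 3, 0, { OMNIPRESENT, OMNIPRESENT } },
};
#define RING_LEN (sizeof(ring) / sizeof(ring[0]))

/* A key is phased out when every one of its states is HIDDEN. */
static bool all_hidden(const mkey_t *k) {
    for (int t = 0; t < NUM_TYPES; t++)
        if (k->state[t] != HIDDEN) return false;
    return true;
}

/* True if some key x in the ring records z as its successor, i.e. z is in
 * Dep(x, T). With skip_hidden set, a phased-out x no longer counts. */
static bool has_dependency(const mkey_t *z, bool skip_hidden) {
    for (size_t i = 0; i < RING_LEN; i++) {
        const mkey_t *x = &ring[i];
        if (x->successor != z->id || z->predecessor != x->id) continue;
        if (skip_hidden && all_hidden(x)) continue; /* state-aware check */
        return true;
    }
    return false;
}

int main(void) {
    /* z: the metadata-only check still reports a dependency on hidden x;
     * the state-aware check does not. w still depends on the live y. */
    bool ok = has_dependency(&ring[1], false) && !has_dependency(&ring[1], true)
              && has_dependency(&ring[3], true);
    return ok ? 0 : 1;
}
```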