• dnssec: do not publish CDS records when -Psync is in the future · 4227b796
    Tony Finch authored
    This is a bug I encountered when trying to schedule an algorithm
    rollover. My plan, for a zone whose maximum TTL is 48h, was to sign
    with the new algorithm and schedule a change of CDS records for more
    than 48 hours in the future, roughly like this:
    
        $ dnssec-keygen -a 13 -fk -Psync now+50h $zone
        $ dnssec-keygen -a 13 $zone
        $ dnssec-settime -Dsync now+50h $zone_ksk_old
    
    However the algorithm 13 CDS was published immediately, which could
    have made the zone bogus.
    
    To reveal the bug using the `smartsign` test, this change just adds a
    KSK with all its times in the future, so it should not affect the
    existing checks at all. But the final check (that there are no CDS or
    CDNSKEY records after -Dsync) fails with the old `syncpublish()`
    logic, because the future key's sync records appear early. With the
    new `syncpublish()` logic the future key does not affect the test, as
    expected, and it now passes.
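An operator-side audit for the condition this commit message describes, as an added example that is not code from BIND or from the commit: it flags a CDS that is visible in the zone before the key's -Psync time, or before the key's algorithm has been signing for the zone's maximum TTL. The key records, tags, old algorithm number, dates and the `cds_in_zone` field (assumed to come from querying the zone) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

H = timedelta(hours=1)

def cds_due(now, psync, dsync):
    """Intended rule: sync records exist only from -Psync until -Dsync."""
    if psync is None or now < psync:
        return False
    return dsync is None or now < dsync

def audit_cds(keys, now, max_ttl):
    """Return (tag, reason) for every CDS seen in the zone that should not be there."""
    findings = []
    for k in keys:
        if not k["cds_in_zone"]:
            continue
        if not cds_due(now, k["psync"], k["dsync"]):
            findings.append((k["tag"], "published outside -Psync/-Dsync window"))
        elif now - k["signing_since"] < max_ttl:
            # Caches may still hold RRsets without this algorithm's signatures.
            findings.append((k["tag"], "algorithm signing for less than max TTL"))
    return findings

# Constructed sample data: tags, dates and the old algorithm are made up.
T0 = datetime(2030, 1, 1, tzinfo=timezone.utc)   # moment the new keys are created
MAX_TTL = 48 * H                                 # maximum TTL from the commit message

def sample_keys(new_cds_seen, old_cds_seen):
    """New algorithm 13 KSK with -Psync now+50h, old KSK with -Dsync now+50h."""
    return [
        {"tag": 11111, "alg": 13, "signing_since": T0,
         "psync": T0 + 50 * H, "dsync": None, "cds_in_zone": new_cds_seen},
        {"tag": 22222, "alg": 8, "signing_since": T0 - timedelta(days=365),
         "psync": T0 - timedelta(days=365), "dsync": T0 + 50 * H,
         "cds_in_zone": old_cds_seen},
    ]

if __name__ == "__main__":
    # Symptom described above: the new CDS is visible right after key creation.
    print(audit_cds(sample_keys(True, True), T0 + 1 * H, MAX_TTL))
    # Intended state after the scheduled switch at +50h: no findings.
    print(audit_cds(sample_keys(True, False), T0 + 51 * H, MAX_TTL))
```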
Name
.gitlab/issue_templates
bin
cocci
conftools/perllib/dnsconf
contrib
doc
docutil
fuzz
lib
m4
make
unit
util
win32utils
.dir-locals.el
.gitattributes
.gitignore
.gitlab-ci.yml
.uncrustify.cfg
CHANGES
CODE_OF_CONDUCT
CODE_OF_CONDUCT.md
CONTRIBUTING
CONTRIBUTING.md
COPYRIGHT
HISTORY
HISTORY.md
Kyuafile
LICENSE
Makefile.in
OPTIONS
OPTIONS.md
PLATFORMS
PLATFORMS.md
README
README.md
aclocal.m4
autogen.sh
bind.keys
bind.keys.h
config.guess
config.h.in
config.h.win32
config.sub
config.threads.in
configure
configure.ac
install-sh
ltmain.sh
mkinstalldirs
version