[35063] Don't publish an activated key automatically before its publish time

CHANGES

@@ -1,3 +1,6 @@
+3871.	[bug]		Don't publish an activated key automatically before
+			its publish time. [RT #35063]
+
 3870.	[func]		Updated the random number generator used in
 			the resolver to use the updated ChaCha based one
 			(similar to OpenBSD's changes). Also moved the

bin/tests/system/autosign/clean.sh

@@ -16,6 +16,7 @@
 
 rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f active.key inact.key del.key unpub.key standby.key rev.key
+rm -f activate-now-publish-1day.key
 rm -f nopriv.key vanishing.key del1.key del2.key
 rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
 rm -f missingzsk.key inactivezsk.key

bin/tests/system/autosign/ns1/keygen.sh

@@ -31,6 +31,7 @@ zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
 zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
 zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
 zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
+zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone`
 zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
 rm $zsknopriv.private
 
@@ -68,4 +69,5 @@ echo $zskinact > ../inact.key
 echo $zskunpub > ../unpub.key
 echo $zsknopriv > ../nopriv.key
 echo $zsksby > ../standby.key
+echo $zskactnowpub1d > ../activate-now-publish-1day.key
 $REVOKE -R $kskrev > ../rev.key

bin/tests/system/autosign/tests.sh

@@ -772,6 +772,15 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking for activated but unpublished key ($n)"
+ret=0
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking that standby key does not sign records ($n)"
 ret=0
 id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`

lib/dns/dnssec.c

@@ -1251,7 +1251,10 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
 	/* Metadata says activate (so we must also publish) */
 	if (actset && active <= now) {
 		key->hint_sign = ISC_TRUE;
-		key->hint_publish = ISC_TRUE;
+
+		/* Only publish if publish time has already passed. */
+		if (pubset && publish <= now)
+			key->hint_publish = ISC_TRUE;
 	}
 
 	/*