From aecf92dcf01d578918fae0ecd416de7cc34ec24a Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 25 Feb 2025 08:40:33 +0100
Subject: [PATCH] Fix a small keymgr bug

While converting the kasp system test to pytest, I encountered a small bug in the keymgr code. We retire keys when there is more than one key matching a 'keys' line from the dnssec-policy. But if there are multiple identical 'keys' lines, as is the case for the test zone 'checkds-doubleksk.kasp', we retire one of the two keys that have the same properties. Fix this by checking if there are double matches. This is not fool proof because there may be many keys for a few identical 'keys' lines, but it is good enough for now. In practice it makes no sense to have a policy that dictates multiple keys with identical properties.
---
 lib/dns/keymgr.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index bae21437bd..6b56d5da8f 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -2022,6 +2022,20 @@ keymgr_purge_keyfile(dst_key_t *key, int type) {
 }
 }
 
+static bool
+dst_key_doublematch(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
+ int matches = 0;
+
+ for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+ kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
+ {
+ if (dns_kasp_key_match(kkey, key)) {
+ matches++;
+ }
+ }
+ return matches > 1;
+}
+
 /*
 * Examine 'keys' and match 'kasp' policy.
 *
@@ -2161,6 +2175,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 * matches the kasp policy.
 */
 if (!dst_key_is_unused(dkey->key) &&
+ !dst_key_doublematch(dkey, kasp) &&
 (dst_key_goal(dkey->key) == OMNIPRESENT) &&
 !keymgr_dep(dkey->key, keyring,
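Review bot: The new helper `dst_key_doublematch` carries the `dst_key_` prefix of the dst module although it is a file-static keymgr helper operating on a `dns_dnsseckey_t`; the neighbouring `keymgr_purge_keyfile` and `keymgr_dep` use the `keymgr_` prefix, so `keymgr_key_doublematch` would follow the file's convention and not suggest it lives in dst_api. The function also has no comment, while the limitation stated in the commit message (it counts matching policy lines rather than surplus keys, so a key matching two identical 'keys' lines is presumably never retired by this branch however many such keys exist) is exactly what a later reader needs; a block comment such as `/* Return true if 'key' matches more than one 'keys' line in 'kasp'. Such keys are never retired as surplus, even when more keys than lines exist. */` above the definition would capture it. The call site in dns_keymgr_run is in the second hunk, which is cut off at the end of this page.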