Commit ec953433 authored by Libor Peltan's avatar Libor Peltan

bugfix: CSK->KZSK rollover retires CSK early

parent ce76dcd7
......@@ -472,7 +472,7 @@ static int exec_new_signatures(kdnssec_ctx_t *ctx, knot_kasp_key_t *newkey)
knot_kasp_key_t *key = &ctx->zone->keys[i];
key_state_t keystate = get_key_state(key, ctx->now);
uint8_t keyalg = dnssec_key_get_algorithm(key->key);
if (((newkey->is_ksk && key->is_ksk) || (newkey->is_zsk && key->is_zsk))
if (((newkey->is_ksk && key->is_ksk) || (newkey->is_zsk && key->is_zsk && !key->is_ksk))
&& keystate == DNSSEC_KEY_STATE_ACTIVE) {
if (key->is_ksk || keyalg != dnssec_key_get_algorithm(newkey->key)) {
key->timing.retire_active = ctx->now;
......
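Review bot: The added `!key->is_ksk` in the second clause of the condition has no comment, and the reason for it is easy to lose: an active CSK has both is_ksk and is_zsk set, so a new ZSK matched it and the inner `key->is_ksk ||` test then set `retire_active` at once. A comment above the condition, such as `/* a CSK is both KSK and ZSK: retire it only when a new KSK takes over, never for a new ZSK alone */`, would stop a later cleanup from simplifying the check away. The first clause still matches an old CSK when newkey is a KSK-only key, so it is worth confirming that the replacement ZSK is already active at that point. If it is not, the zone could be left without valid ZSK signatures and resolvers would treat it as bogus. The loop and the body of exec_new_signatures start and end outside this hunk.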
......@@ -142,6 +142,7 @@ def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, des
server.gen_confile()
server.reload()
t.sleep(server.dnssec(zone).propagation_delay + 1) # check that Knot does wait for the submittion to succeed
submission_cb()
t.sleep(4)
if before_keys < 2 or after_keys > 1:
......
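Review bot: The comment on the `t.sleep(server.dnssec(zone).propagation_delay + 1)` line says the test checks that Knot waits for the submission, but nothing between that sleep and `submission_cb()` inspects the zone's keys, so the sleep by itself verifies nothing. If the intent is to catch a key being retired before submission, a key-state check should sit between the sleep and `submission_cb()`, using whatever key-counting helper the rest of watch_ksk_rollover already relies on (not visible here). The fixed `t.sleep(4)` that follows is also timing-sensitive and may behave differently on a slow runner. The comment has a typo, `submittion` for `submission`. The function continues outside the hunk, so an existing check may already cover this further down.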