From 5ed673c0d2b076dc96b8208c2d09ea8fdf4e514f Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 4 Dec 2017 10:03:51 +1100
Subject: [PATCH] 4837. [bug] dns_update_signatures{inc} (add_sigs) was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true (default) leaving records unsigned. [RT #46743]
(cherry picked from commit 196e01da5fed56b219b7a86b5549450ce05249a7)
(cherry picked from commit bf459d24a117ae2c54c37016430b41cd6d73491c)
(cherry picked from commit 5623f65cc4fb4baf74a55c9c5fde114193794059)
---
CHANGES | 5 +++++
bin/tests/system/inline/clean.sh | 6 +++++
bin/tests/system/inline/ns1/root.db.in | 3 +++
bin/tests/system/inline/ns2/named.conf | 6 +++++
bin/tests/system/inline/ns3/named.conf | 8 +++++++
bin/tests/system/inline/ns3/sign.sh | 9 ++++++++
bin/tests/system/inline/setup.sh | 1 +
bin/tests/system/inline/tests.sh | 31 ++++++++++++++++++++++++++
lib/dns/update.c | 6 +++++
9 files changed, 75 insertions(+)
diff --git a/CHANGES b/CHANGES
index eb4940709d..0dbdd34631 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4837. [bug] dns_update_signatures{inc} (add_sigs) was not
+ properly determining if there were active KSK and
+ ZSK keys for a algorithm when update-check-ksk is
+ true (default) leaving records unsigned. [RT #46743]
+
 4836. [bug] Zones created using "rndc addzone" could temporarily fail to inherit an "allow-transfer" ACL that had been configured in the options
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
index 7f526d5383..f55f3c5ef1 100644
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@@ -23,6 +23,8 @@ rm -f ns1/root.db.signed
 rm -f ns2/bits.db
 rm -f ns2/bits.db.jnl
 rm -f ns1/signer.out
+rm -f ns2/inactivezsk.db
+rm -f ns2/inactivezsk.db.jnl
 rm -f ns2/retransfer.db
 rm -f ns2/retransfer.db.jnl
 rm -f ns2/retransfer3.db
@@ -52,6 +54,10 @@ rm -f ns3/expired.db
 rm -f ns3/expired.db.jnl
 rm -f ns3/expired.db.signed
 rm -f ns3/expired.db.signed.jnl
+rm -f ns3/inactivezsk.bk
+rm -f ns3/inactivezsk.bk.jnl
+rm -f ns3/inactivezsk.bk.signed
+rm -f ns3/inactivezsk.bk.signed.jnl
 rm -f ns3/nsec3.db
 rm -f ns3/nsec3.db.jnl
 rm -f ns3/nsec3.db.signed
diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in
index e319b37eb0..1ef90a3ca0 100644
--- a/bin/tests/system/inline/ns1/root.db.in
+++ b/bin/tests/system/inline/ns1/root.db.in
@@ -56,3 +56,6 @@ ns3.externalkey. A 10.53.0.3
 retransfer3. NS ns3.retransfer.
 ns3.retransfer3. A 10.53.0.3
+
+inactivezsk. NS ns3.inactivezsk.
+ns3.inactivezsk. A 10.53.0.3
diff --git a/bin/tests/system/inline/ns2/named.conf b/bin/tests/system/inline/ns2/named.conf
index a49dd00803..be88a501e2 100644
--- a/bin/tests/system/inline/ns2/named.conf
+++ b/bin/tests/system/inline/ns2/named.conf
@@ -61,3 +61,9 @@ zone "nsec3-loop" {
 file "nsec3-loop.db";
 notify no;
 };
+
+zone "inactivezsk" {
+ type master;
+ file "inactivezsk.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns3/named.conf b/bin/tests/system/inline/ns3/named.conf
index 95dbe38394..8fcbac2bba 100644
--- a/bin/tests/system/inline/ns3/named.conf
+++ b/bin/tests/system/inline/ns3/named.conf
@@ -120,3 +120,11 @@ zone "retransfer3" {
 auto-dnssec maintain;
 file "retransfer3.bk";
 };
+
+zone "inactivezsk" {
+ type slave;
+ masters { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "inactivezsk.bk";
+};
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index d51d288a96..5ae0cb837b 100755
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -83,6 +83,15 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+zone=inactivezsk
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
 for s in a c d h k l m q z
 do
 zone=test-$s
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index 227f89902a..e7de6fb0b9 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -24,6 +24,7 @@ rm -f ns1/root.db.signed
 touch ns2/trusted.conf
 cp ns2/bits.db.in ns2/bits.db
+cp ns2/bits.db.in ns2/inactivezsk.db
 cp ns2/bits.db.in ns2/retransfer.db
 cp ns2/bits.db.in ns2/retransfer3.db
 rm -f ns2/bits.db.jnl
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 92a8da5525..15fbf7584c 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
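Review bot: Only the RSASHA256 KSK's DS record reaches ../ns1/root.db, because `keyname` is overwritten by each $KEYGEN call and `$DSFROMKEY -T 1200 $keyname` runs once, after the last one; the NSEC3RSASHA1 KSK generated two lines earlier never gets a DS. The other zones visible in this file create a single KSK and publish its DS, so the omission here is easy to miss, and it would matter as soon as anything validates the inactivezsk delegation. Either run $DSFROMKEY right after the NSEC3RSASHA1 KSK is generated as well, or keep that key in its own variable, e.g. `ksk7=` on the NSEC3RSASHA1 KSK line and `$DSFROMKEY -T 1200 $ksk7 >> ../ns1/root.db` next to the existing $DSFROMKEY line.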
@@ -940,5 +940,36 @@ $IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:testing checking that inline signing works with inactive KSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1
+soa1=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n`
+
+$NSUPDATE << EOF
+server 10.53.0.2 5300
+update add added.inactivezsk 0 IN TXT added record
+send
+EOF
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
+ soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
+ test ${soa1:-0} -ne ${soa2:-0} && break
+ sleep 1
+done
+test ${soa1:-0} -ne ${soa2:-0} || ret=1
+
+$DIG $DIGOPTS @10.53.0.3 -p 5300 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT 7 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 64516a6a31..2c266f816c 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1112,6 +1112,8 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 if (!dst_key_isprivate(keys[i]))
 continue;
+ if (dst_key_inactive(keys[i])) /* Should be redundant. */
+ continue;
 if (check_ksk && !REVOKE(keys[i])) {
 isc_boolean_t have_ksk, have_nonksk;
@@ -1125,6 +1127,10 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 for (j = 0; j < nkeys; j++) {
 if (j == i || ALG(keys[i]) != ALG(keys[j]))
 continue;
+ if (!dst_key_isprivate(keys[j]))
+ continue;
+ if (dst_key_inactive(keys[j])) /* SBR */
+ continue;
 if (REVOKE(keys[j]))
 continue;
 if (KSK(keys[j]))
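Review bot: The description on the new echo line says "inactive KSK", but the key that sign.sh leaves inactive (`-P now -A now+3600`, generated without `-f KSK`) is the NSEC3RSASHA1 ZSK, and the zone is named inactivezsk; "testing checking" is also doubled. Suggest `echo "I:testing that inline signing works with an inactive ZSK ($n)"`. The nsupdate heredoc's exit status is never folded into ret, so a rejected update only shows up indirectly as the SOA-serial poll timing out; appending `|| ret=1` to the `$NSUPDATE << EOF` line, as the $DIG calls already do, makes the failure point explicit. The RRSIG checks then cover both algorithms in the zone (`TXT 7 2` for NSEC3RSASHA1 and `TXT 8 2` for RSASHA256), which is what demonstrates that the inactive ZSK no longer suppresses signing.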
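Review bot: The comment `/* Should be redundant. */` on the new dst_key_inactive(keys[i]) check does not say what makes it redundant, and the matching `/* SBR */` on the keys[j] check in the second update.c hunk is an abbreviation a reader cannot expand without first seeing this one. Presumably the key array handed to add_sigs has already had inactive keys filtered out by the caller; if that is the intent, state it once in plain words, e.g. `/* Inactive keys are expected to be filtered out by the caller; guard anyway. */`, and use the same wording on the keys[j] check instead of `SBR`. add_sigs begins and ends outside the hunk.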
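Review bot: Skipping keys[j] that are not private changes what `have_ksk` and `have_nonksk` mean: a KSK present only as a public key (for example one whose private half is held elsewhere) no longer counts, so under update-check-ksk a ZSK of that algorithm will now sign every RRset of the zone, DNSKEY included, instead of only the non-DNSKEY data. That looks like the intended outcome of the RT #46743 fix, and it appears to bring this loop in line with the equivalent one in zone.c, but it is a behavioural change for zones with an offline KSK and deserves a sentence either in the CHANGES entry or at the top of the loop, e.g. `/* Only private, active, unrevoked keys count when deciding whether both a KSK and a ZSK exist for this algorithm. */`. The for loop and add_sigs continue past the end of the hunk.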