cb8a958 DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP

1 file Authored by pspacek 8 years ago, Committed by mbasti 8 years ago,
    DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
    
    Previously we published timestamps of planned state changes in LDAP.
    This led to situations where state transition in OpenDNSSEC was blocked
    by an additional condition (or unavailability of OpenDNSSEC) but BIND
    actually did the transition as planned.
    
    Additionally key state mapping was incorrect for KSK so sometimes KSK
    was not used for signing when it should.
    
    Example (for code without this fix):
    - Add a zone and let OpenDNSSEC to generate keys.
    - Wait until keys are in state "published" and next state is "inactive".
    - Shutdown OpenDNSSEC or break replication from DNSSEC key master.
    - See that keys on DNS replicas will transition to state "inactive" even
      though it should not happen because OpenDNSSEC is not available
      (i.e. new keys may not be available).
    - End result is that affected zone will not be signed anymore, even
      though it should stay signed with the old keys.
    
    https://fedorahosted.org/freeipa/ticket/5348
    
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    
        
file modified
+95 -10