From 668eab446808dc40e6746825a2e8205a3c738528 Mon Sep 17 00:00:00 2001
From: Libor Peltan <libor.peltan@nic.cz>
Date: Mon, 2 Dec 2024 14:30:40 +0100
Subject: [PATCH] dnssec/rollovers: prevent increasing confusion when 2 active
 ZSKs

---
 src/knot/dnssec/key-events.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/knot/dnssec/key-events.c b/src/knot/dnssec/key-events.c
index bf32d82c6f..ee54df17e9 100644
--- a/src/knot/dnssec/key-events.c
+++ b/src/knot/dnssec/key-events.c
@@ -244,7 +244,7 @@ static int generate_ksk(kdnssec_ctx_t *ctx, knot_time_t when_active, bool pre_ac
 static bool running_rollover(const kdnssec_ctx_t *ctx)
 {
 	bool res = false;
-	bool ready_ksk = false, active_ksk = false;
+	int ready_ksk = 0, active_ksk = 0, active_zsk = 0;
 
 	for (size_t i = 0; i < ctx->zone->num_keys; i++) {
 		knot_kasp_key_t *key = &ctx->zone->keys[i];
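Review bot: `ready_ksk`, `active_ksk` and `active_zsk` are now counters but are still named like flags, and they are declared `int` although they are only ever incremented. Declaring them as `unsigned ready_ksk = 0, active_ksk = 0, active_zsk = 0;` with a short comment such as `/* number of keys seen per role and state */` would make the later `> 1` comparisons read naturally. The loop body continues outside this hunk.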
@@ -259,10 +259,11 @@ static bool running_rollover(const kdnssec_ctx_t *ctx)
 			res = true;
 			break;
 		case DNSSEC_KEY_STATE_READY:
-			ready_ksk = (ready_ksk || key->is_ksk);
+			ready_ksk += (key->is_ksk ? 1 : 0);
 			break;
 		case DNSSEC_KEY_STATE_ACTIVE:
-			active_ksk = (active_ksk || key->is_ksk);
+			active_ksk += (key->is_ksk ? 1 : 0);
+			active_zsk += (key->is_zsk ? 1 : 0);
 			break;
 		case DNSSEC_KEY_STATE_RETIRE_ACTIVE:
 		case DNSSEC_KEY_STATE_POST_ACTIVE:
@@ -274,7 +275,7 @@ static bool running_rollover(const kdnssec_ctx_t *ctx)
 			break;
 		}
 	}
-	if (ready_ksk && active_ksk) {
+	if (ready_ksk + active_ksk > 1 || active_zsk > 1) {
 		res = true;
 	}
 	return res;
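Review bot: The new test `if (ready_ksk + active_ksk > 1 || active_zsk > 1)` also reports a running rollover for two active KSKs with no ready key, which the old `ready_ksk && active_ksk` did not, while the commit subject mentions only ZSKs. The callers are outside the hunk, so this is inferred, but if they use the result to hold back new rollovers, a zone left with duplicate active keys would stop rolling silently. That could happen after a manual import or a retirement step that never completed, and keys would then stay in service past their intended lifetime. I would add a comment above the test, for example `/* More than one READY/ACTIVE key of a kind means a rollover has not finished; do not start another. */`, and consider logging when this branch rather than a transitional key state sets `res`. The function's closing brace lies outside the hunk.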
-- 
GitLab