diff --git a/src/dnssec/lib/event/action/zsk_rollover.c b/src/dnssec/lib/event/action/zsk_rollover.c
index 5db4348dd9f00d4935af57caf8d9d6ef79ec672f..598e29f2c95e005b536a8e8b56bb5dabd740955b 100644
--- a/src/dnssec/lib/event/action/zsk_rollover.c
+++ b/src/dnssec/lib/event/action/zsk_rollover.c
@@ -217,6 +217,11 @@ static int exec_remove_old_key(dnssec_event_ctx_t *ctx)
 	if (dnssec_keyusage_is_used(keyusage, retired->id)) {
 		dnssec_keyusage_free(keyusage);
 		free(path);
+
+		dnssec_key_free(retired->key);
+		free(retired->id);
+		free(retired);
+
 		return dnssec_kasp_zone_save(ctx->kasp, ctx->zone);
 	}
 	dnssec_keyusage_free(keyusage);
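Review bot: The teardown of `retired` (`dnssec_key_free(retired->key); free(retired->id); free(retired);`) is now written out twice, once in this in-use early return and again before the final return in the next hunk, so any exit path added to exec_remove_old_key later can miss it again. A single cleanup label or a small static helper that takes `retired` would keep the ownership in one place. The code that detaches `retired` from the zone's key list is outside both hunks; the frees are only safe if it is already unlinked before `dnssec_kasp_zone_save()` walks the zone, which is worth confirming. In the next hunk the result of `dnssec_keystore_remove_key()` is still ignored, and with the in-memory object now freed a failed removal would presumably leave the retired private key on disk with nothing left referencing it, so that return value should at least be checked and logged.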
@@ -224,6 +229,10 @@ static int exec_remove_old_key(dnssec_event_ctx_t *ctx)
 
 	dnssec_keystore_remove_key(ctx->keystore, retired->id);
 
+	dnssec_key_free(retired->key);
+	free(retired->id);
+	free(retired);
+
 	return dnssec_kasp_zone_save(ctx->kasp, ctx->zone);
 }
 
diff --git a/tests-extra/tests/dnssec/keyusage/data/keys/keys/712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2.pem b/tests-extra/tests/dnssec/keyusage/data/keys/keys/712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2.pem
new file mode 100644
index 0000000000000000000000000000000000000000..c5876ae5bb5f72e075c236e0a4ad67288715ab15
--- /dev/null
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keys/712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2.pem
@@ -0,0 +1,10 @@
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAybrKa545nAsfsu9m
+RYuyTg0WmUquP2MIwHCCRFHBTX7x9oxuj78yXtCZghZjm+GSl698kMBwm0V/2JbG
+pApgDwIDAQABAkB1bfzDZNnYUkljmiSIu2dSNCBBn82LLJU9oMDUEFtcRk7gdyS2
+taDBh6eCZVUsGErDg4kCHIQdrFjD0MuouXIBAiEA6NqaRS0mkuHiO2J+4XTCRzMV
+w3Bu+K88BfqFIkDQKoECIQDdyCx66rvJ8YApy7Tt86hM/chNjFg+j4ZknxM3RF2i
+jwIgFmJNSjEY8C2+ra6+O7YZpvaGNQ9t24Ic5wY6HhzU5gECIQDRcLIguf/xa3E/
+BzKr7Agp/Rfls/25xsyBxX/eF1/dnQIhAI+z7XQNd/cZUD1TwdziKBuWBDcYp/qH
+DmKe/7Xh+MZJ
+-----END PRIVATE KEY-----
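Review bot: This fixture and the two other new `.pem` files in the same directory (`7a3500c7…` and `f3b8db9d…`) are unencrypted PKCS#8 private keys committed to the tree with nothing marking them as throwaway test material. From the encoding they appear to be 512-bit RSA keys, which is fine for a fast rollover test but must never be copied into a real zone. A short README next to them, for example `Test-only DNSSEC keys for the keyusage test; never use for a real zone.`, would let secret scanners allow-list the path deliberately and would tell a reader the exposure is intentional.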
diff --git a/tests-extra/tests/dnssec/keyusage/data/keys/keys/7a3500c7feac3fd99f09a208a83b97f7455fa3e0.pem b/tests-extra/tests/dnssec/keyusage/data/keys/keys/7a3500c7feac3fd99f09a208a83b97f7455fa3e0.pem
new file mode 100644
index 0000000000000000000000000000000000000000..76d5e2f63f6bfc0d2260672635fdbb164e68c21a
--- /dev/null
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keys/7a3500c7feac3fd99f09a208a83b97f7455fa3e0.pem
@@ -0,0 +1,10 @@
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAu9eosHX/Ag8J0r71
+lT9tzQeWbEZRAOZY8w+zC4hqTvtAZeE9SsB+ppoNM8bvdaxLVQNIIKKqOxsteOZY
+xMFicQIDAQABAkEAtXq84oeNsRqAXhjaQbB/T8gV31PsLNdfdq1jSTAprVVOmHSk
+CfKq30FOdIXnlLum2kypxejpdHGocI1rqZLzBQIhAOoPNuh/k3NeEau2VZt9dENN
+JL4ByVpMG2gMjiucHl57AiEAzXNc16CmvEfQ/i3JhEhbb1I8o7QGsOk9v8MP/DEz
+pQMCIF8EcCjwaX6DKK9JpPUrd8A+l/TeqswSa2nQ9wIzLYzzAiEAzBl4+DV+rrjh
+pEE0WpfPTe3yk+Z6ZzGuyFwt+ymd1qUCIBzE561e4uE5tyPB46ybM/029/GFa89z
+0D1ZBKVF7AWi
+-----END PRIVATE KEY-----
diff --git a/tests-extra/tests/dnssec/keyusage/data/keys/keys/f3b8db9d60fb412d0363dd0c0ac2ea72dc212777.pem b/tests-extra/tests/dnssec/keyusage/data/keys/keys/f3b8db9d60fb412d0363dd0c0ac2ea72dc212777.pem
new file mode 100644
index 0000000000000000000000000000000000000000..9dd9a5d61e2a4d80ecb394414150df7f615830e3
--- /dev/null
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keys/f3b8db9d60fb412d0363dd0c0ac2ea72dc212777.pem
@@ -0,0 +1,10 @@
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAoQok0evOsKK3EI3P
+JrUUyheN9zAQUYQtrVK8kUdgyqy+RoW2mSMG8aw5/bjbreU/+wg0O1xmps9ndn9U
+cz+PewIDAQABAkAyHD7y12acjjVawFXKXKSYchXp6hnZ08CG42zr5AMZbYLkhhN5
+9OWULkZ0dLrwOOw/ruhQSpOc9kjrWge2yLpZAiEA0gsSz0cU8A0xQ88aQbHOi3eZ
+EXvtoj0LecrbIy+ACI8CIQDERkhiroFvauc2rAMsfsVECmFjzyacpmYxts1KjKPI
+VQIhAMBICNkdzkoPGalkvzmip10/iC3cUGd0ELxW+xMT2dZ7AiEAqGnOLq6h7aKD
+JsxOJN3aEln92xCihwPY6It8d51Z48kCIGHjbq6UmCZUrhOSHm1Xm8m80XA662aR
+w+ZLnqtUjM4N
+-----END PRIVATE KEY-----
diff --git a/tests-extra/tests/dnssec/keyusage/data/keys/keyusage.json b/tests-extra/tests/dnssec/keyusage/data/keys/keyusage.json
new file mode 100644
index 0000000000000000000000000000000000000000..d7ba1b05561b035c4c751f71116366ffd712539a
--- /dev/null
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keyusage.json
@@ -0,0 +1,14 @@
+[
+  {
+    "key_id": "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777",
+    "zones": [
+      "example.com", "records"
+    ]
+  },
+  {
+    "key_id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
+    "zones": [
+      "example.com", "records"
+    ]
+  }
+]
diff --git a/tests-extra/tests/dnssec/keyusage/data/keys/zone_example.com.json b/tests-extra/tests/dnssec/keyusage/data/keys/zone_example.com.json
new file mode 100644
index 0000000000000000000000000000000000000000..b4877814d31fc5d7bb42f946e2c4abe1a82c485b
--- /dev/null
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/zone_example.com.json
@@ -0,0 +1,31 @@
+{
+  "keys": [
+    {
+      "id": "7a3500c7feac3fd99f09a208a83b97f7455fa3e0",
+      "keytag": 58041,
+      "algorithm": 7,
+      "public_key": "AwEAAbvXqLB1/wIPCdK+9ZU/bc0HlmxGUQDmWPMPswuIak77QGXhPUrAfqaaDTPG73WsS1UDSCCiqjsbLXjmWMTBYnE=",
+      "ksk": true,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777",
+      "keytag": 29654,
+      "algorithm": 7,
+      "public_key": "AwEAAaEKJNHrzrCitxCNzya1FMoXjfcwEFGELa1SvJFHYMqsvkaFtpkjBvGsOf24263lP/sINDtcZqbPZ3Z/VHM/j3s=",
+      "ksk": false,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
+      "keytag": 55574,
+      "algorithm": 7,
+      "public_key": "AwEAAcm6ymueOZwLH7LvZkWLsk4NFplKrj9jCMBwgkRRwU1+8faMbo+/Ml7QmYIWY5vhkpevfJDAcJtFf9iWxqQKYA8=",
+      "ksk": false,
+      "publish": "2040-01-01T00:00:00+0000",
+      "active": "2040-01-01T00:00:00+0000"
+    }
+  ]
+}
diff --git a/tests-extra/tests/dnssec/keyusage/data/keys/zone_records.json b/tests-extra/tests/dnssec/keyusage/data/keys/zone_records.json
new file mode 100644
index 0000000000000000000000000000000000000000..b4877814d31fc5d7bb42f946e2c4abe1a82c485b
--- /dev/null
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/zone_records.json
@@ -0,0 +1,31 @@
+{
+  "keys": [
+    {
+      "id": "7a3500c7feac3fd99f09a208a83b97f7455fa3e0",
+      "keytag": 58041,
+      "algorithm": 7,
+      "public_key": "AwEAAbvXqLB1/wIPCdK+9ZU/bc0HlmxGUQDmWPMPswuIak77QGXhPUrAfqaaDTPG73WsS1UDSCCiqjsbLXjmWMTBYnE=",
+      "ksk": true,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777",
+      "keytag": 29654,
+      "algorithm": 7,
+      "public_key": "AwEAAaEKJNHrzrCitxCNzya1FMoXjfcwEFGELa1SvJFHYMqsvkaFtpkjBvGsOf24263lP/sINDtcZqbPZ3Z/VHM/j3s=",
+      "ksk": false,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
+      "keytag": 55574,
+      "algorithm": 7,
+      "public_key": "AwEAAcm6ymueOZwLH7LvZkWLsk4NFplKrj9jCMBwgkRRwU1+8faMbo+/Ml7QmYIWY5vhkpevfJDAcJtFf9iWxqQKYA8=",
+      "ksk": false,
+      "publish": "2040-01-01T00:00:00+0000",
+      "active": "2040-01-01T00:00:00+0000"
+    }
+  ]
+}
diff --git a/tests-extra/tests/dnssec/keyusage/test.py b/tests-extra/tests/dnssec/keyusage/test.py
new file mode 100644
index 0000000000000000000000000000000000000000..47f72ebe360f030679b37139607c3cccc3c328c7
--- /dev/null
+++ b/tests-extra/tests/dnssec/keyusage/test.py
@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+
+'''Check if dnssec keys in use are protected from being removed automatically.'''
+
+import collections
+import os
+import shutil
+import datetime
+import time
+import subprocess
+
+from dnstest.utils import *
+from dnstest.keys import Keymgr
+from dnstest.test import Test
+
+def key_set(server, zone, key_id, **new_values):
+    cmd = ["zone", "key", "set", zone, key_id]
+    for option, value in new_values.items():
+        cmd += [option, value]
+    Keymgr.run_check(server.keydir, *cmd)
+
+t = Test()
+
+knot = t.server("knot")
+zone1 = t.zone("example.com.")
+zone2 = t.zone("records.")
+zones = zone1 + zone2;
+t.link(zones, knot)
+
+shutil.copytree(os.path.join(t.data_dir, "keys"), knot.keydir)
+
+# policy parameters
+key_ttl = 10
+zone1_delay = 0
+zone2_delay = 10
+# policy
+knot.dnssec(zone1).enable = True
+knot.dnssec(zone2).enable = True
+knot.dnssec(zone1).dnskey_ttl = key_ttl
+knot.dnssec(zone2).dnskey_ttl = key_ttl
+knot.dnssec(zone1).zsk_lifetime = 10
+knot.dnssec(zone2).zsk_lifetime = 10
+knot.dnssec(zone1).propagation_delay = zone1_delay
+knot.dnssec(zone2).propagation_delay = zone2_delay
+knot.dnssec(zone1).rrsig_lifetime = 10
+knot.dnssec(zone2).rrsig_lifetime = 10
+knot.dnssec(zone1).rrsig_refresh = 5
+knot.dnssec(zone2).rrsig_refresh = 5
+knot.dnssec(zone1).alg = "rsasha1-nsec3-sha1"
+knot.dnssec(zone2).alg = "rsasha1-nsec3-sha1"
+
+# parameters
+zonename1 = zone1[0].name
+zonename2 = zone2[0].name
+
+KSK = "7a3500c7feac3fd99f09a208a83b97f7455fa3e0"
+ACTIVE = "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777"
+PUBLISHED = "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2"
+
+time = str(round(time.time()) - 10)
+
+#ksk
+key_set(knot, zonename1, KSK, publish=time, active=time)
+key_set(knot, zonename2, KSK, publish=time, active=time)
+#zsk - active
+key_set(knot, zonename1, ACTIVE, publish=time, active=time)
+key_set(knot, zonename2, ACTIVE, publish=time, active=time)
+#zsk - published
+key_set(knot, zonename1, PUBLISHED, publish=time)
+key_set(knot, zonename2, PUBLISHED, publish=time)
+
+# time to rollover - dnskey_ttl + propagation delay
+zone1_time = key_ttl + zone1_delay
+zone2_time = key_ttl + zone2_delay - zone1_time
+
+t.start()
+t.sleep(zone1_time)
+# Key is used by ZONE2 - was key deleted?
+if not os.path.exists(os.path.join(knot.keydir, 'keys', ACTIVE + ".pem")):
+    set_err("MISSING KEY")
+    check_log("ERROR: Key in use deleted")
+
+if not os.path.exists(os.path.join(knot.keydir, 'keys', PUBLISHED + ".pem")):
+    set_err("NEXT KEY")
+    check_log("ERROR: Published key was deleted")
+
+t.sleep(zone2_time)
+# key is not used anymore - was key deleted?
+if os.path.exists(os.path.join(knot.keydir, 'keys', ACTIVE + ".pem")):
+    set_err("REDUNDANT KEY")
+    check_log("ERROR: Retired key was not deleted")
+
+if not os.path.exists(os.path.join(knot.keydir, 'keys', PUBLISHED + ".pem")):
+    set_err("NEXT KEY")
+    check_log("ERROR: Published key was deleted")
+
+t.end()
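Review bot: The first pair of checks after `t.sleep(zone1_time)` passes trivially if zone1's key-removal event has not run by then, so on a slow host the test can go green without ever exercising the in-use protection it is meant to cover. Before asserting that `ACTIVE + ".pem"` still exists, the test should first confirm that zone1 has actually retired and dropped the key (for instance from the zone's saved key state or its served DNSKEY set) rather than relying on the sleep alone. Separately, `time = str(round(time.time()) - 10)` rebinds the `time` module name to a string; `now = str(round(time.time()) - 10)` with the `key_set` calls updated avoids that. The `collections`, `datetime` and `subprocess` imports are unused, and `zones = zone1 + zone2;` carries a stray semicolon.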
diff --git a/tests-extra/tools/dnstest/server.py b/tests-extra/tools/dnstest/server.py
index 2d155ad43842f2a0fc91b46911d9290c4f8f50ce..980be14ce098ad3c6dcac7a49d7b006f51781ea2 100644
--- a/tests-extra/tools/dnstest/server.py
+++ b/tests-extra/tools/dnstest/server.py
@@ -41,12 +41,15 @@ class ZoneDnssec(object):
         self.alg = None
         self.ksk_size = None
         self.zsk_size = None
+        self.dnskey_ttl = None
+        self.zsk_lifetime = None
+        self.propagation_delay = None
+        self.rrsig_lifetime = None
+        self.rrsig_refresh = None
         self.nsec3 = None
         self.nsec3_iters = None
         self.nsec3_salt_lifetime = None
         self.nsec3_salt_len = None
-        self.rrsig_lifetime = None
-        self.rrsig_refresh = None
 
 class Zone(object):
     '''DNS zone description'''
@@ -1042,12 +1045,15 @@ class Knot(Server):
             self._str(s, "algorithm", z.dnssec.alg)
             self._str(s, "ksk_size", z.dnssec.ksk_size)
             self._str(s, "zsk_size", z.dnssec.zsk_size)
+            self._str(s, "dnskey-ttl", z.dnssec.dnskey_ttl)
+            self._str(s, "zsk-lifetime", z.dnssec.zsk_lifetime)
+            self._str(s, "propagation-delay", z.dnssec.propagation_delay)
+            self._str(s, "rrsig-lifetime", z.dnssec.rrsig_lifetime)
+            self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)
             self._bool(s, "nsec3", z.dnssec.nsec3)
             self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters)
             self._str(s, "nsec3-salt-lifetime", z.dnssec.nsec3_salt_lifetime)
             self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
-            self._str(s, "rrsig-lifetime", z.dnssec.rrsig_lifetime)
-            self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)
         s.end()
 
         s.begin("template")