Backport fix for manual DNSSEC key rolllovers.

Resolves: RHEL-12487
2026-01-26 15:42:28 +01:00 · 2026-01-26 15:42:28 +01:00 · 5f7955d31d
commit 5f7955d31d
parent 7b64b8a7d1
2 changed files with 104 additions and 2 deletions
--- a/bind-9.20-robust-key-rollovers.patch
+++ b/bind-9.20-robust-key-rollovers.patch
@ -0,0 +1,97 @@
+diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
+index 6c04682004..8eda1535a0 100644
+--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
+@@ -1154,19 +1154,18 @@ static bool
+ keymgr_transition_allowed(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+ 			  int type, dst_key_state_t next_state,
+ 			  bool secure_to_insecure) {
+	bool rule1a, rule1b, rule2a, rule2b, rule3a, rule3b;
+	rule1a = keymgr_have_ds(keyring, key, type, NA, secure_to_insecure);
+	rule1b = keymgr_have_ds(keyring, key, type, next_state, secure_to_insecure);
+	rule2a = keymgr_have_dnskey(keyring, key, type, NA);
+	rule2b = keymgr_have_dnskey(keyring, key, type, next_state);
+	rule3a = keymgr_have_rrsig(keyring, key, type, NA);
+	rule3b = keymgr_have_rrsig(keyring, key, type, next_state);
+
+ 	/* Debug logging. */
+ 	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+-		bool rule1a, rule1b, rule2a, rule2b, rule3a, rule3b;
+ 		char keystr[DST_KEY_FORMATSIZE];
+ 		dst_key_format(key->key, keystr, sizeof(keystr));
+-		rule1a = keymgr_have_ds(keyring, key, type, NA,
+-					secure_to_insecure);
+-		rule1b = keymgr_have_ds(keyring, key, type, next_state,
+-					secure_to_insecure);
+-		rule2a = keymgr_have_dnskey(keyring, key, type, NA);
+-		rule2b = keymgr_have_dnskey(keyring, key, type, next_state);
+-		rule3a = keymgr_have_rrsig(keyring, key, type, NA);
+-		rule3b = keymgr_have_rrsig(keyring, key, type, next_state);
+ 		isc_log_write(
+ 			dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC,
+ 			ISC_LOG_DEBUG(1),
+@@ -1179,30 +1178,40 @@ keymgr_transition_allowed(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+ 			rule3a ? "true" : "false", rule3b ? "true" : "false");
+ 	}
+ 
+-	return (
+-		/*
+-		 * Rule 1: There must be a DS at all times.
+-		 * First check the current situation: if the rule check fails,
+-		 * we allow the transition to attempt to move us out of the
+-		 * invalid state.  If the rule check passes, also check if
+-		 * the next state is also still a valid situation.
+-		 */
+-		(!keymgr_have_ds(keyring, key, type, NA, secure_to_insecure) ||
+-		 keymgr_have_ds(keyring, key, type, next_state,
+-				secure_to_insecure)) &&
+-		/*
+-		 * Rule 2: There must be a DNSKEY at all times.  Again, first
+-		 * check the current situation, then assess the next state.
+-		 */
+-		(!keymgr_have_dnskey(keyring, key, type, NA) ||
+-		 keymgr_have_dnskey(keyring, key, type, next_state)) &&
+-		/*
+-		 * Rule 3: There must be RRSIG records at all times. Again,
+-		 * first check the current situation, then assess the next
+-		 * state.
+-		 */
+-		(!keymgr_have_rrsig(keyring, key, type, NA) ||
+-		 keymgr_have_rrsig(keyring, key, type, next_state)));
+	/*
+	 * Rule checking:
+	 * First check the current situation: if the rule check fails,
+	 * we allow the transition to attempt to move us out of the
+	 * invalid state.  If the rule check passes, also check if
+	 * the next state is also still a valid situation.
+	 */
+	char keystr2[DST_KEY_FORMATSIZE];
+	dst_key_format(key->key, keystr2, sizeof(keystr2));
+
+	/*
+	 * Rule 1: There must be a DS at all times.
+	 */
+	if (!rule1a && !rule1b && next_state == UNRETENTIVE) {
+		return false;
+	}
+	/*
+	 * Rule 2: There must be a DNSKEY at all times.  Again, first
+	 * check the current situation, then assess the next state.
+	 */
+	if (!rule2a && !rule2b && next_state == UNRETENTIVE) {
+		return false;
+	}
+	/*
+	 * Rule 3: There must be RRSIG records at all times. Again,
+	 * first check the current situation, then assess the next
+	 * state.
+	 */
+	if (!rule3a && !rule3b && next_state == UNRETENTIVE) {
+		return false;
+	}
+
+	return (!rule1a || rule1b) && (!rule2a || rule2b) &&
+		   (!rule3a || rule3b);
+ }
+ 
+ /*
--- a/bind.spec
+++ b/bind.spec
@ -54,7 +54,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  40%{?dist}
+Release:  41%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -201,6 +201,8 @@ Patch224: bind-9.16-CVE-2025-40780.patch
 Patch225: bind-9.16-CVE-2025-40778.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7942
 Patch226: bind-9.16-properly-process-extra-nameserver-lines.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11329
+Patch227: bind-9.20-robust-key-rollovers.patch

 %{?systemd_ordering}
 # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
@ -1260,11 +1262,14 @@ fi;
 %endif

 %changelog
+* Thu Jan 29 2026 Fedor Vorobev <fvorobev@redhat.com> - 32:9.16.23-41
+- Backport fix for manual DNSSEC key rollovers. (RHEL-12487)
+
 * Wed Jan 28 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-40
 - Add forgotten _libdir/named into bind-chroot tmpfiles (RHEL-135629)

 * Thu Jan 22 2026 Fedor Vorobev <fvorobev@redhat.com> - 32:9.16.23-39
- Backport fix for nameserver line processing. (RHEL-79714) 
+- Backport fix for nameserver line processing. (RHEL-79714)

 * Fri Dec 12 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-38
 - Add sysusers named user creation (RHEL-132053)