From 70f9eb896e13c36d7957ac03e3844c425888abd7 Mon Sep 17 00:00:00 2001
From: Philip Homburg
Date: Thu, 2 Apr 2026 14:45:34 +0200
Subject: [PATCH 1/2] Introduces apex_remove and apex_records.
---
 src/commands/keyset/cmd.rs | 39 +++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/commands/keyset/cmd.rs b/src/commands/keyset/cmd.rs
index 0d77363..de3c341 100644
--- a/src/commands/keyset/cmd.rs
+++ b/src/commands/keyset/cmd.rs
@@ -89,6 +89,9 @@ const DEFAULT_TTL: Ttl = Ttl::from_secs(3600);
 /// stale.
 const DEFAULT_AUTOREMOVE_DELAY: Duration = Duration::from_secs(7 * 24 * 3600);
+/// These are the apex RRtypes that keyset controls.
+const APEX_REMOVE: &[Rtype; 3] = &[Rtype::DNSKEY, Rtype::CDS, Rtype::CDNSKEY];
+
 // Types to simplify some HashSet types.
 /// Type for a Name that uses a Vec.
 type NameVecU8 = Name>;
@@ -705,6 +708,8 @@ impl Keyset {
 ds_rrset: Vec::new(),
 cds_rrset: Vec::new(),
 ns_rrset: Vec::new(),
+ apex_remove: (*APEX_REMOVE).into(),
+ apex_records: Vec::new(),
 cron_next: None,
 internal: HashMap::new(),
@@ -755,7 +760,7 @@ impl Keyset {
 )
 })?;
- let ws = WorkSpace {
+ let mut ws = WorkSpace {
 config: ksc,
 state: kss,
 config_changed: false,
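Review bot: APEX_REMOVE omits Rtype::NS even though this same patch folds ns_rrset into the combined apex record list in write_state, so the moment ns_rrset holds anything the signer is told to add NS records at the apex without first clearing the NS RRset already there. Either add `Rtype::NS` here (bumping the array length to 4) or keep ns_rrset out of the combined list until NS handling is actually designed. Whichever way it goes, a line such as `// Keep in sync with the *_rrset fields merged into apex_records in write_state.` above the constant would stop the two from drifting apart.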
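Review bot: `(*APEX_REMOVE).into()` in the constructor hides that a `&[Rtype; 3]` is being turned into a HashSet, and the identical expression is repeated verbatim in write_state. `HashSet::from(*APEX_REMOVE)` or `APEX_REMOVE.iter().copied().collect()` names the target type, and a small shared `fn default_apex_remove() -> HashSet<Rtype>` used by both call sites (and usable as a serde default) would make the invariant live in one place. The constructor this hunk belongs to starts and ends outside the hunk.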
@@ -1822,20 +1827,35 @@ pub struct KeySetState {
 /// Domain KeySet state.
 pub keyset: KeySet,
- /// DNSKEY RRset plus signatures to include in the signed zone.
+ /// DNSKEY RRset plus signatures to include in the signed zone. This
+ /// field is obsolete. Use apex_remove and apex_records.
 pub dnskey_rrset: Vec,
 /// DS records to add to the parent zone.
 pub ds_rrset: Vec,
 /// CDS and CDNSKEY RRsets plus signatures to include in the signed zone.
+ /// This field is obsolete. Use apex_remove and apex_records.
 pub cds_rrset: Vec,
 /// Place holder for NS records. Maybe the four _rrset fields should be
 /// combined. Though for extensibility there needs to be a field that
 /// informs the signer which Rtypes need special treatment.
+ /// This field is obsolete. Use apex_remove and apex_records.
 pub ns_rrset: Vec,
+ /// These are the apex RRtypes that are controlled by keyset. A signer /// should remove all records for these types from the apex of /// the zone before adding the records in the apex_records field. #[serde(default)] pub apex_remove: HashSet,
+ /// Records plus signatures to include in the signed zone. This field /// replaces dnskey_rrset, cds_rrset, ns_rrset. In the future the old /// fields will be removed. #[serde(default)] pub apex_records: Vec,
+ /// Next time to call the cron subcommand.
 cron_next: Option,
@@ -4073,7 +4093,20 @@ impl WorkSpace {
 }
 /// Write state to a file.
- fn write_state(&self) -> Result<(), Error> {
+ fn write_state(&mut self) -> Result<(), Error> {
+ // Always set apex_remove.
+ self.state.apex_remove = (*APEX_REMOVE).into();
+
+ // Update apex_records from the old fields.
+ self.state.apex_records = [
+ self.state.dnskey_rrset.clone(),
+ self.state.cds_rrset.clone(),
+ self.state.ns_rrset.clone(),
+ ]
+ .into_iter()
+ .flatten()
+ .collect();
+
 let json = serde_json::to_string_pretty(&self.state).expect("should not fail");
 Self::write_to_new_and_rename(&json, &self.config.state_file)
 }
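Review bot: `#[serde(default)]` on apex_remove yields an empty set whenever a state file written before this change is loaded, while the constructor and write_state both pin the field to APEX_REMOVE; a consumer that already trusts the new fields would then neither remove nor add anything at the apex until keyset happens to rewrite that file. `#[serde(default = "default_apex_remove")]` backed by `fn default_apex_remove() -> HashSet<Rtype> { APEX_REMOVE.iter().copied().collect() }` gives old files the same invariant as new ones. The doc comment on apex_remove should also tell the signer to drop the RRSIGs covering these types together with the records, e.g. `/// ... (including any RRSIG records covering these types) ...`, since leaving stale signatures beside the new DNSKEY/CDS/CDNSKEY RRsets is exactly what this field exists to prevent. The declaration line of KeySetState and the rest of its fields are outside the hunk.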
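Review bot: write_state now rebuilds apex_records from the three legacy fields on every write, so any value a caller stores in apex_records directly is silently discarded; a comment above the assignment such as `// apex_records is derived from the legacy *_rrset fields until those are removed; do not populate it directly.` should make that explicit. The three `.clone()` calls on whole Vecs are avoidable by chaining borrows and cloning elements once: `self.state.apex_records = self.state.dnskey_rrset.iter().chain(&self.state.cds_rrset).chain(&self.state.ns_rrset).cloned().collect();`. The enclosing impl WorkSpace continues outside the hunk.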
From 31217defdbb2ca401d6b1aa0469a3d27c6475bf3 Mon Sep 17 00:00:00 2001
From: Philip Homburg
Date: Thu, 2 Apr 2026 19:59:14 +0200
Subject: [PATCH 2/2] Not apex_records but apex_extra.
---
 src/commands/keyset/cmd.rs | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/commands/keyset/cmd.rs b/src/commands/keyset/cmd.rs
index de3c341..896591d 100644
--- a/src/commands/keyset/cmd.rs
+++ b/src/commands/keyset/cmd.rs
@@ -709,7 +709,7 @@ impl Keyset {
 cds_rrset: Vec::new(),
 ns_rrset: Vec::new(),
 apex_remove: (*APEX_REMOVE).into(),
- apex_records: Vec::new(),
+ apex_extra: Vec::new(),
 cron_next: None,
 internal: HashMap::new(),
@@ -1828,33 +1828,33 @@ pub struct KeySetState {
 pub keyset: KeySet,
 /// DNSKEY RRset plus signatures to include in the signed zone. This
- /// field is obsolete. Use apex_remove and apex_records.
+ /// field is obsolete. Use apex_remove and apex_extra.
 pub dnskey_rrset: Vec,
 /// DS records to add to the parent zone.
 pub ds_rrset: Vec,
 /// CDS and CDNSKEY RRsets plus signatures to include in the signed zone.
- /// This field is obsolete. Use apex_remove and apex_records.
+ /// This field is obsolete. Use apex_remove and apex_extra.
 pub cds_rrset: Vec,
 /// Place holder for NS records. Maybe the four _rrset fields should be
 /// combined. Though for extensibility there needs to be a field that
 /// informs the signer which Rtypes need special treatment.
- /// This field is obsolete. Use apex_remove and apex_records.
+ /// This field is obsolete. Use apex_remove and apex_extra.
 pub ns_rrset: Vec,
 /// These are the apex RRtypes that are controlled by keyset. A signer
 /// should remove all records for these types from the apex of
- /// the zone before adding the records in the apex_records field.
+ /// the zone before adding the records in the apex_extra field.
 #[serde(default)]
 pub apex_remove: HashSet,
- /// Records plus signatures to include in the signed zone. This field
+ /// Records plus signatures to add to the signed zone. This field
 /// replaces dnskey_rrset, cds_rrset, ns_rrset. In the future the old
 /// fields will be removed.
 #[serde(default)]
- pub apex_records: Vec,
+ pub apex_extra: Vec,
 /// Next time to call the cron subcommand.
 cron_next: Option,
@@ -4097,8 +4097,8 @@ impl WorkSpace {
 // Always set apex_remove.
 self.state.apex_remove = (*APEX_REMOVE).into();
- // Update apex_records from the old fields.
- self.state.apex_records = [
+ // Update apex_extra from the old fields.
+ self.state.apex_extra = [
 self.state.dnskey_rrset.clone(),
 self.state.cds_rrset.clone(),
 self.state.ns_rrset.clone(),