ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Ignore inline-signing by default

Browse Source 
Ignore the option 'inline-signing' unless there is a 'dnssec-policy'
configured for the zone. Having inline signing enabled while the zone
is not DNSSEC signed does not make sense.

If there is a 'dnssec-policy' the 'inline-signing' zone-only option
can be used to override the value for the given zone.
This commit is contained in:
Matthijs Mekking
2023-10-12 12:02:02 +02:00
parent 0d58ce93e5
commit e6a454ad12
1 changed files with 11 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
bin/named/zoneconf.c
View File

@@ -2014,13 +2014,7 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
}
maps[i] = NULL;
/* "inline-signing" is a zone-only clause, so look in maps[0] only. */
res = cfg_map_get(maps[0], "inline-signing", &signing);
if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
return (cfg_obj_asboolean(signing));
}
/* If inline-signing is not set, check the value in dnssec-policy. */
/* Check the value in dnssec-policy. */
policy = NULL;
res = named_config_get(maps, "dnssec-policy", &policy);
/* If no dnssec-policy found, then zone is not using inline-signing. */
@@ -2039,5 +2033,15 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
inline_signing = dns_kasp_inlinesigning(kasp);
dns_kasp_detach(&kasp);
/*
* The zone option 'inline-signing' may override the value in
* dnssec-policy. This is a zone-only option, so look in maps[0]
* only.
*/
res = cfg_map_get(maps[0], "inline-signing", &signing);
if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
return (cfg_obj_asboolean(signing));
}
return (inline_signing);
}