diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 58e27cab19..f33c36c9d1 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -193,7 +193,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 isc_result_t ret;
 isc_buffer_t *databuf = NULL;
 char data[256 + 8];
- uint32_t flags;
 unsigned int sigsize;
 dns_fixedname_t fnewname;
 dns_fixedname_t fsigner;
@@ -211,17 +210,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 return DNS_R_INVALIDTIME;
 }
 
- /*
- * Is the key allowed to sign data?
- */
- flags = dst_key_flags(key);
- if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
- return DNS_R_KEYUNAUTHORIZED;
- }
- if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
- return DNS_R_KEYUNAUTHORIZED;
- }
-
 sig.mctx = mctx;
 sig.common.rdclass = set->rdclass;
 sig.common.rdtype = dns_rdatatype_rrsig;
@@ -383,7 +371,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 unsigned char data[300];
 dst_context_t *ctx = NULL;
 int labels = 0;
- uint32_t flags;
 bool downcase = false;
 
 REQUIRE(name != NULL);
@@ -448,19 +435,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 break;
 }
 
- /*
- * Is the key allowed to sign data?
- */
- flags = dst_key_flags(key);
- if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
- inc_stat(dns_dnssecstats_fail);
- return DNS_R_KEYUNAUTHORIZED;
- }
- if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
- inc_stat(dns_dnssecstats_fail);
- return DNS_R_KEYUNAUTHORIZED;
- }
-
 again:
 ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false,
 maxbits, &ctx);
@@ -1582,9 +1556,7 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
 RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &dnskey));
 dst_key_setttl(dnskey, keys.ttl);
 
- if (!is_zone_key(dnskey) ||
- (dst_key_flags(dnskey) & DNS_KEYTYPE_NOAUTH) != 0)
- {
+ if (!is_zone_key(dnskey)) {
 goto skip;
 }
 
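Review bot: The hunks at @@ -211 and @@ -448 remove more than the obsolete DNS_KEYTYPE_NOAUTH test: the `(flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE` rejection in dns_dnssec_sign and dns_dnssec_verify goes with it, so a DNSKEY without the Zone Key flag is no longer refused for signing or for RRSIG verification at this layer, and the `inc_stat(dns_dnssecstats_fail)` accounting for that rejection disappears with it. RFC 4034 §2.1.1 says a DNSKEY whose bit 7 is clear MUST NOT be used to verify RRSIGs, and whether every caller already filters through dst_key_iszonekey() or is_zone_key() before reaching these functions is not visible in this diff, so the library-level check looks worth keeping. Since dst_key_iszonekey() still enforces the owner mask after this change, `if (!dst_key_iszonekey(key)) { return DNS_R_KEYUNAUTHORIZED; }` in dns_dnssec_sign, and the same preceded by `inc_stat(dns_dnssecstats_fail);` in dns_dnssec_verify, would preserve the behaviour without the removed `flags` locals from @@ -193 and @@ -383. dst_key_iszonekey()'s body continues past its hunk, so confirm it applies no extra condition the callers here do not expect. Both dns_dnssec_sign and dns_dnssec_verify start and end outside their hunks.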
@@ -1690,11 +1662,6 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
 }
 RETERR(result);
 
- /* This should never happen. */
- if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
- goto skip;
- }
-
 /*
 * Whatever the key's default TTL may have
 * been, the rdataset TTL takes priority.
diff --git a/lib/dns/key.c b/lib/dns/key.c
index 6e8091bc75..07bd5cf88e 100644
--- a/lib/dns/key.c
+++ b/lib/dns/key.c
@@ -134,9 +134,6 @@ bool
 dst_key_iszonekey(const dst_key_t *key) {
 REQUIRE(VALID_KEY(key));
 
- if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0) {
- return false;
- }
 if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
 return false;
 }
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 47282e435c..b52fe8204c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6216,9 +6216,7 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
 dst_key_setttl(pubkey, rdataset.ttl);
 
- if (!is_zone_key(pubkey) ||
- (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
- {
+ if (!is_zone_key(pubkey)) {
 goto next;
 }
 /* Corrupted .key file? */
@@ -6312,12 +6310,6 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 * been, the rdataset TTL takes priority.
 */
 dst_key_setttl(keys[count], rdataset.ttl);
-
- if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
- /* We should never get here. */
- dst_key_free(&keys[count]);
- goto next;
- }
 count++;
 next:
 if (pubkey != NULL) {
@@ -20467,8 +20459,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
- if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
- DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
+ if ((dnskey.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
 {
 ISC_LIST_UNLINK(diff->tuples, tuple, link);
 ISC_LIST_APPEND(tuples, tuple, link);
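Review bot: dst_key_iszonekey() in the lib/dns/key.c hunk now decides solely on DNS_KEYFLAG_OWNERMASK, but nothing in the diff records why the DNS_KEYTYPE_NOAUTH bit stopped mattering, so a reader who later finds the removal cannot tell whether it was deliberate. A short comment above the remaining test, such as `/* Only the Zone Key flag (RFC 4034 §2.1.1, bit 7) is meaningful for a DNSKEY; the KEY-RR type bits are reserved and are ignored on receipt. */`, would capture that, and the same note fits the add_signing_records hunk in lib/dns/zone.c, which keeps the owner-mask test for the same reason. This is also an observable behaviour change — a DNSKEY with that bit set, previously rejected by every code path shown here, is now accepted as a zone key — so if the merge request carries no CHANGES or release-note entry for it, one seems warranted. dst_key_iszonekey()'s body continues past the hunk.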