From fc36798a81cb1aeef54f482b7aa0d8704127247e Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 14 Jan 2020 11:17:30 -0800
Subject: [PATCH] allow both key and DS trust anchors to be used for the same name.
---
 CHANGES | 3 +
 .../{bad-ds-key-1.conf => good-ds-key-1.conf} | 0
 .../{bad-ds-key-2.conf => good-ds-key-2.conf} | 0
 doc/arm/Bv9ARM-book.xml | 3 +-
 lib/bind9/check.c | 71 +------------------
 5 files changed, 5 insertions(+), 72 deletions(-)
 rename bin/tests/system/checkconf/{bad-ds-key-1.conf => good-ds-key-1.conf} (100%)
 rename bin/tests/system/checkconf/{bad-ds-key-2.conf => good-ds-key-2.conf} (100%)
diff --git a/CHANGES b/CHANGES
index 9f813bb1cf..1e9a7be985 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5345. [func] Key-style trust anchors and DS-style trust anchors
+ can now both be used for the same name. [GL !2892]
+
 5344. [bug] Handle accept() errors properly in netmgr. [GL !2880]
 5343. [func] Add statistics counters to the netmgr. [GL #1311]
diff --git a/bin/tests/system/checkconf/bad-ds-key-1.conf b/bin/tests/system/checkconf/good-ds-key-1.conf
similarity index 100%
rename from bin/tests/system/checkconf/bad-ds-key-1.conf
rename to bin/tests/system/checkconf/good-ds-key-1.conf
diff --git a/bin/tests/system/checkconf/bad-ds-key-2.conf b/bin/tests/system/checkconf/good-ds-key-2.conf
similarity index 100%
rename from bin/tests/system/checkconf/bad-ds-key-2.conf
rename to bin/tests/system/checkconf/good-ds-key-2.conf
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index d8715ec5c1..bc86ee9fd7 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -10986,8 +10986,7 @@ example.com CNAME rpz-tcp-only.
 It is not possible to mix static with initial trust anchors
- for the same domain name. It is also not possible to mix
- key with ds trust anchors.
+ for the same domain name.
 The first time named runs with an
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index e5097e8a62..4cb376f976 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3593,64 +3593,6 @@ record_ds_keys(isc_symtab_t *symtab, isc_mem_t *mctx, const cfg_obj_t *keylist)
 return (ret);
 }
-static isc_result_t
-check_non_ds_keys(isc_symtab_t *symtab, const cfg_obj_t *keylist,
- isc_log_t *logctx)
-{
- isc_result_t result, ret = ISC_R_SUCCESS;
- const cfg_listelt_t *elt;
- dns_fixedname_t fixed;
- dns_name_t *name;
- char namebuf[DNS_NAME_FORMATSIZE];
- name = dns_fixedname_initname(&fixed);
- for (elt = cfg_list_first(keylist);
- elt != NULL;
- elt = cfg_list_next(elt))
- {
- const cfg_obj_t *obj = cfg_listelt_value(elt);
- const cfg_obj_t *init = NULL;
- const char *str;
- isc_symvalue_t symvalue;
- init = cfg_tuple_get(obj, "anchortype");
- if (cfg_obj_isvoid(init) ||
- strcasecmp(cfg_obj_asstring(init), "static-ds") == 0 ||
- strcasecmp(cfg_obj_asstring(init), "initial-ds") == 0)
- {
- /* DS-style entry, skip it */
- continue;
- }
- str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- result = dns_name_fromstring(name, str, 0, NULL);
- if (result != ISC_R_SUCCESS) {
- continue;
- }
- dns_name_format(name, namebuf, sizeof(namebuf));
- result = isc_symtab_lookup(symtab, namebuf, 1, &symvalue);
- if (result == ISC_R_SUCCESS) {
- const char *file = cfg_obj_file(symvalue.as_cpointer);
- unsigned int line = cfg_obj_line(symvalue.as_cpointer);
- if (file == NULL) {
- file = "";
- }
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "ds-style and key-style keys "
- "cannot be used for the "
- "same domain. "
- "ds-style defined at "
- "%s:%u", file, line);
- ret = ISC_R_FAILURE;
- }
- }
- return (ret);
-}
-
 /*
 * Check for conflicts between static and initialiizing keys.
 */
@@ -3739,8 +3681,7 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
 /*
 * Next, ensure that there's no conflict between the
- * static keys and the trust-anchors configured with "initial-key",
- * or between DS-style and DNSKEY-style trust-anchors.
+ * static keys and the trust-anchors configured with "initial-key".
 */
 for (elt = cfg_list_first(global_ta);
 elt != NULL;
@@ -3751,11 +3692,6 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
 if (result == ISC_R_SUCCESS) {
 result = tresult;
 }
-
- tresult = check_non_ds_keys(dstab, keylist, logctx);
- if (result == ISC_R_SUCCESS) {
- result = tresult;
- }
 }
 for (elt = cfg_list_first(view_ta);
@@ -3767,11 +3703,6 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
 if (result == ISC_R_SUCCESS) {
 result = tresult;
 }
-
- tresult = check_non_ds_keys(dstab, keylist, logctx);
- if (result == ISC_R_SUCCESS) {
- result = tresult;
- }
 }
 cleanup:
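Review bot: The rewritten comment above the global_ta loop now names only anchors configured with "initial-key", yet the `check_non_ds_keys(dstab, ...)` calls deleted in the two hunks that follow were the only cross-style lookups against `dstab` shown here, so these hunks do not show whether the surviving static-versus-initial check still rejects a `static-key` and an `initial-ds` (or a `static-ds` and an `initial-key`) configured for the same name. If that pair is still caught, widen the comment to say so, e.g. `* static keys and the trust-anchors configured with "initial-key" or "initial-ds".`; if it is not, it needs to be, because the ARM sentence this patch keeps still states that static and initial trust anchors cannot be mixed for one domain name, and the configuration check would otherwise accept such a config silently. check_ta_conflicts starts before the first of these hunks and continues past the last.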