Add built-in dnssec-policy "insecure"

Add a new built-in policy "insecure", to be used to gracefully unsign a zone. Previously you could just remove the 'dnssec-policy' configuration from your zone statement, or remove it. The built-in policy "none" (or not configured) now actually means no DNSSEC maintenance for the corresponding zone. So if you immediately reconfigure your zone from whatever policy to "none", your zone will temporarily be seen as bogus by validating resolvers. This means we can remove the functions 'dns_zone_use_kasp()' and 'dns_zone_secure_to_insecure()' again. We also no longer have to check for the existence of key state files to figure out if a zone is transitioning to insecure.
2025-08-31 14:35:26 +00:00 · 2021-04-21 16:09:06 +02:00
parent 1f4234ec89
commit 2710d9a11d
8 changed files with 49 additions and 145 deletions
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1087,6 +1087,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 	 bool keyset_kskonly) {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
+	dns_kasp_t *kasp = dns_zone_getkasp(zone);
 	dns_rdataset_t rdataset;
 	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
 	dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone);
@@ -1097,7 +1098,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 	bool use_kasp = false;
 	isc_mem_t *mctx = diff->mctx;

-	if (dns_zone_use_kasp(zone)) {
+	if (kasp != NULL) {
 		check_ksk = false;
 		keyset_kskonly = true;
 		use_kasp = true;