1982. [bug] DNSKEY was being accepted on the parent side of

a delegation.  KEY is still accepted there for
                        RFC 3007 validated updates. [RT #15620]

CHANGES

@@ -1,3 +1,7 @@
+1982.	[bug]		DNSKEY was being accepted on the parent side of
+			a delegation.  KEY is still accepted there for
+			RFC 3007 validated updates. [RT #15620]
+
 1981.	[bug]		win32: condition.c:wait() could fail to reattain
 			the mutex lock.
 

lib/dns/rbtdb.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.225 2006/01/06 00:01:44 marka Exp $ */
+/* $Id: rbtdb.c,v 1.226 2006/02/16 00:59:38 marka Exp $ */
 
 /*! \file */
 
@@ -2581,12 +2581,12 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	/*
 	 * Certain DNSSEC types are not subject to CNAME matching
-	 * (RFC2535, section 2.3.5).
+	 * (RFC4035, section 2.5 and RFC3007).
 	 *
 	 * We don't check for RRSIG, because we don't store RRSIG records
 	 * directly.
 	 */
-	if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
 		cname_ok = ISC_FALSE;
 
 	/*
@@ -2645,9 +2645,15 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				search.need_cleanup = ISC_TRUE;
 				maybe_zonecut = ISC_FALSE;
 				at_zonecut = ISC_TRUE;
+				/*
+				 * It is not clear if KEY should still be
+				 * allowed at the parent side of the zone
+				 * cut or not.  It is needed for RFC3007
+				 * validated updates.
+				 */
 				if ((search.options & DNS_DBFIND_GLUEOK) == 0
 				    && type != dns_rdatatype_nsec
-				    && type != dns_rdatatype_dnskey) {
+				    && type != dns_rdatatype_key) {
 					/*
 					 * Glue is not OK, but any answer we
 					 * could return would be glue.  Return
@@ -2831,8 +2837,14 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * and the type is NSEC or KEY.
 		 */
 		if (search.zonecut == node) {
+			/*
+			 * It is not clear if KEY should still be
+			 * allowed at the parent side of the zone
+			 * cut or not.  It is needed for RFC3007
+			 * validated updates.
+			 */
 			if (type == dns_rdatatype_nsec ||
-			    type == dns_rdatatype_dnskey)
+			    type == dns_rdatatype_key)
 				result = ISC_R_SUCCESS;
 			else if (type == dns_rdatatype_any)
 				result = DNS_R_ZONECUT;
@@ -3377,12 +3389,12 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	/*
 	 * Certain DNSSEC types are not subject to CNAME matching
-	 * (RFC2535, section 2.3.5).
+	 * (RFC4035, section 2.5 and RFC3007).
 	 *
 	 * We don't check for RRSIG, because we don't store RRSIG records
 	 * directly.
 	 */
-	if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
 		cname_ok = ISC_FALSE;
 
 	/*
@@ -4307,16 +4319,13 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 			 * Look for active extant "other data".
 			 *
 			 * "Other data" is any rdataset whose type is not
-			 * DNSKEY, RRSIG DNSKEY, NSEC, RRSIG NSEC,
+			 * KEY, RRSIG KEY, NSEC, RRSIG NSEC or RRSIG CNAME.
-			 * or RRSIG CNAME.
 			 */
 			rdtype = RBTDB_RDATATYPE_BASE(header->type);
 			if (rdtype == dns_rdatatype_rrsig ||
 			    rdtype == dns_rdatatype_sig)
 				rdtype = RBTDB_RDATATYPE_EXT(header->type);
 			if (rdtype != dns_rdatatype_nsec &&
-			    rdtype != dns_rdatatype_dnskey &&
-			    rdtype != dns_rdatatype_nxt &&
 			    rdtype != dns_rdatatype_key &&
 			    rdtype != dns_rdatatype_cname) {
 				/*