Update inline-signing checkconf code

When using automated DNSSEC management, it is required that the zone
is dynamic, or that inline-signing is enabled (or both). Update the
checkconf code to also allow inline-signing to be enabled within
dnssec-policy.

bin/tests/system/checkconf/bad-kasp-inline-signing.conf

@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing is a boolean value.
+ */
+dnssec-policy "inline" {
+	inline-signing never-ever;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+	dnssec-policy "inline";
+};

bin/tests/system/checkconf/bad-noddns.conf

@@ -11,9 +11,13 @@
  * information regarding copyright ownership.
  */
 
+dnssec-policy "test" {
+	inline-signing no;
+};
+
 zone example {
 	type primary;
 	file "example.db";
-	dnssec-policy default;
+	dnssec-policy test;
 	allow-update { none; };
 };

bin/tests/system/checkconf/good-kasp.conf

@@ -21,8 +21,8 @@ dnssec-policy "test" {
 	cds-digest-types {
 		"sha-256";
 	};
-	inline-signing yes;
 	dnskey-ttl 3600;
+	inline-signing yes;
 	keys {
 		ksk key-directory lifetime P1Y algorithm ecdsa256;
 		zsk lifetime P30D algorithm 13;

bin/tests/system/kasp/ns6/named.conf.in

@@ -73,6 +73,7 @@ zone "step1.going-straight-to-none.kasp" {
 zone "step1.going-straight-to-none-dynamic.kasp" {
 	type primary;
 	file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+	inline-signing no;
 	dnssec-policy "default";
 	allow-update { any; };
 };

bin/tests/system/kasp/ns6/named2.conf.in

@@ -87,6 +87,7 @@ zone "step1.going-straight-to-none.kasp" {
 zone "step1.going-straight-to-none-dynamic.kasp" {
         type primary;
         file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+        inline-signing no;
         dnssec-policy "none";
         allow-update { any; };
 };

bin/tests/system/zonechecks/ns1/named.conf.in

@@ -36,6 +36,7 @@ controls {
 };
 
 dnssec-policy "zonechecks" {
+	inline-signing no;
 	keys {
 		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;

lib/isccfg/check.c

@@ -2793,6 +2793,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	bool dlz;
 	bool ddns = false;
 	bool has_dnssecpolicy = false;
+	bool kasp_inlinesigning = false;
 	const void *clauses = NULL;
 	const char *option = NULL;
 	const char *kaspname = NULL;
@@ -3038,10 +3039,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		kaspname = cfg_obj_asstring(obj);
 		if (strcmp(kaspname, "default") == 0) {
 			has_dnssecpolicy = true;
+			kasp_inlinesigning = true;
 		} else if (strcmp(kaspname, "insecure") == 0) {
 			has_dnssecpolicy = true;
+			kasp_inlinesigning = true;
 		} else if (strcmp(kaspname, "none") == 0) {
 			has_dnssecpolicy = false;
+			kasp_inlinesigning = false;
 		} else {
 			(void)cfg_map_get(config, "dnssec-policy", &kasps);
 			for (element = cfg_list_first(kasps); element != NULL;
@@ -3052,7 +3056,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 				if (strcmp(kaspname, cfg_obj_asstring(kobj)) ==
 				    0)
 				{
+					const cfg_obj_t *inlinesigning = NULL;
+					const cfg_obj_t *kopt = cfg_tuple_get(
+						cfg_listelt_value(element),
+						"options");
+					if (cfg_map_get(kopt, "inline-signing",
+							&inlinesigning) ==
+					    ISC_R_SUCCESS)
+					{
+						kasp_inlinesigning =
+							cfg_obj_asboolean(
+								inlinesigning);
+					} else {
+						/* By default true */
+						kasp_inlinesigning = true;
+					}
+
 					has_dnssecpolicy = true;
+					break;
 				}
 			}
 
@@ -3369,6 +3390,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
 		if (res1 == ISC_R_SUCCESS) {
 			signing = cfg_obj_asboolean(obj);
+		} else if (has_dnssecpolicy) {
+			signing = kasp_inlinesigning;
 		}
 
 		if (has_dnssecpolicy) {