
dnssec-policy: to sign inline or not

When dnssec-policy was introduced, it implicitly set inline-signing.
But DNSSEC maintenance required either inline-signing to be enabled,
or a dynamic zone.  In other words, you do not always want to
maintain DNSSEC for your zone with inline-signing.

Change the behavior and determine whether inline-signing is
required: if the zone is dynamic, don't use inline-signing,
otherwise implicitly set it.

You can also explicitly set inline-signing to yes with dnssec-policy,
the restriction that both inline-signing and dnssec-policy cannot
be set at the same time is now lifted.

However, 'inline-signing no;' on a non-dynamic zone with a
dnssec-policy is not possible.
Matthijs Mekking
2020-04-08 13:08:20 +02:00
parent 1055575cfe
commit 644f0d958a
8 changed files with 279 additions and 193 deletions


@@ -2275,9 +2275,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
for (element = cfg_list_first(kasps); element != NULL;
element = cfg_list_next(element))
{
const char *kn = cfg_obj_asstring(cfg_tuple_get(
cfg_listelt_value(element), "name"));
if (strcmp(kaspname, kn) == 0) {
const cfg_obj_t *kobj = cfg_tuple_get(
cfg_listelt_value(element), "name");
if (strcmp(kaspname, cfg_obj_asstring(kobj)) ==
0) {
has_dnssecpolicy = true;
}
}
@@ -2495,13 +2496,14 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS) {
signing = cfg_obj_asboolean(obj);
}
if (signing && has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"inline-signing: cannot be configured if "
"dnssec-policy is also set");
result = ISC_R_FAILURE;
if (has_dnssecpolicy && !ddns && !signing) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'inline-signing;' cannot be set "
"to 'no' "
"if dnssec-policy is also set on a "
"non-dynamic DNS zone");
result = ISC_R_FAILURE;
}
}
obj = NULL;
@@ -2511,7 +2513,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
arg = cfg_obj_asstring(obj);
}
if (strcasecmp(arg, "off") != 0) {
if (!ddns && !signing) {
if (!ddns && !signing && strcasecmp(arg, "off") != 0) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' requires%s "
"inline-signing to be configured "
@@ -2524,7 +2526,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
: "");
result = ISC_R_FAILURE;
}
if (has_dnssecpolicy) {
if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' cannot be "
"configured if dnssec-policy is "