From 6b8519147a5c24b4a5942042e83fd539d0d445cc Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 4 Nov 2015 10:34:28 -0800
Subject: [PATCH] [master] NTAs did not survive reoad/reconfig 4251. [bug] NTAs were deleted when the server was reconfigured or reloaded. [RT #41058]
---
CHANGES | 3 +++
bin/named/server.c | 4 ++--
bin/tests/system/dnssec/tests.sh | 2 ++
doc/arm/notes.xml | 7 ++++++-
4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 914afd9d00..914f27c825 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4251. [bug] NTAs were deleted when the server was reconfigured
+ or reloaded. [RT #41058]
+
 4250. [func] Log the TSIG key in use during inbound zone transfers. [RT #41075]
diff --git a/bin/named/server.c b/bin/named/server.c
index ff5ac5e983..1b820bc416 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6786,6 +6786,8 @@ load_configuration(const char *filename, ns_server_t *server,
 goto cleanup;
 }
+ (void) ns_server_loadnta(server);
+
 result = ISC_R_SUCCESS;
 cleanup:
@@ -7055,8 +7057,6 @@ run_server(isc_task_t *task, isc_event_t *event) {
 isc_hash_init();
 CHECKFATAL(load_zones(server, ISC_TRUE), "loading zones");
-
- (void) ns_server_loadnta(server);
 }
 void
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index fd3f6fc2d1..e124d5e52a 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
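Review bot: The `(void)` cast on the added `ns_server_loadnta(server)` call in load_configuration() discards the result, so a failed NTA restore during `rndc reload` or `rndc reconfig` is invisible at this call site. NTAs switch off DNSSEC validation for the names they cover, so an operator should be able to tell from the log whether the set in force after a reconfiguration matches the one in force before it. Unless ns_server_loadnta() already logs its own failures (not visible in this hunk), and assuming it returns an isc_result_t, consider `result = ns_server_loadnta(server);` followed by `if (result != ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "could not reload NTAs: %s", isc_result_totext(result));`; the existing `result = ISC_R_SUCCESS;` on the next line keeps the function's return value unchanged. load_configuration() starts and ends outside the hunk.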
@@ -1674,11 +1674,13 @@ ret=0
 #
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 20s bogus.example 2>&1 | sed 's/^/I:ns4 /'
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta badds.example 2>&1 | sed 's/^/I:ns4 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig # reconfig should maintain NTAs
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1
 lines=`wc -l < rndc.out.ns4.test$n.1`
 [ "$lines" -eq 2 ] || ret=1
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta secure.example 2>&1 | sed 's/^/I:ns4 /'
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta fakenode.secure.example 2>&1 | sed 's/^/I:ns4 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reload # reload should maintain NTAs
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.2
 lines=`wc -l < rndc.out.ns4.test$n.2`
 [ "$lines" -eq 4 ] || ret=1
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index dc0e4d9c5c..4493dac524 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -692,7 +692,6 @@
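Review bot: The two added `rndc reconfig` and `rndc reload` lines do not check the command's exit status, so this test can pass without exercising the fix: if either command fails, the NTAs added just before it stay in place and `nta -d` still reports 2 and 4 lines. Appending `|| ret=1` to both lines, e.g. `$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig || ret=1`, turns a failed reconfiguration into a test failure. Their output is also not prefixed with `sed 's/^/I:ns4 /'` like the neighbouring rndc calls; if that prefix is wanted, capture the status before piping, because a pipeline reports sed's status rather than rndc's. The test block starts before and continues after this hunk.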
Bug Fixes - @@ -864,6 +863,12 @@ already in progress. [RT #39649] + + + Negative trust anchors (NTAs) were incorrectly deleted + when the server was reloaded or reconfigured. [RT #41058] + +