Merge branch '3937-zone-sign-kasp' into 'main'

Resolve "NSEC records aren't signed with both configured algorithms during NSEC3->NSEC transition" Closes #3937 See merge request isc-projects/bind9!7682
2025-08-31 14:35:26 +00:00 · 2023-03-14 13:16:37 +00:00
parent bfbaef2f7b aafcb8611c
commit 95f971b001
3 changed files with 21 additions and 23 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
+6124.	[bug]		When changing from a NSEC3 capable DNSSEC algorithm to
+			an NSEC3 incapable DNSSEC algorithm using KASP the zone
+			could sometimes be incompletely signed. [GL #3937]
+
 6123.	[placeholder]

 6122.	[func]		BIND now requires liburcu for lock-free data structures
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -421,12 +421,6 @@ then
 	set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
 	set_key_default_values "KEY2"
 	echo_i "check zone ${ZONE} after reconfig"
-
-	ret=0
-	wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1
-	test "$ret" -eq 0 || echo_i "failed"
-	status=$((status+ret))
-
 	check_nsec

 	# Zone: nsec3-to-rsasha1.kasp.
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9197,23 +9197,23 @@ zone_sign(dns_zone_t *zone) {
 		   use_kasp ? "yes" : "no");

 	/* Determine which type of chain to build */
-	if (use_kasp) {
-		build_nsec3 = dns_kasp_nsec3(kasp);
-		if (!dns_zone_check_dnskey_nsec3(zone, db, version, NULL,
-						 (dst_key_t **)&zone_keys,
-						 nkeys))
-		{
-			dnssec_log(zone, ISC_LOG_INFO,
-				   "wait building NSEC3 chain until NSEC only "
-				   "DNSKEYs are removed");
-			build_nsec3 = false;
-		}
-		build_nsec = !build_nsec3;
-	} else {
-		CHECK(dns_private_chains(db, version, zone->privatetype,
-					 &build_nsec, &build_nsec3));
-		/* If neither chain is found, default to NSEC */
-		if (!build_nsec && !build_nsec3) {
+	CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
+				 &build_nsec3));
+	if (!build_nsec && !build_nsec3) {
+		if (use_kasp) {
+			build_nsec3 = dns_kasp_nsec3(kasp);
+			if (!dns_zone_check_dnskey_nsec3(
+				    zone, db, version, NULL,
+				    (dst_key_t **)&zone_keys, nkeys))
+			{
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "wait building NSEC3 chain until "
+					   "NSEC only DNSKEYs are removed");
+				build_nsec3 = false;
+			}
+			build_nsec = !build_nsec3;
+		} else {
+			/* If neither chain is found, default to NSEC */
 			build_nsec = true;
 		}
 	}