
Allow rndc signing commands with dnssec-policy

Some 'rndc signing' commands can still be used in conjunction with
'dnssec-policy' because they show the progress of signing and allow
private type records to be cleaned up. Allow these commands to be
executed.

However, setting NSEC3 parameters is incompatible with dnssec-policy.
Matthijs Mekking 2023-06-20 10:06:01 +02:00
parent f4eb3ba459
commit 9ee33d99b3


@ -14455,6 +14455,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
unsigned char salt[255];
const char *ptr;
size_t n;
bool kasp = false;
REQUIRE(text != NULL);
@ -14562,17 +14563,14 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
}
if (dns_zone_getkasp(zone) != NULL) {
(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
"command instead");
(void)putnull(text);
goto cleanup;
kasp = true;
}
if (clear) {
CHECK(dns_zone_keydone(zone, keystr));
(void)putstr(text, "request queued");
(void)putnull(text);
} else if (chain) {
} else if (chain && !kasp) {
CHECK(dns_zone_setnsec3param(
zone, (uint8_t)hash, (uint8_t)flags, iter,
(uint8_t)saltlen, salt, true, resalt));
@ -14629,6 +14627,10 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
}
} else if (kasp) {
(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
"command instead");
(void)putnull(text);
}
cleanup:
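Review bot: In the new final `else if (kasp)` branch, the refusal of `-nsec3param` on a dnssec-policy zone only writes a text message and does not appear to change `result`, so unless it is set to an error outside these hunks the command reports success although no NSEC3 parameters were changed. An operator or script that relies on the return status could believe the NSEC3 chain was updated; consider adding `result = ISC_R_FAILURE;` (or a more specific code) after `(void)putnull(text);`. The message still says to use `rndc dnssec`, which was worded for the old blanket refusal; since this branch now seems to be reached for the NSEC3 case, text that points to the NSEC3 settings of the policy would be clearer. The body of named_server_signing starts and ends outside the visible hunks, so the value of `result` at this point should be confirmed there.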