From 9ee33d99b3670c7ba66d869dd973bee6b3c9b17d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 20 Jun 2023 10:06:01 +0200
Subject: [PATCH] Allow rndc signing commands with dnssec-policy
Some 'rndc signing' commands can still be used in conjunction with 'dnssec-policy' because it shows the progress of signing and private type records can be cleaned up. Allow these commands to be executed. However, setting NSEC3 parameters is incompatible with dnssec-policy.
---
bin/named/server.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 8a6b065708..130175bcff 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -14455,6 +14455,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
 unsigned char salt[255];
 const char *ptr;
 size_t n;
+ bool kasp = false;
 REQUIRE(text != NULL);
@@ -14562,17 +14563,14 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
 }
 if (dns_zone_getkasp(zone) != NULL) {
- (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec " "command instead");
- (void)putnull(text);
- goto cleanup;
+ kasp = true;
 }
 if (clear) {
 CHECK(dns_zone_keydone(zone, keystr));
 (void)putstr(text, "request queued");
 (void)putnull(text);
- } else if (chain) {
+ } else if (chain && !kasp) {
 CHECK(dns_zone_setnsec3param( zone, (uint8_t)hash, (uint8_t)flags, iter, (uint8_t)saltlen, salt, true, resalt));
@@ -14629,6 +14627,10 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
 if (result == ISC_R_NOMORE) {
 result = ISC_R_SUCCESS;
 }
+ } else if (kasp) {
+ (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec " "command instead");
+ (void)putnull(text);
 }
 cleanup:
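Review bot: The new `} else if (chain && !kasp) {` arm silently skips the NSEC3 request for a dnssec-policy zone, and a reader has to find the trailing `else if (kasp)` arm several branches further down, outside this hunk, to learn what the zone gets instead; a short comment would keep the intent local. Suggested comment on the line above it: `/* NSEC3 parameters are owned by dnssec-policy; a chain request on such a zone falls to the kasp message below. */`. Whether any of the intermediate arms can also match for a dnssec-policy zone is not visible here, so it is worth confirming that a chain request on such a zone really ends in that message rather than in another arm. named_server_signing starts and ends outside this hunk.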
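Review bot: The message emitted in the new `else if (kasp)` arm, `use rndc dnssec command instead`, is now reached only for requests that are neither clear nor list — chiefly the NSEC3 parameter request that the commit message calls incompatible with dnssec-policy — yet it still names an rndc dnssec command as the replacement. If NSEC3 parameters for such zones come from the policy configuration rather than from any rndc subcommand, the text points the operator at the wrong tool; something like `"zone uses dnssec-policy, NSEC3 parameters must be set in the policy"` would be more accurate. Nothing in the hunk sets `result` on this path, so it is also worth confirming it already holds ISC_R_SUCCESS there, as it presumably did on the old `goto cleanup` path. named_server_signing's body continues outside this hunk.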