2773. [bug] In autosigned zones, the SOA could be signed

with the KSK. [RT #20628]
2025-08-31 06:25:31 +00:00 · 2009-11-18 21:22:31 +00:00
parent e83a7cabc3
commit b08325a7f3
3 changed files with 7 additions and 4 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+2773.	[bug]		In autosigned zones, the SOA could be signed
+			with the KSK. [RT #20628]
+
 	--- 9.7.0b3 released ---

 2772.	[security]	When validating, track whether pending data was from
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: update.c,v 1.168 2009/11/09 01:28:32 each Exp $ */
+/* $Id: update.c,v 1.169 2009/11/18 21:22:31 each Exp $ */

 #include <config.h>

@@ -1926,7 +1926,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			if (type == dns_rdatatype_dnskey) {
 				if (!KSK(keys[i]) && keyset_kskonly)
 					continue;
-			} else if (!KSK(keys[i]))
+			} else if (KSK(keys[i]))
 				continue;
 		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
 			continue;
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.c,v 1.529 2009/11/12 23:47:59 tbox Exp $ */
+/* $Id: zone.c,v 1.530 2009/11/18 21:22:31 each Exp $ */

 /*! \file */

@@ -4586,7 +4586,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 			if (type == dns_rdatatype_dnskey) {
 				if (!KSK(keys[i]) && keyset_kskonly)
 					continue;
-			} else if (!KSK(keys[i]))
+			} else if (KSK(keys[i]))
 				continue;
 		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
 				continue;