Allow DNSKEY when syncing secure journal/db

When synchronizing the journal or database from the unsigned version of the zone to the secure version of the zone, allow DNSKEY records to be synced, because these may be added by the user with the sole intent to publish the record (not used for signing). This may be the case for example in the multisigner model 2 (RFC 8901). Additional code needs to be added to ensure that we do not remove DNSKEY records that are under our control. Keys under our control are keys that are used for signing the zone and thus that we have key files for. Same counts for CDNSKEY and CDS (records that are derived from keys).
2025-08-31 06:25:31 +00:00 · 2022-10-05 13:36:42 +02:00
parent 3b6e9a5fa7
commit b0b3e2f12e
2 changed files with 66 additions and 3 deletions
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -3377,6 +3377,30 @@ update_action(void *arg) {
 						continue;
 					}
 				}
+				/*
+				 * Don't remove DNSKEY, CDNSKEY, CDS records
+				 * that are in use (under our control).
+				 */
+				if (rdata.type == dns_rdatatype_dnskey ||
+				    rdata.type == dns_rdatatype_cdnskey ||
+				    rdata.type == dns_rdatatype_cds)
+				{
+					isc_result_t r;
+					bool inuse = false;
+					r = dns_zone_dnskey_inuse(zone, &rdata,
+								  &inuse);
+					if (r != ISC_R_SUCCESS) {
+						FAIL(r);
+					}
+					if (inuse) {
+						update_log(client, zone,
+							   LOGLEVEL_PROTOCOL,
+							   "attempt to "
+							   "delete in use "
+							   "DNSKEY ignored");
+						continue;
+					}
+				}
 			}
 			dns_name_format(name, namestr, sizeof(namestr));
 			dns_rdatatype_format(rdata.type, typestr,