diff --git a/bin/named/config.c b/bin/named/config.c index 861c46c03d..b5548b3631 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -294,6 +294,7 @@ dnssec-policy \"default\" {\n\ cdnskey yes;\n\ cds-digest-types { 2; };\n\ dnskey-ttl " DNS_KASP_KEY_TTL ";\n\ + inline-signing yes;\n\ publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\ retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\ purge-keys " DNS_KASP_PURGE_KEYS "; \n\ @@ -308,6 +309,7 @@ dnssec-policy \"default\" {\n\ \n\ dnssec-policy \"insecure\" {\n\ keys { };\n\ + inline-signing yes;\n\ };\n\ \n\ " diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h index 387d8a1ef1..dbecd4a79e 100644 --- a/bin/named/include/named/zoneconf.h +++ b/bin/named/include/named/zoneconf.h @@ -44,7 +44,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, */ bool -named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig); +named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, + const cfg_obj_t *vconfig, const cfg_obj_t *config, + dns_kasplist_t *kasplist); /*%< * If 'zone' can be safely reconfigured according to the configuration * data in 'zconfig', return true. If the configuration data is so @@ -53,10 +55,12 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig); */ bool -named_zone_inlinesigning(const cfg_obj_t *zconfig); +named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, + const cfg_obj_t *config, dns_kasplist_t *kasplist); /*%< * Determine if zone uses inline-signing. This is true if inline-signing - * is set to yes. + * is set to yes, in the zone clause or in the zone's dnssec-policy clause. + * By default, dnssec-policy uses inline-signing. */ isc_result_t diff --git a/bin/named/server.c b/bin/named/server.c index cbcba3d28d..c88ca57423 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
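Review bot: Adding `inline-signing yes;` to the built-in `default` and `insecure` policies changes behaviour for every existing zone that has a `dnssec-policy` but no explicit `inline-signing` clause, including dynamic zones with `allow-update`; the remainder of this diff has to add `inline-signing no;` to dozens of test zones for exactly that reason, and any production config that relies on in-place dynamic signing will presumably need the same edit on upgrade. Nothing in the diff surfaces this to operators, so I would expect a release note and a `named-checkconf` warning when a zone with `allow-update`/`update-policy` acquires inline-signing purely through the policy default. At minimum a comment next to the default policy string, such as `/* Policies default to inline-signing; dynamic zones that must be signed in place need 'inline-signing no' in the zone or policy. */`, would record the decision.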
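Review bot: The new `named_zone_reusable` and `named_zone_inlinesigning` prototypes gain `vconfig`, `config` and `kasplist` parameters, but neither `/*%<` comment says which of them may be NULL; the zoneconf.c implementation in this diff guards `vconfig` and `config` with NULL checks yet passes `kasplist` straight to `dns_kasplist_find`, and that asymmetry belongs in the header. I would extend the second comment with ` * 'vconfig' and 'config' may be NULL; 'kasplist' must be a valid kasp list.` and note in the first that the view and global `options` are consulted to find the zone's `dnssec-policy` when deciding reusability.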
@@ -6715,7 +6715,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, goto cleanup; } - if (zone != NULL && !named_zone_reusable(zone, zconfig)) { + if (zone != NULL && + !named_zone_reusable(zone, zconfig, vconfig, config, kasplist)) + { dns_zone_detach(&zone); fullsign = true; } @@ -6788,7 +6790,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, strcasecmp(ztypestr, "slave") == 0)); if (zone_maybe_inline) { - inline_signing = named_zone_inlinesigning(zconfig); + inline_signing = named_zone_inlinesigning(zconfig, vconfig, + config, kasplist); } if (inline_signing) { dns_zone_getraw(zone, &raw); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 358f114ebd..1759da7837 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1917,7 +1917,9 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone, } bool -named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { +named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, + const cfg_obj_t *vconfig, const cfg_obj_t *config, + dns_kasplist_t *kasplist) { const cfg_obj_t *zoptions = NULL; const cfg_obj_t *obj = NULL; const char *cfilename; @@ -1951,7 +1953,8 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { has_raw = false; } - inline_signing = named_zone_inlinesigning(zconfig); + inline_signing = named_zone_inlinesigning(zconfig, vconfig, config, + kasplist); if (!inline_signing && has_raw) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "not reusable: old zone was inline-signing"); 
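Review bot: With the policy default now flipping to inline-signing, the `named_zone_reusable` call in `configure_zone` will return false on the first reconfig for any existing dynamic dnssec-policy zone that lacks an explicit `inline-signing no`, after which the zone is detached and re-created with `fullsign = true`; the only trace the zoneconf.c hunk leaves is the `ISC_LOG_DEBUG(1)` "not reusable" message (this hunk shows the old-was-inline direction; the mirror case presumably follows just below it). Because this is a silent operational change for upgraders, I would log the signing-mode switch at `ISC_LOG_INFO`, e.g. `dns_zone_log(zone, ISC_LOG_INFO, "not reusable: zone switching to inline-signing via dnssec-policy");`, or emit it once from `configure_zone` where `fullsign` is set. Both `configure_zone` and `named_zone_reusable` extend well beyond these hunks.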
@@ -1988,15 +1991,53 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { } bool -named_zone_inlinesigning(const cfg_obj_t *zconfig) { - const cfg_obj_t *zoptions = NULL; +named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, + const cfg_obj_t *config, dns_kasplist_t *kasplist) { + const cfg_obj_t *maps[4]; const cfg_obj_t *signing = NULL; + const cfg_obj_t *policy = NULL; + dns_kasp_t *kasp = NULL; + isc_result_t res; bool inline_signing = false; + int i = 0; - zoptions = cfg_tuple_get(zconfig, "options"); - inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) == - ISC_R_SUCCESS && - cfg_obj_asboolean(signing)); + maps[i++] = cfg_tuple_get(zconfig, "options"); + if (vconfig != NULL) { + maps[i++] = cfg_tuple_get(vconfig, "options"); + } + if (config != NULL) { + const cfg_obj_t *options = NULL; + (void)cfg_map_get(config, "options", &options); + if (options != NULL) { + maps[i++] = options; + } + } + maps[i] = NULL; + + /* "inline-signing" is a zone-only clause, so look in maps[0] only. */ + res = cfg_map_get(maps[0], "inline-signing", &signing); + if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) { + return (cfg_obj_asboolean(signing)); + } + + /* If inline-signing is not set, check the value in dnssec-policy. */ + policy = NULL; + res = named_config_get(maps, "dnssec-policy", &policy); + /* If no dnssec-policy found, then zone is not using inline-signing. */ + if (res != ISC_R_SUCCESS || + strcmp(cfg_obj_asstring(policy), "none") == 0) + { + return (false); + } + + /* Lookup the policy. */ + res = dns_kasplist_find(kasplist, cfg_obj_asstring(policy), &kasp); + if (res != ISC_R_SUCCESS) { + return (false); + } + + inline_signing = dns_kasp_inlinesigning(kasp); + dns_kasp_detach(&kasp); return (inline_signing); } diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in index caf2ab83de..0dad4bde0d 100644 --- a/bin/tests/system/autosign/ns2/named.conf.in 
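Review bot: `named_zone_inlinesigning` checks `vconfig` and `config` for NULL but hands `kasplist` to `dns_kasplist_find` unchecked; if `dns_kasplist_find` does not itself tolerate a NULL list, a caller with no policies configured would trip an assertion, so either add `if (kasplist == NULL) { return (false); }` before the lookup or document the non-NULL requirement in zoneconf.h. A policy name that is present in the configuration but not found in the list is likewise reported as plain `false` with no diagnostic, which makes a config/kasplist mismatch indistinguishable from a non-inline zone; a debug-level log on that `res != ISC_R_SUCCESS` path would help. Minor style: `policy = NULL;` repeats the initializer, and the trailing `inline_signing` temporary could be dropped by reading `dns_kasp_inlinesigning(kasp)` into the return after the detach.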
+++ b/bin/tests/system/autosign/ns2/named.conf.in @@ -81,6 +81,7 @@ zone "example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy autosign; sig-signing-type 65280; }; @@ -99,6 +100,7 @@ zone "private.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy private; }; @@ -108,6 +110,7 @@ zone "insecure.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -117,6 +120,7 @@ zone "child.nsec3.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -126,6 +130,7 @@ zone "child.optout.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -135,6 +140,7 @@ zone "optout-with-ent" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 7111515be5..343c743af3 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -141,6 +141,7 @@ zone "secure.example" { type primary; file "secure.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -154,6 +155,7 @@ zone "nsec3.example" { type primary; file "nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -161,6 +163,7 @@ zone "autonsec3.example" { type primary; file "autonsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -168,6 +171,7 @@ zone "optout.nsec3.example" { type primary; file "optout.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; 
@@ -175,6 +179,7 @@ zone "nsec3.nsec3.example" { type primary; file "nsec3.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -182,6 +187,7 @@ zone "jitter.nsec3.example" { type primary; file "jitter.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy jitter-nsec3; sig-signing-nodes 1000; sig-signing-signatures 100; @@ -191,6 +197,7 @@ zone "secure.nsec3.example" { type primary; file "secure.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -205,6 +212,7 @@ zone "secure.optout.example" { type primary; file "secure.optout.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -212,6 +220,7 @@ zone "nsec3.optout.example" { type primary; file "nsec3.optout.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -219,6 +228,7 @@ zone "optout.optout.example" { type primary; file "optout.optout.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -226,6 +236,7 @@ zone "rsasha256.example" { type primary; file "rsasha256.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy rsasha256; }; @@ -233,6 +244,7 @@ zone "rsasha512.example" { type primary; file "rsasha512.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy rsasha512; }; @@ -240,6 +252,7 @@ zone "nsec-only.example" { type primary; file "nsec-only.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -247,6 +260,7 @@ zone "nsec3-to-nsec.example" { type primary; file "nsec3-to-nsec.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -254,6 +268,7 @@ zone "oldsigs.example" { type primary; file "oldsigs.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy jitter; sig-signing-nodes 1000; sig-signing-signatures 100; 
@@ -263,6 +278,7 @@ zone "prepub.example" { type primary; file "prepub.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -270,6 +286,7 @@ zone "ttl1.example" { type primary; file "ttl1.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -277,6 +294,7 @@ zone "ttl2.example" { type primary; file "ttl2.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -284,6 +302,7 @@ zone "ttl3.example" { type primary; file "ttl3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -291,6 +310,7 @@ zone "ttl4.example" { type primary; file "ttl4.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -303,6 +323,7 @@ zone "nozsk.example" { type primary; file "nozsk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -310,6 +331,7 @@ zone "inaczsk.example" { type primary; file "inaczsk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -317,6 +339,7 @@ zone "noksk.example" { type primary; file "noksk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -324,6 +347,7 @@ zone "sync.example" { type primary; file "sync.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy sync; }; @@ -338,6 +362,7 @@ zone "inaczsk2.example" { type primary; file "inaczsk2.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -345,6 +370,7 @@ zone "delzsk.example." { type primary; file "delzsk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -352,6 +378,7 @@ zone "dname-at-apex-nsec3.example" { type primary; file "dname-at-apex-nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 384fcfe34b..28210cfc69 100644 
--- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf @@ -21,6 +21,7 @@ dnssec-policy "test" { cds-digest-types { "sha-256"; }; + inline-signing yes; dnskey-ttl 3600; keys { ksk key-directory lifetime P1Y algorithm ecdsa256; @@ -44,7 +45,6 @@ options { zone "example1" { type primary; file "example1.db"; - inline-signing yes; }; zone "example2" { type primary; @@ -57,7 +57,6 @@ zone "example2" { zone "example3" { type primary; file "example3.db"; - inline-signing yes; dnssec-policy "default"; }; zone "dnssec-policy-none-shared-zonefile1" { diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in index a6e8b3a5b9..61cc6d410d 100644 --- a/bin/tests/system/kasp/ns3/named-fips.conf.in +++ b/bin/tests/system/kasp/ns3/named-fips.conf.in @@ -133,7 +133,7 @@ zone "secondary.kasp" { zone "dynamic.kasp" { type primary; file "dynamic.kasp.db"; - dnssec-policy "default"; + dnssec-policy "default-dynamic"; allow-update { any; }; }; diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in index 90a92a223c..320f221252 100644 --- a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in +++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in @@ -19,6 +19,10 @@ dnssec-policy "unlimited" { }; }; +dnssec-policy "default-dynamic" { + inline-signing no; +}; + dnssec-policy "manual-rollover" { dnskey-ttl 3600; diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in index 459ea73a89..0871546af5 100644 --- a/bin/tests/system/kasp/ns4/named.conf.in +++ b/bin/tests/system/kasp/ns4/named.conf.in @@ -155,6 +155,7 @@ view "example1" { zone "example.net" { type primary; + inline-signing no; file "example1.db"; }; }; diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in index d20bf7194a..cb82b0b6c6 100644 --- a/bin/tests/system/kasp/ns6/named.conf.in 
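Review bot: The new `dnssec-policy "default-dynamic"` in kasp-fips.conf.in consists of `inline-signing no;` alone, so a reader of the kasp test has to know that an otherwise-empty policy presumably inherits the rest of its settings from the built-in `default`; that is not obvious and is what `dynamic.kasp` now depends on. I would add a comment above it such as `// Presumably equivalent to the built-in "default" policy but signed in place, for dynamic (allow-update) zones.` and the same comment where the policy is repeated in nsupdate/ns3/named.conf.in.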
+++ b/bin/tests/system/kasp/ns6/named.conf.in @@ -59,6 +59,7 @@ zone "step1.going-insecure-dynamic.kasp" { type primary; file "step1.going-insecure-dynamic.kasp.db"; dnssec-policy "unsigning"; + inline-signing no; allow-update { any; }; }; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in index 13a57f91f7..2fa5b80383 100644 --- a/bin/tests/system/kasp/ns6/named2.conf.in +++ b/bin/tests/system/kasp/ns6/named2.conf.in @@ -65,6 +65,7 @@ zone "step2.going-insecure.kasp" { zone "step1.going-insecure-dynamic.kasp" { type primary; file "step1.going-insecure-dynamic.kasp.db"; + inline-signing no; dnssec-policy "insecure"; allow-update { any; }; }; @@ -72,6 +73,7 @@ zone "step1.going-insecure-dynamic.kasp" { zone "step2.going-insecure-dynamic.kasp" { type primary; file "step2.going-insecure-dynamic.kasp.db"; + inline-signing no; dnssec-policy "insecure"; allow-update { any; }; }; diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.in b/bin/tests/system/nsec3/ns3/named-fips.conf.in index 183b31590a..14c09ebe88 100644 --- a/bin/tests/system/nsec3/ns3/named-fips.conf.in +++ b/bin/tests/system/nsec3/ns3/named-fips.conf.in @@ -94,6 +94,7 @@ zone "nsec3-change.kasp" { zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; + inline-signing no; dnssec-policy "nsec3"; allow-update { any; }; }; @@ -132,10 +133,11 @@ zone "nsec3-fails-to-load.kasp" { /* These zones switch from dynamic to inline-signing or vice versa. */ zone "nsec3-dynamic-to-inline.kasp" { - type primary; - file "nsec3-dynamic-to-inline.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + inline-signing no; + dnssec-policy "nsec3"; + allow-update { any; }; }; zone "nsec3-inline-to-dynamic.kasp" { diff --git a/bin/tests/system/nsec3/ns3/named2-fips.conf.in b/bin/tests/system/nsec3/ns3/named2-fips.conf.in index ef7afeb8ad..1ff5925d46 100644 
--- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in +++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in @@ -97,6 +97,7 @@ zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; //dnssec-policy "nsec3"; + inline-signing no; dnssec-policy "nsec3-other"; allow-update { any; }; }; diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in index 7628532924..66c874ab0c 100644 --- a/bin/tests/system/nsupdate/ns3/named.conf.in +++ b/bin/tests/system/nsupdate/ns3/named.conf.in @@ -35,6 +35,10 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "default-dynamic" { + inline-signing no; +}; + zone "example" { type primary; allow-update { any; }; @@ -84,6 +88,6 @@ zone "too-big.test" { zone "multisigner.test" { type primary; allow-update { any; }; - dnssec-policy "default"; + dnssec-policy "default-dynamic"; file "multisigner.test.db"; }; diff --git a/bin/tests/system/statschannel/ns2/named.conf.in b/bin/tests/system/statschannel/ns2/named.conf.in index c2f81afb9e..342d03b561 100644 --- a/bin/tests/system/statschannel/ns2/named.conf.in +++ b/bin/tests/system/statschannel/ns2/named.conf.in @@ -38,6 +38,7 @@ controls { }; dnssec-policy "dnssec" { + inline-signing no; keys { ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@; zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@; @@ -45,6 +46,7 @@ dnssec-policy "dnssec" { }; dnssec-policy "manykeys" { + inline-signing no; keys { ksk lifetime unlimited algorithm 8; zsk lifetime unlimited algorithm 8; diff --git a/bin/tests/system/statschannel/ns2/named2.conf.in b/bin/tests/system/statschannel/ns2/named2.conf.in index 2f2fd74c6f..c726ae4220 100644 --- a/bin/tests/system/statschannel/ns2/named2.conf.in +++ b/bin/tests/system/statschannel/ns2/named2.conf.in 
@@ -45,6 +45,7 @@ dnssec-policy "dnssec" { }; dnssec-policy "manykeys" { + inline-signing no; keys { ksk lifetime unlimited algorithm 8; zsk lifetime unlimited algorithm 8; diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf index 785a36c02e..cd033c1760 100644 --- a/doc/misc/dnssec-policy.default.conf +++ b/doc/misc/dnssec-policy.default.conf @@ -31,6 +31,7 @@ dnssec-policy "default" { signatures-validity-dnskey 14d; // Zone parameters + inline-signing yes; max-zone-ttl 86400; zone-propagation-delay 300; diff --git a/doc/misc/options b/doc/misc/options index ed5082403b..537da0fe24 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -14,6 +14,7 @@ dnssec-policy { cdnskey ; cds-digest-types { ; ... }; dnskey-ttl ; + inline-signing ; keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... }; max-zone-ttl ; nsec3param [ iterations ] [ optout ] [ salt-length ]; diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 347e3ff746..88b6157233 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -103,6 +103,7 @@ struct dns_kasp { /* Zone settings */ dns_ttl_t zone_max_ttl; uint32_t zone_propagation_delay; + bool inline_signing; /* Parent settings */ dns_ttl_t parent_ds_ttl; @@ -389,6 +390,30 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value); *\li 'kasp' is a valid, thawed kasp. */ +bool +dns_kasp_inlinesigning(dns_kasp_t *kasp); +/*%< + * Should we use inline-signing for this DNSSEC policy? + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + * + * Returns: + * + *\li true or false. + */ + +void +dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value); +/*%< + * Set inline-signing. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + dns_ttl_t dns_kasp_zonemaxttl(dns_kasp_t *kasp); /*%< diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index 792dcfe927..c6fa9aa8ab 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c 
@@ -247,6 +247,22 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) { kasp->retire_safety = value; } +bool +dns_kasp_inlinesigning(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + + return (kasp->inline_signing); +} + +void +dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + + kasp->inline_signing = value; +} + dns_ttl_t dns_kasp_zonemaxttl(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 03d1a1fa68..19365fdc06 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -360,6 +360,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, const cfg_obj_t *koptions = NULL; const cfg_obj_t *keys = NULL; const cfg_obj_t *nsec3 = NULL; + const cfg_obj_t *inlinesigning = NULL; + const cfg_obj_t *cds = NULL; const cfg_obj_t *obj = NULL; const cfg_listelt_t *element = NULL; const char *kaspname = NULL; @@ -446,6 +448,14 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, } /* Configuration: Zone settings */ + (void)confget(maps, "inline-signing", &inlinesigning); + if (inlinesigning != NULL && cfg_obj_isboolean(inlinesigning)) { + dns_kasp_setinlinesigning(kasp, + cfg_obj_asboolean(inlinesigning)); + } else { + dns_kasp_setinlinesigning(kasp, true); + } + maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL); dns_kasp_setzonemaxttl(kasp, maxttl); @@ -470,10 +480,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, dns_kasp_setcdnskey(kasp, true); } - obj = NULL; - (void)confget(maps, "cds-digest-types", &obj); - if (obj != NULL) { - for (element = cfg_list_first(obj); element != NULL; + (void)confget(maps, "cds-digest-types", &cds); + if (cds != NULL) { + for (element = cfg_list_first(cds); element != NULL; element = cfg_list_next(element)) { result = add_digest(kasp, cfg_listelt_value(element), 
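Review bot: The `else` branch of the new `inline-signing` handling in `cfg_kasp_fromconfig` hard-codes `true`, while the very same default is spelled out again as `inline-signing yes;` in the built-in policy text in bin/named/config.c; the neighbouring defaults go through named constants (`DNS_KASP_ZONE_MAXTTL` two lines below, `DNS_KASP_KEY_TTL` and `DNS_KASP_PUBLISH_SAFETY` in the config.c string), so this one should too, e.g. a `DNS_KASP_INLINE_SIGNING` definition alongside them in kasp.h and `dns_kasp_setinlinesigning(kasp, DNS_KASP_INLINE_SIGNING);` here, so the two sources of truth cannot drift. The `obj` → `cds` rename in the following cds-digest-types hunk is unrelated cleanup and would read better as its own commit. `cfg_kasp_fromconfig` continues outside these hunks.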
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 64517d33b1..23da61eb61 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2208,6 +2208,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = { { "cdnskey", &cfg_type_boolean, 0 }, { "cds-digest-types", &cfg_type_algorithmlist, 0 }, { "dnskey-ttl", &cfg_type_duration, 0 }, + { "inline-signing", &cfg_type_boolean, 0 }, { "keys", &cfg_type_kaspkeys, 0 }, { "max-zone-ttl", &cfg_type_duration, 0 }, { "nsec3param", &cfg_type_nsec3, 0 },
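Review bot: `inline-signing` is now accepted inside `dnssec-policy`, but the only documentation touched by this diff is the generated `doc/misc/options` and `doc/misc/dnssec-policy.default.conf`; there is no ARM reference entry describing the new policy clause, its default of `yes`, or the precedence rule zoneconf.c implements (a zone-level `inline-signing` clause overrides the policy's) — unless that lands in a separate commit, it should be part of this one. The grammar entry itself is fine; I would only add a short ARM paragraph stating that `dnssec-policy` defaults to inline-signing and that dynamic zones wanting in-place signing must set `inline-signing no;` at the zone or policy level.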