Add inline-signing to dnssec-policy

Add an option to enable/disable inline-signing inside the dnssec-policy clause. The existing inline-signing option that is set in the zone clause takes priority, but if it is omitted, then the value that is set in dnssec-policy is taken. The built-in policies use inline-signing. This means that if you want to use the default policy without inline-signing you either have to set it explicitly in the zone clause: zone "example" { ... dnssec-policy default; inline-signing no; }; Or create a new policy, only overriding the inline-signing option: dnssec-policy "default-dynamic" { inline-signing no; }; zone "example" { ... dnssec-policy default-dynamic; }; This also means that if you are going insecure with a dynamic zone, the built-in "insecure" policy needs to be accompanied with "inline-signing no;".
2025-08-31 14:35:26 +00:00 · 2023-04-03 17:00:36 +02:00
parent 4bf94f4c52
commit bbfdcc36c8
23 changed files with 178 additions and 25 deletions
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -247,6 +247,22 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
 	kasp->retire_safety = value;
 }

+bool
+dns_kasp_inlinesigning(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->inline_signing);
+}
+
+void
+dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->inline_signing = value;
+}
+
 dns_ttl_t
 dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
 	REQUIRE(DNS_KASP_VALID(kasp));