
Add inline-signing to dnssec-policy

Add an option to enable/disable inline-signing inside the
dnssec-policy clause. The existing inline-signing option that is
set in the zone clause takes priority, but if it is omitted, then the
value that is set in dnssec-policy is taken.

The built-in policies use inline-signing.

This means that if you want to use the default policy without
inline-signing you either have to set it explicitly in the zone
clause:

    zone "example" {
        ...
        dnssec-policy default;
        inline-signing no;
    };

Or create a new policy, only overriding the inline-signing option:

    dnssec-policy "default-dynamic" {
        inline-signing no;
    };

    zone "example" {
        ...
        dnssec-policy default-dynamic;
    };

This also means that when a dynamic zone is going insecure, the
built-in "insecure" policy must be accompanied by "inline-signing no;"
in the zone clause, because that built-in policy also defaults to
inline-signing.
Matthijs Mekking
2023-04-03 17:00:36 +02:00
parent 4bf94f4c52
commit bbfdcc36c8
23 changed files with 178 additions and 25 deletions


@@ -294,6 +294,7 @@ dnssec-policy \"default\" {\n\
cdnskey yes;\n\
cds-digest-types { 2; };\n\
dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
inline-signing yes;\n\
publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
purge-keys " DNS_KASP_PURGE_KEYS "; \n\
@@ -308,6 +309,7 @@ dnssec-policy \"default\" {\n\
\n\
dnssec-policy \"insecure\" {\n\
keys { };\n\
inline-signing yes;\n\
};\n\
\n\
"


@@ -44,7 +44,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
bool
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
dns_kasplist_t *kasplist);
/*%<
* If 'zone' can be safely reconfigured according to the configuration
* data in 'zconfig', return true. If the configuration data is so
@@ -53,10 +55,12 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
*/
bool
named_zone_inlinesigning(const cfg_obj_t *zconfig);
named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
const cfg_obj_t *config, dns_kasplist_t *kasplist);
/*%<
* Determine if zone uses inline-signing. This is true if inline-signing
* is set to yes.
* is set to yes, in the zone clause or in the zone's dnssec-policy clause.
* By default, dnssec-policy uses inline-signing.
*/
isc_result_t
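Review bot: The new declaration of named_zone_inlinesigning does not document that vconfig and config may be NULL, although the implementation in this commit guards both before reading them, nor that kasplist is consulted only when the zone clause omits inline-signing. Callers reading just this header could assume all three must be supplied. I would extend the comment with `* 'vconfig' and 'config' may be NULL; 'kasplist' is searched for the zone's dnssec-policy only when the zone clause does not set inline-signing itself.` The same NULL-tolerance note applies to the new parameters of named_zone_reusable above, whose comment block continues outside this hunk.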


@@ -6715,7 +6715,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
goto cleanup;
}
if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
if (zone != NULL &&
!named_zone_reusable(zone, zconfig, vconfig, config, kasplist))
{
dns_zone_detach(&zone);
fullsign = true;
}
@@ -6788,7 +6790,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
strcasecmp(ztypestr, "slave") == 0));
if (zone_maybe_inline) {
inline_signing = named_zone_inlinesigning(zconfig);
inline_signing = named_zone_inlinesigning(zconfig, vconfig,
config, kasplist);
}
if (inline_signing) {
dns_zone_getraw(zone, &raw);


@@ -1917,7 +1917,9 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
}
bool
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
dns_kasplist_t *kasplist) {
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *obj = NULL;
const char *cfilename;
@@ -1951,7 +1953,8 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
has_raw = false;
}
inline_signing = named_zone_inlinesigning(zconfig);
inline_signing = named_zone_inlinesigning(zconfig, vconfig, config,
kasplist);
if (!inline_signing && has_raw) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"not reusable: old zone was inline-signing");
@@ -1988,15 +1991,53 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
}
bool
named_zone_inlinesigning(const cfg_obj_t *zconfig) {
const cfg_obj_t *zoptions = NULL;
named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
const cfg_obj_t *config, dns_kasplist_t *kasplist) {
const cfg_obj_t *maps[4];
const cfg_obj_t *signing = NULL;
const cfg_obj_t *policy = NULL;
dns_kasp_t *kasp = NULL;
isc_result_t res;
bool inline_signing = false;
int i = 0;
zoptions = cfg_tuple_get(zconfig, "options");
inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
ISC_R_SUCCESS &&
cfg_obj_asboolean(signing));
maps[i++] = cfg_tuple_get(zconfig, "options");
if (vconfig != NULL) {
maps[i++] = cfg_tuple_get(vconfig, "options");
}
if (config != NULL) {
const cfg_obj_t *options = NULL;
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
maps[i++] = options;
}
}
maps[i] = NULL;
/* "inline-signing" is a zone-only clause, so look in maps[0] only. */
res = cfg_map_get(maps[0], "inline-signing", &signing);
if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
return (cfg_obj_asboolean(signing));
}
/* If inline-signing is not set, check the value in dnssec-policy. */
policy = NULL;
res = named_config_get(maps, "dnssec-policy", &policy);
/* If no dnssec-policy found, then zone is not using inline-signing. */
if (res != ISC_R_SUCCESS ||
strcmp(cfg_obj_asstring(policy), "none") == 0)
{
return (false);
}
/* Lookup the policy. */
res = dns_kasplist_find(kasplist, cfg_obj_asstring(policy), &kasp);
if (res != ISC_R_SUCCESS) {
return (false);
}
inline_signing = dns_kasp_inlinesigning(kasp);
dns_kasp_detach(&kasp);
return (inline_signing);
}
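Review bot: In named_zone_inlinesigning the dns_kasplist_find failure branch returns false silently, so a zone whose dnssec-policy name is misspelled, or whose policy is not yet present in kasplist at the time configure_zone runs, is configured as a non-inline zone with no diagnostic; since this value also drives the reusable/fullsign decision in named_zone_reusable, that silent fallback can change how a zone is signed on reconfig. Presumably the policy name is validated earlier by the configuration checker, but that is not visible in this hunk; if it is, a comment such as `/* Policy names are validated by the checker, so a miss here is unexpected. */` would make the assumption explicit, and if not, a debug-level log line on the miss would avoid a silent downgrade. Separately, the `policy = NULL;` assignment before named_config_get is redundant because policy is initialised to NULL at declaration.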


@@ -81,6 +81,7 @@ zone "example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
sig-signing-type 65280;
};
@@ -99,6 +100,7 @@ zone "private.secure.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy private;
};
@@ -108,6 +110,7 @@ zone "insecure.secure.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -117,6 +120,7 @@ zone "child.nsec3.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@@ -126,6 +130,7 @@ zone "child.optout.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@@ -135,6 +140,7 @@ zone "optout-with-ent" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};


@@ -141,6 +141,7 @@ zone "secure.example" {
type primary;
file "secure.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -154,6 +155,7 @@ zone "nsec3.example" {
type primary;
file "nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@@ -161,6 +163,7 @@ zone "autonsec3.example" {
type primary;
file "autonsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@@ -168,6 +171,7 @@ zone "optout.nsec3.example" {
type primary;
file "optout.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@@ -175,6 +179,7 @@ zone "nsec3.nsec3.example" {
type primary;
file "nsec3.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@@ -182,6 +187,7 @@ zone "jitter.nsec3.example" {
type primary;
file "jitter.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy jitter-nsec3;
sig-signing-nodes 1000;
sig-signing-signatures 100;
@@ -191,6 +197,7 @@ zone "secure.nsec3.example" {
type primary;
file "secure.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@@ -205,6 +212,7 @@ zone "secure.optout.example" {
type primary;
file "secure.optout.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@@ -212,6 +220,7 @@ zone "nsec3.optout.example" {
type primary;
file "nsec3.optout.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@@ -219,6 +228,7 @@ zone "optout.optout.example" {
type primary;
file "optout.optout.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@@ -226,6 +236,7 @@ zone "rsasha256.example" {
type primary;
file "rsasha256.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy rsasha256;
};
@@ -233,6 +244,7 @@ zone "rsasha512.example" {
type primary;
file "rsasha512.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy rsasha512;
};
@@ -240,6 +252,7 @@ zone "nsec-only.example" {
type primary;
file "nsec-only.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -247,6 +260,7 @@ zone "nsec3-to-nsec.example" {
type primary;
file "nsec3-to-nsec.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@@ -254,6 +268,7 @@ zone "oldsigs.example" {
type primary;
file "oldsigs.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy jitter;
sig-signing-nodes 1000;
sig-signing-signatures 100;
@@ -263,6 +278,7 @@ zone "prepub.example" {
type primary;
file "prepub.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -270,6 +286,7 @@ zone "ttl1.example" {
type primary;
file "ttl1.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -277,6 +294,7 @@ zone "ttl2.example" {
type primary;
file "ttl2.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -284,6 +302,7 @@ zone "ttl3.example" {
type primary;
file "ttl3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -291,6 +310,7 @@ zone "ttl4.example" {
type primary;
file "ttl4.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -303,6 +323,7 @@ zone "nozsk.example" {
type primary;
file "nozsk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -310,6 +331,7 @@ zone "inaczsk.example" {
type primary;
file "inaczsk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -317,6 +339,7 @@ zone "noksk.example" {
type primary;
file "noksk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -324,6 +347,7 @@ zone "sync.example" {
type primary;
file "sync.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy sync;
};
@@ -338,6 +362,7 @@ zone "inaczsk2.example" {
type primary;
file "inaczsk2.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@@ -345,6 +370,7 @@ zone "delzsk.example." {
type primary;
file "delzsk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@@ -352,6 +378,7 @@ zone "dname-at-apex-nsec3.example" {
type primary;
file "dname-at-apex-nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};


@@ -21,6 +21,7 @@ dnssec-policy "test" {
cds-digest-types {
"sha-256";
};
inline-signing yes;
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm ecdsa256;
@@ -44,7 +45,6 @@ options {
zone "example1" {
type primary;
file "example1.db";
inline-signing yes;
};
zone "example2" {
type primary;
@@ -57,7 +57,6 @@ zone "example2" {
zone "example3" {
type primary;
file "example3.db";
inline-signing yes;
dnssec-policy "default";
};
zone "dnssec-policy-none-shared-zonefile1" {


@@ -133,7 +133,7 @@ zone "secondary.kasp" {
zone "dynamic.kasp" {
type primary;
file "dynamic.kasp.db";
dnssec-policy "default";
dnssec-policy "default-dynamic";
allow-update { any; };
};


@@ -19,6 +19,10 @@ dnssec-policy "unlimited" {
};
};
dnssec-policy "default-dynamic" {
inline-signing no;
};
dnssec-policy "manual-rollover" {
dnskey-ttl 3600;


@@ -155,6 +155,7 @@ view "example1" {
zone "example.net" {
type primary;
inline-signing no;
file "example1.db";
};
};


@@ -59,6 +59,7 @@ zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
dnssec-policy "unsigning";
inline-signing no;
allow-update { any; };
};


@@ -65,6 +65,7 @@ zone "step2.going-insecure.kasp" {
zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};
@@ -72,6 +73,7 @@ zone "step1.going-insecure-dynamic.kasp" {
zone "step2.going-insecure-dynamic.kasp" {
type primary;
file "step2.going-insecure-dynamic.kasp.db";
inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};


@@ -94,6 +94,7 @@ zone "nsec3-change.kasp" {
zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
inline-signing no;
dnssec-policy "nsec3";
allow-update { any; };
};
@@ -134,6 +135,7 @@ zone "nsec3-fails-to-load.kasp" {
zone "nsec3-dynamic-to-inline.kasp" {
type primary;
file "nsec3-dynamic-to-inline.kasp.db";
inline-signing no;
dnssec-policy "nsec3";
allow-update { any; };
};


@@ -97,6 +97,7 @@ zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
//dnssec-policy "nsec3";
inline-signing no;
dnssec-policy "nsec3-other";
allow-update { any; };
};


@@ -35,6 +35,10 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
dnssec-policy "default-dynamic" {
inline-signing no;
};
zone "example" {
type primary;
allow-update { any; };
@@ -84,6 +88,6 @@ zone "too-big.test" {
zone "multisigner.test" {
type primary;
allow-update { any; };
dnssec-policy "default";
dnssec-policy "default-dynamic";
file "multisigner.test.db";
};


@@ -38,6 +38,7 @@ controls {
};
dnssec-policy "dnssec" {
inline-signing no;
keys {
ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
@@ -45,6 +46,7 @@ dnssec-policy "dnssec" {
};
dnssec-policy "manykeys" {
inline-signing no;
keys {
ksk lifetime unlimited algorithm 8;
zsk lifetime unlimited algorithm 8;


@@ -45,6 +45,7 @@ dnssec-policy "dnssec" {
};
dnssec-policy "manykeys" {
inline-signing no;
keys {
ksk lifetime unlimited algorithm 8;
zsk lifetime unlimited algorithm 8;


@@ -31,6 +31,7 @@ dnssec-policy "default" {
signatures-validity-dnskey 14d;
// Zone parameters
inline-signing yes;
max-zone-ttl 86400;
zone-propagation-delay 300;


@@ -14,6 +14,7 @@ dnssec-policy <string> {
cdnskey <boolean>;
cds-digest-types { <string>; ... };
dnskey-ttl <duration>;
inline-signing <boolean>;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];


@@ -103,6 +103,7 @@ struct dns_kasp {
/* Zone settings */
dns_ttl_t zone_max_ttl;
uint32_t zone_propagation_delay;
bool inline_signing;
/* Parent settings */
dns_ttl_t parent_ds_ttl;
@@ -389,6 +390,30 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value);
*\li 'kasp' is a valid, thawed kasp.
*/
bool
dns_kasp_inlinesigning(dns_kasp_t *kasp);
/*%<
* Should we use inline-signing for this DNSSEC policy?
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li true or false.
*/
void
dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
/*%<
* Set inline-signing.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp);
/*%<


@@ -247,6 +247,22 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
kasp->retire_safety = value;
}
bool
dns_kasp_inlinesigning(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return (kasp->inline_signing);
}
void
dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->inline_signing = value;
}
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));


@@ -360,6 +360,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
const cfg_obj_t *koptions = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *nsec3 = NULL;
const cfg_obj_t *inlinesigning = NULL;
const cfg_obj_t *cds = NULL;
const cfg_obj_t *obj = NULL;
const cfg_listelt_t *element = NULL;
const char *kaspname = NULL;
@@ -446,6 +448,14 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
}
/* Configuration: Zone settings */
(void)confget(maps, "inline-signing", &inlinesigning);
if (inlinesigning != NULL && cfg_obj_isboolean(inlinesigning)) {
dns_kasp_setinlinesigning(kasp,
cfg_obj_asboolean(inlinesigning));
} else {
dns_kasp_setinlinesigning(kasp, true);
}
maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL);
dns_kasp_setzonemaxttl(kasp, maxttl);
@@ -470,10 +480,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
dns_kasp_setcdnskey(kasp, true);
}
obj = NULL;
(void)confget(maps, "cds-digest-types", &obj);
if (obj != NULL) {
for (element = cfg_list_first(obj); element != NULL;
(void)confget(maps, "cds-digest-types", &cds);
if (cds != NULL) {
for (element = cfg_list_first(cds); element != NULL;
element = cfg_list_next(element))
{
result = add_digest(kasp, cfg_listelt_value(element),
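Review bot: The else branch in cfg_kasp_fromconfig hard-codes the inline-signing default as a bare `true`, while the neighbouring defaults in this function are taken from named constants such as DNS_KASP_ZONE_MAXTTL, and the same default is also spelled out as `inline-signing yes;` in the built-in policy text elsewhere in this commit. Two independent sources of the same default can drift apart silently, which would make a policy behave differently depending on whether it is built from the built-in text or from a user policy that omits the option. I would at least add a comment on the else branch, `/* Default must match "inline-signing yes;" in the built-in policies. */`, and consider a named default constant next to the other DNS_KASP_* defaults. The function continues outside this hunk.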


@@ -2208,6 +2208,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
{ "cdnskey", &cfg_type_boolean, 0 },
{ "cds-digest-types", &cfg_type_algorithmlist, 0 },
{ "dnskey-ttl", &cfg_type_duration, 0 },
{ "inline-signing", &cfg_type_boolean, 0 },
{ "keys", &cfg_type_kaspkeys, 0 },
{ "max-zone-ttl", &cfg_type_duration, 0 },
{ "nsec3param", &cfg_type_nsec3, 0 },