Don't sign the raw zone

The raw zone is not supposed to be signed. DNSKEY records in a raw zone should not trigger zone signing. The update code needs to be able to identify when it is working on a raw zone. Add dns_zone_israw() and dns_zone_issecure() enable it to do this. Also, we need to check the case for 'auto-dnssec maintain'.
2025-08-28 13:08:06 +00:00 · 2022-10-12 17:01:57 +11:00 · 2022-10-12 17:01:57 +11:00 · d24297343f
commit d24297343f
parent 508c60ad90
3 changed files with 36 additions and 3 deletions
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@ -2317,6 +2317,12 @@ dns_zone_link(dns_zone_t *zone, dns_zone_t *raw);
 void
 dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);

+bool
+dns_zone_israw(dns_zone_t *zone);
+
+bool
+dns_zone_issecure(dns_zone_t *zone);
+
 isc_result_t
 dns_zone_keydone(dns_zone_t *zone, const char *data);
 /*%<
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -22189,6 +22189,26 @@ dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
 	UNLOCK(&zone->lock);
 }

+bool
+dns_zone_israw(dns_zone_t *zone) {
+	bool israw;
+	REQUIRE(DNS_ZONE_VALID(zone));
+	LOCK(&zone->lock);
+	israw = zone->secure != NULL;
+	UNLOCK(&zone->lock);
+	return (israw);
+}
+
+bool
+dns_zone_issecure(dns_zone_t *zone) {
+	bool issecure;
+	REQUIRE(DNS_ZONE_VALID(zone));
+	LOCK(&zone->lock);
+	issecure = zone->raw != NULL;
+	UNLOCK(&zone->lock);
+	return (issecure);
+}
+
 struct keydone {
 	bool all;
 	unsigned char data[5];
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@ -2900,6 +2900,7 @@ update_action(void *arg) {
 	dns_ttl_t maxttl = 0;
 	uint32_t maxrecords;
 	uint64_t records;
+	bool is_inline, is_maintain, is_signing;

 	dns_diff_init(mctx, &diff);
 	dns_diff_init(mctx, &temp);
@ -2910,6 +2911,10 @@ update_action(void *arg) {
 	dns_zone_getssutable(zone, &ssutable);
 	options = dns_zone_getoptions(zone);

+	is_inline = (!dns_zone_israw(zone) && dns_zone_issecure(zone));
+	is_maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
+	is_signing = is_inline || (!is_inline && is_maintain);
+
 	/*
 	 * Get old and new versions now that queryacl has been checked.
 	 */
@ -3435,7 +3440,7 @@ update_action(void *arg) {
 			goto failure;
 		}
 	}
-	if (!ISC_LIST_EMPTY(diff.tuples)) {
+	if (!ISC_LIST_EMPTY(diff.tuples) && is_signing) {
 		result = dns_zone_cdscheck(zone, db, ver);
 		if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
 			update_log(client, zone, LOGLEVEL_PROTOCOL,
@ -3481,11 +3486,13 @@ update_action(void *arg) {

 		CHECK(rollback_private(db, privatetype, ver, &diff));

-		CHECK(add_signing_records(db, privatetype, ver, &diff));
+		if (is_signing) {
+			CHECK(add_signing_records(db, privatetype, ver, &diff));
+		}

 		CHECK(add_nsec3param_records(client, zone, db, ver, &diff));

-		if (had_dnskey && !has_dnskey) {
+		if (is_signing && had_dnskey && !has_dnskey) {
 			/*
 			 * We are transitioning from secure to insecure.
 			 * Cause all NSEC3 chains to be deleted.  When the