Remove implicit inline-signing code

Remove the code that sets implicit inline-signing on zones using dnssec-policy.
2025-08-29 05:28:00 +00:00 · 2022-06-07 15:35:49 +02:00 · 2022-06-07 15:35:49 +02:00 · d447b1b58c
commit d447b1b58c
parent d62439e2ec
3 changed files with 8 additions and 91 deletions
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@ -44,9 +44,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 */

 bool
-named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
-		    const cfg_obj_t *vconfig, const cfg_obj_t *config,
-		    cfg_aclconfctx_t *actx);
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
 /*%<
 * If 'zone' can be safely reconfigured according to the configuration
 * data in 'zconfig', return true.  If the configuration data is so
@ -55,12 +53,10 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
 */

 bool
-named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
-			 const cfg_obj_t *vconfig, const cfg_obj_t *config,
-			 cfg_aclconfctx_t *actx);
+named_zone_inlinesigning(const cfg_obj_t *zconfig);
 /*%<
 * Determine if zone uses inline-signing. This is true if inline-signing
- * is set to yes, or if there is a dnssec-policy on a non-dynamic zone.
+ * is set to yes.
 */

 isc_result_t
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -6747,9 +6747,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		goto cleanup;
 	}

-	if (zone != NULL &&
-	    !named_zone_reusable(zone, zconfig, vconfig, config, aclconf))
-	{
+	if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
 		dns_zone_detach(&zone);
 	}

@ -6831,8 +6829,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 			      strcasecmp(ztypestr, "slave") == 0));

 	if (zone_maybe_inline) {
-		inline_signing = named_zone_inlinesigning(
-			zone, zconfig, vconfig, config, aclconf);
+		inline_signing = named_zone_inlinesigning(zconfig);
 	}
 	if (inline_signing) {
 		dns_zone_getraw(zone, &raw);
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -2044,9 +2044,7 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
 }

 bool
-named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
-		    const cfg_obj_t *vconfig, const cfg_obj_t *config,
-		    cfg_aclconfctx_t *actx) {
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *obj = NULL;
 	const char *cfilename;
@ -2080,8 +2078,7 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
 		has_raw = false;
 	}

-	inline_signing = named_zone_inlinesigning(zone, zconfig, vconfig,
-						  config, actx);
+	inline_signing = named_zone_inlinesigning(zconfig);
 	if (!inline_signing && has_raw) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "not reusable: old zone was inline-signing");
@ -2118,88 +2115,15 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
 }

 bool
-named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
-			 const cfg_obj_t *vconfig, const cfg_obj_t *config,
-			 cfg_aclconfctx_t *actx) {
-	isc_result_t res;
+named_zone_inlinesigning(const cfg_obj_t *zconfig) {
 	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *voptions = NULL;
-	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *signing = NULL;
-	const cfg_obj_t *allowupdate = NULL;
-	const cfg_obj_t *updatepolicy = NULL;
-	bool zone_is_dynamic = false;
 	bool inline_signing = false;
-	bool dnssec_policy = false;
-
-	(void)cfg_map_get(config, "options", &options);

 	zoptions = cfg_tuple_get(zconfig, "options");
-	if (vconfig != NULL) {
-		voptions = cfg_tuple_get(vconfig, "options");
-	}
-
 	inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
 				  ISC_R_SUCCESS &&
 			  cfg_obj_asboolean(signing));
-	if (inline_signing) {
-		return (true);
-	}
-
-	if (cfg_map_get(zoptions, "update-policy", &updatepolicy) ==
-	    ISC_R_SUCCESS) {
-		zone_is_dynamic = true;
-	} else {
-		res = cfg_map_get(zoptions, "allow-update", &allowupdate);
-		if (res != ISC_R_SUCCESS && voptions != NULL) {
-			res = cfg_map_get(voptions, "allow-update",
-					  &allowupdate);
-		}
-		if (res != ISC_R_SUCCESS && options != NULL) {
-			res = cfg_map_get(options, "allow-update",
-					  &allowupdate);
-		}
-		if (res == ISC_R_SUCCESS) {
-			dns_acl_t *acl = NULL;
-			res = cfg_acl_fromconfig(
-				allowupdate, config, named_g_lctx, actx,
-				dns_zone_getmctx(zone), 0, &acl);
-			if (res == ISC_R_SUCCESS && acl != NULL &&
-			    !dns_acl_isnone(acl)) {
-				zone_is_dynamic = true;
-			}
-			if (acl != NULL) {
-				dns_acl_detach(&acl);
-			}
-		}
-	}
-
-	/*
-	 * If inline-signing is not set, perhaps implictly through a
-	 * dnssec-policy.  Since automated DNSSEC maintenance requires
-	 * a dynamic zone, or inline-siging to be enabled, check if
-	 * the zone with dnssec-policy allows updates.  If not, enable
-	 * inline-signing.
-	 */
-	signing = NULL;
-	res = cfg_map_get(zoptions, "dnssec-policy", &signing);
-	if (res != ISC_R_SUCCESS && voptions != NULL) {
-		res = cfg_map_get(voptions, "dnssec-policy", &signing);
-	}
-	if (res != ISC_R_SUCCESS && options != NULL) {
-		res = cfg_map_get(options, "dnssec-policy", &signing);
-	}
-	if (res == ISC_R_SUCCESS) {
-		dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") !=
-				 0);
-	}
-
-	if (!inline_signing && !zone_is_dynamic && dnssec_policy) {
-		inline_signing = true;
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "inline-signing: "
-			     "implicitly through dnssec-policy");
-	}

 	return (inline_signing);
 }