From 0d5e0867df94c05b7523b89e0a4135c0cec728e1 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 11 Jul 2022 10:30:44 +0200
Subject: [PATCH] Inherit dnssec-policy in check for inline-signing

When dnssec-policy is used, and the zone is not dynamic, BIND will assume that the zone is inline-signed. But the function responsible for this did not inherit the dnssec-policy option from the view or options level, and thus never enabled inline-signing, while the zone should have been. This is fixed by this commit.

(cherry picked from commit 576b21b1682605a7d04e51c8a7721180f828b2d7)
---
 bin/named/zoneconf.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 7a414201709..d1d45d818bc 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -2171,6 +2171,7 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
 const cfg_obj_t *updatepolicy = NULL;
 bool zone_is_dynamic = false;
 bool inline_signing = false;
+ bool dnssec_policy = false;
 
 (void)cfg_map_get(config, "options", &options);
 
@@ -2222,16 +2223,23 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
 * inline-signing.
 */
 signing = NULL;
- if (!inline_signing && !zone_is_dynamic &&
- cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS &&
- signing != NULL)
- {
- if (strcmp(cfg_obj_asstring(signing), "none") != 0) {
- inline_signing = true;
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "inline-signing: "
- "implicitly through dnssec-policy");
- }
+ res = cfg_map_get(zoptions, "dnssec-policy", &signing);
+ if (res != ISC_R_SUCCESS && voptions != NULL) {
+ res = cfg_map_get(voptions, "dnssec-policy", &signing);
+ }
+ if (res != ISC_R_SUCCESS && options != NULL) {
+ res = cfg_map_get(options, "dnssec-policy", &signing);
+ }
+ if (res == ISC_R_SUCCESS) {
+ dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") !=
+ 0);
+ }
+
+ if (!inline_signing && !zone_is_dynamic && dnssec_policy) {
+ inline_signing = true;
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "inline-signing: "
+ "implicitly through dnssec-policy");
 }
 
 return (inline_signing);
-- 
GitLab
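Review bot: The lookup chain that now decides `dnssec_policy` (zone, then view, then global options, stopping at the first level where `cfg_map_get` succeeds) is not documented, and that precedence is what lets a zone-level `dnssec-policy none` opt out of an inherited policy. A comment above `res = cfg_map_get(zoptions, "dnssec-policy", &signing);` such as `/* dnssec-policy is inherited: zone, then view, then options; the first level that sets it wins, so a zone-level "none" overrides an inherited policy. */` would make that explicit. The removed code also required `signing != NULL` before calling `cfg_obj_asstring(signing)`; the new `if (res == ISC_R_SUCCESS)` relies on `cfg_map_get` always setting the object on success, which is probably true but is not visible here, so `if (res == ISC_R_SUCCESS && signing != NULL) {` would keep the old guard. `res` and `voptions` are declared outside this hunk, and the comment block that ends at `* inline-signing.` starts outside it as well.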