From 949768b252f3cb8a64425f15c9819b24202bb553 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 10 Oct 2022 14:14:43 +0200 Subject: [PATCH] Don't allow DNSSEC records in the raw zone There was an exception for dnssec-policy that allowed DNSSEC in the unsigned version of the zone. This however causes a crash if the zone switches from dynamic to inline-signing in the case of NSEC3, because we are now trying to add an NSEC3 record to a non-NSEC3 node. This is because BIND expects none of the records in the unsigned version of the zone to be NSEC3. Remove the exception for dnssec-policy when copying non DNSSEC records, but do allow for DNSKEY as this may be a published DNSKEY from a different provider. (cherry picked from commit 332b98ae49948e26a90f1d6e0a625f6eec568777) --- lib/dns/zone.c | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 9a248ff318..e6c6bd01ca 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -16969,9 +16969,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, } static isc_result_t -copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version, - dns_db_t *rawdb, dns_dbiterator_t *dbiterator, - unsigned int *oldserial) { +copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb, + dns_dbiterator_t *dbiterator, unsigned int *oldserial) { dns_dbnode_t *rawnode = NULL, *node = NULL; dns_fixedname_t fixed; dns_name_t *name = dns_fixedname_initname(&fixed); 
@@ -17008,14 +17007,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version, rdataset.type == dns_rdatatype_dnskey || rdataset.type == dns_rdatatype_nsec3param) { - /* - * Allow DNSSEC records with dnssec-policy. - * WMM: Perhaps add config option for it. - */ - if (dns_zone_getkasp(zone) == NULL) { - dns_rdataset_disassociate(&rdataset); - continue; - } + dns_rdataset_disassociate(&rdataset); + continue; } if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) { result = checkandaddsoa(db, node, version, &rdataset, @@ -17118,8 +17111,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) { for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS; result = dns_dbiterator_next(dbiterator)) { - result = copy_non_dnssec_records(zone, db, version, rawdb, - dbiterator, oldserialp); + result = copy_non_dnssec_records(db, version, rawdb, dbiterator, + oldserialp); if (result != ISC_R_SUCCESS) { goto failure; } -- 2.23.0
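Review bot: The commit message says DNSKEY should still be allowed through as a possibly published key from another provider, but the retained context line `rdataset.type == dns_rdatatype_dnskey ||` still feeds the now-unconditional `dns_rdataset_disassociate(&rdataset); continue;`, so a DNSKEY in the raw zone is dropped like the other DNSSEC types as far as this hunk shows. Either that condition line should be removed from the `if` (unless it is adjusted in a part of the condition outside the hunk) or the message should be corrected, since an operator reading it would expect the multi-signer DNSKEY to survive into the secure copy. With the kasp exception gone there is also no remaining path that keeps these records, so any DNSSEC data present in the raw zone is discarded silently; a low-level log entry at the skip would make that visible, though the `zone` handle needed for `dns_zone_log` is the parameter the first hunk removes. The enclosing `copy_non_dnssec_records` body starts and ends outside this hunk.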