Signed-off-by: huangyu <huangyu106@huawei.com> (cherry picked from commit cd59b6ec71f1147990c7f96b1e74baf413b7d4c9)
From 0d5e0867df94c05b7523b89e0a4135c0cec728e1 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 11 Jul 2022 10:30:44 +0200
Subject: [PATCH] Inherit dnssec-policy in check for inline-signing
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. But the function responsible
for this did not inherit the dnssec-policy option from the view or
options level, and thus never enabled inline-signing, while the zone
should have been.
This is fixed by this commit.
(cherry picked from commit 576b21b1682605a7d04e51c8a7721180f828b2d7)
---
bin/named/zoneconf.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 7a414201709..d1d45d818bc 100644
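--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -2171,6 +2171,7 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
 const cfg_obj_t *updatepolicy = NULL;
 bool zone_is_dynamic = false;
 bool inline_signing = false;
+ bool dnssec_policy = false;
 
 (void)cfg_map_get(config, "options", &options);
 
@@ -2222,16 +2223,23 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
 * inline-signing.
 */
 signing = NULL;
- if (!inline_signing && !zone_is_dynamic &&
- cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS &&
- signing != NULL)
- {
- if (strcmp(cfg_obj_asstring(signing), "none") != 0) {
- inline_signing = true;
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "inline-signing: "
- "implicitly through dnssec-policy");
- }
+ res = cfg_map_get(zoptions, "dnssec-policy", &signing);
+ if (res != ISC_R_SUCCESS && voptions != NULL) {
+ res = cfg_map_get(voptions, "dnssec-policy", &signing);
+ }
+ if (res != ISC_R_SUCCESS && options != NULL) {
+ res = cfg_map_get(options, "dnssec-policy", &signing);
+ }
+ if (res == ISC_R_SUCCESS) {
+ dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") !=
+ 0);
+ }
+
+ if (!inline_signing && !zone_is_dynamic && dnssec_policy) {
+ inline_signing = true;
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "inline-signing: "
+ "implicitly through dnssec-policy");
 }
 
 return (inline_signing);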
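Review bot: The rewritten lookup in the second hunk drops the `signing != NULL` guard that the removed condition carried, so `cfg_obj_asstring(signing)` now depends on `res == ISC_R_SUCCESS` alone. Whether `cfg_map_get` can succeed without setting the object is not visible here, so keeping the guard is the cheaper choice: `if (res == ISC_R_SUCCESS && signing != NULL) {`. The zone, view, options order also deserves a comment above the first lookup, for example `/* Zone-level dnssec-policy (including "none") overrides view and options. */`, because an explicit `none` on the zone is what keeps an inherited policy from enabling inline-signing. `res` and `voptions` are declared outside the hunk, as is the start of `named_zone_inlinesigning`, so their types and initial values could not be checked.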
--
GitLab