From 949768b252f3cb8a64425f15c9819b24202bb553 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 10 Oct 2022 14:14:43 +0200
Subject: [PATCH] Don't allow DNSSEC records in the raw zone
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.
Remove the exception for dnssec-policy when copying non DNSSEC
records, but do allow for DNSKEY as this may be a published DNSKEY
from a different provider.
(cherry picked from commit 332b98ae49948e26a90f1d6e0a625f6eec568777)
---
lib/dns/zone.c | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
|
|
index 9a248ff318..e6c6bd01ca 100644
|
|
--- a/lib/dns/zone.c
|
|
+++ b/lib/dns/zone.c
|
|
@@ -16969,9 +16969,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
|
|
}
|
|
|
|
static isc_result_t
|
|
-copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
|
|
- dns_db_t *rawdb, dns_dbiterator_t *dbiterator,
|
|
- unsigned int *oldserial) {
|
|
+copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
|
|
+ dns_dbiterator_t *dbiterator, unsigned int *oldserial) {
|
|
dns_dbnode_t *rawnode = NULL, *node = NULL;
|
|
dns_fixedname_t fixed;
|
|
dns_name_t *name = dns_fixedname_initname(&fixed);
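Review bot: The rewritten signature on the `+copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,` line keeps `version` typed as `dns_db_t *`, while the neighbouring `restore_nsec3param` shown in the hunk context takes it as `dns_dbversion_t *version`. Since the commit is already rewriting this line, it is the natural place to declare the parameter as `dns_dbversion_t *version` so the compiler can check what callers pass; if `dns_dbversion_t` is a `void` typedef in this tree the mismatch compiles silently today and only loses that checking, but that cannot be confirmed from this hunk. The function body continues past the end of the hunk.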
|
|
@@ -17008,14 +17007,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
|
|
rdataset.type == dns_rdatatype_dnskey ||
|
|
rdataset.type == dns_rdatatype_nsec3param)
|
|
{
|
|
- /*
|
|
- * Allow DNSSEC records with dnssec-policy.
|
|
- * WMM: Perhaps add config option for it.
|
|
- */
|
|
- if (dns_zone_getkasp(zone) == NULL) {
|
|
- dns_rdataset_disassociate(&rdataset);
|
|
- continue;
|
|
- }
|
|
+ dns_rdataset_disassociate(&rdataset);
|
|
+ continue;
|
|
}
|
|
if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) {
|
|
result = checkandaddsoa(db, node, version, &rdataset,
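Review bot: The commit message says DNSKEY is still let through because it may be a published key from another provider, but the skip condition's context line `rdataset.type == dns_rdatatype_dnskey ||` is unchanged, so with the dnssec-policy exception removed the new `dns_rdataset_disassociate(&rdataset); continue;` now drops DNSKEY from the raw copy unconditionally. Either the DNSKEY line should come out of the condition or the description should be corrected, unless a hunk not shown here handles it. A short comment above the new skip, e.g. `/* The raw zone must carry no DNSSEC data: an NSEC3 here crashes the switch to inline-signing. */`, would record why the previous exception was dropped so it is not reintroduced. The enclosing function starts and ends outside the hunk.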
|
|
@@ -17118,8 +17111,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) {
|
|
for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
|
|
result = dns_dbiterator_next(dbiterator))
|
|
{
|
|
- result = copy_non_dnssec_records(zone, db, version, rawdb,
|
|
- dbiterator, oldserialp);
|
|
+ result = copy_non_dnssec_records(db, version, rawdb, dbiterator,
|
|
+ oldserialp);
|
|
if (result != ISC_R_SUCCESS) {
|
|
goto failure;
|
|
}
|
|
--
|
|
2.23.0
|