mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-17 08:03:44 -04:00
When doing a dnssec-policy reconfiguration from a zone with NSEC only keys to a zone that uses NSEC3, figure out to wait with building the NSEC3 chain. Previously, BIND 9 would attempt to sign such a zone, but failed to do so because the NSEC3 chain conflicted with existing DNSKEY records in the zone that were not compatible with NSEC3. There exists logic for detecting such a case in the functions dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in lib/ns/update.c). Both functions look very similar, so refactor them to use the same code and call the new function (called dns_zone_check_dnskey_nsec3()).

Also update the dns_nsec_nseconly() function to take an additional parameter 'diff' that, if provided, will be checked whether an offending NSEC only DNSKEY will be deleted from the zone. If so, this key will not be considered when checking the zone for NSEC only DNSKEYs. This is needed to allow a transition from an NSEC zone with NSEC only DNSKEYs to an NSEC3 zone.

(cherry picked from commit 09a81dc84ce0fee37442f03cdbd63c2398215376)
| File |
|---|
| .gitignore |
| dnssec-cds.c |
| dnssec-cds.rst |
| dnssec-dsfromkey.c |
| dnssec-dsfromkey.rst |
| dnssec-importkey.c |
| dnssec-importkey.rst |
| dnssec-keyfromlabel.c |
| dnssec-keyfromlabel.rst |
| dnssec-keygen.c |
| dnssec-keygen.rst |
| dnssec-revoke.c |
| dnssec-revoke.rst |
| dnssec-settime.c |
| dnssec-settime.rst |
| dnssec-signzone.c |
| dnssec-signzone.rst |
| dnssec-verify.c |
| dnssec-verify.rst |
| dnssectool.c |
| dnssectool.h |
| Makefile.am |