string soa_edit;
di.backend->getDomainMetadataOne(zonename, "SOA-EDIT", soa_edit);
doc["soa_edit"] = soa_edit;
+
string nsec3param;
- di.backend->getDomainMetadataOne(zonename, "NSEC3PARAM", nsec3param);
- doc["nsec3param"] = nsec3param;
- string nsec3narrow;
bool nsec3narrowbool = false;
- di.backend->getDomainMetadataOne(zonename, "NSEC3NARROW", nsec3narrow);
- if (nsec3narrow == "1")
- nsec3narrowbool = true;
+ bool is_secured = dk.isSecuredZone(zonename);
+ if (is_secured) { // ignore NSEC3PARAM and NSEC3NARROW metadata present in the db for unsigned zones
+ di.backend->getDomainMetadataOne(zonename, "NSEC3PARAM", nsec3param);
+ string nsec3narrow;
+ di.backend->getDomainMetadataOne(zonename, "NSEC3NARROW", nsec3narrow);
+ if (nsec3narrow == "1") {
+ nsec3narrowbool = true;
+ }
+ }
+ doc["nsec3param"] = nsec3param;
doc["nsec3narrow"] = nsec3narrowbool;
- doc["dnssec"] = dk.isSecuredZone(zonename);
+ doc["dnssec"] = is_secured;
string api_rectify;
di.backend->getDomainMetadataOne(zonename, "API-RECTIFY", api_rectify);
bool dnssecInJSON = false;
bool dnssecDocVal = false;
bool nsec3paramInJSON = false;
+ bool updateNsec3Param = false;
string nsec3paramDocVal;
try {
throwUnableToSecure(zonename);
}
shouldRectify = true;
+ updateNsec3Param = true;
}
} else {
// "dnssec": false in json
throw ApiException("Unable to un-secure zone '"+ zonename.toString()+"'");
}
shouldRectify = true;
+ updateNsec3Param = true;
}
}
}
- if (nsec3paramInJSON) {
+ if (nsec3paramInJSON || updateNsec3Param) {
shouldRectify = true;
- if (!isDNSSECZone) {
- throw ApiException("NSEC3PARAMs provided for zone '"+zonename.toString()+"', but zone is not DNSSEC secured.");
+ if (!isDNSSECZone && !nsec3paramDocVal.empty()) {
+ throw ApiException("NSEC3PARAM value provided for zone '" + zonename.toString() + "', but zone is not DNSSEC secured.");
}
- if (nsec3paramDocVal.length() == 0) {
+ if (nsec3paramDocVal.empty()) {
// Switch to NSEC
if (!dk.unsetNSEC3PARAM(zonename)) {
throw ApiException("Unable to remove NSEC3PARAMs from zone '" + zonename.toString());
}
}
-
- if (nsec3paramDocVal.length() > 0) {
+ else {
// Set the NSEC3PARAMs
NSEC3PARAMRecordContent ns3pr(nsec3paramDocVal);
string error_msg = "";
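Review bot: The widened condition `if (nsec3paramInJSON || updateNsec3Param)` carries no comment explaining that a request which only toggles `dnssec` now lands in the `nsec3paramDocVal.empty()` branch and calls `dk.unsetNSEC3PARAM(zonename)`. From the visible lines this appears to mean that a zone secured through the API without an `nsec3param` field is always signed with NSEC, even if NSEC3PARAM metadata was stored earlier, which matters to operators who rely on NSEC3 to make zone enumeration harder. I would add above the condition `// a dnssec on/off change resets NSEC3PARAM: stale metadata is dropped unless the request supplies a new value`, and a matching one-line comment where `updateNsec3Param` is declared. The unchanged message `"Unable to remove NSEC3PARAMs from zone '" + zonename.toString()` also lacks the closing quote that the message at the `!isDNSSECZone` check has. The `else` branch continues past the end of the hunk, so the handling of `error_msg` is not visible here.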
self.assertEqual(r.status_code, 200)
self.assertEqual(data['nsec3param'], '')
+ def test_create_zone_without_dnssec_unset_nsec3parm(self):
+ """
+ Create a non dnssec zone and set an empty "nsec3param"
+ """
+ name, payload, data = self.create_zone(dnssec=False)
+ r = self.session.put(self.url("/api/v1/servers/localhost/zones/" + name),
+ data=json.dumps({'nsec3param': ''}))
+
+ self.assertEqual(r.status_code, 204)
+
+ def test_create_zone_without_dnssec_set_nsec3parm(self):
+ """
+ Create a non dnssec zone and set "nsec3param"
+ """
+ name, payload, data = self.create_zone(dnssec=False)
+ r = self.session.put(self.url("/api/v1/servers/localhost/zones/" + name),
+ data=json.dumps({'nsec3param': '1 0 1 ab'}))
+
+ self.assertEqual(r.status_code, 422)
+
def test_create_zone_dnssec_serial(self):
"""
Create a zone set/unset "dnssec" and see if the serial was increased
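Review bot: Both new tests assert only the HTTP status, so neither confirms what state the zone is left in. In `test_create_zone_without_dnssec_set_nsec3parm`, a follow-up GET of the zone with `self.assertEqual(data['nsec3param'], '')` would show that the rejected value was not stored despite the 422. The behaviour the C++ side appears to target, where stored NSEC3PARAM is ignored for an unsigned zone and cleared when `dnssec` is toggled, has no test in this hunk. A case that sets `nsec3param` on a signed zone, sends `{'dnssec': False}`, and then checks that the GET output reports an empty `nsec3param` would cover it. The method names also spell `nsec3parm` where the API field is `nsec3param`.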