git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Wed, 10 Aug 2022 13:29:59 +0000 (15:29 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Mon, 22 Aug 2022 13:55:46 +0000 (15:55 +0200)
commit	501dc87d75386d50bb713ae3c23c1122e6a5af57
tree	600c3b577e2869ea7154e2df13e7dbfe569cfdfe	tree \| snapshot
parent	856c0e78a9041b9c532b56de9ad01acdc50bd140	commit \| diff

Wait with NSEC3 during a DNSSEC policy change

When doing a dnssec-policy reconfiguration from a zone with NSEC only
keys to a zone that uses NSEC3, figure out to wait with building the
NSEC3 chain.

Previously, BIND 9 would attempt to sign such a zone, but failed to
do so because the NSEC3 chain conflicted with existing DNSKEY records
in the zone that were not compatible with NSEC3.

There exists logic for detecting such a case in the functions
dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in
lib/ns/update.c). Both functions look very similar so refactor them
to use the same code and call the new function (called
dns_zone_check_dnskey_nsec3()).

Also update the dns_nsec_nseconly() function to take an additional
parameter 'diff' that, if provided, will be checked whether an
offending NSEC only DNSKEY will be deleted from the zone. If so,
this key will not be considered when checking the zone for NSEC only
DNSKEYs. This is needed to allow a transition from an NSEC zone with
NSEC only DNSKEYs to an NSEC3 zone.

bin/dnssec/dnssec-signzone.c		diff \| blob \| blame \| history
lib/dns/include/dns/nsec.h		diff \| blob \| blame \| history
lib/dns/include/dns/zone.h		diff \| blob \| blame \| history
lib/dns/nsec.c		diff \| blob \| blame \| history
lib/dns/zone.c		diff \| blob \| blame \| history
lib/ns/update.c		diff \| blob \| blame \| history