git.ipfire.org Git - thirdparty/bind9.git/commit
Treat dnssec-policy "none" as a builtin zone
author Matthijs Mekking <matthijs@isc.org>
Thu, 3 Dec 2020 14:01:42 +0000 (15:01 +0100)
committer Matthijs Mekking <matthijs@isc.org>
Wed, 23 Dec 2020 10:56:33 +0000 (11:56 +0100)
commit cf0439cd5f5ba60f308cb1ec6e0c47751f6bcfef
tree 2a5cea72a67d29a936d0170bc7e17afa981a291e
parent 6ff69ee8ba44c89b728aadfa807532f5f320971e

Configure "none" as a builtin policy. Change the 'cfg_kasp_fromconfig'
api so that the 'name' will determine what policy needs to be
configured.

When transitioning a zone from secure to insecure, there will be
cases when a zone with no DNSSEC policy (dnssec-policy none) should
be using KASP. When there are key state files available, this is an
indication that the zone once was DNSSEC signed but is reconfigured
to become insecure.

If we would not run the keymgr, named would abruptly remove the
DNSSEC records from the zone, making the zone bogus. Therefore,
change the code such that a zone will use kasp if there is a valid
dnssec-policy configured, or if there are state files available.

(cherry picked from commit cf420b2af0d45693d0f5f34d9113ea411b5f2225)
bin/dnssec/dnssec-keygen.c
bin/named/server.c
bin/named/zoneconf.c
bin/tests/system/kasp/tests.sh
lib/bind9/check.c
lib/dns/include/dns/zone.h
lib/dns/update.c
lib/dns/win32/libdns.def.in
lib/dns/zone.c
lib/isccfg/include/isccfg/kaspconf.h
lib/isccfg/kaspconf.c