Skip private records when syncing secure db
authorMatthijs Mekking <matthijs@isc.org>
Fri, 7 Nov 2025 14:56:54 +0000 (15:56 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Mon, 24 Nov 2025 09:21:33 +0000 (10:21 +0100)
When synchronizing the secure database, we skip DNSSEC records that
BIND 9 maintains with inline-signing. We should also skip private
RDATA type records that are used to track the current state of a
zone-signing process.

lib/dns/zone.c

index a46969b3e8e324871cd743f7584dcf80a575c29a..2b70bdc93a731d7477d9dfaa186b38c34e35a0d3 100644 (file)
@@ -16312,6 +16312,17 @@ sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb,
        ISC_LIST_FOREACH(diff->tuples, tuple, link) {
                dns_difftuplelist_t *al = &add, *dl = &del;
 
+               /*
+                * Skip private records that BIND maintains with inline-signing.
+                */
+               if (seczone->privatetype != 0 &&
+                   tuple->rdata.type == seczone->privatetype)
+               {
+                       ISC_LIST_UNLINK(diff->tuples, tuple, link);
+                       dns_difftuple_free(&tuple);
+                       continue;
+               }
+
                /*
                 * Skip DNSSEC records that BIND maintains with inline-signing.
                 */
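Review bot: The new block unlinks and frees `tuple` from inside the ISC_LIST_FOREACH loop (the unlink/free at the `ISC_LIST_UNLINK`/`dns_difftuple_free` lines), which is only safe if that macro reads the next link before the body runs; the hunk does not show the macro's definition, so this is presumably fine if the existing DNSSEC-skip block that follows (its body is outside the hunk) already removes tuples the same way, and otherwise the safe-iteration variant is needed. The new comment says only "private records", while the commit message explains what they are; I would write it as `* Skip records of the zone's private RDATA type (seczone->privatetype), which track the state of the signing process and must not be synced into the secure db.` so the next reader does not have to look up privatetype. The `privatetype != 0` guard is correct since type 0 is never a valid private type, but a short `/* 0 means no private type configured */` on the condition would make that explicit. sync_secure_db starts before and continues past this hunk.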