The 'rndc signing' command allows you to manipulate the private
records that are used to store signing state. Don't use these with
'dnssec-policy' as such manipulations may violate the policy (if you
want to change the NSEC3 parameters, change the policy and reconfig).
(cherry picked from commit
eae9a6d297602d316287b1596f4446841d3c05b8)
isc_buffer_t **text) {
isc_result_t result = ISC_R_SUCCESS;
dns_zone_t *zone = NULL;
+ dns_kasp_t *kasp = NULL;
dns_name_t *origin;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
CHECK(ISC_R_UNEXPECTEDEND);
}
+ kasp = dns_zone_getkasp(zone);
+ if (kasp != NULL) {
+ (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
+ "command instead");
+ (void)putnull(text);
+ goto cleanup;
+ }
+
if (clear) {
CHECK(dns_zone_keydone(zone, keystr));
(void)putstr(text, "request queued");
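Review bot: The new refusal branch at `if (kasp != NULL)` jumps to `cleanup` without touching `result`, which is initialised to `ISC_R_SUCCESS` and, as far as the visible lines show, is not set to an error before this point, so the command probably reports success although nothing was changed. An operator script that relies on the command status would then treat a refused signing-state change as done; consider adding `result = ISC_R_FAILURE;` before the `goto cleanup;` (or whichever result code the other rndc handlers use for a refused request). A short comment above the check, such as `/* Private signing records are managed by dnssec-policy; refuse manual changes. */`, would also record why the guard exists. The enclosing function starts and ends outside the hunk, so the value of `result` on entry to this branch and what `cleanup` does with it should be confirmed.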