Fix signing initially empty zone. (#1213)
authorBrian Wellington <bwelling@xbill.org>
Sat, 26 Jul 2025 15:13:41 +0000 (08:13 -0700)
committerGitHub <noreply@github.com>
Sat, 26 Jul 2025 15:13:41 +0000 (08:13 -0700)
dns.dnssec.sign_zone() fails if the SOA is added in the same transaction
that signs the zone, because it's not using the active transaction when
looking for the SOA. (#1210)

dns/dnssec.py
tests/test_dnssec.py

index 76d728a5f1e08eb3e9bc647327792f9aa32d6466..5cb7cfcbea70e3722719d1fc13a0987986f3b9c7 100644 (file)
@@ -1148,7 +1148,7 @@ def _sign_zone_nsec(
             if rrset_signer:
                 rrset_signer(txn, rrset)
 
-    rrsig_ttl = zone.get_soa().minimum
+    rrsig_ttl = zone.get_soa(txn).minimum
     delegation = None
     last_secure = None
 
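Review bot: The new `zone.get_soa(txn)` call has no comment saying why the transaction must be passed, so a later cleanup could drop the argument again; add `# Read the SOA through txn so an SOA added earlier in this same transaction is visible.` above it. The body of `_sign_zone_nsec` starts and ends outside this hunk, so any other lookup there that reads from `zone` directly rather than through `txn` would have the same blind spot and is worth checking. If the transaction holds no SOA at all, `get_soa` raises `dns.zone.NoSOA` from inside the signer, which the `sign_zone` docstring could state.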
index ce468d7083bea79e7e783b54355ab5d0b595a33b..117244b11f979195a74e6df7e37be8f6510046e1 100644 (file)
@@ -1090,6 +1090,21 @@ class DNSSECMiscTestCase(unittest.TestCase):
         zone2 = dns.zone.from_text(test_zone_with_nsec, "example.", relativize=False)
         self.assertEqual(zone1.to_text(), zone2.to_text())
 
+    def test_sign_zone_initially_empty(self):
+        zone = dns.zone.Zone("example.")
+        soa = dns.rdataset.from_text("IN", "SOA", 3600,
+                                     "ns.example. hostmaster.example. 1 2 3 4 5")
+        privkey = ed25519.Ed25519PrivateKey.generate()
+        dnskey = dns.dnssec.make_dnskey(privkey.public_key(),
+                                        dns.dnssec.ED25519)
+        with zone.writer() as txn:
+            txn.add(dns.name.empty, soa)
+            dns.dnssec.sign_zone(zone, txn=txn, keys=[(privkey, dnskey)],
+                                 lifetime=3600)
+
+        self.assertIsNotNone(zone.find_rdataset(dns.name.empty, "SOA"))
+        self.assertIsNotNone(zone.find_rdataset(dns.name.empty, "RRSIG",
+                                                covers="SOA"))
 
 @unittest.skipUnless(dns.dnssec._have_pyca, "Python Cryptography cannot be imported")
 class DNSSECMakeDSTestCase(unittest.TestCase):
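Review bot: The two `assertIsNotNone` calls at the end of `test_sign_zone_initially_empty` can never fail as assertions, because `Zone.find_rdataset` raises `KeyError` for a missing rdataset instead of returning `None`; use `self.assertIsNotNone(zone.get_rdataset(dns.name.empty, "RRSIG", covers="SOA"))`, or call `find_rdataset` bare. The test also only shows that an RRSIG covering the SOA exists, not that it verifies against `dnskey` or that the apex received an NSEC record, so a signer producing an invalid signature would still pass; checking the SOA RRset with `dns.dnssec.validate` and asserting `zone.get_rdataset(dns.name.empty, "NSEC")` would cover that. The method needs the cryptography package and the enclosing class header is outside the hunk, so confirm that the class or the method is gated on `dns.dnssec._have_pyca` as the following class is.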