Update syncupdate() function to disable CDNSKEY
authorMatthijs Mekking <matthijs@isc.org>
Tue, 21 Feb 2023 07:46:43 +0000 (08:46 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 28 Feb 2023 08:38:17 +0000 (09:38 +0100)
Add a new function argument so you can choose whether the CDNSKEY
record should be published or not.

bin/dnssec/dnssec-signzone.c
lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h
lib/dns/zone.c

index 123bc87b8d05ecdcd97b9be16fa5a50a292b8f4c..edcbf44069c9c95942619c3b2a7c1987c786deff 100644 (file)
@@ -2803,7 +2803,7 @@ build_final_keylist(void) {
         */
 
        dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now,
-                             &digests, keyttl, &diff, mctx);
+                             &digests, cdnskey, keyttl, &diff, mctx);
 
        dns_name_format(gorigin, name, sizeof(name));
 
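Review bot: The new argument `cdnskey` is inserted into the middle of a positional parameter list, and neither its declaration nor its type appears anywhere in this commit; confirm it is a `bool` rather than something that merely converts to one, since any scalar value (a pointer included) converts silently to `_Bool` and the compiler will not flag a misplaced or mistyped argument here. Annotating the argument with the parameter name from dnssec.h, `&digests, /* gencdnskey */ cdnskey, keyttl, &diff, mctx);`, makes the positional mapping auditable at the call site. build_final_keylist() continues outside the hunk.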
index 6c6093d3dfc2d50e7f389a03b5ecbed95d54b860..a207da8b797d0f863fd517e4c4121dbff1725e21 100644 (file)
@@ -2026,7 +2026,8 @@ isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
                      isc_stdtime_t now, dns_kasp_digestlist_t *digests,
-                     dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx) {
+                     bool gencdnskey, dns_ttl_t ttl, dns_diff_t *diff,
+                     isc_mem_t *mctx) {
        unsigned char keybuf[DST_KEY_MAXSIZE];
        isc_result_t result;
        dns_dnsseckey_t *key;
@@ -2055,8 +2056,9 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                                               alg->digest, ttl, diff, mctx));
                        }
 
-                       if (!dns_rdataset_isassociated(cdnskey) ||
-                           !exists(cdnskey, &cdnskeyrdata))
+                       if (gencdnskey &&
+                           (!dns_rdataset_isassociated(cdnskey) ||
+                            !exists(cdnskey, &cdnskeyrdata)))
                        {
                                isc_log_write(
                                        dns_lctx, DNS_LOGCATEGORY_GENERAL,
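Review bot: When `gencdnskey` is false, the new guard in the second hunk only suppresses adding a CDNSKEY record; a CDNSKEY already present in `cdnskey` for a key that remains in `keys` is left in place, and the prototype comment in lib/dns/include/dns/dnssec.h describes removal only for keys in 'rmkeys'. If the flag is meant to express "do not publish CDNSKEY", turning it off after records were published will not retract them, so either add a removal branch for the `!gencdnskey` case or state the limitation explicitly in the prototype comment, e.g. `* 'gencdnskey' == false only prevents new CDNSKEY records from being added; existing ones are not removed.` Which of the two is intended is not decidable from the hunk. The body of dns_dnssec_syncupdate() continues outside both hunks.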
index 7b77644459598926a32190213e1e86c03959f87a..17280fe570734c159a1f571d942fa93f72a915b1 100644 (file)
@@ -352,14 +352,15 @@ isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
                      isc_stdtime_t now, dns_kasp_digestlist_t *digests,
-                     dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx);
+                     bool gencdnskey, dns_ttl_t hint_ttl, dns_diff_t *diff,
+                     isc_mem_t *mctx);
 /*%<
  * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
  *
  * For each key in 'keys', check if corresponding CDS and CDNSKEY records
- * need to be published. If needed, there will be one CDNSKEY record added to
- * the 'cdnskey' RRset and one CDS record to the 'cds' RRset for each digest
- * type in 'digests'.
+ * need to be published. If needed and 'gencdnskey' is true, there will be one
+ * CDNSKEY record added to the 'cdnskey' RRset. Also one CDS record will be
+ * added to the 'cds' RRset for each digest type in 'digests'.
  *
  * For each key in 'rmkeys', remove any associated CDS and CDNSKEY records from
  * the RRsets 'cds' and 'cdnskey'.
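Review bot: The rewritten comment says what happens when 'gencdnskey' is true but not when it is false, and since the implementation in lib/dns/dnssec.c only skips the addition, the reader needs that half too; add a sentence such as `* If 'gencdnskey' is false, no CDNSKEY record is added for keys in 'keys'; CDNSKEY records already present in 'cdnskey' are left untouched.` This is also the first `bool` in the visible prototype, so confirm the header already includes <stdbool.h> (the include block is outside the hunk). While the prototype is being reflowed, note that the TTL parameter is named `hint_ttl` here but `ttl` in the definition; aligning the two names would keep the documentation and the code in step.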
index 271445e70c78bedbe5118b795cca3b6597d96300..544b502a4c3f6f33d70a0d61d601228ebae06c0b 100644 (file)
@@ -20576,8 +20576,8 @@ zone_rekey(dns_zone_t *zone) {
                 * Update CDS / CDNSKEY records.
                 */
                result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
-                                              &cdnskeyset, now, &digests, ttl,
-                                              &diff, mctx);
+                                              &cdnskeyset, now, &digests, true,
+                                              ttl, &diff, mctx);
                if (result != ISC_R_SUCCESS) {
                        dnssec_log(zone, ISC_LOG_ERROR,
                                   "zone_rekey:couldn't update CDS/CDNSKEY: %s",