Don't use 'rndc signing' with kasp
authorMatthijs Mekking <matthijs@isc.org>
Tue, 13 Oct 2020 12:52:02 +0000 (14:52 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 26 Nov 2020 09:43:27 +0000 (10:43 +0100)
The 'rndc signing' command allows you to manipulate the private
records that are used to store signing state. Don't use these with
'dnssec-policy' as such manipulations may violate the policy (if you
want to change the NSEC3 parameters, change the policy and reconfig).

bin/named/server.c

index 6ffc8da3e2d4596bdb603cdd843dc64145aefd80..bba09ab48f568ca94ffc90aeb029089328a2cb69 100644 (file)
@@ -14358,6 +14358,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
                     isc_buffer_t **text) {
        isc_result_t result = ISC_R_SUCCESS;
        dns_zone_t *zone = NULL;
+       dns_kasp_t *kasp = NULL;
        dns_name_t *origin;
        dns_db_t *db = NULL;
        dns_dbnode_t *node = NULL;
@@ -14475,6 +14476,14 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
                CHECK(ISC_R_UNEXPECTEDEND);
        }
 
+       kasp = dns_zone_getkasp(zone);
+       if (kasp != NULL) {
+               (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
+                                  "command instead");
+               (void)putnull(text);
+               goto cleanup;
+       }
+
        if (clear) {
                CHECK(dns_zone_keydone(zone, keystr));
                (void)putstr(text, "request queued");
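Review bot: The new kasp guard refuses the request but leaves `result` at the ISC_R_SUCCESS it was initialised to at the top of the function, so the command is rejected while the control channel reports success; a script that wraps `rndc signing` and checks the exit status will believe the signing-state change was applied when it was not. Setting a failure code before the jump, e.g. `result = ISC_R_FAILURE;` immediately ahead of `goto cleanup;`, makes the refusal detectable by status and not only by reading the text message (this assumes the control path turns a non-success result into a non-zero rndc exit, which is outside this hunk). The placement after the zone lookup and before any state mutation is right; the separate `kasp` local added in the first hunk is only used for this NULL test, so `if (dns_zone_getkasp(zone) != NULL)` would avoid widening the declaration list. named_server_signing begins before the first hunk and continues past this one, so the cleanup label and its detach calls are not visible here.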