allow both key and DS trust anchors to be used for the same name.
authorEvan Hunt <each@isc.org>
Tue, 14 Jan 2020 19:17:30 +0000 (11:17 -0800)
committerEvan Hunt <each@isc.org>
Tue, 14 Jan 2020 19:17:30 +0000 (11:17 -0800)
CHANGES
bin/tests/system/checkconf/good-ds-key-1.conf [moved from bin/tests/system/checkconf/bad-ds-key-1.conf with 100% similarity]
bin/tests/system/checkconf/good-ds-key-2.conf [moved from bin/tests/system/checkconf/bad-ds-key-2.conf with 100% similarity]
doc/arm/Bv9ARM-book.xml
lib/bind9/check.c

diff --git a/CHANGES b/CHANGES
index 9f813bb1cf0b0bc2eb817ad6aa0a51e05c06e95f..1e9a7be9850d3a291e4ce27cc3c17d009cebf4d8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5345.  [func]          Key-style trust anchors and DS-style trust anchors
+                       can now both be used for the same name. [GL !2892]
+
 5344.  [bug]           Handle accept() errors properly in netmgr. [GL !2880]
 
 5343.  [func]          Add statistics counters to the netmgr. [GL #1311]
index d8715ec5c1a260f9e2d0cb34374a9fa12e9d748a..bc86ee9fd71760290f981ca4594564c0e81359dc 100644 (file)
@@ -10986,8 +10986,7 @@ example.com                 CNAME   rpz-tcp-only.
          </para>
          <para>
            It is not possible to mix static with initial trust anchors
-           for the same domain name. It is also not possible to mix
-           <command>key</command> with <command>ds</command> trust anchors.
+           for the same domain name.
          </para>
          <para>
            The first time <command>named</command> runs with an
index e5097e8a623bf7b3795acc53fc0308056572ea35..4cb376f9767b32971e56994c407066e6fadb589f 100644 (file)
@@ -3593,64 +3593,6 @@ record_ds_keys(isc_symtab_t *symtab, isc_mem_t *mctx, const cfg_obj_t *keylist)
        return (ret);
 }
 
-static isc_result_t
-check_non_ds_keys(isc_symtab_t *symtab, const cfg_obj_t *keylist,
-                 isc_log_t *logctx)
-{
-       isc_result_t result, ret = ISC_R_SUCCESS;
-       const cfg_listelt_t *elt;
-       dns_fixedname_t fixed;
-       dns_name_t *name;
-       char namebuf[DNS_NAME_FORMATSIZE];
-
-       name = dns_fixedname_initname(&fixed);
-
-       for (elt = cfg_list_first(keylist);
-            elt != NULL;
-            elt = cfg_list_next(elt))
-       {
-               const cfg_obj_t *obj = cfg_listelt_value(elt);
-               const cfg_obj_t *init = NULL;
-               const char *str;
-               isc_symvalue_t symvalue;
-
-               init = cfg_tuple_get(obj, "anchortype");
-               if (cfg_obj_isvoid(init) ||
-                   strcasecmp(cfg_obj_asstring(init), "static-ds") == 0 ||
-                   strcasecmp(cfg_obj_asstring(init), "initial-ds") == 0)
-               {
-                       /* DS-style entry, skip it */
-                       continue;
-               }
-
-               str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
-               result = dns_name_fromstring(name, str, 0, NULL);
-               if (result != ISC_R_SUCCESS) {
-                       continue;
-               }
-
-               dns_name_format(name, namebuf, sizeof(namebuf));
-               result = isc_symtab_lookup(symtab, namebuf, 1, &symvalue);
-               if (result == ISC_R_SUCCESS) {
-                       const char *file = cfg_obj_file(symvalue.as_cpointer);
-                       unsigned int line = cfg_obj_line(symvalue.as_cpointer);
-                       if (file == NULL) {
-                               file = "<unknown file>";
-                       }
-                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-                                   "ds-style and key-style keys "
-                                   "cannot be used for the "
-                                   "same domain. "
-                                   "ds-style defined at "
-                                   "%s:%u", file, line);
-
-                       ret = ISC_R_FAILURE;
-               }
-       }
-
-       return (ret);
-}
-
 /*
  * Check for conflicts between static and initialiizing keys.
  */
@@ -3739,8 +3681,7 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
 
        /*
         * Next, ensure that there's no conflict between the
-        * static keys and the trust-anchors configured with "initial-key",
-        * or between DS-style and DNSKEY-style trust-anchors.
+        * static keys and the trust-anchors configured with "initial-key".
         */
        for (elt = cfg_list_first(global_ta);
             elt != NULL;
@@ -3751,11 +3692,6 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
                if (result == ISC_R_SUCCESS) {
                        result = tresult;
                }
-
-               tresult = check_non_ds_keys(dstab, keylist, logctx);
-               if (result == ISC_R_SUCCESS) {
-                       result = tresult;
-               }
        }
 
        for (elt = cfg_list_first(view_ta);
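Review bot: Removing the `check_non_ds_keys(dstab, ...)` call here (and the matching one in the `@@ -3767,11 +3703,6 @@` hunk) appears to leave `dstab` with no remaining reader in this function: the surviving `tresult = ...` call at the top of the hunk is the only check left in the loop, and the DS-style entries that `record_ds_keys` still collects (visible in the first check.c hunk's context) are no longer consulted. If nothing outside these hunks reads the table, the symtab creation, the `record_ds_keys` calls and the matching destroy in `cleanup:` should be removed in the same commit rather than left as write-only state; otherwise a short comment such as `/* dstab is still populated for <reason> */` would explain why it stays. check_ta_conflicts begins and ends outside the hunk, so this cannot be confirmed from the visible lines alone.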
@@ -3767,11 +3703,6 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
                if (result == ISC_R_SUCCESS) {
                        result = tresult;
                }
-
-               tresult = check_non_ds_keys(dstab, keylist, logctx);
-               if (result == ISC_R_SUCCESS) {
-                       result = tresult;
-               }
        }
 
  cleanup: