From: Miod Vallat <miod.vallat@powerdns.com>
Date: Fri, 13 Jun 2025 08:54:55 +0000 (+0200)
Subject: Increase zone serial after crypto key operations (if setup to do so).
X-Git-Tag: dnsdist-2.1.0-alpha0^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63f450344a32719aa3daa856180522adbbe678b2;p=thirdparty%2Fpdns.git

Increase zone serial after crypto key operations (if setup to do so).

Fixes: #11733
---

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 9cbe0d5d7b..4bfa4b18a1 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1320,6 +1320,29 @@ static void apiZoneCryptokeysGET(HttpRequest* req, HttpResponse* resp)
   apiZoneCryptokeysExport(zoneData.zoneName, inquireKeyId, resp, &zoneData.dnssecKeeper);
 }
 
+// Common processing following a crypto keys operation which caused keys to be
+// added or removed. If this is a primary zone, we need to increase its
+// serial if configured to do so.
+static void apiZoneCryptokeysPostProcessing(ZoneData& zoneData)
+{
+  // We do not check using isPrimaryType() because we also want to include
+  // DomainInfo::Native here.
+  if (!zoneData.domainInfo.isSecondaryType()) {
+    UeberBackend backend;
+    SOAData soaData;
+    bool zone_disabled = !backend.getSOAUncached(zoneData.zoneName, soaData);
+
+    if (!zone_disabled) {
+      string soa_edit_api_kind;
+      string soa_edit_kind;
+
+      zoneData.domainInfo.backend->getDomainMetadataOne(zoneData.zoneName, "SOA-EDIT-API", soa_edit_api_kind);
+      zoneData.domainInfo.backend->getDomainMetadataOne(zoneData.zoneName, "SOA-EDIT", soa_edit_kind);
+      updateZoneSerial(zoneData.domainInfo, soaData, soa_edit_api_kind, soa_edit_kind);
+    }
+  }
+}
+
 /*
  * This method handles DELETE requests for URL /api/v1/servers/:server_id/zones/:zone_name/cryptokeys/:cryptokey_id .
  * It deletes a key from :zone_name specified by :cryptokey_id.
@@ -1341,6 +1364,7 @@ static void apiZoneCryptokeysDELETE(HttpRequest* req, HttpResponse* resp)
   }
 
   if (zoneData.dnssecKeeper.removeKey(zoneData.zoneName, inquireKeyId)) {
+    apiZoneCryptokeysPostProcessing(zoneData);
     resp->body = "";
     resp->status = 204;
   }
@@ -1489,6 +1513,7 @@ static void apiZoneCryptokeysPOST(HttpRequest* req, HttpResponse* resp)
   else {
     throw ApiException("Either you submit just the 'privatekey' field or you leave 'privatekey' empty and submit the other fields.");
   }
+  apiZoneCryptokeysPostProcessing(zoneData);
   apiZoneCryptokeysExport(zoneData.zoneName, insertedId, resp, &zoneData.dnssecKeeper);
   resp->status = 201;
 }
@@ -1543,6 +1568,7 @@ static void apiZoneCryptokeysPUT(HttpRequest* req, HttpResponse* resp)
     }
   }
 
+  apiZoneCryptokeysPostProcessing(zoneData);
   resp->body = "";
   resp->status = 204;
 }