From: Mark Andrews
Date: Wed, 2 Nov 2022 06:55:52 +0000 (+0000)
Subject: TLS setting of primaries with catalog zones where being ignored
X-Git-Tag: v9.19.8~45^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65f2512315fa9d46e2caf3695e066f14fa974b21;p=thirdparty%2Fbind9.git
TLS setting of primaries with catalog zones where being ignored
Extract the tlss values if present from the ipkeylist entry and add the resulting tls setting to the constructed configuration for the primary. When comparing catalog zone entries for reuse also check the masters.tlss values for equality.
---
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 1b0128dbd00..8c375084f53 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -379,6 +379,20 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
 }
 }
 
+ for (size_t i = 0; i < eb->opts.masters.count; i++) {
+ if ((ea->opts.masters.tlss[i] == NULL) !=
+ (eb->opts.masters.tlss[i] == NULL)) {
+ return (false);
+ }
+ if (ea->opts.masters.tlss[i] == NULL) {
+ continue;
+ }
+ if (!dns_name_equal(ea->opts.masters.tlss[i],
+ eb->opts.masters.tlss[i])) {
+ return (false);
+ }
+ }
+
 /* If one is NULL and the other isn't, the entries don't match */
 if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) {
 return (false);
@@ -1974,6 +1988,15 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 goto cleanup;
 }
 }
+
+ if (entry->opts.masters.tlss[i] != NULL) {
+ isc_buffer_putstr(buffer, " tls ");
+ result = dns_name_totext(entry->opts.masters.tlss[i],
+ true, buffer);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+ }
 isc_buffer_putstr(buffer, "; ");
 }
 isc_buffer_putstr(buffer, "}; ");
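Review bot: The added loop in dns_catz_entry_cmp indexes `ea->opts.masters.tlss[i]` with `eb->opts.masters.count` as its bound and dereferences both `tlss` arrays without checking the array pointers themselves. That is safe only if the part of the function above this hunk has already returned on a differing `masters.count` and if `tlss` is always allocated with `count` slots; neither is visible here. The invariant deserves a comment above the loop, such as `/* masters.count compared equal above; tlss[] has count slots, NULL meaning no TLS for that primary */`. The comparison decides whether an existing entry is reused, so a wrong answer would leave a primary on its previous transport setting. The function begins and continues outside the hunk.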
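Review bot: The `tls` name written in dns_catz_generate_zonecfg comes from catalog-zone data and is appended unquoted to text that is presumably parsed later as zone configuration, so the code depends on `dns_name_totext()` escaping every character the configuration lexer treats specially. The surrounding context suggests the preceding option is emitted the same way, so this is consistent, but the assumption is undocumented. A comment before `isc_buffer_putstr(buffer, " tls ");` would record it, for example `/* name comes from the catalog zone; dns_name_totext() output is relied on to be safe as a bare config token */`. The bare `true` argument would also read better with a short comment on what it selects. The enclosing loop and function begin outside the hunk.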