From: Matthijs Mekking
Date: Fri, 7 Nov 2025 14:56:54 +0000 (+0100)
Subject: Skip private records when syncing secure db
X-Git-Tag: v9.21.16~35^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6dcb9ce77ff774ffab3139c052b0f177338953d0;p=thirdparty%2Fbind9.git

Skip private records when syncing secure db

When synchronizing the secure database, we skip DNSSEC records that BIND 9 maintains with inline-signing. We should also skip private RDATA type records that are used to track the current state of a zone-signing process.
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index a46969b3e8e..2b70bdc93a7 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -16312,6 +16312,17 @@ sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb,
 ISC_LIST_FOREACH(diff->tuples, tuple, link) {
 dns_difftuplelist_t *al = &add, *dl = &del;
+ /*
+ * Skip private records that BIND maintains with inline-signing.
+ */
+ if (seczone->privatetype != 0 &&
+ tuple->rdata.type == seczone->privatetype)
+ {
+ ISC_LIST_UNLINK(diff->tuples, tuple, link);
+ dns_difftuple_free(&tuple);
+ continue;
+ }
+
 /*
 * Skip DNSSEC records that BIND maintains with inline-signing.
 */
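Review bot: The new branch at the top of the `ISC_LIST_FOREACH` loop discards private-type tuples from the raw zone without leaving any trace, and its comment nearly repeats the DNSSEC one below instead of giving the reason. Per the commit message these records track signing state, and the raw diff is presumably where externally supplied zone data enters, so a debug-level line before the unlink would let an operator notice them, for example `dns_zone_log(seczone, ISC_LOG_DEBUG(3), "sync_secure_db: ignoring private-type record from raw zone");`. I would also reword the comment to `Private-type records track signing state owned by the secure zone; never accept them from the raw zone.` and state there that `privatetype == 0` means no private type is configured, which looks like the intent of the guard but should be confirmed. The loop body and `sync_secure_db` continue outside the hunk, so it cannot be checked from here whether the DNSSEC skip below logs, or whether any non-diff (full copy) sync path applies the same filter.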