From: Evan Hunt Date: Wed, 18 Nov 2009 21:22:31 +0000 (+0000) Subject: 2773. [bug] In autosigned zones, the SOA could be signed X-Git-Tag: v9.4.3-P1~2^2~215 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b08325a7f3092cca1131e1a04a43a4ecef713e29;p=thirdparty%2Fbind9.git 2773. [bug] In autosigned zones, the SOA could be signed with the KSK. [RT #20628] --- diff --git a/CHANGES b/CHANGES index 0e2440074d3..7bc19c2924e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2773. [bug] In autosigned zones, the SOA could be signed + with the KSK. [RT #20628] + --- 9.7.0b3 released --- 2772. [security] When validating, track whether pending data was from diff --git a/bin/named/update.c b/bin/named/update.c index d7a054beb23..a31606a4a93 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.168 2009/11/09 01:28:32 each Exp $ */ +/* $Id: update.c,v 1.169 2009/11/18 21:22:31 each Exp $ */ #include @@ -1926,7 +1926,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, if (type == dns_rdatatype_dnskey) { if (!KSK(keys[i]) && keyset_kskonly) continue; - } else if (!KSK(keys[i])) + } else if (KSK(keys[i])) continue; } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) continue; diff --git a/lib/dns/zone.c b/lib/dns/zone.c index ea26c1e5ff7..14733600038 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.529 2009/11/12 23:47:59 tbox Exp $ */ +/* $Id: zone.c,v 1.530 2009/11/18 21:22:31 each Exp $ */ /*! \file */ @@ -4586,7 +4586,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, if (type == dns_rdatatype_dnskey) { if (!KSK(keys[i]) && keyset_kskonly) continue; - } else if (!KSK(keys[i])) + } else if (KSK(keys[i])) continue; } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) continue;
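Review bot: The corrected branch `} else if (KSK(keys[i])) continue;` in add_sigs() of bin/named/update.c has no comment stating the signing policy it enforces, and the identical branch in add_sigs() of lib/dns/zone.c (last hunk) has the same gap; a single inverted `!` here is what let the KSK sign the SOA. I would add above it, in both files, `/* In this branch only non-KSK keys sign rrsets other than DNSKEY: skip keys with the KSK flag. */`. Since both functions carry the same key-selection test, consider moving it into one shared helper so the two copies cannot drift apart again. The commit touches only CHANGES and the two sources, so a system test that compares the key id on the SOA RRSIG with the ZSK after autosigning would keep this from regressing. Both add_sigs() bodies start and end outside their hunks, so the enclosing condition that selects this branch is not visible here.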