From: Matthijs Mekking Date: Tue, 13 Oct 2020 12:52:02 +0000 (+0200) Subject: Don't use 'rndc signing' with kasp X-Git-Tag: v9.16.10~9^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6cf88333a67b262d5019a08f82cfec27ceb1b3a;p=thirdparty%2Fbind9.git Don't use 'rndc signing' with kasp The 'rndc signing' command allows you to manipulate the private records that are used to store signing state. Don't use these with 'dnssec-policy' as such manipulations may violate the policy (if you want to change the NSEC3 parameters, change the policy and reconfig). (cherry picked from commit eae9a6d297602d316287b1596f4446841d3c05b8)
---
diff --git a/bin/named/server.c b/bin/named/server.c
index d5766b20ec5..4bbb7bd2540 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -14317,6 +14317,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
 isc_buffer_t **text) {
 isc_result_t result = ISC_R_SUCCESS;
 dns_zone_t *zone = NULL;
+ dns_kasp_t *kasp = NULL;
 dns_name_t *origin;
 dns_db_t *db = NULL;
 dns_dbnode_t *node = NULL;
@@ -14434,6 +14435,14 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
 CHECK(ISC_R_UNEXPECTEDEND);
 }
 
+ kasp = dns_zone_getkasp(zone);
+ if (kasp != NULL) {
+ (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
+ "command instead");
+ (void)putnull(text);
+ goto cleanup;
+ }
+
 if (clear) {
 CHECK(dns_zone_keydone(zone, keystr));
 (void)putstr(text, "request queued");
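Review bot: The new refusal branch in the second hunk jumps to cleanup with `result` still at its initial ISC_R_SUCCESS, so a kasp-managed zone is reported as refused in the text but, assuming the cleanup path outside the hunk returns `result` to the rndc client as the other error paths do, the command still exits successfully; scripted callers that check the exit status rather than parse the message would conclude the signing-state change was accepted. Set an explicit error before the jump, e.g. `result = ISC_R_FAILURE;` immediately ahead of `goto cleanup;`, so the refusal is visible in-band and out-of-band alike. Separately, the `kasp` local added in the first hunk serves only the NULL test; `if (dns_zone_getkasp(zone) != NULL) {` would drop it and keep the guard self-contained. The enclosing named_server_signing body and its cleanup label lie outside both hunks.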