From: Matthijs Mekking Date: Tue, 21 Feb 2023 07:46:43 +0000 (+0100) Subject: Update syncupdate() function to disable CDNSKEY X-Git-Tag: v9.19.11~14^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea4130d6bdb2b97e6617c719b6230f152439899e;p=thirdparty%2Fbind9.git Update syncupdate() function to disable CDNSKEY Add a new function argument so you can choose whether the CDNSKEY record should be published or not.
---
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 123bc87b8d0..edcbf44069c 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -2803,7 +2803,7 @@ build_final_keylist(void) {
 */
 dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now,
- &digests, keyttl, &diff, mctx);
+ &digests, cdnskey, keyttl, &diff, mctx);
 dns_name_format(gorigin, name, sizeof(name));
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 6c6093d3dfc..a207da8b797 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -2026,7 +2026,8 @@ isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
 isc_stdtime_t now, dns_kasp_digestlist_t *digests,
- dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx) {
+ bool gencdnskey, dns_ttl_t ttl, dns_diff_t *diff,
+ isc_mem_t *mctx) {
 unsigned char keybuf[DST_KEY_MAXSIZE];
 isc_result_t result;
 dns_dnsseckey_t *key;
@@ -2055,8 +2056,9 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 alg->digest, ttl, diff, mctx));
 }
- if (!dns_rdataset_isassociated(cdnskey) ||
- !exists(cdnskey, &cdnskeyrdata))
+ if (gencdnskey &&
+ (!dns_rdataset_isassociated(cdnskey) ||
+ !exists(cdnskey, &cdnskeyrdata)))
 {
 isc_log_write(
 dns_lctx, DNS_LOGCATEGORY_GENERAL,
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 7b776444595..17280fe5707 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
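Review bot: In the dnssec.c hunk at -2055, a false `gencdnskey` only skips adding a missing CDNSKEY record (the new `if (gencdnskey && (...))` guard); any CDNSKEY already present in `cdnskey` for a key that stays in `keys` is not withdrawn by this path, so switching generation off for a zone that previously published CDNSKEY presumably leaves the stale record in place unless removal happens elsewhere in the function (the rest of dns_dnssec_syncupdate is outside the hunk). CDNSKEY is a parent-facing signal that automated DS maintenance acts on, so whichever behaviour is intended should be explicit. If leaving existing records is intended, a comment above the guard such as `/* gencdnskey only suppresses publication; an existing CDNSKEY is left untouched */` would save the next reader a lookup; if it is not, an `else` branch that deletes the existing record for this key is needed.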
@@ -352,14 +352,15 @@ isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
 isc_stdtime_t now, dns_kasp_digestlist_t *digests,
- dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx);
+ bool gencdnskey, dns_ttl_t hint_ttl, dns_diff_t *diff,
+ isc_mem_t *mctx);
 /*%<
 * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
 *
 * For each key in 'keys', check if corresponding CDS and CDNSKEY records
- need to be published. If needed, there will be one CDNSKEY record added to
- the 'cdnskey' RRset and one CDS record to the 'cds' RRset for each digest
- type in 'digests'.
+ need to be published. If needed and 'gencdnskey' is true, there will be one
+ CDNSKEY record added to the 'cdnskey' RRset. Also one CDS record will be
+ added to the 'cds' RRset for each digest type in 'digests'.
 *
 * For each key in 'rmkeys', remove any associated CDS and CDNSKEY records from
 * the RRsets 'cds' and 'cdnskey'.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 271445e70c7..544b502a4c3 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -20576,8 +20576,8 @@ zone_rekey(dns_zone_t *zone) {
 * Update CDS / CDNSKEY records.
 */
 result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
- &cdnskeyset, now, &digests, ttl,
- &diff, mctx);
+ &cdnskeyset, now, &digests, true,
+ ttl, &diff, mctx);
 if (result != ISC_R_SUCCESS) {
 dnssec_log(zone, ISC_LOG_ERROR,
 "zone_rekey:couldn't update CDS/CDNSKEY: %s",
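Review bot: The rewritten comment in the dnssec.h hunk documents only the 'gencdnskey' is true case, while the false case is the one the new argument exists for. Suggest appending to that paragraph: ` * If 'gencdnskey' is false, no CDNSKEY record is added for any key in 'keys'; the 'cds' RRset is still updated from 'digests'.` and, since callers will want to know, one more sentence stating whether a CDNSKEY already present in 'cdnskey' is left in place in that case (the implementation lives in dnssec.c, not in this hunk, so confirm against it).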
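Review bot: The hard-coded `true` in the zone.c hunk makes zone_rekey publish CDNSKEY unconditionally, so the choice this commit adds is not reachable for policy-managed zones; if a follow-up is meant to take the value from the zone's dnssec-policy, that should at least be flagged at the call site so it is not forgotten. Independently of that, a bare boolean literal in the middle of a ten-argument call is hard to read; `&cdnskeyset, now, &digests, true /* gencdnskey */,` makes the meaning visible without opening the prototype. zone_rekey starts and ends outside the hunk.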