From f8b346cb98cdf5a1c5e17a9089bc2981cde45a1b Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler
Date: Tue, 2 Jun 2020 18:45:52 +0200
Subject: [PATCH] API: forbid rectify for presigned zones, only
---
 pdns/ws-auth.cc | 4 ++--
 regression-tests.api/test_Zones.py | 5 -----
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 0f6eed87f4..15a704b134 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1860,8 +1860,8 @@ static void apiServerZoneRectify(HttpRequest* req, HttpResponse* resp) {
 DNSSECKeeper dk(&B);
- if (!dk.isSecuredZone(zonename))
- throw ApiException("Zone '" + zonename.toString() + "' is not DNSSEC signed, not rectifying.");
+ if (dk.isPresigned(zonename))
+ throw ApiException("Zone '" + zonename.toString() + "' is pre-signed, not rectifying.");
 string error_msg = "";
 string info;
diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index f95ede6e7b..09c1844dc4 100644
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
@@ -1925,11 +1925,6 @@ $ORIGIN %NAME%
 dbrecs = get_db_records(name, 'SOA')
 self.assertIsNotNone(dbrecs[0]['ordername'])
- def test_explicit_rectify_no_dnssec(self):
- _, _, data = self.create_zone = self.create_zone(api_rectify=False, dnssec=False)
- r = self.session.put(self.url("/api/v1/servers/localhost/zones/" + data['id'] + "/rectify"))
- self.assertEquals(r.status_code, 422)
-
 def test_explicit_rectify_slave(self):
 # Some users want to move a zone to kind=Slave and then rectify, without a re-transfer.
 name, _, data = self.create_zone = self.create_zone(api_rectify=False, dnssec=True, nsec3param='1 0 1 ab')
-- 
2.47.2
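Review bot: The new `dk.isPresigned(zonename)` guard in apiServerZoneRectify has no regression test in this patch: the commit deletes `test_explicit_rectify_no_dnssec` from test_Zones.py but adds neither a test that a pre-signed zone is refused nor one that an unsigned zone is now accepted for rectify. Both directions are worth pinning, because this check is the only thing visible here that stops an API caller from having the server rewrite data in a zone whose DNSSEC material was produced elsewhere (presumably the reason for the refusal; confirm). A one-line comment above the check would record that intent, for example `// Pre-signed zones carry externally produced DNSSEC data; rectifying would modify it, so refuse.` The function body starts and ends outside the hunk, so whether the code after the check repeats it cannot be seen from here.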