When signing with a new algorithm preserve NSEC/NSEC3 chains
authorMark Andrews <marka@isc.org>
Tue, 14 Mar 2023 02:13:14 +0000 (13:13 +1100)
committerMark Andrews <marka@isc.org>
Tue, 14 Mar 2023 12:26:39 +0000 (23:26 +1100)
If the zone already has existing NSEC/NSEC3 chains then zone_sign
needs to continue to use them.  If there are no chains then use the
kasp setting; otherwise generate an NSEC chain.

bin/tests/system/nsec3/tests.sh
lib/dns/zone.c

index 1646e89d6b4b543e5651d56fefa45fc247ed399e..9d9fec20bb4c6953f4325a4c49c095b9897a92b6 100644 (file)
@@ -421,12 +421,6 @@ then
        set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
        set_key_default_values "KEY2"
        echo_i "check zone ${ZONE} after reconfig"
-
-       ret=0
-       wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1
-       test "$ret" -eq 0 || echo_i "failed"
-       status=$((status+ret))
-
        check_nsec
 
        # Zone: nsec3-to-rsasha1.kasp.
index 1c10265aa28c823d8977c7408ea909f0c55ced40..7444fb29e3e81166731e9fcaa7dd303f102a1e24 100644 (file)
@@ -9197,23 +9197,23 @@ zone_sign(dns_zone_t *zone) {
                   use_kasp ? "yes" : "no");
 
        /* Determine which type of chain to build */
-       if (use_kasp) {
-               build_nsec3 = dns_kasp_nsec3(kasp);
-               if (!dns_zone_check_dnskey_nsec3(zone, db, version, NULL,
-                                                (dst_key_t **)&zone_keys,
-                                                nkeys))
-               {
-                       dnssec_log(zone, ISC_LOG_INFO,
-                                  "wait building NSEC3 chain until NSEC only "
-                                  "DNSKEYs are removed");
-                       build_nsec3 = false;
-               }
-               build_nsec = !build_nsec3;
-       } else {
-               CHECK(dns_private_chains(db, version, zone->privatetype,
-                                        &build_nsec, &build_nsec3));
-               /* If neither chain is found, default to NSEC */
-               if (!build_nsec && !build_nsec3) {
+       CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
+                                &build_nsec3));
+       if (!build_nsec && !build_nsec3) {
+               if (use_kasp) {
+                       build_nsec3 = dns_kasp_nsec3(kasp);
+                       if (!dns_zone_check_dnskey_nsec3(
+                                   zone, db, version, NULL,
+                                   (dst_key_t **)&zone_keys, nkeys))
+                       {
+                               dnssec_log(zone, ISC_LOG_INFO,
+                                          "wait building NSEC3 chain until "
+                                          "NSEC only DNSKEYs are removed");
+                               build_nsec3 = false;
+                       }
+                       build_nsec = !build_nsec3;
+               } else {
+                       /* If neither chain is found, default to NSEC */
                        build_nsec = true;
                }
        }
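Review bot: The dns_zone_check_dnskey_nsec3() guard is now only consulted on the no-existing-chain path (inside the `if (!build_nsec && !build_nsec3)` block), so a zone that already carries an NSEC3 chain keeps building it even after an NSEC-only DNSKEY algorithm is introduced, and the "wait building NSEC3 chain" deferral is never logged for that case; this matches the removed test expectation and the commit title, but nothing in the code says it is deliberate. A comment above the dns_private_chains() call would make the precedence explicit, e.g. `/* Existing NSEC/NSEC3 chains take precedence over the kasp policy; the NSEC-only DNSKEY check below only applies when a chain is first created. */`. The retained comment `/* If neither chain is found, default to NSEC */` now sits under the `else` branch where "neither chain" is already established by the outer condition, so it reads better as `/* No kasp policy to consult: default to NSEC */`. zone_sign() starts and ends outside this hunk, so I cannot see whether build_nsec/build_nsec3 are initialised before dns_private_chains() is called.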