From: Matthijs Mekking
Date: Wed, 17 Jun 2026 15:34:42 +0000 (+0200)
Subject: Remove CDs/CDNSKEY records on reconfig
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c4c2cba8b2cf56f241c831f74b1f4f381bc45a3;p=thirdparty%2Fbind9.git

Remove CDs/CDNSKEY records on reconfig

When adding to dnssec-policy:
cdnskey no;
cds-digest-types { };
and then reconfig the server, named must remove existing CDS and CDNSKEY records. Note this already worked when adding CDS digest, or setting 'cdnskey yes;', but not when digests were removed from the list, or when setting 'cdnskey no;'.
---
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 991a5e9fff5..8a0effb2d91 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1832,6 +1832,17 @@ add_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
 return DNS_R_UNCHANGED;
 }
+static bool
+contains_digest(dns_kasp_digestlist_t *digests, unsigned int digesttype) {
+ ISC_LIST_FOREACH(*digests, alg, link) {
+ if (digesttype == alg->digest) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
 static isc_result_t
 delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
 dns_rdataset_t *cds, unsigned int digesttype, dns_diff_t *diff,
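Review bot: `contains_digest` has no comment and dereferences `digests` unconditionally, so a NULL list from a caller would fault inside ISC_LIST_FOREACH; the `digests` it receives in dns_dnssec_syncupdate is declared outside the visible hunks, so if it can ever be NULL (I cannot tell from here) add `REQUIRE(digests != NULL);` at the top, and otherwise state the non-NULL contract in the comment. Suggested header: `/* Return true if 'digesttype' is one of the CDS digest types listed in 'digests'. */`. The list is only read, so the parameter could also be `const` if ISC_LIST_FOREACH accepts a const list.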
@@ -1921,20 +1932,21 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 }
 }
- if (syncdelete(key->key, now)) {
+ if (dns_rdataset_isassociated(cds)) {
 char keystr[DST_KEY_FORMATSIZE];
 dst_key_format(key->key, keystr, sizeof(keystr));
- if (dns_rdataset_isassociated(cds)) {
- /* Delete all possible CDS records */
- for (dns_dsdigest_t digest = DNS_DSDIGEST_SHA1;
- digest < DNS_DSDIGEST_TOTAL; digest++)
+ /* Delete all possible CDS records */
+ for (dns_dsdigest_t digest = DNS_DSDIGEST_SHA1;
+ digest < DNS_DSDIGEST_TOTAL; digest++)
+ {
+ if (syncdelete(key->key, now) ||
+ !contains_digest(digests, digest))
 {
 result = delete_cds( key, &cdnskeyrdata, (const char *)keystr, cds, digest, diff, mctx);
-
 switch (result) {
 case ISC_R_SUCCESS:
 changed = true;
@@ -1954,19 +1966,24 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 }
 }
 }
+ }
- if (dns_rdataset_isassociated(cdnskey)) {
- if (exists(cdnskey, &cdnskeyrdata)) {
- isc_log_write(DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC,
- ISC_LOG_INFO,
- "CDNSKEY for key %s is "
- "now deleted",
- keystr);
- delrdata(&cdnskeyrdata, diff, origin,
- cdnskey->ttl, mctx);
- changed = true;
- }
+ if (dns_rdataset_isassociated(cdnskey) &&
+ exists(cdnskey, &cdnskeyrdata))
+ {
+ if (syncdelete(key->key, now) || !gencdnskey) {
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(key->key, keystr,
+ sizeof(keystr));
+
+ isc_log_write(
+ DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+ "CDNSKEY for key %s is now deleted",
+ keystr);
+ delrdata(&cdnskeyrdata, diff, origin,
+ cdnskey->ttl, mctx);
+ changed = true;
 }
 }
 }
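Review bot: `syncdelete(key->key, now)` is loop-invariant but the new `for` loop evaluates it once per digest type (up to DNS_DSDIGEST_TOTAL times per key), and the CDNSKEY block in the next hunk calls it yet again; compute it once before the loop, `bool remove_all = syncdelete(key->key, now);`, and test `if (remove_all || !contains_digest(digests, digest))`. Also `dst_key_format` now runs for every key whenever the CDS rrset is associated, even when neither condition selects anything to delete; harmless, but it could be deferred to the point where `delete_cds` is actually called. `digests` appears to be a parameter of dns_dnssec_syncupdate whose declaration is outside this hunk; the function begins before the hunk and the `switch (result)` continues past it.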
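Review bot: The INFO line `"CDNSKEY for key %s is now deleted"` is now emitted for two different reasons — the key reached its sync-delete time, or `cdnskey no;` was configured — but reads the same for both, so an operator auditing parent-synchronisation changes after a reconfig cannot tell a planned key-lifecycle removal from a policy change. Carrying the reason in the message, e.g. `"CDNSKEY for key %s is now deleted (%s)", keystr, gencdnskey ? "sync-delete time reached" : "disabled by policy"`, makes the distinction visible in the log. `gencdnskey` is presumably a bool parameter of dns_dnssec_syncupdate, declared outside this hunk. The two nested `if`s could also be folded into a single condition, since the outer one has no other body.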