From: Mark Andrews
Date: Tue, 14 Mar 2023 02:13:14 +0000 (+1100)
Subject: When signing with a new algorithm preserve NSEC/NSEC3 chains
X-Git-Tag: v9.19.12~78^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4b5520145969222e6482e4552e49e96cc7d9bd97;p=thirdparty%2Fbind9.git
When signing with a new algorithm preserve NSEC/NSEC3 chains
If the zone already has existing NSEC/NSEC3 chains then zone_sign needs to continue to use them. If there are no chains then use kasp setting otherwise generate an NSEC chain.
---
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 1646e89d6b4..9d9fec20bb4 100644
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -421,12 +421,6 @@ then
 set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
 set_key_default_values "KEY2"
 echo_i "check zone ${ZONE} after reconfig"
-
- ret=0
- wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
-
 check_nsec
 
 # Zone: nsec3-to-rsasha1.kasp.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 1c10265aa28..7444fb29e3e 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9197,23 +9197,23 @@ zone_sign(dns_zone_t *zone) {
 use_kasp ? "yes" : "no");
 
 /* Determine which type of chain to build */
- if (use_kasp) {
- build_nsec3 = dns_kasp_nsec3(kasp);
- if (!dns_zone_check_dnskey_nsec3(zone, db, version, NULL,
- (dst_key_t **)&zone_keys,
- nkeys))
- {
- dnssec_log(zone, ISC_LOG_INFO,
- "wait building NSEC3 chain until NSEC only "
- "DNSKEYs are removed");
- build_nsec3 = false;
- }
- build_nsec = !build_nsec3;
- } else {
- CHECK(dns_private_chains(db, version, zone->privatetype,
- &build_nsec, &build_nsec3));
- /* If neither chain is found, default to NSEC */
- if (!build_nsec && !build_nsec3) {
+ CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
+ &build_nsec3));
+ if (!build_nsec && !build_nsec3) {
+ if (use_kasp) {
+ build_nsec3 = dns_kasp_nsec3(kasp);
+ if (!dns_zone_check_dnskey_nsec3(
+ zone, db, version, NULL,
+ (dst_key_t **)&zone_keys, nkeys))
+ {
+ dnssec_log(zone, ISC_LOG_INFO,
+ "wait building NSEC3 chain until "
+ "NSEC only DNSKEYs are removed");
+ build_nsec3 = false;
+ }
+ build_nsec = !build_nsec3;
+ } else {
+ /* If neither chain is found, default to NSEC */
 build_nsec = true;
 }
 }
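Review bot: The NSEC-only DNSKEY guard is now skipped whenever dns_private_chains() reports a pre-existing NSEC3 chain, because the added `if (!build_nsec && !build_nsec3)` encloses the `dns_zone_check_dnskey_nsec3()` call that the old code ran on every kasp signing pass; a policy that introduces an NSEC-only algorithm into an already NSEC3-signed zone would keep maintaining that chain with keys RFC 5155 does not permit for it, unless that combination is rejected earlier, which this hunk does not show. At minimum the condition should be visible in the log: after the dns_private_chains() call, `if (use_kasp && build_nsec3 && !dns_zone_check_dnskey_nsec3(zone, db, version, NULL, (dst_key_t **)&zone_keys, nkeys)) { dnssec_log(zone, ISC_LOG_WARNING, "existing NSEC3 chain maintained with NSEC only DNSKEYs"); }`. Related, when a chain already exists the kasp `nsec3` setting is now silently overridden; a debug line such as `dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign: keeping existing %s chain", build_nsec3 ? "NSEC3" : "NSEC");` would tell operators why the policy's choice is not applied, and the comment `/* Determine which type of chain to build */` should say that an existing chain always takes precedence over the policy. zone_sign() starts before and continues after this hunk.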