From: Matthijs Mekking Date: Tue, 11 Oct 2022 09:07:43 +0000 (+0200) Subject: If a zone is not reusable, trigger full sign X-Git-Tag: v9.19.7~8^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4d143f2cc46663e6a7935b3d650c361ed630e03a;p=thirdparty%2Fbind9.git If a zone is not reusable, trigger full sign If after a reconfig a zone is not reusable because inline-signing was turned on/off, trigger a full resign. This is necessary because otherwise the zone maintenance may decide to only apply the changes in the journal, leaving the zone in an inconsistent DNSSEC state.
---
diff --git a/bin/named/server.c b/bin/named/server.c
index b95d1ee108b..b38e00d027a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6501,6 +6501,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	bool zone_is_catz = false;
 	bool zone_maybe_inline = false;
 	bool inline_signing = false;
+	bool fullsign = false;
 
 	options = NULL;
 	(void)cfg_map_get(config, "options", &options);
@@ -6769,6 +6770,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 
 	if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
 		dns_zone_detach(&zone);
+		fullsign = true;
 	}
 
 	if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) ||
@@ -6903,7 +6905,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	 * Ensure that zone keys are reloaded on reconfig
 	 */
 	if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) {
-		dns_zone_rekey(zone, false);
+		dns_zone_rekey(zone, fullsign);
 	}
 
 cleanup:
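Review bot: The comment above the `dns_zone_rekey(zone, fullsign)` call in the third hunk still says only that keys are reloaded on reconfig, while the call now also forces a full resign whenever `fullsign` was set in the second hunk; I would extend it to `* Ensure that zone keys are reloaded on reconfig, and force a full` / `* resign if the old zone object could not be reused (e.g. inline-signing` / `* was toggled), so maintenance does not just replay the journal.` Note that `fullsign` is set for any reason `named_zone_reusable()` rejects the old zone, not only an inline-signing change as the commit message describes, so every such reconfig now pays for a full resign — probably acceptable, but worth stating in the comment. The flag is only consumed inside the `DNS_ZONEKEY_MAINTAIN` branch; if a zone can be inline-signed without that key option set, the full sign would not be triggered for it, which I cannot confirm from these hunks. `configure_zone()` starts and ends outside the hunks shown.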