From: Matthijs Mekking
Date: Fri, 13 Oct 2023 09:46:05 +0000 (+0200)
Subject: Don't resign raw version of the zone
X-Git-Tag: v9.19.18~40^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=741ce2d07a7637391c729e108080529accfc834f;p=thirdparty%2Fbind9.git
Don't resign raw version of the zone
Update the function 'set_resigntime()' so that raw versions of inline-signing zones are not scheduled to be resigned. Also update the check in the same function for zone is dynamic, there exists a function 'dns_zone_isdynamic()' that does a similar thing and is more complete. Also in 'zone_postload()' check whether the zone is not the raw version of an inline-signing zone, preventing calculating the next resign time.
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index b9bea598ef0..6fb44e43cd5 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3825,15 +3825,11 @@ set_resigntime(dns_zone_t *zone) {
 INSIST(LOCKED_ZONE(zone));
 /* We only re-sign zones that can be dynamically updated */
- if (zone->update_disabled) {
+ if (!dns_zone_isdynamic(zone, false)) {
 return;
 }
- if (!inline_secure(zone) &&
- (zone->type != dns_zone_primary ||
- (zone->ssutable == NULL &&
- (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
- {
+ if (inline_raw(zone)) {
 return;
 }
@@ -5174,7 +5170,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 is_dynamic = dns_zone_isdynamic(zone, false);
 if (zone->type == dns_zone_primary && is_dynamic &&
- dns_db_issecure(db))
+ dns_db_issecure(db) && !inline_raw(zone))
 {
 dns_name_t *name;
 dns_fixedname_t fixed;
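Review bot: In set_resigntime() the swap of the two removed tests for `!dns_zone_isdynamic(zone, false)` is not shown to be equivalent, and the commit message itself only says the helper does "a similar thing". The old code returned unconditionally when `zone->update_disabled` was set, and otherwise required a primary zone with an ssutable or a usable update ACL unless `inline_secure(zone)` held. If the helper answers differently for frozen or non-primary zones, their resign scheduling changes, and a zone that silently drops out of re-signing would eventually serve expired signatures. A system test that checks the resign time for a frozen inline-signing zone and for a non-primary zone would pin this down. Both new `inline_raw()` guards (here and in the zone_postload() hunk) also lack a why-comment, e.g. `/* The raw version of an inline-signing zone is not re-signed; the secure version is. */`; set_resigntime()'s body begins and ends outside the hunk.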