From: Matthijs Mekking Date: Fri, 24 Jun 2022 07:22:38 +0000 (+0200) Subject: Also inherit from "default" for "insecure" policy X-Git-Tag: v9.19.3~22^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c2a7950417024cf6db52a9dc3f3135c473d22072;p=thirdparty%2Fbind9.git Also inherit from "default" for "insecure" policy Remove the duplication from the defaultconf and inherit the values not set in the "insecure" policy from the "default" policy. Therefore, we must insist that the first read built-in policy is the default one. --- diff --git a/bin/named/config.c b/bin/named/config.c index cfdcec0847a..f7cc14dbafa 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -318,18 +318,6 @@ dnssec-policy \"default\" {\n\ \n\ dnssec-policy \"insecure\" {\n\ keys { };\n\ -\n\ - dnskey-ttl " DNS_KASP_KEY_TTL "; \n\ - publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\ - retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\ - purge-keys " DNS_KASP_PURGE_KEYS "; \n\ - signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\ - signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\ - signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\ - max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\ - zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\ - parent-ds-ttl " DNS_KASP_DS_TTL "; \n\ - parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\ };\n\ \n\ " diff --git a/bin/named/server.c b/bin/named/server.c index da9c18138c6..e36502863a3 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -9086,14 +9086,19 @@ load_configuration(const char *filename, named_server_t *server, element = cfg_list_next(element)) { cfg_obj_t *kconfig = cfg_listelt_value(element); + kasp = NULL; - CHECK(cfg_kasp_fromconfig(kconfig, NULL, named_g_mctx, + CHECK(cfg_kasp_fromconfig(kconfig, default_kasp, named_g_mctx, named_g_lctx, &kasplist, &kasp)); INSIST(kasp != NULL); dns_kasp_freeze(kasp); - if (strcmp(dns_kasp_getname(kasp), "default") == 0) { + + /* Insist that the first built-in policy is the default one. */ + if (default_kasp == NULL) { + INSIST(strcmp(dns_kasp_getname(kasp), "default") == 0); dns_kasp_attach(kasp, &default_kasp); } + dns_kasp_detach(&kasp); } INSIST(default_kasp != NULL); diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 932466aad77..7c476b1a682 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -511,9 +511,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, if (result != ISC_R_SUCCESS) { goto cleanup; } - } else if (default_kasp && strcmp(kaspname, "insecure") != 0) { + } else if (default_kasp) { dns_kasp_key_t *key, *new_key; - /* * If there are no specific keys configured in the policy, * inherit from the default policy (except for the built-in