From: Matthijs Mekking Date: Thu, 12 Oct 2023 10:02:02 +0000 (+0200) Subject: Ignore inline-signing by default X-Git-Tag: v9.19.18~37^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e6a454ad12a2cabbd9bb0ec784b6e1c655cb7ef9;p=thirdparty%2Fbind9.git Ignore inline-signing by default Ignore the option 'inline-signing' unless there is a 'dnssec-policy' configured for the zone. Having inline signing enabled while the zone is not DNSSEC signed does not make sense. If there is a 'dnssec-policy' the 'inline-signing' zone-only option can be used to override the value for the given zone.
---
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index fa34b4c7d4c..06982f9aeb1 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -2014,13 +2014,7 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 	}
 	maps[i] = NULL;
 
-	/* "inline-signing" is a zone-only clause, so look in maps[0] only. */
-	res = cfg_map_get(maps[0], "inline-signing", &signing);
-	if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
-		return (cfg_obj_asboolean(signing));
-	}
-
-	/* If inline-signing is not set, check the value in dnssec-policy. */
+	/* Check the value in dnssec-policy. */
 	policy = NULL;
 	res = named_config_get(maps, "dnssec-policy", &policy);
 	/* If no dnssec-policy found, then zone is not using inline-signing. */
@@ -2039,5 +2033,15 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 	inline_signing = dns_kasp_inlinesigning(kasp);
 	dns_kasp_detach(&kasp);
 
+	/*
+	 * The zone option 'inline-signing' may override the value in
+	 * dnssec-policy. This is a zone-only option, so look in maps[0]
+	 * only.
+	 */
+	res = cfg_map_get(maps[0], "inline-signing", &signing);
+	if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
+		return (cfg_obj_asboolean(signing));
+	}
+
 	return (inline_signing);
 }
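Review bot: A zone that configures `inline-signing yes;` without a `dnssec-policy` now has that option ignored with no diagnostic, because the first hunk removes the early return on the zone-level setting and the no-policy path (whose return statement lies outside the hunk) never reads it. An operator upgrading with such a configuration gets a silent behaviour change; consider emitting a configuration warning on the no-policy path when `cfg_map_get(maps[0], "inline-signing", &signing)` still succeeds, so the ignored option shows up in the config check and the log. The same lookup and `cfg_obj_isboolean` guard now appear in the second hunk after the policy is resolved, so a small static helper returning the optional boolean would keep the two sites from drifting. The opening of named_zone_inlinesigning and the no-policy return are outside the hunks.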