git.ipfire.org Git - thirdparty/bind9.git/commit
Add built-in dnssec-policy "insecure"
author Matthijs Mekking <matthijs@isc.org>
Wed, 21 Apr 2021 14:09:06 +0000 (16:09 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Fri, 30 Apr 2021 11:58:22 +0000 (13:58 +0200)
commit 375112a623d91b2f3fa235aafabc9ca80bc68a3d
tree 2a799421faa3f0103ad6e06f1bab3565284d99fd
parent fdf7be247d4f596a4c7ac3b525c4dd1a41689964
Add built-in dnssec-policy "insecure"

Add a new built-in policy "insecure", to be used to gracefully unsign
a zone. Previously you could just remove the 'dnssec-policy'
configuration from your zone statement, or remove it.

The built-in policy "none" (or not configured) now actually means
no DNSSEC maintenance for the corresponding zone. So if you
immediately reconfigure your zone from whatever policy to "none",
your zone will temporarily be seen as bogus by validating resolvers.

This means we can remove the functions 'dns_zone_use_kasp()' and
'dns_zone_secure_to_insecure()' again. We also no longer have to
check for the existence of key state files to figure out if a zone
is transitioning to insecure.

(cherry picked from commit 2710d9a11d0602814ff3454e9d319420f1578a0c)

bin/named/server.c
bin/named/zoneconf.c
lib/bind9/check.c
lib/dns/include/dns/zone.h
lib/dns/update.c
lib/dns/win32/libdns.def.in
lib/dns/zone.c
lib/isccfg/kaspconf.c
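
The commit message above says that moving a zone straight from a signing policy to "none" (or dropping the option) leaves it temporarily bogus for validating resolvers, and that "insecure" is the graceful path. As an added example (not part of this commit or of BIND's code), a pre-deployment check that compares two named.conf versions and reports zones taking the abrupt path; the function names and sample configurations are constructed, and only zone-level `dnssec-policy` statements are considered (inheritance from `options` or `view` is assumed absent).

```python
import re

# Simplified named.conf scan: comments are stripped with a regex and
# same-named zones in different views are not distinguished (assumption).
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')
POLICY_RE = re.compile(r'\bdnssec-policy\s+"?([\w.-]+)"?\s*;')
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

# Constructed sample configurations (before and after a planned change).
OLD_CONF = """
zone "example.com" { type primary; file "db.example.com"; dnssec-policy default; };
zone "example.net" { type primary; file "db.example.net"; dnssec-policy "default";
                     allow-transfer { 192.0.2.1; }; };
zone "example.org" { type primary; file "db.example.org"; dnssec-policy insecure; };
"""
NEW_CONF = """
zone "example.com" { type primary; file "db.example.com"; };  # option dropped
zone "example.net" { type primary; file "db.example.net"; dnssec-policy insecure;
                     allow-transfer { 192.0.2.1; }; };
zone "example.org" { type primary; file "db.example.org"; dnssec-policy none; };
"""

def zone_policies(conf):
    """Map zone name -> dnssec-policy name ("none" when not configured)."""
    conf = COMMENT_RE.sub("", conf)
    policies = {}
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        p = POLICY_RE.search(conf[m.end():i])
        policies[m.group(1).lower()] = p.group(1) if p else "none"
    return policies

def abrupt_unsigning(old_conf, new_conf):
    """Zones going from a signing policy straight to "none" or no policy."""
    old, new = zone_policies(old_conf), zone_policies(new_conf)
    return sorted(
        zone for zone, policy in old.items()
        if policy not in ("none", "insecure") and new.get(zone) == "none"
    )

if __name__ == "__main__":
    for zone in abrupt_unsigning(OLD_CONF, NEW_CONF):
        print(f'{zone}: switch to dnssec-policy "insecure" first, then "none"')
```

A zone that is already on "insecure" and moves to "none" is not reported, since that is the final step of the graceful path the commit message describes.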