git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Thu, 3 Dec 2020 14:01:42 +0000 (15:01 +0100)
committer	Matthijs Mekking <matthijs@isc.org>
	Wed, 23 Dec 2020 08:02:11 +0000 (09:02 +0100)
commit	cf420b2af0d45693d0f5f34d9113ea411b5f2225
tree	aa5807f4b00b4c79ca5dd69d8fd1b9bc71adcedf	tree \| snapshot
parent	8f2c5e45da47394c812f5499b2766b13387c7bbc	commit \| diff

Treat dnssec-policy "none" as a builtin zone

Configure "none" as a builtin policy. Change the 'cfg_kasp_fromconfig'
api so that the 'name' will determine what policy needs to be
configured.

When transitioning a zone from secure to insecure, there will be
cases when a zone with no DNSSEC policy (dnssec-policy none) should
be using KASP. When there are key state files available, this is an
indication that the zone once was DNSSEC signed but is reconfigured
to become insecure.

If we would not run the keymgr, named would abruptly remove the
DNSSEC records from the zone, making the zone bogus. Therefore,
change the code such that a zone will use kasp if there is a valid
dnssec-policy configured, or if there are state files available.

bin/dnssec/dnssec-keygen.c		diff \| blob \| blame \| history
bin/named/server.c		diff \| blob \| blame \| history
bin/named/zoneconf.c		diff \| blob \| blame \| history
bin/tests/system/kasp/tests.sh		diff \| blob \| blame \| history
lib/bind9/check.c		diff \| blob \| blame \| history
lib/dns/include/dns/zone.h		diff \| blob \| blame \| history
lib/dns/update.c		diff \| blob \| blame \| history
lib/dns/win32/libdns.def.in		diff \| blob \| blame \| history
lib/dns/zone.c		diff \| blob \| blame \| history
lib/isccfg/include/isccfg/kaspconf.h		diff \| blob \| blame \| history
lib/isccfg/kaspconf.c		diff \| blob \| blame \| history