Update the NSEC3PARAM TTL to match the SOA minimum
authorMark Andrews <marka@isc.org>
Wed, 20 Dec 2023 02:07:51 +0000 (13:07 +1100)
committerMark Andrews <marka@isc.org>
Thu, 21 Dec 2023 09:12:09 +0000 (20:12 +1100)
When building NSEC3 chains, update the NSEC3PARAM TTL to match
the SOA minimum.  Delete all records that use the old TTL, then
re-add them using the new TTL.

lib/dns/zone.c

index 1ab0b2e4e436a98ff85cacba62bc5798bf907dad..6f5cf676903ae5b42931879b7f564b58272ce9d7 100644 (file)
@@ -7505,11 +7505,6 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
                goto failure;
        }
 
-       /*
-        * Preserve the existing ttl.
-        */
-       ttl = rdataset.ttl;
-
        /*
         * Delete all NSEC3PARAM records which match that in nsec3chain.
         */
@@ -7526,6 +7521,16 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
                    memcmp(nsec3param.salt, chain->nsec3param.salt,
                           nsec3param.salt_length))
                {
+                       /*
+                        * If the SOA minimum is different to the current TTL,
+                        * delete the record.  We will re-add it with the new
+                        * TTL below.
+                        */
+                       if (rdataset.ttl != ttl) {
+                               CHECK(update_one_rr(db, ver, diff,
+                                                   DNS_DIFFOP_DEL, name,
+                                                   rdataset.ttl, &rdata));
+                       }
                        dns_rdata_reset(&rdata);
                        continue;
                }
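Review bot: The new delete on the added lines relies on `ttl` already holding the SOA minimum now that the `ttl = rdataset.ttl` assignment has been removed, but nothing in this hunk shows where that value comes from; from the cut-off hunk header it is presumably a parameter of fixup_nsec3param, so every caller is now trusted to pass the SOA minimum rather than the record's existing TTL. I would state that contract at the parameter instead of leaving it implicit, e.g. `/* 'ttl' is the SOA minimum; every NSEC3PARAM record at 'name' is rewritten to carry it. */`. Because an RRset has a single TTL, `rdataset.ttl != ttl` evaluates the same for every record, so it could be computed once into a `bool` before the loop and shared with the later restore pass, making it obvious that the deletes and the re-adds cover the same records. fixup_nsec3param starts before this hunk and continues after it, and the `if` whose tail is visible here begins outside the hunk, so the deletion of chain-matching records below the `continue` is not visible.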
@@ -7538,6 +7543,34 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
                goto failure;
        }
 
+       /*
+        * Restore any NSEC3PARAM records that we deleted to change the TTL.
+        */
+       if (rdataset.ttl != ttl) {
+               for (result = dns_rdataset_first(&rdataset);
+                    result == ISC_R_SUCCESS;
+                    result = dns_rdataset_next(&rdataset))
+               {
+                       dns_rdataset_current(&rdataset, &rdata);
+                       CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+                       if (nsec3param.hash != chain->nsec3param.hash ||
+                           (active && nsec3param.flags != 0) ||
+                           nsec3param.iterations !=
+                                   chain->nsec3param.iterations ||
+                           nsec3param.salt_length !=
+                                   chain->nsec3param.salt_length ||
+                           memcmp(nsec3param.salt, chain->nsec3param.salt,
+                                  nsec3param.salt_length))
+                       {
+                               CHECK(update_one_rr(db, ver, diff,
+                                                   DNS_DIFFOP_ADD, name, ttl,
+                                                   &rdata));
+                       }
+                       dns_rdata_reset(&rdata);
+               }
+       }
+
        dns_rdataset_disassociate(&rdataset);
 
 try_private:
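Review bot: The match predicate in the restore loop (hash, active flags, iterations, salt length, salt) is a verbatim copy of the one in the delete loop above; if either copy drifts, the zone can silently lose an NSEC3PARAM record (deleted at the old TTL but never re-added) or try to re-add one that was never removed, which on a signed zone is exactly the kind of inconsistency that breaks chain maintenance. I would lift the comparison into a small `static bool nsec3param_matches_chain()` helper and call it from both loops so the delete and restore paths cannot disagree. The restore pass also depends on `rdataset` still enumerating the pre-deletion records after `update_one_rr(... DNS_DIFFOP_DEL ...)` has been applied to `ver`; that appears to be the intent, but it deserves a comment such as `/* 'rdataset' was bound before the deletes above and still yields the original records. */` so anyone porting this to a different database backend sees the assumption. fixup_nsec3param and its `failure:` cleanup lie outside this hunk, so whether a mid-loop CHECK failure leaves the partially applied diff to be discarded by the caller cannot be confirmed here.
```c
/*
 * Return true if 'nsec3param' describes the same NSEC3 chain as 'chain'
 * (same hash, iterations and salt).  When 'active' is set, a record with
 * non-zero flags is never treated as a match.
 */
static bool
nsec3param_matches_chain(const dns_rdata_nsec3param_t *nsec3param,
			 const dns_nsec3chain_t *chain, bool active) {
	if (nsec3param->hash != chain->nsec3param.hash ||
	    (active && nsec3param->flags != 0) ||
	    nsec3param->iterations != chain->nsec3param.iterations ||
	    nsec3param->salt_length != chain->nsec3param.salt_length)
	{
		return (false);
	}
	return (memcmp(nsec3param->salt, chain->nsec3param.salt,
		       nsec3param->salt_length) == 0);
}

/* … unchanged: fixup_nsec3param up to the restore loop … */
			dns_rdataset_current(&rdataset, &rdata);
			CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

			/* Only records belonging to other chains were deleted
			 * for the TTL change; put those back at the new TTL. */
			if (!nsec3param_matches_chain(&nsec3param, chain, active)) {
				CHECK(update_one_rr(db, ver, diff,
						    DNS_DIFFOP_ADD, name, ttl,
						    &rdata));
			}
			dns_rdata_reset(&rdata);
/* … unchanged: end of loop, dns_rdataset_disassociate … */
```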