Don't allow DNSSEC records in the raw zone
authorMatthijs Mekking <matthijs@isc.org>
Mon, 10 Oct 2022 12:14:43 +0000 (14:14 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 3 Nov 2022 09:20:05 +0000 (10:20 +0100)
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.

Remove the exception for dnssec-policy when copying non-DNSSEC
records, but still allow DNSKEY, as it may be a published DNSKEY
from a different provider.

lib/dns/zone.c

index 672d2997bc0f5d714d89de7b25ce0454c23a26c9..cf2fc489c71fb2a8fb26aba7f97dcefe6c5db1e9 100644 (file)
@@ -17169,9 +17169,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
 }
 
 static isc_result_t
-copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
-                       dns_db_t *rawdb, dns_dbiterator_t *dbiterator,
-                       unsigned int *oldserial) {
+copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
+                       dns_dbiterator_t *dbiterator, unsigned int *oldserial) {
        dns_dbnode_t *rawnode = NULL, *node = NULL;
        dns_fixedname_t fixed;
        dns_name_t *name = dns_fixedname_initname(&fixed);
@@ -17208,14 +17207,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
                    rdataset.type == dns_rdatatype_dnskey ||
                    rdataset.type == dns_rdatatype_nsec3param)
                {
-                       /*
-                        * Allow DNSSEC records with dnssec-policy.
-                        * WMM: Perhaps add config option for it.
-                        */
-                       if (dns_zone_getkasp(zone) == NULL) {
-                               dns_rdataset_disassociate(&rdataset);
-                               continue;
-                       }
+                       dns_rdataset_disassociate(&rdataset);
+                       continue;
                }
                if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) {
                        result = checkandaddsoa(db, node, version, &rdataset,
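Review bot: The commit description says DNSKEY is still allowed through the raw zone because it may be a DNSKEY published by a different provider, but the condition in this hunk still carries `rdataset.type == dns_rdatatype_dnskey ||` as an unchanged context line, so as far as the hunk shows DNSKEY is now dropped together with NSEC3PARAM and whatever types the start of the condition lists. Either the description overstates the change or the DNSKEY exception lives elsewhere in copy_non_dnssec_records, which starts and ends outside this hunk; if it is the former, the `dns_rdatatype_dnskey` comparison should be removed from the condition, if the latter, the description should say where. The deleted block also removed the only comment explaining why these types are skipped, and the new bare `dns_rdataset_disassociate(&rdataset); continue;` gives a reader no rationale; a replacement such as `/* The raw (unsigned) zone must never carry DNSSEC records: the signed version regenerates them, and an NSEC3 record copied into a non-NSEC3 node crashes. */` would keep the reason from the commit message next to the code.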
@@ -17318,8 +17311,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) {
        for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
             result = dns_dbiterator_next(dbiterator))
        {
-               result = copy_non_dnssec_records(zone, db, version, rawdb,
-                                                dbiterator, oldserialp);
+               result = copy_non_dnssec_records(db, version, rawdb, dbiterator,
+                                                oldserialp);
                if (result != ISC_R_SUCCESS) {
                        goto failure;
                }