Skip private records when syncing secure db
authorMatthijs Mekking <matthijs@isc.org>
Fri, 7 Nov 2025 14:56:54 +0000 (15:56 +0100)
committerMatthijs Mekking (GitLab job 6518807) <matthijs@isc.org>
Mon, 24 Nov 2025 13:23:48 +0000 (13:23 +0000)
When synchronizing the secure database, we skip DNSSEC records that
BIND 9 maintains with inline-signing. We should also skip private
RDATA type records that are used to track the current state of a
zone-signing process.

(cherry picked from commit 6dcb9ce77ff774ffab3139c052b0f177338953d0)

lib/dns/zone.c

index 6188e1fb3c6bb10cc2c7f385f55f06fa1b7084a4..915e129d9297f23e7653ff840711705ebcf0a96f 100644 (file)
@@ -16881,6 +16881,17 @@ sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb,
 
                next = ISC_LIST_NEXT(tuple, link);
 
+               /*
+                * Skip private records that BIND maintains with inline-signing.
+                */
+               if (seczone->privatetype != 0 &&
+                   tuple->rdata.type == seczone->privatetype)
+               {
+                       ISC_LIST_UNLINK(diff->tuples, tuple, link);
+                       dns_difftuple_free(&tuple);
+                       continue;
+               }
+
                /*
                 * Skip DNSSEC records that BIND maintains with inline-signing.
                 */
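Review bot: The comment above the added `seczone->privatetype` check says what is skipped but not why it matters. These tuples appear to come from the diff computed against the raw zone, so without the check, content of the unsigned zone could add or remove the signing-state records that the secure zone keeps for itself. I would spell that out, e.g. `/* Private-type records track signing state and belong to the secure zone only; never accept them from the raw zone's diff. */`. The tuple is dropped silently, so a debug-level log line with the owner name would let an operator notice a raw zone that carries such records. The loop header and the rest of sync_secure_db are outside the hunk, so I am assuming that `continue` advances to the `next` saved just above.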