Fix dnssec-policy NSEC3 on dynamic zones
authorMatthijs Mekking <matthijs@isc.org>
Wed, 24 Feb 2021 08:35:06 +0000 (09:35 +0100)
committerMark Andrews <marka@isc.org>
Thu, 25 Feb 2021 06:21:17 +0000 (17:21 +1100)
When applying dnssec-policy on a dynamic zone (e.g. that allows Dynamic
Updates), the NSEC3 parameters were put on the queue, but they were
not being processed (until a reload of the zone or reconfiguration).

Process the NSEC3PARAM queue on zone postload when handling a
dynamic zone.

lib/dns/zone.c

index 2fe91debe44200e9665f06f21daf331a7878fc16..5b8b1f1ddca11f82493a0214ce02ddfa0ff3f7e5 100644 (file)
@@ -4881,12 +4881,32 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
                              "could not find NS and/or SOA records");
        }
 
+       /*
+        * Process any queued NSEC3PARAM change requests. Only for dynamic
+        * zones, an inline-signing zone will perform this action when
+        * receiving the secure db (receive_secure_db).
+        */
+       is_dynamic = dns_zone_isdynamic(zone, true);
+       if (is_dynamic) {
+               isc_event_t *setnsec3param_event;
+               dns_zone_t *dummy;
+
+               while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
+                       setnsec3param_event =
+                               ISC_LIST_HEAD(zone->setnsec3param_queue);
+                       ISC_LIST_UNLINK(zone->setnsec3param_queue,
+                                       setnsec3param_event, ev_link);
+                       dummy = NULL;
+                       zone_iattach(zone, &dummy);
+                       isc_task_send(zone->task, &setnsec3param_event);
+               }
+       }
+
        /*
         * Check to make sure the journal is up to date, and remove the
         * journal file if it isn't, as we wouldn't be able to apply
         * updates otherwise.
         */
-       is_dynamic = dns_zone_isdynamic(zone, true);
        if (zone->journal != NULL && is_dynamic &&
            !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
        {
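Review bot: The queued NSEC3PARAM events are sent to `zone->task` ahead of the journal check later in this hunk, so they are dispatched before the rest of zone_postload has run. zone_postload starts and ends outside the hunk, so this is inferred: if any later step can fail, the requests would already be in flight for a zone whose load did not complete, and draining `zone->setnsec3param_queue` only once the load is known to have succeeded would be safer. Separately, the reference taken with `zone_iattach(zone, &dummy)` is not released in this block and is presumably dropped by the event handler, which is not visible here. A comment above that call, such as `/* Reference is released by the setnsec3param event handler. */`, would make the ownership explicit for the next reader.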