Relax zone_cdscheck function
authorMatthijs Mekking <matthijs@isc.org>
Tue, 13 Jul 2021 09:05:35 +0000 (11:05 +0200)
committerEvan Hunt <each@isc.org>
Wed, 14 Jul 2021 19:10:11 +0000 (12:10 -0700)
If we have a CDS or CDNSKEY we at least need to have a DNSKEY with the
same algorithm published and signing the CDS RRset. Same for CDNSKEY
of course.

This relaxes the zone_cdscheck function: previously the CDS or
CDNSKEY had to match a DNSKEY in the zone exactly; now only the algorithm has to match.

This allows a provider in a multisigner model to update the CDS/CDNSKEY
RRset in the zone that is served by the other provider.

lib/dns/zone.c

index 309afb05927f74c29c0794e29206e38972e0f2ef..f1cf499a232fa08869b2c031e90b8ca9e4972e5f 100644 (file)
@@ -22000,7 +22000,6 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
        isc_result_t result;
        dns_dbnode_t *node = NULL;
        dns_rdataset_t dnskey, cds, cdnskey;
-       unsigned char buffer[DNS_DS_BUFFERSIZE];
        unsigned char algorithms[256];
        unsigned int i;
        bool empty = false;
@@ -22085,16 +22084,14 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
                             result = dns_rdataset_next(&dnskey))
                        {
                                dns_rdata_t rdata = DNS_RDATA_INIT;
-                               dns_rdata_t dsrdata = DNS_RDATA_INIT;
+                               dns_rdata_dnskey_t structdnskey;
 
                                dns_rdataset_current(&dnskey, &rdata);
-                               CHECK(dns_ds_buildrdata(&zone->origin, &rdata,
-                                                       structcds.digest_type,
-                                                       buffer, &dsrdata));
-                               if (crdata.length == dsrdata.length &&
-                                   memcmp(crdata.data, dsrdata.data,
-                                          dsrdata.length) == 0)
-                               {
+                               CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
+                                                        NULL));
+
+                               if (structdnskey.algorithm ==
+                                   structcds.algorithm) {
                                        algorithms[structcds.algorithm] = found;
                                }
                        }
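Review bot: The comparison at `if (structdnskey.algorithm == structcds.algorithm)` no longer ties the CDS to any key actually published in this zone, so a stale or mistyped CDS digest for an algorithm the zone does use now passes this check; if the parent honours it, the resulting DS points at a key nobody holds and the child fails validation. The commit message says a DNSKEY must be published "and signing the CDS RRset", but nothing in this hunk checks the signer — if that is enforced elsewhere it is worth pointing to from here, otherwise the message overstates what the code verifies. A comment above the loop should record the weaker contract and its rationale, e.g. `/* Only the algorithm is compared: in a multi-signer setup (RFC 8901) the CDS may describe the other provider's KSK, which is not in this zone's DNSKEY RRset. The cryptographic binding is checked by the parent (RFC 7344 section 4.1). */`. dns_zone_cdscheck begins before this hunk and continues after it, so the CHECK failure path is not visible here.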
@@ -22159,12 +22156,14 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
                             result = dns_rdataset_next(&dnskey))
                        {
                                dns_rdata_t rdata = DNS_RDATA_INIT;
+                               dns_rdata_dnskey_t structdnskey;
 
                                dns_rdataset_current(&dnskey, &rdata);
-                               if (crdata.length == rdata.length &&
-                                   memcmp(crdata.data, rdata.data,
-                                          rdata.length) == 0)
-                               {
+                               CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
+                                                        NULL));
+
+                               if (structdnskey.algorithm ==
+                                   structcdnskey.algorithm) {
                                        algorithms[structcdnskey.algorithm] =
                                                found;
                                }
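Review bot: This loop is now the CDS loop of the previous hunk repeated verbatim with `structcdnskey` in place of `structcds`, so the tostruct-and-compare sequence exists twice; a static helper taking the DNSKEY rdataset and an algorithm and reporting whether any DNSKEY uses it would keep the two checks from drifting apart and make the relaxed contract visible in one place. If that refactor is not wanted, this loop at least deserves the same explanatory comment as the CDS loop, since a reader seeing a CDNSKEY accepted while none of its key material matches a published DNSKEY will otherwise take it for a bug. The CHECK on the tostruct call jumps to a cleanup label outside this hunk, and dns_zone_cdscheck continues past it.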