Relax zone_cdscheck function
authorMatthijs Mekking <matthijs@isc.org>
Tue, 13 Jul 2021 09:05:35 +0000 (11:05 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 15 Jul 2021 07:26:16 +0000 (09:26 +0200)
If we have a CDS or CDNSKEY we at least need to have a DNSKEY with the
same algorithm published and signing the CDS RRset. Same for CDNSKEY
of course.

This relaxes the zone_cdscheck function: previously a CDS had to match the DS built from a DNSKEY, and a CDNSKEY had to match a DNSKEY byte-for-byte; now only the algorithm has to match.

This allows a provider in a multisigner model to update the CDS/CDNSKEY
RRset in the zone that is served by the other provider.

(cherry picked from commit 577bf913b9431c29812b2c7413ecb0dfa1eb7526)

lib/dns/zone.c

index 12021e473d61f972796ce2055be5892b4065a4a5..d887f34539fd1a94dd23da4a1e32b95aa338a2b8 100644 (file)
@@ -21787,7 +21787,6 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
        isc_result_t result;
        dns_dbnode_t *node = NULL;
        dns_rdataset_t dnskey, cds, cdnskey;
-       unsigned char buffer[DNS_DS_BUFFERSIZE];
        unsigned char algorithms[256];
        unsigned int i;
        bool empty = false;
@@ -21872,16 +21871,14 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
                             result = dns_rdataset_next(&dnskey))
                        {
                                dns_rdata_t rdata = DNS_RDATA_INIT;
-                               dns_rdata_t dsrdata = DNS_RDATA_INIT;
+                               dns_rdata_dnskey_t structdnskey;
 
                                dns_rdataset_current(&dnskey, &rdata);
-                               CHECK(dns_ds_buildrdata(&zone->origin, &rdata,
-                                                       structcds.digest_type,
-                                                       buffer, &dsrdata));
-                               if (crdata.length == dsrdata.length &&
-                                   memcmp(crdata.data, dsrdata.data,
-                                          dsrdata.length) == 0)
-                               {
+                               CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
+                                                        NULL));
+
+                               if (structdnskey.algorithm ==
+                                   structcds.algorithm) {
                                        algorithms[structcds.algorithm] = found;
                                }
                        }
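Review bot: The new condition at `if (structdnskey.algorithm == structcds.algorithm)` accepts any published DNSKEY of the right algorithm, but the description says the key must also be signing the CDS RRset, and nothing in this hunk inspects an RRSIG over the CDS RRset; if that verification happens elsewhere in dns_zone_cdscheck the loop deserves a comment saying so, e.g. `/* Only the algorithm is compared here; signature coverage of the CDS RRset is checked separately. */`, and if it does not, the commit message overstates what this check enforces. A DNSKEY whose flags mark it revoked or not a zone key would presumably also satisfy the algorithm-only test, so consider filtering on `structdnskey.flags` before recording the algorithm as found if such keys are not meant to count. The surrounding loop and the function body start and end outside the hunk.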
@@ -21946,12 +21943,14 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
                             result = dns_rdataset_next(&dnskey))
                        {
                                dns_rdata_t rdata = DNS_RDATA_INIT;
+                               dns_rdata_dnskey_t structdnskey;
 
                                dns_rdataset_current(&dnskey, &rdata);
-                               if (crdata.length == rdata.length &&
-                                   memcmp(crdata.data, rdata.data,
-                                          rdata.length) == 0)
-                               {
+                               CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
+                                                        NULL));
+
+                               if (structdnskey.algorithm ==
+                                   structcdnskey.algorithm) {
                                        algorithms[structcdnskey.algorithm] =
                                                found;
                                }
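Review bot: The loop added here is a line-for-line copy of the CDS loop above (tostruct into `structdnskey`, compare `.algorithm`, record `found`), differing only in the struct it compares against; a small static helper such as `dnskey_has_algorithm(&dnskey, structcdnskey.algorithm)` that returns the isc_result_t of dns_rdata_tostruct would keep the two checks from drifting apart the next time the criteria change. Since the test no longer compares the CDNSKEY bytes against the DNSKEY, a comment at the `if` stating that a CDNSKEY is only required to share an algorithm with some published DNSKEY (the multisigner case from the description) would stop the next reader from assuming an exact match is still required. The enclosing function continues outside the hunk.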