Don't resign raw version of the zone

Update the function 'set_resigntime()' so that raw versions of
inline-signing zones are not scheduled to be resigned.

Also update the check in the same function for zone is dynamic, there
exists a function 'dns_zone_isdynamic()' that does a similar thing
and is more complete.

Also in 'zone_postload()' check whether the zone is not the raw
version of an inline-signing zone, preventing calculating the next
resign time.

(cherry picked from commit 741ce2d07a7637391c729e108080529accfc834f)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 4428e3d0007eac1500860870f6ab7e617b589a2f..a9bcea5105c7e6f40de9960d1438876eb565173d 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3971,15 +3971,11 @@ set_resigntime(dns_zone_t *zone) {
        INSIST(LOCKED_ZONE(zone));
 
        /* We only re-sign zones that can be dynamically updated */
-       if (zone->update_disabled) {
+       if (!dns_zone_isdynamic(zone, false)) {
                return;
        }
 
-       if (!inline_secure(zone) &&
-           (zone->type != dns_zone_primary ||
-            (zone->ssutable == NULL &&
-             (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
-       {
+       if (inline_raw(zone)) {
                return;
        }
 
@@ -5330,7 +5326,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
                is_dynamic = dns_zone_isdynamic(zone, false);
                if (zone->type == dns_zone_primary &&
                    !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
-                   is_dynamic && dns_db_issecure(db))
+                   is_dynamic && dns_db_issecure(db) && !inline_raw(zone))
                {
                        dns_name_t *name;
                        dns_fixedname_t fixed;