If a zone is not reusable, trigger full sign

If after a reconfig a zone is not reusable because inline-signing
was turned on/off, trigger a full resign. This is necessary because
otherwise the zone maintenance may decide to only apply the changes
in the journal, leaving the zone in an inconsistent DNSSEC state.

(cherry picked from commit 4d143f2cc46663e6a7935b3d650c361ed630e03a)

diff --git a/bin/named/server.c b/bin/named/server.c
index 5f66233103ca33871c09bede4e8374673a242b63..7daa64f1b075e28fb71c504ae26926d981f3f9b3 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6501,6 +6501,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
        bool zone_is_catz = false;
        bool zone_maybe_inline = false;
        bool inline_signing = false;
+       bool fullsign = false;
 
        options = NULL;
        (void)cfg_map_get(config, "options", &options);
@@ -6769,6 +6770,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 
        if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
                dns_zone_detach(&zone);
+               fullsign = true;
        }
 
        if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) ||
@@ -6902,7 +6904,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
         * Ensure that zone keys are reloaded on reconfig
         */
        if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) {
-               dns_zone_rekey(zone, false);
+               dns_zone_rekey(zone, fullsign);
        }
 
 cleanup: