UNLOCK(&zone->lock);
}
+bool
+dns_zone_israw(dns_zone_t *zone) {
+ bool israw;
+ REQUIRE(DNS_ZONE_VALID(zone));
+ LOCK(&zone->lock);
+ israw = zone->secure != NULL;
+ UNLOCK(&zone->lock);
+ return (israw);
+}
+
+bool
+dns_zone_issecure(dns_zone_t *zone) {
+ bool issecure;
+ REQUIRE(DNS_ZONE_VALID(zone));
+ LOCK(&zone->lock);
+ issecure = zone->raw != NULL;
+ UNLOCK(&zone->lock);
+ return (issecure);
+}
+
struct keydone {
bool all;
unsigned char data[5];
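Review bot: The two new accessors read crosswise, `dns_zone_israw()` testing `zone->secure` and `dns_zone_issecure()` testing `zone->raw`, and nothing in the added code says why, so a later reader may "correct" them into a bug. Assuming `secure` and `raw` point at the counterpart zone of an inline-signing pair, each function should get a header comment, e.g. `/* True if this zone is the raw (unsigned) half of an inline-signing pair, i.e. it has a secure counterpart. */`. The comment should also say that the result is a snapshot taken under `zone->lock` and may be stale once the lock is released, because callers base policy decisions on it.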
dns_ttl_t maxttl = 0;
uint32_t maxrecords;
uint64_t records;
+ bool is_inline, is_maintain, is_signing;
dns_diff_init(mctx, &diff);
dns_diff_init(mctx, &temp);
dns_zone_getssutable(zone, &ssutable);
options = dns_zone_getoptions(zone);
+ is_inline = (!dns_zone_israw(zone) && dns_zone_issecure(zone));
+ is_maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
+ is_signing = is_inline || (!is_inline && is_maintain);
+
/*
* Get old and new versions now that queryacl has been checked.
*/
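Review bot: `is_signing = is_inline || (!is_inline && is_maintain);` carries a redundant term; it is logically the same as `is_signing = is_inline || is_maintain;`, which is easier to audit for a flag that gates DNSSEC processing further down. `is_inline` is also built from two calls that each take and release `zone->lock` on their own, so the pair is not read atomically. If the raw/secure linkage can change while an update is in flight (not visible in this hunk), a single accessor reading both pointers under one lock would be safer. A short comment above the three assignments, such as `/* Only do DNSSEC record maintenance for zones this server signs. */`, would record the intent.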
goto failure;
}
}
- if (!ISC_LIST_EMPTY(diff.tuples)) {
+ if (!ISC_LIST_EMPTY(diff.tuples) && is_signing) {
result = dns_zone_cdscheck(zone, db, ver);
if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
update_log(client, zone, LOGLEVEL_PROTOCOL,
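Review bot: With `&& is_signing` added to this condition, an update to a zone that is neither inline-signed nor has `DNS_ZONEKEY_MAINTAIN` set no longer reaches `dns_zone_cdscheck()`, so CDS/CDNSKEY records in the update are committed without the check that yields `DNS_R_BADCDS`/`DNS_R_BADCDNSKEY`. If that is intended (presumably for zones signed elsewhere), it deserves a comment at the condition, e.g. `/* CDS/CDNSKEY are only checked against the zone's keys when this server signs the zone. */`, and a test covering such an update to a non-signing zone. Putting the cheap flag first, `if (is_signing && !ISC_LIST_EMPTY(diff.tuples)) {`, also reads more directly. The enclosing block continues past the end of the hunk.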
CHECK(rollback_private(db, privatetype, ver, &diff));
- CHECK(add_signing_records(db, privatetype, ver, &diff));
+ if (is_signing) {
+ CHECK(add_signing_records(db, privatetype, ver, &diff));
+ }
CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
- if (had_dnskey && !has_dnskey) {
+ if (is_signing && had_dnskey && !has_dnskey) {
/*
* We are transitioning from secure to insecure.
* Cause all NSEC3 chains to be deleted. When the