/*
* Ensure that zone keys are reloaded on reconfig
*/
- if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) {
+ if (dns_zone_getkasp(zone) != NULL) {
dns_zone_rekey(zone, fullsign);
}
isc_result_t result;
dns_zone_t *zone = NULL;
dns_zonetype_t type;
- uint16_t keyopts;
bool fullsign = false;
char *ptr;
return DNS_R_NOTPRIMARY;
}
- keyopts = dns_zone_getkeyopts(zone);
-
/*
* "rndc loadkeys" requires a "dnssec-policy".
*/
- if ((keyopts & DNS_ZONEKEY_ALLOW) == 0) {
- result = ISC_R_NOPERM;
- } else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign) {
+ if (dns_zone_getkasp(zone) == NULL) {
result = ISC_R_NOPERM;
} else {
dns_zone_rekey(zone, fullsign);
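Review bot: The comment above the new check only names "rndc loadkeys", but the same branch now also gates the `fullsign` path (the `bool fullsign` declared earlier in this function), so a zone without a dnssec-policy gets ISC_R_NOPERM for both commands where the old code let `fullsign` through with only DNS_ZONEKEY_ALLOW set. If `fullsign` is indeed the "rndc sign" indicator here, the comment should say so: `* "rndc loadkeys" and "rndc sign" both require a "dnssec-policy".` The enclosing function starts and ends outside the hunk.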
dns_zonetype_t zonetype;
bool dynamic = false, frozen = false;
bool hasraw = false;
- bool secure, maintain, allow;
+ bool secure, maintain;
dns_db_t *db = NULL, *rawdb = NULL;
char **incfiles = NULL;
int nfiles = 0;
/* Security */
secure = dns_db_issecure(db);
- allow = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_ALLOW) != 0);
- maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
+ maintain = (dns_zone_getkasp(zone) != NULL);
/* Master files */
file = dns_zone_getfile(mayberaw);
CHECK(putstr(text, "\nnext key event: "));
CHECK(putstr(text, kbuf));
}
- } else if (allow) {
- CHECK(putstr(text, "\nkey maintenance: on command"));
} else if (secure || hasraw) {
CHECK(putstr(text, "\nkey maintenance: none"));
}
DNS_ZONEOPT_AUTOEMPTY = 1 << 29, /*%< automatic empty zone */
DNS_ZONEOPT_CHECKSVCB = 1 << 30, /*%< check SVBC records */
DNS_ZONEOPT_ZONEVERSION = 1U << 31, /*%< enable zoneversion */
+ DNS_ZONEOPT_FULLSIGN = 1ULL << 32, /*%< fully sign zone */
DNS_ZONEOPT___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
} dns_zoneopt_t;
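Review bot: DNS_ZONEOPT_FULLSIGN is a transient runtime request (set under LOCK_ZONE when `fullsign` is true and cleared again once the full signing has been done, per the other hunks) yet it now lives in the same `options` word as the zone's configuration bits, and its one-line comment reads like a config option. Suggest `/*%< fully sign zone on next rekey; runtime flag set by "rndc sign", not a configuration option */` so nobody wires it to a config statement. It is also worth confirming that no code path rewrites the whole `options` word (for example on reconfigure); if one exists it would silently drop a pending full-sign request that the separate `keyopts` atomic previously kept apart.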
-/*
- * Zone key maintenance options
- */
-typedef enum {
- DNS_ZONEKEY_ALLOW = 0x00000001U, /*%< fetch keys on command */
- DNS_ZONEKEY_MAINTAIN = 0x00000002U, /*%< publish/sign on schedule */
- DNS_ZONEKEY_CREATE = 0x00000004U, /*%< make keys when needed */
- DNS_ZONEKEY_FULLSIGN = 0x00000008U, /*%< roll to new keys immediately */
- DNS_ZONEKEY___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
-} dns_zonekey_t;
-
/*
* Zone states
*/
*\li 'zone' to be a valid zone.
*/
-void
-dns_zone_setkeyopt(dns_zone_t *zone, unsigned int option, bool value);
-/*%<
- * Set key options on ('value' == true) or off ('value' ==
- * #false).
- *
- * Require:
- *\li 'zone' to be a valid zone.
- */
-
-unsigned int
-dns_zone_getkeyopts(dns_zone_t *zone);
-/*%<
- * Returns the current zone key options.
- *
- * Require:
- *\li 'zone' to be a valid zone.
- */
-
void
dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val);
/*%<
uint32_t nodes;
dns_rdatatype_t privatetype;
- /*%
- * Autosigning/key-maintenance options
- */
- atomic_uint_fast64_t keyopts;
-
/*%
* True if added by "rndc addzone"
*/
#define DNS_ZONE_SETOPTION(z, o) atomic_fetch_or(&(z)->options, (o))
#define DNS_ZONE_CLROPTION(z, o) atomic_fetch_and(&(z)->options, ~(o))
-#define DNS_ZONEKEY_OPTION(z, o) \
- ((atomic_load_relaxed(&(z)->keyopts) & (o)) != 0)
-#define DNS_ZONEKEY_SETOPTION(z, o) atomic_fetch_or(&(z)->keyopts, (o))
-#define DNS_ZONEKEY_CLROPTION(z, o) atomic_fetch_and(&(z)->keyopts, ~(o))
-
/* Flags for zone_load() */
typedef enum {
DNS_ZONELOADFLAG_NOSTAT = 0x00000001U, /* Do not stat() master files */
* have been made. If we do DNSSEC maintenance on this
* zone, schedule a full sign for this zone.
*/
- if (zone->type == dns_zone_primary &&
- DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
- {
- DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ if (zone->type == dns_zone_primary && zone->kasp != NULL) {
+ DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_FULLSIGN);
}
result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false);
}
/*
* Schedule DNSSEC key refresh.
*/
- if (zone->type == dns_zone_primary &&
- DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
- {
+ if (zone->type == dns_zone_primary && zone->kasp != NULL) {
zone->refreshkeytime = now;
}
dns_kasp_t *
dns_zone_getkasp(dns_zone_t *zone) {
- dns_kasp_t *kasp;
+ dns_kasp_t *kasp = NULL;
REQUIRE(DNS_ZONE_VALID(zone));
return atomic_load_relaxed(&zone->options);
}
-void
-dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, bool value) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- if (value) {
- DNS_ZONEKEY_SETOPTION(zone, keyopt);
- } else {
- DNS_ZONEKEY_CLROPTION(zone, keyopt);
- }
-}
-
-unsigned int
-dns_zone_getkeyopts(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return atomic_load_relaxed(&zone->keyopts);
-}
-
void
dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
REQUIRE(DNS_ZONE_VALID(zone));
* True when called from "rndc sign". Indicates the zone should be
* fully signed now.
*/
- fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ fullsign = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FULLSIGN);
if (offlineksk) {
/* Lookup the correct bundle in the SKR. */
* Clear fullsign flag, if it was set, so we don't do
* another full signing next time.
*/
- DNS_ZONEKEY_CLROPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_FULLSIGN);
/*
* Cause the zone to add/delete NSEC3 chains for the
dnssec_log(zone, ISC_LOG_DEBUG(3),
"next key event in %u seconds", nexttime_seconds);
dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
- }
- /*
- * If we're doing key maintenance, set the key refresh timer to
- * the next scheduled key event or to 'dnssec-loadkeys-interval'
- * seconds in the future, whichever is sooner.
- */
- else if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
- {
+ } else {
+ /*
+ * If we're doing key maintenance, set the key refresh timer to
+ * the next scheduled key event or to 'dnssec-loadkeys-interval'
+ * seconds in the future, whichever is sooner.
+ */
isc_time_t timethen;
isc_stdtime_t then;
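Review bot: The moved comment still says "If we're doing key maintenance", but the branch is now a plain `else`, so it runs for every zone that did not take the first branch regardless of whether it has a dnssec-policy. If the enclosing code already guarantees `zone->kasp != NULL` at this point (likely, but not visible in the hunk), reword the comment to `* We are doing key maintenance: set the key refresh timer to` so it no longer reads as a condition; otherwise the old behaviour needs `} else if (zone->kasp != NULL) {` to keep the refresh timer from being armed on zones without a policy. The enclosing function starts and ends outside the hunk.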
LOCK_ZONE(zone);
if (fullsign) {
- DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
+ DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_FULLSIGN);
}
now = isc_time_now();