If after a reconfig a zone is not reusable because inline-signing
was turned on/off, trigger a full resign. This is necessary because
otherwise the zone maintenance may decide to only apply the changes
in the journal, leaving the zone in an inconsistent DNSSEC state.
(cherry picked from commit
4d143f2cc46663e6a7935b3d650c361ed630e03a)
bool zone_is_catz = false;
bool zone_maybe_inline = false;
bool inline_signing = false;
+ bool fullsign = false;
options = NULL;
(void)cfg_map_get(config, "options", &options);
if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
dns_zone_detach(&zone);
+ fullsign = true;
}
if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) ||
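Review bot: `fullsign = true;` is set for every zone that fails named_zone_reusable(), not only when inline-signing was toggled as the commit message describes, and nothing at the assignment records why the broader condition is acceptable; a comment would keep a later reader from "narrowing" it and reintroducing the journal-only apply. Suggest `/* Zone is rebuilt from scratch: request a full resign so maintenance cannot apply only the journal and leave DNSSEC state inconsistent. */` above the assignment. The flag is consumed by the later dns_zone_rekey() call, and the enclosing function continues outside the hunk.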
* Ensure that zone keys are reloaded on reconfig
*/
if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) {
- dns_zone_rekey(zone, false);
+ dns_zone_rekey(zone, fullsign);
}
cleanup:
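Review bot: The full resign reaches `dns_zone_rekey(zone, fullsign);` only inside the DNS_ZONEKEY_MAINTAIN branch, so a zone that was not reusable but does not have key maintenance enabled takes the normal path with no forced resign; if that is intended because rekey has nothing to do without maintained keys, a one-line comment such as `/* fullsign only matters when named maintains the keys itself. */` would document it. The `zone` used here must be the re-created instance, since the earlier hunk detaches the old one, but that re-attachment is outside this view. The enclosing function starts and ends outside the hunk.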