Ignore inline-signing by default

Ignore the option 'inline-signing' unless there is a 'dnssec-policy'
configured for the zone. Having inline signing enabled while the zone
is not DNSSEC signed does not make sense.

If there is a 'dnssec-policy' the 'inline-signing' zone-only option
can be used to override the value for the given zone.

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index fa34b4c7d4c62890a0e561dd0bafc883ad1be429..06982f9aeb160262d9a169b8011d61db54ec6ebe 100644 (file)
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -2014,13 +2014,7 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
        }
        maps[i] = NULL;
 
-       /* "inline-signing" is a zone-only clause, so look in maps[0] only. */
-       res = cfg_map_get(maps[0], "inline-signing", &signing);
-       if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
-               return (cfg_obj_asboolean(signing));
-       }
-
-       /* If inline-signing is not set, check the value in dnssec-policy. */
+       /* Check the value in dnssec-policy. */
        policy = NULL;
        res = named_config_get(maps, "dnssec-policy", &policy);
        /* If no dnssec-policy found, then zone is not using inline-signing. */
@@ -2039,5 +2033,15 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
        inline_signing = dns_kasp_inlinesigning(kasp);
        dns_kasp_detach(&kasp);
 
+       /*
+        * The zone option 'inline-signing' may override the value in
+        * dnssec-policy. This is a zone-only option, so look in maps[0]
+        * only.
+        */
+       res = cfg_map_get(maps[0], "inline-signing", &signing);
+       if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
+               return (cfg_obj_asboolean(signing));
+       }
+
        return (inline_signing);
 }