-
Matthijs Mekking authored
Configure "none" as a builtin policy. Change the 'cfg_kasp_fromconfig' api so that the 'name' will determine what policy needs to be configured. When transitioning a zone from secure to insecure, there will be cases when a zone with no DNSSEC policy (dnssec-policy none) should be using KASP. When there are key state files available, this is an indication that the zone once was DNSSEC signed but is reconfigured to become insecure. If we would not run the keymgr, named would abruptly remove the DNSSEC records from the zone, making the zone bogus. Therefore, change the code such that a zone will use kasp if there is a valid dnssec-policy configured, or if there are state files available. (cherry picked from commit cf420b2a)
cf0439cd