Commit 311918e5 authored by Brian Wellington

Don't allow dynamic updates of SIG records, since it either leaves the
database in an inconsistent state or fails when it shouldn't.  This will be
supported at some point, but it's better to flat out refuse than fail badly.
parent 7cd4c3dd
......@@ -2069,10 +2069,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
* "Unlike traditional dynamic update, the client
* is forbidden from updating NXT records."
*/
if (dns_db_issecure(db) && rdata.type == dns_rdatatype_nxt) {
FAILC(DNS_R_REFUSED,
"explicit NXT updates are not allowed "
"in secure zones");
if (dns_db_issecure(db)) {
if (rdata.type == dns_rdatatype_nxt) {
FAILC(DNS_R_REFUSED,
"explicit NXT updates are not allowed "
"in secure zones");
}
else if (rdata.type == dns_rdatatype_sig) {
FAILC(DNS_R_REFUSED,
"explicit SIG updates are currently not "
"supported in secure zones");
}
}
if (ssutable != NULL && client->signer != NULL) {
......
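Review bot: The new `else if (rdata.type == dns_rdatatype_sig)` branch has no comment of its own, and the block comment above the check quotes only the rule that forbids NXT updates, so a reader could take the SIG refusal for a protocol requirement as well. The failure text says SIG updates are "currently not supported", so add a short comment on that branch stating that this is a temporary restriction and why (per the commit message, a direct SIG update either leaves the database in an inconsistent state or fails when it shouldn't), so the check gets revisited when support is added. Minor style point: writing `} else if (...) {` on one line would make the two type checks read as a single chain.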