3147. [func] Initial inline signing support. [RT #23657]

9198ab37 · Mark Andrews · 88070800 · 9198ab37 · 9198ab37 · 9198ab37
Commit 9198ab37 authored Aug 30, 2011 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+3147.	[func]		Initial inline signing support.  [RT #23657]
+
 	--- 9.9.0a1 released ---

 3146.   [test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]

--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.c,v 1.119 2011/07/01 02:25:47 marka Exp $ */
+/* $Id: config.c,v 1.120 2011/08/30 05:16:10 marka Exp $ */

 /*! \file */

@@ -199,6 +199,7 @@ options {\n\
 	sig-signing-nodes 100;\n\
 	sig-signing-signatures 10;\n\
 	sig-signing-type 65534;\n\
+	inline-signing no;\n\
 	zone-statistics false;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\
@@ -294,7 +295,8 @@ ns_checknames_get(const cfg_obj_t **maps, const char *which,
 		if (maps[i] == NULL)
 			return (ISC_R_NOTFOUND);
 		checknames = NULL;
-		if (cfg_map_get(maps[i], "check-names", &checknames) == ISC_R_SUCCESS) {
+		if (cfg_map_get(maps[i], "check-names",
+			        &checknames) == ISC_R_SUCCESS) {
 			/*
 			 * Zone map entry is not a list.
 			 */
@@ -307,7 +309,8 @@ ns_checknames_get(const cfg_obj_t **maps, const char *which,
 			     element = cfg_list_next(element)) {
 				value = cfg_listelt_value(element);
 				type = cfg_tuple_get(value, "type");
-				if (strcasecmp(cfg_obj_asstring(type), which) == 0) {
+				if (strcasecmp(cfg_obj_asstring(type),
+					       which) == 0) {
 					*obj = cfg_tuple_get(value, "mode");
 					return (ISC_R_SUCCESS);
 				}

--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zoneconf.h,v 1.28 2010/12/20 23:47:20 tbox Exp $ */
+/* $Id: zoneconf.h,v 1.29 2011/08/30 05:16:11 marka Exp $ */

 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
@@ -33,7 +33,7 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
-		  dns_zone_t *zone);
+		  dns_zone_t *zone, dns_zone_t *raw);
 /*%<
 * Configure or reconfigure a zone according to the named.conf
 * data in 'cctx' and 'czone'.

--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.616 2011/08/02 20:36:11 each Exp $ */
+/* $Id: server.c,v 1.617 2011/08/30 05:16:10 marka Exp $ */

 /*! \file */

@@ -3225,6 +3225,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 {
 	dns_view_t *pview = NULL;	/* Production view */
 	dns_zone_t *zone = NULL;	/* New or reused zone */
+	dns_zone_t *raw = NULL;		/* New or reused raw zone */
 	dns_zone_t *dupzone = NULL;
 	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *zoptions = NULL;
@@ -3232,6 +3233,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	const cfg_obj_t *forwarders = NULL;
 	const cfg_obj_t *forwardtype = NULL;
 	const cfg_obj_t *only = NULL;
+	const cfg_obj_t *signing = NULL;
 	isc_result_t result;
 	isc_result_t tresult;
 	isc_buffer_t buffer;
@@ -3378,7 +3380,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 			dns_zone_setstats(zone, ns_g_server->zonestats);
 		}
 		CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf,
-					zone));
+					zone, NULL));
 		dns_zone_attach(zone, &view->redirect);
 		goto cleanup;
 	}
@@ -3469,10 +3471,30 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	 */
 	dns_zone_setadded(zone, added);

+	signing = NULL;
+	if ((strcasecmp(ztypestr, "master") == 0 ||
+	     strcasecmp(ztypestr, "slave") == 0) &&
+	    cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS &&
+	    cfg_obj_asboolean(signing))
+	{
+		dns_zone_getraw(zone, &raw);
+		if (raw == NULL) {
+			CHECK(dns_zone_create(&raw, mctx));
+			CHECK(dns_zone_setorigin(raw, origin));
+			dns_zone_setview(raw, view);
+			if (view->acache != NULL)
+				dns_zone_setacache(raw, view->acache);
+			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
+						 raw));
+			dns_zone_setstats(raw, ns_g_server->zonestats);
+			dns_zone_link(zone, raw);
+		}
+	}
+
 	/*
 	 * Configure the zone.
 	 */
-	CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
+	CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone, raw));

 	/*
 	 * Add the zone to its view in the new view list.
@@ -3482,6 +3504,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 cleanup:
 	if (zone != NULL)
 		dns_zone_detach(&zone);
+	if (raw != NULL)
+		dns_zone_detach(&raw);
 	if (pview != NULL)
 		dns_view_detach(&pview);


--- a/bin/named/update.c
+++ b/bin/named/update.c
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zoneconf.c,v 1.178 2011/07/01 02:25:47 marka Exp $ */
+/* $Id: zoneconf.c,v 1.179 2011/08/30 05:16:11 marka Exp $ */

 /*% */

@@ -786,7 +786,7 @@ checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
 isc_result_t
 ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
-		  dns_zone_t *zone)
+		  dns_zone_t *zone, dns_zone_t *raw)
 {
 	isc_result_t result;
 	const char *zname;
@@ -820,6 +820,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_stats_t *zoneqrystats;
 	isc_boolean_t zonestats_on;
 	int seconds;
+	dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;

 	i = 0;
 	if (zconfig != NULL) {
@@ -851,9 +852,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	RETERR(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
 				  vclass, &zclass));
 	dns_zone_setclass(zone, zclass);
+	if (raw != NULL)
+		dns_zone_setclass(raw, zclass);

 	ztype = zonetype_fromconfig(zoptions);
-	dns_zone_settype(zone, ztype);
+	if (raw != NULL) {
+		dns_zone_settype(raw, ztype);
+		dns_zone_settype(zone, dns_zone_master);
+	} else
+		dns_zone_settype(zone, ztype);
+	

 	obj = NULL;
 	result = cfg_map_get(zoptions, "database", &obj);
@@ -914,18 +922,40 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		else
 			INSIST(0);
 	}
-	RETERR(dns_zone_setfile2(zone, filename, masterformat));
+
+	if (raw != NULL) {
+#define SIGNED ".signed"
+		size_t signedlen = strlen(filename) + sizeof(SIGNED);
+		char *signedname;
+
+		RETERR(dns_zone_setfile2(raw, filename, masterformat));
+		signedname = isc_mem_get(mctx, signedlen);
+		if (signedname == NULL)
+			return (ISC_R_NOMEMORY);
+
+		(void)snprintf(signedname, signedlen, "%s" SIGNED, filename);
+		result = dns_zone_setfile2(zone, signedname,
+					   dns_masterformat_raw);
+		isc_mem_put(mctx, signedname, signedlen);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else
+		RETERR(dns_zone_setfile2(zone, filename, masterformat));

 	obj = NULL;
 	result = cfg_map_get(zoptions, "journal", &obj);
 	if (result == ISC_R_SUCCESS)
-		RETERR(dns_zone_setjournal(zone, cfg_obj_asstring(obj)));
+		RETERR(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj)));

+	/*
+	 * Notify messages are processed by the raw zone if it exists.
+	 */
 	if (ztype == dns_zone_slave)
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  allow_notify, ac, zone,
+					  allow_notify, ac, mayberaw,
 					  dns_zone_setnotifyacl,
 					  dns_zone_clearnotifyacl));
+
 	/*
 	 * XXXAG This probably does not make sense for stubs.
 	 */
@@ -955,6 +985,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		else
 			INSIST(0);
 	}
+	if (raw != NULL)
+		dns_zone_setdialup(raw, dialup);
 	dns_zone_setdialup(zone, dialup);

 	obj = NULL;
@@ -994,6 +1026,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			else
 				INSIST(0);
 		}
+		if (raw != NULL)
+			dns_zone_setnotifytype(raw, dns_notifytype_no);
 		dns_zone_setnotifytype(zone, notifytype);

 		obj = NULL;
@@ -1052,6 +1086,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "max-journal-size", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (raw != NULL)
+			dns_zone_setjournalsize(raw, -1);
 		dns_zone_setjournalsize(zone, -1);
 		if (cfg_obj_isstring(obj)) {
 			const char *str = cfg_obj_asstring(obj);
@@ -1071,6 +1107,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			}
 			journal_size = (isc_uint32_t)value;
 		}
+		if (raw != NULL)
+			dns_zone_setjournalsize(raw, journal_size);
 		dns_zone_setjournalsize(zone, journal_size);

 		obj = NULL;
@@ -1086,7 +1124,14 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			ixfrdiff = ISC_TRUE;
 		else
 			ixfrdiff = ISC_FALSE;
-		dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff);
+		if (raw != NULL) {
+			dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS,
+					   ISC_TRUE);
+			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+					   ISC_FALSE);
+		} else
+			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+					   ixfrdiff);

 		checknames(ztype, maps, &obj);
 		INSIST(obj != NULL);
@@ -1099,8 +1144,21 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			fail = check = ISC_FALSE;
 		} else
 			INSIST(0);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
+		if (raw != NULL) {
+			dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMES,
+					   check);
+			dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMESFAIL,
+					   fail);
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES,
+					   ISC_FALSE);
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
+					   ISC_FALSE);
+		} else {
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES,
+					   check);
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
+					   fail);
+		}

 		obj = NULL;
 		result = ns_config_get(maps, "notify-delay", &obj);
@@ -1159,11 +1217,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		dns_acl_t *updateacl;

 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  allow_update, ac, zone,
+					  allow_update, ac, mayberaw,
 					  dns_zone_setupdateacl,
 					  dns_zone_clearupdateacl));

-		updateacl = dns_zone_getupdateacl(zone);
+		updateacl = dns_zone_getupdateacl(mayberaw);
 		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
 			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
 				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
@@ -1171,7 +1229,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				      "address, which is insecure",
 				      zname);

-		RETERR(configure_zone_ssutable(zoptions, zone, zname));
+		RETERR(configure_zone_ssutable(zoptions, mayberaw, zname));
+	}
+
+	if (ztype == dns_zone_master || raw != NULL) {
+		isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
+		isc_boolean_t create = ISC_FALSE;

 		obj = NULL;
 		result = ns_config_get(maps, "sig-validity-interval", &obj);
@@ -1236,10 +1299,28 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
 		RETERR(dns_zone_setrefreshkeyinterval(zone,
 						      cfg_obj_asuint32(obj)));
-	} else if (ztype == dns_zone_slave) {
+
+		obj = NULL;
+		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
+		if (result == ISC_R_SUCCESS) {
+			const char *arg = cfg_obj_asstring(obj);
+			if (strcasecmp(arg, "allow") == 0)
+				allow = ISC_TRUE;
+			else if (strcasecmp(arg, "maintain") == 0)
+				allow = maint = ISC_TRUE;
+			else if (strcasecmp(arg, "off") == 0)
+				;
+			else
+				INSIST(0);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
+		}
+	} 
+
+	if (ztype == dns_zone_slave) {
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  allow_update_forwarding, ac, zone,
-					  dns_zone_setforwardacl,
+					  allow_update_forwarding, ac,
+					  mayberaw, dns_zone_setforwardacl,
 					  dns_zone_clearforwardacl));
 	}

@@ -1255,7 +1336,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			check = cfg_obj_asboolean(obj);
 		else
 			check = ISC_FALSE;
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKWILDCARD, check);

 		obj = NULL;
 		result = ns_config_get(maps, "check-dup-records", &obj);
@@ -1269,8 +1350,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			fail = check = ISC_FALSE;
 		} else
 			INSIST(0);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKDUPRR, check);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRR, check);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);

 		obj = NULL;
 		result = ns_config_get(maps, "check-mx", &obj);
@@ -1284,13 +1365,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			fail = check = ISC_FALSE;
 		} else
 			INSIST(0);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMX, check);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMX, check);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMXFAIL, fail);

 		obj = NULL;
 		result = ns_config_get(maps, "check-integrity", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY,
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY,
 				   cfg_obj_asboolean(obj));

 		obj = NULL;
@@ -1305,8 +1386,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			warn = ignore = ISC_TRUE;
 		} else
 			INSIST(0);
-		dns_zone_setoption(zone, DNS_ZONEOPT_WARNMXCNAME, warn);
-		dns_zone_setoption(zone, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNMXCNAME, warn);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNOREMXCNAME, ignore);

 		obj = NULL;
 		result = ns_config_get(maps, "check-srv-cname", &obj);
@@ -1320,31 +1401,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			warn = ignore = ISC_TRUE;
 		} else
 			INSIST(0);
-		dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
-		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNSRVCNAME, warn);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
+				   ignore);

 		obj = NULL;
 		result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_SECURETOINSECURE,
 				   cfg_obj_asboolean(obj));

-		obj = NULL;
-		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
-		if (result == ISC_R_SUCCESS) {
-			const char *arg = cfg_obj_asstring(obj);
-			if (strcasecmp(arg, "allow") == 0)
-				allow = ISC_TRUE;
-			else if (strcasecmp(arg, "maintain") == 0)
-				allow = maint = ISC_TRUE;
-			else if (strcasecmp(arg, "off") == 0)
-				;
-			else
-				INSIST(0);
-			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
-			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
-		}
-
 		obj = NULL;
 		result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
 		if (result == ISC_R_SUCCESS) {
@@ -1385,12 +1451,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			RETERR(ns_config_getipandkeylist(config, obj, mctx,
 							 &addrs, &keynames,
 							 &count));
-			result = dns_zone_setmasterswithkeys(zone, addrs,
+			result = dns_zone_setmasterswithkeys(mayberaw, addrs,
 							     keynames, count);
 			ns_config_putipandkeylist(mctx, &addrs, &keynames,
 						  count);
-		} else
-			result = dns_zone_setmasters(zone, NULL, 0);
+		} else 
+			result = dns_zone_setmasters(mayberaw, NULL, 0);
 		RETERR(result);

 		multi = ISC_FALSE;
@@ -1400,59 +1466,63 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(result == ISC_R_SUCCESS && obj != NULL);
 			multi = cfg_obj_asboolean(obj);
 		}
-		dns_zone_setoption(zone, DNS_ZONEOPT_MULTIMASTER, multi);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi);

 		obj = NULL;
 		result = ns_config_get(maps, "max-transfer-time-in", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setmaxxfrin(zone, cfg_obj_asuint32(obj) * 60);
+		dns_zone_setmaxxfrin(mayberaw, cfg_obj_asuint32(obj) * 60);

 		obj = NULL;
 		result = ns_config_get(maps, "max-transfer-idle-in", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setidlein(zone, cfg_obj_asuint32(obj) * 60);
+		dns_zone_setidlein(mayberaw, cfg_obj_asuint32(obj) * 60);

 		obj = NULL;
 		result = ns_config_get(maps, "max-refresh-time", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setmaxrefreshtime(zone, cfg_obj_asuint32(obj));
+		dns_zone_setmaxrefreshtime(mayberaw, cfg_obj_asuint32(obj));

 		obj = NULL;
 		result = ns_config_get(maps, "min-refresh-time", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setminrefreshtime(zone, cfg_obj_asuint32(obj));
+		dns_zone_setminrefreshtime(mayberaw, cfg_obj_asuint32(obj));

 		obj = NULL;
 		result = ns_config_get(maps, "max-retry-time", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setmaxretrytime(zone, cfg_obj_asuint32(obj));
+		dns_zone_setmaxretrytime(mayberaw, cfg_obj_asuint32(obj));

 		obj = NULL;
 		result = ns_config_get(maps, "min-retry-time", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setminretrytime(zone, cfg_obj_asuint32(obj));
+		dns_zone_setminretrytime(mayberaw, cfg_obj_asuint32(obj));

 		obj = NULL;
 		result = ns_config_get(maps, "transfer-source", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj)));
+		RETERR(dns_zone_setxfrsource4(mayberaw,
+					      cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));

 		obj = NULL;
 		result = ns_config_get(maps, "transfer-source-v6", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj)));
+		RETERR(dns_zone_setxfrsource6(mayberaw,
+					      cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));

 		obj = NULL;
 		result = ns_config_get(maps, "alt-transfer-source", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setaltxfrsource4(zone, cfg_obj_assockaddr(obj)));
+		RETERR(dns_zone_setaltxfrsource4(mayberaw,
+					         cfg_obj_assockaddr(obj)));

 		obj = NULL;
 		result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setaltxfrsource6(zone, cfg_obj_assockaddr(obj)));
+		RETERR(dns_zone_setaltxfrsource6(mayberaw,
+					         cfg_obj_assockaddr(obj)));

 		obj = NULL;
 		(void)ns_config_get(maps, "use-alt-transfer-source", &obj);
@@ -1468,11 +1538,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				alt = ISC_FALSE;
 		} else
 			alt = cfg_obj_asboolean(obj);
-		dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_USEALTXFRSRC, alt);

 		obj = NULL;
 		(void)ns_config_get(maps, "try-tcp-refresh", &obj);
-		dns_zone_setoption(zone, DNS_ZONEOPT_TRYTCPREFRESH,
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_TRYTCPREFRESH,
 				   cfg_obj_asboolean(obj));
 		break;

@@ -1540,7 +1610,18 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 	if (!((cfilename == NULL && zfilename == NULL) ||
 	      (cfilename != NULL && zfilename != NULL &&
 	       strcmp(cfilename, zfilename) == 0)))
-	    return (ISC_FALSE);
+		return (ISC_FALSE);
+
+	obj = NULL;
+        (void)cfg_map_get(zoptions, "signing", &obj);
+	if (obj == NULL || !cfg_obj_asboolean(obj)) {
+		dns_zone_t *raw = NULL;
+		dns_zone_getraw(zone, &raw);
+		if (raw != NULL) {
+			dns_zone_detach(&raw);
+			return (ISC_FALSE);
+		}
+	}

 	return (ISC_TRUE);
 }
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: conf.sh.in,v 1.68 2011/08/09 02:24:28 marka Exp $
+# $Id: conf.sh.in,v 1.69 2011/08/30 05:16:11 marka Exp $

 #
 # Common configuration data for system tests, to be sourced into
@@ -54,7 +54,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
 # v6synth
 SUBDIRS="acl allow_query addzone autosign builtin cacheclean checkconf
 	 checknames checkzone database dlv dlvauto dlz dlzexternal
-         dname dns64 dnssec forward glue gost ixfr limits
+         dname dns64 dnssec forward glue gost ixfr inline limits
 	 logfileconfig lwresd masterfile masterformat metadata notify
 	 nsupdate pending pkcs11 redirect resolver rndc rpz rrsetorder
 	 sortlist smartsign staticstub stub tkey tsig tsiggss unknown

--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
+rm -f */named.memstats
+rm -f */named.run
+rm -f */trusted.conf
+rm -f ns2/bits.db
+rm -f ns3/K*
+rm -f ns3/bits.bk
+rm -f ns3/bits.bk.jnl
+rm -f ns3/bits.bk.signed
+rm -f ns3/bits.bk.signed.jnl
+rm -f ns4/noixfr.db
+rm -f random.data
--- a/bin/tests/system/inline/ns1/named.conf
+++ b/bin/tests/system/inline/ns1/named.conf
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.1 2011/08/30 05:16:13 marka Exp $ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;