Commit d72ad7c5 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡
Browse files

Treat dnssec-policy "none" as a builtin zone

Configure "none" as a builtin policy. Change the 'cfg_kasp_fromconfig'
api so that the 'name' will determine what policy needs to be
configured.

When transitioning a zone from secure to insecure, there will be
cases when a zone with no DNSSEC policy (dnssec-policy none) should
be using KASP. When there are key state files available, this is an
indication that the zone once was DNSSEC signed but is reconfigured
to become insecure.

If we would not run the keymgr, named would abruptly remove the
DNSSEC records from the zone, making the zone bogus. Therefore,
change the code such that a zone will use kasp if there is a valid
dnssec-policy configured, or if there are state files available.
parent c393e22b
......@@ -269,8 +269,8 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
continue;
}
result = cfg_kasp_fromconfig(kconfig, mctx, lctx, &kasplist,
&kasp);
result = cfg_kasp_fromconfig(kconfig, NULL, mctx, lctx,
&kasplist, &kasp);
if (result != ISC_R_SUCCESS) {
fatal("failed to configure dnssec-policy '%s': %s",
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
......@@ -284,7 +284,7 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
*kaspp = kasp;
/*
* Same cleanup for kasp list.
* Cleanup kasp list.
*/
for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
kasp_next = ISC_LIST_NEXT(kasp, link);
......@@ -782,7 +782,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
}
/* Set dnssec-policy related metadata */
if (ctx->policy) {
if (ctx->policy != NULL) {
dst_key_setnum(key, DST_NUM_LIFETIME, ctx->lifetime);
dst_key_setbool(key, DST_BOOL_KSK, ctx->ksk);
dst_key_setbool(key, DST_BOOL_ZSK, ctx->zsk);
......
......@@ -8950,18 +8950,25 @@ load_configuration(const char *filename, named_server_t *server,
{
cfg_obj_t *kconfig = cfg_listelt_value(element);
kasp = NULL;
CHECK(cfg_kasp_fromconfig(kconfig, named_g_mctx, named_g_lctx,
&kasplist, &kasp));
CHECK(cfg_kasp_fromconfig(kconfig, NULL, named_g_mctx,
named_g_lctx, &kasplist, &kasp));
INSIST(kasp != NULL);
dns_kasp_freeze(kasp);
dns_kasp_detach(&kasp);
}
/*
* Create the default kasp.
* Create the built-in kasp policies ("default", "none").
*/
kasp = NULL;
CHECK(cfg_kasp_fromconfig(NULL, named_g_mctx, named_g_lctx, &kasplist,
&kasp));
CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx,
&kasplist, &kasp));
INSIST(kasp != NULL);
dns_kasp_freeze(kasp);
dns_kasp_detach(&kasp);
kasp = NULL;
CHECK(cfg_kasp_fromconfig(NULL, "none", named_g_mctx, named_g_lctx,
&kasplist, &kasp));
INSIST(kasp != NULL);
dns_kasp_freeze(kasp);
dns_kasp_detach(&kasp);
......@@ -14357,7 +14364,6 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
isc_buffer_t **text) {
isc_result_t result = ISC_R_SUCCESS;
dns_zone_t *zone = NULL;
dns_kasp_t *kasp = NULL;
dns_name_t *origin;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
......@@ -14476,8 +14482,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
CHECK(ISC_R_UNEXPECTEDEND);
}
kasp = dns_zone_getkasp(zone);
if (kasp != NULL) {
if (dns_zone_use_kasp(zone)) {
(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
"command instead");
(void)putnull(text);
......
......@@ -913,6 +913,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool check = false, fail = false;
bool warn = false, ignore = false;
bool ixfrdiff;
bool use_kasp = false;
dns_masterformat_t masterformat;
const dns_master_style_t *masterstyle = &dns_master_style_default;
isc_stats_t *zoneqrystats;
......@@ -1248,19 +1249,15 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
if (strcmp(kaspname, "none") != 0) {
result = dns_kasplist_find(kasplist, kaspname,
&kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not "
"found ",
kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
result = dns_kasplist_find(kasplist, kaspname, &kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
"'dnssec-policy '%s' not found ",
kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
use_kasp = dns_zone_use_kasp(zone);
}
obj = NULL;
......@@ -1561,7 +1558,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool allow = false, maint = false;
bool sigvalinsecs;
if (kasp != NULL) {
if (use_kasp) {
if (dns_kasp_nsec3(kasp)) {
result = dns_zone_setnsec3param(
zone, 1, dns_kasp_nsec3flags(kasp),
......@@ -1575,7 +1572,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS);
}
if (kasp != NULL) {
if (use_kasp) {
seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
......@@ -1586,7 +1583,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
}
dns_zone_setkeyvalidityinterval(zone, seconds);
if (kasp != NULL) {
if (use_kasp) {
seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
......@@ -1673,7 +1670,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (dns_zone_getkasp(zone) != NULL) {
if (kasp != NULL && strcmp(dns_kasp_getname(kasp), "none") != 0)
{
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
......@@ -1692,6 +1690,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
} else {
bool s2i = dns_zone_secure_to_insecure(zone, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, s2i);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, s2i);
}
}
......@@ -2139,11 +2142,15 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
bool
named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config) {
isc_result_t res;
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
const cfg_obj_t *signing = NULL;
bool inline_signing;
const cfg_obj_t *allowupdate = NULL;
const cfg_obj_t *updatepolicy = NULL;
bool zone_is_dynamic = false;
bool inline_signing = false;
(void)cfg_map_get(config, "options", &options);
......@@ -2155,6 +2162,38 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
ISC_R_SUCCESS &&
cfg_obj_asboolean(signing));
if (inline_signing) {
return (true);
}
if (cfg_map_get(zoptions, "update-policy", &updatepolicy) ==
ISC_R_SUCCESS) {
zone_is_dynamic = true;
} else {
res = cfg_map_get(zoptions, "allow-update", &allowupdate);
if (res != ISC_R_SUCCESS && voptions != NULL) {
res = cfg_map_get(voptions, "allow-update",
&allowupdate);
}
if (res != ISC_R_SUCCESS && options != NULL) {
res = cfg_map_get(options, "allow-update",
&allowupdate);
}
if (res == ISC_R_SUCCESS) {
dns_acl_t *acl = NULL;
cfg_aclconfctx_t *actx = NULL;
res = cfg_acl_fromconfig(
allowupdate, config, named_g_lctx, actx,
dns_zone_getmctx(zone), 0, &acl);
if (res == ISC_R_SUCCESS && acl != NULL &&
!dns_acl_isnone(acl)) {
zone_is_dynamic = true;
}
if (acl != NULL) {
dns_acl_detach(&acl);
}
}
}
/*
* If inline-signing is not set, perhaps implictly through a
......@@ -2164,51 +2203,24 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
* inline-signing.
*/
signing = NULL;
if (!inline_signing &&
if (!inline_signing && !zone_is_dynamic &&
cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS &&
signing != NULL && strcmp(cfg_obj_asstring(signing), "none") != 0)
signing != NULL)
{
{
isc_result_t res;
bool zone_is_dynamic = false;
const cfg_obj_t *au = NULL;
const cfg_obj_t *up = NULL;
if (cfg_map_get(zoptions, "update-policy", &up) ==
ISC_R_SUCCESS) {
zone_is_dynamic = true;
} else {
res = cfg_map_get(zoptions, "allow-update",
&au);
if (res != ISC_R_SUCCESS && voptions != NULL) {
res = cfg_map_get(voptions,
"allow-update", &au);
}
if (res != ISC_R_SUCCESS && options != NULL) {
res = cfg_map_get(options,
"allow-update", &au);
}
if (res == ISC_R_SUCCESS) {
dns_acl_t *acl = NULL;
cfg_aclconfctx_t *actx = NULL;
res = cfg_acl_fromconfig(
au, config, named_g_lctx, actx,
dns_zone_getmctx(zone), 0,
&acl);
if (res == ISC_R_SUCCESS &&
acl != NULL && !dns_acl_isnone(acl))
{
zone_is_dynamic = true;
}
if (acl != NULL) {
dns_acl_detach(&acl);
}
}
}
if (!zone_is_dynamic) {
inline_signing = true;
}
if (strcmp(cfg_obj_asstring(signing), "none") != 0) {
inline_signing = true;
dns_zone_log(
zone, ISC_LOG_DEBUG(1), "inline-signing: %s",
inline_signing
? "implicitly through dnssec-policy"
: "no");
} else {
inline_signing = dns_zone_secure_to_insecure(zone,
true);
dns_zone_log(
zone, ISC_LOG_DEBUG(1), "inline-signing: %s",
inline_signing ? "transitioning to insecure"
: "no");
}
}
......
......@@ -960,22 +960,18 @@ check_dnssecstatus() {
rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || log_error "rndc dnssec -status zone ${_zone} failed"
if [ "$_policy" = "none" ]; then
grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}"
else
grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for signed zone ${_zone}"
if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY1 ID) from dnssec status"
fi
if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY2 ID) from dnssec status"
fi
if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY3 ID) from dnssec status"
fi
if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY4 ID) from dnssec status"
fi
grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for signed zone ${_zone}"
if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY1 ID) from dnssec status"
fi
if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY2 ID) from dnssec status"
fi
if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY3 ID) from dnssec status"
fi
if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY4 ID) from dnssec status"
fi
test "$ret" -eq 0 || echo_i "failed"
......
......@@ -1015,9 +1015,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
continue;
}
ret = cfg_kasp_fromconfig(kconfig, mctx,
logctx, &list,
&kasp);
ret = cfg_kasp_fromconfig(kconfig, NULL,
mctx, logctx,
&list, &kasp);
if (ret != ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS) {
result = ret;
......
......@@ -694,6 +694,32 @@ dns_zone_getkasp(dns_zone_t *zone);
*\li 'zone' to be a valid zone.
*/
bool
dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig);
/*%<
* Returns true if the zone is transitioning to insecure.
* Only can happen if a zone previously used a dnssec-policy,
* but changed the value to "none" (or removed the configuration
* option). If 'reconfig' is true, only check the key files,
* because the zone structure is not yet updated with the
* newest configuration.
*
* Require:
*\li 'zone' to be a valid zone.
*/
bool
dns_zone_use_kasp(dns_zone_t *zone);
/*%<
* Check if zone needs to use kasp.
* True if there is a policy that is not "none",
* or if there are state files associated with the keys
* related to this zone.
*
* Require:
*\li 'zone' to be a valid zone.
*/
void
dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp);
/*%<
......
......@@ -1087,7 +1087,6 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
bool keyset_kskonly) {
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_kasp_t *kasp = dns_zone_getkasp(zone);
dns_rdataset_t rdataset;
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone);
......@@ -1095,11 +1094,13 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
unsigned char data[1024]; /* XXX */
unsigned int i, j;
bool added_sig = false;
bool use_kasp = false;
isc_mem_t *mctx = diff->mctx;
if (kasp != NULL) {
if (dns_zone_use_kasp(zone)) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
}
dns_rdataset_init(&rdataset);
......@@ -1174,7 +1175,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
}
}
if (kasp != NULL) {
if (use_kasp) {
/*
* A dnssec-policy is found. Check what RRsets this
* key should sign.
......
......@@ -1278,6 +1278,7 @@ dns_zone_rekey
dns_zone_replacedb
dns_zone_rpz_enable
dns_zone_rpz_enable_db
dns_zone_secure_to_insecure
dns_zone_set_parentcatz
dns_zone_setadded
dns_zone_setalsonotify
......@@ -1366,6 +1367,7 @@ dns_zone_setzeronosoattl
dns_zone_signwithkey
dns_zone_synckeyzone
dns_zone_unload
dns_zone_use_kasp
dns_zone_verifydb
dns_zonekey_iszonekey
dns_zonemgr_attach
......
......@@ -1830,7 +1830,7 @@ dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) {
}
 
/* Kasp zones are always dynamic. */
if (dns_zone_getkasp(zone) != NULL) {
if (dns_zone_use_kasp(zone)) {
return (true);
}
 
......@@ -5826,6 +5826,82 @@ dns_zone_getkasp(dns_zone_t *zone) {
return (zone->kasp);
}
 
static bool
statefile_exist(dns_zone_t *zone) {
isc_result_t ret;
dns_dnsseckeylist_t keys;
dns_dnsseckey_t *key = NULL;
isc_stdtime_t now;
isc_time_t timenow;
bool found = false;
TIME_NOW(&timenow);
now = isc_time_seconds(&timenow);
ISC_LIST_INIT(keys);
ret = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone),
dns_zone_getkeydirectory(zone), now,
dns_zone_getmctx(zone), &keys);
if (ret == ISC_R_SUCCESS) {
for (key = ISC_LIST_HEAD(keys); key != NULL;
key = ISC_LIST_NEXT(key, link)) {
if (dst_key_haskasp(key->key)) {
found = true;
break;
}
}
}
/* Clean up keys */
while (!ISC_LIST_EMPTY(keys)) {
key = ISC_LIST_HEAD(keys);
ISC_LIST_UNLINK(keys, key, link);
dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
}
return (found);
}
bool
dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig) {
REQUIRE(DNS_ZONE_VALID(zone));
/*
* If checking during reconfig, the zone is not yet updated
* with the new kasp configuration, so only check the key
* files.
*/
if (reconfig) {
return (statefile_exist(zone));
}
if (zone->kasp == NULL) {
return (false);
}
if (strcmp(dns_kasp_getname(zone->kasp), "none") != 0) {
return (false);
}
/*
* "dnssec-policy none", but if there are key state files
* this zone used to be secure but is transitioning back to
* insecure.
*/
return (statefile_exist(zone));
}
bool
dns_zone_use_kasp(dns_zone_t *zone) {
dns_kasp_t *kasp = dns_zone_getkasp(zone);
if (kasp == NULL) {
return (false);
} else if (strcmp(dns_kasp_getname(kasp), "none") != 0) {
return (true);
}
return dns_zone_secure_to_insecure(zone, false);
}
void
dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
REQUIRE(DNS_ZONE_VALID(zone));
......@@ -6777,17 +6853,18 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly) {
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_kasp_t *kasp = dns_zone_getkasp(zone);
dns_stats_t *dnssecsignstats;
dns_rdataset_t rdataset;
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
unsigned char data[1024]; /* XXX */
isc_buffer_t buffer;
unsigned int i, j;
bool use_kasp = false;
 
if (kasp != NULL) {
if (dns_zone_use_kasp(zone)) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
}
 
dns_rdataset_init(&rdataset);
......@@ -6865,8 +6942,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
}
}
}
if (kasp != NULL) {
if (use_kasp) {
/*
* A dnssec-policy is found. Check what RRsets this
* key should sign.
......@@ -7301,7 +7377,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
dns_rdata_reset(&rdata);
}
 
if (kasp) {
if (dns_zone_use_kasp(zone)) {
dns_kasp_key_t *kkey;
int zsk_count = 0;
bool approved;
......@@ -7418,7 +7494,6 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
bool is_zsk, bool keyset_kskonly, bool is_bottom_of_zone,
dns_diff_t *diff, int32_t *signatures, isc_mem_t *mctx) {
isc_result_t result;
dns_kasp_t *kasp = dns_zone_getkasp(zone);
dns_rdatasetiter_t *iterator = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
......@@ -7514,7 +7589,7 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
} else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
inception, &when)) {
/* Only applies to dnssec-policy. */
if (kasp != NULL) {
if (dns_zone_use_kasp(zone)) {
goto next_rdataset;
}
}
......@@ -9158,6 +9233,7 @@ zone_sign(dns_zone_t *zone) {
bool is_bottom_of_zone;
bool build_nsec = false;
bool build_nsec3 = false;
bool use_kasp = false;
bool first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
......@@ -9214,7 +9290,6 @@ zone_sign(dns_zone_t *zone) {
}
 
kasp = dns_zone_getkasp(zone);
sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + sigvalidityinterval;
......@@ -9251,16 +9326,20 @@ zone_sign(dns_zone_t *zone) {
signing = ISC_LIST_HEAD(zone->signing);
first = true;
 
check_ksk = (kasp != NULL)
? false
: DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
keyset_kskonly = (kasp != NULL)
? true
: DNS_ZONE_OPTION(zone,
DNS_ZONEOPT_DNSKEYKSKONLY);
if (dns_zone_use_kasp(zone)) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
} else {
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
keyset_kskonly = DNS_ZONE_OPTION(zone,
DNS_ZONEOPT_DNSKEYKSKONLY);
}
dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s",
use_kasp ? "yes" : "no");
 
/* Determine which type of chain to build */
if (kasp != NULL) {
if (use_kasp) {
build_nsec3 = dns_kasp_nsec3(kasp);
build_nsec = !build_nsec3;
} else {
......@@ -9445,7 +9524,7 @@ zone_sign(dns_zone_t *zone) {
}
}
}
if (kasp != NULL) {
if (use_kasp) {
/*
* A dnssec-policy is found. Check what
* RRsets this key can sign.
......@@ -16454,7 +16533,7 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
* Allow DNSSEC records with dnssec-policy.
* WMM: Perhaps add config option for it.
*/
if (dns_zone_getkasp(zone) == NULL) {
if (!dns_zone_use_kasp(zone)) {
dns_rdataset_disassociate(&rdataset);
continue;
}
......@@ -19739,7 +19818,7 @@ zone_rekey(dns_zone_t *zone) {
dns__zonediff_t zonediff;
bool commit = false, newactive = false;
bool newalg = false;
bool fullsign;
bool fullsign, use_kasp;
dns_ttl_t ttl = 3600;
const char *dir = NULL;
isc_mem_t *mctx = NULL;
......@@ -19810,9 +19889,10 @@ zone_rekey(dns_zone_t *zone) {
* True when called from "rndc sign". Indicates the zone should be