From b3301da262584b12b58941abd2bf104c2ea42c6d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 26 Feb 2021 10:00:09 +1100 Subject: [PATCH 1/4] inline-signing should have been in zone_only_clauses --- bin/named/config.c | 2 +- bin/named/named.conf.rst | 2 -- doc/man/named.conf.5in | 2 -- doc/misc/options | 2 -- doc/misc/options.active | 2 -- doc/misc/options.grammar.rst | 1 - lib/isccfg/namedconf.c | 4 ++-- 7 files changed, 3 insertions(+), 12 deletions(-) diff --git a/bin/named/config.c b/bin/named/config.c index b11e0c9df6..3e23ed0a7b 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -225,7 +225,7 @@ options {\n\ dnssec-update-mode maintain;\n\ # forward \n\ # forwarders \n\ - inline-signing no;\n\ +# inline-signing no;\n\ ixfr-from-differences false;\n\ # maintain-ixfr-base ;\n\ # max-ixfr-log-size \n\ diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index 87a8d12cd8..bb4003ac1c 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -276,7 +276,6 @@ OPTIONS hostname ( quoted_string | none ); http-port integer; https-port integer; - inline-signing boolean; interface-interval duration; ipv4only-contact string; ipv4only-enable boolean; @@ -666,7 +665,6 @@ VIEW forwarders [ port integer ] [ dscp integer ] { ( ipv4_address | ipv6_address ) [ port integer ] [ dscp integer ]; ... }; glue-cache boolean;// deprecated - inline-signing boolean; ipv4only-contact string; ipv4only-enable boolean; ipv4only-server string; diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index 41a3a112d9..35872a5ad1 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -343,7 +343,6 @@ options { hostname ( quoted_string | none ); http\-port integer; https\-port integer; - inline\-signing boolean; interface\-interval duration; ipv4only\-contact string; ipv4only\-enable boolean; 
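Review bot: In the `bin/named/config.c` hunk, commenting out `inline-signing no;` removes what appears to be the only built-in default for this option. The effective default must now come from whichever code reads a zone's `inline-signing` value, and that reader is not part of this series. If it still falls back to the built-in options it will find nothing, so confirm that a zone without the clause is treated as `no` rather than producing an unexpected not-found result. The commented line would also be clearer if it said why it is disabled, for example `# inline-signing no; zone-only, not valid in options\n\`. The enclosing defaults string starts and ends outside the hunk.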
@@ -765,7 +764,6 @@ view string [ class ] { forwarders [ port integer ] [ dscp integer ] { ( ipv4_address | ipv6_address ) [ port integer ] [ dscp integer ]; ... }; glue\-cache boolean;// deprecated - inline\-signing boolean; ipv4only\-contact string; ipv4only\-enable boolean; ipv4only\-server string; diff --git a/doc/misc/options b/doc/misc/options index a297bf9e00..6a035d686e 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -200,7 +200,6 @@ options { hostname ( | none ); http-port ; https-port ; - inline-signing ; interface-interval ; ipv4only-contact ; ipv4only-enable ; @@ -550,7 +549,6 @@ view [ ] { forwarders [ port ] [ dscp ] { ( | ) [ port ] [ dscp ]; ... }; glue-cache ; // deprecated - inline-signing ; ipv4only-contact ; ipv4only-enable ; ipv4only-server ; diff --git a/doc/misc/options.active b/doc/misc/options.active index c103a5e4b8..c8c56ea427 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -199,7 +199,6 @@ options { hostname ( | none ); http-port ; https-port ; - inline-signing ; interface-interval ; ipv4only-contact ; ipv4only-enable ; @@ -547,7 +546,6 @@ view [ ] { forwarders [ port ] [ dscp ] { ( | ) [ port ] [ dscp ]; ... }; glue-cache ; // deprecated - inline-signing ; ipv4only-contact ; ipv4only-enable ; ipv4only-server ; diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst index 5176f572bd..5a4c4290f6 100644 --- a/doc/misc/options.grammar.rst +++ b/doc/misc/options.grammar.rst @@ -121,7 +121,6 @@ hostname ( | none ); http-port ; https-port ; - inline-signing ; interface-interval ; ipv4only-contact ; ipv4only-enable ; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 56fc96b407..59c2e57e9f 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
@@ -2194,8 +2194,6 @@ static cfg_clausedef_t zone_clauses[] = { { "forwarders", &cfg_type_portiplist, CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD }, - { "inline-signing", &cfg_type_boolean, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "key-directory", &cfg_type_qstring, CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "maintain-ixfr-base", NULL, CFG_CLAUSEFLAG_ANCIENT }, @@ -2305,6 +2303,8 @@ static cfg_clausedef_t zone_only_clauses[] = { CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_HINT | CFG_ZONE_REDIRECT }, { "in-view", &cfg_type_astring, CFG_ZONE_INVIEW }, + { "inline-signing", &cfg_type_boolean, + CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "ixfr-base", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "ixfr-from-differences", &cfg_type_boolean, CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, From 475a553e375c5a6e0fda2916e0f52f8d9fac5eb2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 26 Feb 2021 10:06:17 +1100 Subject: [PATCH 2/4] Add CHANGES note for [GL #2536] --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index 4b4d18e57d..3c752cc442 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +5633. [doc] Inline-signing was incorrectly described as being + inherited from the options / view levels and was + incorrectly accepted at those levels without effect. + This has been corrected. [GL #2536] + 5632. [func] Add built-in dnssec-policy "insecure". This is used to transition a zone from a signed state to a unsigned state. [GL #2645] From 03978a7881fe2eecf0bfeadb57d5ca048fac9927 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 26 Feb 2021 10:10:04 +1100 Subject: [PATCH 3/4] Add Release note for [GL #2536] --- doc/notes/notes-current.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 423ecede42..b9b48a46c4 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
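Review bot: The entry added to `zone_only_clauses` in `lib/isccfg/namedconf.c` has no comment explaining why `inline-signing` is kept out of the shared `zone_clauses` table, so a later cleanup could easily move it back. Per the CHANGES entry in this series, the value was never inherited from `options` or `view` and was accepted there without effect. An operator could therefore set it globally and believe zones were being signed when they were not. I would add above the new entry something like `/* Zone-only: not inherited from options/view; accepting it there silently did nothing. */`. Both tables begin and end outside the hunks shown.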
@@ -54,6 +54,12 @@ Feature Changes ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records to be published. :gl:`#2645` +- ``inline-signing`` was incorrectly described as being inherited from the + ``options`` or ``view`` levels and was incorrectly accepted at those levels + without effect. This has been corrected, ``named.conf`` files with + ``inline-signing`` at those levels will no longer load with this fix applied. + :gl:`#2536` + Bug Fixes ~~~~~~~~~ From a548a450b38c3f39ee261993dcdb5886b82c1f59 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 4 May 2021 10:16:59 +0200 Subject: [PATCH 4/4] checkconf tests for inline-signing at options/view --- .../system/checkconf/bad-inline-options.conf | 22 ++++++++++++++ .../system/checkconf/bad-inline-view.conf | 29 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 bin/tests/system/checkconf/bad-inline-options.conf create mode 100644 bin/tests/system/checkconf/bad-inline-view.conf diff --git a/bin/tests/system/checkconf/bad-inline-options.conf b/bin/tests/system/checkconf/bad-inline-options.conf new file mode 100644 index 0000000000..fbbc69c074 --- /dev/null +++ b/bin/tests/system/checkconf/bad-inline-options.conf @@ -0,0 +1,22 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * inline-signing not allowed at options level. + */ +options { + inline-signing yes; +}; + +zone "." { + type primary; + file "root.db"; +}; diff --git a/bin/tests/system/checkconf/bad-inline-view.conf b/bin/tests/system/checkconf/bad-inline-view.conf new file mode 100644 index 0000000000..364b884ada --- /dev/null 
+++ b/bin/tests/system/checkconf/bad-inline-view.conf @@ -0,0 +1,29 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * inline-signing not allowed at view level. + */ +view "a" { + inline-signing yes; + + zone "." { + type primary; + file "root.db.signed"; + }; +}; + +view "b" { + zone "." { + type primary; + file "root.db"; + }; +};
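Review bot: Both new fixtures (`bad-inline-options.conf` and `bad-inline-view.conf`) only show that the file is rejected, and the view fixture holds more than the one offending clause (a second view and a different zone file name), so it could keep failing for an unrelated reason if the grammar changes again. Assuming the checkconf harness, which is not shown here, passes a `bad-*.conf` file on any parse failure, I would reduce the view fixture to the single `inline-signing yes;` inside one view, or have the test check that the diagnostic names `inline-signing`. Nothing in this series pins the positive case either; a fixture that is expected to load with `inline-signing` inside a `zone` block would confirm the clause still parses where it is meant to.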