diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index a463752edb..6df2aaefa7 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -191,7 +191,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 isc_result_t ret;
 isc_buffer_t *databuf = NULL;
 char data[256 + 8];
- uint32_t flags;
 unsigned int sigsize;
 dns_fixedname_t fnewname;
 dns_fixedname_t fsigner;
@@ -209,17 +208,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 return DNS_R_INVALIDTIME;
 }
 
- /*
- * Is the key allowed to sign data?
- */
- flags = dst_key_flags(key);
- if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
- return DNS_R_KEYUNAUTHORIZED;
- }
- if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
- return DNS_R_KEYUNAUTHORIZED;
- }
-
 sig.mctx = mctx;
 sig.common.rdclass = set->rdclass;
 sig.common.rdtype = dns_rdatatype_rrsig;
@@ -381,7 +369,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 unsigned char data[300];
 dst_context_t *ctx = NULL;
 int labels = 0;
- uint32_t flags;
 bool downcase = false;
 
 REQUIRE(name != NULL);
@@ -446,19 +433,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 break;
 }
 
- /*
- * Is the key allowed to sign data?
- */
- flags = dst_key_flags(key);
- if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
- inc_stat(dns_dnssecstats_fail);
- return DNS_R_KEYUNAUTHORIZED;
- }
- if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
- inc_stat(dns_dnssecstats_fail);
- return DNS_R_KEYUNAUTHORIZED;
- }
-
 again:
 ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false,
 maxbits, &ctx);
@@ -1104,7 +1078,6 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
 bool
 dns_dnssec_iszonekey(dns_rdata_dnskey_t *key) {
 return (key->flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
- (key->flags & DNS_KEYTYPE_NOAUTH) == 0 &&
 (key->protocol == DNS_KEYPROTO_DNSSEC ||
 key->protocol == DNS_KEYPROTO_ANY);
 }
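Review bot: The block removed from dns_dnssec_verify (and the matching block in dns_dnssec_sign) drops not only the obsolete DNS_KEYTYPE_NOAUTH test but also the `(flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE` rejection, so a DNSKEY without the ZONE bit is no longer refused at this layer; RFC 4034 §2.1.1 says such a key MUST NOT be used to verify RRSIGs, so this is only safe if every caller already selects keys with dst_key_iszonekey() or dns_dnssec_iszonekey() (both of which this commit keeps), and that dependency is not visible from the hunk. The removal in dns_dnssec_verify also silently drops the `inc_stat(dns_dnssecstats_fail)` for this rejection reason, so a non-zone key now either fails later under a different counter or not at all, which matters for anyone alerting on that statistic. If the ZONE test is meant to stay in these two functions, keep `if ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) { return DNS_R_KEYUNAUTHORIZED; }` (with the stats increment in verify); otherwise leave a comment at each removal site such as `/* The old key-type bits are reserved and must be ignored (RFC 4034 §2.1.1); callers select zone keys via dst_key_iszonekey(). */`. Both dns_dnssec_sign and dns_dnssec_verify start and end outside their hunks.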
@@ -1615,9 +1588,7 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
 RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &dnskey));
 dst_key_setttl(dnskey, keys.ttl);
 
- if (!is_zone_key(dnskey) ||
- (dst_key_flags(dnskey) & DNS_KEYTYPE_NOAUTH) != 0)
- {
+ if (!is_zone_key(dnskey)) {
 goto skip;
 }
 
@@ -1723,11 +1694,6 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
 }
 RETERR(result);
 
- /* This should never happen. */
- if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
- goto skip;
- }
-
 /*
 * Whatever the key's default TTL may have
 * been, the rdataset TTL takes priority.
diff --git a/lib/dns/key.c b/lib/dns/key.c
index 6e8091bc75..07bd5cf88e 100644
--- a/lib/dns/key.c
+++ b/lib/dns/key.c
@@ -134,9 +134,6 @@ bool
 dst_key_iszonekey(const dst_key_t *key) {
 REQUIRE(VALID_KEY(key));
 
- if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0) {
- return false;
- }
 if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
 return false;
 }
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 96e642f957..5e054459a2 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6439,9 +6439,7 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
 dst_key_setttl(pubkey, rdataset.ttl);
 
- if (!is_zone_key(pubkey) ||
- (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
- {
+ if (!is_zone_key(pubkey)) {
 goto next;
 }
 /* Corrupted .key file? */
@@ -6535,12 +6533,6 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 * been, the rdataset TTL takes priority.
 */
 dst_key_setttl(keys[count], rdataset.ttl);
-
- if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
- /* We should never get here. */
- dst_key_free(&keys[count]);
- goto next;
- }
 count++;
 next:
 if (pubkey != NULL) {
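Review bot: dst_key_iszonekey() in lib/dns/key.c now accepts keys carrying the obsolete DNS_KEYTYPE_NOAUTH bits, and the callers changed in this commit (dns_dnssec_keylistfromrdataset and findzonekeys) drop their own NOAUTH tests to rely on it, so this one predicate now decides which DNSKEYs are eligible to sign, yet nothing in the hunk records that the omission is deliberate rather than an oversight. A comment above the remaining check, e.g. `/* Only the ZONE bit is significant; RFC 4034 §2.1.1 reserves the old key-type bits and requires them to be ignored. */`, would stop a future maintainer from re-adding the test. The removed `/* This should never happen. */` guard in keylistfromrdataset and the `/* We should never get here. */` guard in findzonekeys appear to have been defence against a private-key file whose flags disagree with the published DNSKEY; if that mismatch is still worth detecting, the "Corrupted .key file?" comparison that follows (outside this hunk) is the place for it rather than a NOAUTH-specific test. dst_key_iszonekey's body continues past the hunk.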
@@ -20613,8 +20605,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
- if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
- DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
+ if ((dnskey.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
 {
 ISC_LIST_UNLINK(diff->tuples, tuple, link);
 ISC_LIST_APPEND(tuples, tuple, link);