From 6dcb9ce77ff774ffab3139c052b0f177338953d0 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 7 Nov 2025 15:56:54 +0100
Subject: [PATCH] Skip private records when syncing secure db

When synchronizing the secure database, we skip DNSSEC records that BIND 9 maintains with inline-signing. We should also skip private RDATA type records that are used to track the current state of a zone-signing process.
---
 lib/dns/zone.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index a46969b3e8..2b70bdc93a 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -16312,6 +16312,17 @@ sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb,
 ISC_LIST_FOREACH(diff->tuples, tuple, link) {
 dns_difftuplelist_t *al = &add, *dl = &del;
 
+ /*
+ * Skip private records that BIND maintains with inline-signing.
+ */
+ if (seczone->privatetype != 0 &&
+ tuple->rdata.type == seczone->privatetype)
+ {
+ ISC_LIST_UNLINK(diff->tuples, tuple, link);
+ dns_difftuple_free(&tuple);
+ continue;
+ }
+
 /*
 * Skip DNSSEC records that BIND maintains with inline-signing.
 */
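Review bot: The new skip calls `dns_difftuple_free(&tuple)` on the element the loop is currently positioned on and then `continue`s inside `ISC_LIST_FOREACH`, which is only free of use-after-free if that macro reads the next link before the body runs; the macro is not visible in the hunk, so please confirm it is the deletion-safe form rather than a plain `for (elt = head; elt; elt = elt->link.next)` — the existing DNSSEC skip that follows appears to rely on the same property, and its body is outside the hunk. The diffstat shows only lib/dns/zone.c changed, so a regression test that places a record of the zone's private type in the raw zone and asserts it is absent from the synced secure db would pin the new behaviour. The comment says which records are dropped but not why; consider `/* Skip private (signing-state) records: the secure zone tracks its own signing state, so raw-side private RRs must not be copied over it. */`. sync_secure_db starts before the hunk and continues after it.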