From 43bbfbeb3c27e5e1402237ac6a90c2ade6ed2cb5 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 18 May 2026 15:13:38 +0200 Subject: [PATCH 1/2] Check conf dnssec-policy inline-signing secondary Add a variant of checking configuration where inline-signing is enabled on the secondary, requiring the 'file' entry. This time, inline-signing is implicitly enabled via dnssec-policy. --- bin/tests/system/checkconf/inline-inherit.conf | 7 +++++++ bin/tests/system/checkconf/tests.sh | 3 +++ 2 files changed, 10 insertions(+) create mode 100644 bin/tests/system/checkconf/inline-inherit.conf diff --git a/bin/tests/system/checkconf/inline-inherit.conf b/bin/tests/system/checkconf/inline-inherit.conf new file mode 100644 index 0000000000..8cc7da6b85 --- /dev/null +++ b/bin/tests/system/checkconf/inline-inherit.conf @@ -0,0 +1,7 @@ +remote-servers "stealthPrimaries" {127.0.0.1;}; +zone "example.net" { + type secondary; + dnssec-policy default; + primaries { stealthPrimaries; }; +}; + diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 330da510e3..539afaf56a 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -277,6 +277,9 @@ l=$(grep "missing 'file' entry" checkconf.out$n.3 2>&1 && ret=1 l=$(grep "missing 'file' entry" checkconf.out$n.3 2>&1 && ret=1 +l=$(grep "missing 'file' entry" Date: Mon, 18 May 2026 15:15:39 +0200 Subject: [PATCH 2/2] Fix startup crash on bump in the wire signer A secondary server that is configured as a bump in the wire signer with inline-signing implicitly enabled via dnssec-policy requires a 'file' entry. --- lib/isccfg/check.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index 2995319627..26ae9a70b9 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c 
@@ -3900,7 +3900,7 @@ isccfg_check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 if (obj != NULL) {
 inline_signing = signing = cfg_obj_asboolean(obj);
 } else if (has_dnssecpolicy) {
- signing = kasp_inlinesigning;
+ inline_signing = signing = kasp_inlinesigning;
 }
 
 if (has_dnssecpolicy) {
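Review bot: The `else if (has_dnssecpolicy)` branch now copies `kasp_inlinesigning` into `inline_signing`, but nothing at this spot records why a policy-derived value has to reach `inline_signing`, which is how the two variables drifted apart before; a comment such as `/* dnssec-policy may enable inline-signing implicitly; keep inline_signing in step so the secondary 'file' requirement is enforced */` above the assignment would document that. `kasp_inlinesigning` is computed outside the hunk (the body of isccfg_check_zoneconf starts and ends elsewhere), so it is worth confirming that it is already resolved for built-in policies such as `default` at this point, since the new inline-inherit.conf test relies on that. The change makes the configuration check reject a secondary without a 'file' entry; whether the zone setup code that crashed also fails cleanly if it is reached by a path that skips this check cannot be seen from here and may deserve its own guard.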