From ac1b70ad00c246da8c4eabc63c5d387a6ae3c035 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 13 Oct 2023 11:46:05 +0200
Subject: [PATCH] Don't resign raw version of the zone

Update the function 'set_resigntime()' so that raw versions of inline-signing zones are not scheduled to be resigned.

Also update the check in the same function for zone is dynamic, there exists a function 'dns_zone_isdynamic()' that does a similar thing and is more complete.

Also in 'zone_postload()' check whether the zone is not the raw version of an inline-signing zone, preventing calculating the next resign time.

(cherry picked from commit 741ce2d07a7637391c729e108080529accfc834f)
---
 lib/dns/zone.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 4428e3d000..a9bcea5105 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3971,15 +3971,11 @@ set_resigntime(dns_zone_t *zone) {
 INSIST(LOCKED_ZONE(zone));

 /* We only re-sign zones that can be dynamically updated */
- if (zone->update_disabled) {
+ if (!dns_zone_isdynamic(zone, false)) {
 return;
 }

- if (!inline_secure(zone) &&
- (zone->type != dns_zone_primary ||
- (zone->ssutable == NULL &&
- (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
- {
+ if (inline_raw(zone)) {
 return;
 }

@@ -5330,7 +5326,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 is_dynamic = dns_zone_isdynamic(zone, false);
 if (zone->type == dns_zone_primary &&
 !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
- is_dynamic && dns_db_issecure(db))
+ is_dynamic && dns_db_issecure(db) && !inline_raw(zone))
 {
 dns_name_t *name;
 dns_fixedname_t fixed;
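Review bot: The rewritten guard at the top of set_resigntime() no longer tests `zone->update_disabled` or `zone->type != dns_zone_primary` itself; both now depend on what `dns_zone_isdynamic(zone, false)` returns, and that function is defined outside this patch. The commit message says only that it does "a similar thing", so it is worth confirming that it still returns false for a zone with updates disabled and for non-primary zone types, because otherwise the set of zones that receive a resign time changes in ways the message does not describe, and a zone that drops off the schedule could end up serving expired signatures. The new `if (inline_raw(zone))` return here and the added `!inline_raw(zone)` term in the zone_postload() hunk are also uncommented; I would add `/* The raw version of an inline-signing zone is not re-signed. */` above the check in set_resigntime(). Both functions start and end outside their hunks.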