Also inherit from "default" for "insecure" policy

Remove the duplication from the defaultconf and inherit the values not set in the "insecure" policy from the "default" policy. Therefore, we must insist that the first read built-in policy is the default one.
2026-06-09 01:42:07 -04:00 · 2022-06-24 09:22:38 +02:00 · 2022-06-24 09:22:38 +02:00 · c2a7950417
commit c2a7950417
parent 80b55f9cfa
3 changed files with 8 additions and 16 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -318,18 +318,6 @@ dnssec-policy \"default\" {\n\
 \n\
 dnssec-policy \"insecure\" {\n\
 	keys { };\n\
-\n\
-	dnskey-ttl " DNS_KASP_KEY_TTL "; \n\
-	publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
-	retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
-	purge-keys " DNS_KASP_PURGE_KEYS "; \n\
-	signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
-	signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
-	signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
-	max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\
-	zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\
-	parent-ds-ttl " DNS_KASP_DS_TTL "; \n\
-	parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\
 };\n\
 \n\
 "
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -9086,14 +9086,19 @@ load_configuration(const char *filename, named_server_t *server,
 	     element = cfg_list_next(element))
 	{
 		cfg_obj_t *kconfig = cfg_listelt_value(element);
+
 		kasp = NULL;
-		CHECK(cfg_kasp_fromconfig(kconfig, NULL, named_g_mctx,
+		CHECK(cfg_kasp_fromconfig(kconfig, default_kasp, named_g_mctx,
 					  named_g_lctx, &kasplist, &kasp));
 		INSIST(kasp != NULL);
 		dns_kasp_freeze(kasp);
-		if (strcmp(dns_kasp_getname(kasp), "default") == 0) {
+
+		/* Insist that the first built-in policy is the default one. */
+		if (default_kasp == NULL) {
+			INSIST(strcmp(dns_kasp_getname(kasp), "default") == 0);
 			dns_kasp_attach(kasp, &default_kasp);
 		}
+
 		dns_kasp_detach(&kasp);
 	}
 	INSIST(default_kasp != NULL);
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@ -511,9 +511,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 		if (result != ISC_R_SUCCESS) {
 			goto cleanup;
 		}
-	} else if (default_kasp && strcmp(kaspname, "insecure") != 0) {
+	} else if (default_kasp) {
 		dns_kasp_key_t *key, *new_key;
-
 		/*
 		 * If there are no specific keys configured in the policy,
 		 * inherit from the default policy (except for the built-in