From c2a7950417024cf6db52a9dc3f3135c473d22072 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 24 Jun 2022 09:22:38 +0200
Subject: [PATCH] Also inherit from "default" for "insecure" policy
Remove the duplication from the defaultconf and inherit the values not set in the "insecure" policy from the "default" policy. Therefore, we must insist that the first read built-in policy is the default one.
---
 bin/named/config.c | 12 ------------
 bin/named/server.c | 9 +++++++--
 lib/isccfg/kaspconf.c | 3 +--
 3 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/bin/named/config.c b/bin/named/config.c
index cfdcec0847..f7cc14dbaf 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -318,18 +318,6 @@ dnssec-policy \"default\" {\n\
 \n\
 dnssec-policy \"insecure\" {\n\
 keys { };\n\
-\n\
- dnskey-ttl " DNS_KASP_KEY_TTL "; \n\
- publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
- retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
- purge-keys " DNS_KASP_PURGE_KEYS "; \n\
- signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
- signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
- signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
- max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\
- zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\
- parent-ds-ttl " DNS_KASP_DS_TTL "; \n\
- parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\
 };\n\
 \n\
 "
diff --git a/bin/named/server.c b/bin/named/server.c
index da9c18138c..e36502863a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9086,14 +9086,19 @@ load_configuration(const char *filename, named_server_t *server,
 element = cfg_list_next(element)) {
 cfg_obj_t *kconfig = cfg_listelt_value(element);
+ kasp = NULL;
- CHECK(cfg_kasp_fromconfig(kconfig, NULL, named_g_mctx,
+ CHECK(cfg_kasp_fromconfig(kconfig, default_kasp, named_g_mctx,
 named_g_lctx, &kasplist, &kasp));
 INSIST(kasp != NULL);
 dns_kasp_freeze(kasp);
- if (strcmp(dns_kasp_getname(kasp), "default") == 0) {
+
+ /* Insist that the first built-in policy is the default one. */
+ if (default_kasp == NULL) {
+ INSIST(strcmp(dns_kasp_getname(kasp), "default") == 0);
 dns_kasp_attach(kasp, &default_kasp);
 }
+ dns_kasp_detach(&kasp);
 }
 INSIST(default_kasp != NULL);
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 932466aad7..7c476b1a68 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -511,9 +511,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 if (result != ISC_R_SUCCESS) {
 goto cleanup;
 }
- } else if (default_kasp && strcmp(kaspname, "insecure") != 0) {
+ } else if (default_kasp) {
 dns_kasp_key_t *key, *new_key;
-
 /*
 * If there are no specific keys configured in the policy,
 * inherit from the default policy (except for the built-in
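Review bot: The `INSIST(strcmp(dns_kasp_getname(kasp), "default") == 0)` inside the new `if (default_kasp == NULL)` block makes the order of the built-in policy text in config.c a fatal startup assertion, and the comment above it says what is checked but not why an abort is preferred over an error result. Since that text is compiled in rather than read from the operator's configuration, treating a wrong order as a programming error is defensible, but the comment should state the contract both sides depend on, e.g. `/* The built-in config text (config.c) must list "default" first: later built-in policies inherit unset values from it, so any other order is a bug, not bad input. */`. The added `kasp = NULL;` before CHECK looks redundant with the `dns_kasp_detach(&kasp)` added at the end of the loop body, which already leaves kasp NULL for the next iteration; if it is there so the cleanup path never sees a stale pointer after a failed CHECK, a one-line comment would save the next reader the question. The declaration of kasp and the cleanup label are outside the hunk, so I cannot confirm which it is.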
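Review bot: The comment that starts at the end of the hunk (`* inherit from the default policy (except for the built-in`) continues past it; if it goes on to name the insecure policy as the exception, it is now stale, because the `strcmp(kaspname, "insecure") != 0` test that implemented that exception is removed in this hunk. What now keeps the built-in insecure policy out of this inheritance branch is presumably its explicit `keys { };` entry in config.c, which sends it through the configured-keys branch above rather than this one; that dependency is worth stating, e.g. `* inherit from the default policy. The built-in "insecure" policy declares an empty keys list in config.c, so it never reaches this branch.`. The enclosing function cfg_kasp_fromconfig begins and ends outside the hunk.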