From ce3b2c5189e874f1c45d699cfb4f30fc7a8cd604 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 25 Nov 2009 03:17:11 +0000
Subject: [PATCH] 2788. [bug] dnssec-signzone could sign with keys that were not requested [RT #20625]
---
 CHANGES | 3 +++
 bin/dnssec/dnssec-signzone.c | 14 ++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/CHANGES b/CHANGES
index d3768a396b..782a0d893c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2788. [bug] dnssec-signzone could sign with keys that were
+ not requested [RT #20625]
+
 2787. [bug] Spurious log message when zone keys were dynamically reconfigured. [RT #20659]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index f31bd751da..2fb2dcc95a 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-signzone.c,v 1.255 2009/11/24 03:42:31 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.256 2009/11/25 03:17:11 each Exp $ */
 /*! \file */
@@ -3643,16 +3643,18 @@ main(int argc, char *argv[]) {
 /*
 * Fill keylist with:
 * 1) Keys listed in the DNSKEY set that have
- * private keys associated
- * 2) KSKs set on the command line
- * 3) ZSKs set on the command line
+ * private keys associated, *if* no keys were
+ * set on the command line.
+ * 2) ZSKs set on the command line
+ * 3) KSKs set on the command line
 * 4) Any keys remaining in the DNSKEY set which
 * do not have private keys associated and were
 * not specified on the command line.
 */
- loadzonekeys(!smartsign, ISC_FALSE);
- loadexplicitkeys(dskeyfile, ndskeys, ISC_TRUE);
+ if (argc == 0 || smartsign)
+ loadzonekeys(!smartsign, ISC_FALSE);
 loadexplicitkeys(argv, argc, ISC_FALSE);
+ loadexplicitkeys(dskeyfile, ndskeys, ISC_TRUE);
 loadzonekeys(!smartsign, ISC_TRUE);
 /*
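Review bot: The new guard `if (argc == 0 || smartsign)` counts only the positional key files as "keys set on the command line", so an invocation that supplies KSKs through `dskeyfile`/`ndskeys` but no positional keys (argc == 0, ndskeys > 0) still reaches `loadzonekeys(!smartsign, ISC_FALSE)` and pulls in every apex key with a private key on disk — the same unrequested-key signing this commit sets out to stop, if those keys are meant to count per the rewritten comment. If they are, the guard should read `if ((argc == 0 && ndskeys == 0) || smartsign)`; I cannot confirm from the hunk alone how ndskeys is populated, since that happens elsewhere in main(). The rewritten comment also says DNSKEY-set keys are taken "*if* no keys were set on the command line" but omits the smartsign case the condition covers; `*    set on the command line (or when smart signing is enabled).` would match the code. main() begins and ends outside this hunk.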