From e6a454ad12a2cabbd9bb0ec784b6e1c655cb7ef9 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 12 Oct 2023 12:02:02 +0200
Subject: [PATCH] Ignore inline-signing by default

Ignore the option 'inline-signing' unless there is a 'dnssec-policy' configured for the zone. Having inline signing enabled while the zone is not DNSSEC signed does not make sense. If there is a 'dnssec-policy' the 'inline-signing' zone-only option can be used to override the value for the given zone.
---
 bin/named/zoneconf.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index fa34b4c7d4..06982f9aeb 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -2014,13 +2014,7 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
  }
  maps[i] = NULL;
 
- /* "inline-signing" is a zone-only clause, so look in maps[0] only. */
- res = cfg_map_get(maps[0], "inline-signing", &signing);
- if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
- return (cfg_obj_asboolean(signing));
- }
-
- /* If inline-signing is not set, check the value in dnssec-policy. */
+ /* Check the value in dnssec-policy. */
  policy = NULL;
  res = named_config_get(maps, "dnssec-policy", &policy);
  /* If no dnssec-policy found, then zone is not using inline-signing. */
@@ -2039,5 +2033,15 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
  inline_signing = dns_kasp_inlinesigning(kasp);
  dns_kasp_detach(&kasp);
 
+ /*
+ * The zone option 'inline-signing' may override the value in
+ * dnssec-policy. This is a zone-only option, so look in maps[0]
+ * only.
+ */
+ res = cfg_map_get(maps[0], "inline-signing", &signing);
+ if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
+ return (cfg_obj_asboolean(signing));
+ }
+
  return (inline_signing);
  }
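Review bot: An explicit `inline-signing yes;` on a zone with no `dnssec-policy` is now dropped without any diagnostic, because the zone-only `cfg_map_get(maps[0], "inline-signing", &signing)` lookup moved to the end of the second hunk is only reached after the dnssec-policy lookup in the first hunk succeeds (the context comment there says a missing policy means the zone is not inline-signed; the actual early return is outside the hunk). Operators who relied on that clause will see the zone silently stop being re-signed, so existing signatures can expire with nothing in the logs pointing at the configuration. Since this function only computes the effective value, the configuration checker is probably the right place to reject or warn on `inline-signing` without `dnssec-policy`; failing that, a one-time log here such as `"inline-signing ignored: zone has no dnssec-policy"` when `cfg_map_get` succeeds on the no-policy path would make the change visible. The start of named_zone_inlinesigning, including the declarations of `res` and `signing` and the no-policy return, lies outside both hunks.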