bind9/lib
Matthijs Mekking 88e5bc0687 Update find_zone_keys for dynamic update
The find_zone_keys() function was not working properly for
inline-signed zones. It only worked if the DNSKEY records were also
published in the unsigned version of the zone. But this is not the
case when you use dnssec-policy, the DNSKEY records will only occur
in the signed version of the zone. Therefore, when looking for keys
to sign the zone, only the newly added keys in the dynamic update
were found (which could be zero), ignoring existing keys.

Also, if a DNSKEY was added, it would try to sign the zone with just
this new key, and this would only work if the key files for that key
were imported into the key-directory.

This is a design error, because the goal is to sign the zone with the
keys for which we actually have key files. So instead of looking
for DNSKEY records to then search for the matching key files, call
dns_dnssec_findmatchingkeys() which just looks for the keys we have
on disk for the given zone. It will also set the correct DNSSEC
signing hints.
2023-06-14 09:08:56 +02:00
..
dns Update find_zone_keys for dynamic update 2023-06-14 09:08:56 +02:00
isc Fix typo in synchronize_rcu macro (add h) 2023-06-06 08:10:09 +10:00
isccc Fix the streaming read callback shutdown logic 2023-04-20 12:58:32 +02:00
isccfg Add configuration option 'cdnskey' 2023-05-11 17:07:51 +02:00
ns Use appropriately sized send buffers for DNS messages over TCP 2023-06-06 13:40:42 +02:00
.gitignore The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
Makefile.am Move irs_resconf into libdns and remove libirs 2023-02-24 09:38:59 +00:00