From e7d9e3dd29af494029fdc7e0dfdaf23616422d47 Mon Sep 17 00:00:00 2001
From: Lubos Slovak <lubos.slovak@nic.cz>
Date: Mon, 9 Dec 2013 19:12:19 +0100
Subject: [PATCH] Delete NSEC chain if NSEC3 is enabled.

Applies both for full zone resign and for DDNS sign.

refs #125
---
 src/libknot/dnssec/zone-nsec.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/libknot/dnssec/zone-nsec.c b/src/libknot/dnssec/zone-nsec.c
index dbf2e1508d..660d23978c 100644
--- a/src/libknot/dnssec/zone-nsec.c
+++ b/src/libknot/dnssec/zone-nsec.c
@@ -620,6 +620,18 @@ static knot_node_t *create_nsec3_node_for_node(knot_node_t *node,
 	return nsec3_node;
 }
 
+static int remove_nsec_from_node(const knot_node_t *node,
+                                 knot_changeset_t *chgset)
+{
+	assert(node);
+	assert(chgset);
+
+	const knot_rrset_t *nsec = knot_node_rrset(node, KNOT_RRTYPE_NSEC);
+	assert(knot_rrset_rdata_rr_count(nsec) <= 1);
+
+	return changeset_remove_nsec(nsec, chgset);
+}
+
 /*!
  * \brief Create NSEC3 node for each regular node in the zone.
  *
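Review bot: `remove_nsec_from_node` passes the result of `knot_node_rrset(node, KNOT_RRTYPE_NSEC)` on without a NULL check, and its only validation of the RR count is an `assert`, which is compiled out under NDEBUG. The loop calls it for every visited node, so a node without an NSEC is the normal case. Whether `knot_rrset_rdata_rr_count` and `changeset_remove_nsec` accept NULL is not visible here; an explicit `if (nsec == NULL) { return KNOT_EOK; }` before the count check would make it safe either way. If zone data can reach this path from a transfer or a dynamic update, returning an error for an NSEC RRSet with more than one RR is safer than asserting, so that a debug build does not abort on unexpected content. The function also lacks the `/*! \brief ... */` header its neighbours carry; it should state that a missing NSEC is not an error and whether the covering RRSIGs are removed too.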
@@ -630,7 +642,8 @@ static knot_node_t *create_nsec3_node_for_node(knot_node_t *node,
  * \return Error code, KNOT_EOK if successful.
  */
 static int create_nsec3_nodes(const knot_zone_contents_t *zone, uint32_t ttl,
-                              knot_zone_tree_t *nsec3_nodes)
+                              knot_zone_tree_t *nsec3_nodes,
+                              knot_changeset_t *chgset)
 {
 	assert(zone);
 	assert(nsec3_nodes);
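Review bot: The new `chgset` parameter of `create_nsec3_nodes` is neither asserted nor documented, while `zone` and `nsec3_nodes` are asserted directly below the signature. The doc comment above the function gets no `\param` line for it in this patch. Add `assert(chgset);` next to the existing asserts and a line such as `\param chgset Changeset into which removals of existing NSEC records are stored.` The function body continues outside this hunk.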
@@ -664,6 +677,14 @@ static int create_nsec3_nodes(const knot_zone_contents_t *zone, uint32_t ttl,
 			break;
 		}
 
+		/* Remove possible NSEC from the node. (Do not allow both NSEC
+		 * and NSEC3 in the zone at once.)
+		 */
+		result = remove_nsec_from_node(node, chgset);
+		if (result != KNOT_EOK) {
+			break;
+		}
+
 		hattrie_iter_next(it);
 	}
 
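Review bot: The NSEC removal sits at the end of the loop body, so it only runs for nodes that reach this point, and the part of the loop above the hunk is not visible. If any earlier path advances the iterator and skips the rest of the body (for example for nodes that get no NSEC3 node), an NSEC on such a node would stay in the zone next to the NSEC3 chain, which is the state the comment says must not occur. If that can happen, move the `remove_nsec_from_node(node, chgset)` call to the top of the loop body. Otherwise extend the comment to state the invariant, e.g. `Every node iterated here reaches this call, so no NSEC survives.` On the `break` path the changeset already holds removals for the earlier nodes; it would help to note that the caller discards it on error, if that is the case.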
@@ -721,7 +742,7 @@ static int create_nsec3_chain(const knot_zone_contents_t *zone, uint32_t ttl,
 		return KNOT_ENOMEM;
 	}
 
-	result = create_nsec3_nodes(zone, ttl, nsec3_nodes);
+	result = create_nsec3_nodes(zone, ttl, nsec3_nodes, changeset);
 	if (result != KNOT_EOK) {
 		free_nsec3_tree(nsec3_nodes);
 		return result;
-- 
GitLab