Commit 8d28da69 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: fix adjusting node flags before signing

parent 622b540b
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -27,6 +27,7 @@
#include "knot/dnssec/zone-keys.h"
#include "knot/dnssec/zone-nsec.h"
#include "knot/dnssec/zone-sign.h"
#include "knot/zone/adjust.h"
static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_roll_flags_t roll_flags,
kdnssec_ctx_t *ctx, zone_sign_reschedule_t *reschedule)
......@@ -178,6 +179,11 @@ int knot_dnssec_zone_sign(zone_update_t *update,
goto done;
}
result = zone_adjust_contents(update->new_cont, adjust_cb_flags, NULL);
if (result != KNOT_EOK) {
return result;
};
result = knot_zone_create_nsec_chain(update, &keyset, &ctx);
if (result != KNOT_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to create NSEC%s chain (%s)",
......@@ -254,6 +260,11 @@ int knot_dnssec_sign_update(zone_update_t *update, zone_sign_reschedule_t *resch
goto done;
}
result = zone_adjust_update(update, adjust_cb_flags, NULL);
if (result != KNOT_EOK) {
goto done;
}
knot_time_t expire_at = 0;
result = knot_zone_sign_update(update, &keyset, &ctx, &expire_at);
if (result != KNOT_EOK) {
......
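Review bot: In the knot_dnssec_zone_sign hunk, the new failure path after zone_adjust_contents() uses `return result;`, while the error path directly above it and the matching check added in knot_dnssec_sign_update both use `goto done;`. The `done:` label is outside the visible hunk, but if it releases the loaded keyset and the signing context, as the surrounding error paths suggest, this early return skips that cleanup and leaks key-related state whenever the adjust fails. I would change the line to `goto done;` and drop the stray `;` after the closing brace. A log_zone_error() call with zone_name, in the style of the NSEC chain failure just below, would also make a failed adjust visible to operators instead of surfacing only as a return code. The function body starts and ends outside the hunk.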
......@@ -27,7 +27,6 @@
#include "knot/dnssec/key_records.h"
#include "knot/dnssec/rrset-sign.h"
#include "knot/dnssec/zone-sign.h"
#include "knot/zone/adjust.h"
#include "libknot/libknot.h"
#include "contrib/dynarray.h"
#include "contrib/macros.h"
......@@ -1163,11 +1162,6 @@ int knot_zone_sign_update(zone_update_t *update,
int ret = KNOT_EOK;
ret = zone_adjust_update(update, adjust_cb_flags_and_additionals, adjust_cb_nsec3_flags);
if (ret != KNOT_EOK) {
return ret;
}
/* Check if the UPDATE changed DNSKEYs or NSEC3PARAM.
* If so, we have to sign the whole zone. */
const bool full_sign = apex_dnssec_changed(update);
......