bind/backport-0007-Only-warn-if-we-could-not-delete-signature.patch

From 8e31f6981a4e080bc02158a74f4f99f70144cf45 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 3 Dec 2021 16:18:13 +0100
Subject: [PATCH] Only warn if we could not delete signature

BIND can log this warning:

    zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
      missing or inactive and has no replacement: retaining signatures.

This log can happen when BIND tries to remove signatures because the
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK files has been removed from disk. When we have
created a new ZSK we can replace the signatures creeated by the KSK
with signatures from the new ZSK.

It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.

The warning is logged if BIND detects the private ZSK file is missing.

The warning is logged even if we were able to delete the signature.

With the change from this commit it only logs this warning if it is not
okay to delete the signature.

(cherry picked from commit 2d2858841a8a749792f50ff077d03cf50f730981)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8e31f6981a4e080bc02158a74f4f99f70144cf45
---
 lib/dns/zone.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 8bfc5e8bc9..27373b34fe 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6858,7 +6858,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 				}
 				deleted = true;
 			}
-			if (warn) {
+			if (warn && !deleted) {
 				/*
 				 * At this point, we've got an RRSIG,
 				 * which is signed by an inactive key.
@@ -6868,7 +6868,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 				 * offline will prevent us spinning waiting
 				 * for the private part.
 				 */
-				if (incremental && !deleted) {
+				if (incremental) {
 					result = offline(db, ver, zonediff,
 							 name, rdataset.ttl,
 							 &rdata);
-- 
2.23.0
backport bugfix patches 2022-12-26 15:55:21 +08:00			`From 8e31f6981a4e080bc02158a74f4f99f70144cf45 Mon Sep 17 00:00:00 2001`
			`From: Matthijs Mekking <matthijs@isc.org>`
			`Date: Fri, 3 Dec 2021 16:18:13 +0100`
			`Subject: [PATCH] Only warn if we could not delete signature`

			`BIND can log this warning:`

			`zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340`
			`missing or inactive and has no replacement: retaining signatures.`

			`This log can happen when BIND tries to remove signatures because the`
			`are about to expire or to be resigned. These RRsets may be signed with`
			`the KSK if the ZSK files has been removed from disk. When we have`
			`created a new ZSK we can replace the signatures creeated by the KSK`
			`with signatures from the new ZSK.`

			`It complains about the KSK being missing or inactive, but actually it`
			`takes the key id from the RRSIG.`

			`The warning is logged if BIND detects the private ZSK file is missing.`

			`The warning is logged even if we were able to delete the signature.`

			`With the change from this commit it only logs this warning if it is not`
			`okay to delete the signature.`

			`(cherry picked from commit 2d2858841a8a749792f50ff077d03cf50f730981)`
			`Conflict: NA`
			`Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8e31f6981a4e080bc02158a74f4f99f70144cf45`
			`---`
			`lib/dns/zone.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/lib/dns/zone.c b/lib/dns/zone.c`
			`index 8bfc5e8bc9..27373b34fe 100644`
			`--- a/lib/dns/zone.c`
			`+++ b/lib/dns/zone.c`
			`@@ -6858,7 +6858,7 @@ del_sigs(dns_zone_t zone, dns_db_t db, dns_dbversion_t ver, dns_name_t name,`
			`}`
			`deleted = true;`
			`}`
			`- if (warn) {`
			`+ if (warn && !deleted) {`
			`/*`
			`* At this point, we've got an RRSIG,`
			`* which is signed by an inactive key.`
			`@@ -6868,7 +6868,7 @@ del_sigs(dns_zone_t zone, dns_db_t db, dns_dbversion_t ver, dns_name_t name,`
			`* offline will prevent us spinning waiting`
			`* for the private part.`
			`*/`
			`- if (incremental && !deleted) {`
			`+ if (incremental) {`
			`result = offline(db, ver, zonediff,`
			`name, rdataset.ttl,`
			`&rdata);`
			`--`
			`2.23.0`