diff --git a/DnsServerCore/Dns/Zones/AuthZone.cs b/DnsServerCore/Dns/Zones/AuthZone.cs
index faf0ed70..9b8a838d 100644
--- a/DnsServerCore/Dns/Zones/AuthZone.cs
+++ b/DnsServerCore/Dns/Zones/AuthZone.cs
@@ -484,7 +484,12 @@ namespace DnsServerCore.Dns.Zones
 internal IReadOnlyList RefreshSignatures()
 {
 if (!_entries.TryGetValue(DnsResourceRecordType.RRSIG, out IReadOnlyList rrsigRecords))
+ {
+ if ((_entries.Count == 1) && _entries.TryGetValue(DnsResourceRecordType.NS, out _))
+ return Array.Empty(); //delegation NS records are not signed
+
 throw new InvalidOperationException();
+ }
 List typesToRefresh = new List();
 DateTime utcNow = DateTime.UtcNow;
@@ -513,7 +518,7 @@ namespace DnsServerCore.Dns.Zones
 internal virtual IReadOnlyList SignRRSet(IReadOnlyList records)
 {
- throw new InvalidOperationException();
+ throw new NotImplementedException();
 }
 internal IReadOnlyList GetUpdatedNSecRRSet(string nextDomainName, uint ttl)
@@ -523,11 +528,13 @@ namespace DnsServerCore.Dns.Zones
 foreach (KeyValuePair> entry in _entries)
 types.Add(entry.Key);
- if (!_entries.ContainsKey(DnsResourceRecordType.NSEC))
+ if (!types.Contains(DnsResourceRecordType.NSEC))
+ {
 types.Add(DnsResourceRecordType.NSEC);
- if (!_entries.ContainsKey(DnsResourceRecordType.RRSIG))
- types.Add(DnsResourceRecordType.RRSIG);
+ if (!types.Contains(DnsResourceRecordType.RRSIG))
+ types.Add(DnsResourceRecordType.RRSIG);
+ }
 types.Sort();
@@ -556,7 +563,7 @@ namespace DnsServerCore.Dns.Zones
 switch (entry.Key)
 {
 case DnsResourceRecordType.NSEC3:
- case DnsResourceRecordType.RRSIG:
+ //rare case when there is a record created at the same name as that of an existing NSEC3
 continue;
 default:
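Review bot: The `throw new InvalidOperationException();` kept as context below the new guard still carries no message, and after this change it is the only remaining outcome for a name without RRSIG that is not a bare delegation, so the failure gives an operator nothing to act on; `throw new InvalidOperationException($"No RRSIG records found at '{_name}'.");` would at least identify the name (`_name` is the field compared in the hunk at `@@ -598,16 +598,8 @@`). The inner check `_entries.TryGetValue(DnsResourceRecordType.NS, out _)` only tests membership, which `_entries.ContainsKey(DnsResourceRecordType.NS)` says directly. The `_entries.Count == 1` condition presumably relies on a delegation that also holds DS being signed and therefore never reaching this branch; a comment stating that would spare the next reader the same reasoning. RefreshSignatures continues past the end of the hunk.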
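Review bot: `throw new NotImplementedException();` on the new side of SignRRSet reads as unfinished work, while this appears to be a virtual base member that zone types which do not sign are simply not meant to override, so `NotSupportedException` describes the situation more precisely and does not look like a TODO to the next maintainer. If instead every concrete zone is expected to override it, making the member abstract moves that check to compile time. Either way a message naming the zone type, e.g. `throw new NotSupportedException($"Zone type '{GetType().Name}' cannot sign RRSets.");`, makes the failure self-explaining.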
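Review bot: Moving the RRSIG check inside the `if (!types.Contains(DnsResourceRecordType.NSEC))` block in GetUpdatedNSecRRSet makes the NSEC type bitmap depend on an unstated invariant: a name that already holds NSEC must also already hold RRSIG, otherwise the updated NSEC would omit RRSIG from its bitmap. If that invariant holds in this zone model, state it where the block opens, e.g. `//an existing NSEC is always accompanied by its RRSIG, so RRSIG only needs adding together with a new NSEC`. Since `types` is filled from the `_entries` keys just above, `types.Contains(...)` and the former `_entries.ContainsKey(...)` are equivalent here, so the switch to the list lookup changes nothing but cost. The method continues past the end of the hunk.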
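Review bot: The comment `//rare case when there is a record created at the same name as that of an existing NSEC3` now sits between `case DnsResourceRecordType.NSEC3:` and `continue;`, where it reads as an explanation for the RRSIG skip that was just removed rather than for why an NSEC3 entry can exist at this name at all. Placing it above the case label with an explicit subject, e.g. `//skip NSEC3 itself; it is only present here in the rare case where a record was created at the same name as an existing NSEC3`, avoids that misreading. The identical change in the second switch at `@@ -587,7 +587,7 @@` has the same issue. Both switch statements start and end outside their hunks.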
@@ -565,13 +572,6 @@ namespace DnsServerCore.Dns.Zones
 }
 }
- if (types.Count > 0)
- {
- //zone is not an empty non-terminal (ENT)
- if (!_entries.ContainsKey(DnsResourceRecordType.RRSIG))
- types.Add(DnsResourceRecordType.RRSIG);
- }
-
 types.Sort();
 DnsNSEC3RecordData newNSec3 = new DnsNSEC3RecordData(DnssecNSEC3HashAlgorithm.SHA1, DnssecNSEC3Flags.None, iterations, salt, nextHashedOwnerName, types);
@@ -587,7 +587,7 @@ namespace DnsServerCore.Dns.Zones
 switch (entry.Key)
 {
 case DnsResourceRecordType.NSEC3:
- case DnsResourceRecordType.RRSIG:
+ //rare case when there is a record created at the same name as that of an existing NSEC3
 continue;
 default:
@@ -598,16 +598,8 @@ namespace DnsServerCore.Dns.Zones
 if (_name.Equals(zoneName, StringComparison.OrdinalIgnoreCase))
 {
- types.Add(DnsResourceRecordType.NSEC3PARAM); //add NSEC3PARAM type to NSEC3 for unsigned zone apex
-
- if (!_entries.ContainsKey(DnsResourceRecordType.RRSIG))
- types.Add(DnsResourceRecordType.RRSIG);
- }
- else if (types.Count > 0)
- {
- //zone is not an empty non-terminal (ENT)
- if (!_entries.ContainsKey(DnsResourceRecordType.RRSIG))
- types.Add(DnsResourceRecordType.RRSIG);
+ if (!types.Contains(DnsResourceRecordType.NSEC3PARAM))
+ types.Add(DnsResourceRecordType.NSEC3PARAM); //add NSEC3PARAM type to NSEC3 for unsigned zone apex
 }
 types.Sort();
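Review bot: With the `if (types.Count > 0)` block removed, RRSIG reaches the NSEC3 type bitmap only when `_entries` already holds an RRSIG set (the switch above no longer skips it), so the bitmap is correct only if the RRSets at this name are signed before its NSEC3 record is computed. For an unsigned delegation (NS only) and for an empty non-terminal that omission is the right result, which the removed code got wrong by adding RRSIG whenever any type was present, but for a name whose signatures are not yet in `_entries` the bitmap would now silently lack RRSIG; I cannot confirm the call order from the hunk. A comment above `types.Sort();` such as `//RRSIG is taken from _entries, so callers must sign the RRSets at this name before computing its NSEC3` would record the assumption. The removal of the `else if (types.Count > 0)` block at `@@ -598,16 +598,8 @@` relies on the same ordering. The enclosing method begins before the hunk.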