PrimarySubDomainZone: Added validation to prevent disabling records for signed zones.

2026-03-06 05:33:58 +00:00 · 2022-03-26 11:45:28 +05:30
parent 39f60523b3
commit e30d451c6b
1 changed files with 19 additions and 0 deletions
--- a/DnsServerCore/Dns/Zones/PrimarySubDomainZone.cs
+++ b/DnsServerCore/Dns/Zones/PrimarySubDomainZone.cs
@@ -17,6 +17,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.

 */

+using DnsServerCore.Dns.ResourceRecords;
 using System;
 using System.Collections.Generic;
 using TechnitiumLibrary.Net.Dns.ResourceRecords;
@@ -61,6 +62,15 @@ namespace DnsServerCore.Dns.Zones
                    case DnsResourceRecordType.ANAME:
                    case DnsResourceRecordType.APP:
                        throw new DnsServerException("The record type is not supported by DNSSEC signed primary zones.");
+
+                    default:
+                        foreach (DnsResourceRecord record in records)
+                        {
+                            if (record.IsDisabled())
+                                throw new DnsServerException("Cannot set records: disabling records in a signed zones is not supported.");
+                        }
+
+                        break;
                }
            }

@@ -105,6 +115,12 @@ namespace DnsServerCore.Dns.Zones
                    case DnsResourceRecordType.ANAME:
                    case DnsResourceRecordType.APP:
                        throw new DnsServerException("The record type is not supported by DNSSEC signed primary zones.");
+
+                    default:
+                        if (record.IsDisabled())
+                            throw new DnsServerException("Cannot add record: disabling records in a signed zones is not supported.");
+
+                        break;
                }
            }

@@ -210,6 +226,9 @@ namespace DnsServerCore.Dns.Zones
                    if (oldRecord.Type != newRecord.Type)
                        throw new InvalidOperationException("Old and new record types do not match.");

+                    if ((_primaryZone.DnssecStatus != AuthZoneDnssecStatus.Unsigned) && newRecord.IsDisabled())
+                        throw new DnsServerException("Cannot update record: disabling records in a signed zones is not supported.");
+
                    if (newRecord.OriginalTtlValue > _primaryZone.GetZoneSoaExpire())
                        throw new DnsServerException("Failed to update record: TTL cannot be greater than SOA EXPIRE.");