return false;
}
+bool DNSSECKeeper::unSecureZone(const DNSName& zone, string& error, string& info) {
+ // Not calling isSecuredZone(), as it will return false for zones with zero
+ // active keys.
+ DNSSECKeeper::keyset_t keyset=getKeys(zone);
+
+ if(keyset.empty()) {
+ error = "No keys for zone '" + zone.toLogString() + "'.";
+ return false;
+ }
+
+ for(auto& key : keyset) {
+ deactivateKey(zone, key.second.id);
+ removeKey(zone, key.second.id);
+ }
+
+ unsetNSEC3PARAM(zone);
+ unsetPresigned(zone);
+ return true;
+}
+
/* Rectifies the zone
*
* \param zone The zone to rectify
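Review bot: The `if(keyset.empty())` branch returns false before `unsetNSEC3PARAM()` and `unsetPresigned()` run, whereas the pdnsutil code this commit removes printed `No keys for zone` and still cleared that metadata, so a zone with no keys in the key store but NSEC3PARAM or presigned metadata — presumably any presigned zone — can no longer be un-secured, and the new API caller turns that into an `Error while un-securing` response. The loop also ignores the results of `deactivateKey()`/`removeKey()` (both appear to return bool in this class) and returns true even when a key could not be removed, so a zone can keep signing while the call reports success; `info` is never assigned. I would treat an empty keyset as informational, fail on the first key that cannot be removed, and give the function a `/* Un-secures the zone ... \param zone ... \param error ... \param info ... */` header matching the rectifyZone one that follows it.
```cpp
bool DNSSECKeeper::unSecureZone(const DNSName& zone, string& error, string& info) {
  // Not calling isSecuredZone(), as it will return false for zones with zero
  // active keys.
  DNSSECKeeper::keyset_t keyset=getKeys(zone);

  if(keyset.empty()) {
    // Nothing to remove, but the metadata below is still cleared so a
    // presigned or partially un-secured zone ends up fully unsecured.
    info = "No keys for zone '" + zone.toLogString() + "'.";
  }

  for(const auto& key : keyset) {
    if(!deactivateKey(zone, key.second.id) || !removeKey(zone, key.second.id)) {
      error = "Unable to remove key " + std::to_string(key.second.id) + " from zone '" + zone.toLogString() + "'.";
      return false;
    }
  }

  // … unchanged: unsetNSEC3PARAM / unsetPresigned / return true …
```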
void getFromMeta(const DNSName& zname, const std::string& key, std::string& value);
void getSoaEdit(const DNSName& zname, std::string& value);
+ bool unSecureZone(const DNSName& zone, std::string& error, std::string& info);
bool rectifyZone(const DNSName& zone, std::string& error, std::string& info, bool doTransaction);
private:
return false;
}
- if(!dk.isSecuredZone(zone)) {
- cerr<<"Zone is not secured"<<endl;
- return false;
- }
- DNSSECKeeper::keyset_t keyset=dk.getKeys(zone);
-
- if(keyset.empty()) {
- cerr << "No keys for zone '"<<zone<<"'."<<endl;
+ string error, info;
+ bool ret = dk.unSecureZone(zone, error, info);
+ if (!ret) {
+ cerr << error << endl;
}
- else {
- for(DNSSECKeeper::keyset_t::value_type value : keyset) {
- dk.deactivateKey(zone, value.second.id);
- dk.removeKey(zone, value.second.id);
- }
- }
- dk.unsetNSEC3PARAM(zone);
- dk.unsetPresigned(zone);
- return true;
+ return ret;
}
int setZoneAccount(const DNSName& zone, const string &account)
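Review bot: `info` is declared next to `error` but never printed, so anything `unSecureZone()` reports through it is dropped on the command line; after the `cerr << error << endl;` branch I would add `if (!info.empty()) cerr << info << endl;`. The removed `Zone is not secured` message is also gone, so running the command on an unsecured zone now prints `No keys for zone`, which is fine but is a visible change in output that the commit message should mention. The enclosing function begins outside the hunk.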
} else {
// "dnssec": false in json
if (isDNSSECZone) {
- throw ApiException("Refusing to un-secure zone " + zonename.toString());
+ string info, error;
+ if (!dk.unSecureZone(zonename, error, info)) {
+ throw ApiException("Error while un-securing zone '"+ zonename.toString()+"': " + error);
+ }
+ isDNSSECZone = dk.isSecuredZone(zonename);
+ if (isDNSSECZone) {
+ throw ApiException("Unable to un-secure zone '"+ zonename.toString()+"'");
+ }
+ shouldRectify = true;
}
}
}
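Review bot: The `isSecuredZone()` re-check throws `Unable to un-secure zone` only after `unSecureZone()` has already deleted keys and cleared metadata, so that exception, like the `Error while un-securing` one before it, can leave the zone partially modified with no rollback visible in this hunk; unless the surrounding handler runs this inside a backend transaction, the message should say so, e.g. `throw ApiException("Unable to un-secure zone '"+ zonename.toString()+"' (keys may already have been removed)");`. `info` is declared but never used here as well. The enclosing handler starts and ends outside the hunk.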
self.assertEquals(keys[0]['active'], True)
self.assertEquals(keys[0]['keytype'], 'csk')
+ def test_create_zone_with_dnssec_disable_dnssec(self):
+ """
+ Create a zone with "dnssec", then set "dnssec" to false and see if the
+ keys are gone
+ """
+ name = unique_zone_name()
+ name, payload, data = self.create_zone(dnssec=True)
+
+ self.session.put(self.url("/api/v1/servers/localhost/zones/" + name),
+ data=json.dumps({'dnssec': False}))
+ r = self.session.get(self.url("/api/v1/servers/localhost/zones/" + name))
+
+ zoneinfo = r.json()
+
+ self.assertEquals(r.status_code, 200)
+ self.assertEquals(zoneinfo['dnssec'], False)
+
+ r = self.session.get(self.url("/api/v1/servers/localhost/zones/" + name + '/cryptokeys'))
+
+ keys = r.json()
+
+ self.assertEquals(r.status_code, 200)
+ self.assertEquals(len(keys), 0)
+
def test_create_zone_with_nsec3param(self):
"""
Create a zone with "nsec3param" set and see if the metadata was added.