From fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 21 Jul 2022 11:07:31 -0700
Subject: [PATCH] warn about zones with both dnssec-policy and max-zone-ttl

max-zone-ttl in zone/view/options is a no-op if dnssec-policy is in use, so generate a warning.

Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28
---
 bin/tests/system/checkconf/tests.sh | 8 ++++++
 .../checkconf/warn-kasp-max-zone-ttl.conf | 26 +++++++++++++++++++
 lib/bind9/check.c | 21 +++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf

diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index cec8f8407e..9143e9e08c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -585,6 +585,14 @@ grep "not recommended" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
+ret=0
+$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
 n=$((n+1))
 echo_i "check that masterfile-format map generates deprecation warning ($n)"
 ret=0
diff --git a/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000000..0b5939478e
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
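Review bot: The new test increments the counter with `n=`expr $n + 1`` while the test immediately following it in the same hunk uses `n=$((n+1))`; the two styles now sit back to back, so use `n=$((n+1))` here to match the neighbouring block. The grep anchors on the full warning text from check.c, which is fine, but `2>/dev/null` means that if the warning were ever emitted on stderr the test would fail with no diagnostic in checkconf.out$n; confirm the message goes to stdout like the 'not recommended' warning checked just above. The fixture only covers a policy inherited from `options` with a zone-level `max-zone-ttl`, so the view- and options-level `max-zone-ttl` lookups added in check.c are not exercised by this test.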
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ max-zone-ttl 600;
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 0be4871020..0707ea44b9 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2633,6 +2633,27 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 }
 }
 
+ /*
+ * Warn about zones with both dnssec-policy and max-zone-ttl
+ */
+ if (has_dnssecpolicy) {
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+ if (obj == NULL && voptions != NULL) {
+ (void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+ }
+ if (obj == NULL && goptions != NULL) {
+ (void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+ }
+ if (obj != NULL) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "zone '%s': option 'max-zone-ttl' "
+ "is ignored when used together with "
+ "'dnssec-policy'",
+ znamestr);
+ }
+ }
+
 /*
 * Check validity of the zone options.
 */
--
2.27.0
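Review bot: The descriptive comment in the new fixture contradicts the configuration under it: `dnssec-policy default` is set in `options`, so the policy is defined, and the zone receives it by inheritance rather than lacking it. Reword it to state what the fixture exercises, e.g. ` * dnssec-policy is set only in options and inherited by the zone; the` / ` * max-zone-ttl warning must still fire for the zone-level setting.` As written, a reader could expect an undefined-policy error rather than the max-zone-ttl warning that tests.sh greps for.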
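Review bot: When `max-zone-ttl` is found in `voptions` or `goptions` rather than `zoptions`, the warning is logged against that inherited `obj`, so a single options-level `max-zone-ttl` in a configuration with many `dnssec-policy` zones will presumably be reported once per zone, each pointing at the same options line with a different zone name. Consider logging the inherited case against the zone instead, `cfg_obj_log(zconfig, logctx, ISC_LOG_WARNING, ...)`, so the reported location is the zone being named, or emitting the options/view-level warning once from the caller. The lookup order zone, then view, then options matches how the option is inherited; a one-line comment above the lookups, `/* zone setting wins, then view, then global options */`, would make that precedence explicit. check_zoneconf begins and ends outside this hunk, so whether `has_dnssecpolicy` also covers a policy inherited from the view or options cannot be confirmed here.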