From fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28 Mon Sep 17 00:00:00 2001
|
|
From: Evan Hunt <each@isc.org>
|
|
Date: Thu, 21 Jul 2022 11:07:31 -0700
|
|
Subject: [PATCH] warn about zones with both dnssec-policy and max-zone-ttl
|
|
|
|
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
|
|
is in use, so generate a warning.
|
|
Conflict: NA
|
|
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28
|
|
---
|
|
bin/tests/system/checkconf/tests.sh | 8 ++++++
|
|
.../checkconf/warn-kasp-max-zone-ttl.conf | 26 +++++++++++++++++++
|
|
lib/bind9/check.c | 21 +++++++++++++++
|
|
3 files changed, 55 insertions(+)
|
|
create mode 100644 bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
|
|
|
|
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
|
|
index cec8f8407e..9143e9e08c 100644
|
|
--- a/bin/tests/system/checkconf/tests.sh
|
|
+++ b/bin/tests/system/checkconf/tests.sh
|
|
@@ -585,6 +585,14 @@ grep "not recommended" < checkconf.out$n > /dev/null || ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
|
|
status=`expr $status + $ret`
|
|
|
|
+n=`expr $n + 1`
|
|
+echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
|
|
+ret=0
|
|
+$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
|
|
+grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
|
|
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
|
|
+status=`expr $status + $ret`
|
|
+
|
|
n=$((n+1))
|
|
echo_i "check that masterfile-format map generates deprecation warning ($n)"
|
|
ret=0
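Review bot: The new counter increment on the first added line uses `n=\`expr $n + 1\`` while the very next test in the file (the masterfile-format check just below) uses `n=$((n+1))`; the block would read more consistently with its neighbour as `n=$((n+1))` and `status=$((status + ret))`. The grep on the added line that checks checkconf.out$n matches only the option part of the message; anchoring it on the zone prefix, e.g. `grep "zone 'example.net': option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'"`, would also confirm that the warning is attributed to the right zone, assuming the zone name is what check.c prints for `%s`. Note that stderr is discarded by `2>/dev/null`, so the test relies on the warning being written to stdout like the other checkconf warnings tested here.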
|
|
diff --git a/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
|
|
new file mode 100644
|
|
index 0000000000..0b5939478e
|
|
--- /dev/null
|
|
+++ b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
|
|
@@ -0,0 +1,26 @@
|
|
+/*
|
|
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
+ *
|
|
+ * SPDX-License-Identifier: MPL-2.0
|
|
+ *
|
|
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
|
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
+ *
|
|
+ * See the COPYRIGHT file distributed with this work for additional
|
|
+ * information regarding copyright ownership.
|
|
+ */
|
|
+
|
|
+/*
|
|
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
|
|
+ */
|
|
+
|
|
+options {
|
|
+ dnssec-policy default;
|
|
+};
|
|
+
|
|
+zone "example.net" {
|
|
+ type primary;
|
|
+ file "example.db";
|
|
+ max-zone-ttl 600;
|
|
+};
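Review bot: The explanatory comment in the new fixture contradicts its own content: it says "The dnssec-policy is not defined", yet the `options` block sets `dnssec-policy default;` and the zone inherits it while setting `max-zone-ttl 600;` itself. A reader of the fixture cannot tell which scenario it is meant to cover. Suggest replacing the comment with `/* dnssec-policy is set in options and inherited by the zone; a zone-level max-zone-ttl must still trigger the warning. */`.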
|
|
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
|
|
index 0be4871020..0707ea44b9 100644
|
|
--- a/lib/bind9/check.c
|
|
+++ b/lib/bind9/check.c
|
|
@@ -2633,6 +2633,27 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
|
|
}
|
|
}
|
|
|
|
+ /*
|
|
+ * Warn about zones with both dnssec-policy and max-zone-ttl
|
|
+ */
|
|
+ if (has_dnssecpolicy) {
|
|
+ obj = NULL;
|
|
+ (void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
|
|
+ if (obj == NULL && voptions != NULL) {
|
|
+ (void)cfg_map_get(voptions, "max-zone-ttl", &obj);
|
|
+ }
|
|
+ if (obj == NULL && goptions != NULL) {
|
|
+ (void)cfg_map_get(goptions, "max-zone-ttl", &obj);
|
|
+ }
|
|
+ if (obj != NULL) {
|
|
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
|
|
+ "zone '%s': option 'max-zone-ttl' "
|
|
+ "is ignored when used together with "
|
|
+ "'dnssec-policy'",
|
|
+ znamestr);
|
|
+ }
|
|
+ }
|
|
+
|
|
/*
|
|
* Check validity of the zone options.
|
|
*/
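Review bot: The lookup falls back to `voptions` and then `goptions`, so when `max-zone-ttl` is set once at view or options level the same `obj` is found for every zone that has a dnssec-policy and the identical warning is logged once per such zone (check_zoneconf appears to run per zone), which on a server with many policy-managed zones floods the log with one message per zone for a single misplaced option. Consider logging the inherited case once from the view/options checks and keeping this block for the zone-level `max-zone-ttl` only, or at least documenting the repetition with `/* A view- or options-level max-zone-ttl is reported once per zone that uses a dnssec-policy. */`. `has_dnssecpolicy` is computed outside the hunk; if it is also true for `dnssec-policy none`, the warning would fire for zones that are not actually KASP-managed, so that should be confirmed. The enclosing check_zoneconf starts and ends outside the hunk.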
|
|
--
|
|
2.27.0