Signed-off-by: huangyu <huangyu106@huawei.com> (cherry picked from commit cd59b6ec71f1147990c7f96b1e74baf413b7d4c9)
From 111b215987a1cccc2e55a0fea4d8621103d9de9f Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 13 Jul 2022 10:28:59 +0200
Subject: [PATCH] Reject zones with TTL higher than dnssec-policy max-zone-ttl
Reject loading of zones with TTL higher than the max-zone-ttl
from the dnssec-policy.
With this change, any zone with a dnssec-policy in use will ignore
the max-zone-ttl option in zone/view/options.
---
bin/named/zoneconf.c | 38 +++++++++++++++++---------------------
1 file changed, 17 insertions(+), 21 deletions(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
|
|
index d1d45d818bc..c918d0ac248 100644
|
|
--- a/bin/named/zoneconf.c
|
|
+++ b/bin/named/zoneconf.c
|
|
@@ -897,6 +897,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
|
|
dns_stats_t *dnssecsignstats;
|
|
dns_zonestat_level_t statlevel = dns_zonestat_none;
|
|
int seconds;
|
|
+ dns_ttl_t maxttl = 0; /* unlimited */
|
|
dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
|
|
isc_dscp_t dscp;
|
|
|
|
@@ -1060,27 +1061,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
|
|
}
|
|
}
|
|
|
|
- obj = NULL;
|
|
- result = named_config_get(maps, "max-zone-ttl", &obj);
|
|
- if (result == ISC_R_SUCCESS && masterformat == dns_masterformat_map) {
|
|
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
|
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
|
|
- "zone '%s': 'max-zone-ttl' is not compatible "
|
|
- "with 'masterfile-format map'",
|
|
- zname);
|
|
- return (ISC_R_FAILURE);
|
|
- } else if (result == ISC_R_SUCCESS) {
|
|
- dns_ttl_t maxttl = 0; /* unlimited */
|
|
-
|
|
- if (cfg_obj_isduration(obj)) {
|
|
- maxttl = cfg_obj_asduration(obj);
|
|
- }
|
|
- dns_zone_setmaxttl(zone, maxttl);
|
|
- if (raw != NULL) {
|
|
- dns_zone_setmaxttl(raw, maxttl);
|
|
- }
|
|
- }
|
|
-
|
|
obj = NULL;
|
|
result = named_config_get(maps, "max-records", &obj);
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
@@ -1534,6 +1514,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
|
|
dns_zone_setjournalsize(zone, journal_size);
|
|
}
|
|
|
|
+ if (use_kasp) {
|
|
+ maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
|
|
+ } else {
|
|
+ obj = NULL;
|
|
+ result = named_config_get(maps, "max-zone-ttl", &obj);
|
|
+ if (result == ISC_R_SUCCESS) {
|
|
+ if (cfg_obj_isduration(obj)) {
|
|
+ maxttl = cfg_obj_asduration(obj);
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ dns_zone_setmaxttl(zone, maxttl);
|
|
+ if (raw != NULL) {
|
|
+ dns_zone_setmaxttl(raw, maxttl);
|
|
+ }
|
|
+
|
|
/*
|
|
* Configure update-related options. These apply to
|
|
* primary servers only.
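Review bot: The new block after dns_zone_setjournalsize() drops the `masterfile-format map` incompatibility error that the old max-zone-ttl code raised, and neither the new code nor the commit message replaces or mentions it; the removed line compiled against `dns_masterformat_map`, so this tree apparently still supports the map format, and a map-format zone with a dnssec-policy now gets a non-zero maxttl applied with no load-time rejection — presumably a limit that cannot actually be enforced on that format, so this is an operator-visible false sense of safety (confirm against the loader). I would compute maxttl for both paths first and then reject a non-zero limit on a map-format zone, as below, which also stops the check firing for an explicit `max-zone-ttl unlimited;` as the old code did. Separately, when `use_kasp` is true and `max-zone-ttl` is also configured, the option is silently overridden by the policy value; an `ISC_LOG_WARNING` at that point (`"zone '%s': 'max-zone-ttl' is ignored because a dnssec-policy is in use"`) would keep the configured value from being mistaken for an enforced one, gated on `cfg_obj_isduration(obj)` if named_config_get() can return a built-in default here. named_zone_configure() starts and ends outside the hunk.
```c
	if (use_kasp) {
		maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
	} else {
		obj = NULL;
		result = named_config_get(maps, "max-zone-ttl", &obj);
		if (result == ISC_R_SUCCESS && cfg_obj_isduration(obj)) {
			maxttl = cfg_obj_asduration(obj);
		}
	}
	/*
	 * NOTE(review): a TTL limit on a map-format zone was rejected before
	 * this change; keep rejecting it unless the map loader enforces it.
	 */
	if (maxttl != 0 && masterformat == dns_masterformat_map) {
		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
			      "zone '%s': 'max-zone-ttl' is not compatible "
			      "with 'masterfile-format map'",
			      zname);
		return (ISC_R_FAILURE);
	}
	/* … unchanged: dns_zone_setmaxttl() on zone and raw … */
```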
|
|
--