From 0712ba502cdc9bb2a55bcd3b41184cddd29b47fb Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 13 Jul 2022 10:28:59 +0200 Subject: [PATCH] Reject zones with TTL higher than dnssec-policy max-zone-ttl Reject loading of zones with TTL higher than the max-zone-ttl from the dnssec-policy. With this change, any zone with a dnssec-policy in use will ignore the max-zone-ttl option in zone/view/options. --- bin/named/zoneconf.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 9bc94ee597..898f93af16 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -907,6 +907,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_stats_t *dnssecsignstats; dns_zonestat_level_t statlevel = dns_zonestat_none; int seconds; + dns_ttl_t maxttl = 0; /* unlimited */ dns_zone_t *mayberaw = (raw != NULL) ? raw : zone; isc_dscp_t dscp; @@ -1065,20 +1066,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } } - obj = NULL; - result = named_config_get(maps, "max-zone-ttl", &obj); - if (result == ISC_R_SUCCESS) { - dns_ttl_t maxttl = 0; /* unlimited */ - - if (cfg_obj_isduration(obj)) { - maxttl = cfg_obj_asduration(obj); - } - dns_zone_setmaxttl(zone, maxttl); - if (raw != NULL) { - dns_zone_setmaxttl(raw, maxttl); - } - } - obj = NULL; result = named_config_get(maps, "max-records", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); @@ -1531,6 +1518,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setjournalsize(zone, journal_size); } + if (use_kasp) { + maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone)); + } else { + obj = NULL; + result = named_config_get(maps, "max-zone-ttl", &obj); + if (result == ISC_R_SUCCESS) { + if (cfg_obj_isduration(obj)) { + maxttl = cfg_obj_asduration(obj); + } + } + } + dns_zone_setmaxttl(zone, maxttl); + if (raw != NULL) { + dns_zone_setmaxttl(raw, maxttl); + } + /* * Configure update-related options. These apply to * primary servers only.