Merge branch '112-fix-mx-checks-for-dynamic-updates' into 'master'

Fix MX checks for dynamic updates

Closes #112

See merge request isc-projects/bind9!79

CHANGES

@@ -1,3 +1,7 @@
+4903.	[bug]		"check-mx fail;" did not prevent MX records containing
+			IP addresses from being added to a zone by a dynamic
+			update. [GL #112]
+
 4902.	[test]		Improved the reliability of the 'ixfr' system
 			test. [GL #66]
 

bin/tests/system/nsupdate/ns1/named.conf.in

@@ -43,6 +43,7 @@ zone "example.nil" {
 	type master;
 	file "example.db";
 	check-integrity no;
+	check-mx ignore;
 	update-policy {
 		grant ddns-key.example.nil subdomain example.nil ANY;
 	};
@@ -62,6 +63,7 @@ zone "other.nil" {
 	type master;
 	file "other.db";
 	check-integrity no;
+	check-mx warn;
 	update-policy local;
 	allow-query-on { 10.53.0.1; 127.0.0.1; };
 	allow-transfer { any; };
@@ -76,6 +78,7 @@ zone "update.nil" {
 	type master;
 	file "update.db";
 	check-integrity no;
+	check-mx fail;
 	allow-update { any; };
 	allow-transfer { any; };
 	also-notify { othermasters; };

bin/tests/system/nsupdate/tests.sh

@@ -162,6 +162,38 @@ grep ns5.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
 grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+ret=0
+echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1
+server 10.53.0.1 ${PORT}
+update add mx03.example.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning"
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add mx03.other.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning"
+$NSUPDATE > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+update add mx03.update.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
+grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 ret=0
 echo_i "check SIG(0) key is accepted"
 key=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -T KEY -n ENTITY xxx`

lib/ns/update.c

@@ -1737,7 +1737,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
 		dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
 		dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
 		isaddress = ISC_FALSE;
-		if ((options & DNS_RDATA_CHECKMX) != 0 &&
+		if ((options & DNS_ZONEOPT_CHECKMX) != 0 &&
 		    strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) {
 			if (tmp[strlen(tmp) - 1] == '.')
 				tmp[strlen(tmp) - 1] = '\0';
@@ -1746,7 +1746,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
 				isaddress = ISC_TRUE;
 		}
 
-		if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
+		if (isaddress && (options & DNS_ZONEOPT_CHECKMXFAIL) != 0) {
 			update_log(client, zone, ISC_LOG_ERROR,
 				   "%s/MX: '%s': %s",
 				   ownerbuf, namebuf,