Reject primary zones with an DS record at the zone apex.

DS records only belong at delegation points and if present at the zone apex are invariably the result of administrative errors. Additionally they can't be queried for with modern resolvers as the parent servers will be queried.
2025-08-30 22:15:20 +00:00 · 2020-04-28 15:37:19 +10:00
parent 2d6f379935
commit 35a58d30c9
4 changed files with 47 additions and 23 deletions
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -339,6 +339,13 @@ static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
 static dns_name_t const ip6_arpa = DNS_NAME_INITABSOLUTE(ip6_arpa_data,
 							 ip6_arpa_offsets);

+static inline bool
+dns_master_isprimary(dns_loadctx_t *lctx) {
+	return ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+		(lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		(lctx->options & DNS_MASTER_KEY) == 0);
+}
+
 static inline isc_result_t
 gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token, bool eol,
 	 dns_rdatacallbacks_t *callbacks) {
@@ -840,10 +847,7 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 	 * RFC2930: TKEY and TSIG are not allowed to be loaded
 	 * from master files.
 	 */
-	if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-	    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
-	    dns_rdatatype_ismeta(type))
-	{
+	if (dns_master_isprimary(lctx) && dns_rdatatype_ismeta(type)) {
 		(*callbacks->error)(callbacks, "%s: %s:%lu: meta RR type '%s'",
 				    "$GENERATE", source, line, gtype);
 		result = DNS_R_METATYPE;
@@ -869,11 +873,8 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 			goto error_cleanup;
 		}

-		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
-		    (lctx->options & DNS_MASTER_KEY) == 0 &&
-		    !dns_name_issubdomain(owner, lctx->top))
-		{
+		if (dns_master_isprimary(lctx) &&
+		    !dns_name_issubdomain(owner, lctx->top)) {
 			char namebuf[DNS_NAME_FORMATSIZE];
 			dns_name_format(owner, namebuf, sizeof(namebuf));
 			/*
@@ -1541,11 +1542,8 @@ load_text(dns_loadctx_t *lctx) {
 						       callbacks);
 				}
 			}
-			if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-			    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
-			    (lctx->options & DNS_MASTER_KEY) == 0 &&
-			    !dns_name_issubdomain(new_name, lctx->top))
-			{
+			if (dns_master_isprimary(lctx) &&
+			    !dns_name_issubdomain(new_name, lctx->top)) {
 				char namebuf[DNS_NAME_FORMATSIZE];
 				dns_name_format(new_name, namebuf,
 						sizeof(namebuf));
@@ -1740,8 +1738,7 @@ load_text(dns_loadctx_t *lctx) {
 		 * RFC1123: MD and MF are not allowed to be loaded from
 		 * master files.
 		 */
-		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		if (dns_master_isprimary(lctx) &&
 		    (type == dns_rdatatype_md || type == dns_rdatatype_mf))
 		{
 			char typebuf[DNS_RDATATYPE_FORMATSIZE];
@@ -1763,10 +1760,7 @@ load_text(dns_loadctx_t *lctx) {
 		 * RFC2930: TKEY and TSIG are not allowed to be loaded
 		 * from master files.
 		 */
-		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
-		    dns_rdatatype_ismeta(type))
-		{
+		if (dns_master_isprimary(lctx) && dns_rdatatype_ismeta(type)) {
 			char typebuf[DNS_RDATATYPE_FORMATSIZE];

 			result = DNS_R_METATYPE;
@@ -1902,6 +1896,30 @@ load_text(dns_loadctx_t *lctx) {
 			}
 		}

+		if (dns_rdatatype_atparent(type) &&
+		    dns_master_isprimary(lctx) &&
+		    dns_name_equal(ictx->current, lctx->top))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_name_format(ictx->current, namebuf,
+					sizeof(namebuf));
+			dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+			(*callbacks->error)(
+				callbacks,
+				"%s:%lu: %s record at top of zone (%s)", source,
+				line, typebuf, namebuf);
+			result = DNS_R_ATZONETOP;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				target = target_ft;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
 		if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) {
 			covers = dns_rdata_covers(&rdata[rdcount]);
 		} else {
@@ -1963,8 +1981,7 @@ load_text(dns_loadctx_t *lctx) {
 		}

 		if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) &&
-		    lctx->warn_tcr && (lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    (lctx->options & DNS_MASTER_SLAVE) == 0)
+		    lctx->warn_tcr && dns_master_isprimary(lctx))
 		{
 			(*callbacks->warn)(callbacks,
 					   "%s:%lu: old style DNSSEC "