mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

Require trust anchors for 'dnnsec-validation yes'

Browse Source 
Using the 'dnssec-validation yes' option now requires an explicitly
confgiured 'trust-anchors' statement (or 'managed-keys' or
'trusted-keys', both deprecated).
This commit is contained in:
Aram Sargsyan 2023-12-14 10:40:05 +00:00
parent 308ed1a1ea
commit 4cdef214d2
1 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/isccfg/check.c
View File

@ -5744,8 +5744,21 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (obj == NULL && options != NULL) {
(void)cfg_map_get(options, "dnssec-validation", &obj);
}
if (obj != NULL && !cfg_obj_isboolean(obj)) {
autovalidation = true;
if (obj != NULL) {
if (!cfg_obj_isboolean(obj)) {
autovalidation = true;
} else if (cfg_obj_asboolean(obj)) {
if (global_ta == NULL && view_ta == NULL &&
global_tkeys == NULL && view_tkeys == NULL)
{
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"the 'dnssec-validation yes' "
"option requires configured "
"'trust-anchors'; consider using "
"'dnssec-validation auto'.");
result = ISC_R_FAILURE;
}
}
}
tresult = check_ta_conflicts(global_ta, view_ta, global_tkeys,