From 5bcccf47546a0694e2dee8ed32f704d4094889d6 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Sun, 20 Oct 2024 22:36:17 -0700
Subject: [PATCH] expand validity checks for send-report-channel

when configured at the zone level, send-report-channel cannot be a subdomain of the zone name.

---
 bin/tests/system/auth/ns1/named.conf.in | 6 +--
 bin/tests/system/auth/tests.sh | 12 ++---
 .../checkconf/{bad-rad.conf => bad-rad1.conf} | 0
 bin/tests/system/checkconf/bad-rad2.conf | 20 ++++++++
 bin/tests/system/checkconf/bad-rad3.conf | 20 ++++++++
 doc/arm/reference.rst | 3 ++
 lib/isccfg/check.c | 50 +++++++++++++++----
 7 files changed, 91 insertions(+), 20 deletions(-)
 rename bin/tests/system/checkconf/{bad-rad.conf => bad-rad1.conf} (100%)
 create mode 100644 bin/tests/system/checkconf/bad-rad2.conf
 create mode 100644 bin/tests/system/checkconf/bad-rad3.conf
diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in
index 92fd707dbd..f9036f7688 100644
--- a/bin/tests/system/auth/ns1/named.conf.in
+++ b/bin/tests/system/auth/ns1/named.conf.in
@@ -22,7 +22,7 @@ options {
 recursion no;
 notify yes;
 dnssec-validation no;
- send-report-channel "rad.example.net";
+ send-report-channel "example.rad";
 };
 
 view main in {
@@ -36,10 +36,10 @@ view main in {
 zone example.com {
 type primary;
 file "example.com.db";
- send-report-channel "rad.example.com";
+ send-report-channel "rad.example.net";
 };
 
- zone rad.example.net {
+ zone example.rad {
 type primary;
 file "rad.db";
 log-report-channel yes;
diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
index 38fb85d76f..3c6c0e5380 100644
--- a/bin/tests/system/auth/tests.sh
+++ b/bin/tests/system/auth/tests.sh
@@ -190,7 +190,7 @@ n=$((n + 1))
 echo_i "check that a Report-Channel EDNS option is added to responses ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.1 example.net >dig.out.test$n
-grep "; Report-Channel: rad.example.net" dig.out.test$n >/dev/null || ret=1
+grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
@@ -198,7 +198,7 @@ n=$((n + 1))
 echo_i "check that a zone-level Report-Channel EDNS option is added to responses ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.1 example.com >dig.out.test$n
-grep "; Report-Channel: rad.example.com" dig.out.test$n >/dev/null || ret=1
+grep "; Report-Channel: rad.example.net" dig.out.test$n >/dev/null || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
@@ -206,9 +206,9 @@ n=$((n + 1))
 echo_i "check that error report queries are logged and no Report-Channel option is present in the response ($n)"
 ret=0
 nextpart ns1/named.run >/dev/null
-$DIG $DIGOPTS @10.53.0.1 _er.0.example.1._er.rad.example.net TXT >dig.out.test$n
-nextpart ns1/named.run | grep "dns-reporting-agent '_er.0.example.1._er.rad.example.net/IN'" >/dev/null || ret=1
-grep "; Report-Channel: rad.example.net" dig.out.test$n >/dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.1 _er.0.example.1._er.example.rad TXT >dig.out.test$n
+nextpart ns1/named.run | grep "dns-reporting-agent '_er.0.example.1._er.example.rad/IN'" >/dev/null || ret=1
+grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
@@ -218,7 +218,7 @@ ret=0
 nextpart ns1/named.run >/dev/null
 $DIG $DIGOPTS @10.53.0.1 _er.0.example.1._er.example.com TXT >dig.out.test$n
 nextpart ns1/named.run | grep "dns-reporting-agent '_er.0.example.1._er.example.com/IN'" >/dev/null && ret=1
-grep "; Report-Channel: rad.example.com" dig.out.test$n >/dev/null || ret=1
+grep "; Report-Channel: rad.example.net" dig.out.test$n >/dev/null || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
diff --git a/bin/tests/system/checkconf/bad-rad.conf b/bin/tests/system/checkconf/bad-rad1.conf
similarity index 100%
rename from bin/tests/system/checkconf/bad-rad.conf
rename to bin/tests/system/checkconf/bad-rad1.conf
diff --git a/bin/tests/system/checkconf/bad-rad2.conf b/bin/tests/system/checkconf/bad-rad2.conf
new file mode 100644
index 0000000000..a954401bb2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rad2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example.com {
+ type primary;
+ file "example.db";
+
+ /* agent-domain can't be the same as the zone name */
+ send-report-channel example.com;
+};
diff --git a/bin/tests/system/checkconf/bad-rad3.conf b/bin/tests/system/checkconf/bad-rad3.conf
new file mode 100644
index 0000000000..80a34280ae
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rad3.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example.com {
+ type primary;
+ file "example.db";
+
+ /* agent-domain can't be the below the zone name */
+ send-report-channel sub.example.com;
+};
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 38eeb39ee2..ea5bfbe073 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1945,6 +1945,9 @@ default is used.
 There should be an authoritative zone configured to respond to such
 queries, with the :any:`log-report-channel` option set to ``yes``.
 
+ Note that a zone cannot be configured to use itself or any subdomain
+ of itself as an agent-domain.
+
 .. namedconf:statement:: stale-answer-ttl
 :tags: query
 :short: Specifies the time to live (TTL) to be returned on stale answers, in seconds.
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index a24297290b..432cdb3947 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
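Review bot: The comment above the send-report-channel line in bad-rad3.conf has a stray article, `/* agent-domain can't be the below the zone name */`; it should read `/* agent-domain can't be below the zone name */`. The companion comment in bad-rad2.conf already reads cleanly, so only this file needs the fix.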
@@ -1618,18 +1618,21 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 }
 
 /*
- * Check send-report-channel.
+ * Check send-report-channel. (Skip for zone level because we
+ * have an additional check in check_zoneconf() for that.)
 */
- obj = NULL;
- (void)cfg_map_get(options, "send-report-channel", &obj);
- if (obj != NULL) {
- str = cfg_obj_asstring(obj);
- tresult = check_name(str);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- if (result == ISC_R_SUCCESS) {
- result = tresult;
+ if (optlevel != optlevel_zone) {
+ obj = NULL;
+ (void)cfg_map_get(options, "send-report-channel", &obj);
+ if (obj != NULL) {
+ str = cfg_obj_asstring(obj);
+ tresult = check_name(str);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ if (result == ISC_R_SUCCESS) {
+ result = tresult;
+ }
 }
 }
 }
@@ -3858,6 +3861,31 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 }
 }
 
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "send-report-channel", &obj);
+ if (obj != NULL) {
+ const char *str = cfg_obj_asstring(obj);
+ dns_fixedname_t fad;
+ dns_name_t *ad = dns_fixedname_initname(&fad);
+
+ tresult = dns_name_fromstring(ad, str, dns_rootname, 0, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_FAILURE;
+ }
+ } else if (dns_name_issubdomain(ad, zname)) {
+ cfg_obj_log(obj, ISC_LOG_ERROR,
+ "send-report-channel '%s' cannot "
+ "be at or below the zone name '%s'",
+ str, znamestr);
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+
 /*
 * Warn if key-directory doesn't exist
 */
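Review bot: The new comment in check_options() calls the zone-level check in check_zoneconf() "an additional check", but with the `optlevel != optlevel_zone` guard added here the name validation is skipped entirely for zones, so check_zoneconf() becomes the only place a zone's send-report-channel is validated at all. Someone reading check_options() alone would otherwise assume a zone-level value still passes check_name() here. Suggested wording: `* Check send-report-channel. (Skipped at the zone level: check_zoneconf() validates the name there and also rejects names at or below the zone name.)`. The enclosing check_options() body starts and ends outside the hunk.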
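Review bot: In the new check_zoneconf() block the parse-failure branch records `result = ISC_R_FAILURE;` while the same `'%s' is not a valid name` path in check_options() propagates the parse status with `result = tresult;`; unless flattening to ISC_R_FAILURE is intended, `result = tresult;` keeps the two checks reporting the same status for the same malformed input. It would also help to note above the `else if` that dns_name_issubdomain() is true for identical names as well, which is what makes the "at or below" wording of the message accurate, e.g. `/* issubdomain() also holds for equal names, so this rejects the zone name itself */`. The enclosing check_zoneconf() body, including the definitions of zname and znamestr, begins and ends outside the hunk.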