Fix checkconf dnssec-policy inheritance bug

Similar to #2778, the check for 'dnssec-policy' failed to account for it being inheritable.
2025-08-31 06:25:31 +00:00 · 2021-06-18 11:00:23 +02:00
parent 30b23706d6
commit 75ec7d1d9f
4 changed files with 53 additions and 1 deletions
--- a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+view "test" {
+	dnssec-policy "notdefined";
+
+	zone "example.net" {
+		type primary;
+		file "example.db";
+	};
+};
--- a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+	dnssec-policy "notdefined";
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+};
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -158,7 +158,7 @@ view "third" {
 		allow-update {
 			"any";
 		};
-		auto-dnssec maintain;
+		dnssec-policy "default";
 	};
 	zone "p" {
 		type primary;
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2636,6 +2636,12 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	 */
 	obj = NULL;
 	(void)cfg_map_get(zoptions, "dnssec-policy", &obj);
+	if (obj == NULL && voptions != NULL) {
+		(void)cfg_map_get(voptions, "dnssec-policy", &obj);
+	}
+	if (obj == NULL && goptions != NULL) {
+		(void)cfg_map_get(goptions, "dnssec-policy", &obj);
+	}
 	if (obj != NULL) {
 		const cfg_obj_t *kasps = NULL;