Forbid zones with both dnssec-policy and max-zone-ttl

Since max-zone-ttl in zone/view/options is a no-op if dnssec-policy is in use, let's make that a fatal error.
2025-08-30 22:15:20 +00:00 · 2022-07-19 12:13:42 -07:00
parent 0712ba502c
commit b1d0cac280
3 changed files with 54 additions and 4 deletions
--- a/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
+++ b/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+	dnssec-policy default;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+        max-zone-ttl 600;
+};
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1806,10 +1806,10 @@ default is used.

   This should now be configured as part of :namedconf:ref:`dnssec-policy`.
   Use of this option in :namedconf:ref:`options`, :namedconf:ref:`view`
-   and :namedconf:ref:`zone` blocks has no effect on any zone for which
-   a :namedconf:ref:`dnssec-policy` has also been configured. In zones
-   without :namedconf:ref:`dnssec-policy`, this option is deprecated,
-   and will be rendered non-operational in a future release.
+   and :namedconf:ref:`zone` blocks is a fatal error if
+   :namedconf:ref:`dnssec-policy` has also been configured for the same
+   zone. In zones without :namedconf:ref:`dnssec-policy`, this option is
+   deprecated, and will be rendered non-operational in a future release.

   :any:`max-zone-ttl` specifies a maximum permissible TTL value in seconds.
   For convenience, TTL-style time-unit suffixes may be used to specify the
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3142,6 +3142,30 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		}
 	}

+	/*
+	 * Reject zones with both dnssec-policy and max-zone-ttl
+	 * */
+	if (has_dnssecpolicy) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+		if (obj == NULL && voptions != NULL) {
+			(void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+		}
+		if (obj == NULL && goptions != NULL) {
+			(void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+		}
+		if (obj != NULL) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': option 'max-zone-ttl' "
+				    "cannot be used together with "
+				    "'dnssec-policy'",
+				    znamestr);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
 	/*
 	 * Check validity of the zone options.
 	 */