diff --git a/bin/named/config.c b/bin/named/config.c
index 3a89ef1bd2..83381489b4 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -236,7 +236,7 @@ options {\n\
 notify yes;\n\
 notify-delay 5;\n\
 notify-to-soa no;\n\
-# send-report-channel \n\
+ send-report-channel .;\n\
 serial-update-method increment;\n\
 sig-signing-nodes 100;\n\
 sig-signing-signatures 10;\n\
diff --git a/bin/named/server.c b/bin/named/server.c
index 64e5e06166..35b3ac9253 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4271,22 +4271,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 }
 }
 
- obj = NULL;
- result = named_config_get(maps, "send-report-channel", &obj);
- if (view->rad != NULL) {
- dns_name_free(view->rad, view->mctx);
- isc_mem_put(view->mctx, view->rad, sizeof(*view->rad));
- }
- if (result == ISC_R_SUCCESS) {
- str = cfg_obj_asstring(obj);
- if (strcmp(str, ".") != 0 && strcmp(str, "") != 0) {
- view->rad = isc_mem_get(mctx, sizeof(*view->rad));
- dns_name_init(view->rad, NULL);
- CHECK(dns_name_fromstring(view->rad, str, dns_rootname,
- 0, mctx));
- }
- }
-
 obj = NULL;
 result = named_config_get(maps, "dnssec-accept-expired", &obj);
 INSIST(result == ISC_R_SUCCESS);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 6b21fca1c1..af54b54b0e 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1208,6 +1208,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
 ztype != dns_zone_redirect)
 {
+ bool logreports = false;
+
 /* Make a reference to the default policy. */
 result = dns_kasplist_find(kasplist, "default", &kasp);
 INSIST(result == ISC_R_SUCCESS && kasp != NULL);
@@ -1482,23 +1484,49 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
 cfg_obj_asboolean(obj));
 
- obj = NULL;
- (void)cfg_map_get(zoptions, "send-report-channel", &obj);
- if (obj != NULL) {
- dns_fixedname_t fixed;
- dns_name_t *rad = dns_fixedname_initname(&fixed);
- CHECK(dns_name_fromstring(rad, cfg_obj_asstring(obj),
- dns_rootname, 0, mctx));
- dns_zone_setrad(zone, rad);
- } else {
- dns_zone_setrad(zone, NULL);
- }
-
 obj = NULL;
 result = cfg_map_get(zoptions, "log-report-channel", &obj);
 if (result == ISC_R_SUCCESS) {
+ logreports = cfg_obj_asboolean(obj);
 dns_zone_setoption(zone, DNS_ZONEOPT_LOGREPORTS,
- cfg_obj_asboolean(obj));
+ logreports);
+ }
+ obj = NULL;
+ result = named_config_get(maps, "send-report-channel", &obj);
+ if (result == ISC_R_SUCCESS && obj != NULL) {
+ dns_fixedname_t fixed;
+ dns_name_t *rad = dns_fixedname_initname(&fixed);
+ const char *adstr = cfg_obj_asstring(obj);
+ dns_name_t *zn = dns_zone_getorigin(zone);
+
+ CHECK(dns_name_fromstring(rad, adstr, dns_rootname, 0,
+ mctx));
+ if (logreports || dns_name_equal(rad, dns_rootname)) {
+ /* Disable RC for error-logging zones or root */
+ dns_zone_setrad(zone, NULL);
+ } else if (dns_name_equal(rad, zn)) {
+ /*
+ * It's illegal to set a matching agent
+ * domain at the zone level, but it could
+ * be set in options/view. If so, and the
+ * matching zone doesn't log reports, warn.
+ */
+ cfg_obj_log(obj, ISC_LOG_WARNING,
+ "send-report-channel is set to "
+ "'%s' but that zone does not have "
+ "log-report-channel set",
+ zname);
+ dns_zone_setrad(zone, NULL);
+ } else if (dns_name_issubdomain(rad, zn)) {
+ cfg_obj_log(obj, ISC_LOG_WARNING,
+ "send-report-channel '%s' ignored "
+ "for zone '%s' because it is a "
+ "subdomain of the zone",
+ adstr, zname);
+ dns_zone_setrad(zone, NULL);
+ } else {
+ dns_zone_setrad(zone, rad);
+ }
 }
 } else if (ztype == dns_zone_redirect) {
 dns_zone_setnotifytype(zone, dns_notifytype_no);
diff --git a/bin/tests/system/auth/ns1/example.rad.db b/bin/tests/system/auth/ns1/example.rad.db
new file mode 100644
index 0000000000..08d3197011
--- /dev/null
+++ b/bin/tests/system/auth/ns1/example.rad.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2018010100 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+server A 10.53.0.100
+*._er TXT "Report received"
diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in
index f9036f7688..7841ca4ae6 100644
--- a/bin/tests/system/auth/ns1/named.conf.in
+++ b/bin/tests/system/auth/ns1/named.conf.in
@@ -39,9 +39,14 @@ view main in {
 send-report-channel "rad.example.net";
 };
 
- zone example.rad {
+ zone rad {
 type primary;
 file "rad.db";
+ };
+
+ zone example.rad {
+ type primary;
+ file "example.rad.db";
 log-report-channel yes;
 };
 };
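Review bot: The new block calls `dns_zone_setrad()` only when `named_config_get(maps, "send-report-channel", &obj)` succeeds, whereas the removed zone-level code reset the agent domain with `dns_zone_setrad(zone, NULL)` in its else branch; on a reconfigure this now relies on the `.` default added to config.c in this commit being present in `maps`, otherwise a removed option would leave a stale agent domain on the zone. An explicit `} else { dns_zone_setrad(zone, NULL); }` after the new if-block would make the reset independent of the defaults table. In the `dns_name_equal(rad, zn)` branch the warning prints `zname` as the configured value while the subdomain branch prints `adstr`; printing `adstr` in both would show what the operator actually wrote and keep the two messages consistent. The comment `/* Disable RC for error-logging zones or root */` would read better as `/* Never advertise a Report-Channel from a zone that itself receives reports (presumably to avoid reports about the reporting zone); "." means the option is unset */`. named_zone_configure starts and ends outside the hunk.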
diff --git a/bin/tests/system/auth/ns1/rad.db b/bin/tests/system/auth/ns1/rad.db
index 08d3197011..b36fbb99a6 100644
--- a/bin/tests/system/auth/ns1/rad.db
+++ b/bin/tests/system/auth/ns1/rad.db
@@ -20,4 +20,5 @@ $TTL 300 ; 5 minutes
 NS ns
 ns A 10.53.0.1
 server A 10.53.0.100
-*._er TXT "Report received"
+
+example NS ns
diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
index 3c6c0e5380..473afc5a46 100644
--- a/bin/tests/system/auth/tests.sh
+++ b/bin/tests/system/auth/tests.sh
@@ -194,6 +194,22 @@ grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "check that Report-Channel option is omitted for names in error-logging zones ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 example.rad >dig.out.test$n
+grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that Report-Channel option is omitted for zones above the agent-domain ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 rad >dig.out.test$n
+grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "check that a zone-level Report-Channel EDNS option is added to responses ($n)"
 ret=0
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index d6fbf86b64..845531c0d8 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -186,7 +186,6 @@ struct dns_view {
 uint32_t maxrrperset;
 uint32_t maxtypepername;
 uint8_t max_restarts;
- dns_name_t *rad; /* reporting agent domain */
 
 /*
 * Configurable data for server use only,
diff --git a/lib/dns/view.c b/lib/dns/view.c
index fd261a9919..2be324156c 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
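Review bot: The two new negative checks in tests.sh pass vacuously when `dig` fails or times out, because `grep ... && ret=1` only sets ret when the Report-Channel line is present and an empty `dig.out.test$n` satisfies the absence condition. Each check should first confirm the query succeeded, e.g. `grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1` before the negative grep, so a broken server does not look like a passing test. The greps also only reject the specific value `example.rad`; since the intent is that no Report-Channel option is sent at all for these names, `grep "; Report-Channel:" dig.out.test$n >/dev/null && ret=1` would catch an unexpected value as well. The same applies to both added blocks in the hunk.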
@@ -376,10 +376,6 @@ destroy(dns_view_t *view) {
 dns_dns64_unlink(&view->dns64, dns64);
 dns_dns64_destroy(&dns64);
 }
- if (view->rad != NULL) {
- dns_name_free(view->rad, view->mctx);
- isc_mem_put(view->mctx, view->rad, sizeof(*view->rad));
- }
 if (view->managed_keys != NULL) {
 dns_zone_detach(&view->managed_keys);
 }
diff --git a/lib/ns/client.c b/lib/ns/client.c
index a1a2b4ad34..c4838cf2f3 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1243,8 +1243,6 @@ no_nsid:
 dns_name_t *rad = NULL;
 if (dns_name_dynamic(&client->rad)) {
 rad = &client->rad;
- } else if (view != NULL && view->rad != NULL) {
- rad = view->rad;
 }
 if (rad != NULL && !dns_name_equal(rad, dns_rootname)) {
 INSIST(count < DNS_EDNSOPTIONS);