mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00

named-checkconf now detects redefinition of dnssec-policy 'insecure'

Mark Andrews
2021-05-05 11:23:02 +10:00
parent 0f53872542
commit dba13d280a
4 changed files with 29 additions and 6 deletions


@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
// Using the keyword 'default' is not allowed.
// 'default' is a built-in policy, redefinition not allowed.
dnssec-policy "default" {
signatures-refresh P5D;
};
@@ -19,4 +19,3 @@ zone "example.net" {
file "example.db";
dnssec-policy "default";
};


@@ -0,0 +1,21 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// 'insecure' is a built-in policy, redefinition not allowed.
dnssec-policy "insecure" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "insecure";
};


@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
// Using the keyword 'none' is not allowed.
// 'none' is a built-in policy, redefinition not allowed.
dnssec-policy "none" {
signatures-refresh P5D;
};
@@ -19,4 +19,3 @@ zone "example.net" {
file "example.db";
dnssec-policy "none";
};


@@ -893,6 +893,9 @@ kasp_name_allowed(const cfg_listelt_t *element) {
if (strcmp("default", name) == 0) {
return (false);
}
if (strcmp("insecure", name) == 0) {
return (false);
}
return (true);
}
@@ -1193,8 +1196,9 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
if (bad_name) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-policy name may not be 'none' or "
"'default' (which is the built-in policy)");
"dnssec-policy name may not be 'insecure', "
"'none', or 'default' (which are built-in "
"policies)");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
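Review bot: The reserved dnssec-policy names are now maintained by hand in two places, the strcmp chain in kasp_name_allowed() and the error text in check_options(), so a future built-in policy can be added to one and missed in the other; presumably that is how 'insecure' stayed redefinable until this commit. Because this check is what stops a user-defined policy from shadowing a built-in one, driving the comparison from a single table would keep the two from drifting, and the log message should carry a comment pointing at that table. The start of kasp_name_allowed() is outside the hunk, so the "none" entry below is taken from the error message rather than from visible code. The comparisons are case-sensitive, which is only safe if policy names are looked up case-sensitively elsewhere; these hunks do not show that, so it is worth confirming.

```c
/* Built-in policies; keep in sync with the message in check_options(). */
static const char *const builtin_kasp_names[] = { "none", "default",
						   "insecure" };

kasp_name_allowed(const cfg_listelt_t *element) {
	/* … unchanged: extraction of name from element … */
	for (size_t i = 0; i < sizeof(builtin_kasp_names) /
				       sizeof(builtin_kasp_names[0]);
	     i++)
	{
		if (strcmp(builtin_kasp_names[i], name) == 0) {
			return (false);
		}
	}
	return (true);
}
```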