diff --git a/bin/tests/system/checkconf/bad-kasp1.conf b/bin/tests/system/checkconf/bad-kasp-define-default.conf
similarity index 89%
rename from bin/tests/system/checkconf/bad-kasp1.conf
rename to bin/tests/system/checkconf/bad-kasp-define-default.conf
index 686160f983..65095c4f8e 100644
--- a/bin/tests/system/checkconf/bad-kasp1.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-default.conf
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
-// Using the keyword 'default' is not allowed.
+// 'default' is a built-in policy, redefinition not allowed.
 dnssec-policy "default" {
 signatures-refresh P5D;
 };
@@ -19,4 +19,3 @@ zone "example.net" {
 file "example.db";
 dnssec-policy "default";
 };
-
diff --git a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
new file mode 100644
index 0000000000..19ae2d56dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'insecure' is a built-in policy, redefinition not allowed.
+dnssec-policy "insecure" {
+ signatures-refresh P5D;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp5.conf b/bin/tests/system/checkconf/bad-kasp-define-none.conf
similarity index 90%
rename from bin/tests/system/checkconf/bad-kasp5.conf
rename to bin/tests/system/checkconf/bad-kasp-define-none.conf
index a399079db5..4fc3781699 100644
--- a/bin/tests/system/checkconf/bad-kasp5.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-none.conf
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
-// Using the keyword 'none' is not allowed.
+// 'none' is a built-in policy, redefinition not allowed.
 dnssec-policy "none" {
 signatures-refresh P5D;
 };
@@ -19,4 +19,3 @@ zone "example.net" {
 file "example.db";
 dnssec-policy "none";
 };
-
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 13e1da994b..ee00d2482a 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -893,6 +893,9 @@ kasp_name_allowed(const cfg_listelt_t *element) {
 if (strcmp("default", name) == 0) {
 return (false);
 }
+ if (strcmp("insecure", name) == 0) {
+ return (false);
+ }
 return (true);
 }
@@ -1193,8 +1196,9 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 if (bad_name) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-policy name may not be 'none' or "
- "'default' (which is the built-in policy)");
+ "dnssec-policy name may not be 'insecure', "
+ "'none', or 'default' (which are built-in "
+ "policies)");
 if (result == ISC_R_SUCCESS) {
 result = ISC_R_FAILURE;
 }
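Review bot: The set of reserved policy names is now maintained by hand in two places that must agree — the strcmp chain in kasp_name_allowed (this hunk) and the literal error text in the check_options hunk below — and adding 'insecure' meant touching both, which is exactly how the two drift apart the next time a built-in policy is added. A single `static const char *const builtin_kasp_names[] = { "default", "insecure", "none" };` table, looped over in kasp_name_allowed, makes the check data-driven, and the check_options message could then say "may not be the name of a built-in policy" instead of enumerating them. kasp_name_allowed begins before this hunk (the 'none' comparison and the lookup of `name` are not shown), so the table would replace all three comparisons, not only the two visible here. Whether policy names are matched case-insensitively when a zone's dnssec-policy is resolved is not visible in this diff; if they are, the strcmp here would let a differently-cased spelling of a built-in name through, so that is worth confirming when the table is introduced.
```c
/* Names of the built-in dnssec-policies; a configured policy may not redefine any of them. */
static const char *const builtin_kasp_names[] = { "default", "insecure", "none" };

static bool
kasp_name_allowed(const cfg_listelt_t *element) {
	/* … unchanged: lookup of name from the list element … */
	for (size_t i = 0; i < sizeof(builtin_kasp_names) / sizeof(builtin_kasp_names[0]); i++) {
		if (strcmp(builtin_kasp_names[i], name) == 0) {
			return (false);
		}
	}
	return (true);
}
```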