From e8e40e2e01b6f122a75f7afc6b2b0e1ea97129fd Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 24 Nov 2022 11:10:58 +1100
Subject: [PATCH] Check that DS records are only present at delegations

This extends the integrity check to look for stray DS records in the zone.
---
 bin/tests/system/autosign/ns2/keygen.sh | 5 ++--
 bin/tests/system/checkzone/zones/bad-ds-2.db | 15 +++++++++++
 bin/tests/system/masterformat/ns1/example.db | 1 +
 doc/arm/reference.rst | 3 ++-
 lib/dns/zone.c | 26 +++++++++++++++++---
 5 files changed, 42 insertions(+), 8 deletions(-)
 create mode 100644 bin/tests/system/checkzone/zones/bad-ds-2.db

diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index ce36d8a288..25b5faaf6b 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -16,9 +16,8 @@
 # Have the child generate subdomain keys and pass DS sets to us.
 ( cd ../ns3 && $SHELL keygen.sh )
-for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
- nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
- cdnskey-delete
+for subdomain in secure nsec3 optout rsasha256 rsasha512 \
+ nsec3-to-nsec oldsigs dname-at-apex-nsec3
 do
 cp ../ns3/dsset-$subdomain.example. .
 done
diff --git a/bin/tests/system/checkzone/zones/bad-ds-2.db b/bin/tests/system/checkzone/zones/bad-ds-2.db
new file mode 100644
index 0000000000..09d29f72d5
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-ds-2.db
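Review bot: The shortened subdomain list in the `for subdomain in ...` loop carries no comment saying why autonsec3, sync, cds-delete and cdnskey-delete no longer have their dsset files copied in, so a reader of keygen.sh cannot tell whether they were dropped deliberately or by accident. Presumably those names are not delegated by NS from the zone ns2 serves, so their DS sets would now trip the new check-integrity rule added to lib/dns/zone.c in this same commit; if that is the reason, a line above the loop such as `# Only copy DS sets for names that example. delegates; a DS without a matching NS now fails check-integrity.` would record it. That reason is inferred from the zone.c hunks, not from anything visible in this hunk.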
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+foo.example. 0 DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
diff --git a/bin/tests/system/masterformat/ns1/example.db b/bin/tests/system/masterformat/ns1/example.db
index 5ca0ae2ace..2dee1a9d9e 100644
--- a/bin/tests/system/masterformat/ns1/example.db
+++ b/bin/tests/system/masterformat/ns1/example.db
@@ -37,6 +37,7 @@ dnskey 300 DNSKEY 256 3 13 (
 3uhPJsJ7ivpbh+w== )
 private-dnskey 300 DNSKEY 256 3 253 (
 AAo= )
+ds 300 NS .
 ds 300 DS 30795 1 1 (
 310D27F4D82C1FC2400704EA9939FE6E1CEA
 A3B9 )
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index b9c71af782..bf59f65c39 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2734,7 +2734,8 @@ Boolean Options
 records, only in-zone hostnames are checked (for out-of-zone hostnames, use :iscman:`named-checkzone`). For NS records, only names below top-of-zone are checked (for out-of-zone names and glue consistency checks, use
- :iscman:`named-checkzone`). The default is ``yes``.
+ :iscman:`named-checkzone`). DS records not at delegations are rejected.
+ The default is ``yes``.
 The use of the SPF record to publish Sender Policy Framework is deprecated, as the migration from using TXT records to SPF records was
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c1fedd43f9..fb718151cc 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3349,6 +3349,8 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 dns_name_t *bottom;
 isc_result_t result;
 bool ok = true, have_spf, have_txt;
+ int level;
+ char namebuf[DNS_NAME_FORMATSIZE];
 name = dns_fixedname_initname(&fixed);
 bottom = dns_fixedname_initname(&fixedbottom);
@@ -3383,13 +3385,13 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 * Don't check the NS records at the origin.
 */
 if (dns_name_equal(name, &zone->origin)) {
- goto checkfordname;
+ goto checkfords;
 }
 result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns, 0, 0, &rdataset, NULL);
 if (result != ISC_R_SUCCESS) {
- goto checkfordname;
+ goto checkfords;
 }
 /*
 * Remember bottom of zone due to NS.
@@ -3410,6 +3412,24 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 dns_rdataset_disassociate(&rdataset);
 goto next;
+ checkfords:
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ goto checkfordname;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (zone->type == dns_zone_primary) {
+ level = ISC_LOG_ERROR;
+ ok = false;
+ } else {
+ level = ISC_LOG_WARNING;
+ }
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_zone_log(zone, level, "DS not at delegation point (%s)",
+ namebuf);
+
 checkfordname:
 result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dname, 0, 0,
@@ -3499,8 +3519,6 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 notxt:
 if (have_spf && !have_txt) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namebuf, sizeof(namebuf));
 dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found type "
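Review bot: The new `checkfords:` block has no comment stating the rule it enforces, unlike the NS block above it which explains why the origin is skipped; a line before the `dns_db_findrdataset` call such as `/* DS records belong only at delegation points (RFC 4035 §2.4); any DS found on a name without NS, including the apex, is stray. */` would make the intent and the apex case explicit. The log text also differs in shape from this function's existing messages, which put the quoted name first (`"'%s' found type "` in the notxt block below); `"'%s': DS not at delegation point"` would match that style. Note that only primary zones set `ok = false`, so a secondary zone holding a stray DS is logged at ISC_LOG_WARNING and still passes, which the reference.rst wording "DS records not at delegations are rejected" does not qualify. Any result other than ISC_R_SUCCESS from the DS lookup, including an allocation or database error, is treated as "no DS" via `goto checkfordname`; this mirrors the NS and DNAME lookups but means a lookup failure silently passes the check. The loop body of integrity_checks that contains these labels starts and ends outside the hunk.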