mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

remove remaining DLV-related configuration checks

Browse Source
This commit is contained in:
Evan Hunt 2019-08-07 11:53:13 -07:00
parent 02d95d0b62
commit efa5f7ed54
4 changed files with 2 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
bin/named/server.c
View File

@ -3783,7 +3783,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
const cfg_obj_t *zonelist; const cfg_obj_t *zonelist;
const cfg_obj_t *dlzlist; const cfg_obj_t *dlzlist;
const cfg_obj_t *dlz; const cfg_obj_t *dlz;
const cfg_obj_t *dlvobj = NULL;
unsigned int dlzargc; unsigned int dlzargc;
char **dlzargv; char **dlzargv;
const cfg_obj_t *dyndb_list, *plugin_list; const cfg_obj_t *dyndb_list, *plugin_list;
@ -4614,7 +4613,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
} }
/* /*
* Set supported DS/DLV digest types. * Set supported DS digest types.
*/ */
dns_resolver_reset_ds_digests(view->resolver); dns_resolver_reset_ds_digests(view->resolver);
disabled = NULL; disabled = NULL;
@ -5204,57 +5203,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
view->prefetch_eligible = view->prefetch_trigger + 6; view->prefetch_eligible = view->prefetch_trigger + 6;
} }
obj = NULL;
result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
/* "auto" is deprecated, log a warning if seen */
const char *dom;
dlvobj = cfg_listelt_value(cfg_list_first(obj));
dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
/* If "no", skip; if "auto", log warning */
if (!strcasecmp(dom, "no")) {
result = ISC_R_NOTFOUND;
} else if (!strcasecmp(dom, "auto")) {
/*
* Warning logged by libbind9.
*/
result = ISC_R_NOTFOUND;
}
}
}
if (result == ISC_R_SUCCESS) {
dns_name_t *dlv, *iscdlv;
dns_fixedname_t f;
/* Also log a warning if manually configured to dlv.isc.org */
iscdlv = dns_fixedname_initname(&f);
CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
for (element = cfg_list_first(obj);
element != NULL;
element = cfg_list_next(element))
{
obj = cfg_listelt_value(element);
obj = cfg_tuple_get(obj, "trust-anchor");
dlv = dns_fixedname_name(&view->dlv_fixed);
CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
DNS_NAME_DOWNCASE, NULL));
if (dns_name_equal(dlv, iscdlv)) {
/*
* Warning logged by libbind9.
*/
view->dlv = NULL;
} else {
view->dlv = dlv;
}
}
} else {
view->dlv = NULL;
}
/* /*
* For now, there is only one kind of trusted keys, the * For now, there is only one kind of trusted keys, the
* "security roots". * "security roots".

20
bin/tests/system/checkconf/check-dlv-ksk-key.conf
View File

@ -1,20 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-keys {
dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG
xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR
x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL
KjHzpT59k/VStTDN0YUuWrBNh";
};

12
bin/tests/system/checkconf/tests.sh
View File

@ -389,7 +389,6 @@ echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0 ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1 $CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-lookaside 'auto' is no longer supported" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@ -398,7 +397,6 @@ echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a wa
ret=0 ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1 $CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@ -406,8 +404,6 @@ n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)" echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
ret=0 ret=0
$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 $CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
lines=$(wc -l < checkconf.out$n)
if [ $lines != 1 ]; then ret=1; fi
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@ -457,14 +453,6 @@ grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
ret=0
$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "trust anchor for dlv.isc.org is present" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)" echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0 ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1 $CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1

134
lib/bind9/check.c
View File

@ -58,11 +58,6 @@
#include <bind9/check.h> #include <bind9/check.h>
static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
static dns_name_t const dlviscorg =
DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets);
static isc_result_t static isc_result_t
fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable, fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
isc_log_t *logctxlogc); isc_log_t *logctxlogc);
@ -858,9 +853,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
const cfg_obj_t *resignobj = NULL; const cfg_obj_t *resignobj = NULL;
const cfg_listelt_t *element; const cfg_listelt_t *element;
isc_symtab_t *symtab = NULL; isc_symtab_t *symtab = NULL;
dns_fixedname_t fixed;
const char *str; const char *str;
dns_name_t *name;
isc_buffer_t b; isc_buffer_t b;
uint32_t lifetime = 3600; uint32_t lifetime = 3600;
const char *ccalg = "siphash24"; const char *ccalg = "siphash24";
@ -1069,7 +1062,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
} }
/* /*
* Set supported DS/DLV digest types. * Set supported DS digest types.
*/ */
obj = NULL; obj = NULL;
(void)cfg_map_get(options, "disable-ds-digests", &obj); (void)cfg_map_get(options, "disable-ds-digests", &obj);
@ -1085,107 +1078,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
} }
} }
name = dns_fixedname_initname(&fixed);
/*
* Check the DLV zone name.
*/
obj = NULL;
(void)cfg_map_get(options, "dnssec-lookaside", &obj);
if (obj != NULL) {
tresult = isc_symtab_create(mctx, 100, freekey, mctx,
false, &symtab);
if (tresult != ISC_R_SUCCESS)
result = tresult;
for (element = cfg_list_first(obj);
element != NULL;
element = cfg_list_next(element))
{
const char *dlv;
const cfg_obj_t *dlvobj, *anchor;
obj = cfg_listelt_value(element);
anchor = cfg_tuple_get(obj, "trust-anchor");
dlvobj = cfg_tuple_get(obj, "domain");
dlv = cfg_obj_asstring(dlvobj);
/*
* If domain is "auto" or "no" and trust anchor
* is missing, skip remaining tests
*/
if (cfg_obj_isvoid(anchor)) {
if (!strcasecmp(dlv, "no")) {
continue;
}
if (!strcasecmp(dlv, "auto")) {
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"dnssec-lookaside 'auto' "
"is no longer supported");
continue;
}
}
tresult = dns_name_fromstring(name, dlv, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", dlv);
result = tresult;
continue;
}
if (symtab != NULL) {
tresult = nameexist(obj, dlv, 1, symtab,
"dnssec-lookaside '%s': "
"already exists; previous "
"definition: %s:%u",
logctx, mctx);
if (tresult != ISC_R_SUCCESS &&
result == ISC_R_SUCCESS)
result = tresult;
}
/*
* XXXMPA to be removed when multiple lookaside
* namespaces are supported.
*/
if (!dns_name_equal(dns_rootname, name)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-lookaside '%s': "
"non-root not yet supported", dlv);
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
if (cfg_obj_isvoid(anchor)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-lookaside requires "
"either or 'no' or a "
"domain and trust anchor");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
continue;
}
dlv = cfg_obj_asstring(anchor);
tresult = dns_name_fromstring(name, dlv, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", dlv);
if (result == ISC_R_SUCCESS)
result = tresult;
continue;
}
if (dns_name_equal(&dlviscorg, name)) {
cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
"dlv.isc.org has been shut down");
continue;
}
}
if (symtab != NULL)
isc_symtab_destroy(&symtab);
}
/* /*
* Check auto-dnssec at the view/options level * Check auto-dnssec at the view/options level
*/ */
@ -3058,7 +2950,6 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
#define ROOT_KSK_ANY 0x03 #define ROOT_KSK_ANY 0x03
#define ROOT_KSK_2010 0x04 #define ROOT_KSK_2010 0x04
#define ROOT_KSK_2017 0x08 #define ROOT_KSK_2017 0x08
#define DLV_KSK_KEY 0x10
static isc_result_t static isc_result_t
check_trusted_key(const cfg_obj_t *key, bool managed, check_trusted_key(const cfg_obj_t *key, bool managed,
@ -3235,13 +3126,6 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
} }
} }
/*
* Flag any use of dlv.isc.org, regardless of content.
*/
if (dns_name_equal(keyname, &dlviscorg)) {
*keyflags |= DLV_KSK_KEY;
}
return (result); return (result);
} }
@ -3830,14 +3714,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
"with initial-key instead."); "with initial-key instead.");
} }
if ((flags & DLV_KSK_KEY) != 0) {
cfg_obj_log(check_keys[i], logctx,
ISC_LOG_WARNING,
"trust anchor for dlv.isc.org "
"is present; dlv.isc.org has "
"been shut down");
}
tflags |= flags; tflags |= flags;
} }
} }
@ -3908,14 +3784,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
"the updated 2017 key"); "the updated 2017 key");
} }
if ((flags & DLV_KSK_KEY) != 0) {
cfg_obj_log(check_keys[i], logctx,
ISC_LOG_WARNING,
"trust anchor for dlv.isc.org "
"is present; dlv.isc.org has "
"been shut down");
}
dflags |= flags; dflags |= flags;
} }
} }