mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00
Code Issues Releases Wiki Activity

dnssec-policy now requires inline-signing

Browse Source 
Having implicit inline-signing set for dnssec-policy when there is no
update policy is confusing, so lets make this explicit.
This commit is contained in:
Matthijs Mekking
2022-06-07 14:46:05 +02:00
parent 505d8fa1ee
commit fa1d24c03a
1 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
lib/bind9/check.c
View File

@@ -2851,7 +2851,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
const char *target = NULL;
unsigned int ztype;
const cfg_obj_t *zoptions, *goptions = NULL;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *obj = NULL, *kasp = NULL;
const cfg_obj_t *inviewobj = NULL;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
@@ -3140,6 +3140,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
}
}
}
if (has_dnssecpolicy) {
kasp = obj;
}
}
/*
@@ -3440,12 +3443,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS) {
signing = cfg_obj_asboolean(obj);
if (has_dnssecpolicy && !ddns && !signing) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'inline-signing;' cannot be set "
"to 'no' "
"if dnssec-policy is also set on a "
"non-dynamic DNS zone");
}
if (has_dnssecpolicy) {
if (!ddns && !signing) {
cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
"'dnssec-policy;' requires%s "
"inline-signing to be configured "
"for the zone",
(ztype == CFG_ZONE_PRIMARY)
? " dynamic DNS or"
: "");
result = ISC_R_FAILURE;
}
}
@@ -3457,7 +3465,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
arg = cfg_obj_asstring(obj);
}
if (strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && !has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' requires%s "
"inline-signing to be configured "
@@ -3469,7 +3477,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = ISC_R_FAILURE;
}
if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) {
if (has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' cannot be "
"configured if dnssec-policy is "