mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

dnssec-policy now requires inline-signing

Browse Source 
Having implicit inline-signing set for dnssec-policy when there is no
update policy is confusing, so lets make this explicit.
This commit is contained in:
Matthijs Mekking
2022-06-07 14:46:05 +02:00
parent 505d8fa1ee
commit fa1d24c03a
1 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
lib/bind9/check.c
View File

@@ -2851,7 +2851,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
const char *target = NULL; const char *target = NULL;
unsigned int ztype; unsigned int ztype;
const cfg_obj_t *zoptions, *goptions = NULL; const cfg_obj_t *zoptions, *goptions = NULL;
const cfg_obj_t *obj = NULL; const cfg_obj_t *obj = NULL, *kasp = NULL;
const cfg_obj_t *inviewobj = NULL; const cfg_obj_t *inviewobj = NULL;
isc_result_t result = ISC_R_SUCCESS; isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult; isc_result_t tresult;
@@ -3140,6 +3140,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
} }
} }
} }
if (has_dnssecpolicy) {
kasp = obj;
}
} }
/* /*
@@ -3440,12 +3443,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res1 = cfg_map_get(zoptions, "inline-signing", &obj); res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS) { if (res1 == ISC_R_SUCCESS) {
signing = cfg_obj_asboolean(obj); signing = cfg_obj_asboolean(obj);
if (has_dnssecpolicy && !ddns && !signing) { }
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'inline-signing;' cannot be set " if (has_dnssecpolicy) {
"to 'no' " if (!ddns && !signing) {
"if dnssec-policy is also set on a " cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
"non-dynamic DNS zone"); "'dnssec-policy;' requires%s "
"inline-signing to be configured "
"for the zone",
(ztype == CFG_ZONE_PRIMARY)
? " dynamic DNS or"
: "");
result = ISC_R_FAILURE; result = ISC_R_FAILURE;
} }
} }
@@ -3457,7 +3465,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
arg = cfg_obj_asstring(obj); arg = cfg_obj_asstring(obj);
} }
if (strcasecmp(arg, "off") != 0) { if (strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && strcasecmp(arg, "off") != 0) { if (!ddns && !signing && !has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR, cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' requires%s " "'auto-dnssec %s;' requires%s "
"inline-signing to be configured " "inline-signing to be configured "
@@ -3469,7 +3477,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = ISC_R_FAILURE; result = ISC_R_FAILURE;
} }
if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) { if (has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR, cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' cannot be " "'auto-dnssec %s;' cannot be "
"configured if dnssec-policy is " "configured if dnssec-policy is "