Add 'tls' validation for XoT enabled primaries

This commit ensure that the 'tls' name specified in the 'primaries' clause of a 'zone' statement is a valid one. Prior to that such a name would be silently accepted, leading to silent XFRs-via-TLS failures.
2021-11-30 00:31:36 +02:00
parent 7843fb4ece
commit 69cef39099
4 changed files with 73 additions and 0 deletions
--- a/bin/tests/system/checkconf/bad-dot-primaries.conf
+++ b/bin/tests/system/checkconf/bad-dot-primaries.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.1 tls undefined; };
+	file "example.db";
+	allow-transfer { any; };
+};
--- a/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
+++ b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.1 tls ephemeral; };
+	file "example.db";
+	allow-transfer { any; };
+};
--- a/bin/tests/system/checkconf/good-dot-primaries.conf
+++ b/bin/tests/system/checkconf/good-dot-primaries.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	protocols { TLSv1.2; };
+	ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+	prefer-server-ciphers no;
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.1 tls local-tls; };
+	file "example.db";
+	allow-transfer { any; };
+};
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2434,6 +2434,22 @@ resume:
 						result = tresult;
 					}
 				}
+
+				if (strcasecmp(str, "ephemeral") != 0) {
+					const cfg_obj_t *tlsmap = NULL;
+
+					tlsmap = find_maplist(config, "tls",
+							      str);
+					if (tlsmap == NULL) {
+						cfg_obj_log(
+							tls, logctx,
+							ISC_LOG_ERROR,
+							"tls '%s' is not "
+							"defined",
+							cfg_obj_asstring(tls));
+						result = ISC_R_FAILURE;
+					}
+				}
 			}
 			continue;
 		}