From b1d0cac280cd97f2a0ef09655f24ed23645804ed Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 19 Jul 2022 12:13:42 -0700
Subject: [PATCH] Forbid zones with both dnssec-policy and max-zone-ttl

Since max-zone-ttl in zone/view/options is a no-op if dnssec-policy is in use, let's make that a fatal error.
---
 .../checkconf/bad-kasp-max-zone-ttl.conf | 26 +++++++++++++++++++
 doc/arm/reference.rst | 8 +++---
 lib/bind9/check.c | 24 +++++++++++++++++
 3 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf

diff --git a/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000000..0b5939478e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ max-zone-ttl 600;
+};
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index f6fe74916b..9dd453b0fe 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
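Review bot: The fixture's header comment, `The dnssec-policy is not defined.`, contradicts the `options { dnssec-policy default; }` block a few lines below it, which is exactly what gives the zone a policy through inheritance, so a reader may take the file to test a zone with no policy at all. Suggest `The dnssec-policy is inherited from options rather than set on the zone; the conflict with max-zone-ttl must be caught in that case too.` As far as this patch shows, no sibling fixture covers a zone-level dnssec-policy with max-zone-ttl inherited from options or a view, so only the zone-level max-zone-ttl lookup in check.c is exercised.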
@@ -1806,10 +1806,10 @@ default is used. This should now be configured as part of :namedconf:ref:`dnssec-policy`. Use of this option in :namedconf:ref:`options`, :namedconf:ref:`view` - and :namedconf:ref:`zone` blocks has no effect on any zone for which - a :namedconf:ref:`dnssec-policy` has also been configured. In zones - without :namedconf:ref:`dnssec-policy`, this option is deprecated, - and will be rendered non-operational in a future release. + and :namedconf:ref:`zone` blocks is a fatal error if + :namedconf:ref:`dnssec-policy` has also been configured for the same + zone. In zones without :namedconf:ref:`dnssec-policy`, this option is + deprecated, and will be rendered non-operational in a future release. :any:`max-zone-ttl` specifies a maximum permissible TTL value in seconds. For convenience, TTL-style time-unit suffixes may be used to specify the
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index baacd29a84..3cad314ad8 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3142,6 +3142,30 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 }
 }
 
+ /*
+ * Reject zones with both dnssec-policy and max-zone-ttl
+ * */
+ if (has_dnssecpolicy) {
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+ if (obj == NULL && voptions != NULL) {
+ (void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+ }
+ if (obj == NULL && goptions != NULL) {
+ (void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+ }
+ if (obj != NULL) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "zone '%s': option 'max-zone-ttl' "
+ "cannot be used together with "
+ "'dnssec-policy'",
+ znamestr);
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+
 /*
 * Check validity of the zone options.
 */
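Review bot: The new block comment closes with `* */` on its third line, a typo for `*/`; the `Check validity of the zone options.` comment directly below shows the file's form. The comment could also carry the reason from the commit message, e.g. `Reject zones with both dnssec-policy and max-zone-ttl: max-zone-ttl is a no-op once a dnssec-policy applies, so accepting it would silently hide a misconfiguration.` When the option is inherited, `obj` comes from `voptions` or `goptions`, so `cfg_obj_log(obj, ...)` presumably reports the view/options location while the message names the zone; a single stray `max-zone-ttl` in `options` therefore fails every policy-managed zone, which matches the stated intent but deserves a mention in the message or the docs. `has_dnssecpolicy` is computed outside the hunk; if it is also true for an explicit `dnssec-policy none`, zones opting out of automated signing would be rejected as well, which is worth confirming. check_zoneconf begins and ends outside the hunk.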