Merge branch '4364-compilezone-disable-checks' into 'main'

disable checks by default in named-compilezone Closes #4364 See merge request isc-projects/bind9!8499
2023-12-21 04:26:07 +00:00
parent ecd1f4a2b8 0c90d09604
commit b248574f93
5 changed files with 44 additions and 25 deletions
--- a/8
+++ b/8
@@ -1,3 +1,11 @@
+6311.	[func]		Zone content checks are now disabled by default
+			when running named-compilezone. named-checkzone
+			can still be used for checking zone integrity,
+			or the former checks in named-compilezone can be
+			re-enabled by using "named-compilezone -i full
+			-k fail -n fail -r warn -m warn -M warn -S warn
+			-T warn -W warn -C check-svcb:fail". [GL #4364]
+
 6310.	[bug]		Memory leak in zone.c:sign_zone. When named signed a
 			zone it could leak dst_keys due to a misplaced
 			'continue'. [GL #4488]
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -88,6 +88,7 @@ bool dochecksrv = false;
 bool docheckns = false;
 #endif /* if CHECK_LOCAL */
 dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX |
+			     DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF |
 			     DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKNAMES |
 			     DNS_ZONEOPT_CHECKINTEGRITY |
 #if CHECK_SIBLING
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -147,15 +147,12 @@ main(int argc, char **argv) {
 		UNREACHABLE();
 	}

-	/* Compilation specific defaults */
+	/* When compiling, disable checks by default */
 	if (progmode == progmode_compile) {
-		zone_options |= (DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_FATALNS |
-				 DNS_ZONEOPT_CHECKSPF | DNS_ZONEOPT_CHECKDUPRR |
-				 DNS_ZONEOPT_CHECKNAMES |
-				 DNS_ZONEOPT_CHECKNAMESFAIL |
-				 DNS_ZONEOPT_CHECKWILDCARD);
-	} else {
-		zone_options |= (DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF);
+		zone_options = 0;
+		docheckmx = false;
+		docheckns = false;
+		dochecksrv = false;
 	}

 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
--- a/bin/check/named-compilezone.rst
+++ b/bin/check/named-compilezone.rst
@@ -30,10 +30,16 @@ Description

 :program:`named-compilezone` checks the syntax and integrity of a zone file,
 and dumps the zone contents to a specified file in a specified format.
-It applies strict check levels by default, since the
-dump output is used as an actual zone file loaded by :iscman:`named`.
-When manually specified otherwise, the check levels must at least be as
-strict as those specified in the :iscman:`named` configuration file.
+
+Unlike :program:`named-checkzone`, zone contents are not strictly checked
+by default. If the output is to be used as an actual zone file to be loaded
+by :iscman:`named`, then the check levels should be manually configured to
+be at least as strict as those specified in the :iscman:`named` configuration
+file.
+
+Running :program:`named-checkzone` on the input prior to compiling will
+ensure that the zone compiles with the default requirements of
+:iscman:`named`.

 Options
 ~~~~~~~
@@ -77,13 +83,13 @@ Options

   ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
   records and ``check-svcb:ignore`` disables these checks.  The
-   default is ``check-svcb:fail``.
+   default is ``check-svcb:ignore``.

 .. option:: -i mode

   This option performs post-load zone integrity checks. Possible modes are
-   ``full`` (the default), ``full-sibling``, ``local``,
-   ``local-sibling``, and ``none``.
+   ``full``, ``full-sibling``, ``local``,
+   ``local-sibling``, and ``none`` (the default).

   Mode ``full`` checks that MX records refer to A or AAAA records
   (both in-zone and out-of-zone hostnames). Mode ``local`` only
@@ -127,7 +133,7 @@ Options
 .. option:: -k mode

   This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail`` (the default), ``warn``, and ``ignore``.
+   Possible modes are ``fail``, ``warn``, and ``ignore`` (the default).

 .. option:: -l ttl

@@ -144,19 +150,19 @@ Options
 .. option:: -m mode

   This option specifies whether MX records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn`` (the default), and
-   ``ignore``.
+   addresses. Possible modes are ``fail``, ``warn``, and
+   ``ignore`` (the default).

 .. option:: -M mode

   This option checks whether a MX record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
+   ``fail``, ``warn``, and ``ignore`` (the default).

 .. option:: -n mode

   This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail`` (the default), ``warn``,  and
-   ``ignore``.
+   addresses. Possible modes are ``fail``, ``warn``,  and
+   ``ignore`` (the default).

 .. option:: -o filename

@@ -167,7 +173,7 @@ Options

   This option checks for records that are treated as different by DNSSEC but are
   semantically equal in plain DNS. Possible modes are ``fail``,
-   ``warn`` (the default), and ``ignore``.
+   ``warn``, and ``ignore`` (the default).

 .. option:: -s style

@@ -180,7 +186,7 @@ Options
 .. option:: -S mode

   This option checks whether an SRV record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
+   ``fail``, ``warn``, and ``ignore`` (the default).

 .. option:: -t directory

@@ -192,7 +198,7 @@ Options

   This option checks whether Sender Policy Framework (SPF) records exist and issues a
   warning if an SPF-formatted TXT record is not also present. Possible
-   modes are ``warn`` (the default) and ``ignore``.
+   modes are ``warn`` and ``ignore`` (the default).

 .. option:: -w directory

@@ -210,7 +216,7 @@ Options
   This option specifies whether to check for non-terminal wildcards. Non-terminal
   wildcards are almost always the result of a failure to understand the
   wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
-   (the default) and ``ignore``.
+   and ``ignore`` (the default).

 .. option:: zonename

--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -32,6 +32,13 @@ Feature Changes

 - None.

+- :program:`named-compilezone` no longer performs zone integrity checks
+  by default; this allows faster conversion of a zone file from one format
+  to another. Zone checks can be performed by running :program:`named-checkzone`
+  separately, or the previous default behavior can be restored by using
+  ``named-compilezone -i full -k fail -n fail -r warn -m warn -M warn
+  -S warn -T warn -W warn -C check-svcb:fail``. :gl:`#4364`
+
 Bug Fixes
 ~~~~~~~~~