dnssec-policy now requires inline-signing

Having inline-signing set implicitly for dnssec-policy when there is no
update policy is confusing, so let's make this explicit.

(cherry picked from commit 5ca02fe6e7e591d1fb85936ea4dda720c3d741ef)
Matthijs Mekking
2022-06-07 14:46:05 +02:00
parent a6b6a1c9dd
commit d7175c41a7


@@ -2853,7 +2853,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
const char *target = NULL;
unsigned int ztype;
const cfg_obj_t *zoptions, *goptions = NULL;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *obj = NULL, *kasp = NULL;
const cfg_obj_t *inviewobj = NULL;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
@@ -3142,6 +3142,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
}
}
}
if (has_dnssecpolicy) {
kasp = obj;
}
}
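Review bot: `kasp = obj` at the end of this block saves whatever `obj` happens to point at, but `obj` is the function's general scratch pointer (declared `const cfg_obj_t *obj = NULL, *kasp = NULL;` in the first hunk and reassigned by later `cfg_map_get` calls), so the assignment is only correct if nothing between the dnssec-policy lookup and this line has reused `obj`; that lookup is above the hunk and not visible here. A one-line comment would make the dependency explicit, e.g. `/* obj still holds the zone's dnssec-policy object; keep it for later error reporting */`, or, more robustly, assign `kasp` at the point where dnssec-policy is actually looked up rather than several statements later. The enclosing block starts outside the hunk.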
/*
@@ -3439,12 +3442,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS) {
signing = cfg_obj_asboolean(obj);
if (has_dnssecpolicy && !ddns && !signing) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'inline-signing;' cannot be set "
"to 'no' "
"if dnssec-policy is also set on a "
"non-dynamic DNS zone");
}
if (has_dnssecpolicy) {
if (!ddns && !signing) {
cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
"'dnssec-policy;' requires%s "
"inline-signing to be configured "
"for the zone",
(ztype == CFG_ZONE_PRIMARY)
? " dynamic DNS or"
: "");
result = ISC_R_FAILURE;
}
}
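Review bot: The new error is logged against `kasp` rather than the `inline-signing` object, and `kasp` is initialised to NULL and only assigned under `if (has_dnssecpolicy)` in an earlier hunk; if there is any path on which `has_dnssecpolicy` is true but that assignment was not reached (the lookup that sets it is outside this view), `cfg_obj_log` would be handed a NULL object. A cheap guard keeps the diagnostic either way: `cfg_obj_log(kasp != NULL ? kasp : obj, logctx, ISC_LOG_ERROR, ...)`. Note also that the replaced branch, as shown, only logged, whereas the new one sets `result = ISC_R_FAILURE`, turning a previously non-fatal misconfiguration into a hard config-check failure; the commit description does not mention this, and a sentence there would help operators who upgrade with such a zone configured. check_zoneconf continues outside the hunk.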
@@ -3456,7 +3464,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
arg = cfg_obj_asstring(obj);
}
if (strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && !has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' requires%s "
"inline-signing to be configured "
@@ -3468,7 +3476,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = ISC_R_FAILURE;
}
if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) {
if (has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' cannot be "
"configured if dnssec-policy is "