diff --git a/CHANGES b/CHANGES
index e472d096bf..590141923e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3111. [bug] Improved consistency checks for dnssec-enable and
+ dnssec-validation, added test cases to the
+ checkconf system test. [RT #24398]
+
 3110. [bug] dnssec-signzone: Wrong error message could appear when
 attempting to sign with no KSK. [RT #24369]
diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh
new file mode 100644
index 0000000000..b39a05baed
--- /dev/null
+++ b/bin/tests/system/checkconf/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2011/05/07 05:55:17 each Exp $
+
+rm -f good.conf.in good.conf.out
diff --git a/bin/tests/system/checkconf/dnssec.1 b/bin/tests/system/checkconf/dnssec.1
new file mode 100644
index 0000000000..098b625f20
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.1
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.1,v 1.2 2011/05/07 05:55:17 each Exp $ */
+
+options {
+ dnssec-enable no;
+ dnssec-validation yes;
+};
diff --git a/bin/tests/system/checkconf/dnssec.2 b/bin/tests/system/checkconf/dnssec.2
new file mode 100644
index 0000000000..3ee32fe255
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.2
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.2,v 1.2 2011/05/07 05:55:17 each Exp $ */
+
+options {
+ dnssec-enable no;
+};
+
+view view1 {
+ match-clients { any; };
+ dnssec-validation yes;
+};
+
+view view2 {
+ match-clients { none; };
+ dnssec-validation auto;
+};
diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
new file mode 100644
index 0000000000..ae826ded3f
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.3
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.3,v 1.2 2011/05/07 05:55:17 each Exp $ */
+
+options {
+ dnssec-validation no;
+};
+
+view view1 {
+ match-clients { any; };
+ dnssec-enable no;
+};
+
+view view2 {
+ match-clients { none; };
+ dnssec-enable yes;
+};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 55966add5a..711da3e859 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -14,18 +14,25 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: good.conf,v 1.8 2011/05/05 23:47:17 tbox Exp $ */
+/* $Id: good.conf,v 1.9 2011/05/07 05:55:17 each Exp $ */
 /*
 * This is just a random selection of configuration options.
 */
+/* cut here */
 options {
- avoid-v4-udp-ports { 100; };
- avoid-v6-udp-ports { 100; };
- blackhole { 10.0.0.0/8; };
- coresize 1G;
- datasize 100M;
+ avoid-v4-udp-ports {
+ 100;
+ };
+ avoid-v6-udp-ports {
+ 100;
+ };
+ blackhole {
+ 10.0.0.0/8;
+ };
+ coresize 1073741824;
+ datasize 104857600;
 deallocate-on-exit yes;
 directory ".";
 dump-file "named_dumpdb";
@@ -37,9 +44,15 @@ options {
 host-statistics-max 100;
 hostname none;
 interface-interval 30;
- listen-on port 90 { any; };
- listen-on port 100 { 127.0.0.1; };
- listen-on-v6 port 53 { none; };
+ listen-on port 90 {
+ "any";
+ };
+ listen-on port 100 {
+ 127.0.0.1/32;
+ };
+ listen-on-v6 port 53 {
+ "none";
+ };
 match-mapped-addresses yes;
 memstatistics-file "named.memstats";
 multiple-cnames no;
@@ -54,25 +67,27 @@ options {
 serial-query-rate 100;
 server-id none;
 };
-
-view first {
- match-clients { none; };
- dnssec-validation auto;
- dnssec-lookaside auto;
- zone "example1" {
- type master;
- file "xxx";
- update-policy local;
- };
+view "first" {
+ match-clients {
+ "none";
+ };
+ zone "example1" {
+ type master;
+ file "xxx";
+ update-policy local;
+ };
+ dnssec-lookaside auto;
+ dnssec-validation auto;
 };
-
-view second {
- match-clients { any; };
- dnssec-validation auto;
- dnssec-lookaside auto;
- zone "example1" {
- type master;
- file "yyy";
- update-policy local;
- };
+view "second" {
+ match-clients {
+ "any";
+ };
+ zone "example1" {
+ type master;
+ file "yyy";
+ update-policy local;
+ };
+ dnssec-lookaside "." trust-anchor "dlv.isc.org.";
+ dnssec-validation auto;
 };
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 949e350836..3229890662 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.5 2010/06/02 01:28:40 tbox Exp $
+# $Id: tests.sh,v 1.6 2011/05/07 05:55:17 each Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -20,7 +20,6 @@ SYSTEMTESTTOP=..
 status=0
 echo "I: checking that named-checkconf handles a known good config"
-
 ret=0
 $CHECKCONF good.conf > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -28,13 +27,26 @@ status=`expr $status + $ret`
 echo "I: checking that named-checkconf prints a known good config"
 ret=0
-$CHECKCONF -p good.conf > /dev/null 2>&1 || ret=1
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
+[ -s good.conf.in ] || ret=1
+$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
+cmp good.conf.in good.conf.out || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
-echo "I: checking that named-checkconf handles a known bad config"
-ret=1
-$CHECKCONF bad.conf > /dev/null 2>&1 || ret=0
+echo "I: checking that named-checkconf handles a known bad config"
+ret=0
+$CHECKCONF bad.conf > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I: checking named-checkconf dnssec warnings"
+ret=0
+$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
+$CHECKCONF dnssec.2 2>&1 | grep 'validation auto.*enable no' > /dev/null || ret=1
+$CHECKCONF dnssec.2 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
+# this one should have no warnings
+$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 3c91c44fea..c56e230afb 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: check.c,v 1.131 2011/05/05 18:04:01 each Exp $ */
+/* $Id: check.c,v 1.132 2011/05/07 05:55:17 each Exp $ */
 /*! \file */
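Review bot: In the `good.conf.in` step the `2>&1` is applied to grep rather than to named-checkconf, so anything checkconf writes to stderr bypasses the `grep -v '^good.conf.in:'` filter (which looks intended to strip exactly those diagnostics) and `|| ret=1` tests grep's exit status, not checkconf's; `$CHECKCONF -p good.conf.in 2>&1 | grep -v '^good.conf.in:' > good.conf.out || ret=1` captures both streams and keeps the cmp meaningful. The dnssec.1/dnssec.2 pipelines have the same gap: a checkconf that prints the expected text but exits non-zero still passes, so an additional `$CHECKCONF dnssec.1 > /dev/null 2>&1 || ret=1` per file would pin that these are warnings rather than fatal errors. Note that `grep -v` exits 1 when it selects nothing, which is presumably what currently makes an empty checkconf output fail this step; that is non-obvious and deserves a comment such as `# grep -v exits non-zero when nothing is printed, which also catches a silent checkconf failure`.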
@@ -2100,9 +2100,15 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 isc_result_t tresult = ISC_R_SUCCESS;
 cfg_aclconfctx_t actx;
 const cfg_obj_t *obj;
+ const cfg_obj_t *options = NULL;
 isc_boolean_t enablednssec, enablevalidation;
 const char *valstr = "no";
+ /*
+ * Get global options block
+ */
+ (void)cfg_map_get(config, "options", &options);
+
 /*
 * Check that all zone statements are syntactically correct and
 * there are no duplicate zones.
@@ -2138,8 +2144,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 * Check that forwarding is reasonable.
 */
 if (voptions == NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
 if (options != NULL)
 if (check_forward(options, NULL, logctx) != ISC_R_SUCCESS)
@@ -2153,8 +2157,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 * Check that dual-stack-servers is reasonable.
 */
 if (voptions == NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
 if (options != NULL)
 if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
 result = ISC_R_FAILURE;
@@ -2215,8 +2217,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 obj = NULL;
 if (voptions != NULL)
 (void)cfg_map_get(voptions, "dnssec-enable", &obj);
- if (obj == NULL)
- (void)cfg_map_get(config, "dnssec-enable", &obj);
+ if (obj == NULL && options != NULL)
+ (void)cfg_map_get(options, "dnssec-enable", &obj);
 if (obj == NULL)
 enablednssec = ISC_TRUE;
 else
@@ -2225,10 +2227,10 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 obj = NULL;
 if (voptions != NULL)
 (void)cfg_map_get(voptions, "dnssec-validation", &obj);
- if (obj == NULL)
- (void)cfg_map_get(config, "dnssec-validation", &obj);
+ if (obj == NULL && options != NULL)
+ (void)cfg_map_get(options, "dnssec-validation", &obj);
 if (obj == NULL) {
- enablevalidation = ISC_TRUE;
+ enablevalidation = enablednssec;
 valstr = "yes";
 } else if (cfg_obj_isboolean(obj)) {
 enablevalidation = cfg_obj_asboolean(obj);
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 6fc5323dde..7baca1c38c 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: namedconf.c,v 1.136 2011/05/06 21:23:51 each Exp $ */
+/* $Id: namedconf.c,v 1.137 2011/05/07 05:55:17 each Exp $ */
 /*! \file */
@@ -1130,6 +1130,24 @@ static cfg_type_t cfg_type_rpz = {
 * dnssec-lookaside
 */
+static void
+print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj)
+{
+ const cfg_obj_t *domain = obj->value.tuple[0];
+
+ if (domain->value.string.length == 4 &&
+ strncmp(domain->value.string.base, "auto", 4) == 0)
+ cfg_print_cstr(pctx, "auto");
+ else
+ cfg_print_tuple(pctx, obj);
+}
+
+static void
+doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_cstr(pctx, "( trust-anchor | auto )");
+}
+
 static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
 static cfg_type_t cfg_type_optional_trustanchor = {
@@ -1144,7 +1162,7 @@ static cfg_tuplefielddef_t lookaside_fields[] = {
 };
 static cfg_type_t cfg_type_lookaside = {
- "lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ "lookaside", cfg_parse_tuple, print_lookaside, doc_lookaside,
 &cfg_rep_tuple, lookaside_fields
 };
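Review bot: The `obj == NULL` branch now sets `enablevalidation = enablednssec` but still assigns `valstr = "yes"`, so the label no longer describes the effective default once `dnssec-enable no` is in force; `valstr = enablednssec ? "yes" : "no";` keeps the two in step. Whether the stale string can actually surface depends on the warning emitted later in check_viewconf, which lies outside this hunk, so the visible code does not settle it either way. A one-line comment on the assignment, `/* unset: validation defaults to whatever dnssec-enable resolved to */`, would record why the default is no longer a constant. check_viewconf continues beyond the hunk in both directions.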
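Review bot: `doc_lookaside` prints `( trust-anchor | auto )`, which drops the leading domain that the tuple parser consumes (the field `print_lookaside` reads back as `obj->value.tuple[0]`) and makes `trust-anchor` look like a bare keyword; if `lookaside_fields` is a domain followed by the optional `trust-anchor <astring>` that `trustanchor_kw` defines, the grammar shown should be `cfg_print_cstr(pctx, "( <domain> [ trust-anchor <domain> ] | auto )");`. `print_lookaside` also deserves a comment on why `auto` is special-cased, e.g. `/* "auto" is stored in the domain field; emit the bare keyword instead of handing it to cfg_print_tuple */`. The `length == 4 && strncmp(..., 4)` test is case-exact, so the round-trip holds only if the parser stores `auto` in that exact spelling; worth confirming against the parse side, which is not in view. The `lookaside_fields` array named in the -1144 hunk header starts outside this hunk.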