From 342a0f48e39dda9cf3db0d87b5f68ae4c86e922e Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Tue, 20 May 2025 16:21:02 +0200
Subject: [PATCH] - Add more checks about respip in unbound-checkconf. Also fixes #310: unbound-checkconf not reporting RPZ configuration error.
---
 doc/Changelog | 5 ++++-
 smallapp/unbound-checkconf.c | 10 ++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 1c0e2be43..2e2f96df8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,10 +1,13 @@ 20 May 2025: Yorgos - Merge #1285: RST man pages. It introduces restructuredText man pages to sync the online and source code man page documentation. - The templated man pages (*.in) are still part of the repo but + The templated man pages (*.in) are still part of the repo but generated with docutils from their .rst counterpart. Documentation on how to generate those (mainly for core developers) is in README.man. + - Add more checks about respip in unbound-checkconf. + Also fixes #310: unbound-checkconf not reporting RPZ configuration + error. 19 May 2025: Wouter - Fix for cname chain length with qtype ANY and qname minimisation.
diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c
index 9dd73fa8f..07892fc4d 100644
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@@ -294,7 +294,8 @@ view_and_respipchecks(struct config_file* cfg)
 {
 struct views* views = NULL;
 struct respip_set* respip = NULL;
- int ignored = 0;
+ int have_view_respip_cfg = 0;
+ int use_response_ip = 0;
 if(!(views = views_create()))
 fatal_exit("Could not create views: out of memory");
 if(!(respip = respip_set_create()))
@@ -303,8 +304,11 @@ view_and_respipchecks(struct config_file* cfg)
 fatal_exit("Could not set up views");
 if(!respip_global_apply_cfg(respip, cfg))
 fatal_exit("Could not setup respip set");
- if(!respip_views_apply_cfg(views, cfg, &ignored))
+ if(!respip_views_apply_cfg(views, cfg, &have_view_respip_cfg))
 fatal_exit("Could not setup per-view respip sets");
+ use_response_ip = !respip_set_is_empty(respip) || have_view_respip_cfg;
+ if(use_response_ip && !strstr(cfg->module_conf, "respip"))
+ fatal_exit("response-ip options require respip module");
 acl_view_tag_checks(cfg, views);
 views_delete(views);
 respip_set_delete(respip);
@@ -968,6 +972,8 @@ check_auth(struct config_file* cfg)
 if(!az || !auth_zones_apply_cfg(az, cfg, 0, &is_rpz, NULL, NULL)) {
 fatal_exit("Could not setup authority zones");
 }
+ if(is_rpz && !strstr(cfg->module_conf, "respip"))
+ fatal_exit("RPZ requires the respip module");
 auth_zones_delete(az);
 }
-- 2.47.3
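Review bot: The added `strstr(cfg->module_conf, "respip")` test in view_and_respipchecks matches any substring, so a module-config value that merely contains those letters inside another token satisfies it, and the same test is repeated in the check_auth hunk for RPZ. Since unbound-checkconf is the gate operators rely on before deploying response-ip or RPZ policy, a whole-token comparison is safer; whether another check already rejects unknown module names is not visible here. I would move both tests into one small static helper that also tolerates a NULL module_conf, as sketched below. Both functions start and end outside their hunks, so the helper's placement and the initialisation of `is_rpz` should be confirmed against the full file.

```c
/* Return 1 when name is a whole whitespace-separated token of the
 * module-config string conf, 0 otherwise (also for a NULL conf). */
static int
module_conf_has(const char* conf, const char* name)
{
	size_t len = strlen(name);
	const char* p = conf;
	while(p && (p = strstr(p, name)) != NULL) {
		int at_start = (p == conf || p[-1] == ' ' || p[-1] == '\t');
		int at_end = (p[len] == 0 || p[len] == ' ' || p[len] == '\t');
		if(at_start && at_end)
			return 1;
		p += len;
	}
	return 0;
}

/* … unchanged: views and respip set-up in view_and_respipchecks … */
	if(use_response_ip && !module_conf_has(cfg->module_conf, "respip"))
		fatal_exit("response-ip options require respip module");

/* … unchanged: auth_zones_apply_cfg call in check_auth … */
	if(is_rpz && !module_conf_has(cfg->module_conf, "respip"))
		fatal_exit("RPZ requires the respip module");
```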