effective config: specific dnssec-policy case

Default dnssec-policies are not overridden by user-provided ones. Add
this specific case to make sure those are kept, and also ensure that the
default dnssec-policy is always in the first position (which is an
implicit requirement in the existing implementation).

Also simplify the server configuration code, as it only needs to build
the list of dnssec-policy based on the effective config list.

diff --git a/bin/named/server.c b/bin/named/server.c
index 8742428e8af81f85ef83b41090871e5d381996f8..595043d4665a7af6aeb945ed3a5b9da6f7e4160e 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -7834,9 +7834,9 @@ configure_kasplist(const cfg_obj_t *config, dns_kasplist_t *kasplist,
        APPLY_CONFIGURATION_SUBROUTINE_LOG;
 
        /*
-        * Create the built-in kasp policies ("default", "insecure").
+        * Create the DNSSEC key and signing policies (KASP).
         */
-       (void)cfg_map_get(named_g_defaultconfig, "dnssec-policy", &kasps);
+       (void)cfg_map_get(config, "dnssec-policy", &kasps);
        CFG_LIST_FOREACH(kasps, element) {
                cfg_obj_t *kconfig = cfg_listelt_value(element);
                dns_kasp_t *kasp = NULL;
@@ -7847,6 +7847,7 @@ configure_kasplist(const cfg_obj_t *config, dns_kasplist_t *kasplist,
                if (result != ISC_R_SUCCESS) {
                        return result;
                }
+
                INSIST(kasp != NULL);
                dns_kasp_freeze(kasp);
 
@@ -7858,27 +7859,6 @@ configure_kasplist(const cfg_obj_t *config, dns_kasplist_t *kasplist,
 
                dns_kasp_detach(&kasp);
        }
-       INSIST(default_kasp != NULL);
-
-       /*
-        * Create the DNSSEC key and signing policies (KASP).
-        */
-       kasps = NULL;
-       (void)cfg_map_get(config, "dnssec-policy", &kasps);
-       CFG_LIST_FOREACH(kasps, element) {
-               cfg_obj_t *kconfig = cfg_listelt_value(element);
-               dns_kasp_t *kasp = NULL;
-
-               result = cfg_kasp_fromconfig(kconfig, default_kasp, kaspopts,
-                                            isc_g_mctx, keystorelist, kasplist,
-                                            &kasp);
-               if (result != ISC_R_SUCCESS) {
-                       return result;
-               }
-               INSIST(kasp != NULL);
-               dns_kasp_freeze(kasp);
-               dns_kasp_detach(&kasp);
-       }
        dns_kasp_detach(&default_kasp);
 
        return result;

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 2e39482173e7f33f6121db70125cd99edb1b312a..ee632a98e8891f2d033d8b882dac63f683c80135 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1196,6 +1196,19 @@ map_merge(cfg_obj_t *effectivemap, const cfg_obj_t *defaultmap) {
        }
 }
 
+/*
+ * These are used when merging clauses with CFG_CLAUSEFLAG_MULTI, where
+ * the entries from the user configuration and the default configuration
+ * are added together, rather than the user configuration overriding the
+ * default.  merge_prepend() puts the default configuration at the
+ * beginning of the cloned object (for example, for dnssec-policy), and
+ * merge_append() puts it at the end (for example, for views).
+ */
+static void
+merge_prepend(cfg_obj_t *effectiveobj, const cfg_obj_t *defaultobj) {
+       cfg_list_addclone(effectiveobj, defaultobj, true);
+}
+
 static void
 merge_append(cfg_obj_t *effectiveobj, const cfg_obj_t *defaultobj) {
        cfg_list_addclone(effectiveobj, defaultobj, false);
@@ -1340,7 +1353,8 @@ options_merge(cfg_obj_t *effectiveoptions, const cfg_obj_t *defaultoptions) {
 static cfg_clausedef_t namedconf_clauses[] = {
        { "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
        { "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
-       { "dnssec-policy", &cfg_type_dnssecpolicy, CFG_CLAUSEFLAG_MULTI },
+       { "dnssec-policy", &cfg_type_dnssecpolicy, CFG_CLAUSEFLAG_MULTI,
+         merge_prepend },
 #if HAVE_LIBNGHTTP2
        { "http", &cfg_type_http_description,
          CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OPTIONAL },