Add 'tls' validation for XoT enabled primaries
authorArtem Boldariev <artem@boldariev.com>
Mon, 29 Nov 2021 22:31:36 +0000 (00:31 +0200)
committerArtem Boldariev <artem@boldariev.com>
Wed, 1 Dec 2021 10:00:29 +0000 (12:00 +0200)
This commit ensures that the 'tls' name specified in the 'primaries'
clause of a 'zone' statement is a valid one.

Prior to that such a name would be silently accepted, leading to
silent XFRs-via-TLS failures.

bin/tests/system/checkconf/bad-dot-primaries.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-dot-primaries.conf [new file with mode: 0644]
lib/bind9/check.c

diff --git a/bin/tests/system/checkconf/bad-dot-primaries.conf b/bin/tests/system/checkconf/bad-dot-primaries.conf
new file mode 100644 (file)
index 0000000..6a4cade
--- /dev/null
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+       type secondary;
+       primaries { 10.53.0.1 tls undefined; };
+       file "example.db";
+       allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
new file mode 100644 (file)
index 0000000..fbb9b98
--- /dev/null
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+       type secondary;
+       primaries { 10.53.0.1 tls ephemeral; };
+       file "example.db";
+       allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries.conf b/bin/tests/system/checkconf/good-dot-primaries.conf
new file mode 100644 (file)
index 0000000..3fbe289
--- /dev/null
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+       protocols { TLSv1.2; };
+       ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+       prefer-server-ciphers no;
+};
+
+zone "example" {
+       type secondary;
+       primaries { 10.53.0.1 tls local-tls; };
+       file "example.db";
+       allow-transfer { any; };
+};
index 1130983732ca4710ab447906b8c29a8c80662369..715d9fd9dfb61846f1c1a1027d18785861e639f9 100644 (file)
@@ -2434,6 +2434,22 @@ resume:
                                                result = tresult;
                                        }
                                }
+
+                               if (strcasecmp(str, "ephemeral") != 0) {
+                                       const cfg_obj_t *tlsmap = NULL;
+
+                                       tlsmap = find_maplist(config, "tls",
+                                                             str);
+                                       if (tlsmap == NULL) {
+                                               cfg_obj_log(
+                                                       tls, logctx,
+                                                       ISC_LOG_ERROR,
+                                                       "tls '%s' is not "
+                                                       "defined",
+                                                       cfg_obj_asstring(tls));
+                                               result = ISC_R_FAILURE;
+                                       }
+                               }
                        }
                        continue;
                }
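Review bot: The `strcasecmp(str, "ephemeral")` guard accepts any capitalisation of the built-in profile name, while the `find_maplist(config, "tls", str)` lookup that follows and the runtime resolution of `ephemeral` may be case-sensitive; if they are, a spelling such as `Ephemeral` passes named-checkconf but still fails at transfer time, which is exactly the silent failure this commit sets out to remove, so it is worth confirming how find_maplist matches names and using one comparison rule in both places. The error log passes `cfg_obj_asstring(tls)` while the lookup uses `str`; assuming `str` was derived from `tls` above the hunk, using `str` in both calls keeps the reported name and the looked-up name from diverging. The NULL-then-assign on `tlsmap` can be collapsed to `const cfg_obj_t *tlsmap = find_maplist(config, "tls", str);`. The enclosing function (the section after the `resume:` label) starts and ends outside the hunk, so whether `config` can be NULL on this path is not visible here; if it can, the lookup needs a guard.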