isc_buffer_constinit(&b, common_named_defaultconf,
sizeof(common_named_defaultconf) - 1);
isc_buffer_add(&b, sizeof(common_named_defaultconf) - 1);
- return cfg_parse_buffer(isc_g_mctx, &b, __FILE__, 0,
- &cfg_type_namedconf,
- CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE |
- CFG_PCTX_NOEXPERIMENTAL,
- conf);
+ return cfg_parse_buffer(
+ isc_g_mctx, &b, __FILE__, 0, &cfg_type_namedconf,
+ CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE |
+ CFG_PCTX_NOEXPERIMENTAL | CFG_PCTX_BUILTIN,
+ conf);
}
isc_result_t
"from '%s'",
view->name, named_g_bindkeysfile);
- (void)cfg_map_get(bindkeys, "trust-anchors",
- &builtin_keys);
+ CHECK(cfg_map_get(bindkeys, "trust-anchors",
+ &builtin_keys));
if (builtin_keys == NULL) {
isc_log_write(DNS_LOGCATEGORY_SECURITY,
"using built-in root key for view %s",
view->name);
- (void)cfg_map_get(config, "trust-anchors",
- &builtin_keys);
+ CHECK(cfg_map_get(config, "builtin-trust-anchors",
+ &builtin_keys));
}
if (builtin_keys != NULL) {
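Review bot: Wrapping the first lookup in CHECK() changes control flow in a way the fallback below does not expect: if cfg_map_get() reports an absent "trust-anchors" clause as a non-success result (the previous `(void)` cast suggests it can), a bindkeys file that simply lacks that clause now jumps to cleanup instead of reaching the `if (builtin_keys == NULL)` branch that falls back to the compiled-in "builtin-trust-anchors". That would turn a previously tolerated configuration into a hard failure without a clear message. Either keep the first call unchecked, or treat not-found explicitly: `result = cfg_map_get(bindkeys, "trust-anchors", &builtin_keys);` / `if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { goto cleanup; }`. The enclosing function starts and ends outside this hunk, so I cannot see whether `result` is already declared or what the cleanup label resets.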
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+};
+
+builtin-trust-anchors {
+};
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.
-trust-anchors {
+builtin-trust-anchors {
# This key (20326) was published in the root zone in 2017, and
# is scheduled to be phased out starting in 2025. It will remain
# in the root zone until some time after its successor key has
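Review bot: Renaming this clause to `builtin-trust-anchors` means the file can no longer be parsed as an ordinary configuration, because elsewhere in this commit that clause is marked CFG_CLAUSEFLAG_BUILTINONLY and rejected unless the parser runs with CFG_PCTX_BUILTIN. If this same file is also installed for operators to point `bindkeys-file` at (the server code in this commit still looks up a plain "trust-anchors" clause in that file), such a setup would now fail with "option 'builtin-trust-anchors' is allowed in the builtin configuration only". If the file is only ever compiled into the binary, a comment above the clause saying so would prevent that confusion: `# This clause is only valid in the built-in configuration compiled into named.`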
/*% Clause has been obsolete so long that it's now a fatal error */
CFG_CLAUSEFLAG_ANCIENT = 1 << 9,
+
+ /*% Clause allowed in the builtin configuration only */
+ CFG_CLAUSEFLAG_BUILTINONLY = 1 << 10,
};
/*%
#define CFG_PCTX_NOOBSOLETE (1 << 2)
#define CFG_PCTX_NOEXPERIMENTAL (1 << 3)
#define CFG_PCTX_ALLCONFIGS (1 << 4)
+#define CFG_PCTX_BUILTIN (1 << 5)
/*@{*/
/*%
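Review bot: The new `CFG_PCTX_BUILTIN` flag is the only entry in this list without a description of what it changes, while its effect is concrete (it is what allows clauses flagged CFG_CLAUSEFLAG_BUILTINONLY to parse). A trailing comment in the file's style would make the contract visible at the declaration: `#define CFG_PCTX_BUILTIN (1 << 5) /*%< parsing the built-in configuration; accept CFG_CLAUSEFLAG_BUILTINONLY clauses */`. Callers parsing operator-supplied files should never set it, which is worth stating there as well.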
&cfg_rep_list,
&cfg_type_managedkey };
+cfg_type_t cfg_type_builtin_dnsseckeys = {
+ "builtin-dnsseckeys", cfg_parse_bracketed_list, NULL, NULL,
+ &cfg_rep_list, &cfg_type_managedkey
+};
+
/*%
* A list of key entries, used in a DNSSEC Key and Signing Policy.
*/
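Review bot: `cfg_type_builtin_dnsseckeys` has no `/*% ... */` description, unlike the neighbouring types in this file. Its initializer also appears to match the one ending just above it apart from the name string, so a comment should say why a distinct type exists (presumably so the builtin-only clause gets its own name in parser messages and documentation). Suggested text: `/*% A list of trust anchors, accepted only in the built-in configuration ("builtin-trust-anchors"). */`.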
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif
{ "template", &cfg_type_template, CFG_CLAUSEFLAG_MULTI },
+ { "builtin-trust-anchors", &cfg_type_builtin_dnsseckeys,
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_BUILTINONLY |
+ CFG_CLAUSEFLAG_NODOC },
{ "tls", &cfg_type_tlsconf, CFG_CLAUSEFLAG_MULTI },
{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI, merge_append },
{ NULL, NULL, 0 }
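Review bot: The new "builtin-trust-anchors" entry is placed between "template" and "tls", which breaks the ordering the visible part of this table seems to follow (template, tls, view); if the table is kept alphabetical it belongs near the top with the other "b" entries. Independently of placement, the combination `CFG_CLAUSEFLAG_BUILTINONLY | CFG_CLAUSEFLAG_NODOC` deserves a one-line comment, since a reader will otherwise wonder why a trust-anchor clause is undocumented: `/* builtin-only: parsed from the compiled-in defaults, never from user files */`.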
#define REQUIRE_PCTX_FLAGS(flags) \
REQUIRE((flags & ~(CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE | \
- CFG_PCTX_NOEXPERIMENTAL)) == 0)
+ CFG_PCTX_NOEXPERIMENTAL | CFG_PCTX_BUILTIN)) == 0)
isc_result_t
cfg_parse_file(isc_mem_t *mctx, const char *filename, const cfg_type_t *type,
clause->name);
CHECK(ISC_R_FAILURE);
}
+ if ((pctx->flags & CFG_PCTX_BUILTIN) == 0 &&
+ (clause->flags & CFG_CLAUSEFLAG_BUILTINONLY) != 0)
+ {
+ cfg_parser_error(pctx, 0,
+ "option '%s' is allowed in the "
+ "builtin configuration only",
+ clause->name);
+ CHECK(ISC_R_FAILURE);
+ }
/* Issue warnings if appropriate */
if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0 &&
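Review bot: The new rejection block mirrors the ancient-clause check above it but carries no comment explaining the intent, and the flag pair it tests is defined in two different headers. A short comment would help the next reader: `/* Clauses reserved for the built-in configuration are rejected unless the parser was started with CFG_PCTX_BUILTIN, so operator-supplied files cannot set them. */`. The enclosing function starts and ends outside this hunk, so I cannot confirm whether `pctx->flags` is also propagated to files pulled in via include directives; if it is not, builtin-only clauses in an included file would be rejected even during a builtin parse, which may or may not be intended.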
for (clause = *clauseset; clause->name != NULL; clause++) {
isc_result_t result;
+
+ if ((clause->flags & CFG_CLAUSEFLAG_BUILTINONLY) != 0) {
+ continue;
+ }
+
result = isc_symtab_lookup(obj->value.map.symtab,
clause->name,
SYMTAB_DUMMY_TYPE, &symval);
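Review bot: The `continue` skips every CFG_CLAUSEFLAG_BUILTINONLY clause unconditionally, whereas the parser-side check in this commit is conditioned on CFG_PCTX_BUILTIN. If whatever this loop enforces for the remaining clauses (it looks up each clause name in the map's symtab) should also hold for the built-in configuration, the skip should likewise depend on the parse context, e.g. `if ((clause->flags & CFG_CLAUSEFLAG_BUILTINONLY) != 0 && (pctx->flags & CFG_PCTX_BUILTIN) == 0)` — assuming `pctx` is reachable here. A one-line comment stating why builtin-only clauses are excluded from this pass would settle the question either way. The enclosing function starts outside this hunk.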