Add an option to disable ZONEVERSION responses

The option provide-zoneversion controls whether ZONEVERSION is
returned.  This applies to primary, secondary and mirror zones.

diff --git a/bin/named/config.c b/bin/named/config.c
index d398a92990461da666aaeafcc42f95a3db4d1420..ade302bd74118c54bb00990a5623db371b9e1a72 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -240,6 +240,7 @@ options {\n\
        notify yes;\n\
        notify-delay 5;\n\
        notify-to-soa no;\n\
+       provide-zoneversion yes;\n\
        send-report-channel .;\n\
        serial-update-method increment;\n\
        sig-signing-nodes 100;\n\

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 35f530134450de4e985ffb018ac33fb17ebf372a..cdcf115e70529957c62ef05d5e8ede397f9dcdb2 100644 (file)
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1227,6 +1227,12 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                        dns_zone_setkasp(zone, NULL);
                }
 
+               obj = NULL;
+               result = named_config_get(maps, "provide-zoneversion", &obj);
+               INSIST(result == ISC_R_SUCCESS && obj != NULL);
+               dns_zone_setoption(zone, DNS_ZONEOPT_ZONEVERSION,
+                                  cfg_obj_asboolean(obj));
+
                obj = NULL;
                result = named_config_get(maps, "notify", &obj);
                INSIST(result == ISC_R_SUCCESS && obj != NULL);

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 67cde91d2959baff12b9b565f33a883221916d47..b36725487b465419f05842489b4aa2a688ad2c9c 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2165,6 +2165,14 @@ Boolean Options
    ultimate primary should be set to still send NOTIFY messages to all the name servers
    listed in the NS RRset.
 
+.. namedconf:statement:: provide-zoneversion
+   :tags: transfer
+   :short: Controls the return EDNS ZONEVERSION answers.
+
+   If ``yes`` EDNS ZONEVERSION answers will be returned otherwise
+   not for primary, secondary and mirror zones.  The default is
+   ``yes``.
+
 .. namedconf:statement:: recursion
    :tags: query
    :short: Defines whether recursion and caching are allowed.
@@ -5613,6 +5621,7 @@ and :namedconf:ref:`options` blocks:
    - :namedconf:ref:`notify-source-v6`
    - :namedconf:ref:`notify-source`
    - :namedconf:ref:`provide-ixfr`
+   - :namedconf:ref:`provide-zoneversion`
    - :namedconf:ref:`query-source-v6`
    - :namedconf:ref:`query-source`
    - :namedconf:ref:`request-expire`

diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt
index b1c5c08ea755e4eb4272a1c31a0300945607d557..4db4d9f19b32ab70fb541ad0d57921c46659571a 100644 (file)
--- a/doc/misc/mirror.zoneopt
+++ b/doc/misc/mirror.zoneopt
@@ -33,6 +33,7 @@ zone <string> [ <class> ] {
        notify-source ( <ipv4_address> | * );
        notify-source-v6 ( <ipv6_address> | * );
        primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+       provide-zoneversion <boolean>;
        request-expire <boolean>;
        request-ixfr <boolean>;
        request-ixfr-max-diffs <integer>;

diff --git a/doc/misc/options b/doc/misc/options
index e233c042dc9d05334b161e7b3468c1a5a70f50de..55f4afb3faa835df62ff2f45607bf9e33e12e443 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -226,6 +226,7 @@ options {
        preferred-glue <string>;
        prefetch <integer> [ <integer> ];
        provide-ixfr <boolean>;
+       provide-zoneversion <boolean>;
        qname-minimization ( strict | relaxed | disabled | off );
        query-source [ address ] ( <ipv4_address> | * | none );
        query-source-v6 [ address ] ( <ipv6_address> | * | none );
@@ -511,6 +512,7 @@ view <string> [ <class> ] {
        preferred-glue <string>;
        prefetch <integer> [ <integer> ];
        provide-ixfr <boolean>;
+       provide-zoneversion <boolean>;
        qname-minimization ( strict | relaxed | disabled | off );
        query-source [ address ] ( <ipv4_address> | * | none );
        query-source-v6 [ address ] ( <ipv6_address> | * | none );

diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
index dfa2b796612a99990d61b782cdf3a57e56264f54..28d8dad453f110018a43dca18747db71f5496ef5 100644 (file)
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@@ -51,6 +51,7 @@ zone <string> [ <class> ] {
        parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
        parental-source ( <ipv4_address> | * );
        parental-source-v6 ( <ipv6_address> | * );
+       provide-zoneversion <boolean>;
        send-report-channel <string>;
        serial-update-method ( date | increment | unixtime );
        sig-signing-nodes <integer>;

diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt
index 6fbe1fbaf5f6483952944964ce2a9ce791761e69..08c7008ca21bdf60838390c00b505ccb3d1008fd 100644 (file)
--- a/doc/misc/secondary.zoneopt
+++ b/doc/misc/secondary.zoneopt
@@ -50,6 +50,7 @@ zone <string> [ <class> ] {
        parental-source ( <ipv4_address> | * );
        parental-source-v6 ( <ipv6_address> | * );
        primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+       provide-zoneversion <boolean>;
        request-expire <boolean>;
        request-ixfr <boolean>;
        request-ixfr-max-diffs <integer>;

diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index cec638fe64aa6e30120679d3f2f1b34259b0acc3..a9d8526a7f03f9645a89733b9b3ebdcdfd4b6b9f 100644 (file)
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -102,6 +102,7 @@ typedef enum {
        DNS_ZONEOPT_CHECKTTL = 1 << 28,       /*%< check max-zone-ttl */
        DNS_ZONEOPT_AUTOEMPTY = 1 << 29,      /*%< automatic empty zone */
        DNS_ZONEOPT_CHECKSVCB = 1 << 30,      /*%< check SVBC records */
+       DNS_ZONEOPT_ZONEVERSION = 1U << 31,   /*%< enable zoneversion */
        DNS_ZONEOPT___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
 } dns_zoneopt_t;
 

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 8d4c101f32d385c7556ea8cfe03f349ac676115f..7d16993f1ced81abcbec6e06ca713a5d2fc93565 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1508,7 +1508,8 @@ dns_zone_getzoneversion(dns_zone_t *zone, isc_buffer_t *b) {
 
        LOCK_ZONE(zone);
        ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-       if (zone->db != NULL) {
+       if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEVERSION) && zone->db != NULL)
+       {
                result = dns_db_getzoneversion(zone->db, b);
                if (result == ISC_R_NOTIMPLEMENTED) {
                        result = zone_get_from_db(zone, zone->db, NULL,

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 45649d87701c3c8962602a3e00ef62c672030e91..72b317db159355184536016a2187cef221c22347 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2355,6 +2355,8 @@ static cfg_clausedef_t zone_clauses[] = {
          CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
        { "parental-source-v6", &cfg_type_sockaddr6wild,
          CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+       { "provide-zoneversion", &cfg_type_boolean,
+         CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
        { "send-report-channel", &cfg_type_astring,
          CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
        { "request-expire", &cfg_type_boolean,