dnssec-policy now requires inline-signing

author Matthijs Mekking <matthijs@isc.org>

Tue, 7 Jun 2022 12:46:05 +0000 (14:46 +0200)

committer Matthijs Mekking <matthijs@isc.org>

Mon, 15 Aug 2022 08:05:39 +0000 (10:05 +0200)
author Matthijs Mekking <matthijs@isc.org>
Tue, 7 Jun 2022 12:46:05 +0000 (14:46 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Mon, 15 Aug 2022 08:05:39 +0000 (10:05 +0200)
diff --git a/lib/bind9/check.c b/lib/bind9/check.c

index 3cad314ad810f0719cebffea5e434445ebfe584d..f24d02c02dd7ebe48fff7ac88cbe0bf072f649b5 100644 (file)
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2851,7 +2851,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
         const char *target = NULL;
         unsigned int ztype;
         const cfg_obj_t *zoptions, *goptions = NULL;
-       const cfg_obj_t *obj = NULL;
+       const cfg_obj_t *obj = NULL, *kasp = NULL;
         const cfg_obj_t *inviewobj = NULL;
         isc_result_t result = ISC_R_SUCCESS;
         isc_result_t tresult;
@@ -3140,6 +3140,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                                 }
                         }
                 }
+               if (has_dnssecpolicy) {
+                       kasp = obj;
+               }
         }
  
         /*
@@ -3440,12 +3443,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                 res1 = cfg_map_get(zoptions, "inline-signing", &obj);
                 if (res1 == ISC_R_SUCCESS) {
                         signing = cfg_obj_asboolean(obj);
-                       if (has_dnssecpolicy && !ddns && !signing) {
-                               cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-                                           "'inline-signing;' cannot be set "
-                                           "to 'no' "
-                                           "if dnssec-policy is also set on a "
-                                           "non-dynamic DNS zone");
+               }
+
+               if (has_dnssecpolicy) {
+                       if (!ddns && !signing) {
+                               cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
+                                           "'dnssec-policy;' requires%s "
+                                           "inline-signing to be configured "
+                                           "for the zone",
+                                           (ztype == CFG_ZONE_PRIMARY)
+                                                   ? " dynamic DNS or"
+                                                   : "");
                                 result = ISC_R_FAILURE;
                         }
                 }
@@ -3457,7 +3465,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                         arg = cfg_obj_asstring(obj);
                 }
                 if (strcasecmp(arg, "off") != 0) {
-                       if (!ddns && !signing && strcasecmp(arg, "off") != 0) {
+                       if (!ddns && !signing && !has_dnssecpolicy) {
                                 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
                                             "'auto-dnssec %s;' requires%s "
                                             "inline-signing to be configured "
@@ -3469,7 +3477,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                                 result = ISC_R_FAILURE;
                         }
  
-                       if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) {
+                       if (has_dnssecpolicy) {
                                 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
                                             "'auto-dnssec %s;' cannot be "
                                             "configured if dnssec-policy is "
author	Matthijs Mekking <matthijs@isc.org>
	Tue, 7 Jun 2022 12:46:05 +0000 (14:46 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Mon, 15 Aug 2022 08:05:39 +0000 (10:05 +0200)