From: Petr Špaček Date: Wed, 5 Oct 2022 12:44:09 +0000 (+0200) Subject: Clarify error message about missing inline-signing & dnssec-policy X-Git-Tag: v9.19.6~3^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=058c1744bac8317be57724ff0f235ee1e8a7438e;p=thirdparty%2Fbind9.git Clarify error message about missing inline-signing & dnssec-policy
---
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index c42f673a8b8..f32e6266c14 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -492,7 +492,7 @@ n=`expr $n + 1`
 echo_i "checking named-checkconf kasp errors ($n)"
 ret=0
 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
-grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1
+grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
 grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 2ddd90b2706..99b41c051a3 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3450,11 +3450,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 if (has_dnssecpolicy) {
 if (!ddns && !signing) {
 cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
- "'dnssec-policy;' requires%s "
- "inline-signing to be configured "
- "for the zone",
+ "'inline-signing yes;' must also "
+ "be configured explicitly for "
+ "zones using dnssec-policy%s. See "
+ "https://kb.isc.org/docs/"
+ "dnssec-policy-requires-dynamic-"
+ "dns-or-inline-signing",
 (ztype == CFG_ZONE_PRIMARY)
- ? " dynamic DNS or"
+ ? " without a configured "
+ "'allow-update' or "
+ "'update-policy'"
 : "");
 result = ISC_R_FAILURE;
 }
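Review bot: The knowledge-base URL in the new `cfg_obj_log()` format string is split across three adjacent literals (`"https://kb.isc.org/docs/"`, `"dnssec-policy-requires-dynamic-"`, `"dns-or-inline-signing"`), so a grep for the full link finds nothing in the tree and a typo at one of the seams would be easy to miss. Keeping it in a single literal, even if that exceeds the line-length limit, makes it searchable and easy to update: `"https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing",`. The updated grep in bin/tests/system/checkconf/tests.sh ends at `'update-policy'`, before the "See" part, so the link text is not covered by the test either. The primary-zone wording names 'allow-update' and 'update-policy', but how `ddns` is computed lies outside this hunk (check_zoneconf starts and ends beyond it), so it is worth confirming that `ddns` reflects exactly those two options.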