From: Artem Boldariev
Date: Mon, 29 Nov 2021 22:31:36 +0000 (+0200)
Subject: Add 'tls' validation for XoT enabled primaries
X-Git-Tag: v9.17.21~10^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69cef39099c75f3acf78c295d4bf7c212c446b16;p=thirdparty%2Fbind9.git

Add 'tls' validation for XoT enabled primaries

This commit ensure that the 'tls' name specified in the 'primaries' clause of a 'zone' statement is a valid one. Prior to that such a name would be silently accepted, leading to silent XFRs-via-TLS failures.
---
diff --git a/bin/tests/system/checkconf/bad-dot-primaries.conf b/bin/tests/system/checkconf/bad-dot-primaries.conf
new file mode 100644
index 00000000000..6a4cadee6b1
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-primaries.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls undefined; };
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
new file mode 100644
index 00000000000..fbb9b98b392
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls ephemeral; };
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries.conf b/bin/tests/system/checkconf/good-dot-primaries.conf
new file mode 100644
index 00000000000..3fbe2891775
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-primaries.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls local-tls; };
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 1130983732c..715d9fd9dfb 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2434,6 +2434,22 @@ resume:
 result = tresult;
 }
 }
+
+ if (strcasecmp(str, "ephemeral") != 0) {
+ const cfg_obj_t *tlsmap = NULL;
+
+ tlsmap = find_maplist(config, "tls",
+ str);
+ if (tlsmap == NULL) {
+ cfg_obj_log(
+ tls, logctx,
+ ISC_LOG_ERROR,
+ "tls '%s' is not "
+ "defined",
+ cfg_obj_asstring(tls));
+ result = ISC_R_FAILURE;
+ }
+ }
 }
 continue;
 }
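Review bot: `tlsmap` is initialised to `NULL` and then overwritten by the very next statement; the lookup can initialise it directly, `const cfg_obj_t *tlsmap = find_maplist(config, "tls", str);`, which drops the dead initialiser and the blank line between them. The `cfg_obj_log()` call formats `cfg_obj_asstring(tls)` while the comparison and the lookup both use `str`; if `str` was derived from `tls` earlier in the function (not visible in this hunk), passing `str` keeps the error message tied to the exact value that was looked up. The reserved name is matched with `strcasecmp()`, so `EPHEMERAL` skips the lookup, but whether `find_maplist()` matches `tls` map names case-insensitively as well cannot be seen here; if it is case-sensitive, a differently-cased reference to a defined map would be rejected by this check, so the two comparisons are worth aligning. The enclosing function starts and ends outside the hunk.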