From: Ondřej Surý Date: Wed, 29 Apr 2026 13:08:20 +0000 (+0200) Subject: Drop unused DNS_MASTER_NOINCLUDE and warn about untrusted zone text X-Git-Tag: v9.21.22~45^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=746fb2836956713123d065a1ae6c12aef547972d;p=thirdparty%2Fbind9.git Drop unused DNS_MASTER_NOINCLUDE and warn about untrusted zone text DNS_MASTER_NOINCLUDE was defined to suppress $INCLUDE processing, but no caller ever set it, so the guarded code path was dead and the flag gave the false impression that named-checkzone could be hardened against untrusted input. The zone-file parser cannot safely read text from a less-trusted source than the user running the tool: $INCLUDE opens any local file readable by that user, and fragments of its contents leak through tokenizer error messages. Rather than wire up an opt-in flag that suggests this is a supported mode, remove the dead flag and the dead guard, and document in the named-checkzone and named-compilezone manual pages that these tools must not be run on zone text from an untrusted source. Assisted-by: Claude:claude-opus-4-7 --- diff --git a/bin/check/named-checkzone.rst b/bin/check/named-checkzone.rst index a58cfb7a144..2e57020769f 100644 --- a/bin/check/named-checkzone.rst +++ b/bin/check/named-checkzone.rst @@ -33,6 +33,16 @@ performs the same checks as :iscman:`named` does when loading a zone. This makes :program:`named-checkzone` useful for checking zone files before configuring them into a name server. +.. warning:: + + :program:`named-checkzone` must not be run on zone text from an + untrusted source. Zone files may contain ``$INCLUDE`` directives, + which cause the parser to read arbitrary files readable by the + invoking user; fragments of those files can leak through parser + error messages. Run the tool only on zone text whose author you + trust, or under a dedicated unprivileged user with no access to + sensitive files. + Options ~~~~~~~ 
diff --git a/bin/check/named-compilezone.rst b/bin/check/named-compilezone.rst index c0678261941..c9b64c5e256 100644 --- a/bin/check/named-compilezone.rst +++ b/bin/check/named-compilezone.rst @@ -41,6 +41,16 @@ Running :program:`named-checkzone` on the input prior to compiling will ensure that the zone compiles with the default requirements of :iscman:`named`. +.. warning:: + + :program:`named-compilezone` must not be run on zone text from an + untrusted source. Zone files may contain ``$INCLUDE`` directives, + which cause the parser to read arbitrary files readable by the + invoking user; fragments of those files can leak through parser + error messages. Run the tool only on zone text whose author you + trust, or under a dedicated unprivileged user with no access to + sensitive files. + Options ~~~~~~~ diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h index 59060d990e6..786efafb055 100644 --- a/lib/dns/include/dns/master.h +++ b/lib/dns/include/dns/master.h @@ -31,7 +31,6 @@ #define DNS_MASTER_MANYERRORS \ 0x00000002 /*%< Continue processing on errors. \ */ -#define DNS_MASTER_NOINCLUDE 0x00000004 /*%< Disallow $INCLUDE directives. */ #define DNS_MASTER_ZONE 0x00000008 /*%< Loading a zone master file. */ #define DNS_MASTER_HINT 0x00000010 /*%< Loading a hint master file. */ #define DNS_MASTER_SECONDARY 0x00000020 /*%< Secondary master file. */ diff --git a/lib/dns/master.c b/lib/dns/master.c index 4974999eeb6..c1f5fa9a279 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -1145,17 +1145,6 @@ load_text(dns_loadctx_t *lctx) { 0) { COMMITALL; - if ((lctx->options & DNS_MASTER_NOINCLUDE) != 0) - { - (callbacks->error)(callbacks, - "%s: %s:%lu: " - "$INCLUDE not " - "allowed", - "dns_master_load", - source, line); - result = DNS_R_REFUSED; - goto insist_and_cleanup; - } if (ttl_offset != 0) { (callbacks->error)(callbacks, "%s: %s:%lu: "
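Review bot: the warning block added to named-checkzone.rst and the one added to named-compilezone.rst are byte-for-byte copies, so the two manual pages will drift the next time one of them is edited; keep the text in a single RST fragment pulled in from both pages with `.. include::` (or a substitution) instead of duplicating it. The block also opens with "must not be run on zone text from an untrusted source" and then closes by offering "under a dedicated unprivileged user with no access to sensitive files" as an acceptable way to do exactly that; pick one message (a hard prohibition, or "only under a dedicated unprivileged user") so the mitigation is not read as blanket permission.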
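Review bot: deleting `#define DNS_MASTER_NOINCLUDE 0x00000004` from the public header lib/dns/include/dns/master.h leaves bit 0x00000004 unassigned between DNS_MASTER_MANYERRORS (0x00000002) and DNS_MASTER_ZONE (0x00000008); add a one-line comment marking the bit as retired so a later flag does not reuse a value that out-of-tree code built against older headers may still pass in `options`. Before merging, confirm that a tree-wide search for DNS_MASTER_NOINCLUDE finds nothing beyond the two sites this patch touches (the header and the guard in load_text), since the commit message's claim that no caller ever set the flag is what makes the removal safe.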
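Review bot: the guard removed from load_text() in lib/dns/master.c was a user of the `insist_and_cleanup` label and of DNS_R_REFUSED; verify that both still have other users in master.c after this hunk, otherwise the build picks up an unused-label warning (fatal under -Werror) and the error code becomes dead in this function. With the guard gone, COMMITALL is followed directly by the `ttl_offset != 0` check, which matches the commit message's intent that $INCLUDE is always processed.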