From: Colin Vidal
Date: Mon, 13 Oct 2025 14:00:17 +0000 (+0200)
Subject: introduce default config builtin-root-anchors
X-Git-Tag: v9.21.15~22^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ff1b7ef21e0193cd53ad0504264f9fe95900af6;p=thirdparty%2Fbind9.git
introduce default config builtin-root-anchors
Since the effective configuration tree is a "merged" configuration tree from the user and the default configurations, the effective configuration provides a unique configuration tree used by apply_confiuration() to configure the server. However, there is one specific case where the configuration code needs to differentiate whether the configuration originally came from the default or the user configuration: the trust-anchors. This is because the default trust-anchors _have_ to be those for the root zone, and the one provided by the user can be for any zone. A check enforces this. In order to keep this difference visible from the configuration code, with a unique configuration tree, we now introduce a default-only `builtin-trust-anchors` statement which holds the builtin root trust-anchors. It can't be used from the user configuration (this would raise an error), hence it is not documented.
---
diff --git a/bin/named/config.c b/bin/named/config.c
index ab4bbe33cc3..05c832798a1 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -55,11 +55,11 @@ named_config_parsedefaults(cfg_obj_t **conf) {
 isc_buffer_constinit(&b, common_named_defaultconf,
 sizeof(common_named_defaultconf) - 1);
 isc_buffer_add(&b, sizeof(common_named_defaultconf) - 1);
- return cfg_parse_buffer(isc_g_mctx, &b, __FILE__, 0,
- &cfg_type_namedconf,
- CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE |
- CFG_PCTX_NOEXPERIMENTAL,
- conf);
+ return cfg_parse_buffer(
+ isc_g_mctx, &b, __FILE__, 0, &cfg_type_namedconf,
+ CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE |
+ CFG_PCTX_NOEXPERIMENTAL | CFG_PCTX_BUILTIN,
+ conf);
 }
 
 isc_result_t
diff --git a/bin/named/server.c b/bin/named/server.c
index 39f9bbd5756..61cc44cca30 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1140,8 +1140,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 "from '%s'",
 view->name, named_g_bindkeysfile);
 
- (void)cfg_map_get(bindkeys, "trust-anchors",
- &builtin_keys);
+ CHECK(cfg_map_get(bindkeys, "trust-anchors",
+ &builtin_keys));
 
 if (builtin_keys == NULL) {
 isc_log_write(DNS_LOGCATEGORY_SECURITY,
@@ -1159,8 +1159,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 "using built-in root key for view %s",
 view->name);
 
- (void)cfg_map_get(config, "trust-anchors",
- &builtin_keys);
+ CHECK(cfg_map_get(config, "builtin-trust-anchors",
+ &builtin_keys));
 }
 
 if (builtin_keys != NULL) {
diff --git a/bin/tests/system/checkconf/bad-builtin-trustanchors.conf b/bin/tests/system/checkconf/bad-builtin-trustanchors.conf
new file mode 100644
index 00000000000..1c12eb0616f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-builtin-trustanchors.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+};
+
+builtin-trust-anchors {
+};
diff --git a/bind.keys b/bind.keys
index 4cead78f165..3c495b4bfa9 100644
--- a/bind.keys
+++ b/bind.keys
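Review bot: Wrapping `cfg_map_get(bindkeys, "trust-anchors", &builtin_keys)` in CHECK() makes the `if (builtin_keys == NULL)` fallback right below it unreachable for the absent-clause case, if cfg_map_get reports a missing clause as ISC_R_NOTFOUND rather than succeeding with a NULL object: the error path now jumps to cleanup before the "using built-in root key" branch can run, whereas the old `(void)` form deliberately tolerated the miss. The same applies to the second hunk's `CHECK(cfg_map_get(config, "builtin-trust-anchors", &builtin_keys))`, where a default configuration lacking the clause would abort view configuration instead of leaving builtin_keys NULL for the `if (builtin_keys != NULL)` check that follows. If the intent is to fail hard when the anchors are missing, the now-dead NULL branches should be removed and the intent stated in a comment; otherwise keep a tolerant form such as `result = cfg_map_get(bindkeys, "trust-anchors", &builtin_keys); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { CHECK(result); }`. configure_view_dnsseckeys starts and ends outside both hunks, so I cannot see whether cleanup distinguishes these results.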
@@ -20,7 +20,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust
 # anchor information for the root zone.
 
-trust-anchors {
+builtin-trust-anchors {
 # This key (20326) was published in the root zone in 2017, and
 # is scheduled to be phased out starting in 2025. It will remain
 # in the root zone until some time after its successor key has
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index 068d4120fdf..03e52ae7263 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -64,6 +64,9 @@ enum {
 
 /*% Clause has been obsolete so long that it's now a fatal error */
 CFG_CLAUSEFLAG_ANCIENT = 1 << 9,
+
+ /*% Clause allowed in the builtin configuration only */
+ CFG_CLAUSEFLAG_BUILTINONLY = 1 << 10,
 };
 
 /*%
@@ -288,6 +291,7 @@ struct cfg_parser {
 #define CFG_PCTX_NOOBSOLETE (1 << 2)
 #define CFG_PCTX_NOEXPERIMENTAL (1 << 3)
 #define CFG_PCTX_ALLCONFIGS (1 << 4)
+#define CFG_PCTX_BUILTIN (1 << 5)
 
 /*@{*/
 /*%
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 37fb30eb92d..19825db929c 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -910,6 +910,11 @@ static cfg_type_t cfg_type_dnsseckeys = {
 "dnsseckeys", &cfg_rep_list, &cfg_type_managedkey
 };
 
+cfg_type_t cfg_type_builtin_dnsseckeys = {
+ "builtin-dnsseckeys", cfg_parse_bracketed_list, NULL, NULL,
+ &cfg_rep_list, &cfg_type_managedkey
+};
+
 /*%
 * A list of key entries, used in a DNSSEC Key and Signing Policy.
 */
@@ -1381,6 +1386,9 @@ static cfg_clausedef_t namedconf_clauses[] = {
 CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif
 { "template", &cfg_type_template, CFG_CLAUSEFLAG_MULTI },
+ { "builtin-trust-anchors", &cfg_type_builtin_dnsseckeys,
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_BUILTINONLY |
+ CFG_CLAUSEFLAG_NODOC },
 { "tls", &cfg_type_tlsconf, CFG_CLAUSEFLAG_MULTI },
 { "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI, merge_append },
 { NULL, NULL, 0 }
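Review bot: Renaming the clause in bind.keys to `builtin-trust-anchors` is only safe if this file is consumed solely as compiled-in input, because the server.c hunk that reads the file named by named_g_bindkeysfile still looks up `trust-anchors` in it and that file is not parsed with CFG_PCTX_BUILTIN, so a copy of this file installed as the bindkeys-file would now be rejected by the new "allowed in the builtin configuration only" error or yield no anchors. I cannot see from the diff how bind.keys is embedded into the defaults; if it is also installed on disk, the file-reading path needs either the flag or a separate file that keeps the old clause name. A comment above the clause stating that this name is understood only by the compiled-in defaults would also stop users from copying it into named.conf.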
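Review bot: `CFG_PCTX_BUILTIN` carries no comment, although it is the flag that unlocks CFG_CLAUSEFLAG_BUILTINONLY clauses and so decides whether a parsed text is trusted as built-in configuration; a one-line `/*% Parsing the compiled-in default configuration: accept CFG_CLAUSEFLAG_BUILTINONLY clauses. Must not be set for user-supplied files. */` next to the define would make that contract visible to every cfg_parse_* caller. It is also worth noting there that the REQUIRE_PCTX_FLAGS mask in parser.c has to be kept in step with this list, since this commit had to extend it by hand.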
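Review bot: `cfg_type_builtin_dnsseckeys` is defined with external linkage while its sibling `cfg_type_dnsseckeys` directly above is `static`; unless a header declares it, this is a file-private table and should read `static cfg_type_t cfg_type_builtin_dnsseckeys = {` so it matches the neighbouring definition and does not become an undeclared exported symbol (the kind -Wmissing-variable-declarations reports). If it is meant to be used from bin/named, the extern declaration belongs in the isccfg header instead. A short `/*% List of builtin root trust anchors; only valid in the builtin configuration */` above it, in the style of the surrounding type comments, would also document why a second list type with the same element type exists.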
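Review bot: The new `builtin-trust-anchors` entry is inserted between `template` and `tls`, while the surrounding entries appear to be kept in alphabetical order; placing it with the other clauses starting with "b" earlier in namedconf_clauses would keep the table sorted. Because the clause is CFG_CLAUSEFLAG_NODOC, a comment on the entry such as `/* builtin root trust anchors (see bind.keys); rejected in user configuration */` would be the only place its purpose is recorded for maintainers.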
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 646471e52b7..3be2772f945 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -801,7 +801,7 @@ cleanup:
 
 #define REQUIRE_PCTX_FLAGS(flags) \
 REQUIRE((flags & ~(CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE | \
- CFG_PCTX_NOEXPERIMENTAL)) == 0)
+ CFG_PCTX_NOEXPERIMENTAL | CFG_PCTX_BUILTIN)) == 0)
 
 isc_result_t
 cfg_parse_file(isc_mem_t *mctx, const char *filename, const cfg_type_t *type,
@@ -2461,6 +2461,15 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 clause->name);
 CHECK(ISC_R_FAILURE);
 }
+ if ((pctx->flags & CFG_PCTX_BUILTIN) == 0 &&
+ (clause->flags & CFG_CLAUSEFLAG_BUILTINONLY) != 0)
+ {
+ cfg_parser_error(pctx, 0,
+ "option '%s' is allowed in the "
+ "builtin configuration only",
+ clause->name);
+ CHECK(ISC_R_FAILURE);
+ }
 
 /* Issue warnings if appropriate */
 if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0 &&
@@ -2698,6 +2707,11 @@ cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 for (clause = *clauseset; clause->name != NULL; clause++) {
 isc_result_t result;
+
+ if ((clause->flags & CFG_CLAUSEFLAG_BUILTINONLY) != 0) {
+ continue;
+ }
+
 result = isc_symtab_lookup(obj->value.map.symtab,
 clause->name, SYMTAB_DUMMY_TYPE, &symval);