From f554cda1274b82e6acc063c95b1a99bc178253be Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Fri, 7 Feb 2025 10:41:05 +0100
Subject: [PATCH] Do a consistency check of the recurse flag for the forward_zones case

---
 pdns/recursordist/settings/rust/src/bridge.rs | 15 ++++++++++++++-
 pdns/recursordist/settings/table.py | 4 ++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/pdns/recursordist/settings/rust/src/bridge.rs b/pdns/recursordist/settings/rust/src/bridge.rs
index 8b47796d68..2ca152d15d 100644
--- a/pdns/recursordist/settings/rust/src/bridge.rs
+++ b/pdns/recursordist/settings/rust/src/bridge.rs
@@ -302,7 +302,20 @@ impl ForwardZone {
 &(field.to_owned() + ".forwarders"),
 &self.forwarders,
 validate_socket_address_or_name,
- )
+ )?;
+
+ let expected = match field {
+ "recursor.forward_zones" => Some(false),
+ // We cannot do the check below here as the override to true takes place later, the validation
+ // is run immediately after parsing
+ // "recursor.forward_zones_recurse" => Some(true),
+ _ => None,
+ };
+ if expected.is_some() && self.recurse != expected.unwrap() {
+ let msg = format!("{}.recurse has wrong value in this context", field);
+ return Err(ValidationError { msg });
+ }
+ Ok(())
 }

 fn to_yaml_map(&self) -> serde_yaml::Value {
diff --git a/pdns/recursordist/settings/table.py b/pdns/recursordist/settings/table.py
index d3fbc671d0..8a4b912eb7 100644
--- a/pdns/recursordist/settings/table.py
+++ b/pdns/recursordist/settings/table.py
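Review bot: The new check's error text only says `recurse has wrong value in this context`, so an operator whose configuration is rejected is not told that the field is fixed to `false` under `recursor.forward_zones`; including the expected value, and replacing the `is_some()`/`unwrap()` pair with a pattern match, gives `if let Some(expected) = expected.filter(|&e| e != self.recurse) { return Err(ValidationError { msg: format!("{}.recurse must be {} in this context", field, expected) }); }`. The commented-out `recursor.forward_zones_recurse` arm also means that, going by the comment above it, an explicit `recurse: false` in that section is not rejected but apparently overridden to `true` after validation; a short comment on that arm, e.g. `// an explicit recurse: false here is overridden to true later, not rejected`, would make the asymmetry between the two sections deliberate rather than surprising to the next reader. The enclosing method starts outside the hunk, so the `field` strings it is called with are not visible here.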
@@ -1106,9 +1106,9 @@ To forward to a recursive resolver use :ref:`setting-yaml-recursor.forward_zones .. warning:: When using DNSSEC validation (which is default), forwards to non-delegated (e.g. internal) zones that have a DNSSEC signed parent zone will validate as ``Bogus``. To prevent this, add a Negative Trust Anchor (NTA) for this zone in the :ref:`setting-lua-config-file` with :func:`addNTA`. - If this forwarded zone is signed, instead of adding NTA, add the DS record to the :ref:`setting-lua-config-file` usinf :fun:adTA`. + If this forwarded zone is signed, instead of adding NTA, add the DS record to the :ref:`setting-lua-config-file` using :fun:adTA`. See the :doc:`dnssec` information. - When using trust anchors listend in YAML, use the :ref:`setting-yaml-dnssec.trustanchors` and :ref:`setting-yaml-dnssec.negative_trustanchors` clauses. + When using trust anchors listed in a YAML settings file, use the :ref:`setting-yaml-dnssec.trustanchors` and :ref:`setting-yaml-dnssec.negative_trustanchors` clauses. .. note:: The ``recurse`` field of a `Forward Zone`_ is fixed to ``false`` in the context of :ref:`setting-yaml-recursor.forward_zones`. -- 2.47.2
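Review bot: The added line that fixes `usinf` still carries a broken Sphinx reference, `:fun:adTA\``: the role name is `:func:` (as used for `addNTA` on the previous line) and the target is missing its opening backtick, so the rendered docs will show raw markup instead of a link. Assuming the intended function is `addTA`, the line should read `... add the DS record to the :ref:\`setting-lua-config-file\` using :func:\`addTA\`.`. This is a documentation-only hunk in table.py; the surrounding docstring continues outside it.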