From: Aram Sargsyan
Date: Thu, 14 Dec 2023 10:40:05 +0000 (+0000)
Subject: Require trust anchors for 'dnnsec-validation yes'
X-Git-Tag: v9.19.22~61^2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4cdef214d2b13cb0c709579e12fcfda0478c8c20;p=thirdparty%2Fbind9.git

Require trust anchors for 'dnnsec-validation yes'

Using the 'dnssec-validation yes' option now requires an explicitly confgiured 'trust-anchors' statement (or 'managed-keys' or 'trusted-keys', both deprecated).
---
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index 464ece61cdd..66d24f5ed7e 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -5744,8 +5744,21 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 if (obj == NULL && options != NULL) {
 (void)cfg_map_get(options, "dnssec-validation", &obj);
 }
- if (obj != NULL && !cfg_obj_isboolean(obj)) {
- autovalidation = true;
+ if (obj != NULL) {
+ if (!cfg_obj_isboolean(obj)) {
+ autovalidation = true;
+ } else if (cfg_obj_asboolean(obj)) {
+ if (global_ta == NULL && view_ta == NULL &&
+ global_tkeys == NULL && view_tkeys == NULL)
+ {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "the 'dnssec-validation yes' "
+ "option requires configured "
+ "'trust-anchors'; consider using "
+ "'dnssec-validation auto'.");
+ result = ISC_R_FAILURE;
+ }
+ }
 }
 tresult = check_ta_conflicts(global_ta, view_ta, global_tkeys,