Determine checkds default from config
authorMatthijs Mekking <matthijs@isc.org>
Tue, 28 Mar 2023 14:57:58 +0000 (16:57 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Mon, 3 Apr 2023 14:01:22 +0000 (14:01 +0000)
If the 'checkds' option is not explicitly set, check whether any
'parental-agents' are configured for the zone. If so, default to "explicit",
otherwise default to "yes".

bin/named/zoneconf.c
bin/tests/system/checkds/ns9/named.conf.in
doc/arm/reference.rst

index 21dbe6d8a905d273ef2469a73f5971621b1c950b..470069ac8d70ec7ee09bd93b3d3c0526962355a5 100644 (file)
@@ -1228,29 +1228,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                        dns_zone_setkasp(zone, NULL);
                }
 
-               obj = NULL;
-               result = named_config_get(maps, "checkds", &obj);
-               if (result == ISC_R_SUCCESS) {
-                       if (cfg_obj_isboolean(obj)) {
-                               if (cfg_obj_asboolean(obj)) {
-                                       checkdstype = dns_checkdstype_yes;
-                               } else {
-                                       checkdstype = dns_checkdstype_no;
-                               }
-                       } else {
-                               const char *str = cfg_obj_asstring(obj);
-                               if (strcasecmp(str, "explicit") == 0) {
-                                       checkdstype = dns_checkdstype_explicit;
-                               } else {
-                                       UNREACHABLE();
-                               }
-                       }
-               }
-               if (raw != NULL) {
-                       dns_zone_setcheckdstype(raw, dns_checkdstype_no);
-               }
-               dns_zone_setcheckdstype(zone, checkdstype);
-
                obj = NULL;
                result = named_config_get(maps, "notify", &obj);
                INSIST(result == ISC_R_SUCCESS && obj != NULL);
@@ -1711,19 +1688,47 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
         * Configure parental agents, applies to primary and secondary zones.
         */
        if (ztype == dns_zone_primary || ztype == dns_zone_secondary) {
-               obj = NULL;
-               (void)cfg_map_get(zoptions, "parental-agents", &obj);
-               if (obj != NULL) {
+               const cfg_obj_t *parentals = NULL;
+               (void)cfg_map_get(zoptions, "parental-agents", &parentals);
+               if (parentals != NULL) {
                        dns_ipkeylist_t ipkl;
                        dns_ipkeylist_init(&ipkl);
                        CHECK(named_config_getipandkeylist(
-                               config, "parental-agents", obj, mctx, &ipkl));
+                               config, "parental-agents", parentals, mctx,
+                               &ipkl));
                        dns_zone_setparentals(zone, ipkl.addrs, ipkl.sources,
                                              ipkl.keys, ipkl.tlss, ipkl.count);
                        dns_ipkeylist_clear(mctx, &ipkl);
                } else {
                        dns_zone_setparentals(zone, NULL, NULL, NULL, NULL, 0);
                }
+
+               obj = NULL;
+               result = named_config_get(maps, "checkds", &obj);
+               if (result == ISC_R_SUCCESS) {
+                       if (cfg_obj_isboolean(obj)) {
+                               if (cfg_obj_asboolean(obj)) {
+                                       checkdstype = dns_checkdstype_yes;
+                               } else {
+                                       checkdstype = dns_checkdstype_no;
+                               }
+                       } else {
+                               const char *str = cfg_obj_asstring(obj);
+                               if (strcasecmp(str, "explicit") == 0) {
+                                       checkdstype = dns_checkdstype_explicit;
+                               } else {
+                                       UNREACHABLE();
+                               }
+                       }
+               } else if (parentals != NULL) {
+                       checkdstype = dns_checkdstype_explicit;
+               } else {
+                       checkdstype = dns_checkdstype_yes;
+               }
+               if (raw != NULL) {
+                       dns_zone_setcheckdstype(raw, dns_checkdstype_no);
+               }
+               dns_zone_setcheckdstype(zone, checkdstype);
        }
 
        /*%
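Review bot: The defaulting branch at the `} else if (parentals != NULL) {` line deserves a comment, because `checkds` is looked up through `maps` (presumably zone, view and global options) while `parentals` comes only from `zoptions`, so a `checkds` set at view or options level takes precedence over the parental-agents-based default and the two lookups are not symmetric. Suggested wording above that line: `/* No explicit checkds anywhere in maps: prefer "explicit" when this zone lists parental agents, otherwise fall back to "yes". */`. The block moved here from the earlier hunk (around line 1228) was reached under a condition that is outside that hunk; if it admitted zone types other than primary and secondary, those zones no longer get `dns_zone_setcheckdstype()` called at all, which is worth confirming against the removed context. named_zone_configure starts and ends outside this hunk.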
index 2d4dcb28f896e8655e9d6d827ade84b715ced289..94d830cd1beab8d1f6ca073aa4fd8fd7cb431180 100644 (file)
@@ -56,7 +56,6 @@ zone "good.explicit.dspublish.ns2" {
        inline-signing yes;
        dnssec-policy "default";
        parental-agents { 10.53.0.8 port @PORT@; };
-       checkds explicit;
 };
 
 /* Same as above, but now with a reference to parental-agents. */
@@ -66,7 +65,6 @@ zone "reference.explicit.dspublish.ns2" {
        inline-signing yes;
        dnssec-policy "default";
        parental-agents { "ns8"; };
-       checkds explicit;
 };
 
 /* Same as above, but now with resolver parental agent configured. */
@@ -78,7 +76,6 @@ zone "resolver.explicit.dspublish.ns2" {
        parental-agents {
                10.53.0.3 port @PORT@;
        };
-       checkds explicit;
 };
 
 /* Same as above, but now with auto parental agents. */
@@ -119,7 +116,6 @@ zone "not-yet.explicit.dspublish.ns5" {
        parental-agents {
                10.53.0.5 port @PORT@; // missing
        };
-       checkds explicit;
 };
 
 zone "not-yet.yes.dspublish.ns5" {
@@ -142,7 +138,6 @@ zone "bad.explicit.dspublish.ns6" {
        parental-agents {
                10.53.0.6 port @PORT@; // bad
        };
-       checkds explicit;
 };
 
 zone "bad.yes.dspublish.ns6" {
@@ -173,7 +168,6 @@ zone "good.explicit.dspublish.ns2-4" {
                10.53.0.8 port @PORT@;
                10.53.0.4 port @PORT@;
        };
-       checkds explicit;
 };
 
 zone "good.yes.dspublish.ns2-4" {
@@ -206,7 +200,6 @@ zone "incomplete.explicit.dspublish.ns2-4-5" {
                10.53.0.4 port @PORT@;
                10.53.0.5 port @PORT@; // missing
        };
-       checkds explicit;
 };
 
 zone "incomplete.yes.dspublish.ns2-4-5" {
@@ -231,7 +224,6 @@ zone "bad.explicit.dspublish.ns2-4-6" {
                10.53.0.4 port @PORT@;
                10.53.0.6 port @PORT@; // bad
        };
-       checkds explicit;
 };
 
 zone "bad.yes.dspublish.ns2-4-6" {
@@ -263,7 +255,6 @@ zone "good.explicit.dsremoved.ns5" {
        inline-signing yes;
        dnssec-policy "insecure";
        parental-agents { 10.53.0.10 port @PORT@; };
-       checkds explicit;
 };
 
 zone "resolver.explicit.dsremoved.ns5" {
@@ -274,7 +265,6 @@ zone "resolver.explicit.dsremoved.ns5" {
        parental-agents {
                10.53.0.3 port @PORT@;
        };
-       checkds explicit;
 };
 
 zone "good.yes.dsremoved.ns5" {
@@ -312,7 +302,6 @@ zone "still-there.explicit.dsremoved.ns2" {
        parental-agents {
                10.53.0.2 port @PORT@; // still published
        };
-       checkds explicit;
 };
 
 zone "still-there.yes.dsremoved.ns2" {
@@ -335,7 +324,6 @@ zone "bad.explicit.dsremoved.ns6" {
        parental-agents {
                10.53.0.6 port @PORT@; // bad
        };
-       checkds explicit;
 };
 
 zone "bad.yes.dsremoved.ns6" {
@@ -366,7 +354,6 @@ zone "good.explicit.dsremoved.ns5-7" {
                10.53.0.10 port @PORT@;
                10.53.0.7 port @PORT@;
        };
-       checkds explicit;
 };
 
 zone "good.yes.dsremoved.ns5-7" {
@@ -399,7 +386,6 @@ zone "incomplete.explicit.dsremoved.ns2-5-7" {
                10.53.0.10 port @PORT@;
                10.53.0.7 port @PORT@;
        };
-       checkds explicit;
 };
 
 zone "incomplete.yes.dsremoved.ns2-5-7" {
@@ -424,7 +410,6 @@ zone "bad.explicit.dsremoved.ns5-6-7" {
                10.53.0.7 port @PORT@;
                10.53.0.6 port @PORT@; // bad
        };
-       checkds explicit;
 };
 
 zone "bad.yes.dsremoved.ns5-6-7" {
index 8225c5708955702c13e9f0b6e7083998dc572291..50ff92492a03c305ec700b231b892dd0d2e89c95 100644 (file)
@@ -6439,10 +6439,12 @@ The following options apply to DS queries sent to :any:`parental-agents`:
 
    If set to ``yes``, DS queries are sent when a KSK rollover is in progress.
    The queries are sent to the servers listed in the parent zone's NS records.
-   This is the default.
+   This is the default if there are no :any:`parental-agents` configured for
+   the zone.
 
    If set to ``explicit``, DS queries are sent only to servers explicitly listed
-   using :any:`parental-agents`.
+   using :any:`parental-agents`. This is the default if there are parental
+   agents configured.
 
    If set to ``no``, no DS queries are sent. Users should manually run
    :option:`rndc dnssec -checkds <rndc dnssec>` with the appropriate parameters