+3111. [bug] Improved consistency checks for dnssec-enable and
+ dnssec-validation, added test cases to the
+ checkconf system test. [RT #24398]
+
3110. [bug] dnssec-signzone: Wrong error message could appear
when attempting to sign with no KSK. [RT #24369]
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.1.6.2 2011/05/07 05:53:23 each Exp $
+
+rm -f good.conf.in good.conf.out
--- /dev/null
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.1,v 1.1.6.2 2011/05/07 05:53:23 each Exp $ */
+
+options {
+ dnssec-enable no;
+ dnssec-validation yes;
+};
--- /dev/null
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.2,v 1.1.6.2 2011/05/07 05:53:24 each Exp $ */
+
+options {
+ dnssec-enable no;
+};
+
+view view1 {
+ match-clients { any; };
+ dnssec-validation yes;
+};
+
+view view2 {
+ match-clients { none; };
+ dnssec-validation auto;
+};
--- /dev/null
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.3,v 1.1.6.2 2011/05/07 05:53:24 each Exp $ */
+
+options {
+ dnssec-validation no;
+};
+
+view view1 {
+ match-clients { any; };
+ dnssec-enable no;
+};
+
+view view2 {
+ match-clients { none; };
+ dnssec-enable yes;
+};
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: good.conf,v 1.6.114.2 2011/05/05 23:46:53 tbox Exp $ */
+/* $Id: good.conf,v 1.6.114.3 2011/05/07 05:53:24 each Exp $ */
/*
* This is just a random selection of configuration options.
*/
+/* cut here */
options {
- avoid-v4-udp-ports { 100; };
- avoid-v6-udp-ports { 100; };
- blackhole { 10.0.0.0/8; };
- coresize 1G;
- datasize 100M;
+ avoid-v4-udp-ports {
+ 100;
+ };
+ avoid-v6-udp-ports {
+ 100;
+ };
+ blackhole {
+ 10.0.0.0/8;
+ };
+ coresize 1073741824;
+ datasize 104857600;
deallocate-on-exit yes;
directory ".";
dump-file "named_dumpdb";
host-statistics-max 100;
hostname none;
interface-interval 30;
- listen-on port 90 { any; };
- listen-on port 100 { 127.0.0.1; };
- listen-on-v6 port 53 { none; };
+ listen-on port 90 {
+ "any";
+ };
+ listen-on port 100 {
+ 127.0.0.1/32;
+ };
+ listen-on-v6 port 53 {
+ "none";
+ };
match-mapped-addresses yes;
memstatistics-file "named.memstats";
multiple-cnames no;
serial-query-rate 100;
server-id none;
};
-
-view first {
- match-clients { none; };
- dnssec-validation auto;
- dnssec-lookaside auto;
- zone "example1" {
- type master;
- file "xxx";
- update-policy local;
- };
+view "first" {
+ match-clients {
+ "none";
+ };
+ zone "example1" {
+ type master;
+ file "xxx";
+ update-policy local;
+ };
+ dnssec-lookaside auto;
+ dnssec-validation auto;
};
-
-view second {
- match-clients { any; };
- dnssec-validation auto;
- dnssec-lookaside auto;
- zone "example1" {
- type master;
- file "yyy";
- update-policy local;
- };
+view "second" {
+ match-clients {
+ "any";
+ };
+ zone "example1" {
+ type master;
+ file "yyy";
+ update-policy local;
+ };
+ dnssec-lookaside "." trust-anchor "dlv.isc.org.";
+ dnssec-validation auto;
};
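Review bot: The `/* cut here */` marker is load-bearing but nothing in this file says so: the awk line in tests.sh copies everything after it into good.conf.in and compares that byte for byte with the `named-checkconf -p` output. I would spell that out in the marker itself, for example `/* cut here: tests.sh compares the text below with "named-checkconf -p" output; keep canonical form */`. The marker has to stay on a single line, because the awk rule skips only the line that matches `cut here`. Without the explanation, a later hand-edit of spacing or statement order below the marker fails the test for a reason that is not obvious.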
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.5 2010/06/02 01:28:40 tbox Exp $
+# $Id: tests.sh,v 1.5.114.1 2011/05/07 05:53:24 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
echo "I: checking that named-checkconf handles a known good config"
-
ret=0
$CHECKCONF good.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
echo "I: checking that named-checkconf prints a known good config"
ret=0
-$CHECKCONF -p good.conf > /dev/null 2>&1 || ret=1
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
+[ -s good.conf.in ] || ret=1
+$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
+cmp good.conf.in good.conf.out || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+
echo "I: checking that named-checkconf handles a known bad config"
+ret=0
+$CHECKCONF bad.conf > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
-ret=1
-$CHECKCONF bad.conf > /dev/null 2>&1 || ret=0
+echo "I: checking named-checkconf dnssec warnings"
+ret=0
+$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
+$CHECKCONF dnssec.2 2>&1 | grep 'validation auto.*enable no' > /dev/null || ret=1
+$CHECKCONF dnssec.2 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
+# this one should have no warnings
+$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
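Review bot: In `$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1` the status tested is grep's, not named-checkconf's, and the `2>&1` applies to grep only, so a non-zero exit from named-checkconf after it has printed the expected text still passes the check. Running it into a scratch file first (`$CHECKCONF -p good.conf.in > good.conf.raw 2>&1 || ret=1`, then filtering; the scratch name is a placeholder and clean.sh would have to remove it) closes that gap. The "no warnings" line `$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1` has the same limitation: it asserts silence only, so a run that dies without output counts as success. As the page shows it, the first check's `ret` is also never added to `status` before `ret=0` resets it for the "prints a known good config" check, though that line may simply have been elided from the context.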
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.125.14.4 2011/05/05 18:02:09 each Exp $ */
+/* $Id: check.c,v 1.125.14.5 2011/05/07 05:53:24 each Exp $ */
/*! \file */
isc_result_t tresult = ISC_R_SUCCESS;
cfg_aclconfctx_t actx;
const cfg_obj_t *obj;
+ const cfg_obj_t *options = NULL;
isc_boolean_t enablednssec, enablevalidation;
const char *valstr = "no";
+ /*
+ * Get global options block
+ */
+ (void)cfg_map_get(config, "options", &options);
+
/*
* Check that all zone statements are syntactically correct and
* there are no duplicate zones.
* Check that forwarding is reasonable.
*/
if (voptions == NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
if (options != NULL)
if (check_forward(options, NULL,
logctx) != ISC_R_SUCCESS)
* Check that dual-stack-servers is reasonable.
*/
if (voptions == NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
if (options != NULL)
if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-enable", &obj);
- if (obj == NULL)
- (void)cfg_map_get(config, "dnssec-enable", &obj);
+ if (obj == NULL && options != NULL)
+ (void)cfg_map_get(options, "dnssec-enable", &obj);
if (obj == NULL)
enablednssec = ISC_TRUE;
else
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-validation", &obj);
- if (obj == NULL)
- (void)cfg_map_get(config, "dnssec-validation", &obj);
+ if (obj == NULL && options != NULL)
+ (void)cfg_map_get(options, "dnssec-validation", &obj);
if (obj == NULL) {
- enablevalidation = ISC_TRUE;
+ enablevalidation = enablednssec;
valstr = "yes";
} else if (cfg_obj_isboolean(obj)) {
enablevalidation = cfg_obj_asboolean(obj);
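Review bot: The new fallback `enablevalidation = enablednssec;` appears not to be exercised by dnssec.1 through dnssec.3 as shown on this page, because each of them sets dnssec-validation either in the options block or in every view. A fixture with `dnssec-enable no;` and no dnssec-validation at either level would pin the intended silence. In the same branch `valstr = "yes"` is kept although enablevalidation can now be false there. If valstr is only read when the mismatch warning is logged (that code is outside the hunk), a comment such as `/* default follows dnssec-enable, so no mismatch is possible here */` would make the intent clear. The enclosing function starts and ends outside the hunk.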
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.131.8.2 2011/03/11 06:47:08 marka Exp $ */
+/* $Id: namedconf.c,v 1.131.8.3 2011/05/07 05:53:24 each Exp $ */
/*! \file */
* dnssec-lookaside
*/
+static void
+print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj)
+{
+ const cfg_obj_t *domain = obj->value.tuple[0];
+
+ if (domain->value.string.length == 4 &&
+ strncmp(domain->value.string.base, "auto", 4) == 0)
+ cfg_print_cstr(pctx, "auto");
+ else
+ cfg_print_tuple(pctx, obj);
+}
+
+static void
+doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto )");
+}
+
static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
static cfg_type_t cfg_type_optional_trustanchor = {
};
static cfg_type_t cfg_type_lookaside = {
- "lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ "lookaside", cfg_parse_tuple, print_lookaside, doc_lookaside,
&cfg_rep_tuple, lookaside_fields
};
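Review bot: print_lookaside decides on the first tuple element alone, so a dnssec-lookaside value whose domain is the literal string `auto` but which also carries a trust-anchor would be printed as plain `auto` and lose the anchor, if the parser accepts that form (the field table is not visible here). Also requiring the second element to be empty, for instance adding `cfg_obj_isvoid(obj->value.tuple[1])` to the existing length and strncmp test, would keep `named-checkconf -p` output faithful to the input. A one-line comment above the function, such as `/* Print the shorthand "auto" unquoted; any other value is printed as a tuple. */`, would explain the special case. The opening brace also sits on its own line in print_lookaside but on the signature line in doc_lookaside.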