Update inline-signing checkconf code
authorMatthijs Mekking <matthijs@isc.org>
Fri, 9 Dec 2022 11:22:49 +0000 (12:22 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 1 Aug 2023 06:55:48 +0000 (06:55 +0000)
When using automated DNSSEC management, it is required that the zone
is dynamic, or that inline-signing is enabled (or both). Update the
checkconf code to also allow inline-signing to be enabled within
dnssec-policy.

bin/tests/system/checkconf/bad-kasp-inline-signing.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-noddns.conf
bin/tests/system/checkconf/good-kasp.conf
bin/tests/system/kasp/ns6/named.conf.in
bin/tests/system/kasp/ns6/named2.conf.in
bin/tests/system/zonechecks/ns1/named.conf.in
lib/isccfg/check.c

diff --git a/bin/tests/system/checkconf/bad-kasp-inline-signing.conf b/bin/tests/system/checkconf/bad-kasp-inline-signing.conf
new file mode 100644 (file)
index 0000000..178be5e
--- /dev/null
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing is a boolean value.
+ */
+dnssec-policy "inline" {
+       inline-signing never-ever;
+};
+
+zone "." {
+       type primary;
+       file "root.db";
+       dnssec-policy "inline";
+};
index 76435bc6e6cdd51d1f56271194d751893321b616..203bf4dda50d32cf309f83126d0ce78bb02b7668 100644 (file)
  * information regarding copyright ownership.
  */
 
+dnssec-policy "test" {
+       inline-signing no;
+};
+
 zone example {
        type primary;
        file "example.db";
-       dnssec-policy default;
+       dnssec-policy test;
        allow-update { none; };
 };
index 28210cfc69fb1949225db9ab91033fdcbe0f1966..fb3fceab0a2f902f66acea8838605fc42433d399 100644 (file)
@@ -21,8 +21,8 @@ dnssec-policy "test" {
        cds-digest-types {
                "sha-256";
        };
-       inline-signing yes;
        dnskey-ttl 3600;
+       inline-signing yes;
        keys {
                ksk key-directory lifetime P1Y algorithm ecdsa256;
                zsk lifetime P30D algorithm 13;
index cb82b0b6c68f725a441acb1a567c1347933206e4..a4b9ef8af7921d98345b673a3726eee59e10fc92 100644 (file)
@@ -73,6 +73,7 @@ zone "step1.going-straight-to-none.kasp" {
 zone "step1.going-straight-to-none-dynamic.kasp" {
        type primary;
        file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+       inline-signing no;
        dnssec-policy "default";
        allow-update { any; };
 };
index 2fa5b80383924e97a43ded234db73e8f0fda381d..5edcbcbe778047ce43e97a582019df1d1b15c73b 100644 (file)
@@ -87,6 +87,7 @@ zone "step1.going-straight-to-none.kasp" {
 zone "step1.going-straight-to-none-dynamic.kasp" {
         type primary;
         file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+        inline-signing no;
         dnssec-policy "none";
         allow-update { any; };
 };
index efb11b01d8fab513fd3dd384f942a6d29b868977..68215001476307834486c133b4972e5353e2d802 100644 (file)
@@ -36,6 +36,7 @@ controls {
 };
 
 dnssec-policy "zonechecks" {
+       inline-signing no;
        keys {
                ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
                zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
index af53af5aa90db6e4801538da888a8c7e38f0eddb..44be487daa52d16a11e2b01ce6116db18577d04e 100644 (file)
@@ -2793,6 +2793,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        bool dlz;
        bool ddns = false;
        bool has_dnssecpolicy = false;
+       bool kasp_inlinesigning = false;
        const void *clauses = NULL;
        const char *option = NULL;
        const char *kaspname = NULL;
@@ -3038,10 +3039,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                kaspname = cfg_obj_asstring(obj);
                if (strcmp(kaspname, "default") == 0) {
                        has_dnssecpolicy = true;
+                       kasp_inlinesigning = true;
                } else if (strcmp(kaspname, "insecure") == 0) {
                        has_dnssecpolicy = true;
+                       kasp_inlinesigning = true;
                } else if (strcmp(kaspname, "none") == 0) {
                        has_dnssecpolicy = false;
+                       kasp_inlinesigning = false;
                } else {
                        (void)cfg_map_get(config, "dnssec-policy", &kasps);
                        for (element = cfg_list_first(kasps); element != NULL;
@@ -3052,7 +3056,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                                if (strcmp(kaspname, cfg_obj_asstring(kobj)) ==
                                    0)
                                {
+                                       const cfg_obj_t *inlinesigning = NULL;
+                                       const cfg_obj_t *kopt = cfg_tuple_get(
+                                               cfg_listelt_value(element),
+                                               "options");
+                                       if (cfg_map_get(kopt, "inline-signing",
+                                                       &inlinesigning) ==
+                                           ISC_R_SUCCESS)
+                                       {
+                                               kasp_inlinesigning =
+                                                       cfg_obj_asboolean(
+                                                               inlinesigning);
+                                       } else {
+                                               /* By default true */
+                                               kasp_inlinesigning = true;
+                                       }
+
                                        has_dnssecpolicy = true;
+                                       break;
                                }
                        }
 
@@ -3369,6 +3390,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                res1 = cfg_map_get(zoptions, "inline-signing", &obj);
                if (res1 == ISC_R_SUCCESS) {
                        signing = cfg_obj_asboolean(obj);
+               } else if (has_dnssecpolicy) {
+                       signing = kasp_inlinesigning;
                }
 
                if (has_dnssecpolicy) {
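Review bot: The new `else if (has_dnssecpolicy)` branch silently changes the meaning of `signing` from "the zone's inline-signing option" to "the zone's option, or the policy's when the zone does not set one", and nothing at the assignment says so; a reader of the later `has_dnssecpolicy` check will not know the value may have come from the policy. Suggest `/* An explicit zone-level inline-signing wins; otherwise inherit the setting from the zone's dnssec-policy. */` above the `else if`. The precedence itself (zone option over policy) looks intended and matches the test configs in this commit, which set `inline-signing no;` at zone level to opt dynamic zones out. `check_zoneconf()` continues outside the hunk.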