Fix checkconf dnssec-policy inheritance bug
authorMatthijs Mekking <matthijs@isc.org>
Fri, 18 Jun 2021 09:00:23 +0000 (11:00 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 24 Jun 2021 07:31:59 +0000 (09:31 +0200)
Similar to #2778, the check for 'dnssec-policy' failed to account for
it being inheritable.

bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf [new file with mode: 0644]
bin/tests/system/checkconf/good.conf
lib/bind9/check.c

diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
new file mode 100644 (file)
index 0000000..fec6b81
--- /dev/null
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+view "test" {
+       dnssec-policy "notdefined";
+
+       zone "example.net" {
+               type primary;
+               file "example.db";
+       };
+};
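Review bot: The header comment in this fixture is word-for-word the same as the one in bad-kasp-policy-undefined-inherited.conf, so neither file says which inheritance level it exercises. Here the undefined policy is set in `view "test"` and the zone carries no `dnssec-policy` of its own, so the comment could read `* dnssec-policy "notdefined" is set at view level but never defined; the zone inherits it and must be rejected.`, with the sibling file saying the same for `options`. The commit's file list adds only these two negative cases. A zone inside a view that sets no policy, while `options` names an undefined one, would exercise the fall-through from the view lookup to the global lookup in check_zoneconf, and may be worth a third fixture if it is not covered elsewhere.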
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
new file mode 100644 (file)
index 0000000..62614fc
--- /dev/null
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+       dnssec-policy "notdefined";
+};
+
+zone "example.net" {
+       type primary;
+       file "example.db";
+};
index 6b950996ccf6b75f91431d5c7d2f8acb5b391b50..d3f00397669ad084105d3d4a1c508ec4a1572a87 100644 (file)
@@ -158,7 +158,7 @@ view "third" {
                allow-update {
                        "any";
                };
-               auto-dnssec maintain;
+               dnssec-policy "default";
        };
        zone "p" {
                type primary;
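Review bot: The commit message does not explain why `auto-dnssec maintain;` is replaced by `dnssec-policy "default";` in this zone of good.conf. Presumably the zone now picks up an inherited `dnssec-policy` and would trip a conflict check against `auto-dnssec` that lies outside this hunk. If that is the reason, existing deployments that set `dnssec-policy` in `options` or a view and keep `auto-dnssec` on individual zones would start failing named-checkconf after this fix, which deserves a line in the commit description or release notes. It would also help to confirm that good.conf still has a zone covering `auto-dnssec maintain` together with `allow-update`.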
index 728adec4404d44289694f469d70c5c71cfdf651d..02ed0f41209ec2eb8535c5bc8a8819e61fa7e36f 100644 (file)
@@ -2636,6 +2636,12 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
         */
        obj = NULL;
        (void)cfg_map_get(zoptions, "dnssec-policy", &obj);
+       if (obj == NULL && voptions != NULL) {
+               (void)cfg_map_get(voptions, "dnssec-policy", &obj);
+       }
+       if (obj == NULL && goptions != NULL) {
+               (void)cfg_map_get(goptions, "dnssec-policy", &obj);
+       }
        if (obj != NULL) {
                const cfg_obj_t *kasps = NULL;