Reject zones with TTL higher than dnssec-policy max-zone-ttl
authorMatthijs Mekking <matthijs@isc.org>
Wed, 13 Jul 2022 08:28:59 +0000 (10:28 +0200)
committerEvan Hunt <each@isc.org>
Fri, 22 Jul 2022 20:13:24 +0000 (13:13 -0700)
Reject loading of zones with TTL higher than the max-zone-ttl
from the dnssec-policy.

With this change, any zone with a dnssec-policy in use will ignore
the max-zone-ttl option in zone/view/options.

bin/named/zoneconf.c

index 9573d5cc663d5cd1aa9c58357a50340fd1daecf2..7fbf3851db83cbb64b23497f30faeceb7fc6f343 100644 (file)
@@ -907,6 +907,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
        dns_stats_t *dnssecsignstats;
        dns_zonestat_level_t statlevel = dns_zonestat_none;
        int seconds;
+       dns_ttl_t maxttl = 0; /* unlimited */
        dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
        isc_dscp_t dscp;
 
@@ -1065,20 +1066,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                }
        }
 
-       obj = NULL;
-       result = named_config_get(maps, "max-zone-ttl", &obj);
-       if (result == ISC_R_SUCCESS) {
-               dns_ttl_t maxttl = 0; /* unlimited */
-
-               if (cfg_obj_isduration(obj)) {
-                       maxttl = cfg_obj_asduration(obj);
-               }
-               dns_zone_setmaxttl(zone, maxttl);
-               if (raw != NULL) {
-                       dns_zone_setmaxttl(raw, maxttl);
-               }
-       }
-
        obj = NULL;
        result = named_config_get(maps, "max-records", &obj);
        INSIST(result == ISC_R_SUCCESS && obj != NULL);
@@ -1531,6 +1518,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                dns_zone_setjournalsize(zone, journal_size);
        }
 
+       if (use_kasp) {
+               maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
+       } else {
+               obj = NULL;
+               result = named_config_get(maps, "max-zone-ttl", &obj);
+               if (result == ISC_R_SUCCESS) {
+                       if (cfg_obj_isduration(obj)) {
+                               maxttl = cfg_obj_asduration(obj);
+                       }
+               }
+       }
+       dns_zone_setmaxttl(zone, maxttl);
+       if (raw != NULL) {
+               dns_zone_setmaxttl(raw, maxttl);
+       }
+
        /*
         * Configure update-related options.  These apply to
         * primary servers only.
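Review bot: In the `use_kasp` branch, `dns_zone_getkasp(zone)` is passed straight into `dns_kasp_zonemaxttl()` with no NULL check; if `use_kasp` can be true before a policy is attached to the zone (that is set up earlier in named_zone_configure, outside this hunk), this is a NULL dereference at zone load, so either an `INSIST(dns_zone_getkasp(zone) != NULL)` before the call or a comment stating that `use_kasp` implies an attached kasp is warranted. The other behaviour worth documenting in code is that an explicitly configured `max-zone-ttl` is now silently dropped whenever a dnssec-policy is in use, which matters because the policy's max-zone-ttl feeds rollover and signature timing; a comment such as `/* With a dnssec-policy, its max-zone-ttl wins over any max-zone-ttl option (needed for correct key-rollover timing). */` above the `if (use_kasp)` would make that contract visible to the next maintainer, and logging a warning when both are set would help operators notice the ignored option. As a point of style, the two nested `if`s in the else branch collapse to `if (result == ISC_R_SUCCESS && cfg_obj_isduration(obj))`. named_zone_configure's body continues on both sides of this hunk.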