Forbid zones with both dnssec-policy and max-zone-ttl

Since max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, let's make that a fatal error.

diff --git a/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
new file mode 100644 (file)
index 0000000..0b59394
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-max-zone-ttl.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+       dnssec-policy default;
+};
+
+zone "example.net" {
+       type primary;
+       file "example.db";
+        max-zone-ttl 600;
+};

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index f6fe74916bd0f5eff9dbe8e1aba362195fd24d2c..9dd453b0fe6d6c514e30f786a57e695a9015f2a1 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1806,10 +1806,10 @@ default is used.
 
    This should now be configured as part of :namedconf:ref:`dnssec-policy`.
    Use of this option in :namedconf:ref:`options`, :namedconf:ref:`view`
-   and :namedconf:ref:`zone` blocks has no effect on any zone for which
-   a :namedconf:ref:`dnssec-policy` has also been configured. In zones
-   without :namedconf:ref:`dnssec-policy`, this option is deprecated,
-   and will be rendered non-operational in a future release.
+   and :namedconf:ref:`zone` blocks is a fatal error if
+   :namedconf:ref:`dnssec-policy` has also been configured for the same
+   zone. In zones without :namedconf:ref:`dnssec-policy`, this option is
+   deprecated, and will be rendered non-operational in a future release.
 
    :any:`max-zone-ttl` specifies a maximum permissible TTL value in seconds.
    For convenience, TTL-style time-unit suffixes may be used to specify the

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index baacd29a8403e19af108e90a892dfd2872e95c59..3cad314ad810f0719cebffea5e434445ebfe584d 100644 (file)
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3142,6 +3142,30 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                }
        }
 
+       /*
+        * Reject zones with both dnssec-policy and max-zone-ttl
+        * */
+       if (has_dnssecpolicy) {
+               obj = NULL;
+               (void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+               if (obj == NULL && voptions != NULL) {
+                       (void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+               }
+               if (obj == NULL && goptions != NULL) {
+                       (void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+               }
+               if (obj != NULL) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "zone '%s': option 'max-zone-ttl' "
+                                   "cannot be used together with "
+                                   "'dnssec-policy'",
+                                   znamestr);
+                       if (result == ISC_R_SUCCESS) {
+                               result = ISC_R_FAILURE;
+                       }
+               }
+       }
+
        /*
         * Check validity of the zone options.
         */