suppress report-channel for zones above the agent-domain
authorEvan Hunt <each@isc.org>
Tue, 22 Oct 2024 20:48:58 +0000 (13:48 -0700)
committerEvan Hunt <each@isc.org>
Wed, 23 Oct 2024 21:29:32 +0000 (21:29 +0000)
RFC 9567 section 8.1 specifies that the agent domain cannot
be a subdomain of the domain it is reporting on. therefore,
in addition to making it illegal to configure that at the
zone level, we also need to disable send-report-channel for
any zone for which the global send-report-channel value is
a subdomain.

we also now warn if send-report-channel is configured
globally to a zone that we host, but that zone doesn't
have log-report-channel set.

bin/named/config.c
bin/named/server.c
bin/named/zoneconf.c
bin/tests/system/auth/ns1/example.rad.db [new file with mode: 0644]
bin/tests/system/auth/ns1/named.conf.in
bin/tests/system/auth/ns1/rad.db
bin/tests/system/auth/tests.sh
lib/dns/include/dns/view.h
lib/dns/view.c
lib/ns/client.c

index 3a89ef1bd2026647736d622fdd1df5633b964922..83381489b4f673427cf19ba8af71fc97f0aa34e5 100644 (file)
@@ -236,7 +236,7 @@ options {\n\
        notify yes;\n\
        notify-delay 5;\n\
        notify-to-soa no;\n\
-#      send-report-channel <none>\n\
+       send-report-channel .;\n\
        serial-update-method increment;\n\
        sig-signing-nodes 100;\n\
        sig-signing-signatures 10;\n\
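Review bot: The new default `send-report-channel .;` only works as "no agent domain" because the zone configuration code treats a root name as the disable sentinel, and nothing at this line records that; the line it replaces was a `#` comment spelling out `<none>`. Keeping a one-line named.conf comment next to the value inside the defaults string, e.g. `#      '.' means no agent domain\n\` immediately above `send-report-channel .;\n\`, preserves that documentation for whoever reads the built-in defaults. The enclosing `options { ... }` string continues outside the hunk.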
index 64e5e061666c3a8b228865539379ec4ab6b4115d..35b3ac92533a5be301c71841c29027d31c1ecd4c 100644 (file)
@@ -4271,22 +4271,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
                }
        }
 
-       obj = NULL;
-       result = named_config_get(maps, "send-report-channel", &obj);
-       if (view->rad != NULL) {
-               dns_name_free(view->rad, view->mctx);
-               isc_mem_put(view->mctx, view->rad, sizeof(*view->rad));
-       }
-       if (result == ISC_R_SUCCESS) {
-               str = cfg_obj_asstring(obj);
-               if (strcmp(str, ".") != 0 && strcmp(str, "") != 0) {
-                       view->rad = isc_mem_get(mctx, sizeof(*view->rad));
-                       dns_name_init(view->rad, NULL);
-                       CHECK(dns_name_fromstring(view->rad, str, dns_rootname,
-                                                 0, mctx));
-               }
-       }
-
        obj = NULL;
        result = named_config_get(maps, "dnssec-accept-expired", &obj);
        INSIST(result == ISC_R_SUCCESS);
index 6b21fca1c1b8335a8c5d52f1e9e5b1368c04a03a..af54b54b0e3b85362c448f27ada0abc7ce65d7e8 100644 (file)
@@ -1208,6 +1208,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
        if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
            ztype != dns_zone_redirect)
        {
+               bool logreports = false;
+
                /* Make a reference to the default policy. */
                result = dns_kasplist_find(kasplist, "default", &kasp);
                INSIST(result == ISC_R_SUCCESS && kasp != NULL);
@@ -1482,23 +1484,49 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
                                   cfg_obj_asboolean(obj));
 
-               obj = NULL;
-               (void)cfg_map_get(zoptions, "send-report-channel", &obj);
-               if (obj != NULL) {
-                       dns_fixedname_t fixed;
-                       dns_name_t *rad = dns_fixedname_initname(&fixed);
-                       CHECK(dns_name_fromstring(rad, cfg_obj_asstring(obj),
-                                                 dns_rootname, 0, mctx));
-                       dns_zone_setrad(zone, rad);
-               } else {
-                       dns_zone_setrad(zone, NULL);
-               }
-
                obj = NULL;
                result = cfg_map_get(zoptions, "log-report-channel", &obj);
                if (result == ISC_R_SUCCESS) {
+                       logreports = cfg_obj_asboolean(obj);
                        dns_zone_setoption(zone, DNS_ZONEOPT_LOGREPORTS,
-                                          cfg_obj_asboolean(obj));
+                                          logreports);
+               }
+               obj = NULL;
+               result = named_config_get(maps, "send-report-channel", &obj);
+               if (result == ISC_R_SUCCESS && obj != NULL) {
+                       dns_fixedname_t fixed;
+                       dns_name_t *rad = dns_fixedname_initname(&fixed);
+                       const char *adstr = cfg_obj_asstring(obj);
+                       dns_name_t *zn = dns_zone_getorigin(zone);
+
+                       CHECK(dns_name_fromstring(rad, adstr, dns_rootname, 0,
+                                                 mctx));
+                       if (logreports || dns_name_equal(rad, dns_rootname)) {
+                               /* Disable RC for error-logging zones or root */
+                               dns_zone_setrad(zone, NULL);
+                       } else if (dns_name_equal(rad, zn)) {
+                               /*
+                                * It's illegal to set a matching agent
+                                * domain at the zone level, but it could
+                                * be set in options/view. If so, and the
+                                * matching zone doesn't log reports, warn.
+                                */
+                               cfg_obj_log(obj, ISC_LOG_WARNING,
+                                           "send-report-channel is set to "
+                                           "'%s' but that zone does not have "
+                                           "log-report-channel set",
+                                           zname);
+                               dns_zone_setrad(zone, NULL);
+                       } else if (dns_name_issubdomain(rad, zn)) {
+                               cfg_obj_log(obj, ISC_LOG_WARNING,
+                                           "send-report-channel '%s' ignored "
+                                           "for zone '%s' because it is a "
+                                           "subdomain of the zone",
+                                           adstr, zname);
+                               dns_zone_setrad(zone, NULL);
+                       } else {
+                               dns_zone_setrad(zone, rad);
+                       }
                }
        } else if (ztype == dns_zone_redirect) {
                dns_zone_setnotifytype(zone, dns_notifytype_no);
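Review bot: An empty `send-report-channel ""` is no longer tolerated here: the view-level code removed from server.c skipped the name parse for both `.` and `""`, whereas the new `CHECK(dns_name_fromstring(rad, adstr, dns_rootname, 0, mctx))` parses whatever string it receives, so if the grammar admits an empty string the zone configuration now fails instead of clearing the agent domain (how `dns_name_fromstring` handles `""` is not visible in the hunk, so this needs confirming). Testing `*adstr == '\0'` before the parse and taking the `dns_zone_setrad(zone, NULL)` path would keep the earlier behaviour. Separately, the first branch clears a zone-level agent domain for `log-report-channel yes` zones without any log line, while the two sibling branches warn before clearing; a comment such as `/* Zones that log reports never advertise an agent domain of their own */` would make the silent drop visibly intentional. named_zone_configure's body begins and continues outside the hunk.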
diff --git a/bin/tests/system/auth/ns1/example.rad.db b/bin/tests/system/auth/ns1/example.rad.db
new file mode 100644 (file)
index 0000000..08d3197
--- /dev/null
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300        ; 5 minutes
+@                       IN SOA  ns root (
+                               2018010100 ; serial
+                               1800       ; refresh (30 minutes)
+                               1800       ; retry (30 minutes)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                      A       10.53.0.1
+server                 A       10.53.0.100
+*._er                   TXT     "Report received"
index f9036f7688cc56b7086f216c3c98265ab9bdf7f2..7841ca4ae60f7aa23bf77cdd83c1760b9acaf1d8 100644 (file)
@@ -39,9 +39,14 @@ view main in {
                send-report-channel "rad.example.net";
        };
 
-       zone example.rad {
+       zone rad {
                type primary;
                file "rad.db";
+       };
+
+       zone example.rad {
+               type primary;
+               file "example.rad.db";
                log-report-channel yes;
        };
 };
index 08d3197011576224f16b59da1e4481d8c67ac9bd..b36fbb99a694e38165a7911c1f1bba7fde744f73 100644 (file)
@@ -20,4 +20,5 @@ $TTL 300        ; 5 minutes
                        NS      ns
 ns                      A       10.53.0.1
 server                 A       10.53.0.100
-*._er                   TXT     "Report received"
+
+example                        NS      ns
index 3c6c0e5380187870c27012cb3522dda4c48a6ee4..473afc5a469b6123d7620993b5b10462a6bcd3a7 100644 (file)
@@ -194,6 +194,22 @@ grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "check that Report-Channel option is omitted for names in error-logging zones ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 example.rad >dig.out.test$n
+grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that Report-Channel option is omitted for zones above the agent-domain ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 rad >dig.out.test$n
+grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "check that a zone-level Report-Channel EDNS option is added to responses ($n)"
 ret=0
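Review bot: The two new negative checks at `grep "; Report-Channel: example.rad" dig.out.test$n >/dev/null && ret=1` pass vacuously when dig gets no answer at all, because an empty output file never matches the grep. Adding `grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1` after each `$DIG` line, in both the error-logging-zone check and the zone-above-agent-domain check, makes them fail on a missing response rather than only on an unexpected option. The existing positive check above already fails closed with `|| ret=1`, so only the two added blocks need it.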
index d6fbf86b64ff5b537e07573be0514d43915c8e62..845531c0d839b239777a534414f4d3c1907bc77b 100644 (file)
@@ -186,7 +186,6 @@ struct dns_view {
        uint32_t              maxrrperset;
        uint32_t              maxtypepername;
        uint8_t               max_restarts;
-       dns_name_t           *rad; /* reporting agent domain */
 
        /*
         * Configurable data for server use only,
index fd261a9919b3a6bcc8740e19831c9e113a39b1d1..2be324156c2c0106af0dfd7953e4d51c7dc67a85 100644 (file)
@@ -376,10 +376,6 @@ destroy(dns_view_t *view) {
                dns_dns64_unlink(&view->dns64, dns64);
                dns_dns64_destroy(&dns64);
        }
-       if (view->rad != NULL) {
-               dns_name_free(view->rad, view->mctx);
-               isc_mem_put(view->mctx, view->rad, sizeof(*view->rad));
-       }
        if (view->managed_keys != NULL) {
                dns_zone_detach(&view->managed_keys);
        }
index a1a2b4ad34febe0daed80d17760bab958d3a8c86..c4838cf2f3eddab6b2a160dbf99ef7b21ef85178 100644 (file)
@@ -1243,8 +1243,6 @@ no_nsid:
                dns_name_t *rad = NULL;
                if (dns_name_dynamic(&client->rad)) {
                        rad = &client->rad;
-               } else if (view != NULL && view->rad != NULL) {
-                       rad = view->rad;
                }
                if (rad != NULL && !dns_name_equal(rad, dns_rootname)) {
                        INSIST(count < DNS_EDNSOPTIONS);