named-checkconf now detects redefinition of dnssec-policy 'insecure'
authorMark Andrews <marka@isc.org>
Wed, 5 May 2021 01:23:02 +0000 (11:23 +1000)
committerMark Andrews <marka@isc.org>
Wed, 5 May 2021 07:05:17 +0000 (17:05 +1000)
(cherry picked from commit dba13d280aacb1ee52de54b0607b3beb4ff1aa0e)

bin/tests/system/checkconf/bad-kasp-define-default.conf [moved from bin/tests/system/checkconf/bad-kasp1.conf with 89% similarity]
bin/tests/system/checkconf/bad-kasp-define-insecure.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-kasp-define-none.conf [moved from bin/tests/system/checkconf/bad-kasp5.conf with 90% similarity]
lib/bind9/check.c

similarity index 89%
rename from bin/tests/system/checkconf/bad-kasp1.conf
rename to bin/tests/system/checkconf/bad-kasp-define-default.conf
index 686160f983cf292963011519b8a2e170ff86d97b..65095c4f8eca983b8c0687c32254462bd4e3c34a 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-// Using the keyword 'default' is not allowed.
+// 'default' is a built-in policy, redefinition not allowed.
 dnssec-policy "default" {
        signatures-refresh P5D;
 };
@@ -19,4 +19,3 @@ zone "example.net" {
        file "example.db";
        dnssec-policy "default";
 };
-
diff --git a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
new file mode 100644 (file)
index 0000000..19ae2d5
--- /dev/null
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'insecure' is a built-in policy, redefinition not allowed.
+dnssec-policy "insecure" {
+       signatures-refresh P5D;
+};
+
+zone "example.net" {
+       type master;
+       file "example.db";
+       dnssec-policy "insecure";
+};
similarity index 90%
rename from bin/tests/system/checkconf/bad-kasp5.conf
rename to bin/tests/system/checkconf/bad-kasp-define-none.conf
index a399079db5b7a32633c4c0419095199200779e5c..4fc3781699ad68c3448719b87d9a6b8acfba7af8 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-// Using the keyword 'none' is not allowed.
+// 'none' is a built-in policy, redefinition not allowed.
 dnssec-policy "none" {
        signatures-refresh P5D;
 };
@@ -19,4 +19,3 @@ zone "example.net" {
        file "example.db";
        dnssec-policy "none";
 };
-
index 3db2d97a464a6da8e3b9eff4758246f0a60fc971..ab61371d60ca20c4bd9c150ccc7a2c4a2ff0218c 100644 (file)
@@ -892,6 +892,9 @@ kasp_name_allowed(const cfg_listelt_t *element) {
        if (strcmp("default", name) == 0) {
                return (false);
        }
+       if (strcmp("insecure", name) == 0) {
+               return (false);
+       }
        return (true);
 }
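Review bot: The set of reserved policy names is now spelled out in two places that must be kept in sync by hand: the three sequential `strcmp` checks in kasp_name_allowed here, and the error string in check_options (second hunk, the lines `"dnssec-policy name may not be 'insecure', " ... "policies)"`), which enumerates the same names independently; a future built-in policy added to one but not the other would either slip through unchecked or be reported with a stale message. Keeping the names in one `static const` table and looping over it makes the check a single edit point and lets the message be generated from, or at least reviewed against, the same list. The comparison is also case-sensitive, so a name such as `"Insecure"` passes this guard; if the built-in policies are looked up case-insensitively elsewhere (not visible here), that should be confirmed and the guard aligned. kasp_name_allowed's body starts before the hunk, so the derivation of `name` is not shown.
```c
	static const char *const builtin_policies[] = { "default", "insecure",
							"none" };
	/* … unchanged: derivation of 'name' from element … */
	for (size_t i = 0;
	     i < sizeof(builtin_policies) / sizeof(builtin_policies[0]); i++) {
		if (strcmp(builtin_policies[i], name) == 0) {
			return (false);
		}
	}
	return (true);
```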
 
@@ -1053,8 +1056,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 
                if (bad_name) {
                        cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-                                   "dnssec-policy name may not be 'none' or "
-                                   "'default' (which is the built-in policy)");
+                                   "dnssec-policy name may not be 'insecure', "
+                                   "'none', or 'default' (which are built-in "
+                                   "policies)");
                        if (result == ISC_R_SUCCESS) {
                                result = ISC_R_FAILURE;
                        }