Add checking of _dns SVCB records constraints to nsupdate

_dns SVBC records have additional constrains which should be checked
when records are being added.  This adds those constraint checks but
allows the user to override them using 'check-svcb no'.

diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index f939281bf34f93000ff253ff87147de7bd169b59..e15044996267009ae27aab1a604dbe1e50b90de8 100644 (file)
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -186,6 +186,7 @@ static dns_message_t *answer = NULL;
 static uint32_t default_ttl = 0;
 static bool default_ttl_set = false;
 static bool checknames = true;
+static bool checksvcb = true;
 static const char *resolvconf = RESOLV_CONF;
 
 bool done = false;
@@ -2020,6 +2021,15 @@ parseclass:
                }
        }
 
+       if (!isdelete && checksvcb && rdata->type == dns_rdatatype_svcb) {
+               result = dns_rdata_checksvcb(name, rdata);
+               if (result != ISC_R_SUCCESS) {
+                       fprintf(stderr, "check-svcb failed: %s\n",
+                               isc_result_totext(result));
+                       goto failure;
+               }
+       }
+
        if (!isdelete && rdata->type == dns_rdatatype_nsec3param) {
                dns_rdata_nsec3param_t nsec3param;
 
@@ -2106,6 +2116,32 @@ evaluate_checknames(char *cmdline) {
        return (STATUS_MORE);
 }
 
+static uint16_t
+evaluate_checksvcb(char *cmdline) {
+       char *word;
+
+       ddebug("evaluate_checksvcb()");
+       word = nsu_strsep(&cmdline, " \t\r\n");
+       if (word == NULL || *word == 0) {
+               fprintf(stderr, "could not read check-svcb directive\n");
+               return (STATUS_SYNTAX);
+       }
+       if (strcasecmp(word, "yes") == 0 || strcasecmp(word, "true") == 0 ||
+           strcasecmp(word, "on") == 0)
+       {
+               checksvcb = true;
+       } else if (strcasecmp(word, "no") == 0 ||
+                  strcasecmp(word, "false") == 0 ||
+                  strcasecmp(word, "off") == 0)
+       {
+               checksvcb = false;
+       } else {
+               fprintf(stderr, "incorrect check-svcb directive: %s\n", word);
+               return (STATUS_SYNTAX);
+       }
+       return (STATUS_MORE);
+}
+
 static void
 setzone(dns_name_t *zonename) {
        isc_result_t result;
@@ -2265,6 +2301,10 @@ do_next_command(char *cmdline) {
            strcasecmp(word, "checknames") == 0) {
                return (evaluate_checknames(cmdline));
        }
+       if (strcasecmp(word, "check-svcb") == 0 ||
+           strcasecmp(word, "checksvcb") == 0) {
+               return (evaluate_checksvcb(cmdline));
+       }
        if (strcasecmp(word, "gsstsig") == 0) {
 #if HAVE_GSSAPI
                usegsstsig = true;

diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst
index d2f21fd2c52b5a3ba683878aa56cfc0df3b9bd28..cc1aa39fafa1da3f1f79c16e0f447b0b56201565 100644 (file)
--- a/bin/nsupdate/nsupdate.rst
+++ b/bin/nsupdate/nsupdate.rst
@@ -310,6 +310,12 @@ The command formats and their meanings are as follows:
    By default check-names processing is on. If check-names processing
    fails, the record is not added to the UPDATE message.
 
+``check-svbc [boolean]``
+   This command turns on or off check-svcb processing on records to be added.
+   Check-svcb has no effect on prerequisites or records to be deleted.
+   By default check-svcb processing is on. If check-svcb processing
+   fails, the record is not added to the UPDATE message.
+
 ``prereq nxdomain domain-name``
    This command requires that no resource record of any type exist with the name
    ``domain-name``.

diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in
index 4fc6406912a9dc504f3ee1892c6fa37577b9c537..28f38930aeaa5441e4938677824783a6db8925eb 100644 (file)
--- a/doc/man/nsupdate.1in
+++ b/doc/man/nsupdate.1in
@@ -349,6 +349,12 @@ Check\-names has no effect on prerequisites or records to be deleted.
 By default check\-names processing is on. If check\-names processing
 fails, the record is not added to the UPDATE message.
 .TP
+.B \fBcheck\-svbc [boolean]\fP
+This command turns on or off check\-svcb processing on records to be added.
+Check\-svcb has no effect on prerequisites or records to be deleted.
+By default check\-svcb processing is on. If check\-svcb processing
+fails, the record is not added to the UPDATE message.
+.TP
 .B \fBprereq nxdomain domain\-name\fP
 This command requires that no resource record of any type exist with the name
 \fBdomain\-name\fP\&.