]> git.ipfire.org Git - thirdparty/knot-dns.git/commitdiff
projects / thirdparty / knot-dns.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5de6f10)
semchecks: check for DELEG at the zone apex
authorDaniel Salzman <daniel.salzman@nic.cz>
Wed, 22 Apr 2026 10:17:52 +0000 (12:17 +0200)
committerLibor Peltan <libor.peltan@nic.cz>
Wed, 6 May 2026 10:14:06 +0000 (12:14 +0200)
doc/reference.rst patch | blob | blame | history
src/knot/zone/semantic-check.c patch | blob | blame | history
src/knot/zone/semantic-check.h patch | blob | blame | history
tests/knot/semantic_check_data/deleg_apex.zone [new file with mode: 0644] patch | blob
tests/knot/test_semantic_check.in patch | blob | blame | history

diff --git a/doc/reference.rst b/doc/reference.rst
index f56d01600582e15cc9d6c70c6c0e1364c53758e9..c29780e5fef60a4840d9a4f1e95dd51c8d35f42c 100644 (file)
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -3022,6 +3022,7 @@ Mandatory checks:
 - Multiple DNAME records with the same owner exist (:rfc:`6672`)
 - NS record exists together with a DNAME record (:rfc:`6672`)
 - DS record exists at the zone apex (:rfc:`3658`)
+- DELEG record exists at the zone apex (TBD)
 
 (*) The marked check can't be weakened by the soft mode. All other mandatory checks
 are subject to the optional soft mode.
diff --git a/src/knot/zone/semantic-check.c b/src/knot/zone/semantic-check.c
index 3e4b28450e446ad0ef86832a4186741f533b0a8b..68b89a4b14a673f5ed7c0f9a3f8a3ab2db1ac384 100644 (file)
--- a/src/knot/zone/semantic-check.c
+++ b/src/knot/zone/semantic-check.c
@@ -31,6 +31,9 @@ static const char *error_messages[SEM_ERR_UNKNOWN + 1] = {
        [SEM_ERR_DNAME_EXTRA_NS] =
        "NS record exists beside DNAME",
 
+       [SEM_ERR_DELEG_APEX] =
+       "DELEG at the zone apex",
+
        [SEM_ERR_NS_APEX] =
        "missing NS at the zone apex",
        [SEM_ERR_NS_GLUE] =
@@ -116,6 +119,7 @@ static int check_delegation(const zone_node_t *node, semchecks_data_t *data);
 static int check_nsec3param(const zone_node_t *node, semchecks_data_t *data);
 static int check_submission(const zone_node_t *node, semchecks_data_t *data);
 static int check_ds(const zone_node_t *node, semchecks_data_t *data);
+static int check_deleg(const zone_node_t *node, semchecks_data_t *data);
 
 struct check_function {
        int (*function)(const zone_node_t *, semchecks_data_t *);
@@ -128,6 +132,7 @@ static const struct check_function CHECK_FUNCTIONS[] = {
        { check_dname,          MANDATORY | SOFT },
        { check_delegation,     MANDATORY | SOFT }, // mandatory for apex, optional for others
        { check_ds,             MANDATORY | SOFT }, // mandatory for apex, optional for others
+       { check_deleg,          MANDATORY | SOFT }, // mandatory for apex
        { check_nsec3param,     DNSSEC },
        { check_submission,     DNSSEC },
 };
@@ -359,6 +364,22 @@ static int check_ds(const zone_node_t *node, semchecks_data_t *data)
        return KNOT_EOK;
 }
 
+static int check_deleg(const zone_node_t *node, semchecks_data_t *data)
+{
+       if (data->zone->apex != node) {
+               return KNOT_EOK;
+       }
+
+       const knot_rdataset_t *deleg_rrs = node_rdataset(node, KNOT_RRTYPE_DELEG);
+       if (deleg_rrs != NULL) {
+               data->handler->error = true;
+               data->handler->cb(data->handler, data->zone, node->owner,
+                                 SEM_ERR_DELEG_APEX, NULL);
+       }
+
+       return KNOT_EOK;
+}
+
 static int check_soa(const zone_node_t *node, semchecks_data_t *data)
 {
        if (data->zone->apex != node) {
diff --git a/src/knot/zone/semantic-check.h b/src/knot/zone/semantic-check.h
index 3b79b28c30aa7e243fe98bdf8bd46dda99fd1acc..c8dbf4bb006080c4f98a57837c9137bfa2d3f544 100644 (file)
--- a/src/knot/zone/semantic-check.h
+++ b/src/knot/zone/semantic-check.h
@@ -33,6 +33,8 @@ typedef enum {
        SEM_ERR_DNAME_MULTIPLE,
        SEM_ERR_DNAME_EXTRA_NS,
 
+       SEM_ERR_DELEG_APEX,
+
        // Optional checks.
        SEM_ERR_NS_APEX,
        SEM_ERR_NS_GLUE,
diff --git a/tests/knot/semantic_check_data/deleg_apex.zone b/tests/knot/semantic_check_data/deleg_apex.zone
new file mode 100644 (file)
index 0000000..a654853
--- /dev/null
+++ b/tests/knot/semantic_check_data/deleg_apex.zone
@@ -0,0 +1,11 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@      IN      SOA     dns1.example.com. hostmaster.example.com. (
+               2010111217      ; serial
+               6h              ; refresh
+               1h              ; retry
+               1w              ; expire
+               1d )            ; minimum
+
+       DELEG   server-name=ns.example.org.
diff --git a/tests/knot/test_semantic_check.in b/tests/knot/test_semantic_check.in
index e1dafeab90e4332420f1c615874d5e1ba9f0a255..d8fa47da1de1fdf503686f9eb709a2f81c1dc15d 100644 (file)
--- a/tests/knot/test_semantic_check.in
+++ b/tests/knot/test_semantic_check.in
@@ -97,6 +97,7 @@ NSEC3_INSECURE_DELEGATION_OPT="wrong NSEC3 opt-out"
 NS_APEX="missing NS at the zone apex"
 NS_GLUE="missing glue record"
 RRSIG_UNVERIFIABLE="no valid signature for a record"
+DELEG_APEX="DELEG at the zone apex"
 
 plan_lazy
 
@@ -114,6 +115,7 @@ expect_error "dname_children.zone"   1 1 "$DNAME_CHILDREN"
 expect_error "dname_multiple.zone"   1 1 "$DNAME_MULTIPLE"
 expect_error "dname_extra_ns.zone"   1 1 "$DNAME_EXTRA_NS"
 expect_error "ds_apex.zone"          1 1 "$DS_APEX"
+expect_error "deleg_apex.zone"       1 1 "$DELEG_APEX"
 
 expect_error "ns_apex.missing" 0 1 "$NS_APEX"
 expect_error "glue_apex_both.missing" 0 2 "$NS_GLUE"
Mirror of https://gitlab.nic.cz/knot/knot-dns.git