new: usr: named-checkconf -e prints the effective configuration

The new `named-checkconf -e` option prints the effective server configuration, including all the default settings, that would result from loading the specified configuration file into `named`. Closes #2798 Merge branch 'colin/effective-config-checkconf' into 'main' See merge request isc-projects/bind9!11122
2026-06-11 07:49:59 -04:00 · 2025-10-29 23:49:37 +01:00 · 2025-10-29 23:49:37 +01:00 · 05c2ef2f77
commit 05c2ef2f77
parent 5ba7df7f0e bd2c9594ba
4 changed files with 92 additions and 5 deletions
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@ -13,6 +13,7 @@

 /*! \file */

+#include <defaultconfig.h>
 #include <errno.h>
 #include <stdbool.h>
 #include <stdio.h>
@ -57,7 +58,7 @@ usage(void);
 static void
 usage(void) {
 	fprintf(stderr,
-		"usage: %s [-achijklvz] [-p [-x]] [-t directory] "
+		"usage: %s [-achijklvz] [-pe [-x]] [-t directory] "
 		"[named.conf]\n",
 		isc_commandline_progname);
 	exit(EXIT_SUCCESS);
@ -554,6 +555,7 @@ main(int argc, char **argv) {
 	bool load_zones = false;
 	bool list_zones = false;
 	bool print = false;
+	bool effective = false;
 	unsigned int flags = 0;
 	unsigned int parserflags = 0;
 	unsigned int checkflags = BIND_CHECK_PLUGINS | BIND_CHECK_ALGORITHMS;
@ -565,7 +567,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "acdhijklm:nt:pvxz"
+#define CMDLINE_FLAGS "acdehijklm:nt:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
@ -638,6 +640,11 @@ main(int argc, char **argv) {
 			print = true;
 			break;

+		case 'e':
+			print = true;
+			effective = true;
+			break;
+
 		case 'v':
 			printf("%s\n", PACKAGE_VERSION);
 			result = ISC_R_SUCCESS;
@ -701,6 +708,27 @@ main(int argc, char **argv) {
 		CHECK(load_zones_fromconfig(config, list_zones));
 	}

+	if (effective) {
+		cfg_obj_t *effectiveconf = NULL;
+		cfg_obj_t *defaultconfig = NULL;
+		isc_buffer_t b;
+
+		isc_buffer_constinit(&b, common_named_defaultconf,
+				     sizeof(common_named_defaultconf) - 1);
+		isc_buffer_add(&b, sizeof(common_named_defaultconf) - 1);
+
+		CHECK(cfg_parse_buffer(
+			isc_g_mctx, &b, __FILE__, 0, &cfg_type_namedconf,
+			CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE |
+				CFG_PCTX_NOEXPERIMENTAL | CFG_PCTX_BUILTIN,
+			&defaultconfig));
+		effectiveconf = cfg_effective_config(config, defaultconfig);
+
+		cfg_obj_detach(&defaultconfig);
+		cfg_obj_detach(&config);
+		config = effectiveconf;
+	}
+
 	if (print) {
 		cfg_printx(config, flags, output, &result);
 	}
--- a/bin/check/named-checkconf.rst
+++ b/bin/check/named-checkconf.rst
@ -21,7 +21,7 @@ named-checkconf - named configuration file syntax checking tool
 Synopsis
 ~~~~~~~~

-:program:`named-checkconf` [**-achjklnvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
+:program:`named-checkconf` [**-achjklnvz**] [**-pe** [**-x** ]] [**-t** directory] {filename}

 Description
 ~~~~~~~~~~~
@ -48,6 +48,19 @@ Options
   a `named.conf` intended to be run on another machine with possibly a
   different set of supported DNSSEC key algorithms.

+.. option:: -e
+
+   This option prints the effective server configuration that would
+   result from :iscman:`named.conf` and its included files, if no errors
+   were detected, in canonical form.
+
+   The effective configuration is the result of loading a configuration
+   file and applying it on top of the default settings for :iscman:`named`.
+   All configurable settings are included.
+
+   See also the :option:`-x` and :option:`-p` options.
+
+
 .. option:: -h

   This option prints the usage summary and exits.
@ -85,8 +98,9 @@ Options

 .. option:: -p

-   This option prints out the :iscman:`named.conf` and included files in canonical form if
-   no errors were detected. See also the :option:`-x` option.
+   This option prints the contents of :iscman:`named.conf` and all
+   included files in canonical form, if no errors were detected. See also
+   the :option:`-x` and :option:`-e` options.

 .. option:: -t directory

--- a/bin/tests/system/checkconf/effective.conf
+++ b/bin/tests/system/checkconf/effective.conf
@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	listen-on port 5353 { 127.1.2.3; };
+};
+
+view foo {
+};
--- a/bin/tests/system/checkconf/tests_checkconf.py
+++ b/bin/tests/system/checkconf/tests_checkconf.py
@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+
+import isctest
+
+
+def test_checkconf_effective():
+    proc = isctest.run.cmd([os.environ["CHECKCONF"], "-e", "effective.conf"])
+    checkconf_output = proc.stdout.decode()
+    assert "listen-on port 5353 {\n\t\t127.1.2.3/32;\n\t};" in checkconf_output
+    assert 'view "_bind" chaos {' in checkconf_output
+    assert 'view "foo" {\n}' in checkconf_output
+
+    # builtin-trust-anchors is non documented and internal clause only, it must
+    # not be visible.
+    assert "builtin-trust-anchors" not in checkconf_output