From e690bfaa6ba8f2456562ae8f55b19adc747ae8ea Mon Sep 17 00:00:00 2001 From: Colin Vidal Date: Tue, 21 Oct 2025 11:53:33 +0200 Subject: [PATCH 1/2] named-checkconf -e prints effective config New command line switch `-e` introduced to `named-checkconf`. It acts like `-p` but instead it print the effective configuration rather than the user configuration. --- bin/check/named-checkconf.c | 32 ++++++++++++++++++++++++++++++-- bin/check/named-checkconf.rst | 20 +++++++++++++++++--- 2 files changed, 47 insertions(+), 5 deletions(-) diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index 169fd66ef7..0949b7c0f3 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -13,6 +13,7 @@ /*! \file */ +#include #include #include #include @@ -57,7 +58,7 @@ usage(void); static void usage(void) { fprintf(stderr, - "usage: %s [-achijklvz] [-p [-x]] [-t directory] " + "usage: %s [-achijklvz] [-pe [-x]] [-t directory] " "[named.conf]\n", isc_commandline_progname); exit(EXIT_SUCCESS); @@ -554,6 +555,7 @@ main(int argc, char **argv) { bool load_zones = false; bool list_zones = false; bool print = false; + bool effective = false; unsigned int flags = 0; unsigned int parserflags = 0; unsigned int checkflags = BIND_CHECK_PLUGINS | BIND_CHECK_ALGORITHMS; @@ -565,7 +567,7 @@ main(int argc, char **argv) { /* * Process memory debugging argument first. */ -#define CMDLINE_FLAGS "acdhijklm:nt:pvxz" +#define CMDLINE_FLAGS "acdehijklm:nt:pvxz" while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (c) { case 'm': @@ -638,6 +640,11 @@ main(int argc, char **argv) { print = true; break; + case 'e': + print = true; + effective = true; + break; + case 'v': printf("%s\n", PACKAGE_VERSION); result = ISC_R_SUCCESS; 
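Review bot: The usage string in usage() now shows `[-pe [-x]]`, which reads as one combined switch rather than two alternatives, while the `case 'e'` hunk further down makes `-e` imply printing on its own. Spelling it `[-p | -e [-x]]` would match that behaviour. The synopsis line in named-checkconf.rst carries the same `-pe` form.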
@@ -701,6 +708,27 @@ main(int argc, char **argv) { CHECK(load_zones_fromconfig(config, list_zones)); } + if (effective) { + cfg_obj_t *effectiveconf = NULL; + cfg_obj_t *defaultconfig = NULL; + isc_buffer_t b; + + isc_buffer_constinit(&b, common_named_defaultconf, + sizeof(common_named_defaultconf) - 1); + isc_buffer_add(&b, sizeof(common_named_defaultconf) - 1); + + CHECK(cfg_parse_buffer( + isc_g_mctx, &b, __FILE__, 0, &cfg_type_namedconf, + CFG_PCTX_NODEPRECATED | CFG_PCTX_NOOBSOLETE | + CFG_PCTX_NOEXPERIMENTAL | CFG_PCTX_BUILTIN, + &defaultconfig)); + effectiveconf = cfg_effective_config(config, defaultconfig); + + cfg_obj_detach(&defaultconfig); + cfg_obj_detach(&config); + config = effectiveconf; + } + if (print) { cfg_printx(config, flags, output, &result); } diff --git a/bin/check/named-checkconf.rst b/bin/check/named-checkconf.rst index 516756e9a6..bfe2385fe7 100644 --- a/bin/check/named-checkconf.rst +++ b/bin/check/named-checkconf.rst @@ -21,7 +21,7 @@ named-checkconf - named configuration file syntax checking tool Synopsis ~~~~~~~~ -:program:`named-checkconf` [**-achjklnvz**] [**-p** [**-x** ]] [**-t** directory] {filename} +:program:`named-checkconf` [**-achjklnvz**] [**-pe** [**-x** ]] [**-t** directory] {filename} Description ~~~~~~~~~~~ @@ -48,6 +48,19 @@ Options a `named.conf` intended to be run on another machine with possibly a different set of supported DNSSEC key algorithms. +.. option:: -e + + This option prints the effective server configuration that would + result from :iscman:`named.conf` and its included files, if no errors + were detected, in canonical form. + + The effective configuration is the result of loading a configuration + file and applying it on top of the default settings for :iscman:`named`. + All configurable settings are included. + + See also the :option:`-x` and :option:`-p` options. + + .. option:: -h This option prints the usage summary and exits. 
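Review bot: In the `if (effective)` block the result of `cfg_effective_config(config, defaultconfig)` replaces `config` with no check and no comment on ownership, and `cfg_printx(config, ...)` follows immediately. Whether that function can return NULL is not visible in this hunk; if it can, test `effectiveconf` before `cfg_obj_detach(&config)` so the user tree is not released and a NULL is never printed. A short comment above the block would also help, e.g. `/* Parse the built-in defaults (CFG_PCTX_BUILTIN) and merge the user config over them; config then owns the merged tree. */`. main() starts and ends outside the hunk.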
@@ -85,8 +98,9 @@ Options .. option:: -p - This option prints out the :iscman:`named.conf` and included files in canonical form if - no errors were detected. See also the :option:`-x` option. + This option prints the contents of :iscman:`named.conf` and all + included files in canonical form, if no errors were detected. See also + the :option:`-x` and :option:`-e` options. .. option:: -t directory From bd2c9594baccc7c003a9b84a048b04dfc453c149 Mon Sep 17 00:00:00 2001 From: Colin Vidal Date: Tue, 21 Oct 2025 11:53:56 +0200 Subject: [PATCH 2/2] add system test for named-checkconf -e Add a system test checking the command line switch -e of named-checkconf. The test doesn't care about the whole output of the effective configuration (in particular to avoid breaking the test for each default statement that would change) but instead just ensure the effective configuration is actually returned by checking the presence of the _bind chaos builtin view as well a user provided view and option change. --- bin/tests/system/checkconf/effective.conf | 19 ++++++++++++++ bin/tests/system/checkconf/tests_checkconf.py | 26 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 bin/tests/system/checkconf/effective.conf create mode 100644 bin/tests/system/checkconf/tests_checkconf.py diff --git a/bin/tests/system/checkconf/effective.conf b/bin/tests/system/checkconf/effective.conf new file mode 100644 index 0000000000..989997cbf7 --- /dev/null +++ b/bin/tests/system/checkconf/effective.conf 
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ listen-on port 5353 { 127.1.2.3; };
+};
+
+view foo {
+};
diff --git a/bin/tests/system/checkconf/tests_checkconf.py b/bin/tests/system/checkconf/tests_checkconf.py
new file mode 100644
index 0000000000..082133481d
--- /dev/null
+++ b/bin/tests/system/checkconf/tests_checkconf.py
@@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+
+import isctest
+
+
+def test_checkconf_effective():
+ proc = isctest.run.cmd([os.environ["CHECKCONF"], "-e", "effective.conf"])
+ checkconf_output = proc.stdout.decode()
+ assert "listen-on port 5353 {\n\t\t127.1.2.3/32;\n\t};" in checkconf_output
+ assert 'view "_bind" chaos {' in checkconf_output
+ assert 'view "foo" {\n}' in checkconf_output
+
+ # builtin-trust-anchors is non documented and internal clause only, it must
+ # not be visible.
+ assert "builtin-trust-anchors" not in checkconf_output
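Review bot: Nothing in `test_checkconf_effective` runs `-e` together with `-x`, so the test does not pin that shared secrets from the user configuration stay masked once it is merged with the defaults and printed. `effective.conf` has no `key` statement; adding one with a constructed secret and a second run such as `isctest.run.cmd([os.environ["CHECKCONF"], "-e", "-x", "effective.conf"])` followed by `assert "<constructed-secret>" not in proc.stdout.decode()` would cover it. Separately, the relative path `"effective.conf"` depends on the working directory the test runner sets up, which is not visible in this hunk.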