Merge branch '2678-named-checkconf-doesn-t-catch-redefinition-of-dnssec-policy-insecure' into 'main'

Resolve "named-checkconf doesn't catch redefinition of dnssec-policy insecure" Closes #2678 See merge request isc-projects/bind9!4994
2026-05-28 04:34:54 -04:00 · 2021-05-05 07:03:12 +00:00 · 2021-05-05 07:03:12 +00:00 · 2be319b759
commit 2be319b759
parent 0f53872542 dba13d280a
4 changed files with 29 additions and 6 deletions
--- a/bin/tests/system/checkconf/bad-kasp-define-default.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-default.conf
@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-// Using the keyword 'default' is not allowed.
+// 'default' is a built-in policy, redefinition not allowed.
 dnssec-policy "default" {
 	signatures-refresh P5D;
 };
@ -19,4 +19,3 @@ zone "example.net" {
 	file "example.db";
 	dnssec-policy "default";
 };
-
--- a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'insecure' is a built-in policy, redefinition not allowed.
+dnssec-policy "insecure" {
+	signatures-refresh P5D;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "insecure";
+};
--- a/bin/tests/system/checkconf/bad-kasp-define-none.conf
+++ b/bin/tests/system/checkconf/bad-kasp-define-none.conf
@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-// Using the keyword 'none' is not allowed.
+// 'none' is a built-in policy, redefinition not allowed.
 dnssec-policy "none" {
 	signatures-refresh P5D;
 };
@ -19,4 +19,3 @@ zone "example.net" {
 	file "example.db";
 	dnssec-policy "none";
 };
-
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@ -893,6 +893,9 @@ kasp_name_allowed(const cfg_listelt_t *element) {
 	if (strcmp("default", name) == 0) {
 		return (false);
 	}
+	if (strcmp("insecure", name) == 0) {
+		return (false);
+	}
 	return (true);
 }

@ -1193,8 +1196,9 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,

 		if (bad_name) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "dnssec-policy name may not be 'none' or "
-				    "'default' (which is the built-in policy)");
+				    "dnssec-policy name may not be 'insecure', "
+				    "'none', or 'default' (which are built-in "
+				    "policies)");
 			if (result == ISC_R_SUCCESS) {
 				result = ISC_R_FAILURE;
 			}