[v9_10] Make dnssec-verify suggest using -o when appropriate

4679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record not at top of zone and -o is not used. [RT #45519] (cherry picked from commit 877c264edc)
2026-06-12 13:10:00 -04:00 · 2017-08-04 10:45:30 +02:00 · 2017-08-04 10:45:30 +02:00 · 2dbab02703
commit 2dbab02703
parent 0ee8fe7865
3 changed files with 38 additions and 1 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
+			not at top of zone and -o is not used. [RT #45519]
+
 4677.	[cleanup]	Split up the main function in dig to better support
 			the iOS app version. [RT #45508]

--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
@ -114,9 +114,26 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
 	check_result(result, "dns_db_create()");

 	result = dns_db_load2(*db, file, inputformat);
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+	switch (result) {
+	case DNS_R_SEENINCLUDE:
+	case ISC_R_SUCCESS:
+		break;
+	case DNS_R_NOTZONETOP:
+		/*
+		 * Comparing pointers (vs. using strcmp()) is intentional: we
+		 * want to check whether -o was supplied on the command line,
+		 * not whether origin and file contain the same string.
+		 */
+		if (origin == file) {
+			fatal("failed loading zone '%s' from file '%s': "
+			      "use -o to specify a different zone origin",
+			      origin, file);
+		}
+		/* FALLTHROUGH */
+	default:
 		fatal("failed loading zone from '%s': %s",
 		      file, isc_result_totext(result));
+	}
 }

 ISC_PLATFORM_NORETURN_PRE static void
--- a/bin/tests/system/verify/tests.sh
+++ b/bin/tests/system/verify/tests.sh
@ -94,5 +94,22 @@ do
 	[ $dumpit = 1 ] && cat verify.out.$n
 done

+n=`expr $n + 1`
+echo "I:checking error message when -o is not used and a SOA record not at top of zone is found ($n)"
+ret=0
+# When -o is not used, origin is set to zone file name, which should cause an error in this case
+$VERIFY zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1
+grep "not at top of zone" verify.out.$n > /dev/null || ret=1
+grep "use -o to specify a different zone origin" verify.out.$n > /dev/null || ret=1
+[ $ret = 0 ] || failed
+
+n=`expr $n + 1`
+echo "I:checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)"
+ret=0
+$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1
+grep "not at top of zone" verify.out.$n > /dev/null || ret=1
+grep "use -o to specify a different zone origin" verify.out.$n > /dev/null && ret=1
+[ $ret = 0 ] || failed
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1