Warn if 'stale-refresh-time' < 30 (default)

RFC 8767 recommends that attempts to refresh to be done no more frequently than every 30 seconds. Added check into named-checkconf, which will warn if values below the default are found in configuration. BIND will also log the warning during loading of configuration in the same fashion.
2026-06-11 10:10:00 -04:00 · 2020-11-05 13:07:47 -03:00 · 2020-11-05 13:07:47 -03:00 · 5e47a13fd0
commit 5e47a13fd0
parent 4827ad0ec4
4 changed files with 52 additions and 0 deletions
--- a/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	stale-refresh-time 0;
+};
--- a/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	stale-refresh-time 29;
+};
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@ -139,6 +139,19 @@ grep '.*' < checkconf.out$n.2 > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo_i "checking named-checkconf servestale warnings ($n)"
+ret=0
+$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1
+grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+ret=0
+$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1
+grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "range checking fields that do not allow zero ($n)"
 ret=0
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@ -1662,6 +1662,17 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 		}
 	}

+	obj = NULL;
+	(void)cfg_map_get(options, "stale-refresh-time", &obj);
+	if (obj != NULL) {
+		uint32_t refresh_time = cfg_obj_asduration(obj);
+		if (refresh_time > 0 && refresh_time < 30) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "'stale-refresh-time' should either be 0 "
+				    "or otherwise 30 seconds or higher");
+		}
+	}
+
 	return (result);
 }