From 4fa9d8389a1739cebcda00a94ea36bb67199f0b1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 4 Aug 2021 17:23:07 +1000 Subject: [PATCH 1/3] Check that primary key names are syntactically valid --- bin/tests/system/checkconf/bad-primaries-key.conf | 15 +++++++++++++++ lib/bind9/check.c | 14 ++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 bin/tests/system/checkconf/bad-primaries-key.conf diff --git a/bin/tests/system/checkconf/bad-primaries-key.conf b/bin/tests/system/checkconf/bad-primaries-key.conf new file mode 100644 index 0000000000..c58f79a839 --- /dev/null +++ b/bin/tests/system/checkconf/bad-primaries-key.conf @@ -0,0 +1,15 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone example { + type secondary; + primaries { 1.2.3.4 key a..b; }; +}; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d247962fc7..fb88e0b229 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -2121,6 +2121,20 @@ resume: if (cfg_obj_issockaddr(addr)) { count++; + if (cfg_obj_isstring(key)) { + const char *str = cfg_obj_asstring(key); + dns_fixedname_t fname; + dns_name_t *nm = dns_fixedname_initname(&fname); + tresult = dns_name_fromstring(nm, str, 0, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(key, logctx, ISC_LOG_ERROR, + "'%s' is not a valid name", + str); + if (result == ISC_R_SUCCESS) { + result = tresult; + } + } + } continue; } if (!cfg_obj_isvoid(key)) { From eb8c1ed3c5fcba5d7d87bb8f1faf1c4b7daaaaa2 Mon Sep 17 00:00:00 2001 
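Review bot: The diagnostic in the new `cfg_obj_isstring(key)` branch, `"'%s' is not a valid name"`, does not say which kind of name was rejected. Patch 2/3 reuses the identical text in its `cfg_obj_isstring(tls)` hunk, so an operator reading named-checkconf output cannot tell a bad key reference from a bad tls reference by the message alone. Consider `"key '%s' is not a valid name"` here and `"tls '%s' is not a valid name"` in the later hunk. A one-line comment such as `/* key names must parse as DNS names; only the parse result is used, nm is discarded */` would also make clear why `nm` is never read. The enclosing loop starts and ends outside the hunk.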
From: Mark Andrews Date: Wed, 4 Aug 2021 17:33:00 +1000 Subject: [PATCH 2/3] Check that primary tls names are syntactically valid --- .../system/checkconf/bad-primaries-tls.conf | 15 ++++++++++++ lib/bind9/check.c | 24 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 bin/tests/system/checkconf/bad-primaries-tls.conf diff --git a/bin/tests/system/checkconf/bad-primaries-tls.conf b/bin/tests/system/checkconf/bad-primaries-tls.conf new file mode 100644 index 0000000000..abb54ba259 --- /dev/null +++ b/bin/tests/system/checkconf/bad-primaries-tls.conf @@ -0,0 +1,15 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone example { + type secondary; + primaries { 1.2.3.4 tls a..b; }; +}; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index fb88e0b229..570a2e8ed3 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -2114,10 +2114,12 @@ resume: const char *listname; const cfg_obj_t *addr; const cfg_obj_t *key; + const cfg_obj_t *tls; addr = cfg_tuple_get(cfg_listelt_value(element), "remoteselement"); key = cfg_tuple_get(cfg_listelt_value(element), "key"); + tls = cfg_tuple_get(cfg_listelt_value(element), "tls"); if (cfg_obj_issockaddr(addr)) { count++; 
@@ -2135,6 +2137,20 @@ resume: } } } + if (cfg_obj_isstring(tls)) { + const char *str = cfg_obj_asstring(tls); + dns_fixedname_t fname; + dns_name_t *nm = dns_fixedname_initname(&fname); + tresult = dns_name_fromstring(nm, str, 0, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(tls, logctx, ISC_LOG_ERROR, + "'%s' is not a valid name", + str); + if (result == ISC_R_SUCCESS) { + result = tresult; + } + } + } continue; } if (!cfg_obj_isvoid(key)) { @@ -2145,6 +2161,14 @@ resume: result = ISC_R_FAILURE; } } + if (!cfg_obj_isvoid(tls)) { + cfg_obj_log(key, logctx, ISC_LOG_ERROR, + "unexpected token '%s'", + cfg_obj_asstring(tls)); + if (result == ISC_R_SUCCESS) { + result = ISC_R_FAILURE; + } + } listname = cfg_obj_asstring(addr); symvalue.as_cpointer = addr; tresult = isc_symtab_define(symtab, listname, 1, symvalue, From 5d2183c450be4b946ef88eb6f81ca74729e2127d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 4 Aug 2021 17:35:06 +1000 Subject: [PATCH 3/3] Add CHANGED for [GL #2461] --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index b06db7e0f0..a9d83fa060 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5701. [bug] named-checkconf failed to detect syntactically invalid + key and tls names. [GL #2461] + 5700. [bug] Journals where not being removed when a catalog zone was removed. [GL #2842]
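Review bot: The `cfg_obj_isstring(tls)` block is a line-for-line copy of the `key` block added in patch 1/3, differing only in the object passed. A small static helper would keep the two validations from drifting apart, for example if the options passed to `dns_name_fromstring` ever change for one and not the other. The sketch below keeps the existing message and result handling. The helper name is only a suggestion, and the `isc_log_t *` parameter type is assumed because `logctx`'s declaration is outside the hunk. The enclosing loop body also continues outside the hunk.

```c
/* Returns ISC_R_SUCCESS when obj's string parses as a DNS name; logs otherwise. */
static isc_result_t
check_remote_name(const cfg_obj_t *obj, isc_log_t *logctx) {
	const char *str = cfg_obj_asstring(obj);
	dns_fixedname_t fname;
	dns_name_t *nm = dns_fixedname_initname(&fname);
	isc_result_t r = dns_name_fromstring(nm, str, 0, NULL);

	if (r != ISC_R_SUCCESS) {
		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
			    "'%s' is not a valid name", str);
	}
	return (r);
}

/* ... unchanged: addr/key/tls lookup, cfg_obj_issockaddr(addr) test, count++ ... */
			if (cfg_obj_isstring(key)) {
				tresult = check_remote_name(key, logctx);
				if (result == ISC_R_SUCCESS) {
					result = tresult;
				}
			}
			if (cfg_obj_isstring(tls)) {
				tresult = check_remote_name(tls, logctx);
				if (result == ISC_R_SUCCESS) {
					result = tresult;
				}
			}
			continue;
```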
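Review bot: In the new `!cfg_obj_isvoid(tls)` branch the log call passes `key` as the object, `cfg_obj_log(key, logctx, ISC_LOG_ERROR,`, although the token being reported is `tls`. This looks like a leftover from copying the `key` branch just above it. The reported file and line presumably come from that first argument, so the error would be attributed to the key clause, which may be void on this path, rather than to the offending tls clause. The call should begin `cfg_obj_log(tls, logctx, ISC_LOG_ERROR,`. The surrounding loop body continues outside the hunk.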