Merge branch '2888-be-more-strict-about-clashing-source-ports' into 'main'

check port in *-source and *-source-v6 options in named.conf

Closes #2888

See merge request isc-projects/bind9!5399

CHANGES

@@ -1,3 +1,7 @@
+5715.	[func]		Add a check when the *-source(-v6) clashes with the
+			global listening port. Such a configuration was already
+			forbidden, but it failed silently. [GL #2888]
+
 5714.	[bug]		Remove the "adjust interface" mechanism that
 			set up a listener on interfaces where the *-source(-v6)
 			address and port were the same as the listening

bin/tests/system/checkconf/bad-notify-source-v6.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};

bin/tests/system/checkconf/bad-notify-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1 port 5300;
+};

bin/tests/system/checkconf/bad-parental-source-v6.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};

bin/tests/system/checkconf/bad-parental-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1 port 5300;
+};

bin/tests/system/checkconf/bad-port.conf

@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 99999;
+};

bin/tests/system/checkconf/bad-transfer-source-v6.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};

bin/tests/system/checkconf/bad-transfer-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1 port 5300;
+};

bin/tests/system/checkconf/good-notify-source-v6.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source-v6 fd92:7065:b8e:ffff::1;
+};

bin/tests/system/checkconf/good-notify-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1;
+};

bin/tests/system/checkconf/good-parental-source-v6.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source-v6 fd92:7065:b8e:ffff::1;
+};

bin/tests/system/checkconf/good-parental-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1;
+};

bin/tests/system/checkconf/good-transfer-source-v6.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source-v6 fd92:7065:b8e:ffff::1;
+};

bin/tests/system/checkconf/good-transfer-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1;
+};

bin/tests/system/checkconf/tests.sh

@@ -421,6 +421,7 @@ echo_i "check that named-checkconf -l prints out the zone list ($n)"
 ret=0
 $CHECKCONF -l good.conf |
 grep -v "is not implemented" |
+grep -v "is not recommended" |
 grep -v "no longer exists" |
 grep -v "is obsolete" > checkconf.out$n || ret=1
 diff good.zonelist checkconf.out$n > diff.out$n || ret=1
@@ -558,6 +559,18 @@ grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that *-source options with specified port generate warnings ($n)"
+ret=0
+$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
 rmdir keys
 
 echo_i "exit status: $status"

bin/tests/system/checkconf/warn-notify-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1 port 100;
+};

bin/tests/system/checkconf/warn-parental-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1 port 100;
+};

bin/tests/system/checkconf/warn-transfer-source.conf

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1 port 100;
+};

doc/arm/reference.rst

@@ -2643,6 +2643,11 @@ options are:
 .. note:: Solaris 2.5.1 and earlier does not support setting the source address
    for TCP sockets.
 
+.. warning:: Specifying a single port is discouraged, as it removes a layer of
+   protection against spoofing errors.
+
+.. warning:: The configured ``port`` must not be same as the listening port.
+
 .. note:: See also ``transfer-source``, ``notify-source`` and ``parental-source``.
 
 .. _zone_transfers:
@@ -2781,6 +2786,11 @@ options apply to zone transfers.
    .. note:: Solaris 2.5.1 and earlier does not support setting the source
       address for TCP sockets.
 
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
 ``transfer-source-v6``
    This option is the same as ``transfer-source``, except zone transfers are performed
    using IPv6.
@@ -2814,6 +2824,11 @@ options apply to zone transfers.
    .. note:: Solaris 2.5.1 and earlier does not support setting the source
       address for TCP sockets.
 
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
 ``notify-source-v6``
    This option acts like ``notify-source``, but applies to notify messages sent to IPv6
    addresses.
@@ -5208,6 +5223,11 @@ The following options apply to DS queries sent to ``parental-agents``:
    .. note:: Solaris 2.5.1 and earlier does not support setting the source
       address for TCP sockets.
 
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
 ``parental-source-v6``
    This option acts like ``parental-source``, but applies to parental DS
    queries sent to IPv6 addresses.

doc/notes/notes-current.rst

@@ -43,6 +43,18 @@ Feature Changes
 - SHA-1 CDS records are no longer used by ``dnssec-cds`` to make DS
   records. Thanks to Tony Finch. :gl:`!2946`
 
+- ``named`` and ``named-checkconf`` now issue a warning when there is a single
+  configured port in the ``query-source``, ``transfer-source``,
+  ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts.
+  :gl:`#2888`
+
+- ``named`` and ``named-checkconf`` now return an error when the single configured
+  port in the ``query-source``, ``transfer-source``, ``notify-source``,
+  ``parental-source``, and/or their respective IPv6 counterparts clashes with the
+  global listening port. This configuration is no longer supported as of BIND
+  9.16.0 but no error was reported, although sending UDP messages
+  (such as notifies) would fail. :gl:`#2888`
+
 Bug Fixes
 ~~~~~~~~~
 

lib/bind9/check.c

@@ -66,6 +66,8 @@
 
 #include <bind9/check.h>
 
+static in_port_t dnsport = 53;
+
 static isc_result_t
 fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
 	  isc_log_t *logctxlogc);
@@ -1039,6 +1041,30 @@ check_listeners(const cfg_obj_t *list, const cfg_obj_t *config,
 	return (result);
 }
 
+static isc_result_t
+check_port(const cfg_obj_t *options, isc_log_t *logctx, const char *type,
+	   in_port_t *portp) {
+	const cfg_obj_t *portobj = NULL;
+	isc_result_t result;
+
+	result = cfg_map_get(options, type, &portobj);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
+		cfg_obj_log(portobj, logctx, ISC_LOG_ERROR,
+			    "port '%u' out of range",
+			    cfg_obj_asuint32(portobj));
+		return (ISC_R_RANGE);
+	}
+
+	if (portp != NULL) {
+		*portp = (in_port_t)cfg_obj_asuint32(portobj);
+	}
+	return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 	      isc_log_t *logctx, isc_mem_t *mctx, optlevel_t optlevel) {
@@ -1055,6 +1081,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 	bool has_dnssecpolicy = false;
 	const char *ccalg = "siphash24";
 	cfg_aclconfctx_t *actx = NULL;
+	static const char *sources[] = {
+		"query-source",
+		"query-source-v6",
+	};
 
 	/*
 	 * { "name", scale, value }
@@ -1099,6 +1129,57 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 	};
 #endif /* ifdef HAVE_DNSTAP */
 
+	if (optlevel == optlevel_options) {
+		/*
+		 * Check port values, and record "port" for later use.
+		 */
+		tresult = check_port(options, logctx, "port", &dnsport);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		tresult = check_port(options, logctx, "tls-port", NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		tresult = check_port(options, logctx, "http-port", NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		tresult = check_port(options, logctx, "https-port", NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	if (optlevel == optlevel_options || optlevel == optlevel_view) {
+		/*
+		 * Warn if query-source or query-source-v6 options specify
+		 * a port, and fail if they specify the DNS port.
+		 */
+		for (i = 0; i < ARRAY_SIZE(sources); i++) {
+			obj = NULL;
+			(void)cfg_map_get(options, sources[i], &obj);
+			if (obj != NULL) {
+				const isc_sockaddr_t *sa =
+					cfg_obj_assockaddr(obj);
+				in_port_t port = isc_sockaddr_getport(sa);
+				if (port == dnsport) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'%s' cannot specify the "
+						    "DNS listener port (%d)",
+						    sources[i], port);
+					result = ISC_R_FAILURE;
+				} else if (port != 0) {
+					cfg_obj_log(obj, logctx,
+						    ISC_LOG_WARNING,
+						    "'%s': specifying a port "
+						    "is not recommended",
+						    sources[i]);
+				}
+			}
+		}
+	}
+
 	/*
 	 * Check that fields specified in units of time other than seconds
 	 * have reasonable values.
@@ -2568,13 +2649,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		"allow-update",
 		"allow-update-forwarding",
 	};
-
 	static optionstable dialups[] = {
 		{ "notify", CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 		{ "notify-passive", CFG_ZONE_SECONDARY },
 		{ "passive", CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
 		{ "refresh", CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
 	};
+	static const char *sources[] = {
+		"transfer-source",  "transfer-source-v6", "notify-source",
+		"notify-source-v6", "parental-source",	  "parental-source-v6",
+	};
 
 	znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 
@@ -2852,7 +2936,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	/*
 	 * Check that ACLs expand correctly.
 	 */
-	for (i = 0; i < (sizeof(acls) / sizeof(acls[0])); i++) {
+	for (i = 0; i < ARRAY_SIZE(acls); i++) {
 		tresult = checkacl(acls[i], actx, zconfig, voptions, config,
 				   logctx, mctx);
 		if (tresult != ISC_R_SUCCESS) {
@@ -2871,8 +2955,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	}
 
 	/*
-	 * Master, slave, and mirror zones may have an "also-notify" field, but
-	 * shouldn't if notify is disabled.
+	 * Primary, secondary, and mirror zones may have an "also-notify"
+	 * field, but shouldn't if notify is disabled.
 	 */
 	if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY ||
 	    ztype == CFG_ZONE_MIRROR)
@@ -2927,9 +3011,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	}
 
 	/*
-	 * Slave, mirror, and stub zones must have a "primaries" field, with one
-	 * exception: when mirroring the root zone, a default, built-in master
-	 * server list is used in the absence of one explicitly specified.
+	 * Secondary, mirror, and stub zones must have a "primaries" field,
+	 * with one exception: when mirroring the root zone, a default,
+	 * built-in primary server list is used in the absence of one
+	 * explicitly specified.
 	 */
 	if (ztype == CFG_ZONE_SECONDARY || ztype == CFG_ZONE_STUB ||
 	    (ztype == CFG_ZONE_MIRROR && zname != NULL &&
@@ -2975,6 +3060,34 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		}
 	}
 
+	/*
+	 * Warn if *-source and *-source-v6 options specify a port,
+	 * and fail if they specify the default listener port.
+	 */
+	for (i = 0; i < ARRAY_SIZE(sources); i++) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, sources[i], &obj);
+		if (obj == NULL && goptions != NULL) {
+			(void)cfg_map_get(goptions, sources[i], &obj);
+		}
+		if (obj != NULL) {
+			in_port_t port =
+				isc_sockaddr_getport(cfg_obj_assockaddr(obj));
+			if (port == dnsport) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "'%s' cannot specify the "
+					    "DNS listener port (%d)",
+					    sources[i], port);
+				result = ISC_R_FAILURE;
+			} else if (port != 0) {
+				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+					    "'%s': specifying a port is "
+					    "not recommended",
+					    sources[i]);
+			}
+		}
+	}
+
 	/*
 	 * Primary and secondary zones that have a "parental-agents" field,
 	 * must have a corresponding "parental-agents" clause.
@@ -3016,7 +3129,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	}
 
 	/*
-	 * Master zones can't have both "allow-update" and "update-policy".
+	 * Primary zones can't have both "allow-update" and "update-policy".
 	 */
 	if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY) {
 		bool signing = false;
@@ -3433,8 +3546,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	}
 
 	/*
-	 * If the zone type is rbt/rbt64 then master/hint zones require file
-	 * clauses. If inline-signing is used, then slave zones require a
+	 * If the zone type is rbt/rbt64 then primary/hint zones require file
+	 * clauses. If inline-signing is used, then secondary zones require a
 	 * file clause as well.
 	 */
 	obj = NULL;
@@ -3757,15 +3870,6 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_mem_t *mctx,
 	return (result);
 }
 
-static struct {
-	const char *v4;
-	const char *v6;
-} sources[] = { { "transfer-source", "transfer-source-v6" },
-		{ "notify-source", "notify-source-v6" },
-		{ "parental-source", "parental-source-v6" },
-		{ "query-source", "query-source-v6" },
-		{ NULL, NULL } };
-
 /*
  * RNDC keys are not normalised unlike TSIG keys.
  *
@@ -3793,6 +3897,15 @@ rndckey_exists(const cfg_obj_t *keylist, const char *keyname) {
 	return (false);
 }
 
+static struct {
+	const char *v4;
+	const char *v6;
+} sources[] = { { "transfer-source", "transfer-source-v6" },
+		{ "notify-source", "notify-source-v6" },
+		{ "parental-source", "parental-source-v6" },
+		{ "query-source", "query-source-v6" },
+		{ NULL, NULL } };
+
 static isc_result_t
 check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	      isc_symtab_t *symtab, isc_log_t *logctx) {
@@ -3842,6 +3955,10 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		}
 		source = 0;
 		do {
+			/*
+			 * For a v6 server we can't specify a v4 source,
+			 * and vice versa.
+			 */
 			obj = NULL;
 			if (n1.family == AF_INET) {
 				xfr = sources[source].v6;
@@ -3856,6 +3973,31 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 					    p1, xfr);
 				result = ISC_R_FAILURE;
 			}
+
+			/*
+			 * Check that we aren't using the DNS
+			 * listener port (i.e. 53, or whatever was set
+			 * as "port" in options) as a source port.
+			 */
+			obj = NULL;
+			if (n1.family == AF_INET) {
+				xfr = sources[source].v4;
+			} else {
+				xfr = sources[source].v6;
+			}
+			(void)cfg_map_get(v1, xfr, &obj);
+			if (obj != NULL) {
+				const isc_sockaddr_t *sa =
+					cfg_obj_assockaddr(obj);
+				in_port_t port = isc_sockaddr_getport(sa);
+				if (port == dnsport) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'%s' cannot specify the "
+						    "DNS listener port (%d)",
+						    xfr, port);
+					result = ISC_R_FAILURE;
+				}
+			}
 		} while (sources[++source].v4 != NULL);
 		e2 = e1;
 		while ((e2 = cfg_list_next(e2)) != NULL) {
@@ -5351,8 +5493,7 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
 	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *views = NULL;
 	const cfg_obj_t *acls = NULL;
-	const cfg_obj_t *kals = NULL;
-	const cfg_obj_t *obj;
+	const cfg_obj_t *obj = NULL;
 	const cfg_listelt_t *velement;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
@@ -5600,43 +5741,6 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
 		}
 	}
 
-	tresult = cfg_map_get(config, "kal", &kals);
-	if (tresult == ISC_R_SUCCESS) {
-		const cfg_listelt_t *elt;
-		const cfg_listelt_t *elt2;
-		const char *aclname;
-
-		for (elt = cfg_list_first(kals); elt != NULL;
-		     elt = cfg_list_next(elt)) {
-			const cfg_obj_t *acl = cfg_listelt_value(elt);
-
-			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
-
-			for (elt2 = cfg_list_next(elt); elt2 != NULL;
-			     elt2 = cfg_list_next(elt2)) {
-				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
-				const char *name;
-				name = cfg_obj_asstring(
-					cfg_tuple_get(acl2, "name"));
-				if (strcasecmp(aclname, name) == 0) {
-					const char *file = cfg_obj_file(acl);
-					unsigned int line = cfg_obj_line(acl);
-
-					if (file == NULL) {
-						file = "<unknown file>";
-					}
-
-					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
-						    "attempt to redefine "
-						    "kal '%s' previous "
-						    "definition: %s:%u",
-						    name, file, line);
-					result = ISC_R_FAILURE;
-				}
-			}
-		}
-	}
-
 cleanup:
 	if (symtab != NULL) {
 		isc_symtab_destroy(&symtab);