Merge branch '2603-test-dnssec-policy-none' into 'main'

Check zonefile is untouched if dnssec-policy none

Closes #2603

See merge request isc-projects/bind9!4888
Matthijs Mekking 2021-05-05 17:15:58 +00:00
commit cf99c1dc85
25 changed files with 259 additions and 37 deletions


@ -1,3 +1,6 @@
5636. [bug] Check that zone files for 'dnssec-policy' zones are
only referenced once in 'named.conf'. [GL #2603]
5635. [bug] Journal compaction could fail when a journal with
invalid transaction headers was not detected at
startup. [GL #2670]
@ -53,7 +56,7 @@
5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the
protocol such that NSEC(3) TTL values are set to the
minimum of the SOA MINIMUM value and the SOA TTL.
[GL #2347].
[GL #2347]
5618. [bug] When introducing change 5149, "rndc dumpdb" started
to print a line above a stale RRset, indicating how


@ -379,7 +379,7 @@ all_digits(const char *s) {
return (false);
}
while (*s != '\0') {
if (!isdigit((*s) & 0xff)) {
if (!isdigit((unsigned char)(*s))) {
return (false);
}
s++;
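Review bot: The new cast on the `isdigit` line is written `(unsigned char)(*s)`, while every other hunk in this commit writes the same idiom without the inner parentheses (`(unsigned char)*p`, `(unsigned char)**buf`, `(unsigned char)*trv`); for consistency I would make it `if (!isdigit((unsigned char)*s)) {`. The change itself is sound: the old `& 0xff` form relied on the int promotion, and the cast is the form the C standard documents for passing a `char` to the `<ctype.h>` functions. all_digits starts before and ends after this hunk.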


@ -0,0 +1,26 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// One zone with dnssec-policy 'none', one zone with dnssec-policy 'insecure',
// both using the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "none";
};
zone "example2.net" {
type master;
file "example.db";
dnssec-policy "insecure";
};


@ -0,0 +1,26 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// One zone with a dnssec-policy, the other with allow-update,
// with the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "default";
};
zone "example2.net" {
type master;
file "example.db";
allow-update { any; };
};


@ -0,0 +1,28 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// One zone with a dnssec-policy, the other with update-policy,
// with the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "default";
};
zone "example2.net" {
type master;
file "example.db";
update-policy {
grant * self * TXT;
};
};


@ -0,0 +1,26 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// One zone transitioning to insecure, the other with allow-update,
// with the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "insecure";
};
zone "example2.net" {
type master;
file "example.db";
allow-update { any; };
};


@ -0,0 +1,25 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Two zones with dnssec-policy with the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "default";
};
zone "example2.net" {
type master;
file "example.db";
dnssec-policy "default";
};


@ -0,0 +1,26 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Two zones with dnssec-policy 'insecure' (transitioning to insecure)
// with the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "insecure";
};
zone "example2.net" {
type master;
file "example.db";
dnssec-policy "insecure";
};


@ -0,0 +1,26 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// One zone with dnssec-policy, the other zone has 'dnssec-policy none',
// both with the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "default";
};
zone "example2.net" {
type master;
file "example.db";
dnssec-policy "none";
};


@ -0,0 +1,26 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// One zone with dnssec-policy, the other zone has 'dnssec-policy insecure'
// (transitioning to inseure), both with the same zone file.
zone "example1.net" {
type master;
file "example.db";
dnssec-policy "default";
};
zone "example2.net" {
type master;
file "example.db";
dnssec-policy "insecure";
};
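Review bot: The header comment of this new test configuration has a typo, "transitioning to inseure" on its second line; it should read `// (transitioning to insecure), both with the same zone file.`. The sibling configurations in this commit spell it correctly, so this is the only one that needs the fix.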


@ -49,8 +49,13 @@ zone "example3" {
file "example3.db";
dnssec-policy "default";
};
zone "example4" {
zone "dnssec-policy-none-shared-zonefile1" {
type master;
file "example4.db";
file "shared.db";
dnssec-policy "none";
};
zone "dnssec-policy-none-shared-zonefile2" {
type master;
file "shared.db";
dnssec-policy "none";
};


@ -77,6 +77,7 @@ zone="unsigned.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
cp template.db.in $infile
cp template.db.in $zonefile
# Set up zone that stays unsigned.


@ -804,6 +804,13 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
# Make sure the zone file is untouched.
n=$((n+1))
echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
ret=0
diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
#
# Zone: insecure.kasp.


@ -88,3 +88,6 @@ Bug Fixes
- Journal compaction could fail when a journal with invalid transaction
headers was not detected at startup. :gl:`#2670`
- ``named-checkconf`` now complains if zones with ``dnssec-policy`` reference
the same zone file more than once. :gl:`#2603`


@ -11,6 +11,7 @@
/*! \file */
#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
@ -1192,9 +1193,7 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
if (bad_name) {
} else if (bad_name) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-policy name may not be 'insecure', "
"'none', or 'default' (which are built-in "
@ -1202,9 +1201,9 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
} else {
has_dnssecpolicy = true;
}
has_dnssecpolicy = true;
}
obj = NULL;
@ -3220,10 +3219,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
}
/*
* If the zone type is rbt/rbt64 then master/hint zones
* require file clauses.
* If inline signing is used, then slave zones require a
* file clause as well
* If the zone type is rbt/rbt64 then master/hint zones require file
* clauses. If inline-signing is used, then slave zones require a
* file clause as well.
*/
obj = NULL;
dlz = false;
@ -3261,7 +3259,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = tresult;
} else if (tresult == ISC_R_SUCCESS &&
(ztype == CFG_ZONE_SLAVE ||
ztype == CFG_ZONE_MIRROR || ddns))
ztype == CFG_ZONE_MIRROR || ddns ||
has_dnssecpolicy))
{
tresult = fileexist(fileobj, files, true, logctx);
if (tresult != ISC_R_SUCCESS) {
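Review bot: The condition in the last hunk of this section now routes zones with `has_dnssecpolicy` set through `fileexist(fileobj, files, true, logctx)`, but nothing in the hunk says what the `true` argument enforces or why a dnssec-policy zone needs it; I would add a comment above the `else if`, along the lines of `/* A dnssec-policy zone rewrites its zone file, so the file may not be shared with any other zone (GL #2603). */`, so the next reader does not have to reconstruct the intent from the test configurations. In the first hunk, turning `if (bad_name)` into `} else if (bad_name)` and moving `has_dnssecpolicy = true` into a trailing `else` means the flag is now set only when the name passed both checks; the `if` that this `else if` chains onto starts above the hunk, so I could not confirm the chaining is intended. Whether the built-in `none` policy leaves the flag false is also decided outside these hunks; the new checkconf/good named.conf, with two `dnssec-policy "none"` zones sharing `shared.db`, depends on it, so that test is the thing to watch if this check ever tightens. check_zoneconf and check_options both start and end outside the hunks.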


@ -11,6 +11,7 @@
/*! \file */
#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
@ -1433,8 +1434,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
alg = 0;
for (i = len + 1 + 1; i < dir.entry.length; i++) {
if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
{
if (!isdigit((unsigned char)dir.entry.name[i])) {
break;
}
alg *= 10;
@ -1452,15 +1452,8 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
}
for (i++; i < dir.entry.length; i++) {
if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
{
if (!isdigit((unsigned char)dir.entry.name[i])) {
break;
/*
* Did we not read exactly 5 more digits?
* Did we overflow?
* Did we correctly terminate?
*/
}
}
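Review bot: The second hunk of this section appears to drop the five-line comment "Did we not read exactly 5 more digits? Did we overflow? Did we correctly terminate?" along with the old range check; it is printed between the `break;` and the closing braces with no new-side counterpart visible, and the hunk shrinks from 15 lines to 8. If the checks that comment describes still follow the loop (they sit below the hunk, so I cannot see them), the comment should stay with them rather than go away with the `isdigit` rewrite. The replacement of the `< '0' || > '9'` test by `isdigit((unsigned char)...)` is behaviour-preserving, since `isdigit` is one of the two `<ctype.h>` functions the C standard exempts from locale dependence. dns_dnssec_findmatchingkeys continues outside both hunks.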


@ -1204,7 +1204,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
POST(state);
/* FALLTHROUGH */
case ft_escape:
if (!isdigit(c & 0xff)) {
if (!isdigit((unsigned char)c)) {
if (count >= 63) {
return (DNS_R_LABELTOOLONG);
}
@ -1224,7 +1224,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
state = ft_escdecimal;
/* FALLTHROUGH */
case ft_escdecimal:
if (!isdigit(c & 0xff)) {
if (!isdigit((unsigned char)c)) {
return (DNS_R_BADESCAPE);
}
value *= 10;


@ -219,8 +219,8 @@ maybe_numeric(unsigned int *valuep, isc_textregion_t *source, unsigned int max,
char buffer[NUMBERSIZE];
int v;
if (!isdigit(source->base[0] & 0xff) || source->length > NUMBERSIZE - 1)
{
if (!isdigit((unsigned char)source->base[0]) ||
source->length > NUMBERSIZE - 1) {
return (ISC_R_BADNUMBER);
}
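Review bot: The reformatted condition still reads `source->base[0]` before it looks at `source->length`, so a zero-length region would be read one byte past its end before the length test runs; the commit touched this line and could have reordered it. Unless every caller guarantees a non-empty region (I cannot see the callers from here), I would write `if (source->length == 0 || source->length > NUMBERSIZE - 1 ||` followed by `!isdigit((unsigned char)source->base[0])) {`, which keeps the return value the same for every input the old code handled. maybe_numeric's body continues below the hunk.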


@ -35,7 +35,8 @@ fromtext_x25(ARGS_FROMTEXT) {
RETTOK(DNS_R_SYNTAX);
}
for (i = 0; i < token.value.as_textregion.length; i++) {
if (!isdigit(token.value.as_textregion.base[i] & 0xff)) {
if (!isdigit((unsigned char)token.value.as_textregion.base[i]))
{
RETTOK(ISC_R_RANGE);
}
}
@ -125,7 +126,7 @@ fromstruct_x25(ARGS_FROMSTRUCT) {
}
for (i = 0; i < x25->x25_len; i++) {
if (!isdigit(x25->x25[i] & 0xff)) {
if (!isdigit((unsigned char)x25->x25[i])) {
return (ISC_R_RANGE);
}
}


@ -91,7 +91,7 @@ fromtext_in_atma(ARGS_FROMTEXT) {
lastwasperiod = true;
continue;
}
if ((sr->base[0] < '0') || (sr->base[0] > '9')) {
if (!isdigit((unsigned char)sr->base[0])) {
RETTOK(DNS_R_SYNTAX);
}
RETERR(mem_tobuffer(target, sr->base, 1));
@ -157,7 +157,7 @@ fromwire_in_atma(ARGS_FROMWIRE) {
if (region.base[0] == 1) {
unsigned int i;
for (i = 1; i < region.length; i++) {
if (region.base[i] < '0' || region.base[i] > '9') {
if (!isdigit((unsigned char)region.base[i])) {
return (DNS_R_FORMERR);
}
}


@ -89,7 +89,7 @@ conv_num(const char **buf, int *dest, int llim, int ulim) {
/* The limit also determines the number of valid digits. */
int rulim = ulim;
if (**buf < '0' || **buf > '9') {
if (!isdigit((unsigned char)**buf)) {
return (0);
}


@ -230,7 +230,7 @@ isc_dir_createunique(char *templet) {
*/
p = x;
while (*p != '\0') {
if (isdigit(*p & 0xff)) {
if (isdigit((unsigned char)*p)) {
*p = 'a';
} else if (*p != 'z') {
++*p;


@ -273,7 +273,7 @@ isc_dir_createunique(char *templet) {
*/
p = x;
while (*p != '\0') {
if (isdigit(*p & 0xff)) {
if (isdigit((unsigned char)*p)) {
*p = 'a';
} else if (*p != 'z') {
++*p;


@ -102,7 +102,7 @@ gettemp(char *path, bool binary, int *doopen) {
if (*trv == 'z') {
*trv++ = 'a';
} else {
if (isdigit(*trv)) {
if (isdigit((unsigned char)*trv)) {
*trv = 'a';
} else {
++*trv;


@ -11,6 +11,7 @@
/*! \file */
#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <string.h>
@ -5352,7 +5353,7 @@ get_root_key_sentinel_id(query_ctx_t *qctx, const char *ndata) {
int i;
for (i = 0; i < 5; i++) {
if (ndata[i] < '0' || ndata[i] > '9') {
if (!isdigit((unsigned char)ndata[i])) {
return (false);
}
v *= 10;