Merge branch '3554-improve-dnssec-policy-inline-signing-err-msg-v9_18' into 'v9_18'

Clarify new configuration incompatibility: dnssec-policy vs. inline-signing [v9_18]

See merge request isc-projects/bind9!6871
This commit is contained in:
Petr Špaček 2022-10-06 08:30:42 +00:00
commit d2b428d8d2
3 changed files with 22 additions and 5 deletions


@ -491,7 +491,7 @@ n=`expr $n + 1`
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1


@ -20,6 +20,18 @@ Security Fixes
Known Issues
~~~~~~~~~~~~
- Upgrading from BIND 9.16.32, 9.18.6, or older, may require a manual
configuration change. The following configurations are affected:
- :any:`type primary` zones configured with :any:`dnssec-policy` but without
either :any:`allow-update` or :any:`update-policy`
- :any:`type secondary` zones configured with :any:`dnssec-policy`
In these cases please add :namedconf:ref:`inline-signing yes;
<inline-signing>` to individual zone configuration(s). Without applying this
change :iscman:`named` will fail to start. For more details see
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
- BIND 9.18 does not support dynamic updates forwarding (see
:any:`allow-update-forwarding`) in conjuction with zone transfers
over TLS (XoT). :gl:`#3512`


@ -3447,11 +3447,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (has_dnssecpolicy) {
if (!ddns && !signing) {
cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
"'dnssec-policy;' requires%s "
"inline-signing to be configured "
"for the zone",
"'inline-signing yes;' must also "
"be configured explicitly for "
"zones using dnssec-policy%s. See "
"https://kb.isc.org/docs/"
"dnssec-policy-requires-dynamic-"
"dns-or-inline-signing",
(ztype == CFG_ZONE_PRIMARY)
? " dynamic DNS or"
? " without a configured "
"'allow-update' or "
"'update-policy'"
: "");
result = ISC_R_FAILURE;
}
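Review bot: The rewritten cfg_obj_log() call leaves the `!ddns && !signing` condition undocumented, and the `%s` ternary keyed on `ztype == CFG_ZONE_PRIMARY` silently encodes a rule (only primary zones can satisfy the requirement through dynamic updates; every other zone type must set inline-signing explicitly) that a reader otherwise has to recover from the KB URL baked into the message. A short comment above the `if (!ddns && !signing)` line would carry that rule in the code: `/* dnssec-policy no longer implies inline-signing; a zone must either accept dynamic updates (primary only) or set 'inline-signing yes;' explicitly. */`. The wording of the primary-zone variant ("without a configured 'allow-update' or 'update-policy'") appears to assume that `ddns` is derived solely from those two options; if `ddns` can also come from elsewhere, the message is narrower than the check, which is worth confirming. The enclosing check_zoneconf() function starts and ends outside the hunk, so the definitions of `ddns` and `signing` are not visible here.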