diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index d88bf2883d..ae62c9002d 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2853,7 +2853,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 const char *target = NULL;
 unsigned int ztype;
 const cfg_obj_t *zoptions, *goptions = NULL;
- const cfg_obj_t *obj = NULL;
+ const cfg_obj_t *obj = NULL, *kasp = NULL;
 const cfg_obj_t *inviewobj = NULL;
 isc_result_t result = ISC_R_SUCCESS;
 isc_result_t tresult;
@@ -3142,6 +3142,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 }
 }
 }
+ if (has_dnssecpolicy) {
+ kasp = obj;
+ }
 }

 /*
@@ -3439,12 +3442,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 res1 = cfg_map_get(zoptions, "inline-signing", &obj);
 if (res1 == ISC_R_SUCCESS) {
 signing = cfg_obj_asboolean(obj);
- if (has_dnssecpolicy && !ddns && !signing) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "'inline-signing;' cannot be set "
- "to 'no' "
- "if dnssec-policy is also set on a "
- "non-dynamic DNS zone");
+ }
+
+ if (has_dnssecpolicy) {
+ if (!ddns && !signing) {
+ cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
+ "'dnssec-policy;' requires%s "
+ "inline-signing to be configured "
+ "for the zone",
+ (ztype == CFG_ZONE_PRIMARY)
+ ? " dynamic DNS or"
+ : "");
 result = ISC_R_FAILURE;
 }
 }
@@ -3456,7 +3464,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 arg = cfg_obj_asstring(obj);
 }
 if (strcasecmp(arg, "off") != 0) {
- if (!ddns && !signing && strcasecmp(arg, "off") != 0) {
+ if (!ddns && !signing && !has_dnssecpolicy) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 "'auto-dnssec %s;' requires%s "
 "inline-signing to be configured "
@@ -3468,7 +3476,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 result = ISC_R_FAILURE;
 }

- if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) {
+ if (has_dnssecpolicy) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 "'auto-dnssec %s;' cannot be "
 "configured if dnssec-policy is "
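Review bot: `kasp = obj;` in the hunk at -3142,6 only captures the dnssec-policy clause if `obj` still points at it when this line runs, and `obj` is a scratch pointer that the function reuses (the later `cfg_map_get(zoptions, "inline-signing", &obj)` overwrites it). The code that looks up the policy and sets `has_dnssecpolicy` lies outside the hunk, so this cannot be confirmed from here. A comment on the assignment would make the dependency explicit: `/* Keep the dnssec-policy clause for later diagnostics; obj is reused below. */`.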
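Review bot: `cfg_obj_log(kasp, ...)` in the hunk at -3439,12 is reached whenever `has_dnssecpolicy` is true, but `kasp` starts out as NULL and is only assigned in the block touched by the -3142 hunk. If any path outside the visible hunks sets `has_dnssecpolicy` without reaching that assignment, the checker would pass a NULL object to the logging call while validating a configuration file. Falling back to the zone object keeps the diagnostic safe: `cfg_obj_log(kasp != NULL ? kasp : zconfig, logctx, ISC_LOG_ERROR,`. The body of check_zoneconf continues outside the hunk.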
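Review bot: The new `!has_dnssecpolicy` term in the hunk at -3456,7 suppresses the "auto-dnssec requires inline-signing" error, and nothing on the line says why. Presumably that case is already reported by the dnssec-policy check added in the -3439 hunk, while the `if (has_dnssecpolicy)` branch in the -3468 hunk reports the conflict itself. A short comment would keep a later edit from dropping the term: `/* With dnssec-policy set, the missing inline-signing case is reported by the dnssec-policy check above. */`.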