Add checking of _dns SVCB records constraints to nsupdate

_dns SVBC records have additional constrains which should be checked
when records are being added.  This adds those constraint checks but
allows the user to override them using 'check-svcb no'.

bin/nsupdate/nsupdate.c

@@ -186,6 +186,7 @@ static dns_message_t *answer = NULL;
 static uint32_t default_ttl = 0;
 static bool default_ttl_set = false;
 static bool checknames = true;
+static bool checksvcb = true;
 static const char *resolvconf = RESOLV_CONF;
 
 bool done = false;
@@ -2020,6 +2021,15 @@ parseclass:
 		}
 	}
 
+	if (!isdelete && checksvcb && rdata->type == dns_rdatatype_svcb) {
+		result = dns_rdata_checksvcb(name, rdata);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "check-svcb failed: %s\n",
+				isc_result_totext(result));
+			goto failure;
+		}
+	}
+
 	if (!isdelete && rdata->type == dns_rdatatype_nsec3param) {
 		dns_rdata_nsec3param_t nsec3param;
 
@@ -2106,6 +2116,32 @@ evaluate_checknames(char *cmdline) {
 	return (STATUS_MORE);
 }
 
+static uint16_t
+evaluate_checksvcb(char *cmdline) {
+	char *word;
+
+	ddebug("evaluate_checksvcb()");
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read check-svcb directive\n");
+		return (STATUS_SYNTAX);
+	}
+	if (strcasecmp(word, "yes") == 0 || strcasecmp(word, "true") == 0 ||
+	    strcasecmp(word, "on") == 0)
+	{
+		checksvcb = true;
+	} else if (strcasecmp(word, "no") == 0 ||
+		   strcasecmp(word, "false") == 0 ||
+		   strcasecmp(word, "off") == 0)
+	{
+		checksvcb = false;
+	} else {
+		fprintf(stderr, "incorrect check-svcb directive: %s\n", word);
+		return (STATUS_SYNTAX);
+	}
+	return (STATUS_MORE);
+}
+
 static void
 setzone(dns_name_t *zonename) {
 	isc_result_t result;
@@ -2265,6 +2301,10 @@ do_next_command(char *cmdline) {
 	    strcasecmp(word, "checknames") == 0) {
 		return (evaluate_checknames(cmdline));
 	}
+	if (strcasecmp(word, "check-svcb") == 0 ||
+	    strcasecmp(word, "checksvcb") == 0) {
+		return (evaluate_checksvcb(cmdline));
+	}
 	if (strcasecmp(word, "gsstsig") == 0) {
 #if HAVE_GSSAPI
 		usegsstsig = true;

bin/nsupdate/nsupdate.rst

@@ -310,6 +310,12 @@ The command formats and their meanings are as follows:
    By default check-names processing is on. If check-names processing
    fails, the record is not added to the UPDATE message.
 
+``check-svbc [boolean]``
+   This command turns on or off check-svcb processing on records to be added.
+   Check-svcb has no effect on prerequisites or records to be deleted.
+   By default check-svcb processing is on. If check-svcb processing
+   fails, the record is not added to the UPDATE message.
+
 ``prereq nxdomain domain-name``
    This command requires that no resource record of any type exist with the name
    ``domain-name``.

doc/man/nsupdate.1in

@@ -349,6 +349,12 @@ Check\-names has no effect on prerequisites or records to be deleted.
 By default check\-names processing is on. If check\-names processing
 fails, the record is not added to the UPDATE message.
 .TP
+.B \fBcheck\-svbc [boolean]\fP
+This command turns on or off check\-svcb processing on records to be added.
+Check\-svcb has no effect on prerequisites or records to be deleted.
+By default check\-svcb processing is on. If check\-svcb processing
+fails, the record is not added to the UPDATE message.
+.TP
 .B \fBprereq nxdomain domain\-name\fP
 This command requires that no resource record of any type exist with the name
 \fBdomain\-name\fP\&.