Merge branch '2778-unique-key-directories-reported-as-reused-in-9-16-17-regression-vs-9-16-16' into 'main'

Resolve "Unique key directories reported as reused in 9.16.17, regression vs 9.16.16" Closes #2778 See merge request isc-projects/bind9!5195
2026-06-08 11:12:07 -04:00 · 2021-06-18 07:21:27 +00:00 · 2021-06-18 07:21:27 +00:00 · fb335e4b47
commit fb335e4b47
parent 721237efb3 85033788d3
4 changed files with 82 additions and 2 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+5660.	[bug]		Checking of key-directory and dnssec-policy was broken.
+			The checks failed to account for key-directory
+			inheritance. [GL #2778]
+
 5659.	[bug]		'W' in wildcard expansions was being mapped to '\000'.
 			[GL #2779]

--- a/bin/tests/system/checkconf/good-key-directory.conf
+++ b/bin/tests/system/checkconf/good-key-directory.conf
@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "internet" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P90D        algorithm ecdsa256;
+  };
+
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "intranet" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
+  };
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "localhost" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
+  };
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+options {
+    key-directory "global/keys";
+};
+
+view "localhost" {
+    match-clients { 127.0.0.1; ::1; };
+    zone "example.com" IN {
+        type primary;
+        file "localhost/example.com.zone";
+        dnssec-policy "localhost";
+    };
+};
+
+view "external" {
+    match-clients { 0/0; };
+    key-directory "external/keys";
+    zone "example.com" IN {
+        type primary;
+        file "external/example.com.zone";
+        dnssec-policy "internet";
+    };
+};
+
+view "internal" {
+    match-clients { ::/0; };
+    key-directory "internal/keys";
+    zone "example.com" IN {
+        type primary;
+        file "internal/example.com.zone";
+        dnssec-policy "intranet";
+    };
+};
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -53,3 +53,5 @@ Bug Fixes
  to return the correct response as the ``W`` was mapped to ``\000``.
  :gl:`#2779`

+- Checking of ``key-directory`` and ``dnssec-policy`` was broken.
+  The checks failed to account for key-directory inheritance. :gl:`#2778`
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@ -3191,8 +3191,14 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	 * Warn if key-directory doesn't exist
 	 */
 	obj = NULL;
-	tresult = cfg_map_get(zoptions, "key-directory", &obj);
-	if (tresult == ISC_R_SUCCESS) {
+	(void)cfg_map_get(zoptions, "key-directory", &obj);
+	if (obj == NULL && voptions != NULL) {
+		(void)cfg_map_get(voptions, "key-directory", &obj);
+	}
+	if (obj == NULL && goptions != NULL) {
+		(void)cfg_map_get(goptions, "key-directory", &obj);
+	}
+	if (obj != NULL) {
 		dir = cfg_obj_asstring(obj);

 		tresult = isc_file_isdirectory(dir);