Commit 22e29471 authored by Evan Hunt's avatar Evan Hunt

[master] check allow-update in view/options

3787.	[bug]		The code that checks whether "auto-dnssec" is
			allowed was ignoring "allow-update" ACLs set at
			the options or view level. [RT #29536]
parent 6f49db82
3787. [bug] The code that checks whether "auto-dnssec" is
allowed was ignoring "allow-update" ACLs set at
the options or view level. [RT #29536]
3786. [func] Provide more detailed error codes when using
native PKCS#11. "pkcs11-tokens" now fails robustly
rather than asserting when run against an HSM with
......
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
zone example {
type master;
file "example.db";
auto-dnssec maintain;
allow-update { none; };
};
......@@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: good.conf,v 1.9 2011/05/07 05:55:17 each Exp $ */
/*
* This is just a random selection of configuration options.
*/
......@@ -125,6 +123,14 @@ view "third" {
10.0.0.100;
};
};
zone "dnssec" {
type master;
file "file";
auto-dnssec maintain;
};
allow-update {
"any";
};
};
key "mykey" {
algorithm "hmac-md5";
......
......@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
/*! \file */
#include <config.h>
......@@ -1734,12 +1732,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
* Master zones can't have both "allow-update" and "update-policy".
*/
if (ztype == MASTERZONE || ztype == SLAVEZONE) {
isc_boolean_t ddns = ISC_FALSE, signing = ISC_FALSE;
isc_result_t res1, res2, res3;
const cfg_obj_t *au = NULL;
const char *arg;
isc_boolean_t ddns = ISC_FALSE, signing = ISC_FALSE;
obj = NULL;
res1 = cfg_map_get(zoptions, "allow-update", &obj);
res1 = cfg_map_get(zoptions, "allow-update", &au);
obj = NULL;
res2 = cfg_map_get(zoptions, "update-policy", &obj);
if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
......@@ -1748,10 +1747,40 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
"when 'update-policy' is present",
znamestr);
result = ISC_R_FAILURE;
} else if (res2 == ISC_R_SUCCESS &&
check_update_policy(obj, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
ddns = ISC_TF(res1 == ISC_R_SUCCESS || res2 == ISC_R_SUCCESS);
} else if (res2 == ISC_R_SUCCESS) {
res3 = check_update_policy(obj, logctx);
if (res3 != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
/*
* To determine whether auto-dnssec is allowed,
* we should also check for allow-update at the
* view and options levels.
*/
obj = NULL;
if (res1 != ISC_R_SUCCESS && voptions != NULL)
res1 = cfg_map_get(voptions, "allow-update", &au);
if (res1 != ISC_R_SUCCESS && goptions != NULL)
res1 = cfg_map_get(goptions, "allow-update", &au);
if (res2 == ISC_R_SUCCESS)
ddns = ISC_TRUE;
else if (res1 == ISC_R_SUCCESS) {
dns_acl_t *acl = NULL;
res1 = cfg_acl_fromconfig(au, config, logctx,
actx, mctx, 0, &acl);
if (res1 != ISC_R_SUCCESS) {
cfg_obj_log(au, logctx, ISC_LOG_ERROR,
"acl expansion failed: %s",
isc_result_totext(result));
result = ISC_R_FAILURE;
} else if (acl != NULL) {
if (!dns_acl_isnone(acl))
ddns = ISC_TRUE;
dns_acl_detach(&acl);
}
}
obj = NULL;
res1 = cfg_map_get(zoptions, "inline-signing", &obj);
......@@ -1772,12 +1801,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
" dynamic DNS or" : "");
result = ISC_R_FAILURE;
}
if (strcasecmp(arg, "create") == 0) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec create;' is not "
"yet implemented");
result = ISC_R_FAILURE;
}
obj = NULL;
res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
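Review bot: The error path after `cfg_acl_fromconfig` in the `else if (res1 == ISC_R_SUCCESS)` branch logs the wrong variable: the failing status is in `res1`, but the message is built from `isc_result_totext(result)`, which at that point is still whatever the function-level `result` holds (usually success), so the log line will read "acl expansion failed: success" or echo an unrelated earlier failure and the actual reason is lost. Change the argument to `isc_result_totext(res1)` before `result` is overwritten on the next line. The `obj = NULL;` placed just before the view/options lookups is dead, since both lookups write into `au` and `obj` is reset again ahead of the `inline-signing` lookup; dropping it avoids suggesting `obj` takes part in the allow-update resolution. check_zoneconf begins and ends outside these hunks, so the later consumers of `ddns` are not visible here.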
......