3103. [bug] Configuring 'dnssec-validation auto' in a view

instead of in the options statement could trigger an assertion failure in named-checkconf. [RT #24382]

3103. [bug] Configuring 'dnssec-validation auto' in a view
instead of in the options statement could trigger an assertion failure in named-checkconf. [RT #24382]
d454a60f · Evan Hunt · cecfa999 · d454a60f · d454a60f · d454a60f
Commit d454a60f authored May 05, 2011 by Evan Hunt
--- a/CHANGES
+++ b/CHANGES
+3103.	[bug]		Configuring 'dnssec-validation auto' in a view
+			instead of in the options statement could trigger
+			an assertion failure in named-checkconf. [RT #24382]
+
 3102.	[func]		New 'dnssec-loadkeys-interval' option configures
 			how often, in minutes, to check the key repository
 			for updates when using automatic key maintenance.

--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: good.conf,v 1.6 2010/06/02 01:28:40 tbox Exp $ */
+/* $Id: good.conf,v 1.7 2011/05/05 16:13:35 each Exp $ */

 /*
 * This is just a random selection of configuration options.
@@ -55,8 +55,24 @@ options {
 	server-id none;
 };

-zone "example1" {
-	type master;
-	file "xxx";
-	update-policy local;
+view first {
+        match-clients { none; };
+        dnssec-validation auto;
+        dnssec-lookaside auto;
+        zone "example1" {
+                type master;
+                file "xxx";
+                update-policy local;
+        };
+};
+
+view second {
+        match-clients { any; };
+        dnssec-validation auto;
+        dnssec-lookaside auto;
+        zone "example1" {
+                type master;
+                file "yyy";
+                update-policy local;
+        };
 };
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: check.c,v 1.129 2011/04/29 21:37:15 each Exp $ */
+/* $Id: check.c,v 1.130 2011/05/05 16:13:35 each Exp $ */

 /*! \file */

@@ -2101,6 +2101,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	cfg_aclconfctx_t actx;
 	const cfg_obj_t *obj;
 	isc_boolean_t enablednssec, enablevalidation;
+	const char *valstr = "no";

 	/*
 	 * Check that all zone statements are syntactically correct and
@@ -2227,13 +2228,20 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	if (obj == NULL)
 		(void)cfg_map_get(config, "dnssec-validation", &obj);
 	if (obj == NULL)
-		enablevalidation = ISC_FALSE;	/* XXXMPA Change for 9.5. */
-	else
+		enablevalidation = ISC_TRUE;
+		valstr = "yes";
+	else if (cfg_obj_isboolean(obj)) {
 		enablevalidation = cfg_obj_asboolean(obj);
+		valstr = enablevalidation ? "yes" : "no";
+	} else {
+		enablevalidation = ISC_TRUE;
+		valstr = "auto";
+	}

 	if (enablevalidation && !enablednssec)
 		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-			    "'dnssec-validation yes;' and 'dnssec-enable no;'");
+			    "'dnssec-validation %s;' and 'dnssec-enable no;'",
+			    valstr);

 	/*
 	 * Check trusted-keys and managed-keys.