3111. [bug] Improved consistency checks for dnssec-enable and

                        dnssec-validation, added test cases to the
                        checkconf system test. [RT #24398]

CHANGES

+3111.   [bug]           Improved consistency checks for dnssec-enable and
+                        dnssec-validation, added test cases to the
+                        checkconf system test. [RT #24398]
+
 3110.	[bug]		dnssec-signzone: Wrong error message could appear
 			when attempting to sign with no KSK. [RT #24369]
 

bin/tests/system/checkconf/clean.sh

+#!/bin/sh
+#
+# Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2011/05/07 05:55:17 each Exp $
+
+rm -f good.conf.in good.conf.out

bin/tests/system/checkconf/dnssec.1

+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.1,v 1.2 2011/05/07 05:55:17 each Exp $ */
+
+options {
+        dnssec-enable no;
+        dnssec-validation yes;
+};

bin/tests/system/checkconf/dnssec.2

+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.2,v 1.2 2011/05/07 05:55:17 each Exp $ */
+
+options {
+        dnssec-enable no;
+};
+
+view view1 {
+        match-clients { any; };
+        dnssec-validation yes;
+};
+
+view view2 {
+        match-clients { none; };
+        dnssec-validation auto;
+};

bin/tests/system/checkconf/dnssec.3

+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.3,v 1.2 2011/05/07 05:55:17 each Exp $ */
+
+options {
+        dnssec-validation no;
+};
+
+view view1 {
+        match-clients { any; };
+        dnssec-enable no;
+};
+
+view view2 {
+        match-clients { none; };
+        dnssec-enable yes;
+};

bin/tests/system/checkconf/good.conf

@@ -14,18 +14,25 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: good.conf,v 1.8 2011/05/05 23:47:17 tbox Exp $ */
+/* $Id: good.conf,v 1.9 2011/05/07 05:55:17 each Exp $ */
 
 /*
  * This is just a random selection of configuration options.
  */
 
+/* cut here */
 options {
-	avoid-v4-udp-ports { 100; };
-	avoid-v6-udp-ports { 100; };
-	blackhole { 10.0.0.0/8; };
-	coresize 1G;
-	datasize 100M;
+	avoid-v4-udp-ports {
+		100;
+	};
+	avoid-v6-udp-ports {
+		100;
+	};
+	blackhole {
+		10.0.0.0/8;
+	};
+	coresize 1073741824;
+	datasize 104857600;
 	deallocate-on-exit yes;
 	directory ".";
 	dump-file "named_dumpdb";
@@ -37,9 +44,15 @@ options {
 	host-statistics-max 100;
 	hostname none;
 	interface-interval 30;
-	listen-on port 90 { any; };
-	listen-on port 100 { 127.0.0.1; };
-	listen-on-v6 port 53 { none; };
+	listen-on port 90 {
+		"any";
+	};
+	listen-on port 100 {
+		127.0.0.1/32;
+	};
+	listen-on-v6 port 53 {
+		"none";
+	};
 	match-mapped-addresses yes;
 	memstatistics-file "named.memstats";
 	multiple-cnames no;
@@ -54,25 +67,27 @@ options {
 	serial-query-rate 100;
 	server-id none;
 };
-
-view first {
-        match-clients { none; };
-        dnssec-validation auto;
-        dnssec-lookaside auto;
-        zone "example1" {
-                type master;
-                file "xxx";
-                update-policy local;
-        };
+view "first" {
+	match-clients {
+		"none";
+	};
+	zone "example1" {
+		type master;
+		file "xxx";
+		update-policy local;
+	};
+	dnssec-lookaside auto;
+	dnssec-validation auto;
 };
-
-view second {
-        match-clients { any; };
-        dnssec-validation auto;
-        dnssec-lookaside auto;
-        zone "example1" {
-                type master;
-                file "yyy";
-                update-policy local;
-        };
+view "second" {
+	match-clients {
+		"any";
+	};
+	zone "example1" {
+		type master;
+		file "yyy";
+		update-policy local;
+	};
+	dnssec-lookaside "." trust-anchor "dlv.isc.org.";
+	dnssec-validation auto;
 };

bin/tests/system/checkconf/tests.sh

@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.5 2010/06/02 01:28:40 tbox Exp $
+# $Id: tests.sh,v 1.6 2011/05/07 05:55:17 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -20,7 +20,6 @@ SYSTEMTESTTOP=..
 status=0
 
 echo "I: checking that named-checkconf handles a known good config"
-
 ret=0
 $CHECKCONF good.conf > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -28,13 +27,26 @@ status=`expr $status + $ret`
 
 echo "I: checking that named-checkconf prints a known good config"
 ret=0
-$CHECKCONF -p good.conf > /dev/null 2>&1 || ret=1
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
+[ -s good.conf.in ] || ret=1
+$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
+cmp good.conf.in good.conf.out || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+
 echo "I: checking that named-checkconf handles a known bad config"
+ret=0
+$CHECKCONF bad.conf > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
 
-ret=1
-$CHECKCONF bad.conf > /dev/null 2>&1 || ret=0
+echo "I: checking named-checkconf dnssec warnings"
+ret=0
+$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
+$CHECKCONF dnssec.2 2>&1 | grep 'validation auto.*enable no' > /dev/null || ret=1
+$CHECKCONF dnssec.2 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
+# this one should have no warnings
+$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 

lib/bind9/check.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.131 2011/05/05 18:04:01 each Exp $ */
+/* $Id: check.c,v 1.132 2011/05/07 05:55:17 each Exp $ */
 
 /*! \file */
 
@@ -2100,9 +2100,15 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	isc_result_t tresult = ISC_R_SUCCESS;
 	cfg_aclconfctx_t actx;
 	const cfg_obj_t *obj;
+	const cfg_obj_t *options = NULL;
 	isc_boolean_t enablednssec, enablevalidation;
 	const char *valstr = "no";
 
+	/*
+	 * Get global options block
+	 */
+	(void)cfg_map_get(config, "options", &options);
+
 	/*
 	 * Check that all zone statements are syntactically correct and
 	 * there are no duplicate zones.
@@ -2138,8 +2144,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	 * Check that forwarding is reasonable.
 	 */
 	if (voptions == NULL) {
-		const cfg_obj_t *options = NULL;
-		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_forward(options, NULL,
 					  logctx) != ISC_R_SUCCESS)
@@ -2153,8 +2157,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	 * Check that dual-stack-servers is reasonable.
 	 */
 	if (voptions == NULL) {
-		const cfg_obj_t *options = NULL;
-		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
 				result = ISC_R_FAILURE;
@@ -2215,8 +2217,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	obj = NULL;
 	if (voptions != NULL)
 		(void)cfg_map_get(voptions, "dnssec-enable", &obj);
-	if (obj == NULL)
-		(void)cfg_map_get(config, "dnssec-enable", &obj);
+	if (obj == NULL && options != NULL)
+		(void)cfg_map_get(options, "dnssec-enable", &obj);
 	if (obj == NULL)
 		enablednssec = ISC_TRUE;
 	else
@@ -2225,10 +2227,10 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	obj = NULL;
 	if (voptions != NULL)
 		(void)cfg_map_get(voptions, "dnssec-validation", &obj);
-	if (obj == NULL)
-		(void)cfg_map_get(config, "dnssec-validation", &obj);
+	if (obj == NULL && options != NULL)
+		(void)cfg_map_get(options, "dnssec-validation", &obj);
 	if (obj == NULL) {
-		enablevalidation = ISC_TRUE;
+		enablevalidation = enablednssec;
 		valstr = "yes";
 	} else if (cfg_obj_isboolean(obj)) {
 		enablevalidation = cfg_obj_asboolean(obj);

lib/isccfg/namedconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.136 2011/05/06 21:23:51 each Exp $ */
+/* $Id: namedconf.c,v 1.137 2011/05/07 05:55:17 each Exp $ */
 
 /*! \file */
 
@@ -1130,6 +1130,24 @@ static cfg_type_t cfg_type_rpz = {
  * dnssec-lookaside
  */
 
+static void
+print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj)
+{
+	const cfg_obj_t *domain = obj->value.tuple[0];
+
+	if (domain->value.string.length == 4 &&
+	    strncmp(domain->value.string.base, "auto", 4) == 0)
+		cfg_print_cstr(pctx, "auto");
+	else
+		cfg_print_tuple(pctx, obj);
+}
+
+static void
+doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto )");
+}
+
 static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
 
 static cfg_type_t cfg_type_optional_trustanchor = {
@@ -1144,7 +1162,7 @@ static cfg_tuplefielddef_t lookaside_fields[] = {
 };
 
 static cfg_type_t cfg_type_lookaside = {
-	"lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	"lookaside", cfg_parse_tuple, print_lookaside, doc_lookaside,
 	&cfg_rep_tuple, lookaside_fields
 };