Commit de7df3e5 authored by Evan Hunt's avatar Evan Hunt

3111. [bug] Improved consistency checks for dnssec-enable and dnssec-validation, and added test cases to the checkconf system test. [RT #24398]
parent d00e9bcc
3111. [bug] Improved consistency checks for dnssec-enable and
dnssec-validation, added test cases to the
checkconf system test. [RT #24398]
3110. [bug] dnssec-signzone: Wrong error message could appear
when attempting to sign with no KSK. [RT #24369]
......
#!/bin/sh
#
# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2 2011/05/07 05:55:17 each Exp $
rm -f good.conf.in good.conf.out
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec.1,v 1.2 2011/05/07 05:55:17 each Exp $ */
options {
dnssec-enable no;
dnssec-validation yes;
};
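Review bot: dnssec.1 carries no statement of what named-checkconf is expected to report for it, so the link to the `grep 'validation yes.*enable no'` assertion in tests.sh exists only in the test script; the same applies to dnssec.2 and dnssec.3 on this page. A one-line comment after the $Id line, such as `/* expected: named-checkconf warns that dnssec-validation yes is set with dnssec-enable no */` here and `/* expected: no warnings */` in dnssec.3, records the intent in the fixture itself. The exact warning text is not visible on this page, so the comment wording should be matched to the message in check.c when it is added.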
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec.2,v 1.2 2011/05/07 05:55:17 each Exp $ */
options {
dnssec-enable no;
};
view view1 {
match-clients { any; };
dnssec-validation yes;
};
view view2 {
match-clients { none; };
dnssec-validation auto;
};
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec.3,v 1.2 2011/05/07 05:55:17 each Exp $ */
options {
dnssec-validation no;
};
view view1 {
match-clients { any; };
dnssec-enable no;
};
view view2 {
match-clients { none; };
dnssec-enable yes;
};
......@@ -14,18 +14,25 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: good.conf,v 1.8 2011/05/05 23:47:17 tbox Exp $ */
/* $Id: good.conf,v 1.9 2011/05/07 05:55:17 each Exp $ */
/*
* This is just a random selection of configuration options.
*/
/* cut here */
options {
avoid-v4-udp-ports { 100; };
avoid-v6-udp-ports { 100; };
blackhole { 10.0.0.0/8; };
coresize 1G;
datasize 100M;
avoid-v4-udp-ports {
100;
};
avoid-v6-udp-ports {
100;
};
blackhole {
10.0.0.0/8;
};
coresize 1073741824;
datasize 104857600;
deallocate-on-exit yes;
directory ".";
dump-file "named_dumpdb";
......@@ -37,9 +44,15 @@ options {
host-statistics-max 100;
hostname none;
interface-interval 30;
listen-on port 90 { any; };
listen-on port 100 { 127.0.0.1; };
listen-on-v6 port 53 { none; };
listen-on port 90 {
"any";
};
listen-on port 100 {
127.0.0.1/32;
};
listen-on-v6 port 53 {
"none";
};
match-mapped-addresses yes;
memstatistics-file "named.memstats";
multiple-cnames no;
......@@ -54,25 +67,27 @@ options {
serial-query-rate 100;
server-id none;
};
view first {
match-clients { none; };
dnssec-validation auto;
dnssec-lookaside auto;
zone "example1" {
type master;
file "xxx";
update-policy local;
};
view "first" {
match-clients {
"none";
};
zone "example1" {
type master;
file "xxx";
update-policy local;
};
dnssec-lookaside auto;
dnssec-validation auto;
};
view second {
match-clients { any; };
dnssec-validation auto;
dnssec-lookaside auto;
zone "example1" {
type master;
file "yyy";
update-policy local;
};
view "second" {
match-clients {
"any";
};
zone "example1" {
type master;
file "yyy";
update-policy local;
};
dnssec-lookaside "." trust-anchor "dlv.isc.org.";
dnssec-validation auto;
};
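Review bot: The `/* cut here */` marker is load-bearing — the awk in tests.sh on this page copies everything after it into good.conf.in, prints it through named-checkconf -p and cmp's the result — but nothing in the file says so, and the reformatting below (`avoid-v4-udp-ports { 100; };` to one element per line, `coresize 1G;` to `coresize 1073741824;`, `view first` to `view "first"`) only makes sense as matching -p's canonical output. A comment at the marker would save the next editor a failed test: `/* cut here -- everything below must be byte-identical to named-checkconf -p output; see tests.sh */`. The free-form header above the marker is not subject to that constraint, which is presumably why the cut point sits where it does.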
......@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.5 2010/06/02 01:28:40 tbox Exp $
# $Id: tests.sh,v 1.6 2011/05/07 05:55:17 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -20,7 +20,6 @@ SYSTEMTESTTOP=..
status=0
echo "I: checking that named-checkconf handles a known good config"
ret=0
$CHECKCONF good.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
......@@ -28,13 +27,26 @@ status=`expr $status + $ret`
echo "I: checking that named-checkconf prints a known good config"
ret=0
$CHECKCONF -p good.conf > /dev/null 2>&1 || ret=1
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
cmp good.conf.in good.conf.out || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking that named-checkconf handles a known bad config"
ret=0
$CHECKCONF bad.conf > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
ret=1
$CHECKCONF bad.conf > /dev/null 2>&1 || ret=0
echo "I: checking named-checkconf dnssec warnings"
ret=0
$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
$CHECKCONF dnssec.2 2>&1 | grep 'validation auto.*enable no' > /dev/null || ret=1
$CHECKCONF dnssec.2 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
# this one should have no warnings
$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
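Review bot: The `|| ret=1` on the `$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1` line only reflects grep's exit status, since a plain sh pipeline reports the last command, and the `2>&1` is attached to grep, so the `grep -v` can only ever filter named-checkconf's stdout. A named-checkconf failure is noticed only indirectly, through empty output making `grep -v` return 1 or through the following cmp. Running the two steps separately keeps the checkconf status and captures its stderr: `$CHECKCONF -p good.conf.in > good.conf.raw 2>&1 || ret=1` followed by `grep -v '^good.conf.in:' good.conf.raw > good.conf.out`, with good.conf.raw added to the `rm -f` in clean.sh on this page. The three dnssec.N greps have the same pipeline property, but there the grep result is the assertion itself, so they are fine as written.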
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.131 2011/05/05 18:04:01 each Exp $ */
/* $Id: check.c,v 1.132 2011/05/07 05:55:17 each Exp $ */
/*! \file */
......@@ -2100,9 +2100,15 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_result_t tresult = ISC_R_SUCCESS;
cfg_aclconfctx_t actx;
const cfg_obj_t *obj;
const cfg_obj_t *options = NULL;
isc_boolean_t enablednssec, enablevalidation;
const char *valstr = "no";
/*
* Get global options block
*/
(void)cfg_map_get(config, "options", &options);
/*
* Check that all zone statements are syntactically correct and
* there are no duplicate zones.
......@@ -2138,8 +2144,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
* Check that forwarding is reasonable.
*/
if (voptions == NULL) {
const cfg_obj_t *options = NULL;
(void)cfg_map_get(config, "options", &options);
if (options != NULL)
if (check_forward(options, NULL,
logctx) != ISC_R_SUCCESS)
......@@ -2153,8 +2157,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
* Check that dual-stack-servers is reasonable.
*/
if (voptions == NULL) {
const cfg_obj_t *options = NULL;
(void)cfg_map_get(config, "options", &options);
if (options != NULL)
if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
......@@ -2215,8 +2217,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-enable", &obj);
if (obj == NULL)
(void)cfg_map_get(config, "dnssec-enable", &obj);
if (obj == NULL && options != NULL)
(void)cfg_map_get(options, "dnssec-enable", &obj);
if (obj == NULL)
enablednssec = ISC_TRUE;
else
......@@ -2225,10 +2227,10 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-validation", &obj);
if (obj == NULL)
(void)cfg_map_get(config, "dnssec-validation", &obj);
if (obj == NULL && options != NULL)
(void)cfg_map_get(options, "dnssec-validation", &obj);
if (obj == NULL) {
enablevalidation = ISC_TRUE;
enablevalidation = enablednssec;
valstr = "yes";
} else if (cfg_obj_isboolean(obj)) {
enablevalidation = cfg_obj_asboolean(obj);
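Review bot: `enablednssec` and `enablevalidation` are declared without initializers in the first hunk, while the assignments that give them values sit in the last two hunks, with the `else` branch after `enablednssec = ISC_TRUE;` and the tail of the `cfg_obj_isboolean` chain outside the view; initializing both at declaration, `isc_boolean_t enablednssec = ISC_TRUE, enablevalidation = ISC_TRUE;`, keeps a later-added branch from reading an indeterminate value. The new default `enablevalidation = enablednssec;` next to `valstr = "yes";` deserves a one-line comment, since an unset dnssec-validation now follows the dnssec-enable setting instead of defaulting to true as the removed line did; something like `/* unset: validation follows dnssec-enable, so a bare "dnssec-enable no" is presumably not reported as a mismatch */`, hedged because the warning that consumes valstr is outside these hunks. check_viewconf's body begins and ends outside the hunks.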
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.136 2011/05/06 21:23:51 each Exp $ */
/* $Id: namedconf.c,v 1.137 2011/05/07 05:55:17 each Exp $ */
/*! \file */
......@@ -1130,6 +1130,24 @@ static cfg_type_t cfg_type_rpz = {
* dnssec-lookaside
*/
static void
print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj)
{
const cfg_obj_t *domain = obj->value.tuple[0];
if (domain->value.string.length == 4 &&
strncmp(domain->value.string.base, "auto", 4) == 0)
cfg_print_cstr(pctx, "auto");
else
cfg_print_tuple(pctx, obj);
}
static void
doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
UNUSED(type);
cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto )");
}
static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
static cfg_type_t cfg_type_optional_trustanchor = {
......@@ -1144,7 +1162,7 @@ static cfg_tuplefielddef_t lookaside_fields[] = {
};
static cfg_type_t cfg_type_lookaside = {
"lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
"lookaside", cfg_parse_tuple, print_lookaside, doc_lookaside,
&cfg_rep_tuple, lookaside_fields
};
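Review bot: `print_lookaside` and `doc_lookaside` use different brace placement, the former with `{` on its own line and the latter on the signature line; making `print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj) {` match its neighbour keeps the two new definitions consistent. A short comment on print_lookaside would also help, e.g. `/* "dnssec-lookaside auto" is stored as a tuple whose first field is the string "auto"; print it back in that form so -p output re-parses */` — the storage claim is inferred from the `lookaside_fields` tuple and should be confirmed against the parser. The `obj->value.tuple[0]` access assumes the first tuple field is always a string; that holds if lookaside_fields[0] is the domain string, which is defined just above the second hunk but not fully visible here.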
......