conf: warn if whole zonefile-load + automatic DNSSEC signing + ACL transfer

Relates to #572

conf: warn if whole zonefile-load + automatic DNSSEC signing + ACL transfer
4fbcaf75 · Mark Karpilovskij · Daniel Salzman · f92db44f · 4fbcaf75 · 4fbcaf75
Commit 4fbcaf75 authored 7 years ago by Mark Karpilovskij Committed by Daniel Salzman 7 years ago
--- a/src/knot/conf/tools.c
+++ b/src/knot/conf/tools.c
@@ -31,6 +31,7 @@
 #include "knot/conf/module.h"
 #include "knot/conf/schema.h"
 #include "knot/common/log.h"
+#include "knot/updates/acl.h"
 #include "libknot/errcode.h"
 #include "libknot/yparser/yptrafo.h"
 #include "contrib/string.h"
@@ -423,6 +424,39 @@ int check_template(
 int check_zone(
 	knotd_conf_check_args_t *args)
 {
+	const knot_dname_t *zone = args->id;
+
+	// Check for dnssec_signing + zonefile_load whole + acl transfer.
+	conf_val_t dnssec = conf_zone_get_txn(args->extra->conf, args->extra->txn,
+	                                      C_DNSSEC_SIGNING, zone);
+	conf_val_t zf_load = conf_zone_get_txn(args->extra->conf, args->extra->txn,
+		                               C_ZONEFILE_LOAD, zone);
+	if (conf_bool(&dnssec) && conf_opt(&zf_load) == ZONEFILE_LOAD_WHOLE) {
+		conf_val_t acl = conf_zone_get_txn(args->extra->conf, args->extra->txn,
+		                                   C_ACL, zone);
+		bool stop = false;
+		while (acl.code == KNOT_EOK && !stop) {
+			conf_val_t action = conf_id_get_txn(args->extra->conf,
+			                                    args->extra->txn,
+			                                    C_ACL, C_ACTION, &acl);
+			while (action.code == KNOT_EOK) {
+				if (conf_opt(&action) != ACL_ACTION_TRANSFER) {
+					conf_val_next(&action);
+					continue;
+				}
+
+				CONF_LOG_ZONE(LOG_NOTICE, zone,
+				         "zone file change with DNSSEC signing can "
+				         "result in malformed outgoing IXFR, consider "
+				         "zone.zonefile-load setting");
+				stop = true;
+				break;
+			}
+
+			conf_val_next(&acl);
+		}
+	}
+
 	return KNOT_EOK;
 }


--- a/tests/knot/test_confio.c
+++ b/tests/knot/test_confio.c
@@ -938,10 +938,15 @@ static const yp_item_t desc_remote[] = {
 	{ NULL }
 };

+static const knot_lookup_t zonefile_load[] = {
+	{ 0, NULL }
+};
+
 #define ZONE_ITEMS \
 	{ C_FILE,           YP_TSTR,  YP_VNONE }, \
 	{ C_MASTER,         YP_TREF,  YP_VREF = { C_RMT }, YP_FMULTI, { check_ref } }, \
 	{ C_DNSSEC_SIGNING, YP_TBOOL, YP_VNONE }, \
+	{ C_ZONEFILE_LOAD,  YP_TOPT,  YP_VOPT = { zonefile_load, ZONEFILE_LOAD_WHOLE } }, \
 	{ C_COMMENT,        YP_TSTR,  YP_VNONE },

 static const yp_item_t desc_template[] = {