Still start if inline-signing and dyn. updates are not set

Attempts to modify behaviour done in 9.16.33. It requires explicit
specification of inline-signing yes for any zone, which has specified
dnssec-policy. For primary zones also when  allow-update and
update-policy are disabled. Turn it into warning only on RHEL builds,
do not prevent starting of named.

That should roughly emulate error message present on 9.16.23:
'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on
a non-dynamic DNS zone.

But point a link into upstream KB article in any case. This has appeared
only when inline-signing were specified in a zone block. For that case
make it still fatal, but with new message.

https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#known-issues

Related to upstream commit 30fceec069ae0942749e6aa783f67756e82fcaae.

Resolves: RHEL-6454
This commit is contained in:
Petr Menšík 2024-07-18 20:00:39 +02:00 committed by Fedor Vorobev
parent 852e1cb6c3
commit fa95441ced
2 changed files with 73 additions and 0 deletions

View File

@ -0,0 +1,70 @@
From fb3761d9b1ca804fd6c2acabe42745f9ee79bac0 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 18 Jul 2024 19:36:04 +0200
Subject: [PATCH] Do not block start if inline-signing and dyn. updates are not
set
Attempts to modify behaviour done in 9.16.33. It requires explicit
specification of inline-signing yes for any zone, which has specified
dnssec-policy. For primary zones also when allow-update and
update-policy are disabled. Turn it into warning only on RHEL builds,
do not prevent starting of named.
That should roughly emulate error message present on 9.16.23:
'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on
a non-dynamic DNS zone.
But point a link into upstream KB article in any case. This has appeared
only when inline-signing were specified in a zone block. For that case
make it still fatal, but with new message.
https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#known-issues
Related to upstream commit 30fceec069ae0942749e6aa783f67756e82fcaae.
---
lib/bind9/check.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index ee64543..01c03d3 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2951,20 +2951,32 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
}
if (has_dnssecpolicy) {
+ /* Red Hat downstream change. Warn only about inline-signing
+ * if inline-signing is not present in zone definition.
+ * But fail hard if present, but disabled, like before. */
if (!ddns && !signing) {
- cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
- "'inline-signing yes;' must also "
+ const char *verb = "should";
+ int log_lvl = ISC_LOG_WARNING;
+
+ if (res1 == ISC_R_SUCCESS) {
+ verb = "must";
+ log_lvl = ISC_LOG_ERROR;
+ result = ISC_R_FAILURE;
+ }
+
+ cfg_obj_log(kasp, logctx, log_lvl,
+ "'inline-signing yes;' %s also "
"be configured explicitly for "
"zones using dnssec-policy%s. See "
"https://kb.isc.org/docs/"
"dnssec-policy-requires-dynamic-"
"dns-or-inline-signing",
+ verb,
(ztype == CFG_ZONE_PRIMARY)
? " without a configured "
"'allow-update' or "
"'update-policy'"
: "");
- result = ISC_R_FAILURE;
}
}
--
2.45.2

View File

@ -105,6 +105,8 @@ Patch137:bind-9.11-kyua-pkcs11.patch
Patch157:bind-9.11-fips-tests.patch
Patch164:bind-9.11-rh1666814.patch
# Downstream, make error only warning
Patch165: bind-9.16-RH-inline-signing.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/26c9da5f2857b72077c17e06ac79f068c63782cc
# https://gitlab.isc.org/isc-projects/bind9/commit/c5ebda6deb0997dc520b26fa0639891459de5cb6
# https://gitlab.isc.org/isc-projects/bind9/commit/d56d2a32b861e81c2aaaabd309c4c58b629ede32
@ -1219,6 +1221,7 @@ fi;
%changelog
* Mon Mar 16 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.50-1
- Update to 9.16.50 (RHEL-6454)
- Allow starting without inline-signing and dnssec-policy
* Mon May 25 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-44
- Fix GSS-API resource leak (CVE-2026-3039)