From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 3 Jun 2020 14:42:11 +0200
Subject: [PATCH] Change the invalid CIDR from parser error to warning

In [RT #43367], the BIND 9 changed the strictness of address / prefix length checks: Check prefixes in acls to make sure the address and prefix lengths are consistent. Warn only in BIND 9.11 and earlier. Unfortunately, a regression slipped in and the check was made an error also in the BIND 9.11. This commit fixes the regression, but turning the error into a warning.
---
 bin/tests/system/checkconf/tests.sh | 9 +++++++++
 ...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
 lib/isccfg/parser.c | 9 ---------
 util/copyrights | 2 +-
 4 files changed, 20 insertions(+), 12 deletions(-)
 rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)

diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 85fb4839e9..d2b0daa35c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that invalid address/prefix length generates a warning ($n)"
+ret=0
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
+[ "$LINES" -eq 8 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
 ret=0
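Review bot: The expected count in `[ "$LINES" -eq 8 ] || ret=1` is unexplained, while the renamed fixture lists only four mismatched prefixes; a comment stating why each prefix is expected to be reported twice (if that is the reason) would keep the check maintainable when the fixture or the number of reporting passes changes. `LINES` is also a name the shell may manage itself for the terminal height, so a private name such as `matches=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1` avoids any clash. The added command sends stderr to `/dev/null`, so a warning written there would not be counted and a failing run leaves no diagnostics in `checkconf.out$n`; capturing both streams would make failures easier to triage.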
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
similarity index 70%
rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
index 2c768c7e1a..5e3bc3f6ee 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
@@ -9,6 +9,14 @@
 * information regarding copyright ownership.
 */
 
-acl myacl {
- 127.1/8; /* No-zero bits */
+zone example {
+ type master;
+ file "example.db";
+ auto-dnssec maintain;
+ allow-update {
+ 192.0.2.64/24;
+ 192.0.2.128/24;
+ 198.51.100.255/24;
+ 203.0.113.2/24;
+ };
 };
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index e2af054661..44a1dfc37a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
 "invalid prefix length");
 return (ISC_R_RANGE);
 }
- result = isc_netaddr_prefixok(&netaddr, prefixlen);
- if (result != ISC_R_SUCCESS) {
- char buf[ISC_NETADDR_FORMATSIZE + 1];
- isc_netaddr_format(&netaddr, buf, sizeof(buf));
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
- "'%s/%u': address/prefix length "
- "mismatch", buf, prefixlen);
- return (ISC_R_FAILURE);
- }
 } else {
 if (expectprefix) {
 cfg_parser_error(pctx, CFG_LOG_NEAR,
-- 
GitLab
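Review bot: The replacement fixture covers only IPv4 entries inside a zone's `allow-update` list, so the cases the renamed file used to exercise, a named `acl` block and the short dotted form `127.1/8`, are no longer tested by anything visible in this patch, and no IPv6 prefix is covered either. Since the commit message speaks of prefixes in acls, keeping `acl myacl { 127.1/8; };` in the fixture (with the expected count in tests.sh adjusted) would retain that path. A short comment above `allow-update` saying that every entry deliberately has host bits set beyond the /24 would also make the intent of the fixture clear.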
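Review bot: No `cfg_parser_warning()` call replaces the deleted `isc_netaddr_prefixok()` check in `cfg_parse_netprefix`, so on this page the parser stops reporting the mismatch altogether instead of downgrading it; the warning counted by the new test presumably comes from a check outside this patch. A prefix such as `192.0.2.64/24` in `allow-update` is now accepted at load time, which leaves that warning as the operator's only signal that the ACL may not match the range they intended. It is therefore worth confirming that the warning is emitted on every load path and not only under named-checkconf. If nothing else reports it, the block could stay with `cfg_parser_error` changed to `cfg_parser_warning(pctx, CFG_LOG_NOPREP, "'%s/%u': address/prefix length mismatch", buf, prefixlen);` and the `return (ISC_R_FAILURE);` dropped. Otherwise a comment after the prefix-length range check naming where the mismatch is reported would document why the parser is deliberately lenient; the function body starts and ends outside this hunk.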