From 511bc1b8828123c67be6d5ba70c2faaaeadabc3d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 13 Apr 2021 16:45:16 +0200
Subject: [PATCH] Check for filename clashes /w dnssec-policy zones

Just like with dynamic and/or inline-signing zones, check if no two or more zone configurations set the same filename. In these cases, the zone files are not read-only and named-checkconf should catch a configuration where multiple zone statements write to the same file.

Add some bad configuration tests where KASP zones reference the same zone file.

Update the good-kasp test to allow for two zones configure the same file name, dnssec-policy none.
---
 bin/tests/system/checkconf/bad-kasp10.conf | 26 ++++++++++++++++++++
 bin/tests/system/checkconf/bad-kasp11.conf | 26 ++++++++++++++++++++
 bin/tests/system/checkconf/bad-kasp12.conf | 28 ++++++++++++++++++++++
 bin/tests/system/checkconf/bad-kasp13.conf | 26 ++++++++++++++++++++
 bin/tests/system/checkconf/bad-kasp6.conf | 25 +++++++++++++++++++
 bin/tests/system/checkconf/bad-kasp7.conf | 26 ++++++++++++++++++++
 bin/tests/system/checkconf/bad-kasp8.conf | 26 ++++++++++++++++++++
 bin/tests/system/checkconf/bad-kasp9.conf | 26 ++++++++++++++++++++
 bin/tests/system/checkconf/good-kasp.conf | 9 +++++--
 lib/bind9/check.c | 18 +++++++-------
 10 files changed, 224 insertions(+), 12 deletions(-)
 create mode 100644 bin/tests/system/checkconf/bad-kasp10.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp11.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp12.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp13.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp6.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp7.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp8.conf
 create mode 100644 bin/tests/system/checkconf/bad-kasp9.conf
diff --git a/bin/tests/system/checkconf/bad-kasp10.conf b/bin/tests/system/checkconf/bad-kasp10.conf
new file mode 100644
index 0000000000..026fb52aaa
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp10.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy 'none', one zone with dnssec-policy 'insecure',
+// both using the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "none";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp11.conf b/bin/tests/system/checkconf/bad-kasp11.conf
new file mode 100644
index 0000000000..6d5f51813e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp11.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp12.conf b/bin/tests/system/checkconf/bad-kasp12.conf
new file mode 100644
index 0000000000..3251f61874
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp12.conf
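Review bot: The diffstat lists no change to the checkconf test driver, so it is not visible here whether bad-kasp6.conf through bad-kasp13.conf are actually executed; if the driver enumerates `bad-*.conf` by glob nothing is needed, otherwise each new file needs an expected-failure entry there. Every one of these files pairs two `type master` zones on the same `example.db`, which is exactly the clash the new `has_dnssecpolicy` term in lib/bind9/check.c is meant to reject, so a file that is never run would leave that branch untested.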
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with update-policy,
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ update-policy {
+ grant * self * TXT;
+ };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp13.conf b/bin/tests/system/checkconf/bad-kasp13.conf
new file mode 100644
index 0000000000..503859ba44
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp13.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone transitioning to insecure, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp6.conf b/bin/tests/system/checkconf/bad-kasp6.conf
new file mode 100644
index 0000000000..672f4df868
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp6.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp7.conf b/bin/tests/system/checkconf/bad-kasp7.conf
new file mode 100644
index 0000000000..b7ba4a9b2e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp7.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy 'insecure' (transitioning to insecure)
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp8.conf b/bin/tests/system/checkconf/bad-kasp8.conf
new file mode 100644
index 0000000000..af4f1a3d5a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp8.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy none',
+// both with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "none";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp9.conf b/bin/tests/system/checkconf/bad-kasp9.conf
new file mode 100644
index 0000000000..7fc5370afc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp9.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy insecure'
+// (transitioning to inseure), both with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 87fdc9db58..2aa3091a8a 100644
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
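Review bot: The second line of the description comment in bad-kasp9.conf has a typo, `inseure`; it should read `// (transitioning to insecure), both with the same zone file.`. The same wording, spelled correctly, already appears in bad-kasp7.conf and bad-kasp13.conf, so the fix keeps the test descriptions consistent.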
@@ -49,8 +49,13 @@ zone "example3" {
 file "example3.db";
 dnssec-policy "default";
 };
-zone "example4" {
+zone "dnssec-policy-none-shared-zonefile1" {
 type master;
- file "example4.db";
+ file "shared.db";
+ dnssec-policy "none";
+};
+zone "dnssec-policy-none-shared-zonefile2" {
+ type master;
+ file "shared.db";
 dnssec-policy "none";
 };
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index ee00d2482a..042ede21e5 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1192,9 +1200,7 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 if (result == ISC_R_SUCCESS) {
 result = ISC_R_FAILURE;
 }
- }
-
- if (bad_name) {
+ } else if (bad_name) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 "dnssec-policy name may not be 'insecure', "
 "'none', or 'default' (which are built-in "
@@ -1202,9 +1200,9 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 if (result == ISC_R_SUCCESS) {
 result = ISC_R_FAILURE;
 }
+ } else {
+ has_dnssecpolicy = true;
 }
-
- has_dnssecpolicy = true;
 }

 obj = NULL;
@@ -3220,10 +3218,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 }

 /*
- * If the zone type is rbt/rbt64 then master/hint zones
- * require file clauses.
- * If inline signing is used, then slave zones require a
- * file clause as well
+ * If the zone type is rbt/rbt64 then master/hint zones require file
+ * clauses. If inline-signing is used, then slave zones require a
+ * file clause as well.
 */
 obj = NULL;
 dlz = false;
@@ -3261,7 +3258,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 result = tresult;
 } else if (tresult == ISC_R_SUCCESS &&
 (ztype == CFG_ZONE_SLAVE ||
- ztype == CFG_ZONE_MIRROR || ddns))
+ ztype == CFG_ZONE_MIRROR || ddns ||
+ has_dnssecpolicy))
 {
 tresult = fileexist(fileobj, files, true, logctx);
 if (tresult != ISC_R_SUCCESS) {
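Review bot: Turning the two checks into an `if … else if (bad_name) … else` chain means a configuration that trips both the first condition and `bad_name` now logs only the first message, whereas before both errors were reported; the branches that set these flags are above the hunk, so if they are mutually exclusive this is harmless, otherwise keep the two checks as separate `if` statements and only guard the assignment, e.g. `if (!bad_name && <first condition>) { has_dnssecpolicy = true; }` with the real first condition in place of the placeholder. The same chain continues in the next hunk (`-1202,9 +1200,9`), where `has_dnssecpolicy = true` moves into the final `else`. check_options starts and ends outside both hunks.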
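Review bot: The reworded comment in the `-3220,10` hunk still names only inline-signing as the case that needs a file clause, while the `else if` in the following hunk now also treats `ddns` and `has_dnssecpolicy` zones as zones whose file is checked with `fileexist(..., true, ...)`; a reader arriving here will not learn that from the comment. Suggest adding one sentence after "file clause as well.", such as ` * Dynamic, inline-signed and dnssec-policy zones write to their zone file, so that file may not be shared with another zone.`, which is the rationale the commit message gives. check_zoneconf starts and ends outside the hunk.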
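Review bot: The new `has_dnssecpolicy` term in the `-3261,7` hunk only gives the intended result if the flag stays false for `dnssec-policy "none"`, because good-kasp.conf in this same commit deliberately lets two `none` zones share `shared.db` while bad-kasp8.conf and bad-kasp10.conf expect `none` paired with `default` or `insecure` to be rejected; the only assignment visible in this diff is the unconditional `has_dnssecpolicy = true` in check_options' final `else`, and the `none` handling is not in view. Confirm that `none` is excluded before this point and record it on the condition, e.g. `/* has_dnssecpolicy is false for dnssec-policy "none", so static zones may still share a file */`. check_zoneconf starts and ends outside the hunk.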