From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 3 Jun 2020 14:42:11 +0200
Subject: [PATCH] Change the invalid CIDR from parser error to warning
In [RT #43367], BIND 9 changed the strictness of address / prefix
length checks:
Check prefixes in acls to make sure the address and
prefix lengths are consistent. Warn only in
BIND 9.11 and earlier.
Unfortunately, a regression slipped in and the check was also made an
error in BIND 9.11. This commit fixes the regression by turning
the error into a warning.
---
bin/tests/system/checkconf/tests.sh | 9 +++++++++
...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
lib/isccfg/parser.c | 9 ---------
util/copyrights | 2 +-
4 files changed, 20 insertions(+), 12 deletions(-)
rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 85fb4839e9..d2b0daa35c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "check that invalid address/prefix length generates a warning ($n)"
+ret=0
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
+[ "$LINES" -eq 8 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
ret=0
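Review bot: The expected count in `[ "$LINES" -eq 8 ] || ret=1` is unexplained, and the renamed fixture lists only four mismatched prefixes; presumably each entry is reported twice, but nothing in the test says so. A comment above the check, for example `# 4 prefixes in allow-update, each reported twice` (adjusted to the real reason), would stop a later change in warning emission from being "fixed" by editing the number. The message text being grepped is removed from lib/isccfg/parser.c in this same commit, so the test depends on another emitter that is not visible in this patch. `LINES` is also a name some shells set themselves to the terminal height, so a local name such as `warnings` is safer.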
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
similarity index 70%
rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
index 2c768c7e1a..5e3bc3f6ee 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
@@ -9,6 +9,14 @@
* information regarding copyright ownership.
*/
-acl myacl {
- 127.1/8; /* No-zero bits */
+zone example {
+ type master;
+ file "example.db";
+ auto-dnssec maintain;
+ allow-update {
+ 192.0.2.64/24;
+ 192.0.2.128/24;
+ 198.51.100.255/24;
+ 203.0.113.2/24;
+ };
};
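Review bot: The rewritten fixture drops the only `acl` case (`acl myacl { 127.1/8; }`) and now exercises mismatched prefixes only inside `allow-update`, all of them IPv4 with a /24. Since the commit message is about prefixes in ACLs, keeping an `acl` block and adding an IPv6 entry would cover the contexts operators rely on for access control; the count of 8 asserted in tests.sh would need adjusting to match. Once such an entry is accepted with only a warning, the test does not pin down which clients it matches, which matters for a list that gates dynamic updates. A comment above the list, e.g. `/* host bits set beyond the prefix length: must load with a warning, not an error */`, would document that these values are intentional. The file's licence header starts outside this hunk.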
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index e2af054661..44a1dfc37a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
"invalid prefix length");
return (ISC_R_RANGE);
}
- result = isc_netaddr_prefixok(&netaddr, prefixlen);
- if (result != ISC_R_SUCCESS) {
- char buf[ISC_NETADDR_FORMATSIZE + 1];
- isc_netaddr_format(&netaddr, buf, sizeof(buf));
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
- "'%s/%u': address/prefix length "
- "mismatch", buf, prefixlen);
- return (ISC_R_FAILURE);
- }
} else {
if (expectprefix) {
cfg_parser_error(pctx, CFG_LOG_NEAR,
--
GitLab