Add an option to disable ZONEVERSION responses

The option provide-zoneversion controls whether ZONEVERSION is returned. This applies to primary, secondary and mirror zones.
2025-04-18 09:44:09 +03:00 · 2024-08-29 09:43:21 +10:00 · 2024-08-29 09:43:21 +10:00 · 9428e32b13
commit 9428e32b13
parent 480122f988
10 changed files with 26 additions and 1 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -240,6 +240,7 @@ options {\n\
 	notify yes;\n\
 	notify-delay 5;\n\
 	notify-to-soa no;\n\
+	provide-zoneversion yes;\n\
 	send-report-channel .;\n\
 	serial-update-method increment;\n\
 	sig-signing-nodes 100;\n\
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -1227,6 +1227,12 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			dns_zone_setkasp(zone, NULL);
 		}

+		obj = NULL;
+		result = named_config_get(maps, "provide-zoneversion", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_ZONEVERSION,
+				   cfg_obj_asboolean(obj));
+
 		obj = NULL;
 		result = named_config_get(maps, "notify", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -2165,6 +2165,14 @@ Boolean Options
   ultimate primary should be set to still send NOTIFY messages to all the name servers
   listed in the NS RRset.

+.. namedconf:statement:: provide-zoneversion
+   :tags: transfer
+   :short: Controls the return EDNS ZONEVERSION answers.
+
+   If ``yes`` EDNS ZONEVERSION answers will be returned otherwise
+   not for primary, secondary and mirror zones.  The default is
+   ``yes``.
+
 .. namedconf:statement:: recursion
   :tags: query
   :short: Defines whether recursion and caching are allowed.
@ -5613,6 +5621,7 @@ and :namedconf:ref:`options` blocks:
   - :namedconf:ref:`notify-source-v6`
   - :namedconf:ref:`notify-source`
   - :namedconf:ref:`provide-ixfr`
+   - :namedconf:ref:`provide-zoneversion`
   - :namedconf:ref:`query-source-v6`
   - :namedconf:ref:`query-source`
   - :namedconf:ref:`request-expire`
--- a/doc/misc/mirror.zoneopt
+++ b/doc/misc/mirror.zoneopt
@ -33,6 +33,7 @@ zone <string> [ <class> ] {
 	notify-source ( <ipv4_address> | * );
 	notify-source-v6 ( <ipv6_address> | * );
 	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	provide-zoneversion <boolean>;
 	request-expire <boolean>;
 	request-ixfr <boolean>;
 	request-ixfr-max-diffs <integer>;
--- a/doc/misc/options
+++ b/doc/misc/options
@ -226,6 +226,7 @@ options {
 	preferred-glue <string>;
 	prefetch <integer> [ <integer> ];
 	provide-ixfr <boolean>;
+	provide-zoneversion <boolean>;
 	qname-minimization ( strict | relaxed | disabled | off );
 	query-source [ address ] ( <ipv4_address> | * | none );
 	query-source-v6 [ address ] ( <ipv6_address> | * | none );
@ -511,6 +512,7 @@ view <string> [ <class> ] {
 	preferred-glue <string>;
 	prefetch <integer> [ <integer> ];
 	provide-ixfr <boolean>;
+	provide-zoneversion <boolean>;
 	qname-minimization ( strict | relaxed | disabled | off );
 	query-source [ address ] ( <ipv4_address> | * | none );
 	query-source-v6 [ address ] ( <ipv6_address> | * | none );
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@ -51,6 +51,7 @@ zone <string> [ <class> ] {
 	parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
 	parental-source ( <ipv4_address> | * );
 	parental-source-v6 ( <ipv6_address> | * );
+	provide-zoneversion <boolean>;
 	send-report-channel <string>;
 	serial-update-method ( date | increment | unixtime );
 	sig-signing-nodes <integer>;
--- a/doc/misc/secondary.zoneopt
+++ b/doc/misc/secondary.zoneopt
@ -50,6 +50,7 @@ zone <string> [ <class> ] {
 	parental-source ( <ipv4_address> | * );
 	parental-source-v6 ( <ipv6_address> | * );
 	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
+	provide-zoneversion <boolean>;
 	request-expire <boolean>;
 	request-ixfr <boolean>;
 	request-ixfr-max-diffs <integer>;
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@ -102,6 +102,7 @@ typedef enum {
 	DNS_ZONEOPT_CHECKTTL = 1 << 28,	      /*%< check max-zone-ttl */
 	DNS_ZONEOPT_AUTOEMPTY = 1 << 29,      /*%< automatic empty zone */
 	DNS_ZONEOPT_CHECKSVCB = 1 << 30,      /*%< check SVBC records */
+	DNS_ZONEOPT_ZONEVERSION = 1U << 31,   /*%< enable zoneversion */
 	DNS_ZONEOPT___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
 } dns_zoneopt_t;

--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -1508,7 +1508,8 @@ dns_zone_getzoneversion(dns_zone_t *zone, isc_buffer_t *b) {

 	LOCK_ZONE(zone);
 	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL) {
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_ZONEVERSION) && zone->db != NULL)
+	{
 		result = dns_db_getzoneversion(zone->db, b);
 		if (result == ISC_R_NOTIMPLEMENTED) {
 			result = zone_get_from_db(zone, zone->db, NULL,
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -2355,6 +2355,8 @@ static cfg_clausedef_t zone_clauses[] = {
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 	{ "parental-source-v6", &cfg_type_sockaddr6wild,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "provide-zoneversion", &cfg_type_boolean,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
 	{ "send-report-channel", &cfg_type_astring,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 	{ "request-expire", &cfg_type_boolean,