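diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 8538ca8..0ab0049 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -251,7 +251,7 @@ so that include directives in the configuration file are processed as if run by
 .PP
 \-T \fImode\fR
 .RS 4
-Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
+Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are
 \fB"warn"\fR
 (default),
 \fB"ignore"\fR.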
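diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index ea37fa2..e78d574 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -408,10 +408,10 @@
 <term>-T <replaceable class="parameter">mode</replaceable></term>
 <listitem>
 <para>
- Check if Sender Policy Framework records (TXT and SPF)
- both exist or both don't exist. A warning is issued
- if they don't match. Possible modes are
- <command>"warn"</command> (default), <command>"ignore"</command>.
+ Check if Sender Policy Framework (SPF) records exist
+ and issues a warning if an SPF-formatted TXT record is
+ not also present. Possible modes are <command>"warn"</command>
+ (default), <command>"ignore"</command>.
 </para>
 </listitem>
 </varlistentry>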
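diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index 2353c14..7d9192e 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@@ -44,12 +44,12 @@ echo "I:checking with spf warnings ($n)"
 ret=0
 $CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1
 $CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1
-grep "'x.example' found SPF/TXT" test.out1.$n > /dev/null || ret=1
-grep "'y.example' found SPF/SPF" test.out1.$n > /dev/null || ret=1
-grep "'example' found SPF/" test.out1.$n > /dev/null && ret=1
-grep "'x.example' found SPF/" test.out2.$n > /dev/null && ret=1
-grep "'y.example' found SPF/" test.out2.$n > /dev/null && ret=1
-grep "'example' found SPF/" test.out2.$n > /dev/null && ret=1
+grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1
+grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1
+grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
+grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
+grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
+grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`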
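diff --git a/bin/tests/system/spf/tests.sh b/bin/tests/system/spf/tests.sh
index 6acd283..3da6e2e 100644
--- a/bin/tests/system/spf/tests.sh
+++ b/bin/tests/system/spf/tests.sh
@@ -24,19 +24,16 @@ echo "I:checking that SPF warnings have been correctly generated ($n)"
 ret=0
 
 grep "zone spf/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
-grep "'x.spf' found SPF/TXT" ns1/named.run > /dev/null || ret=1
-grep "'y.spf' found SPF/SPF" ns1/named.run > /dev/null || ret=1
-grep "'spf' found SPF/" ns1/named.run > /dev/null && ret=1
+grep "'y.spf' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'spf' found type SPF" ns1/named.run > /dev/null && ret=1
 
 grep "zone warn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
-grep "'x.warn' found SPF/TXT" ns1/named.run > /dev/null || ret=1
-grep "'y.warn' found SPF/SPF" ns1/named.run > /dev/null || ret=1
-grep "'warn' found SPF/" ns1/named.run > /dev/null && ret=1
+grep "'y.warn' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'warn' found type SPF" ns1/named.run > /dev/null && ret=1
 
 grep "zone nowarn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
-grep "'x.nowarn' found SPF/" ns1/named.run > /dev/null && ret=1
-grep "'y.nowarn' found SPF/" ns1/named.run > /dev/null && ret=1
-grep "'nowarn' found SPF/" ns1/named.run > /dev/null && ret=1
+grep "'y.nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
+grep "'nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`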
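Review bot: The x.spf, x.warn and x.nowarn assertions are dropped entirely rather than inverted, so this test no longer proves the new behaviour that a TXT-only name must not warn; the checkzone test in the same commit keeps `grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1` as a negative check, and the three zones here should do the same. Add `grep "'x.spf' found type SPF" ns1/named.run > /dev/null && ret=1` after the spf line, and the matching `'x.warn'` and `'x.nowarn'` lines in the other two groups. Without them a regression that reintroduces the old TXT-without-SPF warning would pass this test unnoticed.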
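diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 96c9faf..bd42e11 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4750,7 +4750,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
 <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
 <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
- <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional>
 <optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional>
 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
@@ -6573,10 +6573,13 @@ options {
 The default is <command>yes</command>.
 </para>
 <para>
- Check that the two forms of Sender Policy Framework
- records (TXT records starting with "v=spf1" and SPF) either
- both exist or both don't exist. Warnings are
- emitted it they don't and be suppressed with
+ The use of the SPF record for publishing Sender
+ Policy Framework is deprecated as the migration
+ from using TXT records to SPF records was abandoned.
+ Enabling this option also checks that a TXT Sender
+ Policy Framework record exists (starts with "v=spf1")
+ if there is an SPF record. Warnings are emitted if the
+ TXT record does not exist and can be suppressed with
 <command>check-spf</command>.
 </para>
 </listitem>
@@ -6618,11 +6621,11 @@ options {
 <term><command>check-spf</command></term>
 <listitem>
 <para>
- When performing integrity checks, check that the
- two forms of Sender Policy Framwork records (TXT
- records starting with "v=spf1" and SPF) both exist
- or both don't exist and issue a warning if not
- met. The default is <command>warn</command>.
+ If <command>check-integrity</command> is set then
+ check that there is a TXT Sender Policy Framework
+ record present (starts with "v=spf1") if there is an
+ SPF record present. The default is
+ <command>warn</command>.
 </para>
 </listitem>
 </varlistentry>
@@ -10372,7 +10375,7 @@ view "external" {
 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
 <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
- <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional>
 <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
 <optional> file <replaceable>string</replaceable> ; </optional>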
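diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 86fad98..08c6d10 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -2612,8 +2612,8 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 
 checkspf:
 /*
- * Check if there is a type TXT spf record without a type SPF
- * RRset being present.
+ * Check if there is a type SPF record without an
+ * SPF-formatted type TXT record also being present.
 */
 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF))
 goto next;
@@ -2642,16 +2642,13 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 dns_rdataset_disassociate(&rdataset);
 
 notxt:
- if (have_spf != have_txt) {
+ if (have_spf && !have_txt) {
 char namebuf[DNS_NAME_FORMATSIZE];
- const char *found = have_txt ? "TXT" : "SPF";
- const char *need = have_txt ? "SPF" : "TXT";
 
 dns_name_format(name, namebuf, sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found SPF/%s "
- "record but no SPF/%s record found, add "
- "matching type %s record", namebuf, found,
- need, need);
+ dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found type "
+ "SPF record but no SPF TXT record found, "
+ "add matching type TXT record", namebuf);
 }
 
 next: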
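Review bot: With the condition narrowed to `if (have_spf && !have_txt)`, the value of have_txt only matters once have_spf is set, yet the TXT RRset lookup that (presumably) computes it, between the two hunks and outside this view, still runs for every name; if that lookup serves no other purpose, an early `goto next` when !have_spf would avoid a per-name TXT scan under check-integrity on large zones. The comment at `checkspf:` states what is checked but not why only this direction warns; consider extending it with `* The SPF RR type is deprecated (RFC 7208); TXT is authoritative, so only an SPF record lacking its TXT counterpart is reported.` integrity_checks() begins and ends outside both hunks.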