Commit bef18eca authored by Evan Hunt, committed by Ondřej Surý

Set "dnssec-validation auto" by default

- the default setting for dnssec-validation is now "auto", which
  activates DNSSEC validation using the IANA root key.  The old behavior
  can be restored by explicitly setting "dnssec-validation yes", which
  activates DNSSEC validation only if keys are explicitly configured in
  named.conf.
- the ARM has been updated to describe the new behavior
parent 1f743fe0
......@@ -130,6 +130,7 @@ config.@O@: config.c
-DDYNDB_LIBDIR=\"@libdir@/bind\" \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
-DVALIDATION_DEFAULT=\"@VALIDATION_DEFAULT@\" \
-c ${srcdir}/config.c
server.@O@: server.c
......
......@@ -146,7 +146,7 @@ options {\n\
clients-per-query 10;\n\
dnssec-accept-expired no;\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n"
dnssec-validation " VALIDATION_DEFAULT "; \n"
#ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n"
#endif
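Review bot: the `" VALIDATION_DEFAULT "` splice into the default-config string literal has no guard for the macro being undefined, so a build that compiles config.c without the new Makefile flag fails with an unhelpful syntax error at the string concatenation instead of a clear message; add `#ifndef VALIDATION_DEFAULT` / `#error VALIDATION_DEFAULT must be defined` (or a fallback `#define VALIDATION_DEFAULT "auto"` to keep the source self-describing) near the top of config.c. The trailing space before `\n` is carried over from the old line and could be dropped while the line is being touched.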
......
......@@ -4,15 +4,17 @@
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in key, use "dnssec-validation auto;" in the
# named.conf options. Without this option being set, the keys in this
# file are ignored.
# To use the built-in root key, set "dnssec-validation auto;" in the
# named.conf options or else leave "dnssec-validation" unset. If
# "dnssec-validation" is set to "yes", then the keys in this file are
# ignored; keys will need to be explicitly configured in named.conf for
# validation to work. "auto" is the default setting, unless named is
# built with "configure --disable-auto-validation", in which case the
# default is "yes".
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of October 2017. If any key fails to
# These keys are current as of May 2018. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
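Review bot: the "current as of" date moves from October 2017 to May 2018, but nothing in this hunk changes the key material; if no key in the file changed in this commit, say so in the commit message or leave the date alone, since operators read that line as a signal that the anchors were updated. The rewritten paragraph itself is right: it states that keys in this file are used when "dnssec-validation" is "auto" or unset, ignored under "yes", and that "--disable-auto-validation" flips the built-in default to "yes".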
......
......@@ -7,15 +7,17 @@
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
# named.conf options. Without this option being set, the keys in this\n\
# file are ignored.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
# named.conf options or else leave \"dnssec-validation\" unset. If\n\
# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
# ignored; keys will need to be explicitly configured in named.conf for\n\
# validation to work. \"auto\" is the default setting, unless named is\n\
# built with \"configure --disable-auto-validation\", in which case the\n\
# default is \"yes\".\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of October 2017. If any key fails to\n\
# These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
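Review bot: this header text now lives in three places (bind.keys, and bind.keys.h at both @@ -7 and @@ -60), all changed identically here; make sure bind.keys.h is regenerated from bind.keys rather than edited by hand, otherwise the next wording change leaves the copies out of step and named's built-in message will disagree with the shipped file.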
......@@ -60,15 +62,17 @@ trusted-keys {\n\
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
# named.conf options. Without this option being set, the keys in this\n\
# file are ignored.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
# named.conf options or else leave \"dnssec-validation\" unset. If\n\
# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
# ignored; keys will need to be explicitly configured in named.conf for\n\
# validation to work. \"auto\" is the default setting, unless named is\n\
# built with \"configure --disable-auto-validation\", in which case the\n\
# default is \"yes\".\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of October 2017. If any key fails to\n\
# These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
......
......@@ -677,6 +677,7 @@ BIND9_ISCCFG_BUILDINCLUDE
BIND9_ISCCC_BUILDINCLUDE
BIND9_ISC_BUILDINCLUDE
BIND9_TOP_BUILDDIR
VALIDATION_DEFAULT
UNITTESTS
ATFLIBS
ATFBIN
......@@ -1039,6 +1040,7 @@ with_libidn2
with_atf
with_tuning
enable_querytrace
enable_auto_validation
with_dlopen
with_dlz_postgres
with_dlz_mysql
......@@ -1715,6 +1717,9 @@ Optional Features:
--enable-dnsrps enable DNS Response Policy Service API
--enable-dnstap enable dnstap support (requires fstrm, protobuf-c)
--enable-querytrace enable very verbose query trace logging [default=no]
--enable-auto-validation
turn on DNSSEC validation by default, using the IANA
root key [default=yes]
--enable-full-report report values of all configure options
Optional Packages:
......@@ -22693,6 +22698,32 @@ $as_echo "no" >&6; }
;;
esac
#
# Was --disable-auto-validation specified?
#
# Check whether --enable-auto-validation was given.
if test "${enable_auto_validation+set}" = set; then :
enableval=$enable_auto_validation; want_autoval="$enableval"
else
want_autoval="yes"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable DNSSEC validation by default" >&5
$as_echo_n "checking whether to enable DNSSEC validation by default... " >&6; }
case "$want_autoval" in
no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
VALIDATION_DEFAULT=yes
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
VALIDATION_DEFAULT=auto
;;
esac
#
# Substitutions
#
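Review bot: the result line in the `case "$want_autoval"` block prints "no" while setting `VALIDATION_DEFAULT=yes` and "yes" while setting it to `auto`, which reads oddly in a configure log where "yes" and "auto" are also the names of the dnssec-validation settings; since this block is generated from configure.in, reword the check there (for example "checking default value of dnssec-validation" with results "auto" / "yes") and regenerate, rather than editing configure directly.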
......@@ -26446,6 +26477,7 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
......@@ -26484,6 +26516,8 @@ report() {
test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
......
......@@ -4732,6 +4732,26 @@ no)
;;
esac
#
# Was --disable-auto-validation specified?
#
AC_ARG_ENABLE(auto-validation,
AS_HELP_STRING([--enable-auto-validation],
[turn on DNSSEC validation by default, using the IANA root key [default=yes]]),
want_autoval="$enableval", want_autoval="yes")
AC_MSG_CHECKING([whether to enable DNSSEC validation by default])
case "$want_autoval" in
no)
AC_MSG_RESULT(no)
VALIDATION_DEFAULT=yes
;;
*)
AC_MSG_RESULT(yes)
VALIDATION_DEFAULT=auto
;;
esac
AC_SUBST(VALIDATION_DEFAULT)
#
# Substitutions
#
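Review bot: the AS_HELP_STRING text `[default=yes]` is easy to misread as `dnssec-validation yes`, which is exactly the setting `--disable-auto-validation` falls back to; suggest making the effect explicit, e.g. `[make "dnssec-validation auto" (IANA root key) the default [default=yes]]`. The `case` treating every value other than `no` as enabled matches the usual autoconf boolean convention, and `AC_SUBST(VALIDATION_DEFAULT)` is present so the Makefile substitution resolves.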
......@@ -5365,6 +5385,7 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
......@@ -5403,6 +5424,8 @@ report() {
test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
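Review bot: the new line `test "no" = "$want_autoval" && echo ...` uses the opposite shape from its neighbour `test "yes" = "$enable_fixed" || \`; the `&&` form returns a non-zero status whenever the feature is enabled, which would become report()'s exit status if this line ever ends up last in the function. Match the surrounding style with `test "no" != "$want_autoval" || echo " DNSSEC validation requires configuration (--disable-auto-validation)"`, and make the same change in the generated configure (@@ -26484).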
......
......@@ -2207,28 +2207,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC aware clients,
<command>dnssec-enable</command> must be set to yes.
(This is the default setting.)
This is the default setting.
</para>
<para>
To enable <command>named</command> to validate answers from
other servers, the <command>dnssec-enable</command> option
must be set to <userinput>yes</userinput>, and the
<command>dnssec-validation</command> options must be set to
<userinput>yes</userinput> or <userinput>auto</userinput>.
<command>dnssec-validation</command> option must be set to
either <userinput>yes</userinput> or <userinput>auto</userinput>.
</para>
<para>
When <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, a trust anchor for the DNS
root zone will automatically be used. This trust anchor is
provided as part of BIND and is kept up to date using RFC 5011
key management.
If <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, then a default
trust anchor for the DNS root zone will be used.
If it is set to <userinput>yes</userinput>, however,
then at least one trust anchor must be configured
with a <command>trusted-keys</command> or
<command>managed-keys</command> statement in
<filename>named.conf</filename>, or DNSSEC validation
will not occur. The default setting is
<userinput>yes</userinput>.
<userinput>yes</userinput>, then
DNSSEC validation only occurs if
at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>,
using a <command>trusted-keys</command> or
<command>managed-keys</command> statement.
If <command>dnssec-validation</command> is set to
<userinput>no</userinput>, then DNSSEC validation will
not occur.
The default is <userinput>auto</userinput> unless BIND is
built with <command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
</para>
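Review bot: the replaced paragraph drops the sentence that the built-in root trust anchor "is kept up to date using RFC 5011 key management"; whether the default anchor follows a root KSK rollover automatically is the one thing an operator now relying on "auto" needs to know, so keep that sentence (after "a default trust anchor for the DNS root zone will be used") if it is still true. The rest of the rewrite is consistent with the bind.keys comment and the configure option: "auto" uses the built-in key, "yes" requires an explicit trusted-keys or managed-keys statement, "no" disables validation, and the default is "auto" unless built with --disable-auto-validation.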
<para>
......