Commit 3a304939 authored by Evan Hunt's avatar Evan Hunt

2572. [func] Simplify DLV configuration, with a new option

			"dnssec-lookaside auto;"  This is the equivalent
			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
			plus setting a trusted-key for dlv.isc.org.

			Note: The trusted key is hard-coded into named,
			but is also stored in (and can be overridden
			by) $sysconfdir/bind.keys.  As the ISC DLV key
			rolls over it can be kept up to date by replacing
			the bind.keys file with a key downloaded from
			https://www.isc.org/solutions/dlv. [RT #18685]
parent ffcd068f
2572. [func] Simplify DLV configuration, with a new option
"dnssec-lookaside auto;" This is the equivalent
of "dnssec-lookaside . trust-anchor dlv.isc.org;"
plus setting a trusted-key for dlv.isc.org.
Note: The trusted key is hard-coded into named,
but is also stored in (and can be overridden
by) $sysconfdir/bind.keys. As the ISC DLV key
rolls over it can be kept up to date by replacing
the bind.keys file with a key downloaded from
https://www.isc.org/solutions/dlv. [RT #18685]
2571. [func] Add a new tool "arpaname" which translates IP addresses 2571. [func] Add a new tool "arpaname" which translates IP addresses
to the corresponding IN-ADDR.ARPA or IP6.ARPA name. to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
[RT #18976] [RT #18976]
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.54 2009/02/18 23:47:48 tbox Exp $ # $Id: Makefile.in,v 1.55 2009/03/04 02:42:30 each Exp $
srcdir = @srcdir@ srcdir = @srcdir@
VPATH = @srcdir@ VPATH = @srcdir@
...@@ -55,6 +55,7 @@ installdirs: ...@@ -55,6 +55,7 @@ installdirs:
install:: isc-config.sh installdirs install:: isc-config.sh installdirs
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir} ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1 ${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
${INSTALL_SCRIPT} bind.keys ${DESTDIR}${sysconfdir}
tags: tags:
rm -f TAGS rm -f TAGS
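Review bot: The added install line uses `${INSTALL_SCRIPT}` for `bind.keys`, which is a data file holding the DLV trust anchor, so it is installed into `${sysconfdir}` with script (executable) permissions; `${INSTALL_DATA} bind.keys ${DESTDIR}${sysconfdir}` would match how the man page is installed one line above. The line also runs unconditionally, so `make install` of a later build replaces a bind.keys that the operator has already updated after a key rollover, which is the update path the commit message describes; installing only when the file is absent would preserve it. The recipe names `bind.keys` without `${srcdir}/`, which may fail in an out-of-tree build because VPATH does not apply to recipe text. Whether `installdirs` creates `${DESTDIR}${sysconfdir}` is not visible in this hunk.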
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.101 2008/09/23 17:25:47 jinmei Exp $ # $Id: Makefile.in,v 1.102 2009/03/04 02:42:30 each Exp $
srcdir = @srcdir@ srcdir = @srcdir@
VPATH = @srcdir@ VPATH = @srcdir@
...@@ -111,10 +111,14 @@ main.@O@: main.c ...@@ -111,10 +111,14 @@ main.@O@: main.c
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \ -DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c -DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
config.@O@: config.c bind.keys.h: ${top_srcdir}/bind.keys
${PERL} ${srcdir}/bindkeys.pl < $< > $@
config.@O@: config.c bind.keys.h
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \ -DVERSION=\"${VERSION}\" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \ -DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c -c ${srcdir}/config.c
named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
...@@ -131,7 +135,7 @@ docclean manclean maintainer-clean:: ...@@ -131,7 +135,7 @@ docclean manclean maintainer-clean::
rm -f ${MANOBJS} rm -f ${MANOBJS}
clean distclean maintainer-clean:: clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS} rm -f ${TARGETS} ${OBJS} bind.keys.h
bind9.xsl.h: bind9.xsl convertxsl.pl bind9.xsl.h: bind9.xsl convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h ${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
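Review bot: The new `bind.keys.h` rule does not list `bindkeys.pl` as a prerequisite, so a change to the generator does not rebuild the header that carries the compiled-in trust anchor; the `bind9.xsl.h` rule further down lists `convertxsl.pl` for this reason. `bind.keys.h: ${top_srcdir}/bind.keys bindkeys.pl` would cover it. The recipe should also name its input explicitly (`< ${top_srcdir}/bind.keys > $@`), because `$<` is only guaranteed in inference rules and some make implementations leave it empty in an explicit rule. Because the recipe redirects straight into `$@`, a failed perl run leaves an empty header with a fresh timestamp; writing to a temporary name and renaming it on success avoids that.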
......
#define TRUSTED_KEYS "\
trusted-keys {\n\
# NOTE: This key expires September 2009 \n\
# Go to https://www.isc.org/solutions/dlv to download a replacement\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
};\n\
"
#!/usr/bin/env perl
#
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: bindkeys.pl,v 1.2 2009/03/04 02:42:30 each Exp $
use strict;
use warnings;
my $lines = '#define TRUSTED_KEYS "\\' . "\n";
while (<>) {
chomp;
s/\"/\\\"/g;
s/$/\\n\\/;
$lines .= $_ . "\n";
}
$lines .= '"' . "\n";
print $lines;
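Review bot: The loop escapes double quotes but not backslashes, so a backslash anywhere in bind.keys becomes a C escape sequence (or an invalid one) inside the generated `TRUSTED_KEYS` literal, and the compiled-in trust anchor then differs from the file. Adding `s/\\/\\\\/g;` before the quote substitution keeps the text intact. `chomp` also leaves a trailing carriage return in place when the input has CRLF line endings, which puts a literal CR inside the string before the `\n\` continuation; `s/\r?\n\z//;` in place of `chomp` handles both. A short header comment saying that the script reads bind.keys on stdin and writes the `#define TRUSTED_KEYS` header on stdout would help, since only the Makefile rule shows this today.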
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: config.c,v 1.93 2008/11/06 05:30:24 marka Exp $ */ /* $Id: config.c,v 1.94 2009/03/04 02:42:30 each Exp $ */
/*! \file */ /*! \file */
...@@ -45,6 +45,8 @@ ...@@ -45,6 +45,8 @@
#include <named/config.h> #include <named/config.h>
#include <named/globals.h> #include <named/globals.h>
#include "bind.keys.h"
/*% default configuration */ /*% default configuration */
static char defaultconf[] = "\ static char defaultconf[] = "\
options {\n\ options {\n\
...@@ -70,6 +72,7 @@ options {\n\ ...@@ -70,6 +72,7 @@ options {\n\
multiple-cnames no;\n\ multiple-cnames no;\n\
# named-xfer <obsolete>;\n\ # named-xfer <obsolete>;\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
port 53;\n\ port 53;\n\
recursing-file \"named.recursing\";\n\ recursing-file \"named.recursing\";\n\
" "
...@@ -101,6 +104,9 @@ options {\n\ ...@@ -101,6 +104,9 @@ options {\n\
max-udp-size 4096;\n\ max-udp-size 4096;\n\
request-nsid false;\n\ request-nsid false;\n\
reserved-sockets 512;\n\ reserved-sockets 512;\n\
\n\
/* DLV */\n\
dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\ \n\
/* view */\n\ /* view */\n\
allow-notify {none;};\n\ allow-notify {none;};\n\
...@@ -218,6 +224,19 @@ view \"_bind\" chaos {\n\ ...@@ -218,6 +224,19 @@ view \"_bind\" chaos {\n\
database \"_builtin id\";\n\ database \"_builtin id\";\n\
};\n\ };\n\
};\n\ };\n\
"
"#\n\
# Default trusted key(s) for builtin DLV support\n\
# (used if \"dnssec-lookaside auto;\" is set and\n\
# sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN TRUSTED KEYS\n"
/* Imported from bind.keys.h: */
TRUSTED_KEYS
"# END TRUSTED KEYS\n\
"; ";
isc_result_t isc_result_t
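Review bot: Putting `dnssec-lookaside . trust-anchor dlv.isc.org;` in the built-in `options` block means any lookup of that option that falls through to `ns_g_defaults` enables DLV for a server whose operator never configured it. The server.c part of this commit avoids that by reading the option through `optionmaps`, but nothing at this line records the constraint. Extending the in-string comment to something like `/* DLV: used only when dnssec-lookaside is set to auto */\n\` would make it visible to the next person who touches the defaults. The text before `BEGIN TRUSTED KEYS` names `sysconfdir/bind.keys`, while the file consulted is presumably whatever the new `bindkeys-file` option points to; wording it in terms of `bindkeys-file` stays accurate when that option is overridden. Since bind.keys.h notes that the key expires, the comment could also say that this compiled-in fallback goes stale in binaries that outlive the key.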
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: globals.h,v 1.80 2008/11/16 22:49:18 marka Exp $ */ /* $Id: globals.h,v 1.81 2009/03/04 02:42:30 each Exp $ */
#ifndef NAMED_GLOBALS_H #ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1 #define NAMED_GLOBALS_H 1
...@@ -86,6 +86,7 @@ EXTERN cfg_obj_t * ns_g_config INIT(NULL); ...@@ -86,6 +86,7 @@ EXTERN cfg_obj_t * ns_g_config INIT(NULL);
EXTERN const cfg_obj_t * ns_g_defaults INIT(NULL); EXTERN const cfg_obj_t * ns_g_defaults INIT(NULL);
EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR
"/named.conf"); "/named.conf");
EXTERN cfg_obj_t * ns_g_bindkeys INIT(NULL);
EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
"/rndc.key"); "/rndc.key");
EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: server.h,v 1.96 2009/01/27 22:29:58 jinmei Exp $ */ /* $Id: server.h,v 1.97 2009/03/04 02:42:30 each Exp $ */
#ifndef NAMED_SERVER_H #ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1 #define NAMED_SERVER_H 1
...@@ -54,6 +54,7 @@ struct ns_server { ...@@ -54,6 +54,7 @@ struct ns_server {
dns_acl_t *blackholeacl; dns_acl_t *blackholeacl;
char * statsfile; /*%< Statistics file name */ char * statsfile; /*%< Statistics file name */
char * dumpfile; /*%< Dump file name */ char * dumpfile; /*%< Dump file name */
char * bindkeysfile; /*%< bind.keys file name */
char * recfile; /*%< Recursive file name */ char * recfile; /*%< Recursive file name */
isc_boolean_t version_set; /*%< User has set version */ isc_boolean_t version_set; /*%< User has set version */
char * version; /*%< User-specified version */ char * version; /*%< User-specified version */
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: main.c,v 1.168 2009/01/17 23:47:42 tbox Exp $ */ /* $Id: main.c,v 1.169 2009/03/04 02:42:30 each Exp $ */
/*! \file */ /*! \file */
...@@ -719,8 +719,8 @@ setup(void) { ...@@ -719,8 +719,8 @@ setup(void) {
absolute_conffile, absolute_conffile,
sizeof(absolute_conffile)); sizeof(absolute_conffile));
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
ns_main_earlyfatal("could not construct absolute path of " ns_main_earlyfatal("could not construct absolute path "
"configuration file: %s", "of configuration file: %s",
isc_result_totext(result)); isc_result_totext(result));
ns_g_conffile = absolute_conffile; ns_g_conffile = absolute_conffile;
} }
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: server.c,v 1.528 2009/02/16 05:08:43 marka Exp $ */ /* $Id: server.c,v 1.529 2009/03/04 02:42:30 each Exp $ */
/*! \file */ /*! \file */
...@@ -458,58 +458,106 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key, ...@@ -458,58 +458,106 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
return (result); return (result);
} }
static void
configure_view_dnsseckeylist(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
dns_keytable_t *keytable, isc_mem_t *mctx)
{
const cfg_listelt_t *elt, *elt2;
const cfg_obj_t *key;
const cfg_obj_t *keylist;
isc_result_t result;
for (elt = cfg_list_first(keys);
elt != NULL;
elt = cfg_list_next(elt)) {
keylist = cfg_listelt_value(elt);
for (elt2 = cfg_list_first(keylist);
elt2 != NULL;
elt2 = cfg_list_next(elt2)) {
key = cfg_listelt_value(elt2);
CHECK(configure_view_dnsseckey(vconfig, key,
keytable, mctx));
}
}
cleanup:
return;
}
/*% /*%
* Configure DNSSEC keys for a view. Currently used only for * Configure DNSSEC keys for a view. Currently used only for the security
* the security roots. * roots.
* *
* The per-view configuration values and the server-global defaults are read * The per-view configuration values and the server-global defaults are read
* from 'vconfig' and 'config'. The variable to be configured is '*target'. * from 'vconfig' and 'config'. The variable to be configured is '*target'.
*/ */
static isc_result_t static isc_result_t
configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config, configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
const cfg_obj_t *bindkeys, isc_boolean_t auto_dlv,
isc_mem_t *mctx, dns_keytable_t **target) isc_mem_t *mctx, dns_keytable_t **target)
{ {
isc_result_t result; const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *keys = NULL; const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL; const cfg_obj_t *voptions = NULL;
const cfg_listelt_t *element, *element2; const cfg_obj_t *options = NULL;
const cfg_obj_t *keylist;
const cfg_obj_t *key;
dns_keytable_t *keytable = NULL; dns_keytable_t *keytable = NULL;
isc_result_t result;
int i = 0;
CHECK(dns_keytable_create(mctx, &keytable)); CHECK(dns_keytable_create(mctx, &keytable));
if (vconfig != NULL) if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options"); voptions = cfg_tuple_get(vconfig, "options");
if (voptions != NULL) {
(void)cfg_map_get(voptions, "trusted-keys", &view_keys);
maps[i++] = voptions;
}
}
keys = NULL; if (config != NULL) {
if (voptions != NULL) (void)cfg_map_get(config, "trusted-keys", &global_keys);
(void)cfg_map_get(voptions, "trusted-keys", &keys); (void)cfg_map_get(config, "options", &options);
if (keys == NULL) if (options != NULL) {
(void)cfg_map_get(config, "trusted-keys", &keys); maps[i++] = options;
for (element = cfg_list_first(keys);
element != NULL;
element = cfg_list_next(element))
{
keylist = cfg_listelt_value(element);
for (element2 = cfg_list_first(keylist);
element2 != NULL;
element2 = cfg_list_next(element2))
{
key = cfg_listelt_value(element2);
CHECK(configure_view_dnsseckey(vconfig, key,
keytable, mctx));
} }
} }
maps[i++] = ns_g_defaults;
maps[i] = NULL;
if (auto_dlv) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"using built-in trusted-keys");
/*
* If bind.keys exists, it overrides the trusted-keys
* clause hard-coded in ns_g_config.
*/
if (bindkeys != NULL)
(void)cfg_map_get(bindkeys, "trusted-keys",
&builtin_keys);
else
(void)cfg_map_get(ns_g_config, "trusted-keys",
&builtin_keys);
configure_view_dnsseckeylist(builtin_keys, vconfig,
keytable, mctx);
}
configure_view_dnsseckeylist(global_keys, vconfig, keytable, mctx);
configure_view_dnsseckeylist(view_keys, vconfig, keytable, mctx);
dns_keytable_detach(target); dns_keytable_detach(target);
*target = keytable; /* Transfer ownership. */ *target = keytable; /* Transfer ownership. */
keytable = NULL; keytable = NULL;
result = ISC_R_SUCCESS;
cleanup: cleanup:
return (result); return (ISC_R_SUCCESS);
} }
static isc_result_t static isc_result_t
...@@ -1057,11 +1105,12 @@ cache_sharable(dns_view_t *originview, dns_view_t *view, ...@@ -1057,11 +1105,12 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
static isc_result_t static isc_result_t
configure_view(dns_view_t *view, const cfg_obj_t *config, configure_view(dns_view_t *view, const cfg_obj_t *config,
const cfg_obj_t *vconfig, ns_cachelist_t *cachelist, const cfg_obj_t *vconfig, ns_cachelist_t *cachelist,
isc_mem_t *mctx, cfg_aclconfctx_t *actx, const cfg_obj_t *bindkeys, isc_mem_t *mctx,
isc_boolean_t need_hints) cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
{ {
const cfg_obj_t *maps[4]; const cfg_obj_t *maps[4];
const cfg_obj_t *cfgmaps[3]; const cfg_obj_t *cfgmaps[3];
const cfg_obj_t *optionmaps[3];
const cfg_obj_t *options = NULL; const cfg_obj_t *options = NULL;
const cfg_obj_t *voptions = NULL; const cfg_obj_t *voptions = NULL;
const cfg_obj_t *forwardtype; const cfg_obj_t *forwardtype;
...@@ -1091,7 +1140,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, ...@@ -1091,7 +1140,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_dispatch_t *dispatch6 = NULL; dns_dispatch_t *dispatch6 = NULL;
isc_boolean_t reused_cache = ISC_FALSE; isc_boolean_t reused_cache = ISC_FALSE;
isc_boolean_t shared_cache = ISC_FALSE; isc_boolean_t shared_cache = ISC_FALSE;
int i; int i = 0, j = 0, k = 0;
const char *str; const char *str;
const char *cachename = NULL; const char *cachename = NULL;
dns_order_t *order = NULL; dns_order_t *order = NULL;
...@@ -1107,6 +1156,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, ...@@ -1107,6 +1156,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
const cfg_obj_t *disablelist = NULL; const cfg_obj_t *disablelist = NULL;
isc_stats_t *resstats = NULL; isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL; dns_stats_t *resquerystats = NULL;
isc_boolean_t auto_dlv = ISC_FALSE;
ns_cache_t *nsc; ns_cache_t *nsc;
isc_boolean_t zero_no_soattl; isc_boolean_t zero_no_soattl;
...@@ -1117,22 +1167,28 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, ...@@ -1117,22 +1167,28 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
if (config != NULL) if (config != NULL)
(void)cfg_map_get(config, "options", &options); (void)cfg_map_get(config, "options", &options);
i = 0; /*
* maps: view options, options, defaults
* cfgmaps: view options, config
* optionmaps: view options, options
*/
if (vconfig != NULL) { if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options"); voptions = cfg_tuple_get(vconfig, "options");
maps[i++] = voptions; maps[i++] = voptions;
optionmaps[j++] = voptions;
cfgmaps[k++] = voptions;
} }
if (options != NULL) if (options != NULL) {
maps[i++] = options; maps[i++] = options;
optionmaps[j++] = options;
}
maps[i++] = ns_g_defaults; maps[i++] = ns_g_defaults;
maps[i] = NULL; maps[i] = NULL;
optionmaps[j] = NULL;
i = 0;
if (voptions != NULL)
cfgmaps[i++] = voptions;
if (config != NULL) if (config != NULL)
cfgmaps[i++] = config; cfgmaps[k++] = config;
cfgmaps[i] = NULL; cfgmaps[k] = NULL;
if (!strcmp(viewname, "_default")) { if (!strcmp(viewname, "_default")) {
sep = ""; sep = "";
...@@ -1860,7 +1916,21 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, ...@@ -1860,7 +1916,21 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
view->enablednssec = cfg_obj_asboolean(obj); view->enablednssec = cfg_obj_asboolean(obj);
obj = NULL; obj = NULL;
result = ns_config_get(maps, "dnssec-lookaside", &obj); result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
/* If set to "auto", use the version from the defaults */
const cfg_obj_t *dlvobj;
dlvobj = cfg_listelt_value(cfg_list_first(obj));
if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
"auto") &&
cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
auto_dlv = ISC_TRUE;
obj = NULL;
result = cfg_map_get(ns_g_defaults,
"dnssec-lookaside", &obj);
}
}
if (result == ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) {
for (element = cfg_list_first(obj); for (element = cfg_list_first(obj);
element != NULL; element != NULL;
...@@ -1905,8 +1975,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, ...@@ -1905,8 +1975,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* For now, there is only one kind of trusted keys, the * For now, there is only one kind of trusted keys, the
* "security roots". * "security roots".
*/ */
CHECK(configure_view_dnsseckeys(vconfig, config, mctx, CHECK(configure_view_dnsseckeys(vconfig, config, bindkeys, auto_dlv,
&view->secroots)); mctx, &view->secroots));
dns_resolver_resetmustbesecure(view->resolver); dns_resolver_resetmustbesecure(view->resolver);
obj = NULL; obj = NULL;
result = ns_config_get(maps, "dnssec-must-be-secure", &obj); result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
...@@ -2475,7 +2545,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, ...@@ -2475,7 +2545,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
ztypestr = cfg_obj_asstring(typeobj); ztypestr = cfg_obj_asstring(typeobj);
/* /*
* "hints zones" aren't zones. If we've got one, * "hints zones" aren't zones. If we've got one,
* configure it and return. * configure it and return.
*/ */
if (strcasecmp(ztypestr, "hint") == 0) { if (strcasecmp(ztypestr, "hint") == 0) {
...@@ -3045,8 +3115,8 @@ load_configuration(const char *filename, ns_server_t *server, ...@@ -3045,8 +3115,8 @@ load_configuration(const char *filename, ns_server_t *server,
isc_boolean_t first_time) isc_boolean_t first_time)
{ {
cfg_aclconfctx_t aclconfctx; cfg_aclconfctx_t aclconfctx;
cfg_obj_t *config; cfg_obj_t *config = NULL, *bindkeys = NULL;
cfg_parser_t *parser = NULL; cfg_parser_t *conf_pars