Commit 6aadf7c8 authored by Evan Hunt's avatar Evan Hunt

Merge branch '388-clarify-dnssec-enable' into 'master'

Clarify the relationship between "dnssec-enable" and "dnssec-validation" 

Closes #388

See merge request !483
parents 871bc201 c9eb1518
5044. [cleanup] If "dnssec-enable" is no, then "dnssec-validation"
now also defaults to no. [GL #388]
5043. [bug] Fix creating and validating EdDSA signatures. [GL #579]
5042. [test] Make the chained delegations in reclimit behave
......
......@@ -4067,14 +4067,38 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
view->acceptexpired = cfg_obj_asboolean(obj);
obj = NULL;
result = named_config_get(maps, "dnssec-validation", &obj);
result = named_config_get(maps, "dnssec-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isboolean(obj)) {
view->enablevalidation = cfg_obj_asboolean(obj);
} else {
/* If dnssec-validation is not boolean, it must be "auto" */
view->enablevalidation = true;
auto_root = true;
view->enablednssec = cfg_obj_asboolean(obj);
obj = NULL;
/* 'optionmaps', not 'maps': don't check named_g_defaults yet */
(void)named_config_get(optionmaps, "dnssec-validation", &obj);
if (obj == NULL) {
/*
* If dnssec-enable is yes, then we default to
* VALIDATION_DEFAULT as set in config.c. Otherwise
* we default to "no".
*/
if (view->enablednssec) {
(void)cfg_map_get(named_g_defaults,
"dnssec-validation", &obj);
INSIST(obj != NULL);
} else {
view->enablevalidation = false;
}
}
if (obj != NULL) {
if (cfg_obj_isboolean(obj)) {
view->enablevalidation = cfg_obj_asboolean(obj);
} else {
/*
* If dnssec-validation is set but not boolean,
* then it must be "auto"
*/
view->enablevalidation = true;
auto_root = true;
}
}
obj = NULL;
......@@ -5090,11 +5114,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
view->prefetch_eligible = view->prefetch_trigger + 6;
}
obj = NULL;
result = named_config_get(maps, "dnssec-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablednssec = cfg_obj_asboolean(obj);
obj = NULL;
result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
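Review bot: The `else` branch in the first hunk that sets `view->enablevalidation = false` (when `dnssec-enable` is no and `dnssec-validation` is absent from the option maps) is silent, so an operator who only switched off `dnssec-enable` gets no record that validation was turned off as a side effect. A NOTICE-level entry through the server's usual logging call in that branch would make the new default visible in the log instead of only via `rndc validation status`. That branch also leaves `auto_root` untouched, which is only correct if it was initialised to false earlier in configure_view(), whose start lies outside this hunk; a one-line comment such as `/* auto_root stays unset: no trust anchor is loaded when validation is off */` would record that assumption. The second hunk in this file is a pure removal of the old lookup and needs nothing further.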
......
......@@ -1070,11 +1070,14 @@
<listitem>
<para>
Enable, disable, or check the current status of
DNSSEC validation.
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> or
<userinput>auto</userinput> to be effective.
It defaults to enabled.
DNSSEC validation. By default, validation is enabled.
(Note that <command>dnssec-enable</command> must also be
<userinput>yes</userinput> (the default value) for signatures
to be returned along with validated data. If validation is
enabled while <command>dnssec-enable</command> is set to
<userinput>no</userinput>, the server will validate internally,
but will not supply clients with the necessary records to allow
validity to be confirmed.)
</para>
</listitem>
</varlistentry>
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
bindkeys-file "managed.conf";
dnssec-enable no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key auth {
secret "1234abcd8765";
algorithm hmac-sha256;
};
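Review bot: The options block sets `dnssec-enable no;` but deliberately omits `dnssec-validation`, and nothing in the file says that the omission is the point of the fixture (the tests.sh check that loads this file expects validation to default to off). A comment next to that line, e.g. `// dnssec-validation intentionally unset: must now default to "no"`, keeps a later editor from "fixing" the file by adding an explicit setting. The controls statement allows `any` with a literal secret; that is presumably the harness convention for the 10.53.0.x addresses, but a `// test-only credentials` comment on the key block would make that explicit.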
......@@ -3573,5 +3573,20 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Note: after this check, ns4 will not be validating any more; do not add any
# further validation tests employing ns4 below this check.
echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
ret=0
# Sanity check - validation should be enabled.
$RNDCCMD 10.53.0.4 validation status | grep "enabled" > /dev/null || ret=1
# Set "dnssec-enable" to "no" and reconfigure.
copy_setports ns4/named5.conf.in ns4/named.conf
$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
# Check validation status again.
$RNDCCMD 10.53.0.4 validation status | grep "disabled" > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
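Review bot: The `rndc reconfig` after `copy_setports` is piped through `sed ... | cat_i`, so its exit status is discarded and a failed reload only shows up indirectly when the following `grep "disabled"` fails, which makes the failure hard to attribute. Capture the status before echoing the output: `$RNDCCMD 10.53.0.4 reconfig > rndc.out.test$n 2>&1 || ret=1` followed by `sed 's/^/ns4 /' rndc.out.test$n | cat_i`. The check also assumes the reconfiguration has been applied by the time `validation status` is queried; if rndc can return before the new view is in place (not determinable from this hunk), a short retry loop around the second grep would avoid an intermittent failure.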
......@@ -2201,43 +2201,54 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</section>
<section xml:id="dnssec_config"><info><title>Configuring Servers</title></info>
<section xml:id="dnssec_config"><info><title>Configuring Servers for DNSSEC</title></info>
<para>
To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC aware clients,
<command>dnssec-enable</command> must be set to yes.
This is the default setting.
to DNS requests from DNSSEC-aware clients,
<command>dnssec-enable</command> must be set to
<userinput>yes</userinput>. This is the default setting.
</para>
<para>
To enable <command>named</command> to validate answers from
other servers, the <command>dnssec-enable</command> option
must be set to <userinput>yes</userinput>, and the
To enable <command>named</command> to validate answers
received from other servers, the
<command>dnssec-validation</command> option must be set to
either <userinput>yes</userinput> or <userinput>auto</userinput>.
</para>
<para>
When <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, a trust anchor for the DNS
root zone will automatically be used. This trust anchor is
provided as part of BIND and is kept up to date using RFC 5011
key management.
If <command>dnssec-validation</command> is set to
<userinput>yes</userinput>, then
DNSSEC validation only occurs if
at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>,
</para>
<para>
When <command>dnssec-validation</command> is set to
<userinput>yes</userinput>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>
using a <command>trusted-keys</command> or
<command>managed-keys</command> statement.
If <command>dnssec-validation</command> is set to
<userinput>no</userinput>, then DNSSEC validation will
not occur.
</para>
<para>
When <command>dnssec-validation</command> is set to
<userinput>no</userinput>, DNSSEC validation will not occur.
</para>
<para>
The default is <userinput>auto</userinput> unless BIND is
built with <command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
</para>
<para>
If <command>dnssec-enable</command> is set to
<userinput>no</userinput>, then the default for
<command>dnssec-validation</command> is also changed to
<userinput>no</userinput>. If
<command>dnssec-validation</command> is set to
<userinput>yes</userinput>, the server will
perform DNSSEC validation internally, but will not return
signatures when queried - but it will not be turned on
automatically.
</para>
<para>
<command>trusted-keys</command> are copies of DNSKEY RRs
......@@ -6600,34 +6611,54 @@ options {
<term><command>dnssec-validation</command></term>
<listitem>
<para>
Enable DNSSEC validation in <command>named</command>.
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
This enables DNSSEC validation in <command>named</command>.
Note that <command>dnssec-enable</command> also needs to
be set to <userinput>yes</userinput> for signatures to be
returned to the client along with validated answers.
</para>
<para>
If set to <userinput>auto</userinput>,
DNSSEC validation is enabled, and a default trust anchor
for the DNS root zone is used.
</para>
<para>
If set to <userinput>yes</userinput>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a <command>trusted-keys</command>
or <command>managed-keys</command> statement; if there
is no configured trust anchor, validation will not take
place.
</para>
<para>
If set to <userinput>no</userinput>, DNSSEC validation
is disabled.
</para>
<para>
If set to <userinput>auto</userinput>, DNSSEC validation
is enabled, and a default trust anchor for the DNS root
zone is used. If set to <userinput>yes</userinput>,
DNSSEC validation is enabled, but a trust anchor must be
manually configured using a <command>trusted-keys</command>
or <command>managed-keys</command> statement. The default
is <userinput>yes</userinput>.
<para>
The default is <userinput>auto</userinput>, unless
BIND is built with
<command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
If <command>dnssec-enable</command> is set to
<userinput>no</userinput>, then the default for
<command>dnssec-validation</command> is also
<userinput>no</userinput>. Validation can still be turned on
if desired - this results in a server that performs DNSSEC
validation but does not return signatures when queried -
but it will not be turned on automatically.
</para>
<para>
The default root trust anchor is stored in the file
<filename>bind.keys</filename>.
<command>named</command> will load that key at
startup if <command>dnssec-validation</command> is
set to <constant>auto</constant>. A copy of the file is
set to <userinput>auto</userinput>. A copy of the file is
installed along with BIND 9, and is current as of the
release date. If the root key expires, a new copy of
<filename>bind.keys</filename> can be downloaded
from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/bind-keys">https://www.isc.org/bind-keys</link>.
</para>
<para>
To prevent problems if <filename>bind.keys</filename> is
(To prevent problems if <filename>bind.keys</filename> is
not found, the current trust anchor is also compiled in
to <command>named</command>. Relying on this is not
recommended, however, as it requires <command>named</command>
......@@ -6635,8 +6666,8 @@ options {
</para>
<note>
<para>
<command>named</command> <emphasis>only</emphasis>
loads the root key from <filename>bind.keys</filename>.
<command>named</command> loads <emphasis>only</emphasis>
the root key from <filename>bind.keys</filename>.
The file cannot be used to store keys for other zones.
The root key in <filename>bind.keys</filename> is ignored
if <command>dnssec-validation auto</command> is not in
......
......@@ -1029,6 +1029,8 @@
./bin/tests/system/dnssec/ns4/named2.conf.in CONF-C 2011,2013,2016,2017,2018
./bin/tests/system/dnssec/ns4/named3.conf.in CONF-C 2012,2013,2016,2017,2018
./bin/tests/system/dnssec/ns4/named4.conf.in CONF-C 2013,2016,2017,2018
./bin/tests/system/dnssec/ns4/named5.conf.in CONF-C 2018
./bin/tests/system/dnssec/ns5/.gitignore X 2015,2018
./bin/tests/system/dnssec/ns5/named1.conf.in CONF-C 2000,2001,2004,2006,2007,2015,2016,2017,2018
./bin/tests/system/dnssec/ns5/named2.conf.in CONF-C 2000,2001,2004,2006,2007,2015,2016,2018
./bin/tests/system/dnssec/ns5/sign.sh SH 2015,2016,2017,2018
......