3001. [func] Added a default trust anchor for the root zone, which

can be switched on by setting "dnssec-validation auto;" in the named.conf options. [RT #21727]

3001. [func] Added a default trust anchor for the root zone, which
can be switched on by setting "dnssec-validation auto;" in the named.conf options. [RT #21727]
79bf7c87 · Evan Hunt · f098c651 · 79bf7c87 · 79bf7c87 · 79bf7c87
Commit 79bf7c87 authored Jan 03, 2011 by Evan Hunt
--- a/CHANGES
+++ b/CHANGES
+3001.	[func]		Added a default trust anchor for the root zone, which
+			can be switched on by setting "dnssec-validation auto;"
+			in the named.conf options. [RT #21727]
+
 3000.	[bug]		More TKEY/GSS fixes:
 			 - nsupdate can now get the default realm from
 			   the user's Kerberos principal

--- a/bin/named/bind.keys.h
+++ b/bin/named/bind.keys.h
@@ -3,19 +3,97 @@
 * From bind.keys 1.6 2010/06/20 07:15:28 marka Exp  
 */
 #define TRUSTED_KEYS "\
+# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
+# which are included as part of BIND 9.  As of the current release, the only\n\
+# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
+# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\").  Trust anchors\n\
+# for any other zones MUST be configured elsewhere; if they are configured\n\
+# here, they will not be recognized or used by named.\n\
+#\n\
+# The built-in trust anchors are provided for convenience of configuration.\n\
+# They are not activated within named.conf unless specifically switched on.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
+# named.conf options.  To use the built-in DLV key, set\n\
+# \"dnssec-lookaside auto;\".  Without these options being set,\n\
+# the keys in this file are ignored.\n\
+#\n\
+# This file is NOT expected to be user-configured.\n\
+#\n\
+# These keys are current as of January 2011.  If any key fails to\n\
+# initialize correctly, it may have expired.  In that event you should\n\
+# replace this file with a current version.  The latest version of\n\
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+\n\
 trusted-keys {\n\
-        # NOTE: This key is current as of October 2009.\n\
-        # If it fails to initialize correctly, it may have expired;\n\
-        # see https://www.isc.org/solutions/dlv for a replacement.\n\
-	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
+	# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+        # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
+        # in named.conf.\n\
+	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+		TDN0YUuWrBNh\";\n\
+\n\
+	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+	# for current trust anchor information.\n\
+        # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+        # in named.conf.\n\
+	. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+		QxA+Uk1ihz0=\";\n\
 };\n\
 "

 #define MANAGED_KEYS "\
+# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
+# which are included as part of BIND 9.  As of the current release, the only\n\
+# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
+# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\").  Trust anchors\n\
+# for any other zones MUST be configured elsewhere; if they are configured\n\
+# here, they will not be recognized or used by named.\n\
+#\n\
+# The built-in trust anchors are provided for convenience of configuration.\n\
+# They are not activated within named.conf unless specifically switched on.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
+# named.conf options.  To use the built-in DLV key, set\n\
+# \"dnssec-lookaside auto;\".  Without these options being set,\n\
+# the keys in this file are ignored.\n\
+#\n\
+# This file is NOT expected to be user-configured.\n\
+#\n\
+# These keys are current as of January 2011.  If any key fails to\n\
+# initialize correctly, it may have expired.  In that event you should\n\
+# replace this file with a current version.  The latest version of\n\
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+\n\
 managed-keys {\n\
-        # NOTE: This key is current as of October 2009.\n\
-        # If it fails to initialize correctly, it may have expired;\n\
-        # see https://www.isc.org/solutions/dlv for a replacement.\n\
-	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
+	# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+        # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
+        # in named.conf.\n\
+	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+		TDN0YUuWrBNh\";\n\
+\n\
+	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+	# for current trust anchor information.\n\
+        # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+        # in named.conf.\n\
+	. initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+		QxA+Uk1ihz0=\";\n\
 };\n\
 "
--- a/bin/named/bindkeys.pl
+++ b/bin/named/bindkeys.pl
@@ -14,12 +14,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $
+# $Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $

 use strict;
 use warnings;

-my $rev = '$Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $';
+my $rev = '$Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $';
 $rev =~ s/\$//g;
 $rev =~ s/,v//g;
 $rev =~ s/Id: //;
@@ -31,7 +31,7 @@ while (<>) {
    chomp;
    if (/\/\* .Id:.* \*\//) {
 	$keys = $_;
-        next;
+	next;
    }
    s/\"/\\\"/g;
    s/$/\\n\\/;
@@ -48,7 +48,7 @@ print "/*\n * Generated by $rev \n * From $keys\n */\n";
 my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";

 $lines =~ s/managed-keys/trusted-keys/;
-$lines =~ s/\s+initial-key//;
+$lines =~ s/\s+initial-key//g;
 my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";

 print $tkey;

--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.591 2010/12/18 01:56:19 each Exp $ */
+/* $Id: server.c,v 1.592 2011/01/03 23:45:07 each Exp $ */

 /*! \file */

@@ -602,7 +602,8 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,

 static isc_result_t
 load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
-	       dns_view_t *view, isc_boolean_t managed, isc_mem_t *mctx)
+	       dns_view_t *view, isc_boolean_t managed,
+	       dns_name_t *keyname, isc_mem_t *mctx)
 {
 	const cfg_listelt_t *elt, *elt2;
 	const cfg_obj_t *key, *keylist;
@@ -630,6 +631,16 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;

+			/*
+			 * If keyname was specified, we only add that key.
+			 */
+			if (keyname != NULL &&
+		  	    !dns_name_equal(keyname, dst_key_name(dstkey)))
+			{
+				dst_key_free(&dstkey);
+				continue;
+			}
+
 			CHECK(dns_keytable_add(secroots, managed, &dstkey));
 		}
 	}
@@ -653,15 +664,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 static isc_result_t
 configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
-			  isc_boolean_t auto_dlv, isc_mem_t *mctx)
+			  isc_boolean_t auto_dlv, isc_boolean_t auto_root,
+			  isc_mem_t *mctx)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	const cfg_obj_t *view_keys = NULL;
 	const cfg_obj_t *global_keys = NULL;
 	const cfg_obj_t *view_managed_keys = NULL;
 	const cfg_obj_t *global_managed_keys = NULL;
-	const cfg_obj_t *builtin_keys = NULL;
-	const cfg_obj_t *builtin_managed_keys = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
@@ -707,9 +717,12 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	}

 	if (auto_dlv && view->rdclass == dns_rdataclass_in) {
+		const cfg_obj_t *builtin_keys = NULL;
+		const cfg_obj_t *builtin_managed_keys = NULL;
+
 		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "using built-in trusted-keys for view %s",
+			      "using built-in DLV key for view %s",
 			      view->name);

 		/*
@@ -730,19 +743,56 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,

 		if (builtin_keys != NULL)
 			CHECK(load_view_keys(builtin_keys, vconfig, view,
-					     ISC_FALSE, mctx));
+					     ISC_FALSE, view->dlv, mctx));
 		if (builtin_managed_keys != NULL)
 			CHECK(load_view_keys(builtin_managed_keys, vconfig,
-					     view, ISC_TRUE, mctx));
+					     view, ISC_TRUE, view->dlv, mctx));
 	}

-	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
-	CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx));
+	if (auto_root && view->rdclass == dns_rdataclass_in) {
+		const cfg_obj_t *builtin_keys = NULL;
+		const cfg_obj_t *builtin_managed_keys = NULL;
+
+		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "using built-in root key for view %s",
+			      view->name);
+
+		/*
+		 * If bind.keys exists, it overrides the managed-keys
+		 * clause hard-coded in ns_g_config.
+		 */
+		if (bindkeys != NULL) {
+			(void)cfg_map_get(bindkeys, "trusted-keys",
+					  &builtin_keys);
+			(void)cfg_map_get(bindkeys, "managed-keys",
+					  &builtin_managed_keys);
+		} else {
+			(void)cfg_map_get(ns_g_config, "trusted-keys",
+					  &builtin_keys);
+			(void)cfg_map_get(ns_g_config, "managed-keys",
+					  &builtin_managed_keys);
+		}
+
+		if (builtin_keys != NULL)
+			CHECK(load_view_keys(builtin_keys, vconfig, view,
+					     ISC_FALSE, dns_rootname, mctx));
+		if (builtin_managed_keys != NULL)
+			CHECK(load_view_keys(builtin_managed_keys, vconfig,
+					     view, ISC_TRUE, dns_rootname,
+					     mctx));
+	}
+
+	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
+			     NULL, mctx));
+	CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
+			     NULL, mctx));
+
 	if (view->rdclass == dns_rdataclass_in) {
 		CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
-				     mctx));
+				     NULL, mctx));
 		CHECK(load_view_keys(global_managed_keys, vconfig, view,
-				     ISC_TRUE, mctx));
+				     ISC_TRUE, NULL, mctx));
 	}

 	/*
@@ -1374,6 +1424,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 	isc_stats_t *resstats = NULL;
 	dns_stats_t *resquerystats = NULL;
 	isc_boolean_t auto_dlv = ISC_FALSE;
+	isc_boolean_t auto_root = ISC_FALSE;
 	ns_cache_t *nsc;
 	isc_boolean_t zero_no_soattl;
 	cfg_parser_t *newzones_parser = NULL;
@@ -1740,7 +1791,13 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-validation", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	view->enablevalidation = cfg_obj_asboolean(obj);
+	if (cfg_obj_isboolean(obj)) {
+		view->enablevalidation = cfg_obj_asboolean(obj);
+	} else {
+		/* If dnssec-validation is not boolean, it must be "auto" */
+		view->enablevalidation = ISC_TRUE;
+		auto_root = ISC_TRUE;
+	}

 	obj = NULL;
 	result = ns_config_get(maps, "max-cache-ttl", &obj);
@@ -2362,24 +2419,6 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 			dns_name_t *dlv;

 			obj = cfg_listelt_value(element);
-#if 0
-			dns_fixedname_t fixed;
-			dns_name_t *name;
-
-			/*
-			 * When we support multiple dnssec-lookaside
-			 * entries this is how to find the domain to be
-			 * checked. XXXMPA
-			 */
-			dns_fixedname_init(&fixed);
-			name = dns_fixedname_name(&fixed);
-			str = cfg_obj_asstring(cfg_tuple_get(obj,
-							     "domain"));
-			isc_buffer_init(&b, str, strlen(str));
-			isc_buffer_add(&b, strlen(str));
-			CHECK(dns_name_fromtext(name, &b, dns_rootname,
-						0, NULL));
-#endif
 			str = cfg_obj_asstring(cfg_tuple_get(obj,
 							     "trust-anchor"));
 			isc_buffer_init(&b, str, strlen(str));
@@ -2397,7 +2436,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 	 * "security roots".
 	 */
 	CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
-					auto_dlv, mctx));
+					auto_dlv, auto_root, mctx));
 	dns_resolver_resetmustbesecure(view->resolver);
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-must-be-secure", &obj);

--- a/bin/tests/system/dnssec/README
+++ b/bin/tests/system/dnssec/README
@@ -2,7 +2,7 @@ Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2000-2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

-$Id: README,v 1.8 2004/03/05 05:00:08 marka Exp $
+$Id: README,v 1.9 2011/01/03 23:45:07 each Exp $

 The test setup for the DNSSEC tests has a secure root.

@@ -15,3 +15,7 @@ for the root.

 ns5 is a caching-only server, configured with the an incorrect trusted
 key for the root.  It is used for testing failure cases.
+
+ns6 is a caching-only server configured to use DLV.
+
+ns7 is used for checking non-cacheable answers.
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -15,9 +15,10 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: clean.sh,v 1.31 2010/12/18 02:12:44 each Exp $
+# $Id: clean.sh,v 1.32 2011/01/03 23:45:07 each Exp $

-rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
+rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
+rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
 rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
 rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
@@ -44,4 +45,4 @@ rm -f ns1/managed.key.id
 rm -f signer/example.db
 rm -f ns2/algroll.db
 rm -f ns3/kskonly.example.db
-
+rm -f ns4/named.conf
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.34 2010/11/16 01:14:51 marka Exp $
+# $Id: sign.sh,v 1.35 2011/01/03 23:45:07 each Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -39,7 +39,6 @@ cat $infile $keyname.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null

 # Configure the resolving server with a trusted key.
-
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
 local $key = join("", @rest);
@@ -49,11 +48,23 @@ trusted-keys {
 };
 EOF
 ' > trusted.conf
+
+# ...or with a managed key.
+cat $keyname.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+managed-keys {
+    "$dn" initial-key $flags $proto $alg "$key";
+};
+EOF
+' > managed.conf
 cp trusted.conf ../ns2/trusted.conf
 cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns4/trusted.conf
 cp trusted.conf ../ns6/trusted.conf
 cp trusted.conf ../ns7/trusted.conf
+cp managed.conf ../ns4/managed.conf
 #
 #  Save keyid for managed key id test.
 #

--- a/bin/tests/system/dnssec/ns4/named1.conf
+++ b/bin/tests/system/dnssec/ns4/named1.conf
+/*
+ * Copyright (C) 2004, 2006, 2007, 2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named1.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */
+
+// NS4
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	acache-enable yes;
+	dnssec-enable yes;
+	dnssec-validation yes;
+	dnssec-must-be-secure mustbesecure.example yes;
+
+        # Note: We only reference the bind.keys file here to confirm that it
+        # is *not* being used.  It contains the real root key, and we're
+        # using a local toy root zone for the tests, so it wouldn't work.
+        # But since dnssec-validation is set to "yes" not "auto", that
+        # won't matter.
+        bindkeys-file "../../../../../bind.keys";
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.30 2010/06/25 23:46:51 tbox Exp $ */
+/* $Id: named2.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */

 // NS4

@@ -32,8 +32,8 @@ options {
 	recursion yes;
 	acache-enable yes;
 	dnssec-enable yes;
-	dnssec-validation yes;
-	dnssec-must-be-secure mustbesecure.example yes;
+	dnssec-validation auto;
+        bindkeys-file "managed.conf";
 };

 key rndc_key {
@@ -49,5 +49,3 @@ zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
-
-include "trusted.conf";
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: setup.sh,v 1.17 2009/10/27 22:25:37 marka Exp $
+# $Id: setup.sh,v 1.18 2011/01/03 23:45:07 each Exp $

 ../../../tools/genrandom 400 random.data

@@ -23,4 +23,6 @@ cd ns1 && sh sign.sh

 echo "a.bogus.example.	A	10.0.0.22" >>../ns3/bogus.example.db.signed

+cd ../ns4 && cp -f named1.conf named.conf
 cd ../ns5 && cp -f trusted.conf.bad trusted.conf
+
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.71 2010/11/16 01:14:51 marka Exp $
+# $Id: tests.sh,v 1.72 2011/01/03 23:45:07 each Exp $

 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1055,5 +1055,57 @@ else
    echo "I:The DNSSEC update test requires the Net::DNS library." >&2
 fi

+# Reconfigure caching server to use "dnssec-validation auto", and repeat
+# some of the DNSSEC validation tests to ensure that it works correctly.
+echo "I:switching to automatic root key configuration"
+cp ns4/named2.conf ns4/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
+sleep 5
+
+echo "I:checking positive validation NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking negative validation ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
--- a/bind.keys
+++ b/bind.keys
-/* $Id: bind.keys,v 1.6 2010/06/20 07:15:28 marka Exp $ */
+/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options.  To use the built-in DLV key, set
+# "dnssec-lookaside auto;".  Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of January 2011.  If any key fails to
+# initialize correctly, it may have expired.  In that event you should
+# replace this file with a current version.  The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
 managed-keys {
-        # NOTE: This key is current as of October 2009.
-        # If it fails to initialize correctly, it may have expired;
-        # see https://www.isc.org/solutions/dlv for a replacement.
-	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
+	# ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
+        # in named.conf.
+	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+		TDN0YUuWrBNh";
+
+	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+	# for current trust anchor information.
+        # NOTE: This key is activated by setting "dnssec-validation auto;"
+        # in named.conf.
+	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX