Commit 89783da0 authored by Mark Andrews's avatar Mark Andrews

1581. [func] Disable DNSSEC support by default. To enable

                        DNSSEC specify "enable-dnssec yes;" in named.conf.
parent 4230c2e8
1581. [func] Disable DNSSEC support by default. To enable
DNSSEC specify "enable-dnssec yes;" in named.conf.
1580. [placeholder] rt3746a 1580. [placeholder] rt3746a
1579. [placeholder] rt3746a 1579. [placeholder] rt3746a
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: config.c,v 1.42 2003/04/17 12:11:39 marka Exp $ */ /* $Id: config.c,v 1.43 2004/02/17 03:40:19 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -123,6 +123,7 @@ options {\n\ ...@@ -123,6 +123,7 @@ options {\n\
check-names master ignore;\n\ check-names master ignore;\n\
check-names slave ignore;\n\ check-names slave ignore;\n\
check-names response ignore;\n\ check-names response ignore;\n\
enable-dnssec no; /* Make yes for 9.4. */ \n\
\n\ \n\
/* zone */\n\ /* zone */\n\
allow-query {any;};\n\ allow-query {any;};\n\
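Review bot: The release-planning remark `/* Make yes for 9.4. */` on the new `enable-dnssec no;` line lives inside the runtime defaults string, so it is shipped in the binary and fed to the named.conf parser rather than being visible as a code comment. I would keep the defaults string clean, `enable-dnssec no;\n\`, and put the intent in C next to it: `/* TODO: make the default "yes" for 9.4. */`. The new default also matters for the `INSIST(result == ISC_R_SUCCESS)` that server.c now performs on `ns_config_get(maps, "enable-dnssec", ...)`, so this line should be called out as required wherever the defaults string is documented. The defaults string starts and ends outside this hunk.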
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: query.c,v 1.253 2004/02/03 00:59:03 marka Exp $ */ /* $Id: query.c,v 1.254 2004/02/17 03:40:20 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -3342,6 +3342,14 @@ ns_query_start(ns_client_t *client) { ...@@ -3342,6 +3342,14 @@ ns_query_start(ns_client_t *client) {
*/ */
client->next = query_next_callback; client->next = query_next_callback;
/*
* Behave as if we don't support DNSSEC if not enabled.
*/
if (!client->view->enablednssec) {
message->flags &= ~DNS_MESSAGEFLAG_CD;
client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
}
if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
client->query.attributes |= NS_QUERYATTR_WANTRECURSION; client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
...@@ -3477,7 +3485,8 @@ ns_query_start(ns_client_t *client) { ...@@ -3477,7 +3485,8 @@ ns_query_start(ns_client_t *client) {
* Set AD. We must clear it if we add non-validated data to a * Set AD. We must clear it if we add non-validated data to a
* response. * response.
*/ */
message->flags |= DNS_MESSAGEFLAG_AD; if (client->view->enablednssec)
message->flags |= DNS_MESSAGEFLAG_AD;
qclient = NULL; qclient = NULL;
ns_client_attach(client, &qclient); ns_client_attach(client, &qclient);
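Review bot: The comment above the new `if (client->view->enablednssec)` guard still reads "Set AD. We must clear it if we add non-validated data to a response." and no longer describes the code, which now leaves AD clear whenever DNSSEC is disabled for the view; I would extend it to "Set AD unless DNSSEC is disabled for this view (enable-dnssec no). We must clear it if we add non-validated data to a response." The earlier hunk in this section, which strips CD from the request flags and DO from `client->extflags`, has the same documentation gap: its comment says what is done but not that this is the only place the view's setting is applied to the request, so a reader cannot tell whether later code may still consult those bits. `ns_query_start` begins and ends outside both hunks, so I cannot confirm from the page that `client->view` is already set at the first guard; that is worth a check.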
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: server.c,v 1.411 2004/01/27 02:13:22 marka Exp $ */ /* $Id: server.c,v 1.412 2004/02/17 03:40:20 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -1061,13 +1061,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, ...@@ -1061,13 +1061,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
result = ns_config_get(maps, "provide-ixfr", &obj); result = ns_config_get(maps, "provide-ixfr", &obj);
INSIST(result == ISC_R_SUCCESS); INSIST(result == ISC_R_SUCCESS);
view->provideixfr = cfg_obj_asboolean(obj); view->provideixfr = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "enable-dnssec", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablednssec = cfg_obj_asboolean(obj);
/* /*
* For now, there is only one kind of trusted keys, the * For now, there is only one kind of trusted keys, the
* "security roots". * "security roots".
*/ */
CHECK(configure_view_dnsseckeys(vconfig, config, mctx, if (view->enablednssec)
&view->secroots)); CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
&view->secroots));
obj = NULL; obj = NULL;
result = ns_config_get(maps, "max-cache-ttl", &obj); result = ns_config_get(maps, "max-cache-ttl", &obj);
...@@ -1122,7 +1128,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, ...@@ -1122,7 +1128,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
} }
} else } else
dns_view_setrootdelonly(view, ISC_FALSE); dns_view_setrootdelonly(view, ISC_FALSE);
result = ISC_R_SUCCESS; result = ISC_R_SUCCESS;
cleanup: cleanup:
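Review bot: Gating `configure_view_dnsseckeys()` on `view->enablednssec` means a named.conf that carries `trusted-keys` but not `enable-dnssec yes;` now silently configures no security roots, so an operator who upgrades expecting validation gets none and nothing in the log says why. I would log at warning level when DNSSEC is disabled for a view that has trusted keys configured, or at least document the interaction in the option's ARM entry. The guard is written as an unbraced `if` around a `CHECK(...)` macro; that is only safe if `CHECK` expands to a single statement, so `if (view->enablednssec) { CHECK(...); }` would be the defensive form. `configure_view` starts and ends outside this hunk.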
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.16 2001/01/09 21:42:47 bwelling Exp $ */ /* $Id: named.conf,v 1.17 2004/02/17 03:40:20 marka Exp $ */
// NS1 // NS1
...@@ -29,6 +29,7 @@ options { ...@@ -29,6 +29,7 @@ options {
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion no; recursion no;
notify yes; notify yes;
enable-dnssec yes;
}; };
zone "." { zone "." {
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.19 2002/02/20 03:33:54 marka Exp $ */ /* $Id: named.conf,v 1.20 2004/02/17 03:40:21 marka Exp $ */
// NS2 // NS2
...@@ -29,6 +29,7 @@ options { ...@@ -29,6 +29,7 @@ options {
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion no; recursion no;
notify yes; notify yes;
enable-dnssec yes;
}; };
zone "." { zone "." {
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.21 2002/02/20 03:33:58 marka Exp $ */ /* $Id: named.conf,v 1.22 2004/02/17 03:40:21 marka Exp $ */
// NS3 // NS3
...@@ -29,6 +29,7 @@ options { ...@@ -29,6 +29,7 @@ options {
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion no; recursion no;
notify yes; notify yes;
enable-dnssec yes;
}; };
zone "." { zone "." {
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.18 2001/01/11 20:41:37 gson Exp $ */ /* $Id: named.conf,v 1.19 2004/02/17 03:40:21 marka Exp $ */
// NS4 // NS4
...@@ -28,6 +28,7 @@ options { ...@@ -28,6 +28,7 @@ options {
listen-on { 10.53.0.4; }; listen-on { 10.53.0.4; };
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion yes; recursion yes;
enable-dnssec yes;
}; };
zone "." { zone "." {
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.16 2001/01/11 20:41:39 gson Exp $ */ /* $Id: named.conf,v 1.17 2004/02/17 03:40:21 marka Exp $ */
// NS5 // NS5
...@@ -28,6 +28,7 @@ options { ...@@ -28,6 +28,7 @@ options {
listen-on { 10.53.0.5; }; listen-on { 10.53.0.5; };
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion yes; recursion yes;
enable-dnssec yes;
}; };
zone "." { zone "." {
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.2 2004/01/15 04:09:17 marka Exp $ */ /* $Id: named.conf,v 1.3 2004/02/17 03:40:22 marka Exp $ */
// NS6 // NS6
...@@ -30,6 +30,7 @@ options { ...@@ -30,6 +30,7 @@ options {
recursion yes; recursion yes;
notify yes; notify yes;
disable-algorithms . { DSA; }; disable-algorithms . { DSA; };
enable-dnssec yes;
}; };
zone "." { zone "." {
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.11 2001/01/09 21:43:45 bwelling Exp $ */ /* $Id: named.conf,v 1.12 2004/02/17 03:40:22 marka Exp $ */
options { options {
query-source address 10.53.0.1; query-source address 10.53.0.1;
...@@ -27,6 +27,7 @@ options { ...@@ -27,6 +27,7 @@ options {
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion no; recursion no;
notify no; notify no;
enable-dnssec yes;
}; };
zone "." { zone "." {
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
<!-- File: $Id: Bv9ARM-book.xml,v 1.232 2004/01/14 02:06:49 marka Exp $ --> <!-- File: $Id: Bv9ARM-book.xml,v 1.233 2004/02/17 03:40:22 marka Exp $ -->
<book> <book>
<title>BIND 9 Administrator Reference Manual</title> <title>BIND 9 Administrator Reference Manual</title>
...@@ -2744,6 +2744,7 @@ statement in the <filename>named.conf</filename> file:</para> ...@@ -2744,6 +2744,7 @@ statement in the <filename>named.conf</filename> file:</para>
<optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional> <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional> <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional> <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> enable-dnssec <replaceable>yes_or_no</replaceable>; </optional>
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional> <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
<optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional> <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional> <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
...@@ -3324,6 +3325,14 @@ when the serial number on the master is less than what named currently ...@@ -3324,6 +3325,14 @@ when the serial number on the master is less than what named currently
has. The default is <userinput>no</userinput>. has. The default is <userinput>no</userinput>.
</para></listitem></varlistentry> </para></listitem></varlistentry>
<varlistentry><term><command>enable-dnssec</command></term>
<listitem>
<para>
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
named behaves as if it does not support DNSSEC.
The default is <userinput>no</userinput>.
</para></listitem></varlistentry>
</variablelist> </variablelist>
</sect3> </sect3>
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: view.h,v 1.87 2003/09/30 05:56:17 marka Exp $ */ /* $Id: view.h,v 1.88 2004/02/17 03:40:23 marka Exp $ */
#ifndef DNS_VIEW_H #ifndef DNS_VIEW_H
#define DNS_VIEW_H 1 #define DNS_VIEW_H 1
...@@ -107,6 +107,7 @@ struct dns_view { ...@@ -107,6 +107,7 @@ struct dns_view {
isc_boolean_t additionalfromcache; isc_boolean_t additionalfromcache;
isc_boolean_t additionalfromauth; isc_boolean_t additionalfromauth;
isc_boolean_t minimalresponses; isc_boolean_t minimalresponses;
isc_boolean_t enablednssec;
dns_transfer_format_t transfer_format; dns_transfer_format_t transfer_format;
dns_acl_t * queryacl; dns_acl_t * queryacl;
dns_acl_t * recursionacl; dns_acl_t * recursionacl;
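Review bot: The new `isc_boolean_t enablednssec;` member is added without a comment, and elsewhere in this commit it controls three separate things: whether the view's security roots are configured at all, whether CD/DO are honoured on incoming queries, and whether AD is set on responses. A one-line comment on the field would save the next reader from tracing all three sites: `/* enable-dnssec: when false the view configures no trusted keys and answers as if DNSSEC were unsupported (CD/DO ignored, AD never set). */`. `struct dns_view` starts and ends outside this hunk.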
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: view.c,v 1.123 2003/10/03 02:19:31 marka Exp $ */ /* $Id: view.c,v 1.124 2004/02/17 03:40:23 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -155,6 +155,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, ...@@ -155,6 +155,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */ view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
view->additionalfromcache = ISC_TRUE; view->additionalfromcache = ISC_TRUE;
view->additionalfromauth = ISC_TRUE; view->additionalfromauth = ISC_TRUE;
view->enablednssec = ISC_TRUE;
view->minimalresponses = ISC_FALSE; view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer; view->transfer_format = dns_one_answer;
view->queryacl = NULL; view->queryacl = NULL;
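Review bot: `view->enablednssec = ISC_TRUE;` in `dns_view_create` contradicts the default this commit documents and ships in config.c (`enable-dnssec no;`): any view that is created but not subsequently run through `configure_view` will have DNSSEC enabled while the ARM says the default is no. Unless every view is guaranteed to pass through `configure_view`, which I cannot confirm from this page, the safe initial value is the documented one, `view->enablednssec = ISC_FALSE;`. The new assignment is also placed before `minimalresponses` here while the header declares the field after it; matching the declaration order keeps the initialiser block easy to audit. `dns_view_create` starts and ends outside this hunk.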
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: namedconf.c,v 1.25 2004/01/14 02:06:51 marka Exp $ */ /* $Id: namedconf.c,v 1.26 2004/02/17 03:40:23 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -678,6 +678,7 @@ view_clauses[] = { ...@@ -678,6 +678,7 @@ view_clauses[] = {
{ "root-delegation-only", &cfg_type_optional_exclude, 0 }, { "root-delegation-only", &cfg_type_optional_exclude, 0 },
{ "disable-algorithms", &cfg_type_disablealgorithm, { "disable-algorithms", &cfg_type_disablealgorithm,
CFG_CLAUSEFLAG_MULTI }, CFG_CLAUSEFLAG_MULTI },
{ "enable-dnssec", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 } { NULL, NULL, 0 }
}; };