Commit 89783da0 authored by Mark Andrews's avatar Mark Andrews

1581. [func] Disable DNSSEC support by default. To enable

                        DNSSEC specify "enable-dnssec yes;" in named.conf.
parent 4230c2e8
1581. [func] Disable DNSSEC support by default. To enable
DNSSEC specify "enable-dnssec yes;" in named.conf.
1580. [placeholder] rt3746a
1579. [placeholder] rt3746a
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.42 2003/04/17 12:11:39 marka Exp $ */
/* $Id: config.c,v 1.43 2004/02/17 03:40:19 marka Exp $ */
#include <config.h>
......@@ -123,6 +123,7 @@ options {\n\
check-names master ignore;\n\
check-names slave ignore;\n\
check-names response ignore;\n\
enable-dnssec no; /* Make yes for 9.4. */ \n\
\n\
/* zone */\n\
allow-query {any;};\n\
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.253 2004/02/03 00:59:03 marka Exp $ */
/* $Id: query.c,v 1.254 2004/02/17 03:40:20 marka Exp $ */
#include <config.h>
......@@ -3342,6 +3342,14 @@ ns_query_start(ns_client_t *client) {
*/
client->next = query_next_callback;
/*
* Behave as if we don't support DNSSEC if not enabled.
*/
if (!client->view->enablednssec) {
message->flags &= ~DNS_MESSAGEFLAG_CD;
client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
}
if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
......@@ -3477,6 +3485,7 @@ ns_query_start(ns_client_t *client) {
* Set AD. We must clear it if we add non-validated data to a
* response.
*/
if (client->view->enablednssec)
message->flags |= DNS_MESSAGEFLAG_AD;
qclient = NULL;
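Review bot: In the first ns_query_start hunk the DO and CD bits are cleared on every query for a view with `enable-dnssec no` and nothing records it, so a validating client or forwarder behind this server will presumably receive answers it cannot validate, with no hint why. The comment should state that consequence, e.g. `/* DNSSEC disabled for this view: ignore DO and CD so the reply is built as for a non-DNSSEC server; validators must not depend on this view. */`. In the second hunk the existing "Set AD" comment now sits above a conditional, so brace the `if` and reword the comment to "Set AD only when DNSSEC is enabled for the view". ns_query_start starts and ends outside both hunks, so whether `client->view` can be NULL at these points is not visible and is worth confirming.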
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.411 2004/01/27 02:13:22 marka Exp $ */
/* $Id: server.c,v 1.412 2004/02/17 03:40:20 marka Exp $ */
#include <config.h>
......@@ -1062,10 +1062,16 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS);
view->provideixfr = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "enable-dnssec", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablednssec = cfg_obj_asboolean(obj);
/*
* For now, there is only one kind of trusted keys, the
* "security roots".
*/
if (view->enablednssec)
CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
&view->secroots));
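Review bot: With `enable-dnssec` now defaulting to no, the new `if (view->enablednssec)` guard skips configure_view_dnsseckeys() entirely, so a named.conf that already carries trusted keys will load cleanly while, as far as this hunk shows, no security roots are set up: a silent downgrade on upgrade. A warning logged from the disabled branch when trusted keys are configured but the option is off would make that visible to the operator. The guard should also be braced, because its body is a CHECK() call spanning two lines. configure_view continues outside the hunk, so the state `view->secroots` is left in when DNSSEC is disabled cannot be confirmed from here.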
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.16 2001/01/09 21:42:47 bwelling Exp $ */
/* $Id: named.conf,v 1.17 2004/02/17 03:40:20 marka Exp $ */
// NS1
......@@ -29,6 +29,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
enable-dnssec yes;
};
zone "." {
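Review bot: This configuration and the other named.conf sections in the commit (NS2 to NS6 and the one after) all gain `enable-dnssec yes;`, so none of them runs the new default path. If these are the system-test servers, as the 10.53.0.x addresses suggest, one server should be left at the default and a test should check that a query with DO set comes back without the AD bit. That would cover the behaviour this commit introduces.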
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.19 2002/02/20 03:33:54 marka Exp $ */
/* $Id: named.conf,v 1.20 2004/02/17 03:40:21 marka Exp $ */
// NS2
......@@ -29,6 +29,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
enable-dnssec yes;
};
zone "." {
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.21 2002/02/20 03:33:58 marka Exp $ */
/* $Id: named.conf,v 1.22 2004/02/17 03:40:21 marka Exp $ */
// NS3
......@@ -29,6 +29,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
enable-dnssec yes;
};
zone "." {
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.18 2001/01/11 20:41:37 gson Exp $ */
/* $Id: named.conf,v 1.19 2004/02/17 03:40:21 marka Exp $ */
// NS4
......@@ -28,6 +28,7 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
enable-dnssec yes;
};
zone "." {
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.16 2001/01/11 20:41:39 gson Exp $ */
/* $Id: named.conf,v 1.17 2004/02/17 03:40:21 marka Exp $ */
// NS5
......@@ -28,6 +28,7 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
enable-dnssec yes;
};
zone "." {
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2004/01/15 04:09:17 marka Exp $ */
/* $Id: named.conf,v 1.3 2004/02/17 03:40:22 marka Exp $ */
// NS6
......@@ -30,6 +30,7 @@ options {
recursion yes;
notify yes;
disable-algorithms . { DSA; };
enable-dnssec yes;
};
zone "." {
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.11 2001/01/09 21:43:45 bwelling Exp $ */
/* $Id: named.conf,v 1.12 2004/02/17 03:40:22 marka Exp $ */
options {
query-source address 10.53.0.1;
......@@ -27,6 +27,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify no;
enable-dnssec yes;
};
zone "." {
......
......@@ -2,7 +2,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
<!-- File: $Id: Bv9ARM-book.xml,v 1.232 2004/01/14 02:06:49 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.233 2004/02/17 03:40:22 marka Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
......@@ -2744,6 +2744,7 @@ statement in the <filename>named.conf</filename> file:</para>
<optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> enable-dnssec <replaceable>yes_or_no</replaceable>; </optional>
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
<optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
......@@ -3324,6 +3325,14 @@ when the serial number on the master is less than what named currently
has. The default is <userinput>no</userinput>.
</para></listitem></varlistentry>
<varlistentry><term><command>enable-dnssec</command></term>
<listitem>
<para>
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
named behaves as if it does not support DNSSEC.
The default is <userinput>no</userinput>.
</para></listitem></varlistentry>
</variablelist>
</sect3>
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.h,v 1.87 2003/09/30 05:56:17 marka Exp $ */
/* $Id: view.h,v 1.88 2004/02/17 03:40:23 marka Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
......@@ -107,6 +107,7 @@ struct dns_view {
isc_boolean_t additionalfromcache;
isc_boolean_t additionalfromauth;
isc_boolean_t minimalresponses;
isc_boolean_t enablednssec;
dns_transfer_format_t transfer_format;
dns_acl_t * queryacl;
dns_acl_t * recursionacl;
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.c,v 1.123 2003/10/03 02:19:31 marka Exp $ */
/* $Id: view.c,v 1.124 2004/02/17 03:40:23 marka Exp $ */
#include <config.h>
......@@ -155,6 +155,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
view->additionalfromcache = ISC_TRUE;
view->additionalfromauth = ISC_TRUE;
view->enablednssec = ISC_TRUE;
view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer;
view->queryacl = NULL;
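Review bot: dns_view_create() initialises `view->enablednssec = ISC_TRUE`, while the built-in named configuration and the manual text in this commit both give the default as no, so any view created without going through configure_view() would keep DNSSEC processing on. If that is intended for library users, say so on the line: `view->enablednssec = ISC_TRUE; /* library default; named overrides from "enable-dnssec" */`. If it is not, initialise the field to ISC_FALSE so the two defaults agree. The function body extends beyond the hunk.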
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.25 2004/01/14 02:06:51 marka Exp $ */
/* $Id: namedconf.c,v 1.26 2004/02/17 03:40:23 marka Exp $ */
#include <config.h>
......@@ -678,6 +678,7 @@ view_clauses[] = {
{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
{ "disable-algorithms", &cfg_type_disablealgorithm,
CFG_CLAUSEFLAG_MULTI },
{ "enable-dnssec", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
......