Commit cfe92110 authored by Mark Andrews's avatar Mark Andrews

2007. [func] It is now possible to explicitly enable DNSSEC

                        validation.  default dnssec-validation no; to
                        be changed to yes in 9.5.0.  [RT #15674]
parent 93875126
2007. [func] It is now possible to explicitly enable DNSSEC
validation. default dnssec-validation no; to
be changed to yes in 9.5.0. [RT #15674]
2006. [security] Allow-query-cache and allow-recursion now default
to the builtin acls "localnets" and "localhost".
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */
/* $Id: config.c,v 1.73 2006/03/09 23:21:53 marka Exp $ */
/*! \file */
......@@ -135,7 +135,8 @@ options {\n\
use-additional-cache true;\n\
acache-cleaning-interval 60;\n\
max-acache-size 0;\n\
dnssec-enable no; /* Make yes for 9.4. */ \n\
dnssec-enable yes;\n\
dnssec-validation no; /* Make yes for 9.5. */ \n\
dnssec-accept-expired no;\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
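Review bot: The built-in default for dnssec-enable flips from `no` to `yes` on the `dnssec-enable yes;` line, a behaviour change that neither the commit message nor the CHANGES entry records; it does agree with the ARM text ("The default is yes") and with the `enablednssec = ISC_TRUE` fallback in check_viewconf, so the CHANGES entry should say so. The `/* Make yes for 9.5. */` comment embedded in the `dnssec-validation no;` line is read by the config parser as an ordinary C-style comment and is harmless, but the same default is hard-coded a second time as `ISC_FALSE` in check.c. A cross-reference such as `/* Keep in step with check_viewconf() in check.c. */` next to the string would help whoever changes the default for 9.5 to change both places.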
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.20 2006/03/06 01:27:51 marka Exp $ -->
<!-- $Id: named.conf.docbook,v 1.21 2006/03/09 23:21:53 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -263,6 +263,7 @@ options {
root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
......@@ -410,6 +411,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.282 2006/03/03 00:43:34 marka Exp $ */
/* $Id: query.c,v 1.283 2006/03/09 23:21:53 marka Exp $ */
/*! \file */
......@@ -4527,13 +4527,17 @@ ns_query_start(ns_client_t *client) {
* If the client has requested that DNSSEC checking be disabled,
* allow lookups to return pending data and instruct the resolver
* to return data before validation has completed.
*
* We don't need to set DNS_DBFIND_PENDINGOK when validation is
* disabled as there will be no pending data.
*/
if (message->flags & DNS_MESSAGEFLAG_CD ||
qtype == dns_rdatatype_rrsig)
{
client->query.dboptions |= DNS_DBFIND_PENDINGOK;
client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
}
} else if (!client->view->enablevalidation)
client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
/*
* Allow glue NS records to be added to the authority section
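Review bot: The new comment's claim that "there will be no pending data" when validation is disabled holds only for data cached after validation was turned off; if the view's cache survives a reconfigure, RRsets stored as pending while the view was still validating stay invisible to lookups that lack DNS_DBFIND_PENDINGOK, so please confirm that is the intended trade-off or say so in the comment, e.g. `* (data cached as pending before validation was disabled stays hidden)`. A smaller point of style: `} else if (!client->view->enablevalidation)` leaves its single statement unbraced beside a braced `if` arm; `} else if (!client->view->enablevalidation) {` with a closing `}` keeps the two arms uniform. ns_query_start begins and ends outside the hunk.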
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */
/* $Id: server.c,v 1.461 2006/03/09 23:21:53 marka Exp $ */
/*! \file */
......@@ -1493,6 +1493,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
INSIST(result == ISC_R_SUCCESS);
view->acceptexpired = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "dnssec-validation", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablevalidation = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.3 2004/06/04 02:31:41 marka Exp $ */
/* $Id: named.conf,v 1.4 2006/03/09 23:21:53 marka Exp $ */
/*
* Choose a keyname that is unlikely to clash with any real key names.
......@@ -58,6 +58,7 @@ options {
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside "." trust-anchor "dlv.utld";
};
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.20 2004/03/10 02:19:53 marka Exp $ */
/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
// NS1
......@@ -32,6 +32,7 @@ options {
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.24 2004/05/05 01:32:57 marka Exp $ */
/* $Id: named.conf,v 1.25 2006/03/09 23:21:53 marka Exp $ */
// NS2
......@@ -32,6 +32,7 @@ options {
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.27 2004/05/05 01:32:57 marka Exp $ */
/* $Id: named.conf,v 1.28 2006/03/09 23:21:53 marka Exp $ */
// NS3
......@@ -32,6 +32,7 @@ options {
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.23 2004/04/15 23:40:23 marka Exp $ */
/* $Id: named.conf,v 1.24 2006/03/09 23:21:53 marka Exp $ */
// NS4
......@@ -31,6 +31,7 @@ options {
listen-on-v6 { none; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
};
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.20 2004/03/10 02:19:54 marka Exp $ */
/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
// NS5
......@@ -31,6 +31,7 @@ options {
listen-on-v6 { none; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.7 2004/06/04 02:31:41 marka Exp $ */
/* $Id: named.conf,v 1.8 2006/03/09 23:21:53 marka Exp $ */
// NS6
......@@ -32,6 +32,7 @@ options {
notify yes;
disable-algorithms . { DSA; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv;
};
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.15 2004/03/10 02:19:54 marka Exp $ */
/* $Id: named.conf,v 1.16 2006/03/09 23:21:54 marka Exp $ */
controls { /* empty */ };
......@@ -30,6 +30,7 @@ options {
recursion no;
notify no;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.298 2006/03/09 03:30:18 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.299 2006/03/09 23:21:54 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -4393,6 +4393,7 @@ category notify { null; };
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
<optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
......@@ -5484,6 +5485,18 @@ options {
<para>
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
named behaves as if it does not support DNSSEC.
The default is <userinput>yes</userinput>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dnssec-validation</command></term>
<listitem>
<para>
Enable DNSSEC validation in named.
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
The default is <userinput>no</userinput>.
</para>
</listitem>
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.72 2006/03/06 01:27:52 marka Exp $ */
/* $Id: check.c,v 1.73 2006/03/09 23:21:54 marka Exp $ */
/*! \file */
......@@ -1394,6 +1394,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult = ISC_R_SUCCESS;
cfg_aclconfctx_t actx;
cfg_obj_t *obj;
isc_boolean_t enablednssec, enablevalidation;
/*
* Check that all zone statements are syntactically correct and
......@@ -1499,6 +1501,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
result = ISC_R_FAILURE;
}
/*
* Check that dnssec-enable/dnssec-validation are sensible.
*/
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-enable", &obj);
if (obj == NULL)
(void)cfg_map_get(config, "dnssec-enable", &obj);
if (obj == NULL)
enablednssec = ISC_TRUE;
else
enablednssec = cfg_obj_asboolean(obj);
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-validation", &obj);
if (obj == NULL)
(void)cfg_map_get(config, "dnssec-validation", &obj);
if (obj == NULL)
enablevalidation = ISC_FALSE; /* XXXMPA Change for 9.5. */
else
enablevalidation = cfg_obj_asboolean(obj);
if (enablevalidation && !enablednssec)
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"'dnssec-validation yes;' and 'dnssec-enable no;'");
if (voptions != NULL)
tresult = check_options(voptions, logctx, mctx);
else
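Review bot: The fallback `enablevalidation = ISC_FALSE; /* XXXMPA Change for 9.5. */` is the only thing that keeps `obj` non-NULL when the warning fires: once that default becomes ISC_TRUE, an options block that omits dnssec-validation but sets `dnssec-enable no;` reaches `cfg_obj_log(obj, ...)` with `obj == NULL`. Logging against the dnssec-enable object instead, or keeping the validation object in its own `const cfg_obj_t *valobj` and logging against whichever is non-NULL, makes the warning safe whichever way the default goes. Both fallbacks here also duplicate the defaults baked into the built-in config string in config.c, so a comment pointing at that string would help keep them in step. The message `"'dnssec-validation yes;' and 'dnssec-enable no;'"` names the combination but not its effect; `"'dnssec-validation yes;' has no effect with 'dnssec-enable no;'"` tells the operator what is wrong. The declaration hunk above introduces `cfg_obj_t *obj;`; if cfg_map_get's out-parameter is `const cfg_obj_t **` (which `config` being `const cfg_obj_t *` suggests), that wants `const cfg_obj_t *obj;` to avoid an incompatible-pointer warning.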
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.h,v 1.100 2006/01/05 00:01:46 marka Exp $ */
/* $Id: view.h,v 1.101 2006/03/09 23:21:54 marka Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
......@@ -112,6 +112,7 @@ struct dns_view {
isc_boolean_t additionalfromauth;
isc_boolean_t minimalresponses;
isc_boolean_t enablednssec;
isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
dns_transfer_format_t transfer_format;
dns_acl_t * queryacl;
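Review bot: The new `enablevalidation` member carries no comment saying what it controls or who sets it, so a reader has to find resolver.c and configure_view to learn its meaning; a one-line `/* Validate DNSSEC answers in this view (dnssec-validation); set by the server from configuration. */` beside the declaration would document the new knob where it is declared. struct dns_view begins and ends outside the hunk.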
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.329 2006/02/17 00:24:21 marka Exp $ */
/* $Id: resolver.c,v 1.330 2006/03/09 23:21:54 marka Exp $ */
/*! \file */
......@@ -3536,14 +3536,16 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
/*
* Is DNSSEC validation required for this name?
*/
result = dns_keytable_issecuredomain(res->view->secroots, name,
&secure_domain);
if (result != ISC_R_SUCCESS)
return (result);
if (res->view->enablevalidation) {
result = dns_keytable_issecuredomain(res->view->secroots, name,
&secure_domain);
if (result != ISC_R_SUCCESS)
return (result);
if (!secure_domain && res->view->dlv != NULL) {
valoptions = DNS_VALIDATOR_DLV;
secure_domain = ISC_TRUE;
if (!secure_domain && res->view->dlv != NULL) {
valoptions = DNS_VALIDATOR_DLV;
secure_domain = ISC_TRUE;
}
}
if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
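Review bot: When `res->view->enablevalidation` is false the new block skips every assignment to `secure_domain` and `valoptions`, so whatever follows the `DNS_FETCHOPT_NOVALIDATE` check (outside the hunk) and later reads them relies on both having been initialised before this point; their declarations are also outside the hunk, so please confirm they are set to ISC_FALSE and 0 near the top of cache_name rather than left indeterminate. The same applies to the ncache_message hunk below. That second hunk also tests `fctx->res->view->enablevalidation` while the rest of its block and the cache_name hunk use `res->view`, which is in scope there as `res->view->dlv` shows; `if (res->view->enablevalidation) {` keeps the two consistent. cache_name begins and ends outside the hunk.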
......@@ -3955,14 +3957,16 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
/*
* Is DNSSEC validation required for this name?
*/
result = dns_keytable_issecuredomain(res->view->secroots, name,
&secure_domain);
if (result != ISC_R_SUCCESS)
return (result);
if (fctx->res->view->enablevalidation) {
result = dns_keytable_issecuredomain(res->view->secroots, name,
&secure_domain);
if (result != ISC_R_SUCCESS)
return (result);
if (!secure_domain && res->view->dlv != NULL) {
valoptions = DNS_VALIDATOR_DLV;
secure_domain = ISC_TRUE;
if (!secure_domain && res->view->dlv != NULL) {
valoptions = DNS_VALIDATOR_DLV;
secure_domain = ISC_TRUE;
}
}
if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.c,v 1.136 2006/01/05 00:01:46 marka Exp $ */
/* $Id: view.c,v 1.137 2006/03/09 23:21:54 marka Exp $ */
/*! \file */
......@@ -160,6 +160,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->additionalfromcache = ISC_TRUE;
view->additionalfromauth = ISC_TRUE;
view->enablednssec = ISC_TRUE;
view->enablevalidation = ISC_TRUE;
view->acceptexpired = ISC_FALSE;
view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer;
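Review bot: `view->enablevalidation = ISC_TRUE;` gives libdns a default that disagrees with named's own: the built-in config in config.c says `dnssec-validation no;` and check_viewconf falls back to ISC_FALSE. In named the value is always overwritten by configure_view, so behaviour there is unaffected, but any other caller of dns_view_create gets validation switched on while the documented default is off. Either use ISC_FALSE to match, or add a comment stating that the library default is intentionally on and that named overrides it from configuration, so the 9.5 change does not have to guess which was meant. dns_view_create begins and ends outside the hunk.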
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.67 2006/03/06 01:27:52 marka Exp $ */
/* $Id: namedconf.c,v 1.68 2006/03/09 23:21:54 marka Exp $ */
/*! \file */
......@@ -768,6 +768,7 @@ view_clauses[] = {
{ "disable-algorithms", &cfg_type_disablealgorithm,
CFG_CLAUSEFLAG_MULTI },
{ "dnssec-enable", &cfg_type_boolean, 0 },
{ "dnssec-validation", &cfg_type_boolean, 0 },
{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },