Commit d2ef84e0 authored by Mark Andrews's avatar Mark Andrews

2008. [func] It is now possible to enable/disable DNSSEC

                        validation from rndc.  This is useful for the
                        mobile hosts where the current connection point
                        breaks DNSSEC (firewall/proxy).  [RT #15592]

                                rndc validation newstate [view]
parent 3a9a66b3
2008. [func] It is now posssible to enable/disable DNSSEC
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]
rndc validation newstate [view]
2007. [func] It is now possible to explicitly enable DNSSEC
validation. default dnssec-validation no; to
be changed to yes in 9.5.0. [RT #15674]
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.c,v 1.26 2005/04/29 00:36:15 marka Exp $ */
/* $Id: control.c,v 1.27 2006/03/09 23:39:00 marka Exp $ */
/*! \file */
......@@ -172,6 +172,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
result = ns_server_notifycommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
result = ns_server_validation(ns_g_server, command);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
......
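Review bot: The new dispatch passes only `command` to `ns_server_validation`, while the `NS_COMMAND_NOTIFY` branch directly above also hands its handler `text`, so a bad state word (DNS_R_SYNTAX) or a view name that matches nothing comes back to the operator as a bare result code with no explanation. Consider giving the handler the same `(server, command, text)` shape and writing a one-line reason into `text`, i.e. `result = ns_server_validation(ns_g_server, command, text);` with the prototype in server.h adjusted to match. ns_control_docommand begins and ends outside this hunk.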
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.h,v 1.21 2006/03/02 00:37:23 marka Exp $ */
/* $Id: control.h,v 1.22 2006/03/09 23:39:00 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
......@@ -54,6 +54,7 @@
#define NS_COMMAND_RECURSING "recursing"
#define NS_COMMAND_NULL "null"
#define NS_COMMAND_NOTIFY "notify"
#define NS_COMMAND_VALIDATION "validation"
isc_result_t
ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.82 2006/03/02 00:37:23 marka Exp $ */
/* $Id: server.h,v 1.83 2006/03/09 23:39:00 marka Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
......@@ -221,4 +221,10 @@ ns_server_dumprecursing(ns_server_t *server);
void
ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
/*%
* Enable or disable dnssec validation.
*/
isc_result_t
ns_server_validation(ns_server_t *server, char *args);
#endif /* NAMED_SERVER_H */
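Review bot: The doc comment on `ns_server_validation` says only that it enables or disables validation; it should also state the contract the server.c implementation imposes on `args` and the result codes callers get. A fuller comment would say that `args` is the raw control-channel text `validation <on|off|yes|no|enable|disable|true|false> [view]`, that the cache of every affected view is flushed before the flag is changed, and that the function returns ISC_R_UNEXPECTEDEND when a word is missing, DNS_R_SYNTAX for an unrecognized state, ISC_R_FAILURE when no view matched, and otherwise the flush result or ISC_R_SUCCESS. Mentioning that it runs with the server task in exclusive mode would also help callers.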
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.283 2006/03/09 23:21:53 marka Exp $ */
/* $Id: query.c,v 1.284 2006/03/09 23:39:00 marka Exp $ */
/*! \file */
......@@ -4424,6 +4424,8 @@ ns_query_start(ns_client_t *client) {
if (!client->view->enablednssec) {
message->flags &= ~DNS_MESSAGEFLAG_CD;
client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
if (client->opt != NULL)
client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
}
if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
......
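Review bot: The two added lines mask the DO bit out of `client->opt->ttl` without a comment, and a reader who does not know EDNS will wonder why a flag is being cleared from a TTL. A one-line comment above the `if (client->opt != NULL)`, such as `/* EDNS extended flags, DO included, travel in the OPT RR's TTL field. */`, would make the intent plain and ties the line to the `client->extflags` update just above it. ns_query_start starts and ends outside this hunk.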
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.461 2006/03/09 23:21:53 marka Exp $ */
/* $Id: server.c,v 1.462 2006/03/09 23:39:00 marka Exp $ */
/*! \file */
......@@ -1552,6 +1552,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
if (result == ISC_R_SUCCESS)
CHECK(mustbesecure(obj, view->resolver));
} else {
if (view->secroots != NULL)
dns_keytable_detach(&view->secroots);
dns_resolver_resetmustbesecure(view->resolver);
}
obj = NULL;
......@@ -4503,6 +4507,59 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
return (ISC_R_SUCCESS);
}
isc_result_t
ns_server_validation(ns_server_t *server, char *args) {
char *ptr, *viewname;
dns_view_t *view;
isc_boolean_t changed = ISC_FALSE;
isc_result_t result;
isc_boolean_t enable;
/* Skip the command name. */
ptr = next_token(&args, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
/* Find out what we are to do. */
ptr = next_token(&args, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
!strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
enable = ISC_TRUE;
else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
!strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
enable = ISC_FALSE;
else
return (DNS_R_SYNTAX);
/* Look for the view name. */
viewname = next_token(&args, " \t");
result = isc_task_beginexclusive(server->task);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
continue;
result = dns_view_flushcache(view);
if (result != ISC_R_SUCCESS)
goto out;
view->enablevalidation = enable;
changed = ISC_TRUE;
}
if (changed)
result = ISC_R_SUCCESS;
else
result = ISC_R_FAILURE;
out:
isc_task_endexclusive(server->task);
return (result);
}
isc_result_t
ns_server_flushcache(ns_server_t *server, char *args) {
char *ptr, *viewname;
......
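Review bot: `ns_server_validation` changes a security-relevant setting — switching DNSSEC validation off for one or every view — without writing anything to the log, so an operator investigating why unvalidated answers were served has no record of when it happened or for which views. Inside the loop, after `view->enablevalidation = enable;`, a line such as `isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "dnssec validation %s for view '%s'", enable ? "enabled" : "disabled", view->name);` would give that trail. Two smaller points: a failed `dns_view_flushcache` leaves views earlier in the list already flipped while later ones are untouched, and a supplied view name that matches nothing is folded into the same ISC_R_FAILURE as any other failure, where ISC_R_NOTFOUND would be more informative. The first hunk (`configure_view`) starts outside this section, so the condition the new `else` branch belongs to cannot be checked here.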
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc.c,v 1.110 2006/03/02 00:37:23 marka Exp $ */
/* $Id: rndc.c,v 1.111 2006/03/09 23:39:00 marka Exp $ */
/*! \file */
......@@ -132,6 +132,8 @@ command is one of the following:\n\
Flush the given name from the server's cache(s)\n\
status Display status of the server.\n\
recursing Dump the queries that are currently recursing (named.recursing)\n\
validation newstate [view]\n\
Enable / disable DNSSEC validation.\n\
*restart Restart the server.\n\
\n\
* == not yet implemented\n\
......
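Review bot: The new usage line advertises `validation newstate [view]` but never says what `newstate` may be, while the server side accepts on/off, yes/no, enable/disable and true/false. Spelling out at least the canonical pair, `validation ( on | off ) [view]\n\`, keeps the help text self-explanatory and matches how the state words are parsed. The usage string starts outside this hunk.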
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.143 2006/02/26 22:54:47 marka Exp $ */
/* $Id: validator.c,v 1.144 2006/03/09 23:39:00 marka Exp $ */
/*! \file */
......@@ -71,9 +71,9 @@
* validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
* dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
*
* \li When called without a rdataset and with DNS_VALIDATOR_DLV:
* validator_start -> startfinddlvsep -> dlv_validator_start ->
* validator_start -> nsecvalidate -> proveunsecure
* Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
* to always validate the authority section even when it does not contain
* signatures.
*
* validator_start: determines what type of validation to do.
* validate: attempts to perform a positive validation.
......@@ -92,7 +92,6 @@
* have attempted a verify. */
#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
#define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
#define VALATTR_AUTHNONPENDING 0x0040 /*%< Tidy up pending auth. */
/*!
* NSEC proofs to be looked for.
......@@ -157,18 +156,11 @@ dlv_validator_start(dns_validator_t *val);
static isc_result_t
finddlvsep(dns_validator_t *val, isc_boolean_t resume);
static void
auth_nonpending(dns_message_t *message);
static isc_result_t
startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
/*%
* Mark the RRsets as a answer.
*
* If VALATTR_AUTHNONPENDING is set then this is a negative answer
* in a insecure zone. We need to mark any pending RRsets as
* dns_trust_authauthority answers (this is deferred from resolver.c).
*/
static inline void
markanswer(dns_validator_t *val) {
......@@ -177,9 +169,6 @@ markanswer(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer;
if (val->event->sigrdataset != NULL)
val->event->sigrdataset->trust = dns_trust_answer;
if (val->event->message != NULL &&
(val->attributes & VALATTR_AUTHNONPENDING) != 0)
auth_nonpending(val->event->message);
}
static void
......@@ -218,31 +207,6 @@ exit_check(dns_validator_t *val) {
return (ISC_TRUE);
}
/*%
* Mark pending answers in the authority section as dns_trust_authauthority.
*/
static void
auth_nonpending(dns_message_t *message) {
isc_result_t result;
dns_name_t *name;
dns_rdataset_t *rdataset;
for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
result == ISC_R_SUCCESS;
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
{
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
if (rdataset->trust == dns_trust_pending)
rdataset->trust = dns_trust_authauthority;
}
}
}
/*%
* Look in the NSEC record returned from a DS query to see if there is
* a NS RRset at this name. If it is found we are at a delegation point.
......@@ -2136,8 +2100,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
sigrdataset->covers == rdataset->type)
break;
}
if (sigrdataset == NULL)
continue;
/*
* If a signed zone is missing the zone key, bad
* things could happen. A query for data in the zone
......@@ -2226,7 +2188,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
validator_log(val, ISC_LOG_DEBUG(3),
"nonexistence proof(s) not found");
val->attributes |= VALATTR_AUTHNONPENDING;
val->attributes |= VALATTR_INSECURITY;
return (proveunsecure(val, ISC_FALSE));
}
......@@ -2753,7 +2714,8 @@ validator_start(isc_task_t *task, isc_event_t *event) {
LOCK(&val->lock);
if ((val->options & DNS_VALIDATOR_DLV) != 0) {
if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
val->event->rdataset != NULL) {
validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
result = startfinddlvsep(val, dns_rootname);
} else if (val->event->rdataset != NULL &&
......
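Review bot: In the `nsecvalidate` hunk the `if (sigrdataset == NULL) continue;` guard is dropped, so authority-section RRsets with no matching RRSIG now fall through to the code that follows, and the hunk ends before showing that this path copes with a NULL `sigrdataset`; the new file comment (`nsecvalidate() ... always validate the authority section even when it does not contain signatures`) suggests this is intentional, but the safety of whatever comes after cannot be confirmed from here. A comment at that spot, e.g. `/* Unsigned RRsets are passed on deliberately: the authority section is validated even when it carries no RRSIGs (see file header). */`, would stop the next reader from re-adding the guard. The `validator_start` hunk's new `val->event->rdataset != NULL` condition is consistent with that comment, and `nsecvalidate` itself begins and ends outside this section.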