auto-dnssec documented under options, only accepted under zone
Summary
auto-dnssec is documented under the grammar for the options statement, but can only be specified inside a zone statement.
BIND version used
BIND 9.16.22 (Extended Support Version) <id:59bfaba>
running on FreeBSD amd64 12.2-RELEASE-p7 FreeBSD 12.2-RELEASE-p7 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--with-gssapi=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib:/usr/local/lib -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5 -L/usr/local/lib' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libxml2 version: 2.9.12
linked to libxml2 version: 20912
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.0
linked to protobuf-c version: 1.4.0
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
Steps to reproduce
Set auto-dnssec under options and start or reload named.
What is the current bug behavior?
The configuration is rejected as invalid.
What is the expected correct behavior?
If the documentation is correct, this option should define the default setting for all subsequent zone definitions, just like allow-transfer and friends.
If the documentation is incorrect, specification of auto-dnssec should appear under "zone Statement Definition and Usage".
Relevant configuration files
named.conf:
options {
auto-dnssec maintain; # or "allow"
};
Relevant logs and/or screenshots
% sudo service named start
/usr/local/etc/namedb/named.conf:2: auto-dnssec may only be activated at the zone level
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
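
For comparison, the placement that the error message above points to, as an added example that is not part of the original report. The zone name, zone file path, key-directory and the use of inline-signing are assumptions chosen for illustration.

```conf
options {
    # auto-dnssec maintain;   # rejected here by named-checkconf:
                              # "auto-dnssec may only be activated at the zone level"
};

# Hypothetical zone: name, file and key-directory are assumptions.
zone "example.com" {
    type master;
    file "master/example.com.db";
    key-directory "keys/example.com";   # where named looks for this zone's DNSSEC keys
    inline-signing yes;                 # auto-dnssec needs a dynamic zone or inline-signing
    auto-dnssec maintain;               # or "allow"; accepted at zone level
};
```

Because the setting is not inherited from options in this version, each zone that should be signed automatically has to carry its own auto-dnssec line.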