add named.conf option root-key-sentinel
authorMark Andrews <marka@isc.org>
Tue, 13 Mar 2018 04:17:22 +0000 (15:17 +1100)
committerEvan Hunt <each@isc.org>
Tue, 5 Jun 2018 04:30:33 +0000 (21:30 -0700)
(cherry picked from commit 68e9315c7d3e3800527385be67d6a2e8c8fc6ba0)
(cherry picked from commit ee763ef281e99da4208bb4ee67540c18426585fc)
(cherry picked from commit 9a5f3082879e1d0505d78dbdeaa658e24d1901aa)
(cherry picked from commit 468a3bcdac22c1089727e2701906829139250eb7)

bin/named/config.c
bin/named/query.c
bin/named/server.c
doc/arm/Bv9ARM-book.xml
doc/misc/options
lib/dns/include/dns/view.h
lib/dns/view.c
lib/isccfg/namedconf.c

index f74dd486d959ae1e41a8076ef2cb9dcf2c951164..2532d0d879260468456ed238a8de1f6c47233013 100644 (file)
@@ -164,6 +164,7 @@ options {\n\
        recursion true;\n\
        request-ixfr true;\n\
        rfc2308-type1 no;\n\
+       root-key-sentinel yes;\n\
 #      sortlist <none>\n\
 #      topology <none>\n\
        transfer-format many-answers;\n\
index 364b5a50a052b99b513f8ff91e0a9d2bcb390c3c..a2f248ad6d30aa1308f27e76bcea92fed25afddd 100644 (file)
@@ -6105,7 +6105,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
        /*
         * Setup for root key sentinel processing.
         */
-       if (client->query.restarts == 0 &&
+       if (client->view->root_key_sentinel &&
+           client->query.restarts == 0 &&
            (qtype == dns_rdatatype_a ||
             qtype == dns_rdatatype_aaaa) &&
            (client->message->flags & DNS_MESSAGEFLAG_CD) == 0)
index 108d126b620e2410da771ef22cf1efc069dc171d..5f5c39c3080cf23392f92dfe0a6e18d9e9b77f51 100644 (file)
@@ -3115,6 +3115,15 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
        else
                INSIST(0);
 
+       obj = NULL;
+       result = ns_config_get(maps, "root-key-sentinel", &obj);
+       INSIST(result == ISC_R_SUCCESS);
+       view->root_key_sentinel = cfg_obj_asboolean(obj);
+
+       CHECK(configure_view_acl(vconfig, config, ns_g_config,
+                                "allow-query-cache-on", NULL, actx,
+                                ns_g_mctx, &view->cacheonacl));
+
        /*
         * Set sources where additional data and CNAME/DNAME
         * targets for authoritative answers may be found.
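Review bot: The added `CHECK(configure_view_acl(..., "allow-query-cache-on", ..., &view->cacheonacl))` call is not part of the root-key-sentinel option this commit describes, yet it changes how the view's cache-access ACL is set up. It looks like residue from the cherry-pick chain. configure_view continues outside this hunk, so confirm that `allow-query-cache-on` is not already configured elsewhere in the function and that the argument list matches configure_view_acl's signature on this branch. If the call is intended, it should be named in the commit message or split out, because an ACL change carried inside a feature backport is easy to miss in review. Separately, `INSIST(result == ISC_R_SUCCESS)` on the option lookup is safe only because the built-in defaults in bin/named/config.c now carry `root-key-sentinel yes;`.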
index 795eed674069543925fdb9dd0d4580e66d90528a..e3335d9f73646ad7d5b3c6101a9552b3ff12a895 100644 (file)
@@ -5659,6 +5659,17 @@ options {
              </listitem>
            </varlistentry>
 
+           <varlistentry>
+             <term><command>root-key-sentinel</command></term>
+             <listitem>
+               <para>
+                 Respond to root key sentinel probes as described in
+                 draft-ietf-dnsop-kskroll-sentinel-08. The default is
+                 <userinput>yes</userinput>.
+               </para>
+             </listitem>
+           </varlistentry>
+
            <varlistentry>
              <term><command>maintain-ixfr-base</command></term>
              <listitem>
index 09cd32c287343774ff19ece4bd5efc8e43238bbe..b9b8b87e75900d9206935d65aa9d864bd9358216 100644 (file)
@@ -230,6 +230,7 @@ options {
             max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
         secroots-file <quoted_string>;
@@ -462,6 +463,7 @@ view <string> [ <class> ] {
             ... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
             max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
         rfc2308-type1 <boolean>; // not yet implemented
+        root-key-sentinel <boolean>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
index d4de397fc2888232d1df005fd093253bc4229790..9c5e795d652f8a767fb6c8d893ed0adbe9659b93 100644 (file)
@@ -14,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id$ */
-
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
 
@@ -126,6 +124,7 @@ struct dns_view {
        isc_boolean_t                   enablednssec;
        isc_boolean_t                   enablevalidation;
        isc_boolean_t                   acceptexpired;
+       isc_boolean_t                   root_key_sentinel;
        dns_transfer_format_t           transfer_format;
        dns_acl_t *                     cacheacl;
        dns_acl_t *                     cacheonacl;
index 762c968e51f25ce0f8be66eeb051ab9d1b3fce6d..d2c55281242a163be67ba6b022e7b224301c3461 100644 (file)
@@ -202,6 +202,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        view->managed_keys = NULL;
        view->redirect = NULL;
 #ifdef BIND9
+       view->root_key_sentinel = ISC_TRUE;
        view->new_zone_file = NULL;
        view->new_zone_config = NULL;
        view->cfg_destroy = NULL;
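Review bot: `view->root_key_sentinel = ISC_TRUE;` is assigned inside `#ifdef BIND9`, while the field added to struct dns_view in lib/dns/include/dns/view.h sits among members that appear to be declared unconditionally. A build without BIND9 defined would therefore leave the flag unset unless the structure is zeroed elsewhere. Most of dns_view_create lies outside this hunk, so this is inferred from the visible lines only. Moving the assignment above the `#ifdef BIND9` line, next to `view->redirect = NULL;`, would make the default independent of the build flavour.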
index dc5ede9a3bbf6d9ad03de6671250450d75153ebc..7af5c09065394a5064c87b4013c11d68aef47106 100644 (file)
@@ -1515,6 +1515,7 @@ view_clauses[] = {
        { "response-policy", &cfg_type_rpz, 0 },
        { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
        { "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+       { "root-key-sentinel", &cfg_type_boolean, 0 },
        { "rrset-order", &cfg_type_rrsetorder, 0 },
        { "sortlist", &cfg_type_bracketed_aml, 0 },
        { "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },