add named.conf option root-key-sentinel
authorMark Andrews <marka@isc.org>
Tue, 13 Mar 2018 04:17:22 +0000 (15:17 +1100)
committerEvan Hunt <each@isc.org>
Tue, 5 Jun 2018 03:05:09 +0000 (20:05 -0700)
(cherry picked from commit 68e9315c7d3e3800527385be67d6a2e8c8fc6ba0)
(cherry picked from commit ee763ef281e99da4208bb4ee67540c18426585fc)
(cherry picked from commit 9a5f3082879e1d0505d78dbdeaa658e24d1901aa)

bin/named/config.c
bin/named/query.c
bin/named/server.c
doc/arm/Bv9ARM-book.xml
doc/misc/options
lib/dns/include/dns/view.h
lib/dns/view.c
lib/isccfg/namedconf.c

index 06ad653e520337a826e7c46ff46354026598647e..22fc82cc3a93bc58d8bc5559352f0707a018c624 100644 (file)
@@ -177,6 +177,7 @@ options {\n\
        recursion true;\n\
        request-ixfr true;\n\
        rfc2308-type1 no;\n\
+       root-key-sentinel yes;\n\
 #      sortlist <none>\n\
 #      topology <none>\n\
        transfer-format many-answers;\n\
index db70c3996b8508bacbcb85a8ba020fc8c2450406..cf482c2e77f0bccfa67fffae5fd2e06fb41fe838 100644 (file)
@@ -6722,7 +6722,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
        /*
         * Setup for root key sentinel processing.
         */
-       if (client->query.restarts == 0 &&
+       if (client->view->root_key_sentinel &&
+           client->query.restarts == 0 &&
            (qtype == dns_rdatatype_a ||
             qtype == dns_rdatatype_aaaa) &&
            (client->message->flags & DNS_MESSAGEFLAG_CD) == 0)
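Review bot: The new `client->view->root_key_sentinel` term in the `query_find` condition has no test in this commit as far as the file list shows: no system-test file is touched, so nothing checks that a view with `root-key-sentinel no;` treats sentinel probes like any other A/AAAA query. This option is the operator's only switch for keeping the resolver from answering probes about its root trust-anchor state, so the disabled path deserves a regression test next to the enabled one (it may exist in a commit not shown here). The block comment above the condition could also record that the setup is conditional, e.g. `* Setup for root key sentinel processing, if enabled for this view.` The `if` body continues outside the hunk.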
index a2e14a73d197e8b260b42dd3879d98bec9807b3a..f69cba98dc223d32e607fd188fcd973f251da593 100644 (file)
@@ -3401,6 +3401,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
        INSIST(result == ISC_R_SUCCESS);
        view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
 
+       obj = NULL;
+       result = ns_config_get(maps, "root-key-sentinel", &obj);
+       INSIST(result == ISC_R_SUCCESS);
+       view->root_key_sentinel = cfg_obj_asboolean(obj);
+
        CHECK(configure_view_acl(vconfig, config, ns_g_config,
                                 "allow-query-cache-on", NULL, actx,
                                 ns_g_mctx, &view->cacheonacl));
index 2eb1a132a57f4ee9def91d6242b6a06e4ba6b2dc..c001d4926459a83f1346f724fb85b860011d2aac 100644 (file)
@@ -5855,6 +5855,17 @@ options {
              </listitem>
            </varlistentry>
 
+           <varlistentry>
+             <term><command>root-key-sentinel</command></term>
+             <listitem>
+               <para>
+                 Respond to root key sentinel probes as described in
+                 draft-ietf-dnsop-kskroll-sentinel-08. The default is
+                 <userinput>yes</userinput>.
+               </para>
+             </listitem>
+           </varlistentry>
+
            <varlistentry>
              <term><command>maintain-ixfr-base</command></term>
              <listitem>
index 04d0b0dd55deae2accf6fffd2f62f70ca4be5555..1830b9180a8742ec19b3f801f6fd0a178146122a 100644 (file)
@@ -265,6 +265,7 @@ options {
             min-ns-dots <integer> ] [ qname-wait-recurse <boolean> ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
         secroots-file <quoted_string>;
@@ -538,6 +539,7 @@ view <string> [ <class> ] {
             [ break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
             min-ns-dots <integer> ] [ qname-wait-recurse <boolean> ];
         rfc2308-type1 <boolean>; // not yet implemented
+        root-key-sentinel <boolean>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
index f4cbd26cf97809e4cf4c508b448cdff2bfef382e..e6b73e35b6f9fb9fe6fbfa720dd7167befe0903d 100644 (file)
@@ -14,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id$ */
-
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
 
@@ -128,6 +126,7 @@ struct dns_view {
        isc_boolean_t                   enablevalidation;
        isc_boolean_t                   acceptexpired;
        isc_boolean_t                   trust_anchor_telemetry;
+       isc_boolean_t                   root_key_sentinel;
        dns_transfer_format_t           transfer_format;
        dns_acl_t *                     cacheacl;
        dns_acl_t *                     cacheonacl;
index 8003b34c4823e28dc471c1de332807083693f1c9..184b0d02a0968896a62c8dff89f5cc3920bd4225 100644 (file)
@@ -206,6 +206,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        view->requestnsid = ISC_FALSE;
        view->requestsit = ISC_TRUE;
        view->trust_anchor_telemetry = ISC_TRUE;
+       view->root_key_sentinel = ISC_TRUE;
        view->new_zone_file = NULL;
        view->new_zone_config = NULL;
        view->cfg_destroy = NULL;
index 082d865e577a58aca8e59511702fb4452194632a..ece40659cb79caf000ada8293757ff72b5f41fe5 100644 (file)
@@ -1639,6 +1639,7 @@ view_clauses[] = {
        { "response-policy", &cfg_type_rpz, 0 },
        { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
        { "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+       { "root-key-sentinel", &cfg_type_boolean, 0 },
        { "rrset-order", &cfg_type_rrsetorder, 0 },
        { "sortlist", &cfg_type_bracketed_aml, 0 },
        { "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },