add named.conf option root-key-sentinel
authorMark Andrews <marka@isc.org>
Tue, 13 Mar 2018 04:17:22 +0000 (15:17 +1100)
committerOndřej Surý <ondrej@sury.org>
Wed, 18 Apr 2018 15:49:55 +0000 (08:49 -0700)
bin/named/config.c
bin/named/server.c
doc/arm/Bv9ARM-book.xml
doc/misc/options
lib/dns/include/dns/view.h
lib/dns/view.c
lib/isccfg/namedconf.c
lib/ns/query.c

index 43269b4a3a79ad53471949399e5c0617b8cc4052..a2d2eb7ea75c74f6ecdbfeb3db175457ea743d3a 100644 (file)
@@ -195,6 +195,7 @@ options {\n\
        resolver-nonbackoff-tries 3;\n\
        resolver-retry-interval 800; /* in milliseconds */\n\
 #      rfc2308-type1 <obsolete>;\n\
+       root-key-sentinel yes;\n\
        servfail-ttl 1;\n\
 #      sortlist <none>\n\
        stale-answer-enable false;\n\
index faf6481778f2730d0d665b8eef14f4e0309bec59..e037557f6c45c5a37c42fca020ab2f92f4c88b52 100644 (file)
@@ -4682,6 +4682,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
        INSIST(result == ISC_R_SUCCESS);
        view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
 
+       obj = NULL;
+       result = named_config_get(maps, "root-key-sentinel", &obj);
+       INSIST(result == ISC_R_SUCCESS);
+       view->root_key_sentinel = cfg_obj_asboolean(obj);
+
        CHECK(configure_view_acl(vconfig, config, named_g_config,
                                 "allow-query-cache-on", NULL, actx,
                                 named_g_mctx, &view->cacheonacl));
index d57aa019bc557486e38b4a8aba7da8fd6b48e8e1..d1e8a8d62171e95f8b86eaf293d6a7dc7dc33698 100644 (file)
@@ -5845,6 +5845,17 @@ options {
              </listitem>
            </varlistentry>
 
+           <varlistentry>
+             <term><command>root-key-sentinel</command></term>
+             <listitem>
+               <para>
+                 Respond to root key sentinel probes as described in
+                 draft-ietf-dnsop-kskroll-sentinel-08. The default is
+                 <userinput>yes</userinput>.
+               </para>
+             </listitem>
+           </varlistentry>
+
            <varlistentry>
              <term><command>maintain-ixfr-base</command></term>
              <listitem>
index 2604c6c9511685a9134b932f85c60f17b22d62d3..6606dc93e149795a7273d447476aa1dc28a89b46 100644 (file)
@@ -318,6 +318,7 @@ options {
             } ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
         secroots-file <quoted_string>;
@@ -643,6 +644,7 @@ view <string> [ <class> ] {
             dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
             } ];
         rfc2308-type1 <boolean>; // not yet implemented
+        root-key-sentinel <boolean>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
index df49832e5d6efb1b0b8d8b5b4ff660d723be5df1..3fd4959506f1aaf4af12c88eeb3d7e72fcb66214 100644 (file)
@@ -125,6 +125,7 @@ struct dns_view {
        isc_boolean_t                   requireservercookie;
        isc_boolean_t                   synthfromdnssec;
        isc_boolean_t                   trust_anchor_telemetry;
+       isc_boolean_t                   root_key_sentinel;
        dns_transfer_format_t           transfer_format;
        dns_acl_t *                     cacheacl;
        dns_acl_t *                     cacheonacl;
index 049d0fd59f28b36e85e60a3360864a2f79204292..8fbdd7bf85a41d6aab71aa56732aba34be86d593 100644 (file)
@@ -242,6 +242,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        view->requireservercookie = ISC_FALSE;
        view->synthfromdnssec = ISC_TRUE;
        view->trust_anchor_telemetry = ISC_TRUE;
+       view->root_key_sentinel = ISC_TRUE;
        view->new_zone_dir = NULL;
        view->new_zone_file = NULL;
        view->new_zone_db = NULL;
index 710dd12a05cb6a3a0e8239641bedceb932abd44b..07feeb3713f966210509ddf6e57d3725e254f59d 100644 (file)
@@ -1958,6 +1958,7 @@ view_clauses[] = {
        { "response-policy", &cfg_type_rpz, 0 },
        { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
        { "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+       { "root-key-sentinel", &cfg_type_boolean, 0 },
        { "rrset-order", &cfg_type_rrsetorder, 0 },
        { "send-cookie", &cfg_type_boolean, 0 },
        { "servfail-ttl", &cfg_type_ttlval, 0 },
index 275b2304321a12817e17042c27e047450a62f5a1..790840f6d1828fe9d7617a7fde07368fa17f2be1 100644 (file)
@@ -5227,7 +5227,8 @@ ns__query_start(query_ctx_t *qctx) {
        /*
         * Setup for root key sentinel processing.
         */
-       if (qctx->client->query.restarts == 0 &&
+       if (qctx->client->view->root_key_sentinel &&
+           qctx->client->query.restarts == 0 &&
            (qctx->qtype == dns_rdatatype_a ||
             qctx->qtype == dns_rdatatype_aaaa) &&
            (qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0)
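Review bot: The comment above this condition still reads `Setup for root key sentinel processing.` and does not mention that the block is now skipped when the view sets `root-key-sentinel no;`. I would extend it to `Setup for root key sentinel processing, unless the view disables it with root-key-sentinel no.` As the draft cited in the ARM text describes it, answers to sentinel-labelled names let a querying client learn whether a given root key is configured as a trust anchor, so the disabled path is the one operators will depend on. The commit's file list shows no test change, so a system test that sets the option to `no` and checks that a sentinel-labelled A/AAAA query is answered like any other name would pin that behaviour. The body of the if statement and the rest of ns__query_start lie outside the hunk.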