add named.conf option root-key-sentinel
authorMark Andrews <marka@isc.org>
Tue, 13 Mar 2018 04:17:22 +0000 (15:17 +1100)
committerEvan Hunt <each@isc.org>
Mon, 4 Jun 2018 21:41:22 +0000 (17:41 -0400)
(cherry picked from commit 68e9315c7d3e3800527385be67d6a2e8c8fc6ba0)
(cherry picked from commit ee763ef281e99da4208bb4ee67540c18426585fc)

bin/named/config.c
bin/named/query.c
bin/named/server.c
doc/arm/Bv9ARM-book.xml
doc/misc/options
lib/dns/include/dns/view.h
lib/dns/view.c
lib/isccfg/namedconf.c

index 24af8e8dfc6683644469c4c2978f36f9ccd545c8..91badc7f85b338fb4f4f97da38ac6be994eb6d1b 100644 (file)
@@ -193,6 +193,7 @@ options {\n\
        request-ixfr true;\n\
        require-server-cookie no;\n\
 #      rfc2308-type1 <obsolete>;\n\
+       root-key-sentinel yes;\n\
        servfail-ttl 1;\n\
 #      sortlist <none>\n\
 #      topology <none>\n\
index f5b4889fe2f2a54e57e97654a56149971b978e83..38de6ddbeafac5ba90e242e32a065ed5a3e40334 100644 (file)
@@ -7080,7 +7080,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
        /*
         * Setup for root key sentinel processing.
         */
-       if (client->query.restarts == 0 &&
+       if (client->view->root_key_sentinel &&
+           client->query.restarts == 0 &&
            (qtype == dns_rdatatype_a ||
             qtype == dns_rdatatype_aaaa) &&
            (client->message->flags & DNS_MESSAGEFLAG_CD) == 0)
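Review bot: The comment above the condition still describes only "setup for root key sentinel processing" and does not say that the view option now gates it, so a reader skimming query_find will not see where root-key-sentinel takes effect; extend it to `* Setup for root key sentinel processing. Skipped entirely when the view's root-key-sentinel option is off, in which case the resolver answers such probes like any other name.` Putting the option test first is the right shape since it is the cheapest and most decisive term. The body of the if and the rest of query_find lie outside the hunk, so it cannot be confirmed from here that all later sentinel handling is keyed only off state set inside this block; that is worth checking, since the option is meant to fully disable the behaviour.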
index 03566eb16f4c51c03b7fcfd17310e22ae7c21152..038e610e6b5ffbee11b82b30ff7c003ea5d3957c 100644 (file)
@@ -4255,6 +4255,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
        INSIST(result == ISC_R_SUCCESS);
        view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
 
+       obj = NULL;
+       result = ns_config_get(maps, "root-key-sentinel", &obj);
+       INSIST(result == ISC_R_SUCCESS);
+       view->root_key_sentinel = cfg_obj_asboolean(obj);
+
        CHECK(configure_view_acl(vconfig, config, ns_g_config,
                                 "allow-query-cache-on", NULL, actx,
                                 ns_g_mctx, &view->cacheonacl));
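Review bot: The INSIST on ns_config_get turns a missing "root-key-sentinel" value into an assertion failure rather than a configuration error, so it relies on the default options string in bin/named/config.c (first hunk of this commit) always supplying one. That matches the trust-anchor-telemetry lookup just above, but the coupling is invisible at this site; a one-line comment would make it explicit: `/* Always present: defaulted in the built-in options in config.c. */`. configure_view starts and ends outside the hunk.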
index 98024a07cbedfae8c1a6df266ac5cd8edb4d675c..f1a3d65e43e6456acc3755852051e7db32b7b481 100644 (file)
@@ -5952,6 +5952,17 @@ options {
              </listitem>
            </varlistentry>
 
+           <varlistentry>
+             <term><command>root-key-sentinel</command></term>
+             <listitem>
+               <para>
+                 Respond to root key sentinel probes as described in
+                 draft-ietf-dnsop-kskroll-sentinel-08. The default is
+                 <userinput>yes</userinput>.
+               </para>
+             </listitem>
+           </varlistentry>
+
            <varlistentry>
              <term><command>maintain-ixfr-base</command></term>
              <listitem>
index a8462a7781c9cce1de0dd69d9a416c704ccfb4f4..3b251521d72a8969b03770a0583fa481c4d3e5a4 100644 (file)
@@ -307,6 +307,7 @@ options {
             qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
         secroots-file <quoted_string>;
@@ -607,6 +608,7 @@ view <string> [ <class> ] {
             min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
             qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
         rfc2308-type1 <boolean>; // not yet implemented
+        root-key-sentinel <boolean>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
index bac6a81f6f264bcf1b693405ad2a382a6ad07da6..7cd88f8377ad54959e91e90cf0edb55aa54ea2d6 100644 (file)
@@ -126,6 +126,7 @@ struct dns_view {
        isc_boolean_t                   acceptexpired;
        isc_boolean_t                   requireservercookie;
        isc_boolean_t                   trust_anchor_telemetry;
+       isc_boolean_t                   root_key_sentinel;
        dns_transfer_format_t           transfer_format;
        dns_acl_t *                     cacheacl;
        dns_acl_t *                     cacheonacl;
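Review bot: The new struct member carries no comment, so nothing in the header ties it to the named.conf option or to the default set in dns_view_create (ISC_TRUE in the lib/dns/view.c hunk); neighbouring fields are bare too, but this one is a behavioural switch worth labelling: `isc_boolean_t root_key_sentinel; /* answer root key sentinel probes; named.conf root-key-sentinel, default yes */`. struct dns_view starts and ends outside the hunk.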
index feeb7d9b7b73ad6891be2cece733a3e400a4e554..f53193c3ec05c075985f7fabc536da134b7b3454 100644 (file)
@@ -239,6 +239,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        view->sendcookie = ISC_TRUE;
        view->requireservercookie = ISC_FALSE;
        view->trust_anchor_telemetry = ISC_TRUE;
+       view->root_key_sentinel = ISC_TRUE;
        view->new_zone_file = NULL;
        view->new_zone_db = NULL;
        view->new_zone_dbenv = NULL;
index 9a2dbd3be044daf8d3a488ff636b08deb4b330e8..cabbba9d7dba2e43b65852876e3e436b6658b01b 100644 (file)
@@ -1806,6 +1806,7 @@ view_clauses[] = {
        { "response-policy", &cfg_type_rpz, 0 },
        { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
        { "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+       { "root-key-sentinel", &cfg_type_boolean, 0 },
        { "rrset-order", &cfg_type_rrsetorder, 0 },
        { "send-cookie", &cfg_type_boolean, 0 },
        { "servfail-ttl", &cfg_type_ttlval, 0 },
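Review bot: This table lists root-key-sentinel after root-delegation-only, and the options-block hunk of doc/misc/options does the same, but the view-block hunk of doc/misc/options inserts it before root-delegation-only; the three should agree. If doc/misc/options is generated from this clause table (it looks that way, but that cannot be confirmed from the page), the hand-placed view entry will simply move on the next regeneration; otherwise the view-block line should be moved to match this ordering. The entry itself is consistent with the others, using cfg_type_boolean and no clause flags.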