static bool
cdflag = false,
no_sigs = false,
- root_validation = true,
- dlv_validation = true;
+ root_validation = true;
static bool use_tcp = false;
static char *anchorfile = NULL;
static char *trust_anchor = NULL;
-static char *dlv_anchor = NULL;
static int num_keys = 0;
-static dns_fixedname_t afn, dfn;
-static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
+static dns_fixedname_t afn;
+static dns_name_t *anchor_name = NULL;
/* Default bind.keys contents */
static char anchortext[] = DNSSEC_KEYS;
" q-opt is one of:\n"
" -x dot-notation (shortcut for reverse lookups)\n"
" -d level (set debugging level)\n"
-" -a anchor-file (specify root and dlv trust anchors)\n"
+" -a anchor-file (specify root trust anchor)\n"
" -b address[#port] (bind to source address/port)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
" +[no]comments (Control display of comment lines)\n"
" +[no]rrcomments (Control display of per-record "
"comments)\n"
-" +[no]unknownformat (Print RDATA in RFC 3597 \"unknown\" format)\n"
+" +[no]unknownformat (Print RDATA in RFC 3597 "
+ "\"unknown\" format)\n"
" +[no]short (Short form answer)\n"
" +[no]split=## (Split hex/base64 fields into chunks)\n"
" +[no]tcp (TCP mode)\n"
" +[no]rtrace (Trace resolver fetches)\n"
" +[no]mtrace (Trace messages received)\n"
" +[no]vtrace (Trace validation process)\n"
-" +[no]dlv (DNSSEC lookaside validation anchor)\n"
+" +[no]dlv (Obsolete)\n"
" +[no]root (DNSSEC validation trust anchor)\n"
" +[no]dnssec (Display DNSSEC records)\n"
" -h (print help and exit)\n"
tstr = "glue data";
break;
case dns_trust_answer:
- if (root_validation || dlv_validation)
+ if (root_validation) {
tstr = "unsigned answer";
- else
- tstr = "answer not validated";
+ }
break;
case dns_trust_authauthority:
tstr = "authority data";
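Review bot: The `else` branch that set `tstr = "answer not validated"` was removed together with the DLV condition, so in the `dns_trust_answer` case with `+noroot` in effect `tstr` is now left at whatever value it held before the `switch`. The enclosing function starts and ends outside this hunk, so it is not visible whether `tstr` is initialised there; if it is initialised to NULL, the later use of the trust string would receive a null pointer, and if it is not initialised at all it is read uninitialised. Only the DLV half of the condition was meant to go away, so the branch should be restored: `} else {` / `tstr = "answer not validated";` / `}`.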
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
- bool match_root = false, match_dlv = false;
+ bool match_root = false;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
- if (!root_validation && !dlv_validation)
+ if (!root_validation) {
return (ISC_R_SUCCESS);
+ }
- if (anchor_name)
+ if (anchor_name) {
match_root = dns_name_equal(keyname, anchor_name);
- if (dlv_name)
- match_dlv = dns_name_equal(keyname, dlv_name);
+ }
- if (!match_root && !match_dlv)
+ if (!match_root) {
return (ISC_R_SUCCESS);
- if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
+ }
+ if (!root_validation && match_root) {
return (ISC_R_SUCCESS);
+ }
- if (match_root)
+ if (match_root) {
delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
trust_anchor);
- if (match_dlv)
- delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
- dlv_anchor);
+ }
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
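Review bot: The guard `if (!root_validation && match_root) { return (ISC_R_SUCCESS); }` is now unreachable, because `!root_validation` already returns `ISC_R_SUCCESS` at the top of this hunk and `!match_root` returns on the lines just above it; it is a leftover of the old combined root/DLV condition and should be deleted rather than rewritten with braces. The enclosing function starts and ends outside this hunk. With that block gone, `match_root` is always true at the `delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", ...)` call, so that `if (match_root)` wrapper could be dropped as well.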
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
- if (!root_validation && !dlv_validation) {
+ if (!root_validation) {
return (ISC_R_SUCCESS);
}
if (trust_anchor != NULL) {
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
}
- if (dlv_anchor != NULL) {
- CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
- }
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
fatal("No trusted keys were loaded");
}
- if (dlv_validation) {
- dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
- }
-
-
cleanup:
if (bindkeys != NULL) {
cfg_obj_destroy(parser, &bindkeys);
switch (cmd[1]) {
case 'l': /* dlv */
FULLCHECK("dlv");
- if (state && no_sigs)
- break;
- dlv_validation = state;
- if (value != NULL) {
- dlv_anchor = isc_mem_strdup(mctx, value);
+ if (state) {
+ fprintf(stderr, "Invalid option: "
+ "+dlv is obsolete\n");
+ exit(1);
}
break;
case 'n': /* dnssec */
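Review bot: The new `+dlv` rejection writes to stderr with `fprintf` and then calls `exit(1)` directly, while the rest of the file reports unrecoverable errors through `fatal()` (as in the `fatal("No trusted keys were loaded")` call visible in the trust-anchor hunk). Routing this through `fatal("Invalid option: +dlv is obsolete");` keeps the message formatting and exit path in one place; this assumes `fatal()` accepts a plain message string and exits non-zero, which the other call site suggests but the hunk does not show. Note also that `+nodlv` and `+nodlv=NAME` now fall through silently; if that is intended for backward compatibility it is worth a one-line comment such as `/* +nodlv accepted and ignored for compatibility */`.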
/* NOTREACHED */
case 'i':
no_sigs = true;
- dlv_validation = false;
root_validation = false;
break;
case 'm':
/* Set up resolution options */
resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
- if (no_sigs)
+ if (no_sigs) {
resopt |= DNS_CLIENTRESOPT_NODNSSEC;
- if (!root_validation && !dlv_validation)
+ }
+ if (!root_validation) {
resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
- if (cdflag)
+ }
+ if (cdflag) {
resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
- if (use_tcp)
+ }
+ if (use_tcp) {
resopt |= DNS_CLIENTRESOPT_TCP;
+ }
/* Perform resolution */
ISC_LIST_INIT(namelist);
dns_client_freeresanswer(client, &namelist);
cleanup:
- if (dlv_anchor != NULL)
- isc_mem_free(mctx, dlv_anchor);
if (trust_anchor != NULL)
isc_mem_free(mctx, trust_anchor);
if (anchorfile != NULL)
<command>delv</command> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
- CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
+ CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
<para>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
- <option>+root=NAME</option> options. DNSSEC Lookaside
- Validation can also be turned on by using the
- <option>+dlv=NAME</option> to specify the name of a
- zone containing DLV records.
+ <option>+root=NAME</option> options.
</para>
<para>
Note: When reading the trust anchor file,
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
- <option>-i</option> or <option>+noroot</option> and
- <option>+nodlv</option>.
+ <option>-i</option> or <option>+noroot</option>.
</para>
</listitem>
</varlistentry>
<term><option>+[no]root[=ROOT]</option></term>
<listitem>
<para>
- Indicates whether to perform conventional (non-lookaside)
+ Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
</listitem>
</varlistentry>
- <varlistentry>
- <term><option>+[no]dlv[=DLV]</option></term>
- <listitem>
- <para>
- Indicates whether to perform DNSSEC lookaside validation,
- and if so, specifies the name of the DLV trust anchor.
- The <option>-a</option> option must also be used to specify
- a file containing the DLV key.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term><option>+[no]tcp</option></term>
<listitem>