-DDYNDB_LIBDIR=\"@libdir@/bind\" \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
+ -DVALIDATION_DEFAULT=\"@VALIDATION_DEFAULT@\" \
-c ${srcdir}/config.c
server.@O@: server.c
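Review bot: the -DVALIDATION_DEFAULT define is attached only to the config.c compile rule, so the macro is invisible to every other translation unit and to anything built outside this Makefile (unit tests, for instance). If config.c is the sole consumer that is acceptable, but having configure emit the value into config.h with AC_DEFINE_UNQUOTED would define it wherever config.h is included and remove the per-rule flag. Note also that \"@VALIDATION_DEFAULT@\" turns the substituted value straight into a C string literal; that is only safe because configure restricts the value to `yes` or `auto`, which deserves a comment beside the rule.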
clients-per-query 10;\n\
dnssec-accept-expired no;\n\
dnssec-enable yes;\n\
- dnssec-validation yes; \n"
+ dnssec-validation " VALIDATION_DEFAULT "; \n"
#ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n"
#endif
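Review bot: `dnssec-validation " VALIDATION_DEFAULT "; \n"` relies on adjacent-string concatenation, so a build that omits the -D flag fails with an undeclared identifier instead of silently falling back to some value. That is a sensible failure mode, but it needs a comment above the string (or an explicit `#ifndef VALIDATION_DEFAULT` / `#error`) so the next person editing config.c understands why the macro deliberately has no default. The trailing space before `\n` carried over from the old `dnssec-validation yes; \n` line can be dropped while the line is being touched.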
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
-# The built-in trust anchors are provided for convenience of configuration.
-# They are not activated within named.conf unless specifically switched on.
-# To use the built-in key, use "dnssec-validation auto;" in the
-# named.conf options. Without this option being set, the keys in this
-# file are ignored.
+# To use the built-in root key, set "dnssec-validation auto;" in the
+# named.conf options or else leave "dnssec-validation" unset. If
+# "dnssec-validation" is set to "yes", then the keys in this file are
+# ignored; keys will need to be explicitly configured in named.conf for
+# validation to work. "auto" is the default setting, unless named is
+# built with "configure --disable-auto-validation", in which case the
+# default is "yes".
#
# This file is NOT expected to be user-configured.
#
-# These keys are current as of October 2017. If any key fails to
+# These keys are current as of May 2018. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
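Review bot: the rewritten comment covers the `yes` and `auto` cases but drops the old sentence saying nothing in this file is activated unless switched on, and the replacement never states the new consequence plainly: on a default build the keys in this file are now used without any named.conf change. Add a sentence to that effect, since it is the behavioural change operators will notice. "Built-in root key" (singular) also sits next to "These keys ... are current as of May 2018" (plural); use one form, or "root key(s)" if more than one anchor is listed in the file.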
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
-# named.conf options. Without this option being set, the keys in this\n\
-# file are ignored.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
+# named.conf options or else leave \"dnssec-validation\" unset. If\n\
+# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
+# ignored; keys will need to be explicitly configured in named.conf for\n\
+# validation to work. \"auto\" is the default setting, unless named is\n\
+# built with \"configure --disable-auto-validation\", in which case the\n\
+# default is \"yes\".\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of October 2017. If any key fails to\n\
+# These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
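Review bot: this escaped copy must stay byte-for-byte in step with the plain-text bind.keys comment (including the May 2018 date and the quoting around \"dnssec-validation\"), and hand-editing several copies is exactly how they drift. If this header is produced from bind.keys by a generator, commit the regenerated output and say so in the commit message; if it is not, consider a build-time check that the embedded text matches the installed file.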
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
-# named.conf options. Without this option being set, the keys in this\n\
-# file are ignored.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
+# named.conf options or else leave \"dnssec-validation\" unset. If\n\
+# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
+# ignored; keys will need to be explicitly configured in named.conf for\n\
+# validation to work. \"auto\" is the default setting, unless named is\n\
+# built with \"configure --disable-auto-validation\", in which case the\n\
+# default is \"yes\".\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of October 2017. If any key fails to\n\
+# These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
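Review bot: a second checked-in copy of the same escaped text means the "current as of May 2018" date and the validation wording now live in three places, and a future key update that misses one of them ships a header whose comment contradicts the file it describes. The copies are identical in this revision, so the only action needed now is a note on which file is the source of truth and how the others are regenerated.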
BIND9_ISCCC_BUILDINCLUDE
BIND9_ISC_BUILDINCLUDE
BIND9_TOP_BUILDDIR
+VALIDATION_DEFAULT
UNITTESTS
ATFLIBS
ATFBIN
with_atf
with_tuning
enable_querytrace
+enable_auto_validation
with_dlopen
with_dlz_postgres
with_dlz_mysql
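Review bot: the names do not line up: the option is auto-validation and the shell variable is want_autoval, while the substituted variable is VALIDATION_DEFAULT. That is workable because VALIDATION_DEFAULT holds the resulting dnssec-validation value (`auto` or `yes`) rather than a boolean, but the ac_subst_vars and ac_user_opts entries must match the AC_SUBST and AC_ARG_ENABLE in configure.in exactly, so these lines in the generated configure should come from rerunning autoconf rather than a hand edit; please confirm the checked-in script was regenerated.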
--enable-dnsrps enable DNS Response Policy Service API
--enable-dnstap enable dnstap support (requires fstrm, protobuf-c)
--enable-querytrace enable very verbose query trace logging [default=no]
+ --enable-auto-validation
+ turn on DNSSEC validation by default, using the IANA
+ root key [default=yes]
--enable-full-report report values of all configure options
Optional Packages:
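Review bot: the help text `turn on DNSSEC validation by default, using the IANA root key [default=yes]` describes only the enabled side. A reader of --disable-auto-validation will assume it turns validation off, whereas the configure logic makes the default `dnssec-validation yes`, which still validates but only with explicitly configured trust anchors. Suggest: `turn on DNSSEC validation by default using the built-in IANA root key; when disabled, named validates only with explicitly configured trust anchors [default=yes]`.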
;;
esac
+#
+# Was --disable-auto-validation specified?
+#
+# Check whether --enable-auto-validation was given.
+if test "${enable_auto_validation+set}" = set; then :
+ enableval=$enable_auto_validation; want_autoval="$enableval"
+else
+ want_autoval="yes"
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable DNSSEC validation by default" >&5
+$as_echo_n "checking whether to enable DNSSEC validation by default... " >&6; }
+case "$want_autoval" in
+no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ VALIDATION_DEFAULT=yes
+ ;;
+*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ VALIDATION_DEFAULT=auto
+ ;;
+esac
+
+
#
# Substitutions
#
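Review bot: the case statement maps `no` to VALIDATION_DEFAULT=yes and everything else to `auto`, so a mistyped value such as `--enable-auto-validation=n` silently selects automatic validation. For a security-relevant default it is better to accept only yes/no and fail on anything else (AC_MSG_ERROR in configure.in, an explicit error branch here). The assignment `VALIDATION_DEFAULT=yes` inside the `no)` branch also reads as a contradiction without context; a one-line comment that `yes` is the named.conf value meaning "validate with explicit trust anchors only" would spare the next reader a trip to config.c.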
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
+ test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+ test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
+
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
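Review bot: the disabled-feature line uses `test ... && echo`, whose exit status is non-zero whenever want_autoval is not `no`; the surrounding lines use `test ... || echo` for exactly this reason, and if this line ever ends up last in a function or under `set -e` it will misfire. Use `test "no" != "$want_autoval" || echo ...` for consistency. The message itself, `DNSSEC validation requires configuration`, would tell an operator more as `DNSSEC validation defaults to yes: explicit trust anchors required (--disable-auto-validation)`.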
;;
esac
+#
+# Was --disable-auto-validation specified?
+#
+AC_ARG_ENABLE(auto-validation,
+ AS_HELP_STRING([--enable-auto-validation],
+ [turn on DNSSEC validation by default, using the IANA root key [default=yes]]),
+ want_autoval="$enableval", want_autoval="yes")
+AC_MSG_CHECKING([whether to enable DNSSEC validation by default])
+case "$want_autoval" in
+no)
+ AC_MSG_RESULT(no)
+ VALIDATION_DEFAULT=yes
+ ;;
+*)
+ AC_MSG_RESULT(yes)
+ VALIDATION_DEFAULT=auto
+ ;;
+esac
+AC_SUBST(VALIDATION_DEFAULT)
+
#
# Substitutions
#
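Review bot: AC_SUBST(VALIDATION_DEFAULT) only reaches Makefile.in consumers, yet the value ends up as a C macro; adding `AC_DEFINE_UNQUOTED([VALIDATION_DEFAULT], ["$VALIDATION_DEFAULT"], [default dnssec-validation setting])` would place it in config.h and remove the need for the per-rule -D in bin/named/Makefile.in. The `*)` branch also treats any non-`no` value as enabled; a `yes)` branch plus a default that calls AC_MSG_ERROR keeps a typo from silently selecting `auto`. The nested `[default=yes]]` inside AS_HELP_STRING is balanced and handled correctly as m4 nested quotes, so nothing to change there.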
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
+ test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+ test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
+
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
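Review bot: this is the source copy of the summary-report change that also appears in the generated configure, so the `&&` exit-status fix and any wording change must be made here first and then regenerated, otherwise the next autoconf run reverts them. Placing the `||` line in the enabled-features list and the `&&` line in the disabled-features list is the right split; just make both messages name the resulting dnssec-validation value so an operator reading the build summary knows whether trust anchors must be configured by hand.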
To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC aware clients,
<command>dnssec-enable</command> must be set to yes.
- (This is the default setting.)
+ This is the default setting.
</para>
<para>
To enable <command>named</command> to validate answers from
other servers, the <command>dnssec-enable</command> option
must be set to <userinput>yes</userinput>, and the
- <command>dnssec-validation</command> options must be set to
- <userinput>yes</userinput> or <userinput>auto</userinput>.
+ <command>dnssec-validation</command> option must be set to
+ either <userinput>yes</userinput> or <userinput>auto</userinput>.
</para>
<para>
+ When <command>dnssec-validation</command> is set to
+ <userinput>auto</userinput>, a trust anchor for the DNS
+ root zone will automatically be used. This trust anchor is
+ provided as part of BIND and is kept up to date using RFC 5011
+ key management.
If <command>dnssec-validation</command> is set to
- <userinput>auto</userinput>, then a default
- trust anchor for the DNS root zone will be used.
- If it is set to <userinput>yes</userinput>, however,
- then at least one trust anchor must be configured
- with a <command>trusted-keys</command> or
- <command>managed-keys</command> statement in
- <filename>named.conf</filename>, or DNSSEC validation
- will not occur. The default setting is
- <userinput>yes</userinput>.
+ <userinput>yes</userinput>, then
+ DNSSEC validation only occurs if
+ at least one trust anchor has been explicitly configured
+ in <filename>named.conf</filename>,
+ using a <command>trusted-keys</command> or
+ <command>managed-keys</command> statement.
+ If <command>dnssec-validation</command> is set to
+ <userinput>no</userinput>, then DNSSEC validation will
+ not occur.
+ The default is <userinput>auto</userinput> unless BIND is
+ built with <command>configure --disable-auto-validation</command>,
+ in which case the default is <userinput>yes</userinput>.
</para>
<para>
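Review bot: the new `auto` sentences and the retained `yes` text now share one <para>, and nothing tells an operator what changes on upgrade: a resolver that never set dnssec-validation moves from `yes` (no validation without explicit trust anchors) to `auto` (validation with the built-in root key) once rebuilt with default configure options. Add a sentence stating that, and split the three cases (auto, yes, no) into separate <para> elements or a <variablelist>. "Kept up to date using RFC 5011 key management" should also be tied to the managed-keys mechanism the next sentence tells administrators to use, so the reader sees that `auto` does for the root key what a managed-keys statement does for their own anchors.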