# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
-for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
- nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
- cdnskey-delete
+for subdomain in secure nsec3 optout rsasha256 rsasha512 \
+ nsec3-to-nsec oldsigs dname-at-apex-nsec3
do
cp ../ns3/dsset-$subdomain.example. .
done
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+foo.example. 0 DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
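Review bot: This fixture only exercises a DS below the apex (`foo.example.` has a DS but no NS), yet the zone-load code in this change reaches the same DS check for the apex itself via the origin branch, so the apex path is left untested; a sibling zone with `example. 0 DS ...` and no NS at that owner would cover it. The check only looks for the presence of a DS rdataset at a non-delegation owner, so the digest here need not correspond to the DNSKEY above it, which is worth stating in the file so nobody later "fixes" it: `; DS at an owner with no NS: the integrity check must report it regardless of the digest`.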
records, only in-zone hostnames are checked (for out-of-zone hostnames,
use :iscman:`named-checkzone`). For NS records, only names below top-of-zone
are checked (for out-of-zone names and glue consistency checks, use
- :iscman:`named-checkzone`). The default is ``yes``.
+ :iscman:`named-checkzone`). DS records not at delegations are rejected.
+ The default is ``yes``.
The use of the SPF record to publish Sender Policy Framework is
deprecated, as the migration from using TXT records to SPF records was
dns_name_t *bottom;
isc_result_t result;
bool ok = true, have_spf, have_txt;
+ int level;
+ char namebuf[DNS_NAME_FORMATSIZE];
name = dns_fixedname_initname(&fixed);
bottom = dns_fixedname_initname(&fixedbottom);
* Don't check the NS records at the origin.
*/
if (dns_name_equal(name, &zone->origin)) {
- goto checkfordname;
+ goto checkfords;
}
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
0, 0, &rdataset, NULL);
if (result != ISC_R_SUCCESS) {
- goto checkfordname;
+ goto checkfords;
}
/*
* Remember bottom of zone due to NS.
dns_rdataset_disassociate(&rdataset);
goto next;
+ checkfords:
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ goto checkfordname;
+ }
+ dns_rdataset_disassociate(&rdataset);
+
+ if (zone->type == dns_zone_primary) {
+ level = ISC_LOG_ERROR;
+ ok = false;
+ } else {
+ level = ISC_LOG_WARNING;
+ }
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_zone_log(zone, level, "DS not at delegation point (%s)",
+ namebuf);
+
checkfordname:
result = dns_db_findrdataset(db, node, NULL,
dns_rdatatype_dname, 0, 0,
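Review bot: The `checkfords` block makes a misplaced DS fatal only when `zone->type == dns_zone_primary` (`ok = false`) and merely logs a warning for every other zone type, while the documentation hunk earlier in this change says without qualification that such records are rejected; either the doc should say secondaries only warn, or the branch needs a comment stating the intent, e.g. `/* Non-primary zones get the data from elsewhere: warn rather than refuse the zone, so the problem is visible without taking the zone offline. */` — confirm that is the rationale. The consequence that a secondary still loads and serves the stray DS deserves to be spelled out for operators, who will otherwise expect the transfer to fail as it does on the primary. Both entry paths land here, the origin via the `goto checkfords` after `dns_name_equal(name, &zone->origin)` and any name whose NS lookup fails, so an apex DS is reported as "DS not at delegation point (example.)", which the new test zone does not cover. The enclosing function starts before and ends after this hunk.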
notxt:
if (have_spf && !have_txt) {
- char namebuf[DNS_NAME_FORMATSIZE];
-
dns_name_format(name, namebuf, sizeof(namebuf));
dns_zone_log(zone, ISC_LOG_WARNING,
"'%s' found type "