const cfg_obj_t *zonelist;
const cfg_obj_t *dlzlist;
const cfg_obj_t *dlz;
- const cfg_obj_t *dlvobj = NULL;
unsigned int dlzargc;
char **dlzargv;
const cfg_obj_t *dyndb_list, *plugin_list;
}
/*
- * Set supported DS/DLV digest types.
+ * Set supported DS digest types.
*/
dns_resolver_reset_ds_digests(view->resolver);
disabled = NULL;
view->prefetch_eligible = view->prefetch_trigger + 6;
}
- obj = NULL;
- result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
- if (result == ISC_R_SUCCESS) {
- /* "auto" is deprecated, log a warning if seen */
- const char *dom;
- dlvobj = cfg_listelt_value(cfg_list_first(obj));
- dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
- if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
- /* If "no", skip; if "auto", log warning */
- if (!strcasecmp(dom, "no")) {
- result = ISC_R_NOTFOUND;
- } else if (!strcasecmp(dom, "auto")) {
- /*
- * Warning logged by libbind9.
- */
- result = ISC_R_NOTFOUND;
- }
- }
- }
-
- if (result == ISC_R_SUCCESS) {
- dns_name_t *dlv, *iscdlv;
- dns_fixedname_t f;
-
- /* Also log a warning if manually configured to dlv.isc.org */
- iscdlv = dns_fixedname_initname(&f);
- CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
-
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- obj = cfg_tuple_get(obj, "trust-anchor");
-
- dlv = dns_fixedname_name(&view->dlv_fixed);
- CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
- DNS_NAME_DOWNCASE, NULL));
- if (dns_name_equal(dlv, iscdlv)) {
- /*
- * Warning logged by libbind9.
- */
- view->dlv = NULL;
- } else {
- view->dlv = dlv;
- }
- }
- } else {
- view->dlv = NULL;
- }
-
/*
* For now, there is only one kind of trusted keys, the
* "security roots".
ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-lookaside 'auto' is no longer supported" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
-grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
-lines=$(wc -l < checkconf.out$n)
-if [ $lines != 1 ]; then ret=1; fi
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
-echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
-ret=0
-$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
-[ -s checkconf.out$n ] || ret=1
-grep "trust anchor for dlv.isc.org is present" < checkconf.out$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
-status=`expr $status + $ret`
-
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
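Review bot: Dropping `lines=$(wc -l < checkconf.out$n)` / `if [ $lines != 1 ]; then ret=1; fi` from the dlv.example.com case leaves that test asserting only that the obsolete-option warning is present, so any additional diagnostic (a second warning, or an error that still exits 0) would now pass unnoticed, and this was the only one of the three dnssec-lookaside cases that pinned the output. If the generic "option 'dnssec-lookaside' is obsolete" message is now intended to be the sole output for all three forms, restore the exact-count check after the `$CHECKCONF` line (or at least `grep -i error < checkconf.out$n > /dev/null && ret=1`) rather than deleting it. The removed dlv.isc.org KSK test is not replaced by any case covering a leftover `trusted-keys`/`managed-keys` entry for dlv.isc.org; presumably it is now treated like any other stale trust anchor, but a one-line comment stating that is intentional would save the next reader from wondering whether coverage was lost. The surrounding tests in this script start before and continue past this hunk.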
#include <bind9/check.h>
-static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
-static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
-static dns_name_t const dlviscorg =
- DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets);
-
static isc_result_t
fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
isc_log_t *logctxlogc);
const cfg_obj_t *resignobj = NULL;
const cfg_listelt_t *element;
isc_symtab_t *symtab = NULL;
- dns_fixedname_t fixed;
const char *str;
- dns_name_t *name;
isc_buffer_t b;
uint32_t lifetime = 3600;
const char *ccalg = "siphash24";
}
/*
- * Set supported DS/DLV digest types.
+ * Set supported DS digest types.
*/
obj = NULL;
(void)cfg_map_get(options, "disable-ds-digests", &obj);
}
}
- name = dns_fixedname_initname(&fixed);
-
- /*
- * Check the DLV zone name.
- */
- obj = NULL;
- (void)cfg_map_get(options, "dnssec-lookaside", &obj);
- if (obj != NULL) {
- tresult = isc_symtab_create(mctx, 100, freekey, mctx,
- false, &symtab);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- const char *dlv;
- const cfg_obj_t *dlvobj, *anchor;
-
- obj = cfg_listelt_value(element);
-
- anchor = cfg_tuple_get(obj, "trust-anchor");
- dlvobj = cfg_tuple_get(obj, "domain");
- dlv = cfg_obj_asstring(dlvobj);
-
- /*
- * If domain is "auto" or "no" and trust anchor
- * is missing, skip remaining tests
- */
- if (cfg_obj_isvoid(anchor)) {
- if (!strcasecmp(dlv, "no")) {
- continue;
- }
- if (!strcasecmp(dlv, "auto")) {
- cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "dnssec-lookaside 'auto' "
- "is no longer supported");
- continue;
- }
- }
-
- tresult = dns_name_fromstring(name, dlv, 0, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
- result = tresult;
- continue;
- }
- if (symtab != NULL) {
- tresult = nameexist(obj, dlv, 1, symtab,
- "dnssec-lookaside '%s': "
- "already exists; previous "
- "definition: %s:%u",
- logctx, mctx);
- if (tresult != ISC_R_SUCCESS &&
- result == ISC_R_SUCCESS)
- result = tresult;
- }
-
- /*
- * XXXMPA to be removed when multiple lookaside
- * namespaces are supported.
- */
- if (!dns_name_equal(dns_rootname, name)) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-lookaside '%s': "
- "non-root not yet supported", dlv);
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
-
- if (cfg_obj_isvoid(anchor)) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-lookaside requires "
- "either or 'no' or a "
- "domain and trust anchor");
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- continue;
- }
-
- dlv = cfg_obj_asstring(anchor);
- tresult = dns_name_fromstring(name, dlv, 0, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- continue;
- }
- if (dns_name_equal(&dlviscorg, name)) {
- cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
- "dlv.isc.org has been shut down");
- continue;
- }
- }
-
- if (symtab != NULL)
- isc_symtab_destroy(&symtab);
- }
-
/*
* Check auto-dnssec at the view/options level
*/
#define ROOT_KSK_ANY 0x03
#define ROOT_KSK_2010 0x04
#define ROOT_KSK_2017 0x08
-#define DLV_KSK_KEY 0x10
static isc_result_t
check_trusted_key(const cfg_obj_t *key, bool managed,
}
}
- /*
- * Flag any use of dlv.isc.org, regardless of content.
- */
- if (dns_name_equal(keyname, &dlviscorg)) {
- *keyflags |= DLV_KSK_KEY;
- }
-
return (result);
}
"with initial-key instead.");
}
- if ((flags & DLV_KSK_KEY) != 0) {
- cfg_obj_log(check_keys[i], logctx,
- ISC_LOG_WARNING,
- "trust anchor for dlv.isc.org "
- "is present; dlv.isc.org has "
- "been shut down");
- }
-
tflags |= flags;
}
}
"the updated 2017 key");
}
- if ((flags & DLV_KSK_KEY) != 0) {
- cfg_obj_log(check_keys[i], logctx,
- ISC_LOG_WARNING,
- "trust anchor for dlv.isc.org "
- "is present; dlv.isc.org has "
- "been shut down");
- }
-
dflags |= flags;
}
}