From: Mark Andrews <marka@isc.org>
Date: Tue, 13 Mar 2018 04:17:22 +0000 (+1100)
Subject: add named.conf option root-key-sentinel
X-Git-Tag: v9.9.13rc1~12^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3890b5d7bad0472634902ef126d0e1b4a691ff02;p=thirdparty%2Fbind9.git

add named.conf option root-key-sentinel

(cherry picked from commit 68e9315c7d3e3800527385be67d6a2e8c8fc6ba0)
(cherry picked from commit ee763ef281e99da4208bb4ee67540c18426585fc)
(cherry picked from commit 9a5f3082879e1d0505d78dbdeaa658e24d1901aa)
(cherry picked from commit 468a3bcdac22c1089727e2701906829139250eb7)
---

diff --git a/bin/named/config.c b/bin/named/config.c
index f74dd486d95..2532d0d8792 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -164,6 +164,7 @@ options {\n\
 	recursion true;\n\
 	request-ixfr true;\n\
 	rfc2308-type1 no;\n\
+	root-key-sentinel yes;\n\
 #	sortlist <none>\n\
 #	topology <none>\n\
 	transfer-format many-answers;\n\
diff --git a/bin/named/query.c b/bin/named/query.c
index 364b5a50a05..a2f248ad6d3 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -6105,7 +6105,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	/*
 	 * Setup for root key sentinel processing.
 	 */
-	if (client->query.restarts == 0 &&
+	if (client->view->root_key_sentinel &&
+	    client->query.restarts == 0 &&
 	    (qtype == dns_rdatatype_a ||
 	     qtype == dns_rdatatype_aaaa) &&
 	    (client->message->flags & DNS_MESSAGEFLAG_CD) == 0)
diff --git a/bin/named/server.c b/bin/named/server.c
index 108d126b620..5f5c39c3080 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3115,6 +3115,15 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	else
 		INSIST(0);
 
+	obj = NULL;
+	result = ns_config_get(maps, "root-key-sentinel", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->root_key_sentinel = cfg_obj_asboolean(obj);
+
+	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+				 "allow-query-cache-on", NULL, actx,
+				 ns_g_mctx, &view->cacheonacl));
+
 	/*
 	 * Set sources where additional data and CNAME/DNAME
 	 * targets for authoritative answers may be found.
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 795eed67406..e3335d9f736 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5659,6 +5659,17 @@ options {
 	      </listitem>
 	    </varlistentry>
 
+	    <varlistentry>
+	      <term><command>root-key-sentinel</command></term>
+	      <listitem>
+		<para>
+		  Respond to root key sentinel probes as described in
+		  draft-ietf-dnsop-kskroll-sentinel-08. The default is
+		  <userinput>yes</userinput>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
 	    <varlistentry>
 	      <term><command>maintain-ixfr-base</command></term>
 	      <listitem>
diff --git a/doc/misc/options b/doc/misc/options
index 09cd32c2873..b9b8b87e759 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -230,6 +230,7 @@ options {
             max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
         secroots-file <quoted_string>;
@@ -462,6 +463,7 @@ view <string> [ <class> ] {
             ... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
             max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
         rfc2308-type1 <boolean>; // not yet implemented
+        root-key-sentinel <boolean>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index d4de397fc28..9c5e795d652 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -14,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id$ */
-
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
 
@@ -126,6 +124,7 @@ struct dns_view {
 	isc_boolean_t			enablednssec;
 	isc_boolean_t			enablevalidation;
 	isc_boolean_t			acceptexpired;
+	isc_boolean_t			root_key_sentinel;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			cacheacl;
 	dns_acl_t *			cacheonacl;
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 762c968e51f..d2c55281242 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -202,6 +202,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->managed_keys = NULL;
 	view->redirect = NULL;
 #ifdef BIND9
+	view->root_key_sentinel = ISC_TRUE;
 	view->new_zone_file = NULL;
 	view->new_zone_config = NULL;
 	view->cfg_destroy = NULL;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index dc5ede9a3bb..7af5c090653 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1515,6 +1515,7 @@ view_clauses[] = {
 	{ "response-policy", &cfg_type_rpz, 0 },
 	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
 	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+	{ "root-key-sentinel", &cfg_type_boolean, 0 },
 	{ "rrset-order", &cfg_type_rrsetorder, 0 },
 	{ "sortlist", &cfg_type_bracketed_aml, 0 },
 	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },