From: Mark Andrews Date: Tue, 13 Mar 2018 04:17:22 +0000 (+1100) Subject: add named.conf option root-key-sentinel X-Git-Tag: v9.10.8rc1~11^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=468a3bcdac22c1089727e2701906829139250eb7;p=thirdparty%2Fbind9.git add named.conf option root-key-sentinel (cherry picked from commit 68e9315c7d3e3800527385be67d6a2e8c8fc6ba0) (cherry picked from commit ee763ef281e99da4208bb4ee67540c18426585fc) (cherry picked from commit 9a5f3082879e1d0505d78dbdeaa658e24d1901aa) --- diff --git a/bin/named/config.c b/bin/named/config.c index 06ad653e520..22fc82cc3a9 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -177,6 +177,7 @@ options {\n\ recursion true;\n\ request-ixfr true;\n\ rfc2308-type1 no;\n\ + root-key-sentinel yes;\n\ # sortlist \n\ # topology \n\ transfer-format many-answers;\n\ diff --git a/bin/named/query.c b/bin/named/query.c index db70c3996b8..cf482c2e77f 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -6722,7 +6722,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Setup for root key sentinel processing. */ - if (client->query.restarts == 0 && + if (client->view->root_key_sentinel && + client->query.restarts == 0 && (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa) && (client->message->flags & DNS_MESSAGEFLAG_CD) == 0) diff --git a/bin/named/server.c b/bin/named/server.c index a2e14a73d19..f69cba98dc2 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3401,6 +3401,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, INSIST(result == ISC_R_SUCCESS); view->trust_anchor_telemetry = cfg_obj_asboolean(obj); + obj = NULL; + result = ns_config_get(maps, "root-key-sentinel", &obj); + INSIST(result == ISC_R_SUCCESS); + view->root_key_sentinel = cfg_obj_asboolean(obj); + CHECK(configure_view_acl(vconfig, config, ns_g_config, "allow-query-cache-on", NULL, actx, ns_g_mctx, &view->cacheonacl)); 
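Review bot: The comment above this condition in bin/named/query.c still describes the sentinel setup as unconditional, while the new first operand makes it depend on the view's setting; I would change its text line to `* Setup for root key sentinel processing (skipped when the view's root-key-sentinel option is off).`. The body of the `if` and the rest of query_find lie outside the hunk, so it cannot be confirmed from here that every later use of the sentinel state tolerates the block never having run. Presumably the per-query flags keep their reset values, which is worth a quick check.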
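Review bot: The added `INSIST(result == ISC_R_SUCCESS)` in bin/named/server.c holds only because the same commit adds `root-key-sentinel yes;` to the built-in options text in bin/named/config.c; if that default is ever dropped, named aborts while loading configuration instead of reporting an error. This matches the trust_anchor_telemetry lookup just above, so I would keep the pattern but record the dependency, e.g. `/* "root-key-sentinel" always has a built-in default, so the lookup cannot fail. */`. As far as the visible diff goes, no test covers the `no` setting; a case that disables the option and checks that sentinel-labelled names are answered like any other name would pin the new gate. configure_view continues outside the hunk.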
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 2eb1a132a57..c001d492645 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5855,6 +5855,17 @@ options { + + root-key-sentinel + + + Respond to root key sentinel probes as described in + draft-ietf-dnsop-kskroll-sentinel-08. The default is + yes. + + + + maintain-ixfr-base diff --git a/doc/misc/options b/doc/misc/options index 04d0b0dd55d..1830b9180a8 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -265,6 +265,7 @@ options { min-ns-dots ] [ qname-wait-recurse ]; rfc2308-type1 ; // not yet implemented root-delegation-only [ exclude { ; ... } ]; + root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; secroots-file ; @@ -538,6 +539,7 @@ view [ ] { [ break-dnssec ] [ max-policy-ttl ] [ min-ns-dots ] [ qname-wait-recurse ]; rfc2308-type1 ; // not yet implemented + root-key-sentinel ; root-delegation-only [ exclude { ; ... } ]; rrset-order { [ class ] [ type ] [ name ] ; ... }; diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index f4cbd26cf97..e6b73e35b6f 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - #ifndef DNS_VIEW_H #define DNS_VIEW_H 1 @@ -128,6 +126,7 @@ struct dns_view { isc_boolean_t enablevalidation; isc_boolean_t acceptexpired; isc_boolean_t trust_anchor_telemetry; + isc_boolean_t root_key_sentinel; dns_transfer_format_t transfer_format; dns_acl_t * cacheacl; dns_acl_t * cacheonacl; diff --git a/lib/dns/view.c b/lib/dns/view.c index 8003b34c482..184b0d02a09 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -206,6 +206,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->requestnsid = ISC_FALSE; view->requestsit = ISC_TRUE; view->trust_anchor_telemetry = ISC_TRUE; + view->root_key_sentinel = ISC_TRUE; view->new_zone_file = NULL; view->new_zone_config = NULL; view->cfg_destroy = NULL; 
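Review bot: In lib/dns/include/dns/view.h the new `root_key_sentinel` member is inserted in the middle of `struct dns_view`, which moves the offset of `transfer_format` and every member after it; code built against the previous header and linked with the new library would read the wrong fields. Nothing in the visible diff changes the library's interface version, so confirm that this is handled elsewhere for this maintenance branch. The member also has no comment; something like `isc_boolean_t root_key_sentinel; /* answer root key sentinel probes */` would say what it controls. The struct definition starts and ends outside the hunk.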
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 082d865e577..ece40659cb7 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1639,6 +1639,7 @@ view_clauses[] = {
 { "response-policy", &cfg_type_rpz, 0 },
 { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
 { "root-delegation-only", &cfg_type_optional_exclude, 0 },
+ { "root-key-sentinel", &cfg_type_boolean, 0 },
 { "rrset-order", &cfg_type_rrsetorder, 0 },
 { "sortlist", &cfg_type_bracketed_aml, 0 },
 { "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },