From: Evan Hunt
Date: Sat, 11 Oct 2025 01:27:41 +0000 (-0700)
Subject: remove "bindkeys-file" option
X-Git-Tag: v9.21.15~70^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a373671f5ecf56d8905ea73b462abc348414d332;p=thirdparty%2Fbind9.git
remove "bindkeys-file" option
The bindkeys-file option was only used for testing purposes, and has now been replaced with a "-T bindkeys=" option for named.
---
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 126d248f4d7..fa5fd5581c5 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -89,9 +89,9 @@ EXTERN unsigned int named_g_debuglevel INIT(0); */ EXTERN cfg_obj_t *named_g_defaultconfig INIT(NULL); EXTERN const cfg_obj_t *named_g_defaultoptions INIT(NULL); -EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf"); -EXTERN const char *named_g_defaultbindkeys INIT(NULL); -EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key"); +EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf"); +EXTERN const char *named_g_bindkeysfile INIT(NULL); +EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key"); EXTERN bool named_g_conffileset INIT(false);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index a39e8bfb9f7..da28b0cf5b4 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -55,7 +55,6 @@ struct named_server { char *statsfile; /*%< Statistics file name */ char *dumpfile; /*%< Dump file name */ char *secrootsfile; /*%< Secroots file name */ - char *bindkeysfile; /*%< bind.keys file name */ char *recfile; /*%< Recursive file name */ bool version_set; /*%< User has set version */ char *version; /*%< User-specified version */
diff --git a/bin/named/main.c b/bin/named/main.c
index 3ec1c2f0e12..ef466ba7a80 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
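Review bot: The new `named_g_bindkeysfile` global in the globals.h hunk carries no comment on what sets it or when it stays NULL, unlike the neighbouring `named_g_conffile` and `named_g_keyfile` lines whose INIT values make their purpose self-evident. Since this header is the only place a reader sees the declaration, I'd put `/* path given with "-T bindkeys=<file>"; NULL when not set (testing aid) */` above the `EXTERN const char *named_g_bindkeysfile INIT(NULL);` line. The pointer presumably aliases the argv string assigned in parse_T_opt rather than a heap copy, so a note that its lifetime is the process's would also stop a later maintainer from trying to free it.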
@@ -649,7 +649,7 @@ parse_fuzz_arg(void) { static void parse_T_opt(char *option) { - const char *p; + const char *p = NULL; char *last = NULL; /* * force the server to behave (or misbehave) in
@@ -692,6 +692,8 @@ parse_T_opt(char *option) { if (maxudp <= 0) { named_main_earlyfatal("bad maxudp"); } + } else if (!strncmp(option, "bindkeys=", 9)) { + named_g_bindkeysfile = option + 9; } else if (!strncmp(option, "mkeytimers=", 11)) { p = strtok_r(option + 11, "/", &last); if (p == NULL) {
diff --git a/bin/named/server.c b/bin/named/server.c
index 5bd1e399292..54c271550e2 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1138,8 +1138,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *builtin_keys = NULL; /* - * If bind.keys exists and is populated, it overrides - * the trust-anchors clause hard-coded in + * If "-T bindkeys=" was used and + * the file has a root key in it, that will + * replace the trust-anchors clause hard-coded in * named_g_defaultconfig. */ if (bindkeys != NULL) {
@@ -1147,7 +1148,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "obtaining root key for view %s " "from '%s'", - view->name, named_g_server->bindkeysfile); + view->name, named_g_bindkeysfile); (void)cfg_map_get(bindkeys, "trust-anchors", &builtin_keys);
@@ -8114,9 +8115,8 @@ configure_kasplist(const cfg_obj_t *config, dns_kasplist_t *kasplist, static isc_result_t apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, - named_server_t *server, bool first_time) { - cfg_obj_t *bindkeys = NULL; - cfg_parser_t *bindkeys_parser = NULL; + cfg_obj_t *bindkeys, named_server_t *server, + bool first_time) { const cfg_obj_t *maps[3]; const cfg_obj_t *obj = NULL; const cfg_obj_t *options = NULL;
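Review bot: `-T bindkeys=` with nothing after the `=` leaves `named_g_bindkeysfile` pointing at an empty string, which is only caught later when `access()` fails and the server logs `unable to open ''`, instead of being rejected up front the way the `maxudp` branch just above rejects bad input with `named_main_earlyfatal`. I'd add `if (*named_g_bindkeysfile == '\0') { named_main_earlyfatal("bad bindkeys"); }` directly after the assignment. The ARM entry for `bindkeys-file` is deleted in the reference.rst hunk, but the replacement `-T bindkeys=` is not described anywhere in this diff; even for a test-only switch, a sentence in the usage text saying it overrides the built-in root trust anchor keeps that behaviour discoverable. parse_T_opt's body continues outside the hunk.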
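Review bot: The new `bindkeys` parameter of apply_configuration has no stated ownership now that the function no longer creates or destroys the object the way the removed `bindkeys_parser` locals did; from the load_configuration hunk the caller both parses and destroys it after the call returns. A short comment on the parameter, `/* bindkeys: trust-anchor file parsed by the caller, or NULL; read only, not consumed */`, would record that. Since the function only reads it, `const cfg_obj_t *bindkeys` would make the contract enforceable, provided configure_view_dnsseckeys (whose signature is outside these hunks) accepts a const pointer. apply_configuration's body continues outside the hunk.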
@@ -8251,48 +8251,6 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, named_g_http_streams_per_conn = cfg_obj_asuint32(obj); #endif - /* - * If "dnssec-validation auto" is turned on, the root key - * will be used as a default trust anchor. The root key - * is built in, but if bindkeys-file is set, then it will - * be overridden with the key in that file. - */ - obj = NULL; - (void)named_config_get(maps, "bindkeys-file", &obj); - if (obj != NULL) { - setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj)); - INSIST(server->bindkeysfile != NULL); - if (access(server->bindkeysfile, R_OK) != 0) { - isc_log_write(NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "unable to open '%s'; using built-in " - "keys instead", - server->bindkeysfile); - } else { - result = cfg_parser_create(isc_g_mctx, - &bindkeys_parser); - if (result != ISC_R_SUCCESS) { - goto cleanup_bindkeys_parser; - } - - result = cfg_parse_file(bindkeys_parser, - server->bindkeysfile, - &cfg_type_bindkeys, &bindkeys); - if (result != ISC_R_SUCCESS) { - isc_log_write(NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, - ISC_LOG_INFO, - "unable to parse '%s' " - "error '%s'; using " - "built-in keys instead", - server->bindkeysfile, - isc_result_totext(result)); - } - } - } else { - setstring(server, &server->bindkeysfile, NULL); - } - #if defined(HAVE_GEOIP2) /* * Release any previously opened GeoIP2 databases.
@@ -8338,7 +8296,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, max, named_g_cpus); result = ISC_R_RANGE; - goto cleanup_bindkeys_parser; + goto cleanup_tls; } softquota = max - margin; } else {
@@ -8363,7 +8321,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, aclctx, isc_g_mctx, &server->sctx->blackholeacl); if (result != ISC_R_SUCCESS) { - goto cleanup_bindkeys_parser; + goto cleanup_tls; } if (server->sctx->blackholeacl != NULL) {
@@ -9287,14 +9245,7 @@ cleanup_portsets: isc_portset_destroy(isc_g_mctx, &v6portset); isc_portset_destroy(isc_g_mctx, &v4portset); -cleanup_bindkeys_parser: - if (bindkeys_parser != NULL) { - if (bindkeys != NULL) { - cfg_obj_destroy(bindkeys_parser, &bindkeys); - } - cfg_parser_destroy(&bindkeys_parser); - } - +cleanup_tls: /* * Detach the TLS client context (whether the one created at the * begining of this function, or the previous running one)
@@ -9347,7 +9298,7 @@ static isc_result_t load_configuration(named_server_t *server, bool first_time) { isc_result_t result; cfg_parser_t *parser = NULL; - cfg_obj_t *config = NULL; + cfg_obj_t *config = NULL, *bindkeys = NULL; isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "load_configuration");
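Review bot: `cfg_obj_t *config = NULL, *bindkeys = NULL;` in the load_configuration hunk folds two pointer declarations into one line, while the surrounding declarations (`isc_result_t result;`, `cfg_parser_t *parser = NULL;`) and the main.c hunk of this same commit (`const char *p = NULL;`) keep one declaration per line. Giving the new object its own `cfg_obj_t *bindkeys = NULL;` line matches that convention and keeps the `*` binding visible. load_configuration's body continues outside the hunk.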
@@ -9362,10 +9313,44 @@ load_configuration(named_server_t *server, bool first_time) { goto cleanup; } - result = apply_configuration(parser, config, server, first_time); + if (named_g_bindkeysfile != NULL) { + /* + * If "dnssec-validation auto" is turned on, the root key + * will be used as a default trust anchor. The root key + * is built in, but if -Tbindkeys= is used, + * the key is overridden with the key in that file. + */ + if (access(named_g_bindkeysfile, R_OK) != 0) { + isc_log_write(NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, + "unable to open '%s'; using built-in " + "keys instead", + named_g_bindkeysfile); + } else { + cfg_parser_reset(parser); + result = cfg_parse_file(parser, named_g_bindkeysfile, + &cfg_type_bindkeys, &bindkeys); + if (result != ISC_R_SUCCESS) { + isc_log_write(NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, + ISC_LOG_INFO, + "unable to parse '%s' " + "error '%s'; using " + "built-in keys instead", + named_g_bindkeysfile, + isc_result_totext(result)); + } + } + } + + result = apply_configuration(parser, config, bindkeys, server, + first_time); cleanup: - if (config) { + if (bindkeys != NULL) { + cfg_obj_destroy(parser, &bindkeys); + } + if (config != NULL) { cfg_obj_destroy(parser, &config); } cfg_parser_destroy(&parser);
@@ -9986,10 +9971,6 @@ named_server_destroy(named_server_t **serverp) { isc_mem_free(server->mctx, server->secrootsfile); isc_mem_free(server->mctx, server->recfile); - if (server->bindkeysfile != NULL) { - isc_mem_free(server->mctx, server->bindkeysfile); - } - if (server->version != NULL) { isc_mem_free(server->mctx, server->version); }
diff --git a/bin/tests/system/dnssec/ns4/named.args b/bin/tests/system/dnssec/ns4/named.args
new file mode 100644
index 00000000000..66d7dd91314
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D dnssec-ns4 -g -T maxcachesize=2097152 -T bindkeys=managed.conf
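Review bot: `cfg_parser_reset(parser)` reuses the parser that just produced `config`, and both `config` and `bindkeys` are later destroyed through that same parser in the cleanup block, whereas the apply_configuration code this replaces used a dedicated `bindkeys_parser`. I'd confirm that cfg_parser_reset only clears lexer and error-count state and does not release the file-name records that `config`'s objects still reference; if that is not guaranteed, a second parser is the safer shape. When cfg_parse_file fails, `result` holds its error until `result = apply_configuration(...)` overwrites it, which is the intended fallback but reads like a dropped error, so `/* a failed bindkeys parse is logged and ignored; result is reassigned below */` above that call would make it deliberate. The `access()` check only decides which message is logged, since cfg_parse_file would fail on an unreadable file anyway, and it is the usual check-then-use race, harmless here because both paths fall back to the built-in keys. load_configuration's body continues outside the hunk.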
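Review bot: The new dnssec/ns4 named.args passes `-T bindkeys=managed.conf` unconditionally, whereas the `bindkeys-file "managed.conf";` line it replaces in the named.conf.j2 hunk sat inside `{% if managed_key %}` and was absent in the `dnssec-validation yes` branch. If managed.conf is missing in that branch the server only logs and falls back to the built-in keys, so the test still starts, but if the file exists it is now loaded in a configuration that never read it before. Worth confirming this is inert for the non-managed case, or templating named.args as well so the switch stays conditional.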
diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2
index 7c21e734f2e..b4aa86146a5 100644
--- a/bin/tests/system/dnssec/ns4/named.conf.j2
+++ b/bin/tests/system/dnssec/ns4/named.conf.j2
@@ -35,7 +35,6 @@ options { {% if managed_key %} dnssec-validation auto; - bindkeys-file "managed.conf"; {% else %} dnssec-validation yes; {% endif %}
diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args
index 175e02c098a..1387f480b06 100644
--- a/bin/tests/system/mkeys/ns2/named.args
+++ b/bin/tests/system/mkeys/ns2/named.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -D mkeys-ns2 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1
+-m record -c named.conf -d 99 -D mkeys-ns2 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns2/named.conf.in b/bin/tests/system/mkeys/ns2/named.conf.in
index feed9239c1a..0596facdd4d 100644
--- a/bin/tests/system/mkeys/ns2/named.conf.in
+++ b/bin/tests/system/mkeys/ns2/named.conf.in
@@ -24,7 +24,6 @@ options { recursion yes; notify no; dnssec-validation auto; - bindkeys-file "managed.conf"; servfail-ttl 0; };
diff --git a/bin/tests/system/mkeys/ns3/named.args b/bin/tests/system/mkeys/ns3/named.args
index 342cbe328b6..59e443087aa 100644
--- a/bin/tests/system/mkeys/ns3/named.args
+++ b/bin/tests/system/mkeys/ns3/named.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -D mkeys-ns3 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20
+-m record -c named.conf -d 99 -D mkeys-ns3 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in
index d590a315f80..d0b90a9680d 100644
--- a/bin/tests/system/mkeys/ns3/named.conf.in
+++ b/bin/tests/system/mkeys/ns3/named.conf.in
@@ -24,7 +24,6 @@ options { recursion yes; notify no; dnssec-validation auto; - bindkeys-file "managed.conf"; trust-anchor-telemetry no; };
diff --git a/bin/tests/system/mkeys/ns4/named.args b/bin/tests/system/mkeys/ns4/named.args
new file mode 100644
index 00000000000..13d33dab2dc
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D mkeys-ns4 -g -T maxcachesize=2097152 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in
index 1ad75aa0cf2..5748e6a581d 100644
--- a/bin/tests/system/mkeys/ns4/named.conf.in
+++ b/bin/tests/system/mkeys/ns4/named.conf.in
@@ -24,7 +24,6 @@ options { recursion yes; notify no; dnssec-validation auto; - bindkeys-file "managed.conf"; managed-keys-directory "nope"; };
diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in
index 866997102d7..bb10716f799 100644
--- a/bin/tests/system/mkeys/ns5/named.conf.in
+++ b/bin/tests/system/mkeys/ns5/named.conf.in
@@ -24,7 +24,6 @@ options { recursion yes; notify no; dnssec-validation auto; - bindkeys-file "managed.conf"; servfail-ttl 0; };
diff --git a/bin/tests/system/mkeys/ns5/named1.args b/bin/tests/system/mkeys/ns5/named1.args
index cd9a2283ed9..48724e9f539 100644
--- a/bin/tests/system/mkeys/ns5/named1.args
+++ b/bin/tests/system/mkeys/ns5/named1.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -g -T maxcachesize=2097152
+-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T mkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns5/named2.args b/bin/tests/system/mkeys/ns5/named2.args
index a2514480879..54cffb80c54 100644
--- a/bin/tests/system/mkeys/ns5/named2.args
+++ b/bin/tests/system/mkeys/ns5/named2.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T mkeytimers=2/20/40
+-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T bindkeys=managed.conf -T mkeytimers=2/20/40
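Review bot: named1.args for mkeys/ns5 adds `-T mkeys=managed.conf`, but the option parse_T_opt learns in the main.c hunk is `bindkeys=`, and named2.args in the very next hunk uses `-T bindkeys=managed.conf` for the same server. Unless `mkeys=` is recognised somewhere outside this diff, the first ns5 run no longer loads managed.conf at all and silently exercises the built-in root key instead, which is exactly the case the removed `bindkeys-file "managed.conf";` line in ns5/named.conf.in used to cover for both runs. The line should read `-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T bindkeys=managed.conf`.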
diff --git a/bin/tests/system/mkeys/ns7/named.args b/bin/tests/system/mkeys/ns7/named.args
new file mode 100644
index 00000000000..cff7a1bf6c0
--- /dev/null
+++ b/bin/tests/system/mkeys/ns7/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D mkeys-ns7 -g -T maxcachesize=2097152 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
index 7ccf59ef604..17c8985172b 100644
--- a/bin/tests/system/mkeys/ns7/named.conf.in
+++ b/bin/tests/system/mkeys/ns7/named.conf.in
@@ -24,7 +24,6 @@ options { recursion yes; notify no; dnssec-validation auto; - bindkeys-file "managed.conf"; }; key rndc_key {
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 110d34cf08c..8f29cdcba7e 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1501,14 +1501,6 @@ default is used. default is ``named.stats`` in the server's current directory. The format of the file is described in :ref:`statsfile`. -.. namedconf:statement:: bindkeys-file - :tags: dnssec - :short: Specifies the pathname of a file to override the built-in trusted keys provided by :iscman:`named`. - - This is the pathname of a file to override the built-in trusted keys provided - by :iscman:`named`. See the discussion of :any:`dnssec-validation` for - details. This is intended for server testing. - .. namedconf:statement:: secroots-file :tags: dnssec :short: Specifies the pathname of the file where the server dumps security roots, when using :option:`rndc secroots`.
diff --git a/doc/misc/options b/doc/misc/options
index c5a5193183c..39b7d2f4a96 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -84,7 +84,6 @@ options { attach-cache ; auth-nxdomain ; automatic-interface-scan ; - bindkeys-file ; // test only blackhole { ; ... }; catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore );
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index f6df82d9952..4b022cefe28 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1194,7 +1194,8 @@ static cfg_clausedef_t namedconf_or_view_clauses[] = { }; /*% - * Clauses that can occur in the bind.keys file. + * Clauses that can occur in a trust anchor file (previously + * called bind.keys). */ static cfg_clausedef_t bindkeys_clauses[] = { { "managed-keys", &cfg_type_dnsseckeys,
@@ -1218,7 +1219,7 @@ static cfg_clausedef_t options_clauses[] = { { "automatic-interface-scan", &cfg_type_boolean, 0 }, { "avoid-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "avoid-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT }, - { "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY }, + { "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT }, { "blackhole", &cfg_type_bracketed_aml, 0 }, { "cookie-algorithm", &cfg_type_cookiealg, 0 }, { "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },
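Review bot: Moving `bindkeys-file` from CFG_CLAUSEFLAG_TESTONLY to CFG_CLAUSEFLAG_ANCIENT in the options_clauses hunk means a named.conf that still carries the statement is rejected at parse time rather than warned about, assuming ANCIENT is handled the same way as for the `avoid-v4-udp-ports` entries beside it. That is the right outcome for a knob that could replace the built-in root trust anchor, but the commit message only says the option was "replaced", so one sentence there or in a release note stating that existing configurations containing it will fail to load would spare operators a surprise on upgrade. The reworded bindkeys_clauses comment still leaves the reader to connect "trust anchor file" with the `cfg_type_bindkeys` name used in the server.c hunks; `(the bind.keys format, loaded only via "-T bindkeys=")` would close that gap.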