From: Wouter Wijngaards Date: Wed, 20 May 2015 06:24:06 +0000 (+0000) Subject: - DLV is going to be decommissioned. Advice to stop using it, and X-Git-Tag: release-1.5.4~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5f391d845078a33a43ec3c7a29fa79f338c4611;p=thirdparty%2Funbound.git - DLV is going to be decommissioned. Advice to stop using it, and put text in the example configuration and man page to that effect. git-svn-id: file:///svn/unbound/trunk@3424 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/contrib/unbound.spec_fedora b/contrib/unbound.spec_fedora index 6e02a0964..f8b2e7512 100644 --- a/contrib/unbound.spec_fedora +++ b/contrib/unbound.spec_fedora @@ -18,7 +18,6 @@ Source2: unbound.conf Source3: unbound.munin Source4: unbound_munin_ Source5: root.key -Source6: dlv.isc.org.key Patch1: unbound-1.2-glob.patch Group: System Environment/Daemons @@ -140,7 +139,6 @@ rm -rf ${RPM_BUILD_ROOT} %attr(0755,root,root) %dir %{_sysconfdir}/%{name} %ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name} %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key %{_sbindir}/* %{_mandir}/*/* @@ -178,11 +176,6 @@ exit 0 %post /sbin/chkconfig --add %{name} -# dnssec-conf used to contain our DLV key, but now we include it via unbound -# If unbound had previously been configured with dnssec-configure, we need -# to migrate the location of the DLV key file (to keep DLV enabled, and because -# unbound won't start with a bad location for a DLV key file. -sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf %post libs -p /sbin/ldconfig diff --git a/doc/Changelog b/doc/Changelog index 571c980af..08a42e2c3 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,3 +1,7 @@ +20 May 2015: Wouter + - DLV is going to be decommissioned. Advice to stop using it, and + put text in the example configuration and man page to that effect. + 10 May 2015: Wouter - Change syntax of particular validator error to be easier for machine parse, swap rrset and ip adres info so it looks like: diff --git a/doc/example.conf.in b/doc/example.conf.in index 68a4ef09b..6c54ef2c6 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -362,7 +362,7 @@ server: # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. - # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key + # DLV is going to be decommissioned. Please do not use it any more. # dlv-anchor-file: "dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 90e375f3a..10939b60a 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -680,14 +680,19 @@ It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B dlv\-anchor\-file: \fI +This option was used during early days DNSSEC deployment when no parent-side +DS record registrations were easily available. Nowadays, it is best to have +DS records registered with the parent zone (many top level zones are signed). File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and DNSKEY entries can be used in the file, in the same format as for \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more would be slow. The DLV configured is used as a root trusted DLV, this means that it is a lookaside for the root. Default is "", or no dlv anchor file. +DLV is going to be decommissioned. Please do not use it any more. .TP .B dlv\-anchor: \fI<"Resource Record"> Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. +DLV is going to be decommissioned. Please do not use it any more. .TP .B domain\-insecure: \fI Sets domain name to be insecure, DNSSEC chain of trust is ignored towards diff --git a/validator/validator.c b/validator/validator.c index 3981d4fa1..74068659f 100644 --- a/validator/validator.c +++ b/validator/validator.c @@ -1815,6 +1815,8 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq, /** * Init DLV check. + * DLV is going to be decommissioned, but the code is still here for some time. + * * Called when a query is determined by other trust anchors to be insecure * (or indeterminate). Then we look if there is a key in the DLV. * Performs aggressive negative cache check to see if there is no key. diff --git a/winrc/setup.nsi b/winrc/setup.nsi index cd9fc76df..bf47165f3 100644 --- a/winrc/setup.nsi +++ b/winrc/setup.nsi 
@@ -75,25 +75,6 @@ section "Root anchor - DNSSEC" SectionRootKey AddSize 2 sectionEnd -# the /o means it is not selected by default. -section /o "DLV - dlv.isc.org" SectionDLV - # add estimated size for key (Kb) - AddSize 2 - SetOutPath $INSTDIR - - # libgcc exception lib used by NSISdl plugin (in crosscompile). - File /nonfatal "/oname=$PLUGINSDIR\libgcc_s_sjlj-1.dll" "/usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc_s_sjlj-1.dll" - - NSISdl::download "http://ftp.isc.org/www/dlv/dlv.isc.org.key" "$INSTDIR\dlv.isc.org.key" - Pop $R0 # result from Inetc::get - ${If} $R0 != "success" - MessageBox MB_OK|MB_ICONEXCLAMATION "Download error (ftp.isc.org: $R0), click OK to abort installation" /SD IDOK - SetOutPath "C:\" - RMDir "$INSTDIR" # doesnt work directory in use by us ... - Abort - ${EndIf} -sectionEnd - section "-hidden.postinstall" # copy files setOutPath $INSTDIR @@ -128,25 +109,10 @@ section "-hidden.postinstall" WriteRegStr HKLM "Software\Unbound" "RootAnchor" "" ${EndIf} - # Store DLV choice - SectionGetFlags ${SectionDLV} $R0 - IntOp $R0 $R0 & ${SF_SELECTED} - ${If} $R0 == ${SF_SELECTED} - ClearErrors - FileOpen $R1 "$INSTDIR\service.conf" a - IfErrors done_dlv - FileSeek $R1 0 END - FileWrite $R1 "$\nserver: dlv-anchor-file: $\"$INSTDIR\dlv.isc.org.key$\"$\n" - FileClose $R1 - done_dlv: - WriteRegStr HKLM "Software\Unbound" "CronAction" "$\"$INSTDIR\anchor-update.exe$\" dlv.isc.org $\"$INSTDIR\dlv.isc.org.key$\"" - ${Else} - WriteRegStr HKLM "Software\Unbound" "CronAction" "" - ${EndIf} - # store installation folder WriteRegStr HKLM "Software\Unbound" "InstallLocation" "$INSTDIR" WriteRegStr HKLM "Software\Unbound" "ConfigFile" "$INSTDIR\service.conf" + WriteRegStr HKLM "Software\Unbound" "CronAction" "" WriteRegDWORD HKLM "Software\Unbound" "CronTime" 86400 # uninstaller 
@@ -177,12 +143,10 @@ sectionEnd # set section descriptions LangString DESC_unbound ${LANG_ENGLISH} "The base unbound DNS(SEC) validating caching resolver. $\r$\n$\r$\nStarted at boot from the Services control panel, logs to the Application Log, and the config file is its Program Files folder." LangString DESC_rootkey ${LANG_ENGLISH} "Set up to use the DNSSEC root trust anchor. It is automatically updated. $\r$\n$\r$\nThis provides the main key that is used for security verification." -LangString DESC_dlv ${LANG_ENGLISH} "Set up to use DLV with dlv.isc.org. Downloads the key during install. $\r$\n$\r$\nIt fetches additional public keys that are used for security verification by querying the isc.org server with names encountered." !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN !insertmacro MUI_DESCRIPTION_TEXT ${SectionUnbound} $(DESC_unbound) !insertmacro MUI_DESCRIPTION_TEXT ${SectionRootKey} $(DESC_rootkey) - !insertmacro MUI_DESCRIPTION_TEXT ${SectionDLV} $(DESC_dlv) !insertmacro MUI_FUNCTION_DESCRIPTION_END # setup macros for uninstall functions. @@ -214,7 +178,6 @@ section "un.Unbound" Delete "$INSTDIR\unbound-website.url" Delete "$INSTDIR\service.conf" Delete "$INSTDIR\example.conf" - Delete "$INSTDIR\dlv.isc.org.key" Delete "$INSTDIR\root.key" RMDir "$INSTDIR"
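Review bot: dropping Source6 (dlv.isc.org.key) in the first contrib/unbound.spec_fedora hunk is only half of the removal; the %install section is outside this diff, so check that it no longer copies %{SOURCE6}, otherwise the spec fails to build. Together with the %files entry for %{_sysconfdir}/%{name}/dlv.isc.org.key going away in the second hunk, an upgrade will also delete that key file from systems that previously had it installed.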
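Review bot: removing the sed migration from %post leaves no upgrade path for an existing unbound.conf that still has an active dlv-anchor-file: line, while the package stops shipping the key it points to; the deleted comment itself says that unbound won't start with a bad location for a DLV key file. Because unbound.conf is %config(noreplace) it survives the upgrade untouched, so consider a %post step that comments out dlv-anchor-file: and dlv-anchor: lines (or emits a warning in the package scriptlet) so the resolver still starts after the upgrade.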
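Review bot: grammar in the text added to doc/unbound.conf.5.in under dlv-anchor-file: "during early days DNSSEC deployment" should read "during the early days of DNSSEC deployment". It would also help operators to say what replaces DLV in the same sentence, e.g. "Nowadays, it is best to have DS records registered with the parent zone and to validate from the root trust anchor (many top level zones are signed)", since the root.key is what the package and installer already ship.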
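Review bot: the validator/validator.c hunk only adds a comment, so a running deployment with dlv-anchor-file: or dlv-anchor: configured gets no indication that DLV is going away; the notice exists only in the man page and example.conf hunks. Consider logging a warning at configuration time when either option is set, so the deprecation reaches operators who never reread the documentation before the lookaside zone is decommissioned.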
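Review bot: in the "-hidden.postinstall" hunk of winrc/setup.nsi, writing CronAction as an empty string unconditionally is consistent with removing the DLV section, but an install over a previous version leaves the `server: dlv-anchor-file: "$INSTDIR\dlv.isc.org.key"` line that the old installer appended to service.conf (visible in the removed FileWrite) in place, now pointing at a key that is never updated again. Consider stripping or commenting out that line on upgrade, or at least documenting it in the release notes.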
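Review bot: removing Delete "$INSTDIR\dlv.isc.org.key" from section "un.Unbound" means uninstalling an installation that was upgraded from a version that downloaded the key leaves that file behind, and the following RMDir "$INSTDIR" then fails because the directory is not empty. Keep the Delete for a few releases; it is harmless when the file is absent.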