From: Evan Hunt <each@isc.org>
Date: Mon, 30 Apr 2018 23:10:17 +0000 (-0700)
Subject: option to disable validation under specified names
X-Git-Tag: v9.13.3~58^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eaac2057c7881b051b52bcd3948a9ede449e63e6;p=thirdparty%2Fbind9.git

option to disable validation under specified names

- added new 'validate-except' option, which configures an NTA with
  expiry of 0xffffffff.  NTAs with that value in the expiry field do not
  expire, are are not written out when saving the NTA table and are not
  dumped by rndc secroots
---

diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 8587f7283cd..0a6c7bde3e2 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -13,7 +13,7 @@
 
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
-    <date>2018-05-29</date>
+    <date>2018-06-21</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -224,9 +224,9 @@ options {
 	coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
 	datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
 	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
-	    except-from { <replaceable>quoted_string</replaceable>; ... } ];
-	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
-	    <replaceable>quoted_string</replaceable>; ... } ];
+	    except-from { <replaceable>string</replaceable>; ... } ];
+	deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
+	    } ];
 	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	directory <replaceable>quoted_string</replaceable>;
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
@@ -257,14 +257,12 @@ options {
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
-	dnstap { ( all | auth | client | forwarder |
-	    resolver ) [ ( query | response ) ]; ... };
-	dnstap-identity ( <replaceable>quoted_string</replaceable> | none |
-	    hostname );
-	dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [
-	    size ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
-	    unlimited | <replaceable>integer</replaceable> ) ] [ suffix ( increment
-	    | timestamp ) ];
+	dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+	    response ) ]; ... };
+	dnstap-identity ( <replaceable>quoted_string</replaceable> | none | hostname );
+	dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
+	    <replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
+	    increment | timestamp ) ];
 	dnstap-version ( <replaceable>quoted_string</replaceable> | none );
 	dscp <replaceable>integer</replaceable>;
 	dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
@@ -362,7 +360,7 @@ options {
 	preferred-glue <replaceable>string</replaceable>;
 	prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	provide-ixfr <replaceable>boolean</replaceable>;
-	qname-minimization ( strict | relaxed | disabled );
+	qname-minimization ( strict | relaxed | disabled | off );
 	query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
 	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
 	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
@@ -413,7 +411,7 @@ options {
 	    nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
 	    dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
 	    } ];
-	root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
 	root-key-sentinel <replaceable>boolean</replaceable>;
 	rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
 	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
@@ -463,6 +461,7 @@ options {
 	use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
 	use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
 	v6-bias <replaceable>integer</replaceable>;
+	validate-except { <replaceable>string</replaceable>; ... };
 	version ( <replaceable>quoted_string</replaceable> | none );
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
@@ -574,9 +573,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	cleaning-interval <replaceable>integer</replaceable>;
 	clients-per-query <replaceable>integer</replaceable>;
 	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
-	    except-from { <replaceable>quoted_string</replaceable>; ... } ];
-	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
-	    <replaceable>quoted_string</replaceable>; ... } ];
+	    except-from { <replaceable>string</replaceable>; ... } ];
+	deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
+	    } ];
 	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
 	    ... };
@@ -610,8 +609,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
-	dnstap { ( all | auth | client | forwarder |
-	    resolver ) [ ( query | response ) ]; ... };
+	dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+	    response ) ]; ... };
 	dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
 	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
 	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
@@ -689,7 +688,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	preferred-glue <replaceable>string</replaceable>;
 	prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	provide-ixfr <replaceable>boolean</replaceable>;
-	qname-minimization ( strict | relaxed | disabled );
+	qname-minimization ( strict | relaxed | disabled | off );
 	query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
 	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
 	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
@@ -735,7 +734,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	    nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
 	    dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
 	    } ];
-	root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
 	root-key-sentinel <replaceable>boolean</replaceable>;
 	rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
 	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
@@ -797,6 +796,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	update-check-ksk <replaceable>boolean</replaceable>;
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
 	v6-bias <replaceable>integer</replaceable>;
+	validate-except { <replaceable>string</replaceable>; ... };
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
 	zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
@@ -878,7 +878,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 		serial-update-method ( date | increment | unixtime );
 		server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [
 		    port <replaceable>integer</replaceable> ]; ... };
-		server-names { <replaceable>quoted_string</replaceable>; ... };
+		server-names { <replaceable>string</replaceable>; ... };
 		sig-signing-nodes <replaceable>integer</replaceable>;
 		sig-signing-signatures <replaceable>integer</replaceable>;
 		sig-signing-type <replaceable>integer</replaceable>;
@@ -982,7 +982,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	serial-update-method ( date | increment | unixtime );
 	server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port
 	    <replaceable>integer</replaceable> ]; ... };
-	server-names { <replaceable>quoted_string</replaceable>; ... };
+	server-names { <replaceable>string</replaceable>; ... };
 	sig-signing-nodes <replaceable>integer</replaceable>;
 	sig-signing-signatures <replaceable>integer</replaceable>;
 	sig-signing-type <replaceable>integer</replaceable>;
diff --git a/bin/named/server.c b/bin/named/server.c
index 4660ad557df..2145578736a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3692,6 +3692,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	isc_dscp_t dscp4 = -1, dscp6 = -1;
 	dns_dyndbctx_t *dctx = NULL;
 	unsigned int resolver_param;
+	dns_ntatable_t *ntatable = NULL;
 	const char *qminmode = NULL;
 
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -5348,8 +5349,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 		CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), 0,
 					  NULL));
 		view->redirectzone = name;
-	} else
+	} else {
 		view->redirectzone = NULL;
+	}
+
+	/*
+	 * Exceptions to DNSSEC validation.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "validate-except", &obj);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_view_getntatable(view, &ntatable);
+	}
+	if (result == ISC_R_SUCCESS) {
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			dns_fixedname_t fntaname;
+			dns_name_t *ntaname;
+
+			ntaname = dns_fixedname_initname(&fntaname);
+			obj = cfg_listelt_value(element);
+			CHECK(dns_name_fromstring(ntaname,
+						  cfg_obj_asstring(obj),
+						  0, NULL));
+			CHECK(dns_ntatable_add(ntatable, ntaname,
+					       true, 0, 0xffffffffU));
+		}
+	}
 
 #ifdef HAVE_DNSTAP
 	/*
@@ -5362,35 +5390,51 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	result = ISC_R_SUCCESS;
 
  cleanup:
-	if (clients != NULL)
+	if (ntatable != NULL) {
+		dns_ntatable_detach(&ntatable);
+	}
+	if (clients != NULL) {
 		dns_acl_detach(&clients);
-	if (mapped != NULL)
+	}
+	if (mapped != NULL) {
 		dns_acl_detach(&mapped);
-	if (excluded != NULL)
+	}
+	if (excluded != NULL) {
 		dns_acl_detach(&excluded);
-	if (ring != NULL)
+	}
+	if (ring != NULL) {
 		dns_tsigkeyring_detach(&ring);
-	if (zone != NULL)
+	}
+	if (zone != NULL) {
 		dns_zone_detach(&zone);
-	if (dispatch4 != NULL)
+	}
+	if (dispatch4 != NULL) {
 		dns_dispatch_detach(&dispatch4);
-	if (dispatch6 != NULL)
+	}
+	if (dispatch6 != NULL) {
 		dns_dispatch_detach(&dispatch6);
-	if (resstats != NULL)
+	}
+	if (resstats != NULL) {
 		isc_stats_detach(&resstats);
-	if (resquerystats != NULL)
+	}
+	if (resquerystats != NULL) {
 		dns_stats_detach(&resquerystats);
-	if (order != NULL)
+	}
+	if (order != NULL) {
 		dns_order_detach(&order);
-	if (cmctx != NULL)
+	}
+	if (cmctx != NULL) {
 		isc_mem_detach(&cmctx);
-	if (hmctx != NULL)
+	}
+	if (hmctx != NULL) {
 		isc_mem_detach(&hmctx);
-
-	if (cache != NULL)
+	}
+	if (cache != NULL) {
 		dns_cache_detach(&cache);
-	if (dctx != NULL)
+	}
+	if (dctx != NULL) {
 		dns_dyndb_destroyctx(&dctx);
+	}
 
 	return (result);
 }
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 6d58e43550f..8fb844fb2fd 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -65,6 +65,9 @@ options {
 	max-cache-size 20000000000000;
 	nta-lifetime 604800;
 	nta-recheck 604800;
+	validate-except {
+		"corp";
+	};
 	transfer-source 0.0.0.0 dscp 63;
 	zone-statistics none;
 };
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a0e195efd14..0ee094c4a64 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6646,6 +6646,24 @@ options {
 	      </listitem>
 	    </varlistentry>
 
+	    <varlistentry>
+	      <term><command>validate-except</command></term>
+	      <listitem>
+		<para>
+		  Specifies a list of domain names at and beneath which DNSSEC
+		  validation should <emphasis>not</emphasis> be performed,
+		  regardless of the presence of a trust anchor at or above
+		  those names.  This may be used, for example, when configuring
+		  a top-level domain intended only for local use, so that the
+		  lack of a secure delegation for that domain in the root zone
+		  will not cause validation failures.  (This is similar
+		  to setting a negative trust anchor, except that it is a
+		  permanent configuration, whereas negative trust anchors
+		  expire and are removed after a set period of time.)
+		</para>
+	      </listitem>
+	    </varlistentry>
+
 	    <varlistentry>
 	      <term><command>dnssec-accept-expired</command></term>
 	      <listitem>
diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
index ef3f33ce9bb..41c115c4a0f 100644
--- a/doc/arm/options.grammar.xml
+++ b/doc/arm/options.grammar.xml
@@ -63,9 +63,9 @@
 	<command>coresize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
 	<command>datasize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
 	<command>deny-answer-addresses</command> { <replaceable>address_match_element</replaceable>; ... } [
-	    <command>except-from</command> { <replaceable>quoted_string</replaceable>; ... } ];
-	<command>deny-answer-aliases</command> { <replaceable>quoted_string</replaceable>; ... } [ except-from {
-	    <replaceable>quoted_string</replaceable>; ... } ];
+	    <command>except-from</command> { <replaceable>string</replaceable>; ... } ];
+	<command>deny-answer-aliases</command> { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
+	    } ];
 	<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	<command>directory</command> <replaceable>quoted_string</replaceable>;
 	<command>disable-algorithms</command> <replaceable>string</replaceable> { <replaceable>string</replaceable>;
@@ -96,14 +96,12 @@
 	<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
 	<command>dnssec-update-mode</command> ( maintain | no-resign );
 	<command>dnssec-validation</command> ( yes | no | auto );
-	<command>dnstap</command> { ( all | auth | client | forwarder |
-	    <command>resolver</command> ) [ ( query | response ) ]; ... };
-	<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none |
-	    <command>hostname</command> );
-	<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [
-	    <command>size</command> ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
-	    <command>unlimited</command> | <replaceable>integer</replaceable> ) ] [ suffix ( increment
-	    | timestamp ) ];
+	<command>dnstap</command> { ( all | auth | client | forwarder | resolver ) [ ( query |
+	    <command>response</command> ) ]; ... };
+	<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none | hostname );
+	<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
+	    <replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
+	    <command>increment</command> | timestamp ) ];
 	<command>dnstap-version</command> ( <replaceable>quoted_string</replaceable> | none );
 	<command>dscp</command> <replaceable>integer</replaceable>;
 	<command>dual-stack-servers</command> [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
@@ -202,7 +200,7 @@
 	<command>preferred-glue</command> <replaceable>string</replaceable>;
 	<command>prefetch</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	<command>provide-ixfr</command> <replaceable>boolean</replaceable>;
-	<command>qname-minimization</command> ( strict | relaxed | disabled );
+	<command>qname-minimization</command> ( strict | relaxed | disabled | off );
 	<command>query-source</command> ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
 	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
 	    <command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
@@ -253,7 +251,7 @@
 	    <command>nsip-enable</command> <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
 	    <command>dnsrps-enable</command> <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
 	    } ];
-	<command>root-delegation-only</command> [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	<command>root-delegation-only</command> [ exclude { <replaceable>string</replaceable>; ... } ];
 	<command>root-key-sentinel</command> <replaceable>boolean</replaceable>;
 	<command>rrset-order</command> { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
 	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
@@ -303,6 +301,7 @@
 	<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
 	<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
 	<command>v6-bias</command> <replaceable>integer</replaceable>;
+	<command>validate-except</command> { <replaceable>string</replaceable>; ... };
 	<command>version</command> ( <replaceable>quoted_string</replaceable> | none );
 	<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
 	<command>zero-no-soa-ttl-cache</command> <replaceable>boolean</replaceable>;
diff --git a/doc/arm/static-stub.zoneopt.xml b/doc/arm/static-stub.zoneopt.xml
index 84e9bb0f41d..4aadf689367 100644
--- a/doc/arm/static-stub.zoneopt.xml
+++ b/doc/arm/static-stub.zoneopt.xml
@@ -19,7 +19,7 @@
 	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
 	<command>max-records</command> <replaceable>integer</replaceable>;
 	<command>server-addresses</command> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ]; ... };
-	<command>server-names</command> { <replaceable>quoted_string</replaceable>; ... };
+	<command>server-names</command> { <replaceable>string</replaceable>; ... };
 	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
 };
 </programlisting>
diff --git a/doc/misc/options b/doc/misc/options
index 41686fb475b..c0ad48b30a0 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -113,9 +113,9 @@ options {
         datasize ( default | unlimited | <sizeval> );
         deallocate-on-exit <boolean>; // obsolete
         deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
-            <quoted_string>; ... } ];
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
         dialup ( notify | notify-passive | passive | refresh | <boolean> );
         directory <quoted_string>;
         disable-algorithms <string> { <string>;
@@ -146,15 +146,13 @@ options {
         dnssec-secure-to-insecure <boolean>;
         dnssec-update-mode ( maintain | no-resign );
         dnssec-validation ( yes | no | auto );
-        dnstap { ( all | auth | client | forwarder |
-            resolver ) [ ( query | response ) ]; ... }; // not configured
-        dnstap-identity ( <quoted_string> | none |
-            hostname ); // not configured
-        dnstap-output ( file | unix ) <quoted_string> [
-            size ( unlimited | <size> ) ] [ versions (
-            unlimited | <integer> ) ] [ suffix ( increment
-            | timestamp ) ]; // not configured
-        dnstap-version ( <quoted_string> | none ); // not configured
+        dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+            response ) ]; ... };
+        dnstap-identity ( <quoted_string> | none | hostname );
+        dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
+            <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
+            increment | timestamp ) ];
+        dnstap-version ( <quoted_string> | none );
         dscp <integer>;
         dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
             <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
@@ -178,14 +176,14 @@ options {
         forward ( first | only );
         forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
-        fstrm-set-buffer-hint <integer>; // not configured
-        fstrm-set-flush-timeout <integer>; // not configured
-        fstrm-set-input-queue-size <integer>; // not configured
-        fstrm-set-output-notify-threshold <integer>; // not configured
-        fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
-        fstrm-set-output-queue-size <integer>; // not configured
-        fstrm-set-reopen-interval <ttlval>; // not configured
-        geoip-directory ( <quoted_string> | none ); // not configured
+        fstrm-set-buffer-hint <integer>;
+        fstrm-set-flush-timeout <integer>;
+        fstrm-set-input-queue-size <integer>;
+        fstrm-set-output-notify-threshold <integer>;
+        fstrm-set-output-queue-model ( mpsc | spsc );
+        fstrm-set-output-queue-size <integer>;
+        fstrm-set-reopen-interval <ttlval>;
+        geoip-directory ( <quoted_string> | none );
         geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>;
         has-old-clients <boolean>; // obsolete
@@ -321,7 +319,7 @@ options {
             dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
             } ];
         rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-delegation-only [ exclude { <string>; ... } ];
         root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
@@ -380,6 +378,7 @@ options {
         use-v4-udp-ports { <portrange>; ... };
         use-v6-udp-ports { <portrange>; ... };
         v6-bias <integer>;
+        validate-except { <string>; ... };
         version ( <quoted_string> | none );
         zero-no-soa-ttl <boolean>;
         zero-no-soa-ttl-cache <boolean>;
@@ -478,9 +477,9 @@ view <string> [ <class> ] {
         cleaning-interval <integer>;
         clients-per-query <integer>;
         deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
-            <quoted_string>; ... } ];
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
         dialup ( notify | notify-passive | passive | refresh | <boolean> );
         disable-algorithms <string> { <string>;
             ... }; // may occur multiple times
@@ -514,8 +513,8 @@ view <string> [ <class> ] {
         dnssec-secure-to-insecure <boolean>;
         dnssec-update-mode ( maintain | no-resign );
         dnssec-validation ( yes | no | auto );
-        dnstap { ( all | auth | client | forwarder |
-            resolver ) [ ( query | response ) ]; ... }; // not configured
+        dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+            response ) ]; ... };
         dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
             <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
             <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
@@ -651,7 +650,7 @@ view <string> [ <class> ] {
             dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
             } ];
         rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-delegation-only [ exclude { <string>; ... } ];
         root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
@@ -718,6 +717,7 @@ view <string> [ <class> ] {
         use-alt-transfer-source <boolean>;
         use-queryport-pool <boolean>; // obsolete
         v6-bias <integer>;
+        validate-except { <string>; ... };
         zero-no-soa-ttl <boolean>;
         zero-no-soa-ttl-cache <boolean>;
         zone <string> [ <class> ] {
@@ -805,7 +805,7 @@ view <string> [ <class> ] {
                 serial-update-method ( date | increment | unixtime );
                 server-addresses { ( <ipv4_address> | <ipv6_address> ) [
                     port <integer> ]; ... };
-                server-names { <quoted_string>; ... };
+                server-names { <string>; ... };
                 sig-signing-nodes <integer>;
                 sig-signing-signatures <integer>;
                 sig-signing-type <integer>;
@@ -910,7 +910,7 @@ zone <string> [ <class> ] {
         serial-update-method ( date | increment | unixtime );
         server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
             <integer> ]; ... };
-        server-names { <quoted_string>; ... };
+        server-names { <string>; ... };
         sig-signing-nodes <integer>;
         sig-signing-signatures <integer>;
         sig-signing-type <integer>;
diff --git a/doc/misc/static-stub.zoneopt b/doc/misc/static-stub.zoneopt
index 74abe0b137c..809daf38e73 100644
--- a/doc/misc/static-stub.zoneopt
+++ b/doc/misc/static-stub.zoneopt
@@ -6,6 +6,6 @@ zone <string> [ <class> ] {
 	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
 	max-records <integer>;
 	server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
-	server-names { <quoted_string>; ... };
+	server-names { <string>; ... };
 	zone-statistics ( full | terse | none | <boolean> );
 };
diff --git a/lib/dns/include/dns/nta.h b/lib/dns/include/dns/nta.h
index 8221aade878..21af6499c3e 100644
--- a/lib/dns/include/dns/nta.h
+++ b/lib/dns/include/dns/nta.h
@@ -122,9 +122,12 @@ dns_ntatable_add(dns_ntatable_t *ntatable, const dns_name_t *name,
 		 uint32_t lifetime);
 /*%<
  * Add a negative trust anchor to 'ntatable' for name 'name',
- * which will expire at time 'now' + 'lifetime'.  If 'force' is false,
- * then the name will be checked periodically to see if it's bogus;
- * if not, then the NTA will be allowed to expire early.
+ * which will expire at time 'now' + 'lifetime'.  If 'force' is true,
+ * then the NTA will persist for the entire specified lifetime.
+ * If it is false, then the name will be queried periodically and
+ * validation will be attempted to see whether it's still bogus;
+ * if validation is successful, the NTA will be allowed to expire
+ * early and validation below the NTA will resume.
  *
  * Notes:
  *
diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index 6cede2a6a76..f90a80a909b 100644
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -547,69 +547,28 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
 			dns_name_t *name;
 			isc_time_t t;
 
-			name = dns_fixedname_initname(&fn);
-			dns_rbt_fullnamefromnode(node, name);
-			dns_name_format(name, nbuf, sizeof(nbuf));
-			isc_time_set(&t, n->expiry, 0);
-			isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
-
-			snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
-				 first ? "" : "\n", nbuf,
-				 n->expiry <= now ? "expired" : "expiry",
-				 tbuf);
-			first = false;
-			result = putstr(buf, obuf);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-		}
-		result = dns_rbtnodechain_next(&chain, NULL, NULL);
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-			if (result == ISC_R_NOMORE)
-				result = ISC_R_SUCCESS;
-			break;
-		}
-	}
-
-   cleanup:
-	dns_rbtnodechain_invalidate(&chain);
-	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
-	return (result);
-}
-
-#if 0
-isc_result_t
-dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
-	isc_result_t result;
-	dns_rbtnode_t *node;
-	dns_rbtnodechain_t chain;
-	isc_stdtime_t now;
-
-	REQUIRE(VALID_NTATABLE(ntatable));
-
-	isc_stdtime_get(&now);
-
-	RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
-	dns_rbtnodechain_init(&chain, ntatable->view->mctx);
-	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
-	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
-		goto cleanup;
-	for (;;) {
-		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
-		if (node->data != NULL) {
-			dns_nta_t *n = (dns_nta_t *) node->data;
-			char nbuf[DNS_NAME_FORMATSIZE], tbuf[80];
-			dns_fixedname_t fn;
-			dns_name_t *name;
-			isc_time_t t;
-
-			name = dns_fixedname_initname(&fn);
-			dns_rbt_fullnamefromnode(node, name);
-			dns_name_format(name, nbuf, sizeof(nbuf));
-			isc_time_set(&t, n->expiry, 0);
-			isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
-			fprintf(fp, "%s: %s %s\n", nbuf,
-				n->expiry <= now ? "expired" : "expiry",
-				tbuf);
+			/*
+			 * Skip "validate-except" entries.
+			 */
+			if (n->expiry != 0xffffffffU) {
+				name = dns_fixedname_initname(&fn);
+				dns_rbt_fullnamefromnode(node, name);
+				dns_name_format(name, nbuf, sizeof(nbuf));
+				isc_time_set(&t, n->expiry, 0);
+				isc_time_formattimestamp(&t, tbuf,
+							 sizeof(tbuf));
+
+				snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
+					 first ? "" : "\n", nbuf,
+					 n->expiry <= now
+					  ? "expired"
+					  : "expiry",
+					 tbuf);
+				first = false;
+				result = putstr(buf, obuf);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+			}
 		}
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
 		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
@@ -624,7 +583,6 @@ dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
 	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
 	return (result);
 }
-#endif
 
 isc_result_t
 dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
@@ -674,35 +632,41 @@ dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
 	for (;;) {
 		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
 		if (node->data != NULL) {
+			isc_buffer_t b;
+			char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
+			dns_fixedname_t fn;
+			dns_name_t *name;
 			dns_nta_t *n = (dns_nta_t *) node->data;
-			if (n->expiry > now) {
-				isc_buffer_t b;
-				char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
-				dns_fixedname_t fn;
-				dns_name_t *name;
 
-				name = dns_fixedname_initname(&fn);
-				dns_rbt_fullnamefromnode(node, name);
+			/*
+			 * Skip this node if the expiry is already in the
+			 * past, or if this is a "validate-except" entry.
+			 */
+			if (n->expiry <= now || n->expiry == 0xffffffffU) {
+				goto skip;
+			}
 
-				isc_buffer_init(&b, nbuf, sizeof(nbuf));
-				result = dns_name_totext(name, false, &b);
-				if (result != ISC_R_SUCCESS)
-					goto skip;
+			name = dns_fixedname_initname(&fn);
+			dns_rbt_fullnamefromnode(node, name);
 
-				/* Zero terminate. */
-				isc_buffer_putuint8(&b, 0);
+			isc_buffer_init(&b, nbuf, sizeof(nbuf));
+			result = dns_name_totext(name, false, &b);
+			if (result != ISC_R_SUCCESS)
+				goto skip;
 
-				isc_buffer_init(&b, tbuf, sizeof(tbuf));
-				dns_time32_totext(n->expiry, &b);
+			/* Zero terminate. */
+			isc_buffer_putuint8(&b, 0);
 
-				/* Zero terminate. */
-				isc_buffer_putuint8(&b, 0);
+			isc_buffer_init(&b, tbuf, sizeof(tbuf));
+			dns_time32_totext(n->expiry, &b);
 
-				fprintf(fp, "%s %s %s\n", nbuf,
-					n->forced ? "forced" : "regular",
-					tbuf);
-				written = true;
-			}
+			/* Zero terminate. */
+			isc_buffer_putuint8(&b, 0);
+
+			fprintf(fp, "%s %s %s\n", nbuf,
+				n->forced ? "forced" : "regular",
+				tbuf);
+			written = true;
 		}
 	skip:
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 0c026f89911..3f6336d898f 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1155,7 +1155,7 @@ options_clauses[] = {
 
 static cfg_type_t cfg_type_namelist = {
 	"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
 };
 
 static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
@@ -1976,6 +1976,7 @@ view_clauses[] = {
 	{ "trust-anchor-telemetry", &cfg_type_boolean,
 	  CFG_CLAUSEFLAG_EXPERIMENTAL },
 	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "validate-except", &cfg_type_namelist, 0 },
 	{ "v6-bias", &cfg_type_uint32, 0 },
 	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }