check-wildcard yes;\n\
dialup no;\n\
dnssec-loadkeys-interval 60;\n\
- dnssec-update-mode maintain;\n\
# forward <none>\n\
# forwarders <none>\n\
# inline-signing no;\n\
}
/* Next resign event */
- if (secure &&
- (zonetype == dns_zone_primary ||
- (zonetype == dns_zone_secondary && hasraw)) &&
- ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_NORESIGN) == 0))
+ if (secure && (zonetype == dns_zone_primary ||
+ (zonetype == dns_zone_secondary && hasraw)))
{
dns_name_t *name;
dns_fixedname_t fixed;
dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
ignore);
- obj = NULL;
- result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
- if (result == ISC_R_SUCCESS) {
- const char *arg = cfg_obj_asstring(obj);
- if (strcasecmp(arg, "no-resign") == 0) {
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN,
- true);
- } else if (strcasecmp(arg, "maintain") == 0) {
- /* Default */
- } else {
- UNREACHABLE();
- }
- }
-
obj = NULL;
result = named_config_get(maps, "serial-update-method", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
type primary;
file "nsec3.db";
dnssec-policy "test";
- dnssec-update-mode maintain;
inline-signing no;
};
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
rm -f ./dsfromkey.out.*
rm -f ./keygen.err
rm -f ./named.secroots.test*
-rm -f ./nosign.before
rm -f ./ns*/*.nta
rm -f ./ns*/managed-keys.bind ./ns*/managed-keys.bind.jnl ./ns*/*.mkeys*
rm -f ./ns*/named.lock
rm -f ./ns3/dnskey-unsupported.example.db.tmp
rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
-rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
+rm -f ./ns3/expiring.example.db
rm -f ./ns3/future.example.db ./ns3/trusted-future.key
rm -f ./ns3/inline.example.db.signed
rm -f ./ns3/kskonly.example.db
file "expiring.example.db.signed";
};
-zone "nosign.example" {
- type primary;
- allow-update { any; };
- dnssec-update-mode no-resign;
- file "nosign.example.db.signed";
-};
-
zone "upper.example" {
type primary;
file "upper.example.db.signed";
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
-#
-# Zone with signatures about to expire, and dynamic, but configured
-# not to resign with 'auto-resign no;'
-#
-zone="nosign.example."
-infile="nosign.example.db.in"
-zonefile="nosign.example.db"
-signedfile="nosign.example.db.signed"
-kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
-cp "$infile" "$zonefile"
-"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
-# preserve a normalized copy of the NS RRSIG for comparison later
-$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
- awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
- sed 's/[ ][ ]*/ /g'> ../nosign.before
-
#
# An inline signing zone
#
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
-echo_i "testing new records are signed with 'no-resign' ($n)"
-ret=0
-(
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add new.nosign.example 300 in txt "hi there"
-echo send
-) | $NSUPDATE
-sleep 1
-dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \
- > dig.out.ns3.test$n 2>&1
-grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "testing expiring records aren't resigned with 'no-resign' ($n)"
-ret=0
-dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \
- grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
-# the NS RRSIG should not be changed
-diff nosign.before dig.out.ns3.test$n > /dev/null|| ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "testing updates fail with no private key ($n)"
-ret=0
-rm -f ns3/Knosign.example.*.private
-(
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add fail.nosign.example 300 in txt "reject me"
-echo send
-) | $NSUPDATE > /dev/null 2>&1 && ret=1
-dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \
- > dig.out.ns3.test$n 2>&1
-[ -s dig.out.ns3.test$n ] && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
echo_i "testing legacy upper case signer name validation ($n)"
ret=0
$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \
The default is ``none``.
.. namedconf:statement:: dnssec-update-mode
- :tags: dnssec
- :short: Controls the scheduled maintenance of DNSSEC signatures.
-
- If this option is set to its default value of ``maintain`` in a zone
- of :any:`type primary` which is DNSSEC-signed and configured to allow
- dynamic updates (see :ref:`dynamic_update_policies`), and if :iscman:`named` has access
- to the private signing key(s) for the zone, then :iscman:`named`
- automatically signs all new or changed records and maintains signatures
- for the zone by regenerating RRSIG records whenever they approach
- their expiration date.
-
- If the option is changed to ``no-resign``, then :iscman:`named` signs
- all new or changed records, but scheduled maintenance of signatures
- is disabled.
+ :tags: obsolete
- With either of these settings, :iscman:`named` rejects updates to a
- DNSSEC-signed zone when the signing keys are inactive or unavailable
- to :iscman:`named`. (A planned third option, ``external``, will disable all
- automatic signing and allow DNSSEC data to be submitted into a zone
- via dynamic update; this is not yet implemented.)
+ This option no longer has any effect.
.. namedconf:statement:: nta-lifetime
:tags: dnssec
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
- dnssec-update-mode ( maintain | no-resign );
+ dnssec-update-mode ( maintain | no-resign ); // obsolete
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
dnstap-identity ( <quoted_string> | none | hostname ); // not configured
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
- dnssec-update-mode ( maintain | no-resign );
+ dnssec-update-mode ( maintain | no-resign ); // obsolete
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
- dnssec-update-mode ( maintain | no-resign );
+ dnssec-update-mode ( maintain | no-resign ); // obsolete
file <quoted_string>;
forward ( first | only );
forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
- dnssec-update-mode ( maintain | no-resign );
+ dnssec-update-mode ( maintain | no-resign ); // obsolete
file <quoted_string>;
forward ( first | only );
forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
DNS_ZONEKEY_MAINTAIN = 0x00000002U, /*%< publish/sign on schedule */
DNS_ZONEKEY_CREATE = 0x00000004U, /*%< make keys when needed */
DNS_ZONEKEY_FULLSIGN = 0x00000008U, /*%< roll to new keys immediately */
- DNS_ZONEKEY_NORESIGN = 0x00000010U, /*%< no automatic resigning */
DNS_ZONEKEY___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
} dns_zonekey_t;
}
is_dynamic = dns_zone_isdynamic(zone, false);
- if (zone->type == dns_zone_primary &&
- !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
- is_dynamic && dns_db_issecure(db))
+ if (zone->type == dns_zone_primary && is_dynamic &&
+ dns_db_issecure(db))
{
dns_name_t *name;
dns_fixedname_t fixed;
zonediff_init(&zonediff, &_sig_diff);
/*
- * Zone is frozen or automatic resigning is disabled.
- * Pause for 5 minutes.
+ * Zone is frozen. Pause for 5 minutes.
*/
- if (zone->update_disabled ||
- DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN))
- {
+ if (zone->update_disabled) {
result = ISC_R_FAILURE;
goto failure;
}
"zone");
result = ISC_R_FAILURE;
}
-
- obj = NULL;
- res1 = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
- if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-update-mode: cannot be configured "
- "if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
}
/*
{ "dnssec-secure-to-insecure", &cfg_type_boolean,
CFG_ZONE_PRIMARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "dnssec-update-mode", &cfg_type_dnssecupdatemode,
- CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "forward", &cfg_type_forwardtype,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB |
CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD },
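Review bot: Flagging `dnssec-update-mode` with `CFG_CLAUSEFLAG_OBSOLETE` on the new line means a zone still configured with `no-resign` loads with only the generic obsolete-option warning while named now regenerates RRSIGs on schedule, since the `DNS_ZONEKEY_NORESIGN` checks in zone.c and zoneconf.c are dropped in this change; an operator who used `no-resign` to keep externally produced signatures untouched gets no specific signal of that behaviour change. A one-off warning naming the value where the clause is still read, along the lines of `"dnssec-update-mode no-resign: no longer honoured, signatures will be maintained automatically"`, or at least an explicit release note, would make the transition visible. Separately, the removed system test "testing updates fail with no private key" exercised rejection of dynamic updates to a signed zone whose private key is absent, which is independent of `no-resign`; unless another zone in the dnssec test already covers that rejection path, the case is worth keeping against a remaining dynamic signed zone.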