+2572. [func] Simplify DLV configuration, with a new option
+ "dnssec-lookaside auto;" This is the equivalent
+ of "dnssec-lookaside . trust-anchor dlv.isc.org;"
+ plus setting a trusted-key for dlv.isc.org.
+
+ Note: The trusted key is hard-coded into named,
+ but is also stored in (and can be overridden
+ by) $sysconfdir/bind.keys. As the ISC DLV key
+ rolls over it can be kept up to date by replacing
+ the bind.keys file with a key downloaded from
+ https://www.isc.org/solutions/dlv. [RT #18685]
+
2571. [func] Add a new tool "arpaname" which translates IP addresses
to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
[RT #18976]
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.54 2009/02/18 23:47:48 tbox Exp $
+# $Id: Makefile.in,v 1.55 2009/03/04 02:42:30 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
install:: isc-config.sh installdirs
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_SCRIPT} bind.keys ${DESTDIR}${sysconfdir}
tags:
rm -f TAGS
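Review bot: `bind.keys` is installed with `${INSTALL_SCRIPT}` and without a `${srcdir}/` prefix, whereas the man page on the line above uses `${INSTALL_DATA} ${srcdir}/isc-config.sh.1`; bind.keys is a data file, and without the prefix an out-of-tree build will not find it, so `${INSTALL_DATA} ${srcdir}/bind.keys ${DESTDIR}${sysconfdir}` is the consistent form. Since the CHANGES entry tells administrators to keep the DLV key current by replacing this file, an unconditional copy on every `make install` silently overwrites their updated trust anchor with the shipped (possibly stale) one; consider installing only when the destination does not already exist, or installing under a distinct name such as `bind.keys.dist`. Whether `installdirs` creates `${DESTDIR}${sysconfdir}` is not visible in this hunk.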
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.101 2008/09/23 17:25:47 jinmei Exp $
+# $Id: Makefile.in,v 1.102 2009/03/04 02:42:30 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
-config.@O@: config.c
+bind.keys.h: ${top_srcdir}/bind.keys
+ ${PERL} ${srcdir}/bindkeys.pl < $< > $@
+
+config.@O@: config.c bind.keys.h
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
+ -DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
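Review bot: The new `bind.keys.h` rule uses `$<` in an explicit (non-suffix) rule, which is not portable across make implementations and differs from the `convertxsl.pl` rule later in this file, which spells out its input as `${srcdir}/bind9.xsl`; `${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > bind.keys.h` keeps the two consistent. The generated header lands in the build directory while config.c includes it with `#include "bind.keys.h"`, so in a VPATH build the build directory must be on the include path; whether `ALL_CFLAGS` provides that cannot be confirmed from this hunk.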
rm -f ${MANOBJS}
clean distclean maintainer-clean::
- rm -f ${TARGETS} ${OBJS}
+ rm -f ${TARGETS} ${OBJS} bind.keys.h
bind9.xsl.h: bind9.xsl convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
--- /dev/null
+#define TRUSTED_KEYS "\
+trusted-keys {\n\
+ # NOTE: This key expires September 2009 \n\
+ # Go to https://www.isc.org/solutions/dlv to download a replacement\n\
+ dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
+};\n\
+"
--- /dev/null
+#!/usr/bin/env perl
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: bindkeys.pl,v 1.2 2009/03/04 02:42:30 each Exp $
+
+use strict;
+use warnings;
+
+my $lines = '#define TRUSTED_KEYS "\\' . "\n";
+
+while (<>) {
+ chomp;
+ s/\"/\\\"/g;
+ s/$/\\n\\/;
+ $lines .= $_ . "\n";
+}
+
+$lines .= '"' . "\n";
+print $lines;
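Review bot: Only double quotes are escaped in the input loop (`s/\"/\\\"/g`); a backslash in bind.keys would be copied into the generated C string literal unescaped, where it merges with the following `\n\` continuation or forms a stray escape sequence and breaks the build. Add `s/\\/\\\\/g;` as the first substitution, before the quote escape, so the backslashes that the quote escape itself inserts are not doubled. The input is the shipped bind.keys rather than anything untrusted, so this is a robustness issue in the generator, but this script is what turns the trust anchor into code and deserves to be exact.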
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.93 2008/11/06 05:30:24 marka Exp $ */
+/* $Id: config.c,v 1.94 2009/03/04 02:42:30 each Exp $ */
/*! \file */
#include <named/config.h>
#include <named/globals.h>
+#include "bind.keys.h"
+
/*% default configuration */
static char defaultconf[] = "\
options {\n\
multiple-cnames no;\n\
# named-xfer <obsolete>;\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
+ bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
"
max-udp-size 4096;\n\
request-nsid false;\n\
reserved-sockets 512;\n\
+\n\
+ /* DLV */\n\
+ dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\
/* view */\n\
allow-notify {none;};\n\
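Review bot: The `dnssec-lookaside . trust-anchor dlv.isc.org;` entry placed in the defaults is intended to be consulted only when a view sets `dnssec-lookaside auto;` (server.c reads the option from a map set that excludes the defaults and then fetches this entry from `ns_g_defaults` explicitly), but nothing in the string says so, and any lookup that goes through a map set including `ns_g_defaults` would see DLV enabled by default. Suggest making the intent explicit in the embedded comment, e.g. `/* DLV: consulted only when a view sets dnssec-lookaside auto */\n\`. That every `dnssec-lookaside` lookup in the tree avoids the defaults map is an assumption this hunk cannot confirm.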
database \"_builtin id\";\n\
};\n\
};\n\
+"
+
+"#\n\
+# Default trusted key(s) for builtin DLV support\n\
+# (used if \"dnssec-lookaside auto;\" is set and\n\
+# sysconfdir/bind.keys doesn't exist).\n\
+#\n\
+# BEGIN TRUSTED KEYS\n"
+
+/* Imported from bind.keys.h: */
+TRUSTED_KEYS
+
+"# END TRUSTED KEYS\n\
";
isc_result_t
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: globals.h,v 1.80 2008/11/16 22:49:18 marka Exp $ */
+/* $Id: globals.h,v 1.81 2009/03/04 02:42:30 each Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
EXTERN const cfg_obj_t * ns_g_defaults INIT(NULL);
EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR
"/named.conf");
+EXTERN cfg_obj_t * ns_g_bindkeys INIT(NULL);
EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
"/rndc.key");
EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
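Review bot: `ns_g_bindkeys` is declared as a new global but nothing else in this change refers to it; server.c keeps the parsed bind.keys object in a local `bindkeys` that is passed down to `configure_view` and destroyed at the end of `load_configuration`. Either drop the declaration or, if a later change will use it, add a comment such as `/* parsed bind.keys; see load_configuration() for ownership */` so a global pointing at a parser-owned object does not later outlive its parser. I only see the hunks in this diff, so a use elsewhere in the tree is possible.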
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.96 2009/01/27 22:29:58 jinmei Exp $ */
+/* $Id: server.h,v 1.97 2009/03/04 02:42:30 each Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
dns_acl_t *blackholeacl;
char * statsfile; /*%< Statistics file name */
char * dumpfile; /*%< Dump file name */
+ char * bindkeysfile; /*%< bind.keys file name */
char * recfile; /*%< Recursive file name */
isc_boolean_t version_set; /*%< User has set version */
char * version; /*%< User-specified version */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.c,v 1.168 2009/01/17 23:47:42 tbox Exp $ */
+/* $Id: main.c,v 1.169 2009/03/04 02:42:30 each Exp $ */
/*! \file */
absolute_conffile,
sizeof(absolute_conffile));
if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("could not construct absolute path of "
- "configuration file: %s",
+ ns_main_earlyfatal("could not construct absolute path "
+ "of configuration file: %s",
isc_result_totext(result));
ns_g_conffile = absolute_conffile;
}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.528 2009/02/16 05:08:43 marka Exp $ */
+/* $Id: server.c,v 1.529 2009/03/04 02:42:30 each Exp $ */
/*! \file */
return (result);
}
+
+static void
+configure_view_dnsseckeylist(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
+ dns_keytable_t *keytable, isc_mem_t *mctx)
+{
+ const cfg_listelt_t *elt, *elt2;
+ const cfg_obj_t *key;
+ const cfg_obj_t *keylist;
+ isc_result_t result;
+
+ for (elt = cfg_list_first(keys);
+ elt != NULL;
+ elt = cfg_list_next(elt)) {
+ keylist = cfg_listelt_value(elt);
+
+ for (elt2 = cfg_list_first(keylist);
+ elt2 != NULL;
+ elt2 = cfg_list_next(elt2)) {
+ key = cfg_listelt_value(elt2);
+ CHECK(configure_view_dnsseckey(vconfig, key,
+ keytable, mctx));
+ }
+ }
+
+ cleanup:
+ return;
+}
+
/*%
- * Configure DNSSEC keys for a view. Currently used only for
- * the security roots.
+ * Configure DNSSEC keys for a view. Currently used only for the security
+ * roots.
*
* The per-view configuration values and the server-global defaults are read
* from 'vconfig' and 'config'. The variable to be configured is '*target'.
*/
static isc_result_t
-configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+ const cfg_obj_t *bindkeys, isc_boolean_t auto_dlv,
isc_mem_t *mctx, dns_keytable_t **target)
{
- isc_result_t result;
- const cfg_obj_t *keys = NULL;
+ const cfg_obj_t *view_keys = NULL;
+ const cfg_obj_t *global_keys = NULL;
+ const cfg_obj_t *builtin_keys = NULL;
+ const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
- const cfg_listelt_t *element, *element2;
- const cfg_obj_t *keylist;
- const cfg_obj_t *key;
+ const cfg_obj_t *options = NULL;
dns_keytable_t *keytable = NULL;
+ isc_result_t result;
+ int i = 0;
CHECK(dns_keytable_create(mctx, &keytable));
- if (vconfig != NULL)
+ if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options");
+ if (voptions != NULL) {
+ (void)cfg_map_get(voptions, "trusted-keys", &view_keys);
+ maps[i++] = voptions;
+ }
+ }
- keys = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "trusted-keys", &keys);
- if (keys == NULL)
- (void)cfg_map_get(config, "trusted-keys", &keys);
-
- for (element = cfg_list_first(keys);
- element != NULL;
- element = cfg_list_next(element))
- {
- keylist = cfg_listelt_value(element);
- for (element2 = cfg_list_first(keylist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- key = cfg_listelt_value(element2);
- CHECK(configure_view_dnsseckey(vconfig, key,
- keytable, mctx));
+ if (config != NULL) {
+ (void)cfg_map_get(config, "trusted-keys", &global_keys);
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL) {
+ maps[i++] = options;
}
}
+ maps[i++] = ns_g_defaults;
+ maps[i] = NULL;
+
+ if (auto_dlv) {
+ isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "using built-in trusted-keys");
+
+ /*
+ * If bind.keys exists, it overrides the trusted-keys
+ * clause hard-coded in ns_g_config.
+ */
+ if (bindkeys != NULL)
+ (void)cfg_map_get(bindkeys, "trusted-keys",
+ &builtin_keys);
+ else
+ (void)cfg_map_get(ns_g_config, "trusted-keys",
+ &builtin_keys);
+
+ configure_view_dnsseckeylist(builtin_keys, vconfig,
+ keytable, mctx);
+ }
+
+ configure_view_dnsseckeylist(global_keys, vconfig, keytable, mctx);
+ configure_view_dnsseckeylist(view_keys, vconfig, keytable, mctx);
+
dns_keytable_detach(target);
*target = keytable; /* Transfer ownership. */
keytable = NULL;
- result = ISC_R_SUCCESS;
cleanup:
- return (result);
+ return (ISC_R_SUCCESS);
}
static isc_result_t
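Review bot: The error from loading a trust anchor is now discarded: `configure_view_dnsseckeylist` returns `void`, so the `CHECK` around `configure_view_dnsseckey` only jumps to a `cleanup:` label that returns, and `configure_view_dnsseckeys` ends with `return (ISC_R_SUCCESS)` even when `dns_keytable_create` fails. Before this change a bad key in `trusted-keys` failed configuration through the propagated `result`; now named continues with a silently shorter trust-anchor set, and on a keytable creation failure `*target` keeps the old table while the caller is told everything succeeded (the `result` local is assigned by `CHECK` but never returned). The `maps` array and `i` in `configure_view_dnsseckeys` are filled but never read and will draw set-but-unused warnings. Make the helper return `isc_result_t`, `CHECK` it at the three call sites, restore `return (result)`, and release a half-built keytable on the failure path, as below.
```c
static isc_result_t
configure_view_dnsseckeylist(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
			     dns_keytable_t *keytable, isc_mem_t *mctx)
{
	const cfg_listelt_t *elt, *elt2;
	const cfg_obj_t *key;
	const cfg_obj_t *keylist;
	isc_result_t result = ISC_R_SUCCESS;

	/* … unchanged: nested loops calling CHECK(configure_view_dnsseckey(...)) … */

 cleanup:
	return (result);
}

/* … unchanged: configure_view_dnsseckeys prologue and view/global key lookup … */
	if (auto_dlv) {
		/* … unchanged: log message and bind.keys / ns_g_config selection … */
		CHECK(configure_view_dnsseckeylist(builtin_keys, vconfig,
						   keytable, mctx));
	}

	CHECK(configure_view_dnsseckeylist(global_keys, vconfig, keytable, mctx));
	CHECK(configure_view_dnsseckeylist(view_keys, vconfig, keytable, mctx));

	dns_keytable_detach(target);
	*target = keytable;	/* Transfer ownership. */
	keytable = NULL;
	result = ISC_R_SUCCESS;

 cleanup:
	if (keytable != NULL)
		dns_keytable_detach(&keytable);
	return (result);
}
```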
static isc_result_t
configure_view(dns_view_t *view, const cfg_obj_t *config,
const cfg_obj_t *vconfig, ns_cachelist_t *cachelist,
- isc_mem_t *mctx, cfg_aclconfctx_t *actx,
- isc_boolean_t need_hints)
+ const cfg_obj_t *bindkeys, isc_mem_t *mctx,
+ cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
{
const cfg_obj_t *maps[4];
const cfg_obj_t *cfgmaps[3];
+ const cfg_obj_t *optionmaps[3];
const cfg_obj_t *options = NULL;
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *forwardtype;
dns_dispatch_t *dispatch6 = NULL;
isc_boolean_t reused_cache = ISC_FALSE;
isc_boolean_t shared_cache = ISC_FALSE;
- int i;
+ int i = 0, j = 0, k = 0;
const char *str;
const char *cachename = NULL;
dns_order_t *order = NULL;
const cfg_obj_t *disablelist = NULL;
isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL;
+ isc_boolean_t auto_dlv = ISC_FALSE;
ns_cache_t *nsc;
isc_boolean_t zero_no_soattl;
if (config != NULL)
(void)cfg_map_get(config, "options", &options);
- i = 0;
+ /*
+ * maps: view options, options, defaults
+ * cfgmaps: view options, config
+ * optionmaps: view options, options
+ */
if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options");
maps[i++] = voptions;
+ optionmaps[j++] = voptions;
+ cfgmaps[k++] = voptions;
}
- if (options != NULL)
+ if (options != NULL) {
maps[i++] = options;
+ optionmaps[j++] = options;
+ }
+
maps[i++] = ns_g_defaults;
maps[i] = NULL;
-
- i = 0;
- if (voptions != NULL)
- cfgmaps[i++] = voptions;
+ optionmaps[j] = NULL;
if (config != NULL)
- cfgmaps[i++] = config;
- cfgmaps[i] = NULL;
+ cfgmaps[k++] = config;
+ cfgmaps[k] = NULL;
if (!strcmp(viewname, "_default")) {
sep = "";
view->enablednssec = cfg_obj_asboolean(obj);
obj = NULL;
- result = ns_config_get(maps, "dnssec-lookaside", &obj);
+ result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
+ if (result == ISC_R_SUCCESS) {
+ /* If set to "auto", use the version from the defaults */
+ const cfg_obj_t *dlvobj;
+ dlvobj = cfg_listelt_value(cfg_list_first(obj));
+ if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
+ "auto") &&
+ cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
+ auto_dlv = ISC_TRUE;
+ obj = NULL;
+ result = cfg_map_get(ns_g_defaults,
+ "dnssec-lookaside", &obj);
+ }
+ }
+
if (result == ISC_R_SUCCESS) {
for (element = cfg_list_first(obj);
element != NULL;
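Review bot: `auto` is recognised only on the first element of the `dnssec-lookaside` list (`cfg_listelt_value(cfg_list_first(obj))`), so a configuration such as `dnssec-lookaside example trust-anchor dlv.example; dnssec-lookaside auto;` passes check.c, which accepts `auto` with a void anchor on any element, but is not treated as auto here; the `auto` element then reaches the loop that begins at the end of this hunk and continues outside it, where it would presumably be handled as a lookaside domain literally named `auto` with a void trust-anchor. Either make check.c reject `auto` mixed with other entries and document that it must be the sole entry, or skip elements with a void trust-anchor inside that loop. Note also that `dnssec-lookaside auto trust-anchor x;` does not satisfy the condition here and silently becomes a domain named `auto`.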
* For now, there is only one kind of trusted keys, the
* "security roots".
*/
- CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
- &view->secroots));
+ CHECK(configure_view_dnsseckeys(vconfig, config, bindkeys, auto_dlv,
+ mctx, &view->secroots));
dns_resolver_resetmustbesecure(view->resolver);
obj = NULL;
result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
ztypestr = cfg_obj_asstring(typeobj);
/*
- * "hints zones" aren't zones. If we've got one,
+ * "hints zones" aren't zones. If we've got one,
* configure it and return.
*/
if (strcasecmp(ztypestr, "hint") == 0) {
isc_boolean_t first_time)
{
cfg_aclconfctx_t aclconfctx;
- cfg_obj_t *config;
- cfg_parser_t *parser = NULL;
+ cfg_obj_t *config = NULL, *bindkeys = NULL;
+ cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
const cfg_listelt_t *element;
const cfg_obj_t *builtin_views;
const cfg_obj_t *maps[3];
if (first_time) {
CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
- &ns_g_defaults) ==
- ISC_R_SUCCESS);
+ &ns_g_defaults) == ISC_R_SUCCESS);
}
/*
NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
ISC_LOG_INFO, "loading configuration from '%s'",
filename);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- cfg_parser_setcallback(parser, directory_callback, NULL);
- result = cfg_parse_file(parser, filename, &cfg_type_namedconf,
- &config);
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
+ cfg_parser_setcallback(conf_parser, directory_callback, NULL);
+ result = cfg_parse_file(conf_parser, filename,
+ &cfg_type_namedconf, &config);
}
/*
NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
ISC_LOG_INFO, "loading configuration from '%s'",
lwresd_g_resolvconffile);
- if (parser != NULL)
- cfg_parser_destroy(&parser);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- result = ns_lwresd_parseeresolvconf(ns_g_mctx, parser,
+ if (conf_parser != NULL)
+ cfg_parser_destroy(&conf_parser);
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
+ result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
&config);
}
CHECK(result);
maps[i++] = ns_g_defaults;
maps[i++] = NULL;
+ /*
+ * If bind.keys exists, load it. If "dnssec-lookaside auto"
+ * is turned on, the keys found there will be used as default
+ * trust anchors.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "bindkeys-file", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ CHECKM(setstring(server, &server->bindkeysfile,
+ cfg_obj_asstring(obj)), "strdup");
+
+ if (access(server->bindkeysfile, R_OK) == 0) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "reading built-in trusted "
+ "keys from file '%s'", server->bindkeysfile);
+
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
+ &bindkeys_parser));
+
+ result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
+ &cfg_type_bindkeys, &bindkeys);
+ CHECK(result);
+ }
+
/*
* Set process limits, which (usually) needs to be done as root.
*/
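Review bot: The existence test on `bindkeysfile` is `access(..., R_OK) == 0` with no look at `errno`, so a bind.keys that exists but cannot be read (EACCES on the file or a parent directory) is treated as absent and named silently falls back to the compiled-in key, which the shipped bind.keys says has an expiry date; a validator can thus end up on a stale trust anchor with nothing logged. Suggest distinguishing ENOENT from other failures, e.g. `if (access(server->bindkeysfile, R_OK) != 0 && errno != ENOENT) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "cannot read '%s': %s", server->bindkeysfile, strerror(errno));`. Because this file overrides the built-in trust anchor, a warning when it is writable by anyone other than its owner would also be a worthwhile defensive check; that needs a `stat()` the hunk does not perform. The `access()`-then-parse pair is also a check-then-use sequence; letting the parser open the file once and treating its not-found result as "no bind.keys" would avoid the race and the separate test.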
/*
* Check if max number of open sockets that the system allows is
- * sufficiently large. Failing this condition is not necessarily fatal,
+ * sufficiently large. Failing this condition is not necessarily fatal,
* but may cause subsequent runtime failures for a busy recursive
* server.
*/
CHECK(create_view(vconfig, &viewlist, &view));
INSIST(view != NULL);
- CHECK(configure_view(view, config, vconfig, &cachelist,
+ CHECK(configure_view(view, config, vconfig,
+ &cachelist, bindkeys,
ns_g_mctx, &aclconfctx, ISC_TRUE));
dns_view_freeze(view);
dns_view_detach(&view);
* In either case, we need to configure and freeze it.
*/
CHECK(create_view(NULL, &viewlist, &view));
- CHECK(configure_view(view, config, NULL, &cachelist, ns_g_mctx,
- &aclconfctx, ISC_TRUE));
+ CHECK(configure_view(view, config, NULL,
+ &cachelist, bindkeys,
+ ns_g_mctx, &aclconfctx, ISC_TRUE));
dns_view_freeze(view);
dns_view_detach(&view);
}
{
const cfg_obj_t *vconfig = cfg_listelt_value(element);
CHECK(create_view(vconfig, &viewlist, &view));
- CHECK(configure_view(view, config, vconfig, &cachelist,
+ CHECK(configure_view(view, config, vconfig,
+ &cachelist, bindkeys,
ns_g_mctx, &aclconfctx, ISC_FALSE));
dns_view_freeze(view);
dns_view_detach(&view);
cfg_aclconfctx_destroy(&aclconfctx);
- if (parser != NULL) {
+ if (conf_parser != NULL) {
if (config != NULL)
- cfg_obj_destroy(parser, &config);
- cfg_parser_destroy(&parser);
+ cfg_obj_destroy(conf_parser, &config);
+ cfg_parser_destroy(&conf_parser);
+ }
+
+ if (bindkeys_parser != NULL) {
+ if (bindkeys != NULL)
+ cfg_obj_destroy(bindkeys_parser, &bindkeys);
+ cfg_parser_destroy(&bindkeys_parser);
}
if (view != NULL)
"isc_stats_create");
isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
+ server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
+ CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
+ ISC_R_SUCCESS,
+ "isc_mem_strdup");
+
server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
isc_stats_detach(&server->sockstats);
isc_mem_free(server->mctx, server->statsfile);
+ isc_mem_free(server->mctx, server->bindkeysfile);
isc_mem_free(server->mctx, server->dumpfile);
isc_mem_free(server->mctx, server->recfile);
--- /dev/null
+trusted-keys {
+ # NOTE: This key expires September 2009
+ # Go to https://www.isc.org/solutions/dlv to download a replacement
+ dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
+};
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.400 2009/03/03 01:36:17 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.401 2009/03/04 02:42:30 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
<optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
<optional> cache-file <replaceable>path_name</replaceable>; </optional>
<optional> dump-file <replaceable>path_name</replaceable>; </optional>
+ <optional> bindkeys-file <replaceable>path_name</replaceable>; </optional>
<optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
<optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
<optional> pid-file <replaceable>path_name</replaceable>; </optional>
<optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
- <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
+ <optional> dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
<optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>bindkeys-file</command></term>
+ <listitem>
+ <para>
+ The pathname of a file to override the built-in trusted
+ keys provided by named. See the discussion of
+ <command>dnssec-lookaside</command> for details.
+ If not specified, the default is
+ <filename>/etc/bind.keys</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>port</command></term>
<listitem>
<term><command>dnssec-lookaside</command></term>
<listitem>
<para>
- When set, <command>dnssec-lookaside</command>
- provides the
- validator with an alternate method to validate DNSKEY records
- at the
- top of a zone. When a DNSKEY is at or below a domain
- specified by the
- deepest <command>dnssec-lookaside</command>, and
- the normal DNSSEC validation
- has left the key untrusted, the trust-anchor will be append to
- the key
- name and a DLV record will be looked up to see if it can
- validate the
- key. If the DLV record validates a DNSKEY (similarly to the
- way a DS
- record does) the DNSKEY RRset is deemed to be trusted.
+ When set, <command>dnssec-lookaside</command> provides the
+ validator with an alternate method to validate DNSKEY
+ records at the top of a zone. When a DNSKEY is at or
+ below a domain specified by the deepest
+ <command>dnssec-lookaside</command>, and the normal dnssec
+ validation has left the key untrusted, the trust-anchor
+ will be append to the key name and a DLV record will be
+ looked up to see if it can validate the key. If the DLV
+ record validates a DNSKEY (similarly to the way a DS record
+ does) the DNSKEY RRset is deemed to be trusted.
+ </para>
+ <para>
+ If <command>dnssec-lookaside</command> is set to
+ "auto", then built-in default values for
+ the domain and trust anchor will be used, along
+ with a built-in key for validation.
+ </para>
+ <para>
+ NOTE: Since the built-in key may expire, it can be
+ overridden without recompiling named by placing a new key
+ in the file <filename>bind.keys</command>.
</para>
</listitem>
</varlistentry>
<term><command>dnssec-must-be-secure</command></term>
<listitem>
<para>
- Specify hierarchies which must be or may not be secure (signed and
- validated).
- If <userinput>yes</userinput>, then <command>named</command> will only accept
- answers if they
- are secure.
- If <userinput>no</userinput>, then normal DNSSEC validation
- applies
- allowing for insecure answers to be accepted.
- The specified domain must be under a <command>trusted-key</command> or
- <command>dnssec-lookaside</command> must be
- active.
+ Specify hierarchies which must be or may not be secure
+ (signed and validated). If <userinput>yes</userinput>,
+ then <command>named</command> will only accept answers if
+ they are secure. If <userinput>no</userinput>, then normal
+ DNSSEC validation applies allowing for insecure answers to
+ be accepted. The specified domain must be under a
+ <command>trusted-key</command> or
+ <command>dnssec-lookaside</command> must be active.
</para>
</listitem>
</varlistentry>
in the key data, so the configuration may be split up into
multiple lines.
</para>
+ <para>
+ <command>trusted-keys</command> may be set at the top level
+ of <filename>named.conf</filename> or within a view. If it is
+ set in both places, they are additive: keys defined at the top
+ level are inherited by all views, but keys defined in a view
+ are only used within that view.
+ </para>
+ <para>
+ In addition to keys specified in
+ <command>trusted-keys</command> statements, if the
+ <command>dnssec-lookaside</command> option is set to "auto",
+ named will also load a built-in trusted key for dlv.isc.org.
+ </para>
</sect2>
<sect2 id="view_statement_grammar">
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.98 2009/02/17 03:40:28 marka Exp $ */
+/* $Id: check.c,v 1.99 2009/03/04 02:42:31 each Exp $ */
/*! \file */
element = cfg_list_next(element))
{
const char *dlv;
+ const cfg_obj_t *anchor;
obj = cfg_listelt_value(element);
dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
+ anchor = cfg_tuple_get(obj, "trust-anchor");
+
+ /*
+ * If domain is "auto" and trust anchor is missing,
+ * skip remaining tests
+ */
+ if (!strcmp(dlv, "auto") && cfg_obj_isvoid(anchor))
+ continue;
+
isc_buffer_init(&b, dlv, strlen(dlv));
isc_buffer_add(&b, strlen(dlv));
tresult = dns_name_fromtext(name, &b, dns_rootname,
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
- dlv = cfg_obj_asstring(cfg_tuple_get(obj,
- "trust-anchor"));
- isc_buffer_init(&b, dlv, strlen(dlv));
- isc_buffer_add(&b, strlen(dlv));
- tresult = dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL);
- if (tresult != ISC_R_SUCCESS) {
+
+ if(!cfg_obj_isvoid(anchor)) {
+ dlv = cfg_obj_asstring(anchor);
+ isc_buffer_init(&b, dlv, strlen(dlv));
+ isc_buffer_add(&b, strlen(dlv));
+ tresult = dns_name_fromtext(name, &b,
+ dns_rootname,
+ ISC_TRUE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'",
+ dlv);
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ }
+ } else {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
+ "dnssec-lookaside requires "
+ "either 'auto' or a domain and "
+ "trust anchor");
if (result == ISC_R_SUCCESS)
- result = tresult;
+ result = ISC_R_FAILURE;
}
}
+
if (symtab != NULL)
isc_symtab_destroy(&symtab);
}
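Review bot: The `auto` shortcut at the top of the loop skips the name checks only when the trust-anchor is void, so `dnssec-lookaside auto trust-anchor some.name;` is accepted here as a lookaside domain literally named `auto`, which server.c will likewise not treat as auto; report it as a configuration error, e.g. `if (!strcmp(dlv, "auto") && !cfg_obj_isvoid(anchor)) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "'auto' takes no trust-anchor"); if (result == ISC_R_SUCCESS) result = ISC_R_FAILURE; }`. The `continue` also bypasses whatever follows the name checks in this loop body (the `symtab` freed after the loop suggests duplicate tracking, but the body continues outside the hunk), which may be intended and is worth a word in the comment. Minor: `if(!cfg_obj_isvoid(anchor))` lacks the space after `if` used everywhere else in this file.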
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
+/* $Id: namedconf.h,v 1.10 2009/03/04 02:42:31 each Exp $ */
#ifndef ISCCFG_NAMEDCONF_H
#define ISCCFG_NAMEDCONF_H 1
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
/*%< A complete named.conf file. */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bindkeys;
+/*%< A bind.keys file. */
+
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
/*%< A complete rndc.conf file. */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.94 2009/01/09 23:47:46 tbox Exp $ */
+/* $Id: namedconf.c,v 1.95 2009/03/04 02:42:31 each Exp $ */
/*! \file */
{ NULL, NULL, 0 }
};
+/*%
+ * Clauses that can occur in the bind.keys file.
+ */
+static cfg_clausedef_t
+bindkeys_clauses[] = {
+ { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
/*%
* Clauses that can be found within the 'options' statement.
*/
{ "use-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+ { "bindkeys-file", &cfg_type_qstring, 0 },
{ "blackhole", &cfg_type_bracketed_aml, 0 },
{ "coresize", &cfg_type_size, 0 },
{ "datasize", &cfg_type_size, 0 },
static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
-static cfg_type_t cfg_type_trustanchor = {
- "trust-anchor", parse_keyvalue, print_keyvalue, doc_keyvalue,
- &cfg_rep_string, &trustanchor_kw
+static cfg_type_t cfg_type_optional_trustanchor = {
+ "optional_trustanchor", parse_optional_keyvalue, print_keyvalue,
+ doc_keyvalue, &cfg_rep_string, &trustanchor_kw
};
static cfg_tuplefielddef_t lookaside_fields[] = {
{ "domain", &cfg_type_astring, 0 },
- { "trust-anchor", &cfg_type_trustanchor, 0 },
+ { "trust-anchor", &cfg_type_optional_trustanchor, 0 },
{ NULL, NULL, 0 }
};
namedconf_or_view_clauses,
NULL
};
-
LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
"namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
&cfg_rep_map, namedconf_clausesets
};
+/*% The bind.keys syntax (trusted-keys only). */
+static cfg_clausedef_t *
+bindkeys_clausesets[] = {
+ bindkeys_clauses,
+ NULL
+};
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bindkeys = {
+ "bindkeys", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, bindkeys_clausesets
+};
+
/*% The "options" statement syntax. */
static cfg_clausedef_t *