bind.keys.h: bind.keys Makefile
${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
-dist_sysconf_DATA = bind.keys
-
.PHONY: doc
EXTRA_DIST = \
+ bind.keys \
util/bindkeys.pl \
contrib \
CHANGES \
RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf``
RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key``
NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf``
-BIND_KEYS = .. |bind_keys| replace:: ``$(sysconfdir)/bind.keys``
NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid``
SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key``
|named_conf| is read by default.
Note: files that :iscman:`named` reads in separate parser contexts, such as
-``rndc.key`` and ``bind.keys``, are not automatically read by
-:program:`named-checkconf`. Configuration errors in these files may cause
-:iscman:`named` to fail to run, even if :program:`named-checkconf` was successful.
-However, :program:`named-checkconf` can be run on these files explicitly.
+``rndc.conf`` or ``rndc.key``, are not automatically read by
+:program:`named-checkconf`. Configuration errors in these files may cause
+:iscman:`named` to fail to run, even if :program:`named-checkconf` was
+successful. However, :program:`named-checkconf` can be run on these files
+explicitly.
Options
~~~~~~~
static dns_master_style_t *style = NULL;
static dns_fixedname_t qfn;
-/* Default bind.keys contents */
+/* Default trust anchors */
static char anchortext[] = TRUST_ANCHORS;
/*
const cfg_obj_t *managed_keys = NULL;
const cfg_obj_t *trust_anchors = NULL;
cfg_obj_t *bindkeys = NULL;
- const char *filename = anchorfile;
if (!root_validation) {
return (ISC_R_SUCCESS);
}
- if (filename == NULL) {
- filename = SYSCONFDIR "/bind.keys";
- }
-
if (trust_anchor == NULL) {
trust_anchor = isc_mem_strdup(mctx, ".");
}
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
- if (access(filename, R_OK) != 0) {
- if (anchorfile != NULL) {
+ if (anchorfile != NULL) {
+ if (access(anchorfile, R_OK) != 0) {
fatal("Unable to read key file '%s'", anchorfile);
}
- } else {
- result = cfg_parse_file(parser, filename, &cfg_type_bindkeys,
+
+ result = cfg_parse_file(parser, anchorfile, &cfg_type_bindkeys,
&bindkeys);
if (result != ISC_R_SUCCESS) {
- if (anchorfile != NULL) {
- fatal("Unable to load keys from '%s'",
- anchorfile);
- }
+ fatal("Unable to load keys from '%s'", anchorfile);
}
- }
-
- if (bindkeys == NULL) {
+ } else {
isc_buffer_t b;
isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
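Review bot: The added `access(anchorfile, R_OK)` check is redundant with the `result != ISC_R_SUCCESS` test after `cfg_parse_file()`, and the two calls are separated in time, so a file that passes the first can still fail at the second; `access()` also tests against the real rather than the effective UID, which is not what the later open will use. Dropping the pre-check and keeping a single failure path is simpler and closes the gap, e.g. `if (result != ISC_R_SUCCESS) { fatal("Unable to load keys from '%s': %s", anchorfile, isc_result_totext(result)); }`, which presumably still reports an unreadable file since the parser has to open it, and additionally tells the operator whether the file was unreadable or malformed. The same access-then-parse pattern is repeated in the named server hunk (the `bindkeys-file` branch around the `unable to open` log). The enclosing function starts before and continues after this hunk.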
.. option:: -a anchor-file
- This option specifies a file from which to read DNSSEC trust anchors. The default
- is |bind_keys|, which is included with BIND 9 and contains one
- or more trust anchors for the root zone (".").
-
- Keys that do not match the root zone name are ignored. An alternate
- key name can be specified using the :option:`+root` option.
-
- Note: When reading the trust anchor file, :program:`delv` treats ``trust-anchors``,
- ``initial-key``, and ``static-key`` identically. That is, for a managed key,
- it is the *initial* key that is trusted; :rfc:`5011` key management is not
- supported. :program:`delv` does not consult the managed-keys database maintained by
- :iscman:`named`, which means that if either of the keys in |bind_keys| is
- revoked and rolled over, |bind_keys| must be updated to
- use DNSSEC validation in :program:`delv`.
+ This option specifies a file from which to read an alternate
+ DNSSEC root zone trust anchor.
+
+ By default, keys that do not match the root zone name (`.`) are
+ ignored. If an alternate key name is desired, it can be
+ specified using the :option:`+root` option.
+
+ Note: When reading trust anchors, :program:`delv` treats
+ ``trust-anchors``, ``initial-key``, and ``static-key`` identically. That
+ is, for a managed key, it is the *initial* key that is trusted;
+ :rfc:`5011` key management is not supported. :program:`delv` does not
+ consult the managed-keys database maintained by :iscman:`named`. This
+ means that if the default key built in to :program:`delv` is revoked,
+ :program:`delv` must be updated to a newer version in order to continue
+ validating.
.. option:: -b address
Files
~~~~~
-|bind_keys|
-
``/etc/resolv.conf``
See Also
options {\n\
answer-cookie true;\n\
automatic-interface-scan yes;\n\
- bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
# blackhole {none;};\n\
cookie-algorithm siphash24;\n\
# directory <none>\n\
EXTERN cfg_obj_t *named_g_config INIT(NULL);
EXTERN const cfg_obj_t *named_g_defaults INIT(NULL);
EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf");
-EXTERN const char *named_g_defaultbindkeys INIT(NAMED_SYSCONFDIR "/bind.keys");
+EXTERN const char *named_g_defaultbindkeys INIT(NULL);
EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key");
EXTERN dns_tsigkey_t *named_g_sessionkey INIT(NULL);
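Review bot: `named_g_defaultbindkeys` is now initialized to `NULL`, while every use of it visible in this commit (the default-paths `printf` and the `.bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys)` initializer) is deleted. If no other reader remains, the declaration should be removed too: a NULL-valued global that still carries the old name invites a future caller to hand it to `isc_mem_strdup()` or `access()`, which would fail on a null pointer, and it no longer describes any default. If it must stay for compatibility, a comment on the line such as `/* no default: the root trust anchor is built in; see bindkeys-file (test only) */` would explain why it is NULL.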
printf("default paths:\n");
printf(" named configuration: %s\n", named_g_conffile);
printf(" rndc configuration: %s\n", rndcconf);
- printf(" DNSSEC root key: %s\n", named_g_defaultbindkeys);
printf(" nsupdate session key: %s\n", named_g_defaultsessionkeyfile);
printf(" named PID file: %s\n", named_g_defaultpidfile);
printf(" named lock file: %s\n", named_g_defaultlockfile);
#endif
/*
- * If bind.keys exists, load it. If "dnssec-validation auto"
- * is turned on, the root key found there will be used as a
- * default trust anchor.
+ * If "dnssec-validation auto" is turned on, the root key
+ * will be used as a default trust anchor. The root key
+ * is built in, but if bindkeys-file is set, then it will
+ * be overridden with the key in that file.
*/
obj = NULL;
- result = named_config_get(maps, "bindkeys-file", &obj);
- INSIST(result == ISC_R_SUCCESS);
- setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
- INSIST(server->bindkeysfile != NULL);
-
- if (access(server->bindkeysfile, R_OK) == 0) {
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "reading built-in trust anchors "
- "from file '%s'",
- server->bindkeysfile);
-
- result = cfg_parser_create(named_g_mctx, named_g_lctx,
- &bindkeys_parser);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_config;
- }
-
- result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
- &cfg_type_bindkeys, &bindkeys);
- if (result != ISC_R_SUCCESS) {
+ (void)named_config_get(maps, "bindkeys-file", &obj);
+ if (obj != NULL) {
+ setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
+ INSIST(server->bindkeysfile != NULL);
+ if (access(server->bindkeysfile, R_OK) != 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "unable to parse '%s' error '%s'; using "
- "built-in keys instead",
- server->bindkeysfile,
- isc_result_totext(result));
+ "unable to open '%s'; using built-in "
+ "keys instead",
+ server->bindkeysfile);
+ } else {
+ result = cfg_parser_create(named_g_mctx, named_g_lctx,
+ &bindkeys_parser);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup_config;
+ }
+
+ result = cfg_parse_file(bindkeys_parser,
+ server->bindkeysfile,
+ &cfg_type_bindkeys, &bindkeys);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(
+ named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "unable to parse '%s' "
+ "error '%s'; using "
+ "built-in keys instead",
+ server->bindkeysfile,
+ isc_result_totext(result));
+ }
}
} else {
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "unable to open '%s'; using built-in keys "
- "instead",
- server->bindkeysfile);
+ setstring(server, &server->bindkeysfile, NULL);
}
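Review bot: When `bindkeys-file` is explicitly configured but the file cannot be opened or parsed, the two new `isc_log_write` calls in the `obj != NULL` branch log at `ISC_LOG_INFO` and the server silently continues with the built-in trust anchor. That level was inherited from the old code, where the file was an optional default that was frequently absent; now the branch is only reached when an operator deliberately set an override, so validating with a different anchor than the one requested should be logged at `ISC_LOG_WARNING` (or `ISC_LOG_ERROR`) in both places so the substitution is not lost in routine startup output, keeping the "using built-in keys instead" wording so the effective anchor source stays visible. The `(void)named_config_get(...)` relies on `obj` staying `NULL` on failure, which the `obj = NULL;` context line guarantees, but a short comment such as `/* bindkeys-file is optional (test only); obj stays NULL when unset */` would make that intent explicit. The enclosing function starts and ends outside this hunk.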
/*
*server = (named_server_t){
.mctx = mctx,
.statsfile = isc_mem_strdup(mctx, "named.stats"),
- .bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys),
.dumpfile = isc_mem_strdup(mctx, "named_dump.db"),
.secrootsfile = isc_mem_strdup(mctx, "named.secroots"),
.recfile = isc_mem_strdup(mctx, "named.recursing"),
}
isc_mem_free(server->mctx, server->statsfile);
- isc_mem_free(server->mctx, server->bindkeysfile);
isc_mem_free(server->mctx, server->dumpfile);
isc_mem_free(server->mctx, server->secrootsfile);
isc_mem_free(server->mctx, server->recfile);
+ if (server->bindkeysfile != NULL) {
+ isc_mem_free(server->mctx, server->bindkeysfile);
+ }
+
if (server->version != NULL) {
isc_mem_free(server->mctx, server->version);
}
.. |rndc_conf| replace:: ``/etc/rndc.conf``
.. |rndc_key| replace:: ``/etc/rndc.key``
.. |named_conf| replace:: ``/etc/named.conf``
-.. |bind_keys| replace:: ``/etc/bind.keys``
.. |named_pid| replace:: ``/run/named.pid``
.. |session_key| replace:: ``/run/session.key``
"""
found when performing a dynamic update of secure zones, if different
than the current working directory. (Note that this option has no
effect on the paths for files containing non-DNSSEC keys such as
- ``bind.keys``, ``rndc.key``, or ``session.key``.)
+ ``rndc.key``, or ``session.key``.)
.. namedconf:statement:: lmdb-mapsize
:tags: server
This is the pathname of a file to override the built-in trusted keys provided
by :iscman:`named`. See the discussion of :any:`dnssec-validation` for
- details. If not specified, the default is |bind_keys|.
+ details. This is intended for server testing.
.. namedconf:statement:: secroots-file
:tags: dnssec
:any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If
there is no configured trust anchor, validation does not take place.
- If set to ``no``, DNSSEC validation is disabled.
+ If set to ``no``, DNSSEC validation is disabled. (Note: the resolver
+ will still set the DO bit in outgoing queries indicating that it can
+ accept DNSSEC responses, even if :any:`dnssec-validation` is disabled.)
The default is ``auto``, unless BIND is built with
``configure --disable-auto-validation``, in which case the default is
``yes``.
- The default root trust anchor is stored in the file ``bind.keys``.
- :iscman:`named` loads that key at startup if :any:`dnssec-validation` is
- set to ``auto``. A copy of the file is installed along with BIND 9,
- and is current as of the release date. If the root key expires, a new
- copy of ``bind.keys`` can be downloaded from
- https://www.isc.org/bind-keys.
-
- (To prevent problems if ``bind.keys`` is not found, the current trust
- anchor is also compiled in :iscman:`named`. Relying on this is not
- recommended, however, as it requires :iscman:`named` to be recompiled with
- a new key when the root key expires.)
-
- .. note:: :iscman:`named` loads *only* the root key from ``bind.keys``. The file
- cannot be used to store keys for other zones. The root key in
- ``bind.keys`` is ignored if ``dnssec-validation auto`` is not in
- use.
-
- Whenever the resolver sends out queries to an EDNS-compliant
- server, it always sets the DO bit indicating it can support DNSSEC
- responses, even if :any:`dnssec-validation` is off.
+ The default root trust anchor is compiled into :iscman:`named`
+ and is current as of the release date. If the root key changes, a
+ running BIND server will detect this and roll smoothly to the new
+ key, but newly-installed servers will be unable to start validation,
+ so BIND must be upgraded to a newer version.
.. namedconf:statement:: validate-except
:tags: dnssec
not used to validate answers; it is superseded by the key or keys stored
in the managed-keys database.
-The next time :iscman:`named` runs after an ``initial-key`` or ``initial-ds`` has been *removed*
-from the :any:`trust-anchors` statement (or changed to a ``static-key`` or ``static-ds``), the
-corresponding zone is removed from the managed-keys database, and
-:rfc:`5011` key maintenance is no longer used for that domain.
+The next time :iscman:`named` runs after an ``initial-key`` or
+``initial-ds`` has been *removed* from the :any:`trust-anchors` statement
+(or changed to a ``static-key`` or ``static-ds``), the corresponding zone
+is removed from the managed-keys database, and :rfc:`5011` key maintenance
+is no longer used for that domain.
In the current implementation, the managed-keys database is stored as a
master-format zone file.
:iscman:`named`.)
If the :any:`dnssec-validation` option is set to ``auto``, :iscman:`named`
-automatically initializes an ``initial-key`` for the root zone. The key
-that is used to initialize the key-maintenance process is stored in
-``bind.keys``; the location of this file can be overridden with the
-:any:`bindkeys-file` option. As a fallback in the event no ``bind.keys``
-can be found, the initializing key is also compiled directly into
-:iscman:`named`.
+automatically sets up an ``initial-key`` for the root zone. This
+initializing key is built in to :iscman:`named`, and is current as of the
+release date. When the root zone key changes, a running server will detect
+the change and roll to the new key, but newly-installed servers being run
+for the first time will need to be from a recent enough version of BIND to
+have been built with the current key.
:any:`dnssec-policy` Block Grammar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
named[32516]: received control channel command 'reload'
named[32516]: loading configuration from '/etc/bind/named.conf'
- named[32516]: reading built-in trusted keys from file '/etc/bind/bind.keys'
named[32516]: using default UDP/IPv4 port range: [1024, 65535]
named[32516]: using default UDP/IPv6 port range: [1024, 65535]
named[32516]: sizing zone task pool based on 6 zones
is sent to the client; if it does not verify, a SERVFAIL is returned to
the client.
-.. [#]
- BIND technically includes two copies of the root key: one is in
- ``bind.keys.h`` and is built into the executable, and one is in
- ``bind.keys`` as a :any:`trust-anchors` statement. The two copies of the
- key are identical.
-
.. _trust_anchors_description:
Trust Anchors
If you followed the recommendation in
:ref:`easy_start_guide_for_recursive_servers`, by setting
:any:`dnssec-validation` to *auto*, there is nothing left to do.
-BIND already includes a copy of the root key (in the file
-``bind.keys``), and automatically updates it when the root key
-changes. [#]_ It looks something like this:
+BIND already includes a copy of the root key, and automatically updates it
+when the root key changes. [#]_ It looks something like this:
::
dnssec-validation yes;
};
-Then, download the root key manually from a trustworthy source, such as
-`<https://www.isc.org/bind-keys>`__. Finally, take the root key you
-manually downloaded and put it into a :any:`trust-anchors` statement as
-shown below:
+Then, download the root key manually from a trustworthy source,
+and put it into a :any:`trust-anchors` statement as shown below:
::
R1AkUTV74bU=";
};
-While this :any:`trust-anchors` statement and the one in the ``bind.keys``
-file appear similar, the definition of the key in ``bind.keys`` has the
-``initial-key`` modifier, whereas in the statement in the configuration
-file, that is replaced by ``static-key``. There is an important
-difference between the two: a key defined with ``static-key`` is always
-trusted until it is deleted from the configuration file. With the
-``initial-key`` modified, keys are only trusted once: for as long as it
-takes to load the managed key database and start the key maintenance
-process. Thereafter, BIND uses the managed keys database
-(``managed-keys.bind.jnl``) as the source of key information.
+While this :any:`trust-anchors` statement looks similar to the built-in
+version above, the built-in key has the ``initial-key`` modifier, whereas
+in the statement in the configuration file, that is replaced by
+``static-key``. There is an important difference between the two: a key
+defined with ``static-key`` is always trusted until it is deleted from the
+configuration file. With the ``initial-key`` modifier, keys are only
+trusted once: for as long as it takes to load the managed key database and
+start the key maintenance process. Thereafter, BIND uses the managed keys
+database (``managed-keys.bind.jnl``) as the source of key information.
.. warning::
.. |rndc_conf| replace:: ``@sysconfdir@/rndc.conf``
.. |rndc_key| replace:: ``@sysconfdir@/rndc.key``
.. |named_conf| replace:: ``@sysconfdir@/named.conf``
-.. |bind_keys| replace:: ``@sysconfdir@/bind.keys``
.. |named_pid| replace:: ``@runstatedir@/named.pid``
.. |session_key| replace:: ``@runstatedir@/session.key``
"""
.INDENT 0.0
.TP
.B \-a anchor\-file
-This option specifies a file from which to read DNSSEC trust anchors. The default
-is \fB@sysconfdir@/bind.keys\fP, which is included with BIND 9 and contains one
-or more trust anchors for the root zone (".").
+This option specifies a file from which to read an alternate
+DNSSEC root zone trust anchor.
.sp
-Keys that do not match the root zone name are ignored. An alternate
-key name can be specified using the \fI\%+root\fP option.
+By default, keys that do not match the root zone name (\fI\&.\fP) are
+ignored. If an alternate key name is desired, it can be
+specified using the \fI\%+root\fP option.
.sp
-Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP,
-\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
-it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not
-supported. \fBdelv\fP does not consult the managed\-keys database maintained by
-\fI\%named\fP, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is
-revoked and rolled over, \fB@sysconfdir@/bind.keys\fP must be updated to
-use DNSSEC validation in \fBdelv\fP\&.
+Note: When reading trust anchors, \fBdelv\fP treats
+\fBtrust\-anchors\fP, \fBinitial\-key\fP, and \fBstatic\-key\fP identically. That
+is, for a managed key, it is the \fIinitial\fP key that is trusted;
+\fI\%RFC 5011\fP key management is not supported. \fBdelv\fP does not
+consult the managed\-keys database maintained by \fI\%named\fP\&. This
+means that if the default key built in to \fBdelv\fP is revoked,
+\fBdelv\fP must be updated to a newer version in order to continue
+validating.
.UNINDENT
.INDENT 0.0
.TP
.UNINDENT
.SH FILES
.sp
-\fB@sysconfdir@/bind.keys\fP
-.sp
\fB/etc/resolv.conf\fP
.SH SEE ALSO
.sp
\fB@sysconfdir@/named.conf\fP is read by default.
.sp
Note: files that \fI\%named\fP reads in separate parser contexts, such as
-\fBrndc.key\fP and \fBbind.keys\fP, are not automatically read by
-\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause
-\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was successful.
-However, \fBnamed\-checkconf\fP can be run on these files explicitly.
+\fBrndc.conf\fP or \fBrndc.key\fP, are not automatically read by
+\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause
+\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was
+successful. However, \fBnamed\-checkconf\fP can be run on these files
+explicitly.
.SH OPTIONS
.INDENT 0.0
.TP
automatic\-interface\-scan <boolean>;
avoid\-v4\-udp\-ports { <portrange>; ... }; // deprecated
avoid\-v6\-udp\-ports { <portrange>; ... }; // deprecated
- bindkeys\-file <quoted_string>;
+ bindkeys\-file <quoted_string>; // test only
blackhole { <address_match_element>; ... };
catalog\-zones { zone <string> [ default\-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone\-directory <quoted_string> ] [ in\-memory <boolean> ] [ min\-update\-interval <duration> ]; ... };
check\-dup\-records ( fail | warn | ignore );
automatic-interface-scan <boolean>;
avoid-v4-udp-ports { <portrange>; ... }; // deprecated
avoid-v6-udp-ports { <portrange>; ... }; // deprecated
- bindkeys-file <quoted_string>;
+ bindkeys-file <quoted_string>; // test only
blackhole { <address_match_element>; ... };
catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore );
CFG_CLAUSEFLAG_DEPRECATED },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist,
CFG_CLAUSEFLAG_DEPRECATED },
- { "bindkeys-file", &cfg_type_qstring, 0 },
+ { "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },
{ "blackhole", &cfg_type_bracketed_aml, 0 },
{ "cookie-algorithm", &cfg_type_cookiealg, 0 },
{ "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },
fi
if [ -n "${DESTDIR}" ]; then
- for expected_subdir in bin etc include lib sbin share; do
+ for expected_subdir in bin include lib sbin share; do
echo "${install_dir}/${expected_subdir}" >> "${abs_builddir}/expected_dirs"
done
find "${install_dir}" -maxdepth 1 -mindepth 1 -type d | sort > "${abs_builddir}/existing_dirs"