[master] "rndc validation check"
authorEvan Hunt <each@isc.org>
Mon, 4 Mar 2013 20:00:51 +0000 (12:00 -0800)
committerEvan Hunt <each@isc.org>
Mon, 4 Mar 2013 20:00:51 +0000 (12:00 -0800)
3512. [func] "rndc validation check" reports the current status
of DNSSEC validation. [RT #21397]

CHANGES
bin/named/control.c
bin/named/include/named/server.h
bin/named/server.c
doc/arm/Bv9ARM-book.xml

diff --git a/CHANGES b/CHANGES
index 5f2b357b7538393d70ec59a95d3099cdf470055c..2527e5525b9aa01c4af9d49e2956e4572c3af8b8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3512.  [func]          "rndc validation check" reports the current status
+                       of DNSSEC validation. [RT #21397]
+
 3511.  [doc]           Improve documentation of redirect zones. [RT #32756]
 
 3510.  [func]          "rndc status" and XML statistics channel now report
index a48e2d1cbc1b0cae6b9c393557d5c813d100c46a..8d85975c4bd6b1e4e97e4e056ab17b5fd98b23c5 100644 (file)
@@ -197,7 +197,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
        } else if (command_compare(command, NS_COMMAND_NOTIFY)) {
                result = ns_server_notifycommand(ns_g_server, command, text);
        } else if (command_compare(command, NS_COMMAND_VALIDATION)) {
-               result = ns_server_validation(ns_g_server, command);
+               result = ns_server_validation(ns_g_server, command, text);
        } else if (command_compare(command, NS_COMMAND_SIGN) ||
                   command_compare(command, NS_COMMAND_LOADKEYS)) {
                result = ns_server_rekey(ns_g_server, command);
index dd2679e481a72bcb745b3954ad05091d63f9b1e9..b586f5c4acedb5fb1dc024af03b3883ea623c796 100644 (file)
@@ -338,7 +338,7 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
  * Enable or disable dnssec validation.
  */
 isc_result_t
-ns_server_validation(ns_server_t *server, char *args);
+ns_server_validation(ns_server_t *server, char *args, isc_buffer_t *text);
 
 /*%
  * Add a zone to a running process
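Review bot: The doc comment above the prototype still reads "Enable or disable dnssec validation." although the function now also serves the `check` argument and takes an output buffer. Callers reading the header cannot tell that `text` is written only for `check`, or that the new code in server.c returns `ISC_R_NOSPACE` when the buffer is too small. I would extend the comment to something like `* Enable or disable dnssec validation, or, when the argument is "check", write the per-view validation status into 'text'.` The comment starts above this hunk, so only its last line is visible here.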
index c6bba0eb73fc689817963fd4b2967cfe7027df1e..875e750eb98454beec0e876b2e04776cccbe680d 100644 (file)
@@ -7333,12 +7333,12 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
 }
 
 isc_result_t
-ns_server_validation(ns_server_t *server, char *args) {
+ns_server_validation(ns_server_t *server, char *args, isc_buffer_t *text) {
        char *ptr, *viewname;
        dns_view_t *view;
        isc_boolean_t changed = ISC_FALSE;
        isc_result_t result;
-       isc_boolean_t enable;
+       isc_boolean_t enable, set = ISC_TRUE, first = ISC_TRUE;
 
        /* Skip the command name. */
        ptr = next_token(&args, " \t");
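Review bot: `enable` is declared without an initializer next to `set = ISC_TRUE, first = ISC_TRUE`, and the `check` branch added in the next hunk never assigns it. Every read visible in this diff is guarded by `if (set)`, so nothing is wrong today. It does invite a maybe-uninitialized warning, and it becomes a real bug if a later edit reads it unguarded. `isc_boolean_t enable = ISC_TRUE, set = ISC_TRUE, first = ISC_TRUE;` removes the hazard. The function body continues outside this hunk.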
@@ -7356,7 +7356,9 @@ ns_server_validation(ns_server_t *server, char *args) {
        else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
                 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
                enable = ISC_FALSE;
-       else
+       else if (!strcasecmp(ptr, "check")) {
+               set = ISC_FALSE;
+       } else
                return (DNS_R_SYNTAX);
 
        /* Look for the view name. */
@@ -7373,10 +7375,40 @@ ns_server_validation(ns_server_t *server, char *args) {
                result = dns_view_flushcache(view);
                if (result != ISC_R_SUCCESS)
                        goto out;
-               view->enablevalidation = enable;
-               changed = ISC_TRUE;
+
+               if (set) {
+                       view->enablevalidation = enable;
+                       changed = ISC_TRUE;
+               } else {
+                       unsigned int n;
+                       if (!first) {
+                               n = snprintf((char *)isc_buffer_used(text),
+                                            isc_buffer_availablelength(text),
+                                            "\n");
+                               if (n >= isc_buffer_availablelength(text)) {
+                                       result = ISC_R_NOSPACE;
+                                       goto out;
+                               }
+                               isc_buffer_add(text, n);
+                       }
+                       first = ISC_FALSE;
+                       n = snprintf((char *)isc_buffer_used(text),
+                                    isc_buffer_availablelength(text),
+                                    "DNSSEC validation is %s (view %s)",
+                                    view->enablevalidation ?
+                                      "enabled" : "disabled",
+                                    view->name);
+                       if (n >= isc_buffer_availablelength(text)) {
+                               result = ISC_R_NOSPACE;
+                               goto out;
+                       }
+                       isc_buffer_add(text, n);
+               }
        }
-       if (changed)
+
+       if (!set)
+               result = ISC_R_SUCCESS;
+       else if (changed)
                result = ISC_R_SUCCESS;
        else
                result = ISC_R_FAILURE;
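Review bot: In check mode the loop still calls `dns_view_flushcache(view)` before the new `if (set)` branch, so a pure status query empties the cache of every view it reports on. An operator or monitoring job that polls `rndc validation check` would repeatedly cold-start the resolver cache; the flush and its `if (result != ISC_R_SUCCESS) goto out;` test belong inside the `if (set)` branch. Separately, `if (!set) result = ISC_R_SUCCESS;` reports success with empty output when a supplied view name matched no view, whereas the set path returns `ISC_R_FAILURE` in that case. Testing `first` there (still `ISC_TRUE` means nothing was reported) would keep the two paths consistent. The loop header and the `out:` label lie outside this hunk.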
index bf4d176cd5a50a527f9a49c01f7083925738bb17..909e6cd29370a5cd44fc62c93645783f109ab3c7 100644 (file)
@@ -1512,14 +1512,16 @@ zone "eng.example.com" {
 
                   <varlistentry>
                     <term><userinput>validation
-                        <optional>on|off</optional>
+                        ( on | off | check )
                         <optional><replaceable>view ...</replaceable></optional>
                     </userinput></term>
                     <listitem>
                       <para>
-                        Enable or disable DNSSEC validation.
+                        Enable, disable, or check the current status of
+                        DNSSEC validation.
                         Note <command>dnssec-enable</command> also needs to be
-                        set to <userinput>yes</userinput> to be effective.
+                        set to <userinput>yes</userinput> or
+                        <userinput>auto</userinput> to be effective.
                         It defaults to enabled.
                       </para>
                     </listitem>