3209. [func] Add "dnssec-lookaside 'off'". [RT #24858]
authorMark Andrews <marka@isc.org>
Mon, 7 Nov 2011 00:14:11 +0000 (00:14 +0000)
committerMark Andrews <marka@isc.org>
Mon, 7 Nov 2011 00:14:11 +0000 (00:14 +0000)
CHANGES
bin/named/named.conf.docbook
bin/named/server.c
bin/tests/system/checkconf/dnssec.2
bin/tests/system/checkconf/dnssec.3
bin/tests/system/checkconf/tests.sh
doc/arm/Bv9ARM-book.xml
lib/bind9/check.c
lib/isccfg/namedconf.c

diff --git a/CHANGES b/CHANGES
index 77fd0746c54bfa6764709dbe117a0f5ca988c990..93fdd6fb98052ae8d2885cdcb05a5af6168e610d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3209.  [func]          Add "dnssec-lookaside 'off'".  [RT #24858]
+
 3208.  [bug]           'dig -y' handle unknown tsig alorithm better.
                        [RT #25522]
 
index 104a46c26e5e46939b56e100fd18ca443d04ef70..f13b197108b94dffaa86effc56620067a1011c9a 100644 (file)
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.53 2011/09/06 22:29:32 smann Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.54 2011/11/07 00:14:10 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -285,8 +285,7 @@ options {
        disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
        dnssec-enable <replaceable>boolean</replaceable>;
        dnssec-validation <replaceable>boolean</replaceable>;
-       dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
-       dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
+       dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>off</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
        dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
        dnssec-accept-expired <replaceable>boolean</replaceable>;
 
@@ -474,7 +473,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
        dnssec-enable <replaceable>boolean</replaceable>;
        dnssec-validation <replaceable>boolean</replaceable>;
-       dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+       dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>off</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
        dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
        dnssec-accept-expired <replaceable>boolean</replaceable>;
 
index 79169b85f70fbe5d51570e5407aa116332d9796b..729fe91769a919b584d12e4999860ac12313178c 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.628 2011/11/03 23:46:26 tbox Exp $ */
+/* $Id: server.c,v 1.629 2011/11/07 00:14:10 marka Exp $ */
 
 /*! \file */
 
@@ -2604,14 +2604,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
        if (result == ISC_R_SUCCESS) {
                /* If set to "auto", use the version from the defaults */
                const cfg_obj_t *dlvobj;
+               const char *dom;
                dlvobj = cfg_listelt_value(cfg_list_first(obj));
-               if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
-                           "auto") &&
-                   cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
-                       auto_dlv = ISC_TRUE;
-                       obj = NULL;
-                       result = cfg_map_get(ns_g_defaults,
-                                            "dnssec-lookaside", &obj);
+               dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
+               if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
+                       /* If "no", skip; if "auto", use global default */
+                       if (!strcasecmp(dom, "no"))
+                               result = ISC_R_NOTFOUND;
+                       else if (!strcasecmp(dom, "auto")) {
+                               auto_dlv = ISC_TRUE;
+                               obj = NULL;
+                               result = cfg_map_get(ns_g_defaults,
+                                                    "dnssec-lookaside", &obj);
+                       }
                }
        }
 
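Review bot: The keyword accepted here is `no` (the `!strcasecmp(dom, "no")` test in the void-trust-anchor branch), but the commit title, the CHANGES entry, named.conf.docbook and Bv9ARM-book.xml all document the value as `off`; an operator who writes the documented `dnssec-lookaside off;` never takes this branch, so `result` stays ISC_R_SUCCESS and the string "off" presumably goes on to be treated as a DLV domain with no trust anchor, while named-checkconf (the parallel `!strcasecmp(dlv, "no")` hunk in lib/bind9/check.c) would reject the same config as lacking a domain/trust-anchor pair, and doc_lookaside in lib/isccfg/namedconf.c also advertises `no`. Either accept both spellings in server.c and check.c, `if (!strcasecmp(dom, "no") || !strcasecmp(dom, "off"))`, and print both in doc_lookaside, or change the four documentation hunks to say `no`; the dnssec.3 test config only covers `no`, so the mismatch is not caught by tests.sh. In the `no` branch `obj` is also left pointing at the parsed list while `result` becomes ISC_R_NOTFOUND; that is fine only if the code after the hunk keys solely on `result`, which cannot be confirmed from here. configure_view starts and ends outside the hunk.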
@@ -2850,7 +2855,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
                        CHECK(dns_zone_create(&zone, mctx));
                        CHECK(dns_zone_setorigin(zone, name));
                        dns_zone_setview(zone, view);
-                       CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+                       CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
+                                                    zone));
                        dns_zone_setclass(zone, view->rdclass);
                        dns_zone_settype(zone, dns_zone_master);
                        dns_zone_setstats(zone, ns_g_server->zonestats);
index 573e385c00a7250389c3c54d3af1b0351bc5976e..876ee4a43b987ef19585d2fbcce261f148b4d513 100644 (file)
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.2,v 1.4 2011/05/08 07:12:47 marka Exp $ */
+/* $Id: dnssec.2,v 1.5 2011/11/07 00:14:11 marka Exp $ */
 
 options {
         dnssec-enable no;
@@ -29,3 +29,8 @@ view view2 {
         match-clients { none; };
         dnssec-validation auto;
 };
+
+view view3 {
+        match-clients { none; };
+        auto-dnssec maintain;
+};
index 3d2b4da207eac589dde40fd24454ecc056c76df7..17679bdb8c82e5bf79d039a8e3303d81f169e733 100644 (file)
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.3,v 1.4 2011/05/08 07:12:48 marka Exp $ */
+/* $Id: dnssec.3,v 1.5 2011/11/07 00:14:11 marka Exp $ */
 
 options {
         dnssec-validation no;
@@ -29,3 +29,18 @@ view view2 {
         match-clients { none; };
         dnssec-enable yes;
 };
+
+view view3 {
+        match-clients { none; };
+        dnssec-lookaside auto;
+};
+
+view view4 {
+        match-clients { none; };
+        dnssec-lookaside no;
+};
+
+view view5 {
+        match-clients { none; };
+        auto-dnssec off;
+};
index 79806a2109df2b4a11303f32c3694c3f6d9078ea..85c7cb8d5e4227cb25ca376d33606eb86cb843d0 100644 (file)
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.7 2011/05/07 23:47:28 tbox Exp $
+# $Id: tests.sh,v 1.8 2011/11/07 00:14:11 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -43,6 +43,7 @@ status=`expr $status + $ret`
 echo "I: checking named-checkconf dnssec warnings"
 ret=0
 $CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
+$CHECKCONF dnssec.2 2>&1 | grep 'auto-dnssec may only be ' > /dev/null || ret=1
 $CHECKCONF dnssec.2 2>&1 | grep 'validation auto.*enable no' > /dev/null || ret=1
 $CHECKCONF dnssec.2 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
 # this one should have no warnings
index 158e1d4bd7ecb9c71f680649d7c85ceeab6d1ea4..ce791374479be4a3d26573b87667808eef7e668a 100644 (file)
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.514 2011/11/04 02:25:17 tbox Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.515 2011/11/07 00:14:11 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -5154,7 +5154,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
     <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional>
-    <optional> dnssec-lookaside ( <replaceable>auto</replaceable> | 
+    <optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
+                       <replaceable>off</replaceable> |
                         <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
     <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
     <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
@@ -5835,6 +5836,11 @@ options {
                values for the DLV domain and trust anchor will be
                used, along with a built-in key for validation.
              </para>
+             <para>
+               If <command>dnssec-lookaside</command> is set to
+               <userinput>off</userinput>, then dnssec-lookaside
+               is not used.
+             </para>
               <para>
                 The default DLV key is stored in the file
                 <filename>bind.keys</filename>;
index 07b1cdcd27ed8f7f0303fffe9c13afc0cd923272..188234f82353c1d9bf8692f8fa00c356b6576225 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.137 2011/10/29 00:15:56 each Exp $ */
+/* $Id: check.c,v 1.138 2011/11/07 00:14:11 marka Exp $ */
 
 /*! \file */
 
@@ -671,8 +671,17 @@ typedef struct {
        unsigned int max;
 } intervaltable;
 
+typedef enum {
+       optlevel_config,
+       optlevel_options,
+       optlevel_view,
+       optlevel_zone
+} optlevel_t;
+
 static isc_result_t
-check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
+check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+             optlevel_t optlevel)
+{
        isc_result_t result = ISC_R_SUCCESS;
        isc_result_t tresult;
        unsigned int i;
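Review bot: `optlevel_t` and the new `optlevel` parameter of check_options are undocumented, and the difference between optlevel_config and optlevel_options is not obvious from the names; the callers later in this commit pass optlevel_config for a view that has no options block, optlevel_options for the global options block, and optlevel_view/optlevel_zone for view and zone options. Suggest a comment above the typedef, `/* Which clause check_options() is validating; auto-dnssec is only permitted with a value other than "off" at optlevel_zone. */`, and a one-line comment on the new parameter in the check_options definition. check_options continues past the end of the hunk.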
@@ -844,19 +853,23 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
                     element = cfg_list_next(element))
                {
                        const char *dlv;
-                       const cfg_obj_t *anchor;
+                       const cfg_obj_t *dlvobj, *anchor;
 
                        obj = cfg_listelt_value(element);
 
-                       dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
                        anchor = cfg_tuple_get(obj, "trust-anchor");
+                       dlvobj = cfg_tuple_get(obj, "domain");
+                       dlv = cfg_obj_asstring(dlvobj);
 
                        /*
-                        * If domain is "auto" and trust anchor is missing,
-                        * skip remaining tests
+                        * If domain is "auto" or "no" and trust anchor
+                        * is missing, skip remaining tests
                         */
-                       if (!strcmp(dlv, "auto") && cfg_obj_isvoid(anchor))
-                               continue;
+                       if (cfg_obj_isvoid(anchor)) {
+                               if (!strcasecmp(dlv, "no") ||
+                                   !strcasecmp(dlv, "auto"))
+                                       continue;
+                       }
 
                        isc_buffer_init(&b, dlv, strlen(dlv));
                        isc_buffer_add(&b, strlen(dlv));
@@ -908,8 +921,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
                        } else {
                                cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
                                        "dnssec-lookaside requires "
-                                       "either 'auto' or a domain and "
-                                       "trust anchor");
+                                       "either 'auto' or 'no', or a "
+                                       "domain and trust anchor");
                                if (result == ISC_R_SUCCESS)
                                        result = ISC_R_FAILURE;
                        }
@@ -919,6 +932,21 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
                        isc_symtab_destroy(&symtab);
        }
 
+       /*
+        * Check auto-dnssec at the view/options level
+        */
+       obj = NULL;
+       (void)cfg_map_get(options, "auto-dnssec", &obj);
+       if (obj != NULL) {
+               const char *arg = cfg_obj_asstring(obj);
+               if (optlevel != optlevel_zone && strcasecmp(arg, "off") != 0) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "auto-dnssec may only be activated at the "
+                                   "zone level");
+                       result = ISC_R_FAILURE;
+               }
+       }
+
        /*
         * Check dnssec-must-be-secure.
         */
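Review bot: `result = ISC_R_FAILURE;` after the auto-dnssec error unconditionally overwrites whatever an earlier check in check_options already stored, whereas the dnssec-lookaside error a few lines above in the same function uses `if (result == ISC_R_SUCCESS) result = ISC_R_FAILURE;`; use the same guard here so a more specific earlier error code is not replaced. The check itself is the only thing rejecting a non-`off` auto-dnssec above zone level now that namedconf.c accepts the clause in zone_clauses, so it is worth a comment saying so, e.g. `/* Grammar now allows auto-dnssec in options/view; only "off" is meaningful there. */`. check_options starts and ends outside the hunk.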
@@ -1664,7 +1692,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        /*
         * Check various options.
         */
-       tresult = check_options(zoptions, logctx, mctx);
+       tresult = check_options(zoptions, logctx, mctx, optlevel_zone);
        if (tresult != ISC_R_SUCCESS)
                result = tresult;
 
@@ -2297,13 +2325,16 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
                                result = tresult;
                }
        }
+
        /*
         * Check options.
         */
        if (voptions != NULL)
-               tresult = check_options(voptions, logctx, mctx);
+               tresult = check_options(voptions, logctx, mctx,
+                                       optlevel_view);
        else
-               tresult = check_options(config, logctx, mctx);
+               tresult = check_options(config, logctx, mctx,
+                                       optlevel_config);
        if (tresult != ISC_R_SUCCESS)
                result = tresult;
 
@@ -2594,7 +2625,8 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
        (void)cfg_map_get(config, "options", &options);
 
        if (options != NULL &&
-           check_options(options, logctx, mctx) != ISC_R_SUCCESS)
+           check_options(options, logctx, mctx,
+                         optlevel_options) != ISC_R_SUCCESS)
                result = ISC_R_FAILURE;
 
        if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS)
index a5f9dc50f5a6051fca1825ebb5f056db45da06c1..90f87a4ebcc9b1c88384d0467bc52e4cc48be3cd 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.142 2011/10/13 01:32:34 vjs Exp $ */
+/* $Id: namedconf.c,v 1.143 2011/11/07 00:14:11 marka Exp $ */
 
 /*! \file */
 
@@ -1158,7 +1158,7 @@ print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj)
 static void
 doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
        UNUSED(type);
-       cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto )");
+       cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto | no )");
 }
 
 static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
@@ -1362,6 +1362,7 @@ zone_clauses[] = {
        { "also-notify", &cfg_type_namesockaddrkeylist, 0 },
        { "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
        { "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+       { "auto-dnssec", &cfg_type_autodnssec, 0 },
        { "check-dup-records", &cfg_type_checkmode, 0 },
        { "check-integrity", &cfg_type_boolean, 0 },
        { "check-mx", &cfg_type_checkmode, 0 },
@@ -1436,7 +1437,6 @@ zone_only_clauses[] = {
         */
        { "check-names", &cfg_type_checkmode, 0 },
        { "ixfr-from-differences", &cfg_type_boolean, 0 },
-       { "auto-dnssec", &cfg_type_autodnssec, 0 },
        { "server-addresses", &cfg_type_bracketed_sockaddrlist, 0 },
        { "server-names", &cfg_type_namelist, 0 },
        { NULL, NULL, 0 }