+2008. [func] It is now posssible to enable/disable DNSSEC
+ validation from rndc. This is useful for the
+ mobile hosts where the current connection point
+ breaks DNSSEC (firewall/proxy). [RT #15592]
+
+ rndc validation newstate [view]
+
2007. [func] It is now possible to explicitly enable DNSSEC
validation. default dnssec-validation no; to
be changed to yes in 9.5.0. [RT #15674]
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.20.10.6 2005/04/29 00:55:52 marka Exp $ */
+/* $Id: control.c,v 1.20.10.7 2006/03/09 23:46:20 marka Exp $ */
/*! \file */
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
result = ns_server_notifycommand(ns_g_server, command, text);
+ } else if (command_compare(command, NS_COMMAND_VALIDATION)) {
+ result = ns_server_validation(ns_g_server, command);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.h,v 1.14.18.7 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
#define NS_COMMAND_RECURSING "recursing"
#define NS_COMMAND_NULL "null"
#define NS_COMMAND_NOTIFY "notify"
+#define NS_COMMAND_VALIDATION "validation"
isc_result_t
ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.73.18.7 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
void
ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
+/*%
+ * Enable or disable dnssec validation.
+ */
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args);
+
#endif /* NAMED_SERVER_H */
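Review bot: The comment on the new `ns_server_validation` prototype says only "Enable or disable dnssec validation", which leaves the caller in control.c without the contract it needs: that `args` is the raw control-channel command line (tokenized in place via next_token, so it must be writable) and what the accepted syntax and return codes are. I would extend it to something like `Enable or disable DNSSEC validation in one or all views. 'args' is the full rndc command ("validation on|off [view]") and is consumed by tokenizing; returns ISC_R_UNEXPECTEDEND or DNS_R_SYNTAX on a malformed command and ISC_R_FAILURE if no view matched.` Those codes are what the implementation in server.c in this patch returns, so keep the header in step with it if they change.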
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.257.18.27 2006/03/09 23:38:20 marka Exp $ */
+/* $Id: query.c,v 1.257.18.28 2006/03/09 23:46:20 marka Exp $ */
/*! \file */
if (!client->view->enablednssec) {
message->flags &= ~DNS_MESSAGEFLAG_CD;
client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+ if (client->opt != NULL)
+ client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
}
if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
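Review bot: The two added lines clear the DO bit from the OPT record's TTL field without saying why masking `client->extflags` alone is not enough; a reader would want a why-comment above the `if`, e.g. `/* Also strip DO from the OPT RR we echo back, so the reply does not advertise DNSSEC for a view that has it disabled. */`. This presumes `DNS_MESSAGEEXTFLAG_DO` is defined in the OPT TTL bit layout, which the existing `extflags` mask on the line above suggests but the hunk does not show; if `extflags` and `opt->ttl` used different layouts the new mask would silently be a no-op, so that is worth confirming. The enclosing function starts and ends outside the hunk.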
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.419.18.43 2006/03/09 23:38:20 marka Exp $ */
+/* $Id: server.c,v 1.419.18.44 2006/03/09 23:46:20 marka Exp $ */
/*! \file */
result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
if (result == ISC_R_SUCCESS)
CHECK(mustbesecure(obj, view->resolver));
+ } else {
+ if (view->secroots != NULL)
+ dns_keytable_detach(&view->secroots);
+ dns_resolver_resetmustbesecure(view->resolver);
}
obj = NULL;
return (ISC_R_SUCCESS);
}
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args) {
+ char *ptr, *viewname;
+ dns_view_t *view;
+ isc_boolean_t changed = ISC_FALSE;
+ isc_result_t result;
+ isc_boolean_t enable;
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /* Find out what we are to do. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+ !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+ enable = ISC_TRUE;
+ else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+ !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+ enable = ISC_FALSE;
+ else
+ return (DNS_R_SYNTAX);
+
+ /* Look for the view name. */
+ viewname = next_token(&args, " \t");
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+ continue;
+ result = dns_view_flushcache(view);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ view->enablevalidation = enable;
+ changed = ISC_TRUE;
+ }
+ if (changed)
+ result = ISC_R_SUCCESS;
+ else
+ result = ISC_R_FAILURE;
+ out:
+ isc_task_endexclusive(server->task);
+ return (result);
+}
+
isc_result_t
ns_server_flushcache(ns_server_t *server, char *args) {
char *ptr, *viewname;
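Review bot: `rndc validation on` never checks that the view has trust anchors to validate against, yet the configuration path earlier in this same patch detaches `view->secroots` when validation is configured off, so an operator can switch validation "on" in a view that has no keys and get success with no actual validation; I would refuse that case in the loop and log it, as below. The loop also flips `view->enablevalidation` view by view, so a `dns_view_flushcache()` failure on a later view leaves the earlier ones already switched while the command reports failure; either do a check pass before mutating any view or at least log which view failed. A `viewname` that matches nothing returns a bare `ISC_R_FAILURE` with no diagnostic, unlike `ns_server_notifycommand`, which control.c hands a `text` buffer; `ISC_R_NOTFOUND` plus a log line would tell the operator what happened. Since turning validation off is a security-relevant action, a NOTICE-level log of the new state and view name would also be worth adding here unless the control channel already logs the full command.
```c
	for (view = ISC_LIST_HEAD(server->viewlist);
	     view != NULL;
	     view = ISC_LIST_NEXT(view, link))
	{
		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
			continue;
		/*
		 * Refuse to "enable" validation in a view that has no trust
		 * anchors (secroots is detached at configuration time when
		 * dnssec-validation is off); otherwise the operator believes
		 * answers are being validated when nothing can be.
		 */
		if (enable && view->secroots == NULL) {
			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
				      NS_LOGMODULE_CONTROL /* or this file's module */,
				      ISC_LOG_WARNING,
				      "view '%s': no trusted keys configured, "
				      "not enabling validation", view->name);
			result = ISC_R_FAILURE;
			goto out;
		}
		/* … unchanged: dns_view_flushcache(), set enablevalidation, changed = ISC_TRUE … */
	}
```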
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.96.18.14 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: rndc.c,v 1.96.18.15 2006/03/09 23:46:20 marka Exp $ */
/*! \file */
Flush the given name from the server's cache(s)\n\
status Display status of the server.\n\
recursing Dump the queries that are currently recursing (named.recursing)\n\
+ validation newstate [view]\n\
+ Enable / disable DNSSEC validation.\n\
*restart Restart the server.\n\
\n\
* == not yet implemented\n\
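Review bot: The help line `validation newstate [view]` does not tell the operator what `newstate` may be, while the server side of this patch accepts on/off, yes/no, enable/disable and true/false; the other entries in this list spell their arguments out, so `validation on|off [view]` would be consistent and self-explanatory. The description could also mention that the command flushes the view's cache before switching state, which the server does and which an operator deciding whether to turn validation off on a live resolver would want to know.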
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.119.18.24 2006/02/26 22:59:56 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.25 2006/03/09 23:46:20 marka Exp $ */
/*! \file */
* validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
* dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
*
- * \li When called without a rdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- * validator_start -> nsecvalidate -> proveunsecure
+ * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
+ * to always validate the authority section even when it does not contain
+ * signatures.
*
* validator_start: determines what type of validation to do.
* validate: attempts to perform a positive validation.
* have attempted a verify. */
#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
#define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
-#define VALATTR_AUTHNONPENDING 0x0040 /*%< Tidy up pending auth. */
/*!
* NSEC proofs to be looked for.
static isc_result_t
finddlvsep(dns_validator_t *val, isc_boolean_t resume);
-static void
-auth_nonpending(dns_message_t *message);
-
static isc_result_t
startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
/*%
* Mark the RRsets as a answer.
- *
- * If VALATTR_AUTHNONPENDING is set then this is a negative answer
- * in a insecure zone. We need to mark any pending RRsets as
- * dns_trust_authauthority answers (this is deferred from resolver.c).
*/
static inline void
markanswer(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer;
if (val->event->sigrdataset != NULL)
val->event->sigrdataset->trust = dns_trust_answer;
- if (val->event->message != NULL &&
- (val->attributes & VALATTR_AUTHNONPENDING) != 0)
- auth_nonpending(val->event->message);
}
static void
return (ISC_TRUE);
}
-/*%
- * Mark pending answers in the authority section as dns_trust_authauthority.
- */
-static void
-auth_nonpending(dns_message_t *message) {
- isc_result_t result;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
-
- for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
- {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- if (rdataset->trust == dns_trust_pending)
- rdataset->trust = dns_trust_authauthority;
- }
- }
-}
-
/*%
* Look in the NSEC record returned from a DS query to see if there is
* a NS RRset at this name. If it is found we are at a delegation point.
sigrdataset->covers == rdataset->type)
break;
}
- if (sigrdataset == NULL)
- continue;
/*
* If a signed zone is missing the zone key, bad
* things could happen. A query for data in the zone
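Review bot: With `if (sigrdataset == NULL) continue;` removed, the code that follows this search now runs for RRsets that have no covering RRSIG, so whatever comes next (outside the hunk) must tolerate `sigrdataset == NULL`; an unconditional dereference there would be a NULL dereference reachable from a crafted response, so confirm the consumer checks it. Presumably the intent, per the updated header comment about validating the authority section even without signatures, is that unsigned RRsets are now passed through rather than left pending, and a comment at the removal point should say so: `/* sigrdataset may be NULL: unsigned RRsets are still processed so they end up marked insecure rather than silently kept pending. */`. The enclosing function starts and ends outside the hunk.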
validator_log(val, ISC_LOG_DEBUG(3),
"nonexistence proof(s) not found");
- val->attributes |= VALATTR_AUTHNONPENDING;
val->attributes |= VALATTR_INSECURITY;
return (proveunsecure(val, ISC_FALSE));
}
LOCK(&val->lock);
- if ((val->options & DNS_VALIDATOR_DLV) != 0) {
+ if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
+ val->event->rdataset != NULL) {
validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
result = startfinddlvsep(val, dns_rootname);
} else if (val->event->rdataset != NULL &&