+4749. [func] The ISC DLV service has been shut down, and all
+ DLV records have been removed from dlv.isc.org.
+ - Removed references to ISC DLV in documentation
+ - Removed DLV key from bind.keys
+ - No longer use ISC DLV by default in delv
+ - "dnssec-lookaside auto" and configuration of
+ "dnssec-lookaide" with dlv.isc.org as trust
+ anchor are both now fatal errors.
+ [RT #46155]
+
4748. [cleanup] Sprintf to snprintf coversions. [RT #46132]
4747. [func] Synthesis of responses from DNSSEC-verified records.
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
- isc_boolean_t match_root, match_dlv;
+ isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
if (!root_validation && !dlv_validation)
return (ISC_R_SUCCESS);
- match_root = dns_name_equal(keyname, anchor_name);
- match_dlv = dns_name_equal(keyname, dlv_name);
+ if (anchor_name)
+ match_root = dns_name_equal(keyname, anchor_name);
+ if (dlv_name)
+ match_dlv = dns_name_equal(keyname, dlv_name);
if (!match_root && !match_dlv)
return (ISC_R_SUCCESS);
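Review bot: The new guards `if (anchor_name)` and `if (dlv_name)` use implicit pointer truth tests, while the companion setup hunk writes the same idea as `if (trust_anchor != NULL)`; matching the explicit form, `if (anchor_name != NULL)` and `if (dlv_name != NULL)`, keeps the two call sites consistent with the file's existing style. A second, behavioural observation: when `root_validation` is true but `anchor_name` is NULL, both flags stay ISC_FALSE and every key silently falls through to the final `return (ISC_R_SUCCESS)`, so if that combination can occur (the flags are set outside this hunk) a one-line log naming the skipped key would make the missing-anchor case visible instead of looking like a quiet success. The enclosing function begins before the hunk.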
fatal("out of memory");
}
- if (dlv_anchor == NULL) {
- dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org");
- if (dlv_anchor == NULL)
- fatal("out of memory");
- }
-
- CHECK(convert_name(&afn, &anchor_name, trust_anchor));
- CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
+ if (trust_anchor != NULL)
+ CHECK(convert_name(&afn, &anchor_name, trust_anchor));
+ if (dlv_anchor != NULL)
+ CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
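Review bot: The guarded `convert_name()` calls now leave `anchor_name` and `dlv_name` untouched when `trust_anchor` or `dlv_anchor` is NULL, and the key-loading code tests those two pointers for NULL, so both must be initialised to NULL at their declaration, which lies outside this hunk; worth confirming and recording with `/* anchor_name/dlv_name stay NULL when the corresponding anchor string is unset */`. Also, since the built-in "dlv.isc.org" fallback is gone, if `dlv_validation` can be enabled without `dlv_anchor` being set (I cannot see where that flag is assigned), delv would run with lookaside requested but no DLV key ever matched; failing with a clear message in that case would be safer than validating silently without lookaside. The enclosing function starts and ends outside the hunk.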
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
- anchors for the root zone (".") and for the ISC DNSSEC lookaside
- validation zone ("dlv.isc.org"). Records returned by
+ anchor for the root zone ("."). Records returned by
<command>delv</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
- trust anchors for the root zone (".") and for the ISC
- DNSSEC lookaside validation zone ("dlv.isc.org").
+ one or more trust anchors for the root zone (".").
</para>
<para>
- Keys that do not match the root or DLV trust-anchor
- names are ignored; these key names can be overridden
- using the <option>+dlv=NAME</option> or
- <option>+root=NAME</option> options.
+ Keys that do not match the root zone name are ignored.
+ An alternate key name can be specified using the
+ <option>+root=NAME</option> options. DNSSEC Lookaside
+ Validation can also be turned on by using the
+ <option>+dlv=NAME</option> to specify the name of a
+ zone containing DLV records.
</para>
<para>
Note: When reading the trust anchor file,
<para>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
- The default is to perform lookaside validation using
- a trust anchor of "dlv.isc.org", for which there is a
- built-in key. If specifying a different name, then
- <option>-a</option> must be used to specify a file
- containing the DLV key.
+ The <option>-a</option> option must also be used to specify
+ a file containing the DLV key.
</para>
</listitem>
</varlistentry>
trust-anchor-telemetry yes;\n\
# use-id-pool <obsolete>;\n\
# use-ixfr <obsolete>;\n\
-\n\
- /* DLV */\n\
- dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\
/* view */\n\
allow-new-zones no;\n\
};\n\
"
"#\n\
-# Default trusted key(s) for builtin DLV support\n\
-# (used if \"dnssec-lookaside auto;\" is set and\n\
+# Default trusted key(s), used if \n\
+# \"dnssec-validation auto;\" is set and\n\
# sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN MANAGED KEYS\n"
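Review bot: The rewritten text `"# Default trusted key(s), used if \n\"` carries a trailing space before the newline, so the comment header that precedes the managed-keys block gains trailing whitespace; dropping it, `"# Default trusted key(s), used if\n\"`, keeps the text clean. Cosmetic, but this string literal appears to be compiled into named, so it is cheap to get right now rather than in a later whitespace sweep.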
static isc_result_t
configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *config, const cfg_obj_t *bindkeys,
- isc_boolean_t auto_dlv, isc_boolean_t auto_root,
- isc_mem_t *mctx)
+ isc_boolean_t auto_root, isc_mem_t *mctx)
{
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *view_keys = NULL;
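Review bot: `configure_view_dnsseckeys()` still has no header comment, and with `auto_dlv` removed its contract is now simple enough to state: it loads the view's configured trust anchors and, when `auto_root` is set, the built-in root key for IN-class views, as the `if (auto_root && view->rdclass == dns_rdataclass_in)` branch later in the function shows. Something like `/* Load trusted-keys/managed-keys for 'view'; with auto_root set, also load the built-in root trust anchor (taken from 'bindkeys' when that file is present). Returns an isc_result_t. */` above the definition would spare the next reader a walk through the body. The function body continues well past this hunk.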
return (ISC_R_UNEXPECTED);
}
- if (auto_dlv && view->rdclass == dns_rdataclass_in) {
- const cfg_obj_t *builtin_keys = NULL;
- const cfg_obj_t *builtin_managed_keys = NULL;
-
- /*
- * If bind.keys exists and is populated, it overrides
- * the managed-keys clause hard-coded in named_g_config.
- */
- if (bindkeys != NULL) {
- isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "obtaining DLV key for view %s "
- "from '%s'",
- view->name, named_g_server->bindkeysfile);
-
- (void)cfg_map_get(bindkeys, "trusted-keys",
- &builtin_keys);
- (void)cfg_map_get(bindkeys, "managed-keys",
- &builtin_managed_keys);
- if ((builtin_keys == NULL) &&
- (builtin_managed_keys == NULL))
- isc_log_write(named_g_lctx,
- DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER,
- ISC_LOG_WARNING,
- "dnssec-lookaside auto: "
- "WARNING: key for dlv.isc.org "
- "not found");
- }
-
- if ((builtin_keys == NULL) &&
- (builtin_managed_keys == NULL))
- {
- isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using built-in DLV key for view %s",
- view->name);
-
- (void)cfg_map_get(named_g_config, "trusted-keys",
- &builtin_keys);
- (void)cfg_map_get(named_g_config, "managed-keys",
- &builtin_managed_keys);
- }
-
- if (builtin_keys != NULL)
- CHECK(load_view_keys(builtin_keys, vconfig, view,
- ISC_FALSE, view->dlv, mctx));
- if (builtin_managed_keys != NULL)
- CHECK(load_view_keys(builtin_managed_keys, vconfig,
- view, ISC_TRUE, view->dlv, mctx));
- if (!keyloaded(view, view->dlv)) {
- isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "DLV key not loaded");
- result = ISC_R_FAILURE;
- goto cleanup;
- }
- }
-
if (auto_root && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
const cfg_obj_t *disablelist = NULL;
isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL;
- isc_boolean_t auto_dlv = ISC_FALSE;
isc_boolean_t auto_root = ISC_FALSE;
named_cache_t *nsc;
isc_boolean_t zero_no_soattl;
obj = NULL;
result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
- /* If set to "auto", use the version from the defaults */
+ /* "auto" is deprecated, log a warning if seen */
const char *dom;
dlvobj = cfg_listelt_value(cfg_list_first(obj));
dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
- /* If "no", skip; if "auto", use global default */
- if (!strcasecmp(dom, "no"))
+ /* If "no", skip; if "auto", log warning */
+ if (!strcasecmp(dom, "no")) {
+ result = ISC_R_NOTFOUND;
+ } else if (!strcasecmp(dom, "auto")) {
+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+ "WARNING: the DLV server at "
+ "'dlv.isc.org' is no longer "
+ "in service; dnssec-lookaside "
+ "ignored");
result = ISC_R_NOTFOUND;
- else if (!strcasecmp(dom, "auto")) {
- auto_dlv = ISC_TRUE;
- obj = NULL;
- result = cfg_map_get(named_g_defaults,
- "dnssec-lookaside", &obj);
}
}
}
dns_fixedname_t f;
dns_fixedname_init(&f);
+ /* Also log a warning if manually configured to dlv.isc.org */
iscdlv = dns_fixedname_name(&f);
CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
dlv = dns_fixedname_name(&view->dlv_fixed);
CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
DNS_NAME_DOWNCASE, NULL));
- view->dlv = dns_fixedname_name(&view->dlv_fixed);
-
- if (dns_name_equal(view->dlv, iscdlv)) {
- if (auto_dlv)
- obj = dlvobj;
+ if (dns_name_equal(dlv, iscdlv)) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
"WARNING: the DLV server at "
- "'dlv.isc.org' is expected to "
- "cease operation by the end "
- "of January 2017");
+ "'dlv.isc.org' is no longer "
+ "in service; dnssec-lookaside "
+ "ignored");
+ view->dlv = NULL;
+ } else {
+ view->dlv = dlv;
}
}
- } else
+ } else {
view->dlv = NULL;
+ }
/*
* For now, there is only one kind of trusted keys, the
* "security roots".
*/
CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
- auto_dlv, auto_root, mctx));
+ auto_root, mctx));
dns_resolver_resetmustbesecure(view->resolver);
obj = NULL;
result = named_config_get(maps, "dnssec-must-be-secure", &obj);
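Review bot: The new comment `/* "auto" is deprecated, log a warning if seen */` and the two warning-only branches contradict the rest of the change: the CHANGES entry and the bind9/check.c hunk make both `dnssec-lookaside auto` and a `dlv.isc.org` trust anchor fatal configuration errors, so these branches in server.c are reachable only if that configuration check is bypassed, and the comment should say so, e.g. `/* "auto" is rejected at config-check time; warn and ignore if it somehow gets here */`. The identical message is spelled out twice (in the `auto` branch and in the `dns_name_equal(dlv, iscdlv)` branch); a single `static const char dlv_gone_msg[] = "WARNING: the DLV server at 'dlv.isc.org' is no longer in service; dnssec-lookaside ignored";` keeps them from drifting apart. The added `/* Also log a warning if manually configured to dlv.isc.org */` also sits between `dns_fixedname_init(&f)` and its first use rather than above the comparison it describes. The enclosing function runs on both sides of the hunk.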
/*
* If bind.keys exists, load it. If "dnssec-validation auto"
* is turned on, the root key found there will be used as a
- * default trust anchor, and if "dnssec-lookaside auto" is
- * turned on, then the DLV key found there will too.
+ * default trust anchor.
*/
obj = NULL;
result = named_config_get(maps, "bindkeys-file", &obj);
<para>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
- For example, to check for DLV records for "example.com"
- in ISC's DLV zone, use:
- <command>dnssec-checkds -l dlv.isc.org example.com</command>
</para>
</listitem>
</varlistentry>
--- /dev/null
+options {
+ dnssec-lookaside auto;
+};
--- /dev/null
+options {
+ dnssec-lookaside . trust-anchor dlv.isc.org;
+};
view view3 {
match-clients { none; };
- dnssec-lookaside auto;
+ dnssec-validation auto;
};
view view4 {
type master;
file "yyy";
};
- dnssec-lookaside auto;
dnssec-validation auto;
zone-statistics terse;
};
1.2.3.4;
};
};
- dnssec-lookaside "." trust-anchor "dlv.isc.org.";
+ dnssec-lookaside "." trust-anchor "example.org.";
dnssec-validation auto;
zone-statistics full;
};
SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz chain
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
- database digdelv dlv dlvauto dlz dlzexternal
+ database digdelv dlv dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
emptyzones fetchlimit filter-aaaa formerr geoip glue gost
inline integrity ixfr keepalive @KEYMGR@ legacy limits
+++ /dev/null
-# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-rm -f ns1/K*
-rm -f ns1/*.signed
-rm -f ns1/*.db
-rm -f ns1/bind.keys
-rm -f ns1/*.mkeys.jnl
-rm -f ns1/*.mkeys
-rm -f */named.run
-rm -f */named.memstats
-rm -f ns1/dsset-*.
-rm -f ns2/*.mkeys
-rm -f ns2/*.mkeys.jnl
-rm -f dig.out.ns?.test*
-rm -f ns2/named.secroots
-rm -f ns*/named.lock
+++ /dev/null
-; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-; $Id: dlv.isc.org.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
-
-$TTL 300
-@ IN SOA a.root-servers.nil. hostmaster.isc.org. (
- 2000042100 ; serial
- 600 ; refresh
- 600 ; retry
- 1200 ; expire
- 600 ; minimum
- )
-@ NS a.root-servers.nil.
+++ /dev/null
-/*
- * Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-/* $Id: named.conf,v 1.2 2011/03/01 22:44:04 marka Exp $ */
-
-// NS1
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
- dnssec-enable yes;
- dnssec-validation yes;
-};
-
-zone "." {
- type master;
- file "root.db";
-};
-
-zone "dlv.isc.org" {
- type master;
- file "dlv.isc.org.db.signed";
-};
+++ /dev/null
-; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-; $Id: root.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
-
-$TTL 300
-. IN SOA gson.nominum.com. a.root.servers.nil. (
- 2000042100 ; serial
- 600 ; refresh
- 600 ; retry
- 1200 ; expire
- 600 ; minimum
- )
-. NS a.root-servers.nil.
-a.root-servers.nil. A 10.53.0.1
-
-dlv.isc.org. NS a.root-servers.nil.
+++ /dev/null
-#!/bin/sh -e
-#
-# Copyright (C) 2011, 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-zone=dlv.isc.org
-infile=dlv.isc.org.db.in
-zonefile=dlv.isc.org.db
-
-dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
-cat $infile $dlvkey.key > $zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
-
-zone=.
-infile=root.db.in
-zonefile=root.db
-
-rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
-cat $infile $rootkey.key > $zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
-
-# Create bind.keys file for the use of the resolving server
-echo "managed-keys {" > bind.keys
-cat $dlvkey.key | grep -v '^; ' | $PERL -n -e '
-local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
-local $key = join("", @rest);
-print <<EOF
- "$dn" initial-key $flags $proto $alg "$key";
-EOF
-' >> bind.keys
-cat $rootkey.key | grep -v '^; ' | $PERL -n -e '
-local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
-local $key = join("", @rest);
-print <<EOF
- "$dn" initial-key $flags $proto $alg "$key";
-EOF
-' >> bind.keys
-echo "};" >> bind.keys
+++ /dev/null
-/*
- * Copyright (C) 2011, 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-/* $Id: named.conf,v 1.3 2011/03/03 16:16:47 each Exp $ */
-
-// NS2
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- notify no;
- dnssec-enable yes;
- dnssec-validation yes;
- bindkeys-file "../ns1/bind.keys";
- dnssec-lookaside "auto";
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
-};
-
-view "in" {
- recursion yes;
- zone "." {
- type hint;
- file "../../common/root.hint";
- };
-};
-
-view "ch" ch {
- match-clients { 127.0.0.1; };
-};
-
-view "unused" {
- match-clients { none; };
-};
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-exec $SHELL ../testcrypto.sh
+++ /dev/null
-#!/bin/sh -e
-#
-# Copyright (C) 2011, 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-$SHELL clean.sh
-
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
-cd ns1 && $SHELL sign.sh
+++ /dev/null
-# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
-
-status=0
-n=1
-
-echo "I:checking that a warning was logged about the ISC DLV service ($n)"
-ret=0
-warnings=`grep "WARNING: the DLV server at 'dlv.isc.org'" ns2/named.run`
-[ -z "$warnings" ] && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-#
-# When this was initialy reported there was a REQUIRE failure on restarting.
-#
-n=`expr $n + 1`
-echo "I:checking dnssec-lookaside "'"auto"'"; with views of multiple classes ($n)"
-if [ -s ns2/named.pid ]
-then
- ret=0
- $PERL $SYSTEMTESTTOP/stop.pl . ns2 || ret=1
- sleep 1
- (cd ns2; $NAMED -g -d 100 -X named.lock -c named.conf >> named.run 2>&1 & )
- sleep 2
- $DIG $DIGOPTS soa . @10.53.0.2 > dig.out.ns2.test$n || ret=1
- grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
-else
- echo "I:failed"
- status=1
-fi
-
-n=`expr $n + 1`
-echo "I:checking that only the DLV key was imported from bind.keys ($n)"
-ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots 2>&1 | sed 's/^/I:ns2 /'
-linecount=`grep "\./RSAMD5/.* ; managed" ns2/named.secroots | wc -l`
-[ "$linecount" -eq 0 ] || ret=1
-linecount=`grep "dlv.isc.org/RSAMD5/.* ; managed" ns2/named.secroots | wc -l`
-[ "$linecount" -eq 2 ] || ret=1
-linecount=`cat ns2/named.secroots | wc -l`
-[ "$linecount" -eq 25 ] || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:exit status: $status"
-[ $status -eq 0 ] || exit 1
# The bind.keys file is used to override the built-in DNSSEC trust anchors
-# which are included as part of BIND 9. As of the current release, the only
-# trust anchors it contains are those for the DNS root zone ("."), and for
-# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
-# for any other zones MUST be configured elsewhere; if they are configured
-# here, they will not be recognized or used by named.
+# which are included as part of BIND 9. The only trust anchors it contains
+# are for the DNS root zone ("."). Trust anchors for any other zones MUST
+# be configured elsewhere; if they are configured here, they will not be
+# recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
-# To use the built-in root key, set "dnssec-validation auto;" in
-# named.conf options. To use the built-in DLV key, set
-# "dnssec-lookaside auto;". Without these options being set,
-# the keys in this file are ignored.
+# To use the built-in key, use "dnssec-validation auto;" in the
+# named.conf options. Without this option being set, the keys in this
+# file are ignored.
#
# This file is NOT expected to be user-configured.
#
-# These keys are current as of Feburary 2017. If any key fails to
+# These keys are current as of October 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml
+# for current trust anchor information for the root zone.
managed-keys {
- # ISC DLV: See https://www.isc.org/solutions/dlv for details.
- #
- # NOTE: The ISC DLV zone is being phased out as of February 2017;
- # the key will remain in place but the zone will be otherwise empty.
- # Configuring "dnssec-lookaside auto;" to activate this key is
- # harmless, but is no longer useful and is not recommended.
- dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
- TDN0YUuWrBNh";
-
- # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
- # for current trust anchor information.
- #
- # These keys are activated by setting "dnssec-validation auto;"
- # in named.conf.
- #
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
- # This key (20326) is to be published in the root zone in 2017.
+ # This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9. As of the current release, the only\n\
-# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
-# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
-# for any other zones MUST be configured elsewhere; if they are configured\n\
-# here, they will not be recognized or used by named.\n\
+# which are included as part of BIND 9. The only trust anchors it contains\n\
+# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
+# be configured elsewhere; if they are configured here, they will not be\n\
+# recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
-# named.conf options. To use the built-in DLV key, set\n\
-# \"dnssec-lookaside auto;\". Without these options being set,\n\
-# the keys in this file are ignored.\n\
+# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
+# named.conf options. Without this option being set, the keys in this\n\
+# file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of Feburary 2017. If any key fails to\n\
+# These keys are current as of October 2017. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml\n\
+# for current trust anchor information for the root zone.\n\
\n\
trusted-keys {\n\
- # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
- #\n\
- # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
- # the key will remain in place but the zone will be otherwise empty.\n\
- # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
- # harmless, but is no longer useful and is not recommended.\n\
- dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
- TDN0YUuWrBNh\";\n\
-\n\
- # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
- # for current trust anchor information.\n\
- #\n\
- # These keys are activated by setting \"dnssec-validation auto;\"\n\
- # in named.conf.\n\
- #\n\
# This key (19036) is to be phased out starting in 2017. It will\n\
# remain in the root zone for some time after its successor key\n\
# has been added. It will remain this file until it is removed from\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
\n\
- # This key (20326) is to be published in the root zone in 2017.\n\
+ # This key (20326) was published in the root zone in 2017.\n\
# Servers which were already using the old key (19036) should\n\
# roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
# being set up for the first time can use the contents of this\n\
#define MANAGED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9. As of the current release, the only\n\
-# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
-# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
-# for any other zones MUST be configured elsewhere; if they are configured\n\
-# here, they will not be recognized or used by named.\n\
+# which are included as part of BIND 9. The only trust anchors it contains\n\
+# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
+# be configured elsewhere; if they are configured here, they will not be\n\
+# recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
-# named.conf options. To use the built-in DLV key, set\n\
-# \"dnssec-lookaside auto;\". Without these options being set,\n\
-# the keys in this file are ignored.\n\
+# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
+# named.conf options. Without this option being set, the keys in this\n\
+# file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of Feburary 2017. If any key fails to\n\
+# These keys are current as of October 2017. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml\n\
+# for current trust anchor information for the root zone.\n\
\n\
managed-keys {\n\
- # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
- #\n\
- # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
- # the key will remain in place but the zone will be otherwise empty.\n\
- # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
- # harmless, but is no longer useful and is not recommended.\n\
- dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
- TDN0YUuWrBNh\";\n\
-\n\
- # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
- # for current trust anchor information.\n\
- #\n\
- # These keys are activated by setting \"dnssec-validation auto;\"\n\
- # in named.conf.\n\
- #\n\
# This key (19036) is to be phased out starting in 2017. It will\n\
# remain in the root zone for some time after its successor key\n\
# has been added. It will remain this file until it is removed from\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
\n\
- # This key (20326) is to be published in the root zone in 2017.\n\
+ # This key (20326) was published in the root zone in 2017.\n\
# Servers which were already using the old key (19036) should\n\
# roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
# being set up for the first time can use the contents of this\n\
<para>
The pathname of a file to override the built-in trusted
keys provided by <command>named</command>.
- See the discussion of <command>dnssec-lookaside</command>
- and <command>dnssec-validation</command> for details.
- If not specified, the default is
+ See the discussion of <command>dnssec-validation</command>
+ for details. If not specified, the default is
<filename>/etc/bind.keys</filename>.
</para>
</listitem>
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
</para>
- <para>
- If <command>dnssec-lookaside</command> is set to
- <userinput>auto</userinput>, then built-in default
- values for the DLV domain and trust anchor will be
- used, along with a built-in key for validation.
- </para>
<para>
If <command>dnssec-lookaside</command> is set to
<userinput>no</userinput>, then dnssec-lookaside
is not used.
</para>
<para>
- The default DLV key is stored in the file
- <filename>bind.keys</filename>;
- <command>named</command> will load that key at
- startup if <command>dnssec-lookaside</command> is set to
- <constant>auto</constant>. A copy of the file is
- installed along with <acronym>BIND</acronym> 9, and is
- current as of the release date. If the DLV key expires, a
- new copy of <filename>bind.keys</filename> can be downloaded
- from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/solutions/dlv/">https://www.isc.org/solutions/dlv/</link>.
- </para>
- <para>
- (To prevent problems if <filename>bind.keys</filename> is
- not found, the current key is also compiled in to
- <command>named</command>. Relying on this is not
- recommended, however, as it requires <command>named</command>
- to be recompiled with a new key when the DLV key expires.)
- </para>
- <para>
- NOTE: <command>named</command> only loads certain specific
- keys from <filename>bind.keys</filename>: those for the
- DLV zone and for the DNS root zone. The file cannot be
- used to store keys for other zones.
+ NOTE: The ISC-provided DLV service at
+ <literal>dlv.isc.org</literal>, has been shut down.
+ The <command>dnssec-lookaside auto;</command>
+ configuration option, which set <command>named</command>
+ up to use ISC DLV with minimal configuration, has
+ accordingly been removed.
</para>
</listitem>
</varlistentry>
be accepted. The specified domain must be under a
<command>trusted-keys</command> or
<command>managed-keys</command> statement, or
- <command>dnssec-lookaside</command> must be active.
+ <command>dnssec-validation auto</command> must be active.
</para>
</listitem>
</varlistentry>
Causes <command>named</command> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via <command>trusted-keys</command>,
- <command>managed-keys</command>,
- <command>dnssec-validation auto</command>, or
- <command>dnssec-lookaside auto</command>.
+ <command>managed-keys</command>, or
+ <command>dnssec-validation auto</command>.
</para>
<para>
The query name used for these queries has the
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
If set to <userinput>no</userinput>, DNSSEC validation
- is disabled. If set to <userinput>auto</userinput>,
- DNSSEC validation is enabled, and a default
- trust-anchor for the DNS root zone is used. If set to
- <userinput>yes</userinput>, DNSSEC validation is enabled,
- but a trust anchor must be manually configured using
- a <command>trusted-keys</command> or
- <command>managed-keys</command> statement. The default
+ is disabled.
+ </para>
+ <para>
+ If set to <userinput>auto</userinput>, DNSSEC validation
+ is enabled, and a default trust anchor for the DNS root
+ zone is used. If set to <userinput>yes</userinput>,
+ DNSSEC validation is enabled, but a trust anchor must be
+ manually configured using a <command>trusted-keys</command>
+ or <command>managed-keys</command> statement. The default
is <userinput>yes</userinput>.
</para>
+ <para>
+ The default root trust anchor is stored in the file
+ <filename>bind.keys</filename>.
+ <command>named</command> will load that key at
+ startup if <command>dnssec-validation</command> is
+ set to <constant>auto</constant>. A copy of the file is
+ installed along with BIND 9, and is current as of the
+ release date. If the root key expires, a new copy of
+ <filename>bind.keys</filename> can be downloaded
+ from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="\ 2https://www.isc.org/bind-keys">https://www.isc.org/bind-keys</link>.
+ </para>
+ <para>
+ To prevent problems if <filename>bind.keys</filename> is
+ not found, the current trust anchor is also compiled in
+ to <command>named</command>. Relying on this is not
+ recommended, however, as it requires <command>named</command>
+ to be recompiled with a new key when the root key expires.)
+ </para>
<note>
+ <para>
+ <command>named</command> <emphasis>only</emphasis>
+ loads the root key from <filename>bind.keys</filename>.
+ The file cannot be used to store keys for other zones.
+ The root key in <filename>bind.keys</filename> is ignored
+ if <command>dnssec-validation auto</command> is not in
+ use.
+ </para>
<para>
Whenever the resolver sends out queries to an
EDNS-compliant server, it always sets the DO bit
If the <command>dnssec-validation</command> option is
set to <userinput>auto</userinput>, <command>named</command>
will automatically initialize a managed key for the
- root zone. Similarly, if the <command>dnssec-lookaside</command>
- option is set to <userinput>auto</userinput>,
- <command>named</command> will automatically initialize
- a managed key for the zone <literal>dlv.isc.org</literal>.
- (Note: The ISC DLV service is expected to cease operation by
- the end of 2017.) In both cases, the key that is used to
- initialize the key maintenance process is built into
- <command>named</command>, and can be overridden from
- <command>bindkeys-file</command>.
+ root zone. The key that is used to initialize the key
+ maintenance process is stored in <filename>bind.keys</filename>;
+ the location of this file can be overridden with the
+ <command>bindkeys-file</command> option. As a fallback
+ in the event no <filename>bind.keys</filename> can be
+ found, the initializing key is also compiled directly
+ into <command>named</command>.
</para>
</section>
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
+ <listitem>
+ <para>
+ The ISC DNSSEC Lookaside Validation (DLV) service has been shut
+ down; all DLV records in the dlv.isc.org zone have been removed.
+ References to the service have been removed from BIND documentation.
+ Lookaside validation is no longer used by default by
+ <command>delv</command>. The DLV key has been removed from
+ <filename>bind.keys</command>. Setting
+ <command>dnssec-lookaside</command> set to
+ <command>auto</command> or to use dlv.isc.org as a trust
+ anchor is now a fatal configuration error. [RT #46155]
+ </para>
+ </listitem>
<listitem>
<para>
The lightweight resolver daemon and library (<command>lwresd</command>
#include <bind9/check.h>
+static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
+static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
+static const dns_name_t dlviscorg =
+ DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets);
+
static isc_result_t
fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, isc_boolean_t writeable,
isc_log_t *logctxlogc);
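Review bot: The new file-scope `dlviscorg` name is added without a comment saying why a hard-coded DNS name lives in check.c, and the literal depends on the string's implicit terminating NUL supplying the root label at offset 12, which is easy to break when someone edits the name. A one-line comment above `dlviscorg_ndata` would cover both, e.g. `/* "dlv.isc.org." (trailing NUL is the root label); used to reject the retired DLV anchor in dnssec-lookaside */`. Its only use visible in this diff is the `dns_name_equal(&dlviscorg, name)` check in the dnssec-lookaside hunk below; whether it is referenced elsewhere cannot be seen here.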
* is missing, skip remaining tests
*/
if (cfg_obj_isvoid(anchor)) {
- if (!strcasecmp(dlv, "no") ||
- !strcasecmp(dlv, "auto"))
+ if (!strcasecmp(dlv, "no")) {
continue;
+ }
+ if (!strcasecmp(dlv, "auto")) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "dnssec-lookaside 'auto' "
+ "is no longer supported");
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ continue;
+ }
}
tresult = dns_name_fromstring(name, dlv, 0, NULL);
if (symtab != NULL) {
tresult = nameexist(obj, dlv, 1, symtab,
"dnssec-lookaside '%s': "
- "already exists previous "
+ "already exists; previous "
"definition: %s:%u",
logctx, mctx);
if (tresult != ISC_R_SUCCESS &&
result = ISC_R_FAILURE;
}
- if (!cfg_obj_isvoid(anchor)) {
- dlv = cfg_obj_asstring(anchor);
- tresult = check_name(dlv);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'",
- dlv);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- }
- } else {
+ if (cfg_obj_isvoid(anchor)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-lookaside requires "
- "either 'auto' or 'no', or a "
- "domain and trust anchor");
+ "dnssec-lookaside requires "
+ "either or 'no' or a "
+ "domain and trust anchor");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
+ continue;
+ }
+
+ dlv = cfg_obj_asstring(anchor);
+ tresult = dns_name_fromstring(name, dlv, 0, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'", dlv);
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ continue;
+ }
+ if (dns_name_equal(&dlviscorg, name)) {
+ cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
+ "dlv.isc.org has been shut down");
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ continue;
}
}
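Review bot: The rewritten error text in the `cfg_obj_isvoid(anchor)` branch reads `"either or 'no' or a "`, a doubled "or"; since 'auto' is now rejected earlier in the loop the line should be `"either 'no' or a "` so the operator sees `dnssec-lookaside requires either 'no' or a domain and trust anchor`. Separately, the new code parses the anchor string into the same `name` that the earlier context line `dns_name_fromstring(name, dlv, 0, NULL)` filled with the lookaside domain, and reuses `dlv` for the anchor text, so the `dns_name_equal(&dlviscorg, name)` test is against the trust anchor rather than the lookaside domain; that appears to be the intent (configuring dlv.isc.org as the anchor is what is being refused), but a comment such as `/* 'name' now holds the trust-anchor name, not the lookaside domain */` before the comparison, or a distinct variable, would make it unambiguous. The enclosing loop and the function it belongs to start before this hunk.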
dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
const char *dlvname);
/*%<
- * Specify a name to use for DNSSEC lookaside validation (e.g.,
- * "dlv.isc.org"). If a trusted key has been added for that name,
- * then DLV will be used during validation. If 'dlvname' is NULL,
- * then DLV will no longer be used for this client.
+ * Specify a name to use for DNSSEC lookaside validation.
+ * If a trusted key has been added for that name, then DLV will be
+ * used during validation. If 'dlvname' is NULL, then DLV will no
+ * longer be used for this client.
*
* Requires:
*
./bin/tests/system/dlv/prereq.sh SH 2014,2016
./bin/tests/system/dlv/setup.sh SH 2004,2007,2009,2011,2012,2014,2016,2017
./bin/tests/system/dlv/tests.sh SH 2004,2007,2010,2011,2012,2016
-./bin/tests/system/dlvauto/clean.sh SH 2011,2012,2014,2016
-./bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in ZONE 2011,2016
-./bin/tests/system/dlvauto/ns1/named.conf CONF-C 2011,2016
-./bin/tests/system/dlvauto/ns1/root.db.in ZONE 2011,2016
-./bin/tests/system/dlvauto/ns1/sign.sh SH 2011,2012,2014,2016,2017
-./bin/tests/system/dlvauto/ns2/named.conf CONF-C 2011,2013,2016
-./bin/tests/system/dlvauto/prereq.sh SH 2014,2016
-./bin/tests/system/dlvauto/setup.sh SH 2011,2012,2014,2016,2017
-./bin/tests/system/dlvauto/tests.sh SH 2011,2012,2014,2016
./bin/tests/system/dlz/.gitignore X 2012
./bin/tests/system/dlz/clean.sh SH 2010,2012,2014,2016
./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= TXT.BRIEF 2015,2016