+2007. [func] It is now possible to explicitly enable DNSSEC
+ validation. default dnssec-validation no; to
+ be changed to yes in 9.5.0. [RT #15674]
+
2006. [security] Allow-query-cache and allow-recursion now default
to the builtin acls "localnets" and "localhost".
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.47.18.26 2006/03/09 03:40:33 marka Exp $ */
+/* $Id: config.c,v 1.47.18.27 2006/03/09 23:38:20 marka Exp $ */
/*! \file */
use-additional-cache true;\n\
acache-cleaning-interval 60;\n\
max-acache-size 0;\n\
- dnssec-enable no; /* Make yes for 9.4. */ \n\
+ dnssec-enable yes;\n\
+ dnssec-validation no; /* Make yes for 9.5. */ \n\
dnssec-accept-expired no;\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
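Review bot: The `dnssec-validation no;` default carries a "Make yes for 9.5" reminder, but the same default is hard-coded a second time as `ISC_FALSE` in the check.c hunk (`enablevalidation = ISC_FALSE; /* XXXMPA Change for 9.5. */`), so the two can drift when one is flipped and the other is forgotten; the same is true of `dnssec-enable yes;` here versus `enablednssec = ISC_TRUE` there. Consider having the checker derive both defaults from this builtin default string rather than repeating the values, or at least cross-reference the two sites in the comment, e.g. `dnssec-validation no; /* Make yes for 9.5; keep in sync with check.c. */`. The view.c hunk also initialises `enablevalidation` to `ISC_TRUE`, which is a third opinion on the default.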
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.docbook,v 1.1.2.20 2006/03/06 01:38:00 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.1.2.21 2006/03/09 23:38:20 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
+ dnssec-validation <replaceable>boolean</replaceable>;
dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
+ dnssec-validation <replaceable>boolean</replaceable>;
dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.257.18.26 2006/03/03 00:56:53 marka Exp $ */
+/* $Id: query.c,v 1.257.18.27 2006/03/09 23:38:20 marka Exp $ */
/*! \file */
* If the client has requested that DNSSEC checking be disabled,
* allow lookups to return pending data and instruct the resolver
* to return data before validation has completed.
+ *
+ * We don't need to set DNS_DBFIND_PENDINGOK when validation is
+ * disabled as there will be no pending data.
*/
if (message->flags & DNS_MESSAGEFLAG_CD ||
qtype == dns_rdatatype_rrsig)
{
client->query.dboptions |= DNS_DBFIND_PENDINGOK;
client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
- }
+ } else if (!client->view->enablevalidation)
+ client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
/*
* Allow glue NS records to be added to the authority section
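Review bot: The added comment asserts there will be no pending data when validation is disabled, but the cache may already hold pending RRsets from before `dnssec-validation` was switched off by a reconfiguration, in which case the new `else if` leaves `DNS_DBFIND_PENDINGOK` clear and those entries stay unusable until they expire; whether the cache survives a reconfig here cannot be seen from the hunk, so the comment should hedge it, e.g. `* We don't set DNS_DBFIND_PENDINGOK when validation is disabled; new fetches produce no pending data (entries cached while validation was on are not returned).`. As a point of style, the `if` branch is braced while the `else if` branch is not; bracing both keeps the two arms symmetrical. The enclosing function begins and ends outside the hunk.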
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.419.18.42 2006/03/09 03:40:33 marka Exp $ */
+/* $Id: server.c,v 1.419.18.43 2006/03/09 23:38:20 marka Exp $ */
/*! \file */
INSIST(result == ISC_R_SUCCESS);
view->acceptexpired = cfg_obj_asboolean(obj);
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-validation", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->enablevalidation = cfg_obj_asboolean(obj);
+
obj = NULL;
result = ns_config_get(maps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.2 2004/06/04 02:31:53 marka Exp $ */
+/* $Id: named.conf,v 1.2.2.3 2006/03/09 23:38:20 marka Exp $ */
/*
* Choose a keyname that is unlikely to clash with any real key names.
recursion yes;
notify yes;
dnssec-enable yes;
+ dnssec-validation yes;
dnssec-lookaside "." trust-anchor "dlv.utld";
};
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.20 2004/03/10 02:19:53 marka Exp $ */
+/* $Id: named.conf,v 1.20.18.1 2006/03/09 23:38:20 marka Exp $ */
// NS1
recursion no;
notify yes;
dnssec-enable yes;
+ dnssec-validation yes;
};
zone "." {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.23.18.1 2004/05/05 01:32:35 marka Exp $ */
+/* $Id: named.conf,v 1.23.18.2 2006/03/09 23:38:20 marka Exp $ */
// NS2
recursion no;
notify yes;
dnssec-enable yes;
+ dnssec-validation yes;
};
zone "." {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.25.18.2 2004/05/05 01:32:36 marka Exp $ */
+/* $Id: named.conf,v 1.25.18.3 2006/03/09 23:38:20 marka Exp $ */
// NS3
recursion no;
notify yes;
dnssec-enable yes;
+ dnssec-validation yes;
};
zone "." {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.22.18.1 2004/04/16 00:01:39 marka Exp $ */
+/* $Id: named.conf,v 1.22.18.2 2006/03/09 23:38:20 marka Exp $ */
// NS4
listen-on-v6 { none; };
recursion yes;
dnssec-enable yes;
+ dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
};
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.20 2004/03/10 02:19:54 marka Exp $ */
+/* $Id: named.conf,v 1.20.18.1 2006/03/09 23:38:20 marka Exp $ */
// NS5
listen-on-v6 { none; };
recursion yes;
dnssec-enable yes;
+ dnssec-validation yes;
};
zone "." {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.6.18.1 2004/06/04 02:31:53 marka Exp $ */
+/* $Id: named.conf,v 1.6.18.2 2006/03/09 23:38:20 marka Exp $ */
// NS6
notify yes;
disable-algorithms . { DSA; };
dnssec-enable yes;
+ dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv;
};
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.15 2004/03/10 02:19:54 marka Exp $ */
+/* $Id: named.conf,v 1.15.18.1 2006/03/09 23:38:20 marka Exp $ */
controls { /* empty */ };
recursion no;
notify no;
dnssec-enable yes;
+ dnssec-validation yes;
};
zone "." {
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.55 2006/03/09 03:40:33 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.56 2006/03/09 23:38:20 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
<optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
<para>
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
named behaves as if it does not support DNSSEC.
+ The default is <userinput>yes</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dnssec-validation</command></term>
+ <listitem>
+ <para>
+ Enable DNSSEC validation in named.
+ Note <command>dnssec-enable</command> also needs to be
+ set to <userinput>yes</userinput> to be effective.
The default is <userinput>no</userinput>.
</para>
</listitem>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.44.18.28 2006/03/06 01:38:01 marka Exp $ */
+/* $Id: check.c,v 1.44.18.29 2006/03/09 23:38:21 marka Exp $ */
/*! \file */
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult = ISC_R_SUCCESS;
cfg_aclconfctx_t actx;
+ cfg_obj_t *obj;
+ isc_boolean_t enablednssec, enablevalidation;
/*
* Check that all zone statements are syntactically correct and
result = ISC_R_FAILURE;
}
+ /*
+ * Check that dnssec-enable/dnssec-validation are sensible.
+ */
+ obj = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "dnssec-enable", &obj);
+ if (obj == NULL)
+ (void)cfg_map_get(config, "dnssec-enable", &obj);
+ if (obj == NULL)
+ enablednssec = ISC_TRUE;
+ else
+ enablednssec = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "dnssec-validation", &obj);
+ if (obj == NULL)
+ (void)cfg_map_get(config, "dnssec-validation", &obj);
+ if (obj == NULL)
+ enablevalidation = ISC_FALSE; /* XXXMPA Change for 9.5. */
+ else
+ enablevalidation = cfg_obj_asboolean(obj);
+
+ if (enablevalidation && !enablednssec)
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "'dnssec-validation yes;' and 'dnssec-enable no;'");
+
if (voptions != NULL)
tresult = check_options(voptions, logctx, mctx);
else
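Review bot: The warning text `"'dnssec-validation yes;' and 'dnssec-enable no;'"` states the two settings without saying what is wrong with the combination, so an operator reading the log has to know that validation is inert without `dnssec-enable`, which is what the ARM text in this commit documents; a message that names the consequence, e.g. `"'dnssec-validation yes;' has no effect without 'dnssec-enable yes;'"`, is more actionable. The `cfg_obj_log(obj, ...)` call is safe as written because `obj` is the `dnssec-validation` object and `enablevalidation` can only be true when that object exists, but it would be worth a one-line comment since the NULL-default branch just above makes the reader check this. The enclosing function starts and ends outside the hunk.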
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.h,v 1.91.18.8 2006/01/05 00:10:44 marka Exp $ */
+/* $Id: view.h,v 1.91.18.9 2006/03/09 23:38:21 marka Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
isc_boolean_t additionalfromauth;
isc_boolean_t minimalresponses;
isc_boolean_t enablednssec;
+ isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
dns_transfer_format_t transfer_format;
dns_acl_t * queryacl;
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.284.18.45 2006/02/17 00:42:10 marka Exp $ */
+/* $Id: resolver.c,v 1.284.18.46 2006/03/09 23:38:21 marka Exp $ */
/*! \file */
/*
* Is DNSSEC validation required for this name?
*/
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (res->view->enablevalidation) {
+ result = dns_keytable_issecuredomain(res->view->secroots, name,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
- if (!secure_domain && res->view->dlv != NULL) {
- valoptions = DNS_VALIDATOR_DLV;
- secure_domain = ISC_TRUE;
+ if (!secure_domain && res->view->dlv != NULL) {
+ valoptions = DNS_VALIDATOR_DLV;
+ secure_domain = ISC_TRUE;
+ }
}
if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
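Review bot: Before this change `secure_domain` was always assigned by `dns_keytable_issecuredomain()`; now, when `enablevalidation` is false, the new `if` skips that call and any later read of `secure_domain` depends on an initialiser that is outside the hunk, so please confirm it is initialised to `ISC_FALSE` at its declaration (or set it explicitly in an `else`). The same applies to the second resolver.c hunk below. That hunk also tests `fctx->res->view->enablevalidation` while this one tests `res->view->enablevalidation`; if `res` is `fctx->res` in both functions, using the same spelling avoids suggesting a difference. Both enclosing functions start and end outside their hunks.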
/*
* Is DNSSEC validation required for this name?
*/
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (fctx->res->view->enablevalidation) {
+ result = dns_keytable_issecuredomain(res->view->secroots, name,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
- if (!secure_domain && res->view->dlv != NULL) {
- valoptions = DNS_VALIDATOR_DLV;
- secure_domain = ISC_TRUE;
+ if (!secure_domain && res->view->dlv != NULL) {
+ valoptions = DNS_VALIDATOR_DLV;
+ secure_domain = ISC_TRUE;
+ }
}
if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.c,v 1.126.18.10 2006/01/05 00:10:43 marka Exp $ */
+/* $Id: view.c,v 1.126.18.11 2006/03/09 23:38:21 marka Exp $ */
/*! \file */
view->additionalfromcache = ISC_TRUE;
view->additionalfromauth = ISC_TRUE;
view->enablednssec = ISC_TRUE;
+ view->enablevalidation = ISC_TRUE;
view->acceptexpired = ISC_FALSE;
view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer;
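Review bot: `view->enablevalidation` is initialised to `ISC_TRUE` here, while named's builtin default in this commit is `dnssec-validation no;` and check.c assumes `ISC_FALSE` when the option is absent, so the library default and the server default disagree. named is presumably unaffected because server.c unconditionally overwrites the field from `ns_config_get()`, but any other caller creating a view gets validation on by default; either align this with the configured default or document the divergence, e.g. `view->enablevalidation = ISC_TRUE;	/* named overrides from dnssec-validation */`. The enclosing function starts and ends outside the hunk.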
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.30.18.36 2006/03/06 01:38:01 marka Exp $ */
+/* $Id: namedconf.c,v 1.30.18.37 2006/03/09 23:38:21 marka Exp $ */
/*! \file */
{ "disable-algorithms", &cfg_type_disablealgorithm,
CFG_CLAUSEFLAG_MULTI },
{ "dnssec-enable", &cfg_type_boolean, 0 },
+ { "dnssec-validation", &cfg_type_boolean, 0 },
{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },