view->acceptexpired = cfg_obj_asboolean(obj);
obj = NULL;
- result = named_config_get(maps, "dnssec-validation", &obj);
+ result = named_config_get(maps, "dnssec-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isboolean(obj)) {
- view->enablevalidation = cfg_obj_asboolean(obj);
- } else {
- /* If dnssec-validation is not boolean, it must be "auto" */
- view->enablevalidation = true;
- auto_root = true;
+ view->enablednssec = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ /* 'optionmaps', not 'maps': don't check named_g_defaults yet */
+ (void)named_config_get(optionmaps, "dnssec-validation", &obj);
+ if (obj == NULL) {
+ /*
+ * If dnssec-enable is yes, then we default to
+ * VALIDATION_DEFAULT as set in config.c. Otherwise
+ * we default to "no".
+ */
+ if (view->enablednssec) {
+ (void)cfg_map_get(named_g_defaults,
+ "dnssec-validation", &obj);
+ INSIST(obj != NULL);
+ } else {
+ view->enablevalidation = false;
+ }
+ }
+ if (obj != NULL) {
+ if (cfg_obj_isboolean(obj)) {
+ view->enablevalidation = cfg_obj_asboolean(obj);
+ } else {
+ /*
+ * If dnssec-validation is set but not boolean,
+ * then it must be "auto"
+ */
+ view->enablevalidation = true;
+ auto_root = true;
+ }
}
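Review bot: The `if (obj != NULL)` branch at L31–41 now sets `view->enablevalidation` without consulting `view->enablednssec`, so `dnssec-validation yes|auto` together with `dnssec-enable no` yields a validating view that does not return signatures, as the ARM text in this commit promises; whether the resolver still requests RRSIGs (sets the EDNS DO bit) independently of `view->enablednssec` is not visible in this hunk, and if that path is keyed off `enablednssec` the combination would validate nothing or fail every validation, so that should be confirmed and recorded in a comment on L31 such as `/* validation no longer depends on dnssec-enable; resolver must still request RRSIGs */`. The `else` branch at L27–29 silently turns validation off for a `dnssec-enable no` configuration even though validation is otherwise on by default (`auto`); since that is a security downgrade an operator may not intend, it deserves a log line, e.g. a warning "dnssec-enable is no; defaulting dnssec-validation to no" using the `isc_log_write()` pattern this file uses elsewhere (category/module constants to be taken from the surrounding code). The `(void)named_config_get(optionmaps, ...)` on L16 is only correct if the call leaves `obj` NULL when the option is absent, which I cannot confirm from here; a one-line comment stating that assumption, `/* result ignored: obj stays NULL when the option is not configured */`, would keep the L17 test from looking like an unchecked error. The enclosing function starts and ends outside this hunk.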
obj = NULL;
view->prefetch_eligible = view->prefetch_trigger + 6;
}
- obj = NULL;
- result = named_config_get(maps, "dnssec-enable", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->enablednssec = cfg_obj_asboolean(obj);
-
obj = NULL;
result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
</section>
- <section xml:id="dnssec_config"><info><title>Configuring Servers</title></info>
-
+ <section xml:id="dnssec_config"><info><title>Configuring Servers for DNSSEC</title></info>
<para>
To enable <command>named</command> to respond appropriately
- to DNS requests from DNSSEC aware clients,
- <command>dnssec-enable</command> must be set to yes.
- This is the default setting.
+ to DNS requests from DNSSEC-aware clients,
+ <command>dnssec-enable</command> must be set to
+ <userinput>yes</userinput>. This is the default setting.
</para>
-
<para>
- To enable <command>named</command> to validate answers from
- other servers, the <command>dnssec-enable</command> option
- must be set to <userinput>yes</userinput>, and the
+ To enable <command>named</command> to validate answers
+ received from other servers, the
<command>dnssec-validation</command> option must be set to
either <userinput>yes</userinput> or <userinput>auto</userinput>.
</para>
-
<para>
When <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, a trust anchor for the DNS
root zone will automatically be used. This trust anchor is
provided as part of BIND and is kept up to date using RFC 5011
key management.
- If <command>dnssec-validation</command> is set to
- <userinput>yes</userinput>, then
- DNSSEC validation only occurs if
- at least one trust anchor has been explicitly configured
- in <filename>named.conf</filename>,
+ </para>
+ <para>
+ When <command>dnssec-validation</command> is set to
+ <userinput>yes</userinput>, DNSSEC validation will only occur
+ if at least one trust anchor has been explicitly configured
+ in <filename>named.conf</filename>
using a <command>trusted-keys</command> or
<command>managed-keys</command> statement.
- If <command>dnssec-validation</command> is set to
- <userinput>no</userinput>, then DNSSEC validation will
- not occur.
+ </para>
+ <para>
+ When <command>dnssec-validation</command> is set to
+ <userinput>no</userinput>, DNSSEC validation will not occur.
+ </para>
+ <para>
The default is <userinput>auto</userinput> unless BIND is
built with <command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
</para>
+ <para>
+ If <command>dnssec-enable</command> is set to
+ <userinput>no</userinput>, then the default for
+ <command>dnssec-validation</command> is also changed to
+ <userinput>no</userinput>. If
+ <command>dnssec-validation</command> is set to
+ <userinput>yes</userinput>, the server will
+ perform DNSSEC validation internally, but will not return
+ signatures when queried - but it will not be turned on
+ automatically.
+ </para>
<para>
<command>trusted-keys</command> are copies of DNSKEY RRs
<term><command>dnssec-validation</command></term>
<listitem>
<para>
- Enable DNSSEC validation in <command>named</command>.
- Note <command>dnssec-enable</command> also needs to be
- set to <userinput>yes</userinput> to be effective.
+ This enables DNSSEC validation in <command>named</command>.
+ Note that <command>dnssec-enable</command> also needs to
+ be set to <userinput>yes</userinput> for signatures to be
+ returned to the client along with validated answers.
+ </para>
+ <para>
+ If set to <userinput>auto</userinput>,
+ DNSSEC validation is enabled, and a default trust anchor
+ for the DNS root zone is used.
+ </para>
+ <para>
+ If set to <userinput>yes</userinput>, DNSSEC validation is
+ enabled, but a trust anchor must be manually configured
+ using a <command>trusted-keys</command>
+ or <command>managed-keys</command> statement; if there
+ is no configured trust anchor, validation will not take
+ place.
+ </para>
+ <para>
If set to <userinput>no</userinput>, DNSSEC validation
is disabled.
</para>
- <para>
- If set to <userinput>auto</userinput>, DNSSEC validation
- is enabled, and a default trust anchor for the DNS root
- zone is used. If set to <userinput>yes</userinput>,
- DNSSEC validation is enabled, but a trust anchor must be
- manually configured using a <command>trusted-keys</command>
- or <command>managed-keys</command> statement. The default
- is <userinput>yes</userinput>.
+ <para>
+ The default is <userinput>auto</userinput>, unless
+ BIND is built with
+ <command>configure --disable-auto-validation</command>,
+ in which case the default is <userinput>yes</userinput>.
+ If <command>dnssec-enable</command> is set to
+ <userinput>no</userinput>, then the default for
+ <command>dnssec-validation</command> is also
+ <userinput>no</userinput>. Validation can still be turned on
+ if desired - this results in a server that performs DNSSEC
+ validation but does not return signatures when queried -
+ but it will not be turned on automatically.
</para>
<para>
The default root trust anchor is stored in the file
<filename>bind.keys</filename>.
<command>named</command> will load that key at
startup if <command>dnssec-validation</command> is
- set to <constant>auto</constant>. A copy of the file is
+ set to <userinput>auto</userinput>. A copy of the file is
installed along with BIND 9, and is current as of the
release date. If the root key expires, a new copy of
<filename>bind.keys</filename> can be downloaded
from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/bind-keys">https://www.isc.org/bind-keys</link>.
</para>
<para>
- To prevent problems if <filename>bind.keys</filename> is
+ (To prevent problems if <filename>bind.keys</filename> is
not found, the current trust anchor is also compiled in
to <command>named</command>. Relying on this is not
recommended, however, as it requires <command>named</command>
</para>
<note>
<para>
- <command>named</command> <emphasis>only</emphasis>
- loads the root key from <filename>bind.keys</filename>.
+ <command>named</command> loads <emphasis>only</emphasis>
+ the root key from <filename>bind.keys</filename>.
The file cannot be used to store keys for other zones.
The root key in <filename>bind.keys</filename> is ignored
if <command>dnssec-validation auto</command> is not in