From: Mark Andrews Date: Thu, 9 Mar 2006 23:46:20 +0000 (+0000) Subject: 2008. [func] It is now posssible to enable/disable DNSSEC X-Git-Tag: v9.4.0a4~22 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=e9724570aaf82b1c29d7df6a76d8fe2e2a07cc88;p=thirdparty%2Fbind9.git 2008. [func] It is now posssible to enable/disable DNSSEC validation from rndc. This is useful for the mobile hosts where the current connection point breaks DNSSEC (firewall/proxy). [RT #15592] rndc validation newstate [view] --- diff --git a/CHANGES b/CHANGES index e3dd6b0e415..af21cfece29 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +2008. [func] It is now posssible to enable/disable DNSSEC + validation from rndc. This is useful for the + mobile hosts where the current connection point + breaks DNSSEC (firewall/proxy). [RT #15592] + + rndc validation newstate [view] + 2007. [func] It is now possible to explicitly enable DNSSEC validation. default dnssec-validation no; to be changed to yes in 9.5.0. [RT #15674] diff --git a/bin/named/control.c b/bin/named/control.c index 9c5bbcd5608..1dbf9f3ff60 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.c,v 1.20.10.6 2005/04/29 00:55:52 marka Exp $ */ +/* $Id: control.c,v 1.20.10.7 2006/03/09 23:46:20 marka Exp $ */ /*! \file */ @@ -172,6 +172,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_NOTIFY)) { result = ns_server_notifycommand(ns_g_server, command, text); + } else if (command_compare(command, NS_COMMAND_VALIDATION)) { + result = ns_server_validation(ns_g_server, command); } else { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_WARNING, diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h index 7b32a0dae9e..5b7e5f45f2c 100644 --- a/bin/named/include/named/control.h 
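Review bot: The new dispatch arm in ns_control_docommand() passes only `command` to ns_server_validation(), so when that function fails (DNS_R_SYNTAX for an unrecognised state, ISC_R_FAILURE when no view matched the name) the rndc operator gets only a bare status and no text explaining which, whereas the neighbouring notify arm hands `text` down so a message can be returned. Since turning validation off is a security-relevant switch, a clear reply naming the view(s) affected is worth having; I would change the arm to `result = ns_server_validation(ns_g_server, command, text);` and extend the callee to write its outcome into the buffer. The body of ns_control_docommand() begins and ends outside the hunk.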
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: control.h,v 1.14.18.7 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -54,6 +54,7 @@
 #define NS_COMMAND_RECURSING "recursing"
 #define NS_COMMAND_NULL "null"
 #define NS_COMMAND_NOTIFY "notify"
+#define NS_COMMAND_VALIDATION "validation"
 
 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index e634b9c2003..54d1dae1716 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: server.h,v 1.73.18.7 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -221,4 +221,10 @@ ns_server_dumprecursing(ns_server_t *server);
 void
 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 
+/*%
+ * Enable or disable dnssec validation.
+ */
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args);
+
 #endif /* NAMED_SERVER_H */
diff --git a/bin/named/query.c b/bin/named/query.c
index 2956ffc0749..52f259cd0d0 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: query.c,v 1.257.18.27 2006/03/09 23:38:20 marka Exp $ */
+/* $Id: query.c,v 1.257.18.28 2006/03/09 23:46:20 marka Exp $ */
 
 /*! \file */
 
@@ -4424,6 +4424,8 @@ ns_query_start(ns_client_t *client) {
 if (!client->view->enablednssec) {
 message->flags &= ~DNS_MESSAGEFLAG_CD;
 client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+ if (client->opt != NULL)
+ client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
 }
 
 if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
diff --git a/bin/named/server.c b/bin/named/server.c
index dfe1cb84884..e2bd0ca59f8 100644
--- a/bin/named/server.c
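Review bot: The header comment on the new prototype, `Enable or disable dnssec validation.`, says nothing about how `args` is parsed or which result codes a caller should expect, while the server.c implementation in this commit accepts on/yes/enable/true and off/no/disable/false, treats a missing view name as "every view", and returns ISC_R_UNEXPECTEDEND, DNS_R_SYNTAX or ISC_R_FAILURE on the different failures. I would extend the `/*% ... */` block to state the expected command line (`validation on|off [view]`, with the alternative spellings), that omitting the view changes all views, and those three failure codes, so the control-channel contract is visible without reading server.c.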
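Review bot: The two added lines AND a message-flag constant into `client->opt->ttl`, which only makes sense because, per EDNS, the OPT RR's TTL field carries the extended flags (the same `DNS_MESSAGEEXTFLAG_DO` just cleared from `client->extflags`); without a comment a reader will take a flag masked into a TTL for a bug. I would put `/* The OPT TTL carries the EDNS flags: clear DO there too so the OPT we echo back does not advertise DNSSEC. */` above the new `if`. Note the guard is `enablednssec`, not the per-view `enablevalidation` switch this commit introduces, so a response built while validation is disabled by rndc is presumably handled elsewhere; that path is outside this hunk and worth a pointer. ns_query_start() starts and ends outside the hunk.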
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: server.c,v 1.419.18.43 2006/03/09 23:38:20 marka Exp $ */
+/* $Id: server.c,v 1.419.18.44 2006/03/09 23:46:20 marka Exp $ */
 
 /*! \file */
 
@@ -1552,6 +1552,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
 if (result == ISC_R_SUCCESS)
 CHECK(mustbesecure(obj, view->resolver));
+ } else {
+ if (view->secroots != NULL)
+ dns_keytable_detach(&view->secroots);
+ dns_resolver_resetmustbesecure(view->resolver);
 }
 
 obj = NULL;
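Review bot: The new `else` branch detaches `view->secroots` and resets must-be-secure without saying why, and the `if` it pairs with begins outside the hunk, so the reader cannot see that this is the validation-disabled case (I infer it from the must-be-secure handling on the `if` side and from the CHANGES entry). I would add `/* Validation is off for this view: drop any trust anchors and must-be-secure names carried over from the previous configuration. */` as the first line of the branch. This also means a reconfig rebuilds the view's DNSSEC state from named.conf while the run-time `rndc validation` switch only flips `view->enablevalidation`; whether an rndc override survives `rndc reconfig` is decided by code outside this hunk and should be documented either way. configure_view() starts and ends outside the hunk.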
@@ -4503,6 +4507,59 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
 return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args) {
+ char *ptr, *viewname;
+ dns_view_t *view;
+ isc_boolean_t changed = ISC_FALSE;
+ isc_result_t result;
+ isc_boolean_t enable;
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /* Find out what we are to do. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+ !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+ enable = ISC_TRUE;
+ else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+ !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+ enable = ISC_FALSE;
+ else
+ return (DNS_R_SYNTAX);
+
+ /* Look for the view name. */
+ viewname = next_token(&args, " \t");
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+ continue;
+ result = dns_view_flushcache(view);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ view->enablevalidation = enable;
+ changed = ISC_TRUE;
+ }
+ if (changed)
+ result = ISC_R_SUCCESS;
+ else
+ result = ISC_R_FAILURE;
+ out:
+ isc_task_endexclusive(server->task);
+ return (result);
+}
+
 isc_result_t
 ns_server_flushcache(ns_server_t *server, char *args) {
 char *ptr, *viewname;
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 5a274a21f85..5a79203c063 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: rndc.c,v 1.96.18.14 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: rndc.c,v 1.96.18.15 2006/03/09 23:46:20 marka Exp $ */
 
 /*! \file */
 
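Review bot: ns_server_validation() switches validation off for every view when no view name is given, yet nothing in the loop records the change, so an operator auditing why answers stopped carrying AD has no log line to find; I would add, right after `view->enablevalidation = enable;`, `isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, <the server log module this file uses>, ISC_LOG_INFO, "dnssec validation %s for view '%s'", enable ? "enabled" : "disabled", view->name);`. The `goto out` on a dns_view_flushcache() failure also leaves views already visited switched and later ones untouched, with only the flush error reported; either set the flag before the flush or log each view so the partial state is visible. Returning ISC_R_FAILURE when `viewname` matches nothing is less informative than ISC_R_NOTFOUND, which rndc already renders as a readable message. Finally, enabling validation on a view that was configured with it off sets the flag on a view whose secroots the configure_view() hunk in this commit detaches, so the switch may take effect with no trust anchors loaded; that interaction is outside this hunk and worth a comment or a check.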
@@ -132,6 +132,8 @@ command is one of the following:\n\ Flush the given name from the server's cache(s)\n\ status Display status of the server.\n\ recursing Dump the queries that are currently recursing (named.recursing)\n\ + validation newstate [view]\n\ + Enable / disable DNSSEC validation.\n\ *restart Restart the server.\n\ \n\ * == not yet implemented\n\ diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 608c91618eb..8558637c975 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.119.18.24 2006/02/26 22:59:56 marka Exp $ */ +/* $Id: validator.c,v 1.119.18.25 2006/03/09 23:46:20 marka Exp $ */ /*! \file */ @@ -71,9 +71,9 @@ * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep -> * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure * - * \li When called without a rdataset and with DNS_VALIDATOR_DLV: - * validator_start -> startfinddlvsep -> dlv_validator_start -> - * validator_start -> nsecvalidate -> proveunsecure + * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate() + * to always validate the authority section even when it does not contain + * signatures. * * validator_start: determines what type of validation to do. * validate: attempts to perform a positive validation. @@ -92,7 +92,6 @@ * have attempted a verify. */ #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */ #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */ -#define VALATTR_AUTHNONPENDING 0x0040 /*%< Tidy up pending auth. */ /*! * NSEC proofs to be looked for. 
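Review bot: The new usage line `validation newstate [view]` does not tell the operator what `newstate` may be, while named's ns_server_validation() in this commit accepts only on/yes/enable/true and off/no/disable/false and rejects anything else with a syntax error, and omitting the view silently changes every view. I would change the two lines to `validation on|off [view]\n\` and `Enable / disable DNSSEC validation (all views if none given).\n\`.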
@@ -157,18 +156,11 @@ dlv_validator_start(dns_validator_t *val); static isc_result_t finddlvsep(dns_validator_t *val, isc_boolean_t resume); -static void -auth_nonpending(dns_message_t *message); - static isc_result_t startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure); /*% * Mark the RRsets as a answer. - * - * If VALATTR_AUTHNONPENDING is set then this is a negative answer - * in a insecure zone. We need to mark any pending RRsets as - * dns_trust_authauthority answers (this is deferred from resolver.c). */ static inline void markanswer(dns_validator_t *val) { @@ -177,9 +169,6 @@ markanswer(dns_validator_t *val) { val->event->rdataset->trust = dns_trust_answer; if (val->event->sigrdataset != NULL) val->event->sigrdataset->trust = dns_trust_answer; - if (val->event->message != NULL && - (val->attributes & VALATTR_AUTHNONPENDING) != 0) - auth_nonpending(val->event->message); } static void @@ -218,31 +207,6 @@ exit_check(dns_validator_t *val) { return (ISC_TRUE); } -/*% - * Mark pending answers in the authority section as dns_trust_authauthority. - */ -static void -auth_nonpending(dns_message_t *message) { - isc_result_t result; - dns_name_t *name; - dns_rdataset_t *rdataset; - - for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); - result == ISC_R_SUCCESS; - result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) - { - name = NULL; - dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) - { - if (rdataset->trust == dns_trust_pending) - rdataset->trust = dns_trust_authauthority; - } - } -} - /*% * Look in the NSEC record returned from a DS query to see if there is * a NS RRset at this name. If it is found we are at a delegation point. 
@@ -2136,8 +2100,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { sigrdataset->covers == rdataset->type) break; } - if (sigrdataset == NULL) - continue; /* * If a signed zone is missing the zone key, bad * things could happen. A query for data in the zone @@ -2226,7 +2188,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) not found"); - val->attributes |= VALATTR_AUTHNONPENDING; val->attributes |= VALATTR_INSECURITY; return (proveunsecure(val, ISC_FALSE)); } @@ -2753,7 +2714,8 @@ validator_start(isc_task_t *task, isc_event_t *event) { LOCK(&val->lock); - if ((val->options & DNS_VALIDATOR_DLV) != 0) { + if ((val->options & DNS_VALIDATOR_DLV) != 0 && + val->event->rdataset != NULL) { validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV"); result = startfinddlvsep(val, dns_rootname); } else if (val->event->rdataset != NULL &&
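Review bot: Removing `if (sigrdataset == NULL) continue;` means every statement that follows in this loop now also runs for authority RRsets with no covering RRSIG, with `sigrdataset` left NULL; those statements are outside the hunk, so I cannot confirm each use of `sigrdataset` below is guarded, and a NULL dereference in the validator is reachable from any remote response. Please check the rest of the loop body, and add a one-line comment where the guard was, e.g. `/* sigrdataset may be NULL here: unsigned authority RRsets are no longer skipped. */`, so the new invariant is explicit. nsecvalidate() starts and ends outside the hunk.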