diff --git a/bin/named/config.c b/bin/named/config.c
index 43269b4a3a..a2d2eb7ea7 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -195,6 +195,7 @@ options {\n\
 resolver-nonbackoff-tries 3;\n\
 resolver-retry-interval 800; /* in milliseconds */\n\
 # rfc2308-type1 ;\n\
+ root-key-sentinel yes;\n\
 servfail-ttl 1;\n\
 # sortlist \n\
 stale-answer-enable false;\n\
diff --git a/bin/named/server.c b/bin/named/server.c
index faf6481778..e037557f6c 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4682,6 +4682,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 INSIST(result == ISC_R_SUCCESS);
 view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
+ obj = NULL;
+ result = named_config_get(maps, "root-key-sentinel", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->root_key_sentinel = cfg_obj_asboolean(obj);
+
 CHECK(configure_view_acl(vconfig, config, named_g_config, "allow-query-cache-on", NULL, actx, named_g_mctx, &view->cacheonacl));
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index d57aa019bc..d1e8a8d621 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5845,6 +5845,17 @@ options {
+
+ root-key-sentinel
+
+
+ Respond to root key sentinel probes as described in
+ draft-ietf-dnsop-kskroll-sentinel-08. The default is
+ yes.
+
+
+
+
 maintain-ixfr-base
diff --git a/doc/misc/options b/doc/misc/options
index 2604c6c951..6606dc93e1 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -318,6 +318,7 @@ options {
 } ];
 rfc2308-type1 ; // not yet implemented
 root-delegation-only [ exclude { ; ... } ];
+ root-key-sentinel ;
 rrset-order { [ class ] [ type ] [ name ] ; ... };
 secroots-file ;
@@ -643,6 +644,7 @@ view [ ] {
 dnsrps-enable ] [ dnsrps-options { } ];
 rfc2308-type1 ; // not yet implemented
+ root-key-sentinel ;
 root-delegation-only [ exclude { ; ... } ];
 rrset-order { [ class ] [ type ] [ name ] ; ... }; 
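Review bot: The built-in default `root-key-sentinel yes;` added to the defaults string means every view answers sentinel probes unless an operator opts out, and, as far as the draft's mechanism goes, each answer tells the client whether a given root key ID is among the view's trust anchors — the ARM entry in this same commit only names the draft and does not say that. I would add to the ARM paragraph: `Answering these probes reveals to any client permitted to query whether the resolver trusts a particular root key; set this to no if that information should not be exposed.` The default here agrees with the `ISC_TRUE` initializer in lib/dns/view.c, so the `INSIST(result == ISC_R_SUCCESS)` after the `named_config_get(maps, "root-key-sentinel", &obj)` lookup in server.c should always hold; a one-line comment there, `/* default is supplied by the built-in config in config.c */`, would make that dependency explicit for whoever next edits the defaults. configure_view continues outside the hunk.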
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index df49832e5d..3fd4959506 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -125,6 +125,7 @@ struct dns_view {
 isc_boolean_t requireservercookie;
 isc_boolean_t synthfromdnssec;
 isc_boolean_t trust_anchor_telemetry;
+ isc_boolean_t root_key_sentinel;
 dns_transfer_format_t transfer_format;
 dns_acl_t * cacheacl;
 dns_acl_t * cacheonacl;
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 049d0fd59f..8fbdd7bf85 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -242,6 +242,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 view->requireservercookie = ISC_FALSE;
 view->synthfromdnssec = ISC_TRUE;
 view->trust_anchor_telemetry = ISC_TRUE;
+ view->root_key_sentinel = ISC_TRUE;
 view->new_zone_dir = NULL;
 view->new_zone_file = NULL;
 view->new_zone_db = NULL;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 710dd12a05..07feeb3713 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1958,6 +1958,7 @@ view_clauses[] = {
 { "response-policy", &cfg_type_rpz, 0 },
 { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
 { "root-delegation-only", &cfg_type_optional_exclude, 0 },
+ { "root-key-sentinel", &cfg_type_boolean, 0 },
 { "rrset-order", &cfg_type_rrsetorder, 0 },
 { "send-cookie", &cfg_type_boolean, 0 },
 { "servfail-ttl", &cfg_type_ttlval, 0 },
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 275b230432..790840f6d1 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5227,7 +5227,8 @@ ns__query_start(query_ctx_t *qctx) {
 /*
 * Setup for root key sentinel processing.
 */
- if (qctx->client->query.restarts == 0 &&
+ if (qctx->client->view->root_key_sentinel &&
+ qctx->client->query.restarts == 0 &&
 (qctx->qtype == dns_rdatatype_a ||
 qctx->qtype == dns_rdatatype_aaaa) &&
 (qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0)
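Review bot: The new leading `qctx->client->view->root_key_sentinel &&` test in ns__query_start gates only the setup block that follows this condition; whether disabling the option is complete depends on every later stage that acts on sentinel state being reachable solely through what this block sets up, which I cannot confirm from the hunk (the body of the `if` and the rest of ns__query_start lie outside it). If any later code path inspects per-client sentinel state independently, it must either be gated on the same view flag or rely on that state being reset at query start — worth checking before merging. The existing comment should also record the new behaviour so the next reader does not have to find the option by grep: `* Setup for root key sentinel processing. Skipped entirely when the view's root-key-sentinel option is "no".` Putting the view flag first so the cheap boolean short-circuits the qtype and CD-bit tests on every A/AAAA query is the right ordering.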