diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 0c5215bbc7..de2e3650bf 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -2445,14 +2445,17 @@ allow-update { key host1-host2. ;}; To enable named to respond appropriately to DNS requests from DNSSEC aware clients, dnssec-enable must be set to yes. + (This is the default setting.) To enable named to validate answers from - other servers both dnssec-enable and - dnssec-validation must be set and some - trusted-keys must be configured - into named.conf. + other servers, the dnssec-enable and + dnssec-validation options must both be + set to yes (the default setting in BIND 9.5 + and later), and at least one trust anchor must be configured + with a trusted-keys statement in + named.conf. 
@@ -2531,6 +2534,41 @@ options { the root key is not valid. + + When DNSSEC validation is enabled and properly configured, + the resolver will reject any answers from signed, secure zones + which fail to validate, and will return SERVFAIL to the client. + + + + Responses may fail to validate for any of several reasons, + including missing, expired, or invalid signatures, a key which + does not match the DS RRset in the parent zone, or an insecure + response from a zone which, according to its parent, should have + been secure. + + + + + When the validator receives a response from an unsigned zone + that has a signed parent, it must confirm with the parent + that the zone was intentionally left unsigned. It does + this by verifying, via signed and validated NSEC/NSEC3 records, + that the parent zone contains no DS records for the child. + + + If the validator can prove that the zone + is insecure, then the response is accepted. However, if it + cannot, then it must assume an insecure response to be a + forgery; it rejects the response and logs an error. + + + The logged error reads "insecurity proof failed" and + "got insecure response; parent indicates it should be secure". + (Prior to BIND 9.7, the logged error was "not insecure". + This referred to the zone, not the response.) + + @@ -2539,10 +2577,9 @@ options { BIND 9 fully supports all currently - defined forms of IPv6 - name to address and address to name lookups. It will also use - IPv6 addresses to make queries when running on an IPv6 capable - system. + defined forms of IPv6 name to address and address to name + lookups. It will also use IPv6 addresses to make queries when + running on an IPv6 capable system. @@ -4325,8 +4362,7 @@ category notify { null; }; Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to - query - those servers during resolution. + query those servers during resolution. 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 26aa60c3b9..62cc7246f6 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.172 2009/03/17 23:48:02 tbox Exp $ */
+/* $Id: validator.c,v 1.173 2009/03/23 22:30:57 each Exp $ */
 #include
@@ -3558,7 +3558,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 if (result != DNS_R_NOTINSECURE)
 validator_log(val, ISC_LOG_INFO,
 "got insecure response; "
- "could not prove it was valid");
+ "parent indicates it should be secure");
 } else if (val->event->rdataset == NULL &&
 val->event->sigrdataset == NULL) {
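Review bot: The message on the added line asserts a specific cause, "parent indicates it should be secure", but the guard on the preceding context line is `if (result != DNS_R_NOTINSECURE)`, which emits it for every outcome of the insecurity proof except the one whose name matches that cause. The documentation hunk in this same commit says the old "not insecure" wording referred to the zone, i.e. DNS_R_NOTINSECURE is the result of a proof that failed because the parent has a DS, so the condition looks inverted and should presumably read `if (result == DNS_R_NOTINSECURE)`; as written, the INFO line would appear on a successful or still-pending proof and stay silent on the failed one, which is the case an operator needs when looking for a stripped-signature downgrade. The call that sets `result` is above the hunk, so this is inferred from the comparison and the result name rather than from the call site; if that call can also fail for other reasons (lookup or resource errors), appending `isc_result_totext(result)` to the message would let the log distinguish "parent has a DS" from "could not complete the proof". validator_start begins and ends outside the hunk.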