ARM and log message changes to clarify "insecure response". [rt19400]
@@ -18,7 +18,7 @@
|
|||||||
- PERFORMANCE OF THIS SOFTWARE.
|
- PERFORMANCE OF THIS SOFTWARE.
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.404 2009/03/13 01:51:50 jinmei Exp $ -->
|
<!-- File: $Id: Bv9ARM-book.xml,v 1.405 2009/03/23 22:30:56 each Exp $ -->
|
||||||
<book xmlns:xi="http://www.w3.org/2001/XInclude">
|
<book xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||||
<title>BIND 9 Administrator Reference Manual</title>
|
<title>BIND 9 Administrator Reference Manual</title>
|
||||||
|
|
||||||
@@ -2445,14 +2445,17 @@ allow-update { key host1-host2. ;};
|
|||||||
To enable <command>named</command> to respond appropriately
|
To enable <command>named</command> to respond appropriately
|
||||||
to DNS requests from DNSSEC aware clients,
|
to DNS requests from DNSSEC aware clients,
|
||||||
<command>dnssec-enable</command> must be set to yes.
|
<command>dnssec-enable</command> must be set to yes.
|
||||||
|
(This is the default setting.)
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
To enable <command>named</command> to validate answers from
|
To enable <command>named</command> to validate answers from
|
||||||
other servers both <command>dnssec-enable</command> and
|
other servers, the <command>dnssec-enable</command> and
|
||||||
<command>dnssec-validation</command> must be set and some
|
<command>dnssec-validation</command> options must both be
|
||||||
<command>trusted-keys</command> must be configured
|
set to yes (the default setting in <acronym>BIND</acronym> 9.5
|
||||||
into <filename>named.conf</filename>.
|
and later), and at least one trust anchor must be configured
|
||||||
|
with a <command>trusted-keys</command> statement in
|
||||||
|
<filename>named.conf</filename>.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
@@ -2531,6 +2534,41 @@ options {
|
|||||||
the root key is not valid.
|
the root key is not valid.
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
When DNSSEC validation is enabled and properly configured,
|
||||||
|
the resolver will reject any answers from signed, secure zones
|
||||||
|
which fail to validate, and will return SERVFAIL to the client.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
Responses may fail to validate for any of several reasons,
|
||||||
|
including missing, expired, or invalid signatures, a key which
|
||||||
|
does not match the DS RRset in the parent zone, or an insecure
|
||||||
|
response from a zone which, according to its parent, should have
|
||||||
|
been secure.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>
|
||||||
|
When the validator receives a response from an unsigned zone
|
||||||
|
that has a signed parent, it must confirm with the parent
|
||||||
|
that the zone was intentionally left unsigned. It does
|
||||||
|
this by verifying, via signed and validated NSEC/NSEC3 records,
|
||||||
|
that the parent zone contains no DS records for the child.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
If the validator <emphasis>can</emphasis> prove that the zone
|
||||||
|
is insecure, then the response is accepted. However, if it
|
||||||
|
cannot, then it must assume an insecure response to be a
|
||||||
|
forgery; it rejects the response and logs an error.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
The logged error reads "insecurity proof failed" and
|
||||||
|
"got insecure response; parent indicates it should be secure".
|
||||||
|
(Prior to BIND 9.7, the logged error was "not insecure".
|
||||||
|
This referred to the zone, not the response.)
|
||||||
|
</para>
|
||||||
|
</note>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
</sect1>
|
</sect1>
|
||||||
@@ -2539,10 +2577,9 @@ options {
|
|||||||
|
|
||||||
<para>
|
<para>
|
||||||
<acronym>BIND</acronym> 9 fully supports all currently
|
<acronym>BIND</acronym> 9 fully supports all currently
|
||||||
defined forms of IPv6
|
defined forms of IPv6 name to address and address to name
|
||||||
name to address and address to name lookups. It will also use
|
lookups. It will also use IPv6 addresses to make queries when
|
||||||
IPv6 addresses to make queries when running on an IPv6 capable
|
running on an IPv6 capable system.
|
||||||
system.
|
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
@@ -4325,8 +4362,7 @@ category notify { null; };
|
|||||||
<para>
|
<para>
|
||||||
Lame servers. These are misconfigurations
|
Lame servers. These are misconfigurations
|
||||||
in remote servers, discovered by BIND 9 when trying to
|
in remote servers, discovered by BIND 9 when trying to
|
||||||
query
|
query those servers during resolution.
|
||||||
those servers during resolution.
|
|
||||||
</para>
|
</para>
|
||||||
</entry>
|
</entry>
|
||||||
</row>
|
</row>
|
||||||
|
@@ -15,7 +15,7 @@
|
|||||||
* PERFORMANCE OF THIS SOFTWARE.
|
* PERFORMANCE OF THIS SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $Id: validator.c,v 1.172 2009/03/17 23:48:02 tbox Exp $ */
|
/* $Id: validator.c,v 1.173 2009/03/23 22:30:57 each Exp $ */
|
||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
@@ -3558,7 +3558,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
|
|||||||
if (result != DNS_R_NOTINSECURE)
|
if (result != DNS_R_NOTINSECURE)
|
||||||
validator_log(val, ISC_LOG_INFO,
|
validator_log(val, ISC_LOG_INFO,
|
||||||
"got insecure response; "
|
"got insecure response; "
|
||||||
"could not prove it was valid");
|
"parent indicates it should be secure");
|
||||||
} else if (val->event->rdataset == NULL &&
|
} else if (val->event->rdataset == NULL &&
|
||||||
val->event->sigrdataset == NULL)
|
val->event->sigrdataset == NULL)
|
||||||
{
|
{
|
||||||
|