mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

3001. [func] Added a default trust anchor for the root zone, which

Browse Source 
can be switched on by setting "dnssec-validation auto;"
			in the named.conf options. [RT #21727]
This commit is contained in:
Evan Hunt 2011-01-03 23:45:08 +00:00
parent f098c65191
commit 79bf7c874b
16 changed files with 452 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -1,3 +1,7 @@
3001. [func] Added a default trust anchor for the root zone, which
can be switched on by setting "dnssec-validation auto;"
in the named.conf options. [RT #21727]
3000. [bug] More TKEY/GSS fixes:
- nsupdate can now get the default realm from
the user's Kerberos principal

94
bin/named/bind.keys.h
View File

@ -3,19 +3,97 @@
* From bind.keys 1.6 2010/06/20 07:15:28 marka Exp
*/
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
trusted-keys {\n\
# NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# in named.conf.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\
"
#define MANAGED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
managed-keys {\n\
# NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# in named.conf.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\
"

8
bin/named/bindkeys.pl
View File

@ -14,12 +14,12 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $
# $Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $
use strict;
use warnings;
my $rev = '$Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $';
my $rev = '$Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $';
$rev =~ s/\$//g;
$rev =~ s/,v//g;
$rev =~ s/Id: //;
@ -31,7 +31,7 @@ while (<>) {
chomp;
if (/\/\* .Id:.* \*\//) {
$keys = $_;
next;
next;
}
s/\"/\\\"/g;
s/$/\\n\\/;
@ -48,7 +48,7 @@ print "/*\n * Generated by $rev \n * From $keys\n */\n";
my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";
$lines =~ s/managed-keys/trusted-keys/;
$lines =~ s/\s+initial-key//;
$lines =~ s/\s+initial-key//g;
my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";
print $tkey;

103
bin/named/server.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.591 2010/12/18 01:56:19 each Exp $ */
/* $Id: server.c,v 1.592 2011/01/03 23:45:07 each Exp $ */
/*! \file */
@ -602,7 +602,8 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
static isc_result_t
load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
dns_view_t *view, isc_boolean_t managed, isc_mem_t *mctx)
dns_view_t *view, isc_boolean_t managed,
dns_name_t *keyname, isc_mem_t *mctx)
{
const cfg_listelt_t *elt, *elt2;
const cfg_obj_t *key, *keylist;
@ -630,6 +631,16 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* If keyname was specified, we only add that key.
*/
if (keyname != NULL &&
!dns_name_equal(keyname, dst_key_name(dstkey)))
{
dst_key_free(&dstkey);
continue;
}
CHECK(dns_keytable_add(secroots, managed, &dstkey));
}
}
@ -653,15 +664,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
static isc_result_t
configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *config, const cfg_obj_t *bindkeys,
isc_boolean_t auto_dlv, isc_mem_t *mctx)
isc_boolean_t auto_dlv, isc_boolean_t auto_root,
isc_mem_t *mctx)
{
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
@ -707,9 +717,12 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
}
if (auto_dlv && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"using built-in trusted-keys for view %s",
"using built-in DLV key for view %s",
view->name);
/*
@ -730,19 +743,56 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (builtin_keys != NULL)
CHECK(load_view_keys(builtin_keys, vconfig, view,
ISC_FALSE, mctx));
ISC_FALSE, view->dlv, mctx));
if (builtin_managed_keys != NULL)
CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, mctx));
view, ISC_TRUE, view->dlv, mctx));
}
CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx));
if (auto_root && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"using built-in root key for view %s",
view->name);
/*
* If bind.keys exists, it overrides the managed-keys
* clause hard-coded in ns_g_config.
*/
if (bindkeys != NULL) {
(void)cfg_map_get(bindkeys, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(bindkeys, "managed-keys",
&builtin_managed_keys);
} else {
(void)cfg_map_get(ns_g_config, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(ns_g_config, "managed-keys",
&builtin_managed_keys);
}
if (builtin_keys != NULL)
CHECK(load_view_keys(builtin_keys, vconfig, view,
ISC_FALSE, dns_rootname, mctx));
if (builtin_managed_keys != NULL)
CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, dns_rootname,
mctx));
}
CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
NULL, mctx));
CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
NULL, mctx));
if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
mctx));
NULL, mctx));
CHECK(load_view_keys(global_managed_keys, vconfig, view,
ISC_TRUE, mctx));
ISC_TRUE, NULL, mctx));
}
/*
@ -1374,6 +1424,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL;
isc_boolean_t auto_dlv = ISC_FALSE;
isc_boolean_t auto_root = ISC_FALSE;
ns_cache_t *nsc;
isc_boolean_t zero_no_soattl;
cfg_parser_t *newzones_parser = NULL;
@ -1740,7 +1791,13 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
obj = NULL;
result = ns_config_get(maps, "dnssec-validation", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablevalidation = cfg_obj_asboolean(obj);
if (cfg_obj_isboolean(obj)) {
view->enablevalidation = cfg_obj_asboolean(obj);
} else {
/* If dnssec-validation is not boolean, it must be "auto" */
view->enablevalidation = ISC_TRUE;
auto_root = ISC_TRUE;
}
obj = NULL;
result = ns_config_get(maps, "max-cache-ttl", &obj);
@ -2362,24 +2419,6 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
dns_name_t *dlv;
obj = cfg_listelt_value(element);
#if 0
dns_fixedname_t fixed;
dns_name_t *name;
/*
* When we support multiple dnssec-lookaside
* entries this is how to find the domain to be
* checked. XXXMPA
*/
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
str = cfg_obj_asstring(cfg_tuple_get(obj,
"domain"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname,
0, NULL));
#endif
str = cfg_obj_asstring(cfg_tuple_get(obj,
"trust-anchor"));
isc_buffer_init(&b, str, strlen(str));
@ -2397,7 +2436,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
* "security roots".
*/
CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
auto_dlv, mctx));
auto_dlv, auto_root, mctx));
dns_resolver_resetmustbesecure(view->resolver);
obj = NULL;
result = ns_config_get(maps, "dnssec-must-be-secure", &obj);

6
bin/tests/system/dnssec/README
View File

@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2002 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
$Id: README,v 1.8 2004/03/05 05:00:08 marka Exp $
$Id: README,v 1.9 2011/01/03 23:45:07 each Exp $
The test setup for the DNSSEC tests has a secure root.
@ -15,3 +15,7 @@ for the root.
ns5 is a caching-only server, configured with the an incorrect trusted
key for the root. It is used for testing failure cases.
ns6 is a caching-only server configured to use DLV.
ns7 is used for checking non-cacheable answers.

7
bin/tests/system/dnssec/clean.sh
View File

@ -15,9 +15,10 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.31 2010/12/18 02:12:44 each Exp $
# $Id: clean.sh,v 1.32 2011/01/03 23:45:07 each Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
@ -44,4 +45,4 @@ rm -f ns1/managed.key.id
rm -f signer/example.db
rm -f ns2/algroll.db
rm -f ns3/kskonly.example.db
rm -f ns4/named.conf

15
bin/tests/system/dnssec/ns1/sign.sh
View File

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.34 2010/11/16 01:14:51 marka Exp $
# $Id: sign.sh,v 1.35 2011/01/03 23:45:07 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -39,7 +39,6 @@ cat $infile $keyname.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
# Configure the resolving server with a trusted key.
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
@ -49,11 +48,23 @@ trusted-keys {
};
EOF
' > trusted.conf
# ...or with a managed key.
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
managed-keys {
"$dn" initial-key $flags $proto $alg "$key";
};
EOF
' > managed.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf
cp managed.conf ../ns4/managed.conf
#
# Save keyid for managed key id test.
#

60
bin/tests/system/dnssec/ns4/named1.conf Normal file
View File

@ -0,0 +1,60 @@
/*
* Copyright (C) 2004, 2006, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named1.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */
// NS4
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
# Note: We only reference the bind.keys file here to confirm that it
# is *not* being used. It contains the real root key, and we're
# using a local toy root zone for the tests, so it wouldn't work.
# But since dnssec-validation is set to "yes" not "auto", that
# won't matter.
bindkeys-file "../../../../../bind.keys";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";

8
bin/tests/system/dnssec/ns4/named.conf → bin/tests/system/dnssec/ns4/named2.conf
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.30 2010/06/25 23:46:51 tbox Exp $ */
/* $Id: named2.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */
// NS4
@ -32,8 +32,8 @@ options {
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
};
key rndc_key {
@ -49,5 +49,3 @@ zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";

4
bin/tests/system/dnssec/setup.sh
View File

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.17 2009/10/27 22:25:37 marka Exp $
# $Id: setup.sh,v 1.18 2011/01/03 23:45:07 each Exp $
../../../tools/genrandom 400 random.data
@ -23,4 +23,6 @@ cd ns1 && sh sign.sh
echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed
cd ../ns4 && cp -f named1.conf named.conf
cd ../ns5 && cp -f trusted.conf.bad trusted.conf

54
bin/tests/system/dnssec/tests.sh
View File

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.71 2010/11/16 01:14:51 marka Exp $
# $Id: tests.sh,v 1.72 2011/01/03 23:45:07 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -1055,5 +1055,57 @@ else
echo "I:The DNSSEC update test requires the Net::DNS library." >&2
fi
# Reconfigure caching server to use "dnssec-validation auto", and repeat
# some of the DNSSEC validation tests to ensure that it works correctly.
echo "I:switching to automatic root key configuration"
cp ns4/named2.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 5
echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking negative validation ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status

49
bind.keys
View File

@ -1,7 +1,46 @@
/* $Id: bind.keys,v 1.6 2010/06/20 07:15:28 marka Exp $ */
/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# NOTE: This key is current as of October 2009.
# If it fails to initialize correctly, it may have expired;
# see https://www.isc.org/solutions/dlv for a replacement.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};

53
doc/arm/Bv9ARM-book.xml
View File

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.471 2010/12/25 22:01:35 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.472 2011/01/03 23:45:08 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -2614,13 +2614,23 @@ allow-update { key host1-host2. ;};
<para>
To enable <command>named</command> to validate answers from
other servers, the <command>dnssec-enable</command> and
<command>dnssec-validation</command> options must both be
set to yes (the default setting in <acronym>BIND</acronym> 9.5
and later), and at least one trust anchor must be configured
other servers, the <command>dnssec-enable</command> option
must be set to <userinput>yes</userinput>, and the
<command>dnssec-validation</command> options must be set to
<userinput>yes</userinput> or <userinput>auto</userinput>.
</para>
<para>
If <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, then a default
trust anchor for the DNS root zone will be used.
If it is set to <userinput>yes</userinput>, however,
then at least one trust anchor must be configured
with a <command>trusted-keys</command> or
<command>managed-keys</command> statement in
<filename>named.conf</filename>.
<filename>named.conf</filename>, or DNSSEC validation
will not occur. The default setting is
<userinput>yes</userinput>.
</para>
<para>
@ -5006,7 +5016,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional>
<optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
<replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
@ -5487,7 +5497,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The pathname of a file to override the built-in trusted
keys provided by <command>named</command>.
See the discussion of <command>dnssec-lookaside</command>
for details. If not specified, the default is
and <command>dnssec-validation</command> for details.
If not specified, the default is
<filename>/etc/bind.keys</filename>.
</para>
</listitem>
@ -5694,10 +5705,10 @@ options {
</para>
<para>
The default DLV key is stored in the file
<filename>bind.keys</filename>, which
<command>named</command> loads at startup if
<command>dnssec-lookaside</command> is set to
<constant>auto</constant>. A copy of that file is
<filename>bind.keys</filename>;
<command>named</command> will load that key at
startup if <command>dnssec-lookaside</command> is set to
<constant>auto</constant>. A copy of the file is
installed along with <acronym>BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <filename>bind.keys</filename> can be downloaded
@ -5711,10 +5722,10 @@ options {
to be recompiled with a new key when the DLV key expires.)
</para>
<para>
NOTE: Using <filename>bind.keys</filename> to store
locally-configured keys is possible, but not
recommended, as the file will be overwritten whenever
<acronym>BIND</acronym> 9 is re-installed or upgraded.
NOTE: <command>named</command> only loads certain specific
keys from <filename>bind.keys</filename>: those for the
DLV zone and for the DNS root zone. The file cannot be
used to store keys for other zones.
</para>
</listitem>
</varlistentry>
@ -6595,7 +6606,15 @@ options {
Enable DNSSEC validation in <command>named</command>.
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
The default is <userinput>yes</userinput>.
If set to <userinput>no</userinput>, DNSSEC validation
is disabled. If set to <userinput>auto</userinput>,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
<userinput>yes</userinput>, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a <command>trusted-keys</command> or
<command>managed-keys</command> statement. The default
is <userinput>yes</userinput>.
</para>
</listitem>
</varlistentry>

8
lib/isccfg/include/isccfg/grammar.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: grammar.h,v 1.22 2010/08/11 18:14:20 each Exp $ */
/* $Id: grammar.h,v 1.23 2011/01/03 23:45:08 each Exp $ */
#ifndef ISCCFG_GRAMMAR_H
#define ISCCFG_GRAMMAR_H 1
@ -328,9 +328,15 @@ cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
isc_result_t
cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
isc_result_t
cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
void
cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
void
cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj);
void
cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);

57
lib/isccfg/namedconf.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.126 2010/12/18 01:56:23 each Exp $ */
/* $Id: namedconf.c,v 1.127 2011/01/03 23:45:08 each Exp $ */
/*! \file */
@ -658,10 +658,60 @@ static cfg_type_t cfg_type_qstringornone = {
NULL, NULL
};
/*%
* A boolean ("yes" or "no"), or the special keyword "auto".
* Used in the dnssec-validation option.
*/
static void
print_auto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
UNUSED(obj);
cfg_print_cstr(pctx, "auto");
}
static cfg_type_t cfg_type_auto = {
"auto", NULL, print_auto, NULL, &cfg_rep_void, NULL
};
static isc_result_t
parse_boolorauto(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
isc_result_t result;
CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
if (pctx->token.type == isc_tokentype_string &&
strcasecmp(TOKEN_STRING(pctx), "auto") == 0)
return (cfg_create_obj(pctx, &cfg_type_auto, ret));
cfg_ungettoken(pctx);
return (cfg_parse_boolean(pctx, type, ret));
cleanup:
return (result);
}
static void
print_boolorauto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
if (obj->type->rep == &cfg_rep_void)
cfg_print_chars(pctx, "auto", 4);
else if (obj->value.boolean)
cfg_print_chars(pctx, "yes", 3);
else
cfg_print_chars(pctx, "no", 2);
}
static void
doc_boolorauto(cfg_printer_t *pctx, const cfg_type_t *type) {
UNUSED(type);
cfg_print_cstr(pctx, "( yes | no | auto )");
}
static cfg_type_t cfg_type_boolorauto = {
"boolorauto", parse_boolorauto, print_boolorauto,
doc_boolorauto, NULL, NULL
};
/*%
* keyword hostname
*/
static void
print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
UNUSED(obj);
@ -893,7 +943,6 @@ options_clauses[] = {
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_namelist = {
"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring };
@ -1046,7 +1095,7 @@ view_clauses[] = {
{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },
{ "dnssec-validation", &cfg_type_boolean, 0 },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
{ "edns-udp-size", &cfg_type_uint32, 0 },
{ "empty-contact", &cfg_type_astring, 0 },

12
lib/isccfg/parser.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: parser.c,v 1.137 2010/11/16 05:38:31 marka Exp $ */
/* $Id: parser.c,v 1.138 2011/01/03 23:45:08 each Exp $ */
/*! \file */
@ -868,8 +868,8 @@ cfg_obj_asboolean(const cfg_obj_t *obj) {
return (obj->value.boolean);
}
static isc_result_t
parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
isc_result_t
cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
{
isc_result_t result;
isc_boolean_t value;
@ -908,8 +908,8 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
return (result);
}
static void
print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
void
cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
if (obj->value.boolean)
cfg_print_chars(pctx, "yes", 3);
else
@ -917,7 +917,7 @@ print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
}
cfg_type_t cfg_type_boolean = {
"boolean", parse_boolean, print_boolean, cfg_doc_terminal,
"boolean", cfg_parse_boolean, cfg_print_boolean, cfg_doc_terminal,
&cfg_rep_boolean, NULL
};