diff --git a/CHANGES b/CHANGES index b22f5d1b96..0ec9c507d6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3001. [func] Added a default trust anchor for the root zone, which + can be switched on by setting "dnssec-validation auto;" + in the named.conf options. [RT #21727] + 3000. [bug] More TKEY/GSS fixes: - nsupdate can now get the default realm from the user's Kerberos principal diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h index e023a7842f..bae6ecc2df 100644 --- a/bin/named/bind.keys.h +++ b/bin/named/bind.keys.h 
@@ -3,19 +3,97 @@ * From bind.keys 1.6 2010/06/20 07:15:28 marka Exp */ #define TRUSTED_KEYS "\ +# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\ +# which are included as part of BIND 9. As of the current release, the only\n\ +# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\ +# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\ +# for any other zones MUST be configured elsewhere; if they are configured\n\ +# here, they will not be recognized or used by named.\n\ +#\n\ +# The built-in trust anchors are provided for convenience of configuration.\n\ +# They are not activated within named.conf unless specifically switched on.\n\ +# To use the built-in root key, set \"dnssec-validation auto;\" in\n\ +# named.conf options. To use the built-in DLV key, set\n\ +# \"dnssec-lookaside auto;\". Without these options being set,\n\ +# the keys in this file are ignored.\n\ +#\n\ +# This file is NOT expected to be user-configured.\n\ +#\n\ +# These keys are current as of January 2011. If any key fails to\n\ +# initialize correctly, it may have expired. In that event you should\n\ +# replace this file with a current version. The latest version of\n\ +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ +\n\ trusted-keys {\n\ - # NOTE: This key is current as of October 2009.\n\ - # If it fails to initialize correctly, it may have expired;\n\ - # see https://www.isc.org/solutions/dlv for a replacement.\n\ - dlv.isc.org. 
257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\ + # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ + # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\ + # in named.conf.\n\ + dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ + TDN0YUuWrBNh\";\n\ +\n\ + # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\ + # for current trust anchor information.\n\ + # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\ + # in named.conf.\n\ + . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ + QxA+Uk1ihz0=\";\n\ };\n\ " #define MANAGED_KEYS "\ +# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\ +# which are included as part of BIND 9. As of the current release, the only\n\ +# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\ +# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). 
Trust anchors\n\ +# for any other zones MUST be configured elsewhere; if they are configured\n\ +# here, they will not be recognized or used by named.\n\ +#\n\ +# The built-in trust anchors are provided for convenience of configuration.\n\ +# They are not activated within named.conf unless specifically switched on.\n\ +# To use the built-in root key, set \"dnssec-validation auto;\" in\n\ +# named.conf options. To use the built-in DLV key, set\n\ +# \"dnssec-lookaside auto;\". Without these options being set,\n\ +# the keys in this file are ignored.\n\ +#\n\ +# This file is NOT expected to be user-configured.\n\ +#\n\ +# These keys are current as of January 2011. If any key fails to\n\ +# initialize correctly, it may have expired. In that event you should\n\ +# replace this file with a current version. The latest version of\n\ +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ +\n\ managed-keys {\n\ - # NOTE: This key is current as of October 2009.\n\ - # If it fails to initialize correctly, it may have expired;\n\ - # see https://www.isc.org/solutions/dlv for a replacement.\n\ - dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\ + # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ + # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\ + # in named.conf.\n\ + dlv.isc.org. 
initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ + TDN0YUuWrBNh\";\n\ +\n\ + # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\ + # for current trust anchor information.\n\ + # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\ + # in named.conf.\n\ + . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ + QxA+Uk1ihz0=\";\n\ };\n\ " diff --git a/bin/named/bindkeys.pl b/bin/named/bindkeys.pl index 762f396094..4a3677e0c1 100755 --- a/bin/named/bindkeys.pl +++ b/bin/named/bindkeys.pl @@ -14,12 +14,12 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $ +# $Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $ use strict; use warnings; -my $rev = '$Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $'; +my $rev = '$Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $'; $rev =~ s/\$//g; $rev =~ s/,v//g; $rev =~ s/Id: //; @@ -31,7 +31,7 @@ while (<>) { chomp; if (/\/\* .Id:.* \*\//) { $keys = $_; - next; + next; } s/\"/\\\"/g; s/$/\\n\\/; 
@@ -48,7 +48,7 @@ print "/*\n * Generated by $rev \n * From $keys\n */\n"; my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n"; $lines =~ s/managed-keys/trusted-keys/; -$lines =~ s/\s+initial-key//; +$lines =~ s/\s+initial-key//g; my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n"; print $tkey; diff --git a/bin/named/server.c b/bin/named/server.c index f0aa5d1e24..ecf4a77dfc 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.591 2010/12/18 01:56:19 each Exp $ */ +/* $Id: server.c,v 1.592 2011/01/03 23:45:07 each Exp $ */ /*! \file */ @@ -602,7 +602,8 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, static isc_result_t load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, - dns_view_t *view, isc_boolean_t managed, isc_mem_t *mctx) + dns_view_t *view, isc_boolean_t managed, + dns_name_t *keyname, isc_mem_t *mctx) { const cfg_listelt_t *elt, *elt2; const cfg_obj_t *key, *keylist; @@ -630,6 +631,16 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, if (result != ISC_R_SUCCESS) goto cleanup; + /* + * If keyname was specified, we only add that key. + */ + if (keyname != NULL && + !dns_name_equal(keyname, dst_key_name(dstkey))) + { + dst_key_free(&dstkey); + continue; + } + CHECK(dns_keytable_add(secroots, managed, &dstkey)); } } 
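Review bot: The `/g` added to the `initial-key` substitution leaves the line just above it, `$lines =~ s/managed-keys/trusted-keys/;`, still first-occurrence only and unanchored, and the bind.keys it consumes now carries a comment header ahead of the block; the first time one of those comment lines mentions `managed-keys`, the comment would be rewritten instead of the block opener and TRUSTED_KEYS would silently still declare `managed-keys {`. Anchoring it to a line start, `$lines =~ s/^managed-keys/trusted-keys/m;`, ties the rewrite to the opener (the accumulated `$lines` keeps one input line per line, judging by the header the script prints). The same substring caveat applies to `s/\s+initial-key//g`, although nothing in the current bind.keys can match it by accident.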
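Review bot: The new `keyname` filter in load_view_keys discards a non-matching key silently, `dst_key_free(&dstkey); continue;`, so an operator who adds an anchor for some other zone to bind.keys gets no trace that it was ignored, even though the bind.keys header added in this commit promises such keys will not be used; a debug-level `isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3), ...)` naming the skipped owner, placed before the `continue`, would make that case diagnosable. The parameter itself is undocumented in the -602 hunk; a line above the signature such as `/* keyname: if non-NULL, add only the key whose owner name equals keyname; NULL adds every key in the list. */` states the contract the callers in configure_view_dnsseckeys now depend on. Note that the filter runs after the `if (result != ISC_R_SUCCESS) goto cleanup;` check, so an entry that fails to parse still aborts the whole load even when it would have been filtered out; that is probably acceptable but belongs in the same comment. load_view_keys continues past the -630 hunk (its cleanup path is not shown).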
@@ -653,15 +664,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, static isc_result_t configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *config, const cfg_obj_t *bindkeys, - isc_boolean_t auto_dlv, isc_mem_t *mctx) + isc_boolean_t auto_dlv, isc_boolean_t auto_root, + isc_mem_t *mctx) { isc_result_t result = ISC_R_SUCCESS; const cfg_obj_t *view_keys = NULL; const cfg_obj_t *global_keys = NULL; const cfg_obj_t *view_managed_keys = NULL; const cfg_obj_t *global_managed_keys = NULL; - const cfg_obj_t *builtin_keys = NULL; - const cfg_obj_t *builtin_managed_keys = NULL; const cfg_obj_t *maps[4]; const cfg_obj_t *voptions = NULL; const cfg_obj_t *options = NULL; @@ -707,9 +717,12 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, } if (auto_dlv && view->rdclass == dns_rdataclass_in) { + const cfg_obj_t *builtin_keys = NULL; + const cfg_obj_t *builtin_managed_keys = NULL; + isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, - "using built-in trusted-keys for view %s", + "using built-in DLV key for view %s", view->name); /* 
@@ -730,19 +743,56 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, if (builtin_keys != NULL) CHECK(load_view_keys(builtin_keys, vconfig, view, - ISC_FALSE, mctx)); + ISC_FALSE, view->dlv, mctx)); if (builtin_managed_keys != NULL) CHECK(load_view_keys(builtin_managed_keys, vconfig, - view, ISC_TRUE, mctx)); + view, ISC_TRUE, view->dlv, mctx)); } - CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx)); - CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx)); + if (auto_root && view->rdclass == dns_rdataclass_in) { + const cfg_obj_t *builtin_keys = NULL; + const cfg_obj_t *builtin_managed_keys = NULL; + + isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_SERVER, ISC_LOG_WARNING, + "using built-in root key for view %s", + view->name); + + /* + * If bind.keys exists, it overrides the managed-keys + * clause hard-coded in ns_g_config. + */ + if (bindkeys != NULL) { + (void)cfg_map_get(bindkeys, "trusted-keys", + &builtin_keys); + (void)cfg_map_get(bindkeys, "managed-keys", + &builtin_managed_keys); + } else { + (void)cfg_map_get(ns_g_config, "trusted-keys", + &builtin_keys); + (void)cfg_map_get(ns_g_config, "managed-keys", + &builtin_managed_keys); + } + + if (builtin_keys != NULL) + CHECK(load_view_keys(builtin_keys, vconfig, view, + ISC_FALSE, dns_rootname, mctx)); + if (builtin_managed_keys != NULL) + CHECK(load_view_keys(builtin_managed_keys, vconfig, + view, ISC_TRUE, dns_rootname, + mctx)); + } + + CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, + NULL, mctx)); + CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, + NULL, mctx)); + if (view->rdclass == dns_rdataclass_in) { CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, - mctx)); + NULL, mctx)); CHECK(load_view_keys(global_managed_keys, vconfig, view, - ISC_TRUE, mctx)); + ISC_TRUE, NULL, mctx)); } /* 
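Review bot: The "using built-in root key for view %s" warning is emitted before anything is loaded, and nothing after the two `load_view_keys(..., dns_rootname, mctx)` calls confirms that a key named `.` was actually added. With `bindkeys != NULL` the file replaces the compiled-in keys entirely, so an installation whose bind.keys predates this commit (the old file in this same diff carries only the dlv.isc.org key) would leave `enablevalidation` set with no root anchor and validate nothing, while the log claims the opposite. After the loads, look the root name up in the view's security roots (the keytable the keys were just added to; `dns_keytable_find` should serve if it is the lookup the keytable API offers) and log at `ISC_LOG_ERROR` when it is absent, since a validating resolver with an empty anchor set is the silent-failure mode operators least expect. The `bindkeys`/`ns_g_config` lookup of `"trusted-keys"` and `"managed-keys"` is now duplicated verbatim between the auto_dlv and auto_root branches; a small static helper taking the key name would remove the duplication. configure_view_dnsseckeys continues beyond this hunk.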
@@ -1374,6 +1424,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser, isc_stats_t *resstats = NULL; dns_stats_t *resquerystats = NULL; isc_boolean_t auto_dlv = ISC_FALSE; + isc_boolean_t auto_root = ISC_FALSE; ns_cache_t *nsc; isc_boolean_t zero_no_soattl; cfg_parser_t *newzones_parser = NULL; @@ -1740,7 +1791,13 @@ configure_view(dns_view_t *view, cfg_parser_t* parser, obj = NULL; result = ns_config_get(maps, "dnssec-validation", &obj); INSIST(result == ISC_R_SUCCESS); - view->enablevalidation = cfg_obj_asboolean(obj); + if (cfg_obj_isboolean(obj)) { + view->enablevalidation = cfg_obj_asboolean(obj); + } else { + /* If dnssec-validation is not boolean, it must be "auto" */ + view->enablevalidation = ISC_TRUE; + auto_root = ISC_TRUE; + } obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); @@ -2362,24 +2419,6 @@ configure_view(dns_view_t *view, cfg_parser_t* parser, dns_name_t *dlv; obj = cfg_listelt_value(element); -#if 0 - dns_fixedname_t fixed; - dns_name_t *name; - - /* - * When we support multiple dnssec-lookaside - * entries this is how to find the domain to be - * checked. XXXMPA - */ - dns_fixedname_init(&fixed); - name = dns_fixedname_name(&fixed); - str = cfg_obj_asstring(cfg_tuple_get(obj, - "domain")); - isc_buffer_init(&b, str, strlen(str)); - isc_buffer_add(&b, strlen(str)); - CHECK(dns_name_fromtext(name, &b, dns_rootname, - 0, NULL)); -#endif str = cfg_obj_asstring(cfg_tuple_get(obj, "trust-anchor")); isc_buffer_init(&b, str, strlen(str)); @@ -2397,7 +2436,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser, * "security roots". */ CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys, - auto_dlv, mctx)); + auto_dlv, auto_root, mctx)); dns_resolver_resetmustbesecure(view->resolver); obj = NULL; result = ns_config_get(maps, "dnssec-must-be-secure", &obj); diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README index 63ea49a874..5c419872fc 100644 --- a/bin/tests/system/dnssec/README 
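Review bot: The new `else` branch in configure_view treats any non-boolean `dnssec-validation` value as `auto` on the strength of a comment; since the `auto` object is created with `cfg_rep_void` by the namedconf.c change in this commit, the decision can be checked rather than assumed, `} else if (cfg_obj_isvoid(obj)) {` with the existing body and an `INSIST`-style default after it, provided the parser exports a void predicate next to `cfg_obj_isboolean()`. Separately, `auto_root` only leads to a root anchor being loaded for `dns_rdataclass_in` views (see the -730 hunk), so a non-IN view with `dnssec-validation auto` ends up with `enablevalidation` set and no anchor, which this branch could at least log. The hunk sits inside configure_view, whose body runs well beyond it in both directions.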
+++ b/bin/tests/system/dnssec/README @@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000-2002 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: README,v 1.8 2004/03/05 05:00:08 marka Exp $ +$Id: README,v 1.9 2011/01/03 23:45:07 each Exp $ The test setup for the DNSSEC tests has a secure root. @@ -15,3 +15,7 @@ for the root. ns5 is a caching-only server, configured with the an incorrect trusted key for the root. It is used for testing failure cases. + +ns6 is a caching-only server configured to use DLV. + +ns7 is used for checking non-cacheable answers. diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 9975ce7572..08a191f0c0 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -15,9 +15,10 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.31 2010/12/18 02:12:44 each Exp $ +# $Id: clean.sh,v 1.32 2011/01/03 23:45:07 each Exp $ -rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk +rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed +rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk rm -f ns1/root.db ns2/example.db ns3/secure.example.db rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl @@ -44,4 +45,4 @@ rm -f ns1/managed.key.id rm -f signer/example.db rm -f ns2/algroll.db rm -f ns3/kskonly.example.db - +rm -f ns4/named.conf diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 0fbfd5f28b..f82b3b9edd 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh 
@@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.34 2010/11/16 01:14:51 marka Exp $ +# $Id: sign.sh,v 1.35 2011/01/03 23:45:07 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -39,7 +39,6 @@ cat $infile $keyname.key > $zonefile $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null # Configure the resolving server with a trusted key. - cat $keyname.key | grep -v '^; ' | $PERL -n -e ' local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; local $key = join("", @rest); @@ -49,11 +48,23 @@ trusted-keys { }; EOF ' > trusted.conf + +# ...or with a managed key. +cat $keyname.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < managed.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf cp trusted.conf ../ns6/trusted.conf cp trusted.conf ../ns7/trusted.conf +cp managed.conf ../ns4/managed.conf # # Save keyid for managed key id test. # diff --git a/bin/tests/system/dnssec/ns4/named1.conf b/bin/tests/system/dnssec/ns4/named1.conf new file mode 100644 index 0000000000..b05741c8be --- /dev/null +++ b/bin/tests/system/dnssec/ns4/named1.conf 
@@ -0,0 +1,60 @@ +/* + * Copyright (C) 2004, 2006, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named1.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */ + +// NS4 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation yes; + dnssec-must-be-secure mustbesecure.example yes; + + # Note: We only reference the bind.keys file here to confirm that it + # is *not* being used. It contains the real root key, and we're + # using a local toy root zone for the tests, so it wouldn't work. + # But since dnssec-validation is set to "yes" not "auto", that + # won't matter. + bindkeys-file "../../../../../bind.keys"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; + +controls { + inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; 
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named2.conf similarity index 89% rename from bin/tests/system/dnssec/ns4/named.conf rename to bin/tests/system/dnssec/ns4/named2.conf index 51693d31c0..013dfaf504 100644 --- a/bin/tests/system/dnssec/ns4/named.conf +++ b/bin/tests/system/dnssec/ns4/named2.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.30 2010/06/25 23:46:51 tbox Exp $ */ +/* $Id: named2.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */ // NS4 @@ -32,8 +32,8 @@ options { recursion yes; acache-enable yes; dnssec-enable yes; - dnssec-validation yes; - dnssec-must-be-secure mustbesecure.example yes; + dnssec-validation auto; + bindkeys-file "managed.conf"; }; key rndc_key { @@ -49,5 +49,3 @@ zone "." { type hint; file "../../common/root.hint"; }; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index ca77f30a7d..ad9f4aeac0 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.17 2009/10/27 22:25:37 marka Exp $ +# $Id: setup.sh,v 1.18 2011/01/03 23:45:07 each Exp $ ../../../tools/genrandom 400 random.data @@ -23,4 +23,6 @@ cd ns1 && sh sign.sh echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed +cd ../ns4 && cp -f named1.conf named.conf cd ../ns5 && cp -f trusted.conf.bad trusted.conf + diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 55a03c9828..76efc7e4f6 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.71 2010/11/16 01:14:51 marka Exp $ +# $Id: tests.sh,v 1.72 2011/01/03 23:45:07 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
@@ -1055,5 +1055,57 @@ else echo "I:The DNSSEC update test requires the Net::DNS library." >&2 fi +# Reconfigure caching server to use "dnssec-validation auto", and repeat +# some of the DNSSEC validation tests to ensure that it works correctly. +echo "I:switching to automatic root key configuration" +cp ns4/named2.conf ns4/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /' +sleep 5 + +echo "I:checking positive validation NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking positive validation NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking positive validation OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking negative validation ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bind.keys b/bind.keys index ece6424cc0..068a8ce8c2 100644 --- a/bind.keys +++ b/bind.keys 
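Review bot: The new "auto" tests cannot fail if the reconfig does not take effect: ns4 was already validating with trusted.conf under named1.conf, so the positive and negative checks that follow `cp ns4/named2.conf ns4/named.conf` pass equally against the old configuration, and the pipeline `$RNDC ... reconfig 2>&1 | sed 's/^/I:ns4 /'` discards rndc's exit status. Add a check that the new mode was actually entered before the queries, e.g. `grep "using built-in root key for view" ns4/named.run > /dev/null || ret=1` counted into `status` (that is the message server.c logs in this commit; assumes ns4's log lands in named.run as in the other system tests). The fixed `sleep 5` would then be better expressed as a bounded retry loop on that same grep, which also removes the timing dependence.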
@@ -1,7 +1,46 @@ -/* $Id: bind.keys,v 1.6 2010/06/20 07:15:28 marka Exp $ */ +/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */ +# The bind.keys file is used to override the built-in DNSSEC trust anchors +# which are included as part of BIND 9. As of the current release, the only +# trust anchors it contains are those for the DNS root zone ("."), and for +# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors +# for any other zones MUST be configured elsewhere; if they are configured +# here, they will not be recognized or used by named. +# +# The built-in trust anchors are provided for convenience of configuration. +# They are not activated within named.conf unless specifically switched on. +# To use the built-in root key, set "dnssec-validation auto;" in +# named.conf options. To use the built-in DLV key, set +# "dnssec-lookaside auto;". Without these options being set, +# the keys in this file are ignored. +# +# This file is NOT expected to be user-configured. +# +# These keys are current as of January 2011. If any key fails to +# initialize correctly, it may have expired. In that event you should +# replace this file with a current version. The latest version of +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. + managed-keys { - # NOTE: This key is current as of October 2009. - # If it fails to initialize correctly, it may have expired; - # see https://www.isc.org/solutions/dlv for a replacement. - dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh"; + # ISC DLV: See https://www.isc.org/solutions/dlv for details. 
+ # NOTE: This key is activated by setting "dnssec-lookaside auto;" + # in named.conf. + dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt + TDN0YUuWrBNh"; + + # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. + # NOTE: This key is activated by setting "dnssec-validation auto;" + # in named.conf. + . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; }; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 0112412e6c..4a47b9903c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual 
@@ -2614,13 +2614,23 @@ allow-update { key host1-host2. ;}; To enable named to validate answers from - other servers, the dnssec-enable and - dnssec-validation options must both be - set to yes (the default setting in BIND 9.5 - and later), and at least one trust anchor must be configured + other servers, the dnssec-enable option + must be set to yes, and the + dnssec-validation options must be set to + yes or auto. + + + + If dnssec-validation is set to + auto, then a default + trust anchor for the DNS root zone will be used. + If it is set to yes, however, + then at least one trust anchor must be configured with a trusted-keys or managed-keys statement in - named.conf. + named.conf, or DNSSEC validation + will not occur. The default setting is + yes. @@ -5006,7 +5016,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] maintain-ixfr-base yes_or_no; ixfr-from-differences (yes_or_no | master | slave); dnssec-enable yes_or_no; - dnssec-validation yes_or_no; + dnssec-validation (yes_or_no | auto); dnssec-lookaside ( auto | domain trust-anchor domain ); dnssec-must-be-secure domain yes_or_no; @@ -5487,7 +5497,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] The pathname of a file to override the built-in trusted keys provided by named. See the discussion of dnssec-lookaside - for details. If not specified, the default is + and dnssec-validation for details. + If not specified, the default is /etc/bind.keys. @@ -5694,10 +5705,10 @@ options { The default DLV key is stored in the file - bind.keys, which - named loads at startup if - dnssec-lookaside is set to - auto. A copy of that file is + bind.keys; + named will load that key at + startup if dnssec-lookaside is set to + auto. A copy of the file is installed along with BIND 9, and is current as of the release date. If the DLV key expires, a new copy of bind.keys can be downloaded 
@@ -5711,10 +5722,10 @@ options { to be recompiled with a new key when the DLV key expires.) - NOTE: Using bind.keys to store - locally-configured keys is possible, but not - recommended, as the file will be overwritten whenever - BIND 9 is re-installed or upgraded. + NOTE: named only loads certain specific + keys from bind.keys: those for the + DLV zone and for the DNS root zone. The file cannot be + used to store keys for other zones. @@ -6595,7 +6606,15 @@ options { Enable DNSSEC validation in named. Note dnssec-enable also needs to be set to yes to be effective. - The default is yes. + If set to no, DNSSEC validation + is disabled. If set to auto, + DNSSEC validation is enabled, and a default + trust-anchor for the DNS root zone is used. If set to + yes, DNSSEC validation is enabled, + but a trust anchor must be manually configured using + a trusted-keys or + managed-keys statement. The default + is yes. diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h index 93ebe8dee4..33b97a1db4 100644 --- a/lib/isccfg/include/isccfg/grammar.h +++ b/lib/isccfg/include/isccfg/grammar.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: grammar.h,v 1.22 2010/08/11 18:14:20 each Exp $ */ +/* $Id: grammar.h,v 1.23 2011/01/03 23:45:08 each Exp $ */ #ifndef ISCCFG_GRAMMAR_H #define ISCCFG_GRAMMAR_H 1 @@ -328,9 +328,15 @@ cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port); isc_result_t cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret); +isc_result_t +cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret); + void cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj); +void +cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj); + void cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 5bd2b21ae9..92d3ba36bc 100644 --- a/lib/isccfg/namedconf.c 
+++ b/lib/isccfg/namedconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.126 2010/12/18 01:56:23 each Exp $ */ +/* $Id: namedconf.c,v 1.127 2011/01/03 23:45:08 each Exp $ */ /*! \file */ @@ -658,10 +658,60 @@ static cfg_type_t cfg_type_qstringornone = { NULL, NULL }; +/*% + * A boolean ("yes" or "no"), or the special keyword "auto". + * Used in the dnssec-validation option. + */ +static void +print_auto(cfg_printer_t *pctx, const cfg_obj_t *obj) { + UNUSED(obj); + cfg_print_cstr(pctx, "auto"); +} + +static cfg_type_t cfg_type_auto = { + "auto", NULL, print_auto, NULL, &cfg_rep_void, NULL +}; + +static isc_result_t +parse_boolorauto(cfg_parser_t *pctx, const cfg_type_t *type, + cfg_obj_t **ret) +{ + isc_result_t result; + + CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING)); + if (pctx->token.type == isc_tokentype_string && + strcasecmp(TOKEN_STRING(pctx), "auto") == 0) + return (cfg_create_obj(pctx, &cfg_type_auto, ret)); + cfg_ungettoken(pctx); + return (cfg_parse_boolean(pctx, type, ret)); + cleanup: + return (result); +} + +static void +print_boolorauto(cfg_printer_t *pctx, const cfg_obj_t *obj) { + if (obj->type->rep == &cfg_rep_void) + cfg_print_chars(pctx, "auto", 4); + else if (obj->value.boolean) + cfg_print_chars(pctx, "yes", 3); + else + cfg_print_chars(pctx, "no", 2); +} + +static void +doc_boolorauto(cfg_printer_t *pctx, const cfg_type_t *type) { + UNUSED(type); + cfg_print_cstr(pctx, "( yes | no | auto )"); +} + +static cfg_type_t cfg_type_boolorauto = { + "boolorauto", parse_boolorauto, print_boolorauto, + doc_boolorauto, NULL, NULL +}; + /*% * keyword hostname */ - static void print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) { UNUSED(obj); @@ -893,7 +943,6 @@ options_clauses[] = { { NULL, NULL, 0 } }; - static cfg_type_t cfg_type_namelist = { "namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring }; 
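Review bot: The whole yes/no/auto scheme depends on `cfg_parse_boolean` tagging its result with `cfg_type_boolean` rather than the `type` it is handed: `cfg_type_boolorauto` has a NULL rep, so if the callee ever used `type`, `cfg_obj_isboolean()` in server.c would be false for `yes` and `no` and both would be treated as `auto`; a one-line comment at `return (cfg_parse_boolean(pctx, type, ret));` recording that assumption is cheap insurance. `print_boolorauto` also looks unreachable, since parse_boolorauto only ever produces objects typed `cfg_type_auto` or `cfg_type_boolean` and printing dispatches on the object's own type; if that reading holds it can go, or its `cfg_print_chars` calls can defer to `print_auto` and `cfg_print_boolean` so each spelling lives in one place. The `/*% ... */` comment describing the boolean-or-auto type is attached to print_auto; moving it above `static cfg_type_t cfg_type_boolorauto` and giving `cfg_type_auto` its own line, `/*% the bare keyword "auto", stored as a void object */`, matches how the rest of this table reads.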
@@ -1046,7 +1095,7 @@ view_clauses[] = { { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI }, { "dnssec-must-be-secure", &cfg_type_mustbesecure, CFG_CLAUSEFLAG_MULTI }, - { "dnssec-validation", &cfg_type_boolean, 0 }, + { "dnssec-validation", &cfg_type_boolorauto, 0 }, { "dual-stack-servers", &cfg_type_nameportiplist, 0 }, { "edns-udp-size", &cfg_type_uint32, 0 }, { "empty-contact", &cfg_type_astring, 0 }, diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index d443cd7120..f3c48c8503 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: parser.c,v 1.137 2010/11/16 05:38:31 marka Exp $ */ +/* $Id: parser.c,v 1.138 2011/01/03 23:45:08 each Exp $ */ /*! \file */ @@ -868,8 +868,8 @@ cfg_obj_asboolean(const cfg_obj_t *obj) { return (obj->value.boolean); } -static isc_result_t -parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) +isc_result_t +cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { isc_result_t result; isc_boolean_t value; @@ -908,8 +908,8 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) return (result); } -static void -print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) { +void +cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) { if (obj->value.boolean) cfg_print_chars(pctx, "yes", 3); else @@ -917,7 +917,7 @@ print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) { } cfg_type_t cfg_type_boolean = { - "boolean", parse_boolean, print_boolean, cfg_doc_terminal, + "boolean", cfg_parse_boolean, cfg_print_boolean, cfg_doc_terminal, &cfg_rep_boolean, NULL };