
3001. [func] Added a default trust anchor for the root zone, which

can be switched on by setting "dnssec-validation auto;"
			in the named.conf options. [RT #21727]
This commit is contained in:
Evan Hunt
2011-01-03 23:45:08 +00:00
parent f098c65191
commit 79bf7c874b
16 changed files with 452 additions and 90 deletions


@@ -1,3 +1,7 @@
3001. [func] Added a default trust anchor for the root zone, which
can be switched on by setting "dnssec-validation auto;"
in the named.conf options. [RT #21727]
3000. [bug] More TKEY/GSS fixes: 3000. [bug] More TKEY/GSS fixes:
- nsupdate can now get the default realm from - nsupdate can now get the default realm from
the user's Kerberos principal the user's Kerberos principal


@@ -3,19 +3,97 @@
* From bind.keys 1.6 2010/06/20 07:15:28 marka Exp * From bind.keys 1.6 2010/06/20 07:15:28 marka Exp
*/ */
#define TRUSTED_KEYS "\ #define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
trusted-keys {\n\ trusted-keys {\n\
# NOTE: This key is current as of October 2009.\n\ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# If it fails to initialize correctly, it may have expired;\n\ # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\ # in named.conf.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\ dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\ };\n\
" "
#define MANAGED_KEYS "\ #define MANAGED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
managed-keys {\n\ managed-keys {\n\
# NOTE: This key is current as of October 2009.\n\ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# If it fails to initialize correctly, it may have expired;\n\ # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\ # in named.conf.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\ dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\ };\n\
" "


@@ -14,12 +14,12 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $ # $Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $
use strict; use strict;
use warnings; use warnings;
my $rev = '$Id: bindkeys.pl,v 1.5 2010/06/20 23:46:45 tbox Exp $'; my $rev = '$Id: bindkeys.pl,v 1.6 2011/01/03 23:45:07 each Exp $';
$rev =~ s/\$//g; $rev =~ s/\$//g;
$rev =~ s/,v//g; $rev =~ s/,v//g;
$rev =~ s/Id: //; $rev =~ s/Id: //;
@@ -31,7 +31,7 @@ while (<>) {
chomp; chomp;
if (/\/\* .Id:.* \*\//) { if (/\/\* .Id:.* \*\//) {
$keys = $_; $keys = $_;
next; next;
} }
s/\"/\\\"/g; s/\"/\\\"/g;
s/$/\\n\\/; s/$/\\n\\/;
@@ -48,7 +48,7 @@ print "/*\n * Generated by $rev \n * From $keys\n */\n";
my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n"; my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";
$lines =~ s/managed-keys/trusted-keys/; $lines =~ s/managed-keys/trusted-keys/;
$lines =~ s/\s+initial-key//; $lines =~ s/\s+initial-key//g;
my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n"; my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";
print $tkey; print $tkey;
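Review bot: `$lines =~ s/\s+initial-key//g;` now strips every initial-key token, but the line just above it, `$lines =~ s/managed-keys/trusted-keys/;`, still rewrites only the first occurrence; the output is correct only because bind.keys holds a single managed-keys clause. For symmetry, and so that a second clause can never leave a stray `managed-keys {` inside the TRUSTED_KEYS string, use `$lines =~ s/managed-keys/trusted-keys/g;`. The substitutions are applied to the whole accumulated file text, header comments included, so any future comment mentioning either token would be rewritten as well; that is worth a one-line comment above these substitutions.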


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: server.c,v 1.591 2010/12/18 01:56:19 each Exp $ */ /* $Id: server.c,v 1.592 2011/01/03 23:45:07 each Exp $ */
/*! \file */ /*! \file */
@@ -602,7 +602,8 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
static isc_result_t static isc_result_t
load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
dns_view_t *view, isc_boolean_t managed, isc_mem_t *mctx) dns_view_t *view, isc_boolean_t managed,
dns_name_t *keyname, isc_mem_t *mctx)
{ {
const cfg_listelt_t *elt, *elt2; const cfg_listelt_t *elt, *elt2;
const cfg_obj_t *key, *keylist; const cfg_obj_t *key, *keylist;
@@ -630,6 +631,16 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
goto cleanup; goto cleanup;
/*
* If keyname was specified, we only add that key.
*/
if (keyname != NULL &&
!dns_name_equal(keyname, dst_key_name(dstkey)))
{
dst_key_free(&dstkey);
continue;
}
CHECK(dns_keytable_add(secroots, managed, &dstkey)); CHECK(dns_keytable_add(secroots, managed, &dstkey));
} }
} }
@@ -653,15 +664,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
static isc_result_t static isc_result_t
configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *config, const cfg_obj_t *bindkeys, const cfg_obj_t *config, const cfg_obj_t *bindkeys,
isc_boolean_t auto_dlv, isc_mem_t *mctx) isc_boolean_t auto_dlv, isc_boolean_t auto_root,
isc_mem_t *mctx)
{ {
isc_result_t result = ISC_R_SUCCESS; isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *view_keys = NULL; const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL; const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL; const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *global_managed_keys = NULL; const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
const cfg_obj_t *maps[4]; const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL; const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL; const cfg_obj_t *options = NULL;
@@ -707,9 +717,12 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
} }
if (auto_dlv && view->rdclass == dns_rdataclass_in) { if (auto_dlv && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING, NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"using built-in trusted-keys for view %s", "using built-in DLV key for view %s",
view->name); view->name);
/* /*
@@ -730,19 +743,56 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (builtin_keys != NULL) if (builtin_keys != NULL)
CHECK(load_view_keys(builtin_keys, vconfig, view, CHECK(load_view_keys(builtin_keys, vconfig, view,
ISC_FALSE, mctx)); ISC_FALSE, view->dlv, mctx));
if (builtin_managed_keys != NULL) if (builtin_managed_keys != NULL)
CHECK(load_view_keys(builtin_managed_keys, vconfig, CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, mctx)); view, ISC_TRUE, view->dlv, mctx));
} }
CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx)); if (auto_root && view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx)); const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"using built-in root key for view %s",
view->name);
/*
* If bind.keys exists, it overrides the managed-keys
* clause hard-coded in ns_g_config.
*/
if (bindkeys != NULL) {
(void)cfg_map_get(bindkeys, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(bindkeys, "managed-keys",
&builtin_managed_keys);
} else {
(void)cfg_map_get(ns_g_config, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(ns_g_config, "managed-keys",
&builtin_managed_keys);
}
if (builtin_keys != NULL)
CHECK(load_view_keys(builtin_keys, vconfig, view,
ISC_FALSE, dns_rootname, mctx));
if (builtin_managed_keys != NULL)
CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, dns_rootname,
mctx));
}
CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
NULL, mctx));
CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
NULL, mctx));
if (view->rdclass == dns_rdataclass_in) { if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
mctx)); NULL, mctx));
CHECK(load_view_keys(global_managed_keys, vconfig, view, CHECK(load_view_keys(global_managed_keys, vconfig, view,
ISC_TRUE, mctx)); ISC_TRUE, NULL, mctx));
} }
/* /*
@@ -1374,6 +1424,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
isc_stats_t *resstats = NULL; isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL; dns_stats_t *resquerystats = NULL;
isc_boolean_t auto_dlv = ISC_FALSE; isc_boolean_t auto_dlv = ISC_FALSE;
isc_boolean_t auto_root = ISC_FALSE;
ns_cache_t *nsc; ns_cache_t *nsc;
isc_boolean_t zero_no_soattl; isc_boolean_t zero_no_soattl;
cfg_parser_t *newzones_parser = NULL; cfg_parser_t *newzones_parser = NULL;
@@ -1740,7 +1791,13 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
obj = NULL; obj = NULL;
result = ns_config_get(maps, "dnssec-validation", &obj); result = ns_config_get(maps, "dnssec-validation", &obj);
INSIST(result == ISC_R_SUCCESS); INSIST(result == ISC_R_SUCCESS);
view->enablevalidation = cfg_obj_asboolean(obj); if (cfg_obj_isboolean(obj)) {
view->enablevalidation = cfg_obj_asboolean(obj);
} else {
/* If dnssec-validation is not boolean, it must be "auto" */
view->enablevalidation = ISC_TRUE;
auto_root = ISC_TRUE;
}
obj = NULL; obj = NULL;
result = ns_config_get(maps, "max-cache-ttl", &obj); result = ns_config_get(maps, "max-cache-ttl", &obj);
@@ -2362,24 +2419,6 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
dns_name_t *dlv; dns_name_t *dlv;
obj = cfg_listelt_value(element); obj = cfg_listelt_value(element);
#if 0
dns_fixedname_t fixed;
dns_name_t *name;
/*
* When we support multiple dnssec-lookaside
* entries this is how to find the domain to be
* checked. XXXMPA
*/
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
str = cfg_obj_asstring(cfg_tuple_get(obj,
"domain"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname,
0, NULL));
#endif
str = cfg_obj_asstring(cfg_tuple_get(obj, str = cfg_obj_asstring(cfg_tuple_get(obj,
"trust-anchor")); "trust-anchor"));
isc_buffer_init(&b, str, strlen(str)); isc_buffer_init(&b, str, strlen(str));
@@ -2397,7 +2436,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
* "security roots". * "security roots".
*/ */
CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys, CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
auto_dlv, mctx)); auto_dlv, auto_root, mctx));
dns_resolver_resetmustbesecure(view->resolver); dns_resolver_resetmustbesecure(view->resolver);
obj = NULL; obj = NULL;
result = ns_config_get(maps, "dnssec-must-be-secure", &obj); result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
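Review bot: In the new `auto_root` branch of configure_view_dnsseckeys nothing confirms that a root trust anchor was actually loaded: load_view_keys now frees and skips every key whose name differs from `keyname`, so if the file given by bindkeys-file contains no `.` entry both calls return success having added nothing, while the configure_view hunk has already set `view->enablevalidation = ISC_TRUE`, and named runs with validation switched on, no anchor, and no log line saying so. Consider having load_view_keys report how many keys it added (an out-parameter rather than a result code, since the trusted-keys and managed-keys calls have to be summed) and, when the total for this branch is zero, log at ISC_LOG_WARNING `"dnssec-validation auto set but no root key found in bind.keys for view %s"` or fail the configuration. The auto_dlv branch applies the same filter with `view->dlv` and has the same gap. Both functions extend beyond the lines shown in the hunks, and the configure_view hunk's `else` branch assumes any non-boolean value is "auto" without checking the string, which deserves an INSIST if the parser grammar is ever widened.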


@@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2002 Internet Software Consortium. Copyright (C) 2000-2002 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
$Id: README,v 1.8 2004/03/05 05:00:08 marka Exp $ $Id: README,v 1.9 2011/01/03 23:45:07 each Exp $
The test setup for the DNSSEC tests has a secure root. The test setup for the DNSSEC tests has a secure root.
@@ -15,3 +15,7 @@ for the root.
ns5 is a caching-only server, configured with the an incorrect trusted ns5 is a caching-only server, configured with the an incorrect trusted
key for the root. It is used for testing failure cases. key for the root. It is used for testing failure cases.
ns6 is a caching-only server configured to use DLV.
ns7 is used for checking non-cacheable answers.


@@ -15,9 +15,10 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.31 2010/12/18 02:12:44 each Exp $ # $Id: clean.sh,v 1.32 2011/01/03 23:45:07 each Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
rm -f ns1/root.db ns2/example.db ns3/secure.example.db rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
@@ -44,4 +45,4 @@ rm -f ns1/managed.key.id
rm -f signer/example.db rm -f signer/example.db
rm -f ns2/algroll.db rm -f ns2/algroll.db
rm -f ns3/kskonly.example.db rm -f ns3/kskonly.example.db
rm -f ns4/named.conf


@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.34 2010/11/16 01:14:51 marka Exp $ # $Id: sign.sh,v 1.35 2011/01/03 23:45:07 each Exp $
SYSTEMTESTTOP=../.. SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@@ -39,7 +39,6 @@ cat $infile $keyname.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
# Configure the resolving server with a trusted key. # Configure the resolving server with a trusted key.
cat $keyname.key | grep -v '^; ' | $PERL -n -e ' cat $keyname.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest); local $key = join("", @rest);
@@ -49,11 +48,23 @@ trusted-keys {
}; };
EOF EOF
' > trusted.conf ' > trusted.conf
# ...or with a managed key.
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
managed-keys {
"$dn" initial-key $flags $proto $alg "$key";
};
EOF
' > managed.conf
cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf cp trusted.conf ../ns4/trusted.conf
cp trusted.conf ../ns6/trusted.conf cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns7/trusted.conf
cp managed.conf ../ns4/managed.conf
# #
# Save keyid for managed key id test. # Save keyid for managed key id test.
# #
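Review bot: The new managed.conf block is a copy of the trusted.conf pipeline with only the clause keyword and the `initial-key` token changed; a small shell function taking those two strings as parameters and writing to stdout would let both files be produced as `keyclause trusted-keys "" > trusted.conf` and `keyclause managed-keys initial-key > managed.conf`, keeping the two formats in step when one is edited. While here, `cat $keyname.key | grep -v '^; '` can simply be `grep -v '^; ' $keyname.key`. The trusted.conf pipeline it duplicates starts in the previous hunk and is only partly visible here.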


@@ -0,0 +1,60 @@
/*
* Copyright (C) 2004, 2006, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named1.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */
// NS4
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
# Note: We only reference the bind.keys file here to confirm that it
# is *not* being used. It contains the real root key, and we're
# using a local toy root zone for the tests, so it wouldn't work.
# But since dnssec-validation is set to "yes" not "auto", that
# won't matter.
bindkeys-file "../../../../../bind.keys";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.30 2010/06/25 23:46:51 tbox Exp $ */ /* $Id: named2.conf,v 1.2 2011/01/03 23:45:08 each Exp $ */
// NS4 // NS4
@@ -32,8 +32,8 @@ options {
recursion yes; recursion yes;
acache-enable yes; acache-enable yes;
dnssec-enable yes; dnssec-enable yes;
dnssec-validation yes; dnssec-validation auto;
dnssec-must-be-secure mustbesecure.example yes; bindkeys-file "managed.conf";
}; };
key rndc_key { key rndc_key {
@@ -49,5 +49,3 @@ zone "." {
type hint; type hint;
file "../../common/root.hint"; file "../../common/root.hint";
}; };
include "trusted.conf";


@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.17 2009/10/27 22:25:37 marka Exp $ # $Id: setup.sh,v 1.18 2011/01/03 23:45:07 each Exp $
../../../tools/genrandom 400 random.data ../../../tools/genrandom 400 random.data
@@ -23,4 +23,6 @@ cd ns1 && sh sign.sh
echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed
cd ../ns4 && cp -f named1.conf named.conf
cd ../ns5 && cp -f trusted.conf.bad trusted.conf cd ../ns5 && cp -f trusted.conf.bad trusted.conf


@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.71 2010/11/16 01:14:51 marka Exp $ # $Id: tests.sh,v 1.72 2011/01/03 23:45:07 each Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@@ -1055,5 +1055,57 @@ else
echo "I:The DNSSEC update test requires the Net::DNS library." >&2 echo "I:The DNSSEC update test requires the Net::DNS library." >&2
fi fi
# Reconfigure caching server to use "dnssec-validation auto", and repeat
# some of the DNSSEC validation tests to ensure that it works correctly.
echo "I:switching to automatic root key configuration"
cp ns4/named2.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 5
echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking negative validation ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status" echo "I:exit status: $status"
exit $status exit $status
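Review bot: The reconfig step `$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'` cannot fail the test, because the pipeline's status is sed's, and nothing afterwards checks that ns4 actually switched to the built-in root key before the validation checks run. If the reconfig is rejected (a parse error in named2.conf or managed.conf, say), ns4 keeps its old trusted.conf configuration and the four `ad`-flag checks still pass, so the new code path is not really exercised. After the `sleep 5`, grep ns4's log for the message the server emits on this path, `"using built-in root key for view"`, and set `ret=1` when it is absent; that also turns the fixed sleep from a silent race into a loud failure.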


@@ -1,7 +1,46 @@
/* $Id: bind.keys,v 1.6 2010/06/20 07:15:28 marka Exp $ */ /* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys { managed-keys {
# NOTE: This key is current as of October 2009. # ISC DLV: See https://www.isc.org/solutions/dlv for details.
# If it fails to initialize correctly, it may have expired; # NOTE: This key is activated by setting "dnssec-lookaside auto;"
# see https://www.isc.org/solutions/dlv for a replacement. # in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh"; dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
}; };
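Review bot: The header comment tells an operator to replace this file with a current version from ISC when a key fails to initialize, but gives no way to verify the replacement root key, even though the clause comment for the root key already points at the IANA trust-anchor file. Since everything named validates under `dnssec-validation auto;` hangs off this one record, a header line such as `# Verify any replacement root key against https://data.iana.org/root-anchors/root-anchors.xml` would make that check part of the documented procedure. The header also says the file is not expected to be user-configured, yet bindkeys-file lets an operator point named at any file; a sentence noting that only the `.` and `dlv.isc.org` entries of such a file are read (as the ARM hunk in this commit states) would keep the two documents consistent.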


@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.471 2010/12/25 22:01:35 marka Exp $ --> <!-- File: $Id: Bv9ARM-book.xml,v 1.472 2011/01/03 23:45:08 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude"> <book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title> <title>BIND 9 Administrator Reference Manual</title>
@@ -2614,13 +2614,23 @@ allow-update { key host1-host2. ;};
<para> <para>
To enable <command>named</command> to validate answers from To enable <command>named</command> to validate answers from
other servers, the <command>dnssec-enable</command> and other servers, the <command>dnssec-enable</command> option
<command>dnssec-validation</command> options must both be must be set to <userinput>yes</userinput>, and the
set to yes (the default setting in <acronym>BIND</acronym> 9.5 <command>dnssec-validation</command> options must be set to
and later), and at least one trust anchor must be configured <userinput>yes</userinput> or <userinput>auto</userinput>.
</para>
<para>
If <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, then a default
trust anchor for the DNS root zone will be used.
If it is set to <userinput>yes</userinput>, however,
then at least one trust anchor must be configured
with a <command>trusted-keys</command> or with a <command>trusted-keys</command> or
<command>managed-keys</command> statement in <command>managed-keys</command> statement in
<filename>named.conf</filename>. <filename>named.conf</filename>, or DNSSEC validation
will not occur. The default setting is
<userinput>yes</userinput>.
</para> </para>
<para> <para>
@@ -5006,7 +5016,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional> <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional> <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional> <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional> <optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional>
<optional> dnssec-lookaside ( <replaceable>auto</replaceable> | <optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
<replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional> <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional> <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
@@ -5487,7 +5497,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The pathname of a file to override the built-in trusted The pathname of a file to override the built-in trusted
keys provided by <command>named</command>. keys provided by <command>named</command>.
See the discussion of <command>dnssec-lookaside</command> See the discussion of <command>dnssec-lookaside</command>
for details. If not specified, the default is and <command>dnssec-validation</command> for details.
If not specified, the default is
<filename>/etc/bind.keys</filename>. <filename>/etc/bind.keys</filename>.
</para> </para>
</listitem> </listitem>
@@ -5694,10 +5705,10 @@ options {
</para> </para>
<para> <para>
The default DLV key is stored in the file The default DLV key is stored in the file
<filename>bind.keys</filename>, which <filename>bind.keys</filename>;
<command>named</command> loads at startup if <command>named</command> will load that key at
<command>dnssec-lookaside</command> is set to startup if <command>dnssec-lookaside</command> is set to
<constant>auto</constant>. A copy of that file is <constant>auto</constant>. A copy of the file is
installed along with <acronym>BIND</acronym> 9, and is installed along with <acronym>BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a current as of the release date. If the DLV key expires, a
new copy of <filename>bind.keys</filename> can be downloaded new copy of <filename>bind.keys</filename> can be downloaded
@@ -5711,10 +5722,10 @@ options {
to be recompiled with a new key when the DLV key expires.) to be recompiled with a new key when the DLV key expires.)
</para> </para>
<para> <para>
NOTE: Using <filename>bind.keys</filename> to store NOTE: <command>named</command> only loads certain specific
locally-configured keys is possible, but not keys from <filename>bind.keys</filename>: those for the
recommended, as the file will be overwritten whenever DLV zone and for the DNS root zone. The file cannot be
<acronym>BIND</acronym> 9 is re-installed or upgraded. used to store keys for other zones.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -6595,7 +6606,15 @@ options {
Enable DNSSEC validation in <command>named</command>. Enable DNSSEC validation in <command>named</command>.
Note <command>dnssec-enable</command> also needs to be Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective. set to <userinput>yes</userinput> to be effective.
The default is <userinput>yes</userinput>. If set to <userinput>no</userinput>, DNSSEC validation
is disabled. If set to <userinput>auto</userinput>,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
<userinput>yes</userinput>, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a <command>trusted-keys</command> or
<command>managed-keys</command> statement. The default
is <userinput>yes</userinput>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: grammar.h,v 1.22 2010/08/11 18:14:20 each Exp $ */ /* $Id: grammar.h,v 1.23 2011/01/03 23:45:08 each Exp $ */
#ifndef ISCCFG_GRAMMAR_H #ifndef ISCCFG_GRAMMAR_H
#define ISCCFG_GRAMMAR_H 1 #define ISCCFG_GRAMMAR_H 1
@@ -328,9 +328,15 @@ cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
isc_result_t isc_result_t
cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret); cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
isc_result_t
cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
void void
cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj); cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
void
cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj);
void void
cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type); cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: namedconf.c,v 1.126 2010/12/18 01:56:23 each Exp $ */ /* $Id: namedconf.c,v 1.127 2011/01/03 23:45:08 each Exp $ */
/*! \file */ /*! \file */
@@ -658,10 +658,60 @@ static cfg_type_t cfg_type_qstringornone = {
NULL, NULL NULL, NULL
}; };
/*%
* A boolean ("yes" or "no"), or the special keyword "auto".
* Used in the dnssec-validation option.
*/
static void
print_auto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
UNUSED(obj);
cfg_print_cstr(pctx, "auto");
}
static cfg_type_t cfg_type_auto = {
"auto", NULL, print_auto, NULL, &cfg_rep_void, NULL
};
static isc_result_t
parse_boolorauto(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
isc_result_t result;
CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
if (pctx->token.type == isc_tokentype_string &&
strcasecmp(TOKEN_STRING(pctx), "auto") == 0)
return (cfg_create_obj(pctx, &cfg_type_auto, ret));
cfg_ungettoken(pctx);
return (cfg_parse_boolean(pctx, type, ret));
cleanup:
return (result);
}
static void
print_boolorauto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
if (obj->type->rep == &cfg_rep_void)
cfg_print_chars(pctx, "auto", 4);
else if (obj->value.boolean)
cfg_print_chars(pctx, "yes", 3);
else
cfg_print_chars(pctx, "no", 2);
}
static void
doc_boolorauto(cfg_printer_t *pctx, const cfg_type_t *type) {
UNUSED(type);
cfg_print_cstr(pctx, "( yes | no | auto )");
}
static cfg_type_t cfg_type_boolorauto = {
"boolorauto", parse_boolorauto, print_boolorauto,
doc_boolorauto, NULL, NULL
};
/*% /*%
* keyword hostname * keyword hostname
*/ */
static void static void
print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) { print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
UNUSED(obj); UNUSED(obj);
@@ -893,7 +943,6 @@ options_clauses[] = {
{ NULL, NULL, 0 } { NULL, NULL, 0 }
}; };
static cfg_type_t cfg_type_namelist = { static cfg_type_t cfg_type_namelist = {
"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list, "namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring }; cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring };
@@ -1046,7 +1095,7 @@ view_clauses[] = {
{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI }, { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure, { "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI }, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-validation", &cfg_type_boolean, 0 }, { "dnssec-validation", &cfg_type_boolorauto, 0 },
{ "dual-stack-servers", &cfg_type_nameportiplist, 0 }, { "dual-stack-servers", &cfg_type_nameportiplist, 0 },
{ "edns-udp-size", &cfg_type_uint32, 0 }, { "edns-udp-size", &cfg_type_uint32, 0 },
{ "empty-contact", &cfg_type_astring, 0 }, { "empty-contact", &cfg_type_astring, 0 },
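Review bot: The clause type `cfg_type_boolorauto` is declared with a NULL rep, and the `auto` branch of `parse_boolorauto` returns an object whose rep is `cfg_rep_void`, so whatever reads `dnssec-validation` on the server side must test the object's type (e.g. `cfg_obj_isboolean()`) before calling `cfg_obj_asboolean()`, or a configuration containing `auto` will fail that accessor's type check at load time; the consumer is not in this hunk, so please confirm it was updated along with the grammar. Relatedly, the `obj->value.boolean` branch of `print_boolorauto` and `cfg_obj_asboolean()` on a `yes`/`no` value both rely on `cfg_parse_boolean` creating its object as `cfg_type_boolean` rather than with the `type` it is handed (here `cfg_type_boolorauto`); that creation line is outside the visible part of `cfg_parse_boolean`, so it is worth checking. A smaller point: because the token is read with `CFG_LEXOPT_QSTRING`, a quoted `"auto"` does not arrive as `isc_tokentype_string` and so skips the keyword test and falls through to `cfg_parse_boolean`; if that rejection is intended, a comment on the `if` such as `/* only the bare keyword "auto" is accepted; a quoted string goes to the boolean parser */` would make it explicit. I would also extend the header comment's "Used in the dnssec-validation option." with a note that objects of this type are either a boolean object or the void-typed `auto` marker, which is what `print_boolorauto` keys on.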


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: parser.c,v 1.137 2010/11/16 05:38:31 marka Exp $ */ /* $Id: parser.c,v 1.138 2011/01/03 23:45:08 each Exp $ */
/*! \file */ /*! \file */
@@ -868,8 +868,8 @@ cfg_obj_asboolean(const cfg_obj_t *obj) {
return (obj->value.boolean); return (obj->value.boolean);
} }
static isc_result_t isc_result_t
parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
{ {
isc_result_t result; isc_result_t result;
isc_boolean_t value; isc_boolean_t value;
@@ -908,8 +908,8 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
return (result); return (result);
} }
static void void
print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) { cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
if (obj->value.boolean) if (obj->value.boolean)
cfg_print_chars(pctx, "yes", 3); cfg_print_chars(pctx, "yes", 3);
else else
@@ -917,7 +917,7 @@ print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
} }
cfg_type_t cfg_type_boolean = { cfg_type_t cfg_type_boolean = {
"boolean", parse_boolean, print_boolean, cfg_doc_terminal, "boolean", cfg_parse_boolean, cfg_print_boolean, cfg_doc_terminal,
&cfg_rep_boolean, NULL &cfg_rep_boolean, NULL
}; };