Set "dnssec-validation auto" by default

- the default setting for dnssec-validation is now "auto", which activates DNSSEC validation using the IANA root key. The old behavior can be restored by explicitly setting "dnssec-validation yes", which "yes", which activates DNSSEC validation only if keys are explicitly configured in named.conf. - the ARM has been updated to describe the new behavior
2025-08-31 06:25:31 +00:00 · 2018-05-16 11:58:15 -07:00
parent 1f743fe0da
commit bef18ecac6
7 changed files with 103 additions and 31 deletions
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -130,6 +130,7 @@ config.@O@: config.c
 		-DDYNDB_LIBDIR=\"@libdir@/bind\" \
 		-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
 		-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
+		-DVALIDATION_DEFAULT=\"@VALIDATION_DEFAULT@\" \
 		-c ${srcdir}/config.c

 server.@O@: server.c
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -146,7 +146,7 @@ options {\n\
 	clients-per-query 10;\n\
 	dnssec-accept-expired no;\n\
 	dnssec-enable yes;\n\
-	dnssec-validation yes; \n"
+	dnssec-validation " VALIDATION_DEFAULT "; \n"
 #ifdef HAVE_DNSTAP
 "	dnstap-identity hostname;\n"
 #endif
--- a/bind.keys
+++ b/bind.keys
@@ -4,15 +4,17 @@
 # be configured elsewhere; if they are configured here, they will not be
 # recognized or used by named.
 #
-# The built-in trust anchors are provided for convenience of configuration.
-# They are not activated within named.conf unless specifically switched on.
-# To use the built-in key, use "dnssec-validation auto;" in the
-# named.conf options.  Without this option being set, the keys in this
-# file are ignored.
+# To use the built-in root key, set "dnssec-validation auto;" in the
+# named.conf options or else leave "dnssec-validation" unset.  If
+# "dnssec-validation" is set to "yes", then the keys in this file are
+# ignored; keys will need to be explicitly configured in named.conf for
+# validation to work.  "auto" is the default setting, unless named is
+# built with "configure --disable-auto-validation", in which case the
+# default is "yes".
 #
 # This file is NOT expected to be user-configured.
 #
-# These keys are current as of October 2017.  If any key fails to
+# These keys are current as of May 2018.  If any key fails to
 # initialize correctly, it may have expired.  In that event you should
 # replace this file with a current version.  The latest version of
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
--- a/bind.keys.h
+++ b/bind.keys.h
@@ -7,15 +7,17 @@
 # be configured elsewhere; if they are configured here, they will not be\n\
 # recognized or used by named.\n\
 #\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
-# named.conf options.  Without this option being set, the keys in this\n\
-# file are ignored.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
+# named.conf options or else leave \"dnssec-validation\" unset.  If\n\
+# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
+# ignored; keys will need to be explicitly configured in named.conf for\n\
+# validation to work.  \"auto\" is the default setting, unless named is\n\
+# built with \"configure --disable-auto-validation\", in which case the\n\
+# default is \"yes\".\n\
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of October 2017.  If any key fails to\n\
+# These keys are current as of May 2018.  If any key fails to\n\
 # initialize correctly, it may have expired.  In that event you should\n\
 # replace this file with a current version.  The latest version of\n\
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
@@ -60,15 +62,17 @@ trusted-keys {\n\
 # be configured elsewhere; if they are configured here, they will not be\n\
 # recognized or used by named.\n\
 #\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
-# named.conf options.  Without this option being set, the keys in this\n\
-# file are ignored.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
+# named.conf options or else leave \"dnssec-validation\" unset.  If\n\
+# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
+# ignored; keys will need to be explicitly configured in named.conf for\n\
+# validation to work.  \"auto\" is the default setting, unless named is\n\
+# built with \"configure --disable-auto-validation\", in which case the\n\
+# default is \"yes\".\n\
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of October 2017.  If any key fails to\n\
+# These keys are current as of May 2018.  If any key fails to\n\
 # initialize correctly, it may have expired.  In that event you should\n\
 # replace this file with a current version.  The latest version of\n\
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
--- a/34
+++ b/34
@@ -677,6 +677,7 @@ BIND9_ISCCFG_BUILDINCLUDE
 BIND9_ISCCC_BUILDINCLUDE
 BIND9_ISC_BUILDINCLUDE
 BIND9_TOP_BUILDDIR
+VALIDATION_DEFAULT
 UNITTESTS
 ATFLIBS
 ATFBIN
@@ -1039,6 +1040,7 @@ with_libidn2
 with_atf
 with_tuning
 enable_querytrace
+enable_auto_validation
 with_dlopen
 with_dlz_postgres
 with_dlz_mysql
@@ -1715,6 +1717,9 @@ Optional Features:
  --enable-dnsrps         enable DNS Response Policy Service API
  --enable-dnstap         enable dnstap support (requires fstrm, protobuf-c)
  --enable-querytrace     enable very verbose query trace logging [default=no]
+  --enable-auto-validation
+                          turn on DNSSEC validation by default, using the IANA
+                          root key [default=yes]
  --enable-full-report    report values of all configure options

 Optional Packages:
@@ -22693,6 +22698,32 @@ $as_echo "no" >&6; }
 	;;
 esac

+#
+# Was --disable-auto-validation specified?
+#
+# Check whether --enable-auto-validation was given.
+if test "${enable_auto_validation+set}" = set; then :
+  enableval=$enable_auto_validation; want_autoval="$enableval"
+else
+  want_autoval="yes"
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable DNSSEC validation by default" >&5
+$as_echo_n "checking whether to enable DNSSEC validation by default... " >&6; }
+case "$want_autoval" in
+no)
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	VALIDATION_DEFAULT=yes
+	;;
+*)
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	VALIDATION_DEFAULT=auto
+	;;
+esac
+
+
 #
 # Substitutions
 #
@@ -26446,6 +26477,7 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
    test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"

+    test "no" = "$want_autoval" || echo "    DNSSEC validation active by default (--enable-auto-validation)"
    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"

    echo "    Dynamically loadable zone (DLZ) drivers:"
@@ -26484,6 +26516,8 @@ report() {
    test "yes" = "$enable_fixed" || \
 	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"

+    test "no" = "$want_autoval" && echo "    DNSSEC validation requires configuration (--disable-auto-validation)"
+
    if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
    then
 	echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
--- a/configure.in
+++ b/configure.in
@@ -4732,6 +4732,26 @@ no)
 	;;
 esac

+#
+# Was --disable-auto-validation specified?
+#
+AC_ARG_ENABLE(auto-validation,
+	      AS_HELP_STRING([--enable-auto-validation],
+			     [turn on DNSSEC validation by default, using the IANA root key [default=yes]]),
+	      want_autoval="$enableval", want_autoval="yes")
+AC_MSG_CHECKING([whether to enable DNSSEC validation by default])
+case "$want_autoval" in
+no)
+	AC_MSG_RESULT(no)
+	VALIDATION_DEFAULT=yes
+	;;
+*)
+	AC_MSG_RESULT(yes)
+	VALIDATION_DEFAULT=auto
+	;;
+esac
+AC_SUBST(VALIDATION_DEFAULT)
+
 #
 # Substitutions
 #
@@ -5365,6 +5385,7 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
    test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"

+    test "no" = "$want_autoval" || echo "    DNSSEC validation active by default (--enable-auto-validation)"
    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"

    echo "    Dynamically loadable zone (DLZ) drivers:"
@@ -5403,6 +5424,8 @@ report() {
    test "yes" = "$enable_fixed" || \
 	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"

+    test "no" = "$want_autoval" && echo "    DNSSEC validation requires configuration (--disable-auto-validation)"
+
    if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
    then
 	echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2207,28 +2207,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  To enable <command>named</command> to respond appropriately
 	  to DNS requests from DNSSEC aware clients,
 	  <command>dnssec-enable</command> must be set to yes.
-	  (This is the default setting.)
+	  This is the default setting.
 	</para>

 	<para>
 	  To enable <command>named</command> to validate answers from
 	  other servers, the <command>dnssec-enable</command> option
 	  must be set to <userinput>yes</userinput>, and the
-	  <command>dnssec-validation</command> options must be set to
-	  <userinput>yes</userinput> or <userinput>auto</userinput>.
+	  <command>dnssec-validation</command> option must be set to
+	  either <userinput>yes</userinput> or <userinput>auto</userinput>.
 	</para>

 	<para>
+	  When <command>dnssec-validation</command> is set to
+	  <userinput>auto</userinput>, a trust anchor for the DNS
+	  root zone will automatically be used. This trust anchor is
+	  provided as part of BIND and is kept up to date using RFC 5011
+	  key management.
 	  If <command>dnssec-validation</command> is set to
-	  <userinput>auto</userinput>, then a default
-	  trust anchor for the DNS root zone will be used.
-	  If it is set to <userinput>yes</userinput>, however,
-	  then at least one trust anchor must be configured
-	  with a <command>trusted-keys</command> or
-	  <command>managed-keys</command> statement in
-	  <filename>named.conf</filename>, or DNSSEC validation
-	  will not occur.  The default setting is
-	  <userinput>yes</userinput>.
+	  <userinput>yes</userinput>, then
+	  DNSSEC validation only occurs if
+	  at least one trust anchor has been explicitly configured
+	  in <filename>named.conf</filename>,
+	  using a <command>trusted-keys</command> or
+	  <command>managed-keys</command> statement.
+	  If <command>dnssec-validation</command> is set to
+	  <userinput>no</userinput>, then DNSSEC validation will
+	  not occur.
+	  The default is <userinput>auto</userinput> unless BIND is
+	  built with <command>configure --disable-auto-validation</command>,
+	  in which case the default is <userinput>yes</userinput>.
 	</para>

 	<para>