diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index f48e74928a..bb0ee8d1b4 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -130,6 +130,7 @@ config.@O@: config.c
-DDYNDB_LIBDIR=\"@libdir@/bind\" \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
+ -DVALIDATION_DEFAULT=\"@VALIDATION_DEFAULT@\" \
-c ${srcdir}/config.c
server.@O@: server.c
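Review bot: The new `-DVALIDATION_DEFAULT=\"@VALIDATION_DEFAULT@\"` flag is the only source of the compiled-in default, and its consumer in bin/named/config.c (the `dnssec-validation " VALIDATION_DEFAULT "; \n"` line in the same commit) has no fallback, so a config.c compiled without this Makefile rule fails on a bare identifier rather than degrading to a known default. A three-line guard ahead of the default-options string in config.c, `#ifndef VALIDATION_DEFAULT`, `#define VALIDATION_DEFAULT "auto"`, `#endif`, makes the source self-describing and agrees with the configure default. It would presumably also be worth asserting somewhere that the substituted value is never empty, since `dnssec-validation ;` in the built-in defaults would not parse; the configure `case` in this commit only emits `yes` or `auto`, so that holds today. The config.c hunk sits inside a string literal whose start and end are outside the hunk.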
diff --git a/bin/named/config.c b/bin/named/config.c
index 3c99e707ae..057933aecc 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -146,7 +146,7 @@ options {\n\
clients-per-query 10;\n\
dnssec-accept-expired no;\n\
dnssec-enable yes;\n\
- dnssec-validation yes; \n"
+ dnssec-validation " VALIDATION_DEFAULT "; \n"
#ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n"
#endif
diff --git a/bind.keys b/bind.keys
index 5e5a32ba9c..c468c972e6 100644
--- a/bind.keys
+++ b/bind.keys
@@ -4,15 +4,17 @@
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
-# The built-in trust anchors are provided for convenience of configuration.
-# They are not activated within named.conf unless specifically switched on.
-# To use the built-in key, use "dnssec-validation auto;" in the
-# named.conf options. Without this option being set, the keys in this
-# file are ignored.
+# To use the built-in root key, set "dnssec-validation auto;" in the
+# named.conf options or else leave "dnssec-validation" unset. If
+# "dnssec-validation" is set to "yes", then the keys in this file are
+# ignored; keys will need to be explicitly configured in named.conf for
+# validation to work. "auto" is the default setting, unless named is
+# built with "configure --disable-auto-validation", in which case the
+# default is "yes".
#
# This file is NOT expected to be user-configured.
#
-# These keys are current as of October 2017. If any key fails to
+# These keys are current as of May 2018. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
diff --git a/bind.keys.h b/bind.keys.h
index 746dfa289d..8e94793a95 100644
--- a/bind.keys.h
+++ b/bind.keys.h
@@ -7,15 +7,17 @@
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
-# named.conf options. Without this option being set, the keys in this\n\
-# file are ignored.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
+# named.conf options or else leave \"dnssec-validation\" unset. If\n\
+# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
+# ignored; keys will need to be explicitly configured in named.conf for\n\
+# validation to work. \"auto\" is the default setting, unless named is\n\
+# built with \"configure --disable-auto-validation\", in which case the\n\
+# default is \"yes\".\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of October 2017. If any key fails to\n\
+# These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
@@ -60,15 +62,17 @@ trusted-keys {\n\
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
-# named.conf options. Without this option being set, the keys in this\n\
-# file are ignored.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
+# named.conf options or else leave \"dnssec-validation\" unset. If\n\
+# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
+# ignored; keys will need to be explicitly configured in named.conf for\n\
+# validation to work. \"auto\" is the default setting, unless named is\n\
+# built with \"configure --disable-auto-validation\", in which case the\n\
+# default is \"yes\".\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of October 2017. If any key fails to\n\
+# These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
diff --git a/configure b/configure
index 539abdf5c7..f99d7cf5d7 100755
--- a/configure
+++ b/configure
@@ -677,6 +677,7 @@ BIND9_ISCCFG_BUILDINCLUDE
BIND9_ISCCC_BUILDINCLUDE
BIND9_ISC_BUILDINCLUDE
BIND9_TOP_BUILDDIR
+VALIDATION_DEFAULT
UNITTESTS
ATFLIBS
ATFBIN
@@ -1039,6 +1040,7 @@ with_libidn2
with_atf
with_tuning
enable_querytrace
+enable_auto_validation
with_dlopen
with_dlz_postgres
with_dlz_mysql
@@ -1715,6 +1717,9 @@ Optional Features:
--enable-dnsrps enable DNS Response Policy Service API
--enable-dnstap enable dnstap support (requires fstrm, protobuf-c)
--enable-querytrace enable very verbose query trace logging [default=no]
+ --enable-auto-validation
+ turn on DNSSEC validation by default, using the IANA
+ root key [default=yes]
--enable-full-report report values of all configure options
Optional Packages:
@@ -22693,6 +22698,32 @@ $as_echo "no" >&6; }
;;
esac
+#
+# Was --disable-auto-validation specified?
+#
+# Check whether --enable-auto-validation was given.
+if test "${enable_auto_validation+set}" = set; then :
+ enableval=$enable_auto_validation; want_autoval="$enableval"
+else
+ want_autoval="yes"
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable DNSSEC validation by default" >&5
+$as_echo_n "checking whether to enable DNSSEC validation by default... " >&6; }
+case "$want_autoval" in
+no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ VALIDATION_DEFAULT=yes
+ ;;
+*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ VALIDATION_DEFAULT=auto
+ ;;
+esac
+
+
#
# Substitutions
#
@@ -26446,6 +26477,7 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
+ test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
@@ -26484,6 +26516,8 @@ report() {
test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+ test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
+
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
diff --git a/configure.in b/configure.in
index 627ddec310..5dd0b2ceb4 100644
--- a/configure.in
+++ b/configure.in
@@ -4732,6 +4732,26 @@ no)
;;
esac
+#
+# Was --disable-auto-validation specified?
+#
+AC_ARG_ENABLE(auto-validation,
+ AS_HELP_STRING([--enable-auto-validation],
+ [turn on DNSSEC validation by default, using the IANA root key [default=yes]]),
+ want_autoval="$enableval", want_autoval="yes")
+AC_MSG_CHECKING([whether to enable DNSSEC validation by default])
+case "$want_autoval" in
+no)
+ AC_MSG_RESULT(no)
+ VALIDATION_DEFAULT=yes
+ ;;
+*)
+ AC_MSG_RESULT(yes)
+ VALIDATION_DEFAULT=auto
+ ;;
+esac
+AC_SUBST(VALIDATION_DEFAULT)
+
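Review bot: The `case "$want_autoval"` near the end of the hunk treats every value other than the literal `no` as a request for automatic validation, so `--enable-auto-validation=off` or a misspelling silently selects `auto` instead of being rejected, and the configure summary then reports a default the user did not ask for. Making the accepted values explicit, `yes) AC_MSG_RESULT(yes); VALIDATION_DEFAULT=auto ;;` followed by `*) AC_MSG_ERROR([unrecognized value for --enable-auto-validation: $want_autoval]) ;;`, keeps the build from picking a validation policy on a typo. The same `case` appears in the generated configure hunk from this commit and would follow on regeneration.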
#
# Substitutions
#
@@ -5365,6 +5385,7 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
+ test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
@@ -5403,6 +5424,8 @@ report() {
test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+ test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
+
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 80ce9281b1..ebda5e5690 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2207,28 +2207,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
To enable named to respond appropriately
to DNS requests from DNSSEC aware clients,
dnssec-enable must be set to yes.
- (This is the default setting.)
+ This is the default setting.
To enable named to validate answers from
other servers, the dnssec-enable option
must be set to yes, and the
- dnssec-validation options must be set to
- yes or auto.
+ dnssec-validation option must be set to
+ either yes or auto.
+ When dnssec-validation is set to
+ auto, a trust anchor for the DNS
+ root zone will automatically be used. This trust anchor is
+ provided as part of BIND and is kept up to date using RFC 5011
+ key management.
If dnssec-validation is set to
- auto, then a default
- trust anchor for the DNS root zone will be used.
- If it is set to yes, however,
- then at least one trust anchor must be configured
- with a trusted-keys or
- managed-keys statement in
- named.conf, or DNSSEC validation
- will not occur. The default setting is
- yes.
+ yes, then
+ DNSSEC validation only occurs if
+ at least one trust anchor has been explicitly configured
+ in named.conf,
+ using a trusted-keys or
+ managed-keys statement.
+ If dnssec-validation is set to
+ no, then DNSSEC validation will
+ not occur.
+ The default is auto unless BIND is
+ built with configure --disable-auto-validation,
+ in which case the default is yes.