mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 07:35:26 +00:00
Code Issues Releases Wiki Activity

Set "dnssec-validation auto" by default

Browse Source 
- the default setting for dnssec-validation is now "auto", which
  activates DNSSEC validation using the IANA root key.  The old behavior
  can be restored by explicitly setting "dnssec-validation yes", which
  "yes", which activates DNSSEC validation only if keys are explicitly
  configured in named.conf.
- the ARM has been updated to describe the new behavior
This commit is contained in:
Evan Hunt
2018-05-16 11:58:15 -07:00
committed by Ondřej Surý
parent 1f743fe0da
commit bef18ecac6
7 changed files with 103 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
bin/named/Makefile.in
View File

@@ -130,6 +130,7 @@ config.@O@: config.c
-DDYNDB_LIBDIR=\"@libdir@/bind\" \ -DDYNDB_LIBDIR=\"@libdir@/bind\" \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \ -DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \ -DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
-DVALIDATION_DEFAULT=\"@VALIDATION_DEFAULT@\" \
-c ${srcdir}/config.c -c ${srcdir}/config.c
server.@O@: server.c server.@O@: server.c

2
bin/named/config.c
View File

@@ -146,7 +146,7 @@ options {\n\
clients-per-query 10;\n\ clients-per-query 10;\n\
dnssec-accept-expired no;\n\ dnssec-accept-expired no;\n\
dnssec-enable yes;\n\ dnssec-enable yes;\n\
dnssec-validation yes; \n" dnssec-validation " VALIDATION_DEFAULT "; \n"
#ifdef HAVE_DNSTAP #ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n" " dnstap-identity hostname;\n"
#endif #endif

14
bind.keys
View File

@@ -4,15 +4,17 @@
# be configured elsewhere; if they are configured here, they will not be # be configured elsewhere; if they are configured here, they will not be
# recognized or used by named. # recognized or used by named.
# #
# The built-in trust anchors are provided for convenience of configuration. # To use the built-in root key, set "dnssec-validation auto;" in the
# They are not activated within named.conf unless specifically switched on. # named.conf options or else leave "dnssec-validation" unset. If
# To use the built-in key, use "dnssec-validation auto;" in the # "dnssec-validation" is set to "yes", then the keys in this file are
# named.conf options. Without this option being set, the keys in this # ignored; keys will need to be explicitly configured in named.conf for
# file are ignored. # validation to work. "auto" is the default setting, unless named is
# built with "configure --disable-auto-validation", in which case the
# default is "yes".
# #
# This file is NOT expected to be user-configured. # This file is NOT expected to be user-configured.
# #
# These keys are current as of October 2017. If any key fails to # These keys are current as of May 2018. If any key fails to
# initialize correctly, it may have expired. In that event you should # initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of # replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

28
bind.keys.h
View File

@@ -7,15 +7,17 @@
# be configured elsewhere; if they are configured here, they will not be\n\ # be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\ # recognized or used by named.\n\
#\n\ #\n\
# The built-in trust anchors are provided for convenience of configuration.\n\ # To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
# They are not activated within named.conf unless specifically switched on.\n\ # named.conf options or else leave \"dnssec-validation\" unset. If\n\
# To use the built-in key, use \"dnssec-validation auto;\" in the\n\ # \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
# named.conf options. Without this option being set, the keys in this\n\ # ignored; keys will need to be explicitly configured in named.conf for\n\
# file are ignored.\n\ # validation to work. \"auto\" is the default setting, unless named is\n\
# built with \"configure --disable-auto-validation\", in which case the\n\
# default is \"yes\".\n\
#\n\ #\n\
# This file is NOT expected to be user-configured.\n\ # This file is NOT expected to be user-configured.\n\
#\n\ #\n\
# These keys are current as of October 2017. If any key fails to\n\ # These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\ # initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\ # replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
@@ -60,15 +62,17 @@ trusted-keys {\n\
# be configured elsewhere; if they are configured here, they will not be\n\ # be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\ # recognized or used by named.\n\
#\n\ #\n\
# The built-in trust anchors are provided for convenience of configuration.\n\ # To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
# They are not activated within named.conf unless specifically switched on.\n\ # named.conf options or else leave \"dnssec-validation\" unset. If\n\
# To use the built-in key, use \"dnssec-validation auto;\" in the\n\ # \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
# named.conf options. Without this option being set, the keys in this\n\ # ignored; keys will need to be explicitly configured in named.conf for\n\
# file are ignored.\n\ # validation to work. \"auto\" is the default setting, unless named is\n\
# built with \"configure --disable-auto-validation\", in which case the\n\
# default is \"yes\".\n\
#\n\ #\n\
# This file is NOT expected to be user-configured.\n\ # This file is NOT expected to be user-configured.\n\
#\n\ #\n\
# These keys are current as of October 2017. If any key fails to\n\ # These keys are current as of May 2018. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\ # initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\ # replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\

34
configure vendored
View File

@@ -677,6 +677,7 @@ BIND9_ISCCFG_BUILDINCLUDE
BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE
BIND9_ISC_BUILDINCLUDE BIND9_ISC_BUILDINCLUDE
BIND9_TOP_BUILDDIR BIND9_TOP_BUILDDIR
VALIDATION_DEFAULT
UNITTESTS UNITTESTS
ATFLIBS ATFLIBS
ATFBIN ATFBIN
@@ -1039,6 +1040,7 @@ with_libidn2
with_atf with_atf
with_tuning with_tuning
enable_querytrace enable_querytrace
enable_auto_validation
with_dlopen with_dlopen
with_dlz_postgres with_dlz_postgres
with_dlz_mysql with_dlz_mysql
@@ -1715,6 +1717,9 @@ Optional Features:
--enable-dnsrps enable DNS Response Policy Service API --enable-dnsrps enable DNS Response Policy Service API
--enable-dnstap enable dnstap support (requires fstrm, protobuf-c) --enable-dnstap enable dnstap support (requires fstrm, protobuf-c)
--enable-querytrace enable very verbose query trace logging [default=no] --enable-querytrace enable very verbose query trace logging [default=no]
--enable-auto-validation
turn on DNSSEC validation by default, using the IANA
root key [default=yes]
--enable-full-report report values of all configure options --enable-full-report report values of all configure options
Optional Packages: Optional Packages:
@@ -22693,6 +22698,32 @@ $as_echo "no" >&6; }
;; ;;
esac esac
#
# Was --disable-auto-validation specified?
#
# Check whether --enable-auto-validation was given.
if test "${enable_auto_validation+set}" = set; then :
enableval=$enable_auto_validation; want_autoval="$enableval"
else
want_autoval="yes"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable DNSSEC validation by default" >&5
$as_echo_n "checking whether to enable DNSSEC validation by default... " >&6; }
case "$want_autoval" in
no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
VALIDATION_DEFAULT=yes
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
VALIDATION_DEFAULT=auto
;;
esac
# #
# Substitutions # Substitutions
# #
@@ -26446,6 +26477,7 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)" echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB" echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:" echo " Dynamically loadable zone (DLZ) drivers:"
@@ -26484,6 +26516,8 @@ report() {
test "yes" = "$enable_fixed" || \ test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)" echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)" echo " OpenSSL cryptography/DNSSEC (--with-openssl)"

23
configure.in
View File

@@ -4732,6 +4732,26 @@ no)
;; ;;
esac esac
#
# Was --disable-auto-validation specified?
#
AC_ARG_ENABLE(auto-validation,
AS_HELP_STRING([--enable-auto-validation],
[turn on DNSSEC validation by default, using the IANA root key [default=yes]]),
want_autoval="$enableval", want_autoval="yes")
AC_MSG_CHECKING([whether to enable DNSSEC validation by default])
case "$want_autoval" in
no)
AC_MSG_RESULT(no)
VALIDATION_DEFAULT=yes
;;
*)
AC_MSG_RESULT(yes)
VALIDATION_DEFAULT=auto
;;
esac
AC_SUBST(VALIDATION_DEFAULT)
# #
# Substitutions # Substitutions
# #
@@ -5365,6 +5385,7 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)" echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
test "no" = "$want_autoval" || echo " DNSSEC validation active by default (--enable-auto-validation)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB" echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:" echo " Dynamically loadable zone (DLZ) drivers:"
@@ -5403,6 +5424,8 @@ report() {
test "yes" = "$enable_fixed" || \ test "yes" = "$enable_fixed" || \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)" echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "no" = "$want_autoval" && echo " DNSSEC validation requires configuration (--disable-auto-validation)"
if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
then then
echo " OpenSSL cryptography/DNSSEC (--with-openssl)" echo " OpenSSL cryptography/DNSSEC (--with-openssl)"

32
doc/arm/Bv9ARM-book.xml
View File

@@ -2207,28 +2207,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
To enable <command>named</command> to respond appropriately To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC aware clients, to DNS requests from DNSSEC aware clients,
<command>dnssec-enable</command> must be set to yes. <command>dnssec-enable</command> must be set to yes.
(This is the default setting.) This is the default setting.
</para> </para>
<para> <para>
To enable <command>named</command> to validate answers from To enable <command>named</command> to validate answers from
other servers, the <command>dnssec-enable</command> option other servers, the <command>dnssec-enable</command> option
must be set to <userinput>yes</userinput>, and the must be set to <userinput>yes</userinput>, and the
<command>dnssec-validation</command> options must be set to <command>dnssec-validation</command> option must be set to
<userinput>yes</userinput> or <userinput>auto</userinput>. either <userinput>yes</userinput> or <userinput>auto</userinput>.
</para> </para>
<para> <para>
When <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, a trust anchor for the DNS
root zone will automatically be used. This trust anchor is
provided as part of BIND and is kept up to date using RFC 5011
key management.
If <command>dnssec-validation</command> is set to If <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, then a default <userinput>yes</userinput>, then
trust anchor for the DNS root zone will be used. DNSSEC validation only occurs if
If it is set to <userinput>yes</userinput>, however, at least one trust anchor has been explicitly configured
then at least one trust anchor must be configured in <filename>named.conf</filename>,
with a <command>trusted-keys</command> or using a <command>trusted-keys</command> or
<command>managed-keys</command> statement in <command>managed-keys</command> statement.
<filename>named.conf</filename>, or DNSSEC validation If <command>dnssec-validation</command> is set to
will not occur. The default setting is <userinput>no</userinput>, then DNSSEC validation will
<userinput>yes</userinput>. not occur.
The default is <userinput>auto</userinput> unless BIND is
built with <command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
</para> </para>
<para> <para>