From cfe92110ce4eaf19f7f3255d2961710879bdc9dd Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 9 Mar 2006 23:21:54 +0000 Subject: [PATCH] 2007. [func] It is now possible to explicitly enable DNSSEC validation. default dnssec-validation no; to be changed to yes in 9.5.0. [RT #15674] --- CHANGES | 4 +++ bin/named/config.c | 5 ++-- bin/named/named.conf.docbook | 4 ++- bin/named/query.c | 8 ++++-- bin/named/server.c | 7 +++++- bin/tests/system/dlv/ns5/named.conf | 3 ++- bin/tests/system/dnssec/ns1/named.conf | 3 ++- bin/tests/system/dnssec/ns2/named.conf | 3 ++- bin/tests/system/dnssec/ns3/named.conf | 3 ++- bin/tests/system/dnssec/ns4/named.conf | 3 ++- bin/tests/system/dnssec/ns5/named.conf | 3 ++- bin/tests/system/dnssec/ns6/named.conf | 3 ++- bin/tests/system/lwresd/ns1/named.conf | 3 ++- doc/arm/Bv9ARM-book.xml | 15 +++++++++++- lib/bind9/check.c | 31 ++++++++++++++++++++++- lib/dns/include/dns/view.h | 3 ++- lib/dns/resolver.c | 34 ++++++++++++++------------ lib/dns/view.c | 3 ++- lib/isccfg/namedconf.c | 3 ++- 19 files changed, 107 insertions(+), 34 deletions(-) diff --git a/CHANGES b/CHANGES index 6dfae786e8..294b8cf2b1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2007. [func] It is now possible to explicitly enable DNSSEC + validation. default dnssec-validation no; to + be changed to yes in 9.5.0. [RT #15674] + 2006. [security] Allow-query-cache and allow-recursion now default to the builtin acls "localnets" and "localhost". diff --git a/bin/named/config.c b/bin/named/config.c index c20e6019a1..198322b794 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */ +/* $Id: config.c,v 1.73 2006/03/09 23:21:53 marka Exp $ */ /*! \file */ 
@@ -135,7 +135,8 @@ options {\n\ use-additional-cache true;\n\ acache-cleaning-interval 60;\n\ max-acache-size 0;\n\ - dnssec-enable no; /* Make yes for 9.4. */ \n\ + dnssec-enable yes;\n\ + dnssec-validation no; /* Make yes for 9.5. */ \n\ dnssec-accept-expired no;\n\ clients-per-query 10;\n\ max-clients-per-query 100;\n\ diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 3bc7561627..1ba25acf88 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + Aug 13, 2004 @@ -263,6 +263,7 @@ options { root-delegation-only exclude { quoted_string; ... } ; disable-algorithms string { string; ... }; dnssec-enable boolean; + dnssec-validation boolean; dnssec-lookaside string trust-anchor string; dnssec-must-be-secure string boolean; dnssec-accept-expired boolean; @@ -410,6 +411,7 @@ view string optional_class root-delegation-only exclude { quoted_string; ... } ; disable-algorithms string { string; ... }; dnssec-enable boolean; + dnssec-validation boolean; dnssec-lookaside string trust-anchor string; dnssec-must-be-secure string boolean; dnssec-accept-expired boolean; diff --git a/bin/named/query.c b/bin/named/query.c index 6981cd4e52..e8d3ca7f74 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.282 2006/03/03 00:43:34 marka Exp $ */ +/* $Id: query.c,v 1.283 2006/03/09 23:21:53 marka Exp $ */ /*! \file */ 
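Review bot: The built-in default `dnssec-validation no;` added here is one of three independent copies of that default in this commit: check_viewconf() in lib/bind9/check.c falls back to `ISC_FALSE` when the clause is absent, and dns_view_create() in lib/dns/view.c initialises `view->enablevalidation` to `ISC_TRUE`. They only agree in practice because configure_view() in server.c always overwrites the view field from this options string, so a library user creating a view without going through named gets the opposite default. A comment on this line, `/* Keep in sync with check_viewconf() (lib/bind9/check.c) and dns_view_create() (lib/dns/view.c). */`, would make the promised 9.5 flip a three-place change rather than a one-place one. The same point applies to the check.c and view.c hunks below.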
@@ -4527,13 +4527,17 @@ ns_query_start(ns_client_t *client) {
 * If the client has requested that DNSSEC checking be disabled,
 * allow lookups to return pending data and instruct the resolver
 * to return data before validation has completed.
+ *
+ * We don't need to set DNS_DBFIND_PENDINGOK when validation is
+ * disabled as there will be no pending data.
 */
 if (message->flags & DNS_MESSAGEFLAG_CD ||
 qtype == dns_rdatatype_rrsig) {
 client->query.dboptions |= DNS_DBFIND_PENDINGOK;
 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
- }
+ } else if (!client->view->enablevalidation)
+ client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
 /*
 * Allow glue NS records to be added to the authority section
diff --git a/bin/named/server.c b/bin/named/server.c
index 7fdbdaf5ff..8b5dbe2a2b 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */
+/* $Id: server.c,v 1.461 2006/03/09 23:21:53 marka Exp $ */
 /*! \file */
@@ -1493,6 +1493,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 INSIST(result == ISC_R_SUCCESS);
 view->acceptexpired = cfg_obj_asboolean(obj);
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-validation", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->enablevalidation = cfg_obj_asboolean(obj);
+
 obj = NULL;
 result = ns_config_get(maps, "dnssec-lookaside", &obj);
 if (result == ISC_R_SUCCESS) {
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index ebe0cb426a..3cdf71493a 100644
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.3 2004/06/04 02:31:41 marka Exp $ */
+/* $Id: named.conf,v 1.4 2006/03/09 23:21:53 marka Exp $ */
 /*
 * Choose a keyname that is unlikely to clash with any real key names.
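Review bot: The new `else if (!client->view->enablevalidation)` leaves its single statement unbraced while the paired `if` body directly above is braced; in the branch that decides whether validation is skipped, a later added line would silently land outside the condition. Brace it: `} else if (!client->view->enablevalidation) {` / `client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;` / `}`. The added comment's claim that there will be no pending data assumes the cache was never filled with validation enabled; after a reconfig that turns validation off, rdatasets cached as pending earlier would presumably still be there and, without DNS_DBFIND_PENDINGOK, be passed over and refetched, which is worth stating in the comment. ns_query_start() begins and ends outside the hunk.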
@@ -58,6 +58,7 @@ options {
 recursion yes;
 notify yes;
 dnssec-enable yes;
+ dnssec-validation yes;
 dnssec-lookaside "." trust-anchor "dlv.utld";
 };
diff --git a/bin/tests/system/dnssec/ns1/named.conf b/bin/tests/system/dnssec/ns1/named.conf
index 833e9375d7..f27ebaf39f 100644
--- a/bin/tests/system/dnssec/ns1/named.conf
+++ b/bin/tests/system/dnssec/ns1/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.20 2004/03/10 02:19:53 marka Exp $ */
+/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
 // NS1
@@ -32,6 +32,7 @@ options {
 recursion no;
 notify yes;
 dnssec-enable yes;
+ dnssec-validation yes;
 };
 zone "." {
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
index 66f33bf692..abb3b20d63 100644
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.24 2004/05/05 01:32:57 marka Exp $ */
+/* $Id: named.conf,v 1.25 2006/03/09 23:21:53 marka Exp $ */
 // NS2
@@ -32,6 +32,7 @@ options {
 recursion no;
 notify yes;
 dnssec-enable yes;
+ dnssec-validation yes;
 };
 zone "." {
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 71e88928e8..6455101b32 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.27 2004/05/05 01:32:57 marka Exp $ */
+/* $Id: named.conf,v 1.28 2006/03/09 23:21:53 marka Exp $ */
 // NS3
@@ -32,6 +32,7 @@ options {
 recursion no;
 notify yes;
 dnssec-enable yes;
+ dnssec-validation yes;
 };
 zone "." {
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
index 040e481e4c..25b4138d8e 100644
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.23 2004/04/15 23:40:23 marka Exp $ */
+/* $Id: named.conf,v 1.24 2006/03/09 23:21:53 marka Exp $ */
 // NS4
@@ -31,6 +31,7 @@ options {
 listen-on-v6 { none; };
 recursion yes;
 dnssec-enable yes;
+ dnssec-validation yes;
 dnssec-must-be-secure mustbesecure.example yes;
 };
diff --git a/bin/tests/system/dnssec/ns5/named.conf b/bin/tests/system/dnssec/ns5/named.conf
index 29191295a3..09237206be 100644
--- a/bin/tests/system/dnssec/ns5/named.conf
+++ b/bin/tests/system/dnssec/ns5/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.20 2004/03/10 02:19:54 marka Exp $ */
+/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
 // NS5
@@ -31,6 +31,7 @@ options {
 listen-on-v6 { none; };
 recursion yes;
 dnssec-enable yes;
+ dnssec-validation yes;
 };
 zone "." {
diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf
index 4fcd5894b4..ed6413196c 100644
--- a/bin/tests/system/dnssec/ns6/named.conf
+++ b/bin/tests/system/dnssec/ns6/named.conf
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.7 2004/06/04 02:31:41 marka Exp $ */
+/* $Id: named.conf,v 1.8 2006/03/09 23:21:53 marka Exp $ */
 // NS6
@@ -32,6 +32,7 @@ options {
 notify yes;
 disable-algorithms . { DSA; };
 dnssec-enable yes;
+ dnssec-validation yes;
 dnssec-lookaside . trust-anchor dlv;
 };
diff --git a/bin/tests/system/lwresd/ns1/named.conf b/bin/tests/system/lwresd/ns1/named.conf
index f04aa97c4f..6dbfef307a 100644
--- a/bin/tests/system/lwresd/ns1/named.conf
+++ b/bin/tests/system/lwresd/ns1/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.15 2004/03/10 02:19:54 marka Exp $ */
+/* $Id: named.conf,v 1.16 2006/03/09 23:21:54 marka Exp $ */
 controls { /* empty */ };
@@ -30,6 +30,7 @@ options {
 recursion no;
 notify no;
 dnssec-enable yes;
+ dnssec-validation yes;
 };
 zone "." {
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index c3d888ea46..55285f1db0 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4393,6 +4393,7 @@ category notify { null; }; use-id-pool yes_or_no; maintain-ixfr-base yes_or_no; dnssec-enable yes_or_no; + dnssec-validation yes_or_no; dnssec-lookaside domain trust-anchor domain; dnssec-must-be-secure domain yes_or_no; dnssec-accept-expired yes_or_no; @@ -5484,6 +5485,18 @@ options { Enable DNSSEC support in named. Unless set to yes named behaves as if it does not support DNSSEC. + The default is yes. + + + + + + dnssec-validation + + + Enable DNSSEC validation in named. + Note dnssec-enable also needs to be + set to yes to be effective. The default is no. diff --git a/lib/bind9/check.c b/lib/bind9/check.c index cef648a6eb..5e2e3ef760 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.72 2006/03/06 01:27:52 marka Exp $ */ +/* $Id: check.c,v 1.73 2006/03/09 23:21:54 marka Exp $ */ /*! \file */ @@ -1394,6 +1394,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult = ISC_R_SUCCESS; cfg_aclconfctx_t actx; + cfg_obj_t *obj; + isc_boolean_t enablednssec, enablevalidation; /* * Check that all zone statements are syntactically correct and 
@@ -1499,6 +1501,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 result = ISC_R_FAILURE;
 }
+ /*
+ * Check that dnssec-enable/dnssec-validation are sensible.
+ */
+ obj = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "dnssec-enable", &obj);
+ if (obj == NULL)
+ (void)cfg_map_get(config, "dnssec-enable", &obj);
+ if (obj == NULL)
+ enablednssec = ISC_TRUE;
+ else
+ enablednssec = cfg_obj_asboolean(obj);
+ obj = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "dnssec-validation", &obj);
+ if (obj == NULL)
+ (void)cfg_map_get(config, "dnssec-validation", &obj);
+ if (obj == NULL)
+ enablevalidation = ISC_FALSE; /* XXXMPA Change for 9.5. */
+ else
+ enablevalidation = cfg_obj_asboolean(obj);
+ if (enablevalidation && !enablednssec)
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "'dnssec-validation yes;' and 'dnssec-enable no;'");
+
 if (voptions != NULL)
 tresult = check_options(voptions, logctx, mctx);
 else
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index fa00fa96bd..debe893a1c 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: view.h,v 1.100 2006/01/05 00:01:46 marka Exp $ */
+/* $Id: view.h,v 1.101 2006/03/09 23:21:54 marka Exp $ */
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -112,6 +112,7 @@ struct dns_view {
 isc_boolean_t additionalfromauth;
 isc_boolean_t minimalresponses;
 isc_boolean_t enablednssec;
+ isc_boolean_t enablevalidation;
 isc_boolean_t acceptexpired;
 dns_transfer_format_t transfer_format;
 dns_acl_t * queryacl;
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 14c895befa..191552b4f2 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: resolver.c,v 1.329 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: resolver.c,v 1.330 2006/03/09 23:21:54 marka Exp $ */
 /*! \file */
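Review bot: The warning logged for `dnssec-validation yes;` together with `dnssec-enable no;` only restates the two settings and never says what the consequence is; the ARM text added in this commit says dnssec-enable must be yes for validation to be effective, so the log line should say so too, e.g. `"'dnssec-validation yes;' and 'dnssec-enable no;': validation will not take place"`. The `enablevalidation = ISC_FALSE` fallback also hard-codes a default that the options string in bin/named/config.c already carries, so the `XXXMPA` marker has to be honoured in both files when 9.5 flips it; a comment naming config.c here would help. check_viewconf() begins and ends outside the hunk.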
@@ -3536,14 +3536,16 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 /*
 * Is DNSSEC validation required for this name?
 */
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (res->view->enablevalidation) {
+ result = dns_keytable_issecuredomain(res->view->secroots, name,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
- if (!secure_domain && res->view->dlv != NULL) {
- valoptions = DNS_VALIDATOR_DLV;
- secure_domain = ISC_TRUE;
+ if (!secure_domain && res->view->dlv != NULL) {
+ valoptions = DNS_VALIDATOR_DLV;
+ secure_domain = ISC_TRUE;
+ }
 }
 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
@@ -3955,14 +3957,16 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 /*
 * Is DNSSEC validation required for this name?
 */
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (fctx->res->view->enablevalidation) {
+ result = dns_keytable_issecuredomain(res->view->secroots, name,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
- if (!secure_domain && res->view->dlv != NULL) {
- valoptions = DNS_VALIDATOR_DLV;
- secure_domain = ISC_TRUE;
+ if (!secure_domain && res->view->dlv != NULL) {
+ valoptions = DNS_VALIDATOR_DLV;
+ secure_domain = ISC_TRUE;
+ }
 }
 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 9dc53a702a..cddcb7a114 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: view.c,v 1.136 2006/01/05 00:01:46 marka Exp $ */
+/* $Id: view.c,v 1.137 2006/03/09 23:21:54 marka Exp $ */
 /*! \file */
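Review bot: When validation is disabled, the new `if (res->view->enablevalidation)` skips the only assignment to `secure_domain` visible in the hunk, so the code after it that consults `secure_domain` now depends on the variable being initialised at its declaration, which lies outside the hunk in cache_name(); if it is merely declared there, it needs `isc_boolean_t secure_domain = ISC_FALSE;` or the not-validating path reads an indeterminate value. The same applies to the second hunk in ncache_message(). That hunk also spells the flag `fctx->res->view->enablevalidation` while its neighbouring lines and the first hunk use `res->view`; `if (res->view->enablevalidation) {` keeps the two consistent. Both functions begin and end outside the hunks.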
@@ -160,6 +160,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 view->additionalfromcache = ISC_TRUE;
 view->additionalfromauth = ISC_TRUE;
 view->enablednssec = ISC_TRUE;
+ view->enablevalidation = ISC_TRUE;
 view->acceptexpired = ISC_FALSE;
 view->minimalresponses = ISC_FALSE;
 view->transfer_format = dns_one_answer;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 84fb1e0b14..a37285d703 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: namedconf.c,v 1.67 2006/03/06 01:27:52 marka Exp $ */
+/* $Id: namedconf.c,v 1.68 2006/03/09 23:21:54 marka Exp $ */
 /*! \file */
@@ -768,6 +768,7 @@ view_clauses[] = {
 { "disable-algorithms", &cfg_type_disablealgorithm,
 CFG_CLAUSEFLAG_MULTI },
 { "dnssec-enable", &cfg_type_boolean, 0 },
+ { "dnssec-validation", &cfg_type_boolean, 0 },
 { "dnssec-lookaside", &cfg_type_lookaside,
 CFG_CLAUSEFLAG_MULTI },
 { "dnssec-must-be-secure", &cfg_type_mustbesecure,
 CFG_CLAUSEFLAG_MULTI },