option to disable validation under specified names

- added new 'validate-except' option, which configures an NTA with expiry of 0xffffffff. NTAs with that value in the expiry field do not expire, are are not written out when saving the NTA table and are not dumped by rndc secroots
2025-09-01 06:55:30 +00:00 · 2018-04-30 16:10:17 -07:00
parent 509d71e1aa
commit eaac2057c7
11 changed files with 208 additions and 176 deletions
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -13,7 +13,7 @@
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
  <info>
-    <date>2018-05-29</date>
+    <date>2018-06-21</date>
  </info>
  <refentryinfo>
    <corpname>ISC</corpname>
@@ -224,9 +224,9 @@ options {
 	coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
 	datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
 	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
-	    except-from { <replaceable>quoted_string</replaceable>; ... } ];
+	    except-from { <replaceable>string</replaceable>; ... } ];
-	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
+	deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
-	    <replaceable>quoted_string</replaceable>; ... } ];
+	    } ];
 	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	directory <replaceable>quoted_string</replaceable>;
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
@@ -257,14 +257,12 @@ options {
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
-	dnstap { ( all | auth | client | forwarder |
+	dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
-	    resolver ) [ ( query | response ) ]; ... };
+	    response ) ]; ... };
-	dnstap-identity ( <replaceable>quoted_string</replaceable> | none |
+	dnstap-identity ( <replaceable>quoted_string</replaceable> | none | hostname );
-	    hostname );
+	dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
-	dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [
+	    <replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
-	    size ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
+	    increment | timestamp ) ];
 	    unlimited | <replaceable>integer</replaceable> ) ] [ suffix ( increment
 	    | timestamp ) ];
 	dnstap-version ( <replaceable>quoted_string</replaceable> | none );
 	dscp <replaceable>integer</replaceable>;
 	dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
@@ -362,7 +360,7 @@ options {
 	preferred-glue <replaceable>string</replaceable>;
 	prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	provide-ixfr <replaceable>boolean</replaceable>;
-	qname-minimization ( strict | relaxed | disabled );
+	qname-minimization ( strict | relaxed | disabled | off );
 	query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
 	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
 	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
@@ -413,7 +411,7 @@ options {
 	    nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
 	    dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
 	    } ];
-	root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
 	root-key-sentinel <replaceable>boolean</replaceable>;
 	rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
 	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
@@ -463,6 +461,7 @@ options {
 	use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
 	use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
 	v6-bias <replaceable>integer</replaceable>;
 	validate-except { <replaceable>string</replaceable>; ... };
 	version ( <replaceable>quoted_string</replaceable> | none );
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
@@ -574,9 +573,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	cleaning-interval <replaceable>integer</replaceable>;
 	clients-per-query <replaceable>integer</replaceable>;
 	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
-	    except-from { <replaceable>quoted_string</replaceable>; ... } ];
+	    except-from { <replaceable>string</replaceable>; ... } ];
-	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } [ except-from {
+	deny-answer-aliases { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
-	    <replaceable>quoted_string</replaceable>; ... } ];
+	    } ];
 	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
 	    ... };
@@ -610,8 +609,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
-	dnstap { ( all | auth | client | forwarder |
+	dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
-	    resolver ) [ ( query | response ) ]; ... };
+	    response ) ]; ... };
 	dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
 	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
 	    <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
@@ -689,7 +688,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	preferred-glue <replaceable>string</replaceable>;
 	prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	provide-ixfr <replaceable>boolean</replaceable>;
-	qname-minimization ( strict | relaxed | disabled );
+	qname-minimization ( strict | relaxed | disabled | off );
 	query-source ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
 	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
 	    port ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
@@ -735,7 +734,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	    nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
 	    dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
 	    } ];
-	root-delegation-only [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
 	root-key-sentinel <replaceable>boolean</replaceable>;
 	rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
 	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
@@ -797,6 +796,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	update-check-ksk <replaceable>boolean</replaceable>;
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
 	v6-bias <replaceable>integer</replaceable>;
 	validate-except { <replaceable>string</replaceable>; ... };
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
 	zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
@@ -878,7 +878,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 		serial-update-method ( date | increment | unixtime );
 		server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [
 		    port <replaceable>integer</replaceable> ]; ... };
-		server-names { <replaceable>quoted_string</replaceable>; ... };
+		server-names { <replaceable>string</replaceable>; ... };
 		sig-signing-nodes <replaceable>integer</replaceable>;
 		sig-signing-signatures <replaceable>integer</replaceable>;
 		sig-signing-type <replaceable>integer</replaceable>;
@@ -982,7 +982,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	serial-update-method ( date | increment | unixtime );
 	server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port
 	    <replaceable>integer</replaceable> ]; ... };
-	server-names { <replaceable>quoted_string</replaceable>; ... };
+	server-names { <replaceable>string</replaceable>; ... };
 	sig-signing-nodes <replaceable>integer</replaceable>;
 	sig-signing-signatures <replaceable>integer</replaceable>;
 	sig-signing-type <replaceable>integer</replaceable>;
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3692,6 +3692,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	isc_dscp_t dscp4 = -1, dscp6 = -1;
 	dns_dyndbctx_t *dctx = NULL;
 	unsigned int resolver_param;
 	dns_ntatable_t *ntatable = NULL;
 	const char *qminmode = NULL;
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -5348,8 +5349,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 		CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), 0,
 					  NULL));
 		view->redirectzone = name;
-	} else
+	} else {
 		view->redirectzone = NULL;
 	}
 	/*
 	 * Exceptions to DNSSEC validation.
 	 */
 	obj = NULL;
 	result = named_config_get(maps, "validate-except", &obj);
 	if (result == ISC_R_SUCCESS) {
 		result = dns_view_getntatable(view, &ntatable);
 	}
 	if (result == ISC_R_SUCCESS) {
 		for (element = cfg_list_first(obj);
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
 			dns_fixedname_t fntaname;
 			dns_name_t *ntaname;
 			ntaname = dns_fixedname_initname(&fntaname);
 			obj = cfg_listelt_value(element);
 			CHECK(dns_name_fromstring(ntaname,
 						  cfg_obj_asstring(obj),
 						  0, NULL));
 			CHECK(dns_ntatable_add(ntatable, ntaname,
 					       true, 0, 0xffffffffU));
 		}
 	}
 #ifdef HAVE_DNSTAP
 	/*
@@ -5362,35 +5390,51 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	result = ISC_R_SUCCESS;
 cleanup:
-	if (clients != NULL)
+	if (ntatable != NULL) {
 		dns_ntatable_detach(&ntatable);
 	}
 	if (clients != NULL) {
 		dns_acl_detach(&clients);
-	if (mapped != NULL)
+	}
 	if (mapped != NULL) {
 		dns_acl_detach(&mapped);
-	if (excluded != NULL)
+	}
 	if (excluded != NULL) {
 		dns_acl_detach(&excluded);
-	if (ring != NULL)
+	}
 	if (ring != NULL) {
 		dns_tsigkeyring_detach(&ring);
-	if (zone != NULL)
+	}
 	if (zone != NULL) {
 		dns_zone_detach(&zone);
-	if (dispatch4 != NULL)
+	}
 	if (dispatch4 != NULL) {
 		dns_dispatch_detach(&dispatch4);
-	if (dispatch6 != NULL)
+	}
 	if (dispatch6 != NULL) {
 		dns_dispatch_detach(&dispatch6);
-	if (resstats != NULL)
+	}
 	if (resstats != NULL) {
 		isc_stats_detach(&resstats);
-	if (resquerystats != NULL)
+	}
 	if (resquerystats != NULL) {
 		dns_stats_detach(&resquerystats);
-	if (order != NULL)
+	}
 	if (order != NULL) {
 		dns_order_detach(&order);
-	if (cmctx != NULL)
+	}
 	if (cmctx != NULL) {
 		isc_mem_detach(&cmctx);
-	if (hmctx != NULL)
+	}
 	if (hmctx != NULL) {
 		isc_mem_detach(&hmctx);
-
+	}
-	if (cache != NULL)
+	if (cache != NULL) {
 		dns_cache_detach(&cache);
-	if (dctx != NULL)
+	}
 	if (dctx != NULL) {
 		dns_dyndb_destroyctx(&dctx);
 	}
 	return (result);
 }
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -65,6 +65,9 @@ options {
 	max-cache-size 20000000000000;
 	nta-lifetime 604800;
 	nta-recheck 604800;
 	validate-except {
 		"corp";
 	};
 	transfer-source 0.0.0.0 dscp 63;
 	zone-statistics none;
 };
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6646,6 +6646,24 @@ options {
 	      </listitem>
 	    </varlistentry>
 	    <varlistentry>
 	      <term><command>validate-except</command></term>
 	      <listitem>
 		<para>
 		  Specifies a list of domain names at and beneath which DNSSEC
 		  validation should <emphasis>not</emphasis> be performed,
 		  regardless of the presence of a trust anchor at or above
 		  those names.  This may be used, for example, when configuring
 		  a top-level domain intended only for local use, so that the
 		  lack of a secure delegation for that domain in the root zone
 		  will not cause validation failures.  (This is similar
 		  to setting a negative trust anchor, except that it is a
 		  permanent configuration, whereas negative trust anchors
 		  expire and are removed after a set period of time.)
 		</para>
 	      </listitem>
 	    </varlistentry>
 	    <varlistentry>
 	      <term><command>dnssec-accept-expired</command></term>
 	      <listitem>
--- a/doc/arm/options.grammar.xml
+++ b/doc/arm/options.grammar.xml
@@ -63,9 +63,9 @@
 	<command>coresize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
 	<command>datasize</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
 	<command>deny-answer-addresses</command> { <replaceable>address_match_element</replaceable>; ... } [
-	    <command>except-from</command> { <replaceable>quoted_string</replaceable>; ... } ];
+	    <command>except-from</command> { <replaceable>string</replaceable>; ... } ];
-	<command>deny-answer-aliases</command> { <replaceable>quoted_string</replaceable>; ... } [ except-from {
+	<command>deny-answer-aliases</command> { <replaceable>string</replaceable>; ... } [ except-from { <replaceable>string</replaceable>; ...
-	    <replaceable>quoted_string</replaceable>; ... } ];
+	    } ];
 	<command>dialup</command> ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
 	<command>directory</command> <replaceable>quoted_string</replaceable>;
 	<command>disable-algorithms</command> <replaceable>string</replaceable> { <replaceable>string</replaceable>;
@@ -96,14 +96,12 @@
 	<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
 	<command>dnssec-update-mode</command> ( maintain | no-resign );
 	<command>dnssec-validation</command> ( yes | no | auto );
-	<command>dnstap</command> { ( all | auth | client | forwarder |
+	<command>dnstap</command> { ( all | auth | client | forwarder | resolver ) [ ( query |
-	    <command>resolver</command> ) [ ( query | response ) ]; ... };
+	    <command>response</command> ) ]; ... };
-	<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none |
+	<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none | hostname );
-	    <command>hostname</command> );
+	<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
-	<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [
+	    <replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
-	    <command>size</command> ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
+	    <command>increment</command> | timestamp ) ];
 	    <command>unlimited</command> | <replaceable>integer</replaceable> ) ] [ suffix ( increment
 	    | timestamp ) ];
 	<command>dnstap-version</command> ( <replaceable>quoted_string</replaceable> | none );
 	<command>dscp</command> <replaceable>integer</replaceable>;
 	<command>dual-stack-servers</command> [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
@@ -202,7 +200,7 @@
 	<command>preferred-glue</command> <replaceable>string</replaceable>;
 	<command>prefetch</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
 	<command>provide-ixfr</command> <replaceable>boolean</replaceable>;
-	<command>qname-minimization</command> ( strict | relaxed | disabled );
+	<command>qname-minimization</command> ( strict | relaxed | disabled | off );
 	<command>query-source</command> ( ( [ address ] ( <replaceable>ipv4_address</replaceable> | * ) [ port (
 	    <replaceable>integer</replaceable> | * ) ] ) | ( [ [ address ] ( <replaceable>ipv4_address</replaceable> | * ) ]
 	    <command>port</command> ( <replaceable>integer</replaceable> | * ) ) ) [ dscp <replaceable>integer</replaceable> ];
@@ -253,7 +251,7 @@
 	    <command>nsip-enable</command> <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
 	    <command>dnsrps-enable</command> <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
 	    } ];
-	<command>root-delegation-only</command> [ exclude { <replaceable>quoted_string</replaceable>; ... } ];
+	<command>root-delegation-only</command> [ exclude { <replaceable>string</replaceable>; ... } ];
 	<command>root-key-sentinel</command> <replaceable>boolean</replaceable>;
 	<command>rrset-order</command> { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
 	    <replaceable>quoted_string</replaceable> ] <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
@@ -303,6 +301,7 @@
 	<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
 	<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
 	<command>v6-bias</command> <replaceable>integer</replaceable>;
 	<command>validate-except</command> { <replaceable>string</replaceable>; ... };
 	<command>version</command> ( <replaceable>quoted_string</replaceable> | none );
 	<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
 	<command>zero-no-soa-ttl-cache</command> <replaceable>boolean</replaceable>;
--- a/doc/arm/static-stub.zoneopt.xml
+++ b/doc/arm/static-stub.zoneopt.xml
@@ -19,7 +19,7 @@
 	<command>forwarders</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
 	<command>max-records</command> <replaceable>integer</replaceable>;
 	<command>server-addresses</command> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ]; ... };
-	<command>server-names</command> { <replaceable>quoted_string</replaceable>; ... };
+	<command>server-names</command> { <replaceable>string</replaceable>; ... };
 	<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
 };
 </programlisting>
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -113,9 +113,9 @@ options {
        datasize ( default | unlimited | <sizeval> );
        deallocate-on-exit <boolean>; // obsolete
        deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
+            except-from { <string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
-            <quoted_string>; ... } ];
+            } ];
        dialup ( notify | notify-passive | passive | refresh | <boolean> );
        directory <quoted_string>;
        disable-algorithms <string> { <string>;
@@ -146,15 +146,13 @@ options {
        dnssec-secure-to-insecure <boolean>;
        dnssec-update-mode ( maintain | no-resign );
        dnssec-validation ( yes | no | auto );
-        dnstap { ( all | auth | client | forwarder |
+        dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
-            resolver ) [ ( query | response ) ]; ... }; // not configured
+            response ) ]; ... };
-        dnstap-identity ( <quoted_string> | none |
+        dnstap-identity ( <quoted_string> | none | hostname );
-            hostname ); // not configured
+        dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
-        dnstap-output ( file | unix ) <quoted_string> [
+            <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
-            size ( unlimited | <size> ) ] [ versions (
+            increment | timestamp ) ];
-            unlimited | <integer> ) ] [ suffix ( increment
+        dnstap-version ( <quoted_string> | none );
            | timestamp ) ]; // not configured
        dnstap-version ( <quoted_string> | none ); // not configured
        dscp <integer>;
        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
@@ -178,14 +176,14 @@ options {
        forward ( first | only );
        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
-        fstrm-set-buffer-hint <integer>; // not configured
+        fstrm-set-buffer-hint <integer>;
-        fstrm-set-flush-timeout <integer>; // not configured
+        fstrm-set-flush-timeout <integer>;
-        fstrm-set-input-queue-size <integer>; // not configured
+        fstrm-set-input-queue-size <integer>;
-        fstrm-set-output-notify-threshold <integer>; // not configured
+        fstrm-set-output-notify-threshold <integer>;
-        fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
+        fstrm-set-output-queue-model ( mpsc | spsc );
-        fstrm-set-output-queue-size <integer>; // not configured
+        fstrm-set-output-queue-size <integer>;
-        fstrm-set-reopen-interval <ttlval>; // not configured
+        fstrm-set-reopen-interval <ttlval>;
-        geoip-directory ( <quoted_string> | none ); // not configured
+        geoip-directory ( <quoted_string> | none );
        geoip-use-ecs <boolean>; // obsolete
        glue-cache <boolean>;
        has-old-clients <boolean>; // obsolete
@@ -321,7 +319,7 @@ options {
            dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
            } ];
        rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-delegation-only [ exclude { <string>; ... } ];
        root-key-sentinel <boolean>;
        rrset-order { [ class <string> ] [ type <string> ] [ name
            <quoted_string> ] <string> <string>; ... };
@@ -380,6 +378,7 @@ options {
        use-v4-udp-ports { <portrange>; ... };
        use-v6-udp-ports { <portrange>; ... };
        v6-bias <integer>;
        validate-except { <string>; ... };
        version ( <quoted_string> | none );
        zero-no-soa-ttl <boolean>;
        zero-no-soa-ttl-cache <boolean>;
@@ -478,9 +477,9 @@ view <string> [ <class> ] {
        cleaning-interval <integer>;
        clients-per-query <integer>;
        deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
+            except-from { <string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
-            <quoted_string>; ... } ];
+            } ];
        dialup ( notify | notify-passive | passive | refresh | <boolean> );
        disable-algorithms <string> { <string>;
            ... }; // may occur multiple times
@@ -514,8 +513,8 @@ view <string> [ <class> ] {
        dnssec-secure-to-insecure <boolean>;
        dnssec-update-mode ( maintain | no-resign );
        dnssec-validation ( yes | no | auto );
-        dnstap { ( all | auth | client | forwarder |
+        dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
-            resolver ) [ ( query | response ) ]; ... }; // not configured
+            response ) ]; ... };
        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
            <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
@@ -651,7 +650,7 @@ view <string> [ <class> ] {
            dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
            } ];
        rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-delegation-only [ exclude { <string>; ... } ];
        root-key-sentinel <boolean>;
        rrset-order { [ class <string> ] [ type <string> ] [ name
            <quoted_string> ] <string> <string>; ... };
@@ -718,6 +717,7 @@ view <string> [ <class> ] {
        use-alt-transfer-source <boolean>;
        use-queryport-pool <boolean>; // obsolete
        v6-bias <integer>;
        validate-except { <string>; ... };
        zero-no-soa-ttl <boolean>;
        zero-no-soa-ttl-cache <boolean>;
        zone <string> [ <class> ] {
@@ -805,7 +805,7 @@ view <string> [ <class> ] {
                serial-update-method ( date | increment | unixtime );
                server-addresses { ( <ipv4_address> | <ipv6_address> ) [
                    port <integer> ]; ... };
-                server-names { <quoted_string>; ... };
+                server-names { <string>; ... };
                sig-signing-nodes <integer>;
                sig-signing-signatures <integer>;
                sig-signing-type <integer>;
@@ -910,7 +910,7 @@ zone <string> [ <class> ] {
        serial-update-method ( date | increment | unixtime );
        server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
            <integer> ]; ... };
-        server-names { <quoted_string>; ... };
+        server-names { <string>; ... };
        sig-signing-nodes <integer>;
        sig-signing-signatures <integer>;
        sig-signing-type <integer>;
--- a/doc/misc/static-stub.zoneopt
+++ b/doc/misc/static-stub.zoneopt
@@ -6,6 +6,6 @@ zone <string> [ <class> ] {
 	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
 	max-records <integer>;
 	server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
-	server-names { <quoted_string>; ... };
+	server-names { <string>; ... };
 	zone-statistics ( full | terse | none | <boolean> );
 };
--- a/lib/dns/include/dns/nta.h
+++ b/lib/dns/include/dns/nta.h
@@ -122,9 +122,12 @@ dns_ntatable_add(dns_ntatable_t *ntatable, const dns_name_t *name,
 		 uint32_t lifetime);
 /*%<
 * Add a negative trust anchor to 'ntatable' for name 'name',
- * which will expire at time 'now' + 'lifetime'.  If 'force' is false,
+ * which will expire at time 'now' + 'lifetime'.  If 'force' is true,
- * then the name will be checked periodically to see if it's bogus;
+ * then the NTA will persist for the entire specified lifetime.
- * if not, then the NTA will be allowed to expire early.
+ * If it is false, then the name will be queried periodically and
 * validation will be attempted to see whether it's still bogus;
 * if validation is successful, the NTA will be allowed to expire
 * early and validation below the NTA will resume.
 *
 * Notes:
 *
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -547,20 +547,28 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
 			dns_name_t *name;
 			isc_time_t t;
-			name = dns_fixedname_initname(&fn);
+			/*
-			dns_rbt_fullnamefromnode(node, name);
+			 * Skip "validate-except" entries.
-			dns_name_format(name, nbuf, sizeof(nbuf));
+			 */
-			isc_time_set(&t, n->expiry, 0);
+			if (n->expiry != 0xffffffffU) {
-			isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
+				name = dns_fixedname_initname(&fn);
 				dns_rbt_fullnamefromnode(node, name);
 				dns_name_format(name, nbuf, sizeof(nbuf));
 				isc_time_set(&t, n->expiry, 0);
 				isc_time_formattimestamp(&t, tbuf,
 							 sizeof(tbuf));
-			snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
+				snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
-				 first ? "" : "\n", nbuf,
+					 first ? "" : "\n", nbuf,
-				 n->expiry <= now ? "expired" : "expiry",
+					 n->expiry <= now
-				 tbuf);
+					  ? "expired"
-			first = false;
+					  : "expiry",
-			result = putstr(buf, obuf);
+					 tbuf);
-			if (result != ISC_R_SUCCESS)
+				first = false;
-				goto cleanup;
+				result = putstr(buf, obuf);
 				if (result != ISC_R_SUCCESS)
 					goto cleanup;
 			}
 		}
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
 		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
@@ -576,56 +584,6 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
 	return (result);
 }
 #if 0
 isc_result_t
 dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
 	isc_result_t result;
 	dns_rbtnode_t *node;
 	dns_rbtnodechain_t chain;
 	isc_stdtime_t now;
 	REQUIRE(VALID_NTATABLE(ntatable));
 	isc_stdtime_get(&now);
 	RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
 	dns_rbtnodechain_init(&chain, ntatable->view->mctx);
 	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
 	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
 		goto cleanup;
 	for (;;) {
 		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
 		if (node->data != NULL) {
 			dns_nta_t *n = (dns_nta_t *) node->data;
 			char nbuf[DNS_NAME_FORMATSIZE], tbuf[80];
 			dns_fixedname_t fn;
 			dns_name_t *name;
 			isc_time_t t;
 			name = dns_fixedname_initname(&fn);
 			dns_rbt_fullnamefromnode(node, name);
 			dns_name_format(name, nbuf, sizeof(nbuf));
 			isc_time_set(&t, n->expiry, 0);
 			isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
 			fprintf(fp, "%s: %s %s\n", nbuf,
 				n->expiry <= now ? "expired" : "expiry",
 				tbuf);
 		}
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
 		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
 			if (result == ISC_R_NOMORE)
 				result = ISC_R_SUCCESS;
 			break;
 		}
 	}
   cleanup:
 	dns_rbtnodechain_invalidate(&chain);
 	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
 	return (result);
 }
 #endif
 isc_result_t
 dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
 	isc_result_t result;
@@ -674,35 +632,41 @@ dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
 	for (;;) {
 		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
 		if (node->data != NULL) {
 			isc_buffer_t b;
 			char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
 			dns_fixedname_t fn;
 			dns_name_t *name;
 			dns_nta_t *n = (dns_nta_t *) node->data;
 			if (n->expiry > now) {
 				isc_buffer_t b;
 				char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
 				dns_fixedname_t fn;
 				dns_name_t *name;
-				name = dns_fixedname_initname(&fn);
+			/*
-				dns_rbt_fullnamefromnode(node, name);
+			 * Skip this node if the expiry is already in the
-
+			 * past, or if this is a "validate-except" entry.
-				isc_buffer_init(&b, nbuf, sizeof(nbuf));
+			 */
-				result = dns_name_totext(name, false, &b);
+			if (n->expiry <= now || n->expiry == 0xffffffffU) {
-				if (result != ISC_R_SUCCESS)
+				goto skip;
 					goto skip;
 				/* Zero terminate. */
 				isc_buffer_putuint8(&b, 0);
 				isc_buffer_init(&b, tbuf, sizeof(tbuf));
 				dns_time32_totext(n->expiry, &b);
 				/* Zero terminate. */
 				isc_buffer_putuint8(&b, 0);
 				fprintf(fp, "%s %s %s\n", nbuf,
 					n->forced ? "forced" : "regular",
 					tbuf);
 				written = true;
 			}
 			name = dns_fixedname_initname(&fn);
 			dns_rbt_fullnamefromnode(node, name);
 			isc_buffer_init(&b, nbuf, sizeof(nbuf));
 			result = dns_name_totext(name, false, &b);
 			if (result != ISC_R_SUCCESS)
 				goto skip;
 			/* Zero terminate. */
 			isc_buffer_putuint8(&b, 0);
 			isc_buffer_init(&b, tbuf, sizeof(tbuf));
 			dns_time32_totext(n->expiry, &b);
 			/* Zero terminate. */
 			isc_buffer_putuint8(&b, 0);
 			fprintf(fp, "%s %s %s\n", nbuf,
 				n->forced ? "forced" : "regular",
 				tbuf);
 			written = true;
 		}
 	skip:
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1155,7 +1155,7 @@ options_clauses[] = {
 static cfg_type_t cfg_type_namelist = {
 	"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
 };
 static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
@@ -1976,6 +1976,7 @@ view_clauses[] = {
 	{ "trust-anchor-telemetry", &cfg_type_boolean,
 	  CFG_CLAUSEFLAG_EXPERIMENTAL },
 	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "validate-except", &cfg_type_namelist, 0 },
 	{ "v6-bias", &cfg_type_uint32, 0 },
 	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }