From 15b0ff5036fd5a9a26458e965e2cfbe523905317 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 10 Oct 2025 17:41:07 -0700 Subject: [PATCH 1/2] clean up bind.keys the comments in the bind.keys file were outdated; the file now only exists to be converted into bind.keys.h and compiled into named and delv. some tests also referenced it, and have been cleaned up, since the keys in it are already built into named. --- bin/tests/system/dnssec/ns4/named.conf.j2 | 6 ------ bin/tests/system/journal/ns1/named.conf.in | 1 - bin/tests/system/journal/ns2/named.conf.in | 1 - bind.keys | 24 ++++------------------ 4 files changed, 4 insertions(+), 28 deletions(-) diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2 index bc3e2fd87b..7c21e734f2 100644 --- a/bin/tests/system/dnssec/ns4/named.conf.j2 +++ b/bin/tests/system/dnssec/ns4/named.conf.j2 @@ -37,13 +37,7 @@ options { dnssec-validation auto; bindkeys-file "managed.conf"; {% else %} - # Note: We only reference the bind.keys file here to - # confirm that it is *not* being used. It contains the - # real root key, and we're using a local toy root zone for - # the tests, so it wouldn't work. But dnssec-validation - # is set to "yes" not "auto", so that won't matter. dnssec-validation yes; - bindkeys-file "../../../../../bind.keys"; {% endif %} disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; diff --git a/bin/tests/system/journal/ns1/named.conf.in b/bin/tests/system/journal/ns1/named.conf.in index fc16127ccb..479686fdb2 100644 --- a/bin/tests/system/journal/ns1/named.conf.in +++ b/bin/tests/system/journal/ns1/named.conf.in @@ -21,7 +21,6 @@ options { listen-on { 10.53.0.1; }; listen-on-v6 { none; }; dnssec-validation auto; - bindkeys-file "../../../../../bind.keys"; minimal-responses no; recursion no; notify yes; diff --git a/bin/tests/system/journal/ns2/named.conf.in b/bin/tests/system/journal/ns2/named.conf.in index e0fd9d8295..2bf78fe432 100644 
--- a/bin/tests/system/journal/ns2/named.conf.in
+++ b/bin/tests/system/journal/ns2/named.conf.in
@@ -21,7 +21,6 @@ options {
 listen-on { 10.53.0.2; };
 listen-on-v6 { none; };
 dnssec-validation auto;
- bindkeys-file "../../../../../bind.keys";
 minimal-responses no;
 recursion no;
 notify yes;
diff --git a/bind.keys b/bind.keys
index dffbea5d6b..4cead78f16 100644
--- a/bind.keys
+++ b/bind.keys
@@ -9,27 +9,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-# The bind.keys file is used to override the built-in DNSSEC trust anchors
-# which are included as part of BIND 9. The only trust anchors it contains
-# are for the DNS root zone ("."). Trust anchors for any other zones MUST
-# be configured elsewhere; if they are configured here, they will not be
-# recognized or used by named.
+# This file contains trust anchors for the DNS root zone (".") which are
+# compiled into named and delv. No other trust anchors can be configured
+# here.
 #
-# To use the built-in root key, set "dnssec-validation auto;" in the
-# named.conf options, or else leave "dnssec-validation" unset. If
-# "dnssec-validation" is set to "yes", then the keys in this file are
-# ignored; keys will need to be explicitly configured in named.conf for
-# validation to work. "auto" is the default setting, unless named is
-# built with "configure --disable-auto-validation", in which case the
-# default is "yes".
-#
-# This file is NOT expected to be user-configured.
-#
-# Servers being set up for the first time can use the contents of this file
-# as initializing keys; thereafter, the keys in the managed key database
-# will be trusted and maintained automatically.
-#
-# These keys are current as of November 2024. If any key fails to
+# These keys are current as of October 2025. If any key fails to
 # initialize correctly, it may have expired. This should not occur if
 # BIND is kept up to date.
 #
From a373671f5ecf56d8905ea73b462abc348414d332 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 10 Oct 2025 18:27:41 -0700 Subject: [PATCH 2/2] remove "bindkeys-file" option The bindkeys-file option was only used for testing purposes, and has now been replaced with a "-T bindkeys=" option for named. --- bin/named/include/named/globals.h | 6 +- bin/named/include/named/server.h | 1 - bin/named/main.c | 4 +- bin/named/server.c | 111 +++++++++------------- bin/tests/system/dnssec/ns4/named.args | 1 + bin/tests/system/dnssec/ns4/named.conf.j2 | 1 - bin/tests/system/mkeys/ns2/named.args | 2 +- bin/tests/system/mkeys/ns2/named.conf.in | 1 - bin/tests/system/mkeys/ns3/named.args | 2 +- bin/tests/system/mkeys/ns3/named.conf.in | 1 - bin/tests/system/mkeys/ns4/named.args | 1 + bin/tests/system/mkeys/ns4/named.conf.in | 1 - bin/tests/system/mkeys/ns5/named.conf.in | 1 - bin/tests/system/mkeys/ns5/named1.args | 2 +- bin/tests/system/mkeys/ns5/named2.args | 2 +- bin/tests/system/mkeys/ns7/named.args | 1 + bin/tests/system/mkeys/ns7/named.conf.in | 1 - doc/arm/reference.rst | 8 -- doc/misc/options | 1 - lib/isccfg/namedconf.c | 5 +- 20 files changed, 62 insertions(+), 91 deletions(-) create mode 100644 bin/tests/system/dnssec/ns4/named.args create mode 100644 bin/tests/system/mkeys/ns4/named.args create mode 100644 bin/tests/system/mkeys/ns7/named.args diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 126d248f4d..fa5fd5581c 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h 
@@ -89,9 +89,9 @@ EXTERN unsigned int named_g_debuglevel INIT(0);
 */
 EXTERN cfg_obj_t *named_g_defaultconfig INIT(NULL);
 EXTERN const cfg_obj_t *named_g_defaultoptions INIT(NULL);
-EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf");
-EXTERN const char *named_g_defaultbindkeys INIT(NULL);
-EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key");
+EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf");
+EXTERN const char *named_g_bindkeysfile INIT(NULL);
+EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key");
 EXTERN bool named_g_conffileset INIT(false);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index a39e8bfb9f..da28b0cf5b 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -55,7 +55,6 @@ struct named_server {
 char *statsfile; /*%< Statistics file name */
 char *dumpfile; /*%< Dump file name */
 char *secrootsfile; /*%< Secroots file name */
- char *bindkeysfile; /*%< bind.keys file name */
 char *recfile; /*%< Recursive file name */
 bool version_set; /*%< User has set version */
 char *version; /*%< User-specified version */
diff --git a/bin/named/main.c b/bin/named/main.c
index 3ec1c2f0e1..ef466ba7a8 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -649,7 +649,7 @@ parse_fuzz_arg(void) {
 static void
 parse_T_opt(char *option) {
- const char *p;
+ const char *p = NULL;
 char *last = NULL;
 /*
 * force the server to behave (or misbehave) in
@@ -692,6 +692,8 @@ parse_T_opt(char *option) {
 if (maxudp <= 0) {
 named_main_earlyfatal("bad maxudp");
 }
+ } else if (!strncmp(option, "bindkeys=", 9)) {
+ named_g_bindkeysfile = option + 9;
 } else if (!strncmp(option, "mkeytimers=", 11)) {
 p = strtok_r(option + 11, "/", &last);
 if (p == NULL) {
diff --git a/bin/named/server.c b/bin/named/server.c
index 5bd1e39929..54c271550e 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
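Review bot: The new `bindkeys=` branch in parse_T_opt stores `option + 9` without checking that anything follows the `=`, so `-T bindkeys=` with an empty value leaves named_g_bindkeysfile pointing at an empty string and the failure only surfaces later as an INFO-level "unable to open" message at configuration load. The neighbouring `maxudp=` handler rejects bad values with named_main_earlyfatal; for consistency add `if (option[9] == '\0') { named_main_earlyfatal("bad bindkeys"); }` before the assignment. Since this option substitutes the root trust anchor used for validation, failing at startup is also safer for a test harness than quietly continuing with the built-in keys. parse_T_opt's body continues outside the hunk.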
@@ -1138,8 +1138,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *builtin_keys = NULL; /* - * If bind.keys exists and is populated, it overrides - * the trust-anchors clause hard-coded in + * If "-T bindkeys=" was used and + * the file has a root key in it, that will + * replace the trust-anchors clause hard-coded in * named_g_defaultconfig. */ if (bindkeys != NULL) { @@ -1147,7 +1148,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "obtaining root key for view %s " "from '%s'", - view->name, named_g_server->bindkeysfile); + view->name, named_g_bindkeysfile); (void)cfg_map_get(bindkeys, "trust-anchors", &builtin_keys); @@ -8114,9 +8115,8 @@ configure_kasplist(const cfg_obj_t *config, dns_kasplist_t *kasplist, static isc_result_t apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, - named_server_t *server, bool first_time) { - cfg_obj_t *bindkeys = NULL; - cfg_parser_t *bindkeys_parser = NULL; + cfg_obj_t *bindkeys, named_server_t *server, + bool first_time) { const cfg_obj_t *maps[3]; const cfg_obj_t *obj = NULL; const cfg_obj_t *options = NULL; 
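Review bot: The rewritten comment in the first hunk says the file's key replaces the built-in anchor only when "the file has a root key in it", but the INFO message "obtaining root key for view %s from '%s'" in the second hunk is still emitted before `cfg_map_get(bindkeys, "trust-anchors", ...)` has established whether the file contains one, so a bindkeys file with no trust-anchors clause logs a key source that was never used. Either move the message after the point where builtin_keys is known to be non-NULL (presumably a few lines further down, outside the hunk) or reword it to `"looking for root key for view %s in '%s'"`. configure_view_dnsseckeys starts and ends outside these hunks.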
@@ -8251,48 +8251,6 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
 named_g_http_streams_per_conn = cfg_obj_asuint32(obj);
 #endif
- /*
- * If "dnssec-validation auto" is turned on, the root key
- * will be used as a default trust anchor. The root key
- * is built in, but if bindkeys-file is set, then it will
- * be overridden with the key in that file.
- */
- obj = NULL;
- (void)named_config_get(maps, "bindkeys-file", &obj);
- if (obj != NULL) {
- setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
- INSIST(server->bindkeysfile != NULL);
- if (access(server->bindkeysfile, R_OK) != 0) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "unable to open '%s'; using built-in "
- "keys instead",
- server->bindkeysfile);
- } else {
- result = cfg_parser_create(isc_g_mctx,
- &bindkeys_parser);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_bindkeys_parser;
- }
-
- result = cfg_parse_file(bindkeys_parser,
- server->bindkeysfile,
- &cfg_type_bindkeys, &bindkeys);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER,
- ISC_LOG_INFO,
- "unable to parse '%s' "
- "error '%s'; using "
- "built-in keys instead",
- server->bindkeysfile,
- isc_result_totext(result));
- }
- }
- } else {
- setstring(server, &server->bindkeysfile, NULL);
- }
-
 #if defined(HAVE_GEOIP2)
 /*
 * Release any previously opened GeoIP2 databases.
@@ -8338,7 +8296,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
 max, named_g_cpus);
 result = ISC_R_RANGE;
- goto cleanup_bindkeys_parser;
+ goto cleanup_tls;
 }
 softquota = max - margin;
 } else {
@@ -8363,7 +8321,7 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config,
 aclctx, isc_g_mctx, &server->sctx->blackholeacl);
 if (result != ISC_R_SUCCESS) {
- goto cleanup_bindkeys_parser;
+ goto cleanup_tls;
 }
 if (server->sctx->blackholeacl != NULL) {
@@ -9287,14 +9245,7 @@ cleanup_portsets:
 isc_portset_destroy(isc_g_mctx, &v6portset);
 isc_portset_destroy(isc_g_mctx, &v4portset);
-cleanup_bindkeys_parser:
- if (bindkeys_parser != NULL) {
- if (bindkeys != NULL) {
- cfg_obj_destroy(bindkeys_parser, &bindkeys);
- }
- cfg_parser_destroy(&bindkeys_parser);
- }
-
+cleanup_tls:
 /*
 * Detach the TLS client context (whether the one created at the
 * begining of this function, or the previous running one)
@@ -9347,7 +9298,7 @@ static isc_result_t
 load_configuration(named_server_t *server, bool first_time) {
 isc_result_t result;
 cfg_parser_t *parser = NULL;
- cfg_obj_t *config = NULL;
+ cfg_obj_t *config = NULL, *bindkeys = NULL;
 isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "load_configuration");
@@ -9362,10 +9313,44 @@ load_configuration(named_server_t *server, bool first_time) {
 goto cleanup;
 }
- result = apply_configuration(parser, config, server, first_time);
+ if (named_g_bindkeysfile != NULL) {
+ /*
+ * If "dnssec-validation auto" is turned on, the root key
+ * will be used as a default trust anchor. The root key
+ * is built in, but if -Tbindkeys= is used,
+ * the key is overridden with the key in that file.
+ */
+ if (access(named_g_bindkeysfile, R_OK) != 0) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "unable to open '%s'; using built-in "
+ "keys instead",
+ named_g_bindkeysfile);
+ } else {
+ cfg_parser_reset(parser);
+ result = cfg_parse_file(parser, named_g_bindkeysfile,
+ &cfg_type_bindkeys, &bindkeys);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER,
+ ISC_LOG_INFO,
+ "unable to parse '%s' "
+ "error '%s'; using "
+ "built-in keys instead",
+ named_g_bindkeysfile,
+ isc_result_totext(result));
+ }
+ }
+ }
+
+ result = apply_configuration(parser, config, bindkeys, server,
+ first_time);
 cleanup:
- if (config) {
+ if (bindkeys != NULL) {
+ cfg_obj_destroy(parser, &bindkeys);
+ }
+ if (config != NULL) {
 cfg_obj_destroy(parser, &config);
 }
 cfg_parser_destroy(&parser);
@@ -9986,10 +9971,6 @@ named_server_destroy(named_server_t **serverp) {
 isc_mem_free(server->mctx, server->secrootsfile);
 isc_mem_free(server->mctx, server->recfile);
- if (server->bindkeysfile != NULL) {
- isc_mem_free(server->mctx, server->bindkeysfile);
- }
-
 if (server->version != NULL) {
 isc_mem_free(server->mctx, server->version);
 }
diff --git a/bin/tests/system/dnssec/ns4/named.args b/bin/tests/system/dnssec/ns4/named.args
new file mode 100644
index 0000000000..66d7dd9131
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D dnssec-ns4 -g -T maxcachesize=2097152 -T bindkeys=managed.conf
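Review bot: load_configuration now parses the bindkeys file with the same `parser` that produced `config`, calling `cfg_parser_reset(parser)` while `config` is still live and later destroying both objects through that one parser; the code this replaces deliberately created a separate `bindkeys_parser` for the second file. Whether cfg_parser_reset discards any per-parse state (file-name bookkeeping, line tracking) that `config` or its error messages still reference is not visible here and should be confirmed, or the separate parser kept. A smaller point is that the `access(named_g_bindkeysfile, R_OK)` pre-check only changes the wording of the INFO message, since cfg_parse_file would report the open failure itself; if it stays, a one-line comment such as `/* Pre-check so an absent test file logs "unable to open" rather than a parse error. */` would explain why both exist. Because a test that asked for a substitute trust anchor and silently got the built-in root key is hard to diagnose, both fallbacks would also be better logged at ISC_LOG_WARNING than ISC_LOG_INFO.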
diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2
index 7c21e734f2..b4aa86146a 100644
--- a/bin/tests/system/dnssec/ns4/named.conf.j2
+++ b/bin/tests/system/dnssec/ns4/named.conf.j2
@@ -35,7 +35,6 @@ options {
 {% if managed_key %}
 dnssec-validation auto;
- bindkeys-file "managed.conf";
 {% else %}
 dnssec-validation yes;
 {% endif %}
diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args
index 175e02c098..1387f480b0 100644
--- a/bin/tests/system/mkeys/ns2/named.args
+++ b/bin/tests/system/mkeys/ns2/named.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -D mkeys-ns2 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1
+-m record -c named.conf -d 99 -D mkeys-ns2 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns2/named.conf.in b/bin/tests/system/mkeys/ns2/named.conf.in
index feed9239c1..0596facdd4 100644
--- a/bin/tests/system/mkeys/ns2/named.conf.in
+++ b/bin/tests/system/mkeys/ns2/named.conf.in
@@ -24,7 +24,6 @@ options {
 recursion yes;
 notify no;
 dnssec-validation auto;
- bindkeys-file "managed.conf";
 servfail-ttl 0;
 };
diff --git a/bin/tests/system/mkeys/ns3/named.args b/bin/tests/system/mkeys/ns3/named.args
index 342cbe328b..59e443087a 100644
--- a/bin/tests/system/mkeys/ns3/named.args
+++ b/bin/tests/system/mkeys/ns3/named.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -D mkeys-ns3 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20
+-m record -c named.conf -d 99 -D mkeys-ns3 -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in
index d590a315f8..d0b90a9680 100644
--- a/bin/tests/system/mkeys/ns3/named.conf.in
+++ b/bin/tests/system/mkeys/ns3/named.conf.in
@@ -24,7 +24,6 @@ options {
 recursion yes;
 notify no;
 dnssec-validation auto;
- bindkeys-file "managed.conf";
 trust-anchor-telemetry no;
 };
diff --git a/bin/tests/system/mkeys/ns4/named.args b/bin/tests/system/mkeys/ns4/named.args
new file mode 100644
index 0000000000..13d33dab2d
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D mkeys-ns4 -g -T maxcachesize=2097152 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in
index 1ad75aa0cf..5748e6a581 100644
--- a/bin/tests/system/mkeys/ns4/named.conf.in
+++ b/bin/tests/system/mkeys/ns4/named.conf.in
@@ -24,7 +24,6 @@ options {
 recursion yes;
 notify no;
 dnssec-validation auto;
- bindkeys-file "managed.conf";
 managed-keys-directory "nope";
 };
diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in
index 866997102d..bb10716f79 100644
--- a/bin/tests/system/mkeys/ns5/named.conf.in
+++ b/bin/tests/system/mkeys/ns5/named.conf.in
@@ -24,7 +24,6 @@ options {
 recursion yes;
 notify no;
 dnssec-validation auto;
- bindkeys-file "managed.conf";
 servfail-ttl 0;
 };
diff --git a/bin/tests/system/mkeys/ns5/named1.args b/bin/tests/system/mkeys/ns5/named1.args
index cd9a2283ed..48724e9f53 100644
--- a/bin/tests/system/mkeys/ns5/named1.args
+++ b/bin/tests/system/mkeys/ns5/named1.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -g -T maxcachesize=2097152
+-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T mkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns5/named2.args b/bin/tests/system/mkeys/ns5/named2.args
index a251448087..54cffb80c5 100644
--- a/bin/tests/system/mkeys/ns5/named2.args
+++ b/bin/tests/system/mkeys/ns5/named2.args
@@ -1 +1 @@
--m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T mkeytimers=2/20/40
+-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T bindkeys=managed.conf -T mkeytimers=2/20/40
diff --git a/bin/tests/system/mkeys/ns7/named.args b/bin/tests/system/mkeys/ns7/named.args
new file mode 100644
index 0000000000..cff7a1bf6c
--- /dev/null
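Review bot: The new mkeys/ns5/named1.args line passes `-T mkeys=managed.conf`, but the only handler added to parse_T_opt in this commit matches `bindkeys=`, every other named.args touched here uses `-T bindkeys=managed.conf`, and ns5's named.conf.in loses its `bindkeys-file "managed.conf"` line in the same commit, so on its first start ns5 would apparently validate with the built-in root key rather than the test anchor. Unless `mkeys=` is handled somewhere not shown, the line should read `-m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T bindkeys=managed.conf`, matching named2.args. What named does with an unrecognised -T value is not visible in this diff, so the test may fail loudly or silently depending on that path.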
+++ b/bin/tests/system/mkeys/ns7/named.args
@@ -0,0 +1 @@
+-m record -c named.conf -d 99 -D mkeys-ns7 -g -T maxcachesize=2097152 -T bindkeys=managed.conf
diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
index 7ccf59ef60..17c8985172 100644
--- a/bin/tests/system/mkeys/ns7/named.conf.in
+++ b/bin/tests/system/mkeys/ns7/named.conf.in
@@ -24,7 +24,6 @@ options {
 recursion yes;
 notify no;
 dnssec-validation auto;
- bindkeys-file "managed.conf";
 };
 key rndc_key {
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 110d34cf08..8f29cdcba7 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1501,14 +1501,6 @@ default is used.
 default is ``named.stats`` in the server's current directory. The format of the file is described in :ref:`statsfile`.
-.. namedconf:statement:: bindkeys-file
- :tags: dnssec
- :short: Specifies the pathname of a file to override the built-in trusted keys provided by :iscman:`named`.
-
- This is the pathname of a file to override the built-in trusted keys provided
- by :iscman:`named`. See the discussion of :any:`dnssec-validation` for
- details. This is intended for server testing.
-
 .. namedconf:statement:: secroots-file
 :tags: dnssec
 :short: Specifies the pathname of the file where the server dumps security roots, when using :option:`rndc secroots`.
diff --git a/doc/misc/options b/doc/misc/options
index c5a5193183..39b7d2f4a9 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -84,7 +84,6 @@ options {
 attach-cache ;
 auth-nxdomain ;
 automatic-interface-scan ;
- bindkeys-file ; // test only
 blackhole { ; ... };
 catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... };
 check-dup-records ( fail | warn | ignore );
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index f6df82d995..4b022cefe2 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1194,7 +1194,8 @@ static cfg_clausedef_t namedconf_or_view_clauses[] = {
 };
 /*%
- * Clauses that can occur in the bind.keys file.
+ * Clauses that can occur in a trust anchor file (previously
+ * called bind.keys).
 */
 static cfg_clausedef_t bindkeys_clauses[] = {
 { "managed-keys", &cfg_type_dnsseckeys,
@@ -1218,7 +1219,7 @@ static cfg_clausedef_t options_clauses[] = {
 { "automatic-interface-scan", &cfg_type_boolean, 0 },
 { "avoid-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
 { "avoid-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT },
- { "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },
+ { "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT },
 { "blackhole", &cfg_type_bracketed_aml, 0 },
 { "cookie-algorithm", &cfg_type_cookiealg, 0 },
 { "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },
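Review bot: Moving `bindkeys-file` from CFG_CLAUSEFLAG_TESTONLY to CFG_CLAUSEFLAG_ANCIENT in the options_clauses hunk means a named.conf that still carries the option is treated like the retired avoid-v4-udp-ports entries beside it, which (going by the flag's name; the parser's handling of ANCIENT is outside this hunk) appears to be a hard configuration failure rather than the warning an OBSOLETE clause gets. For a test-only option that is a reasonable outcome, but it is a behaviour change on upgrade, and neither this removal nor the `-T bindkeys=` option that replaces it is documented anywhere in the commit beyond the deleted ARM entry. Consider extending the updated comment above bindkeys_clauses to `* Clauses that can occur in a trust anchor file (previously called bind.keys); such a file is now only loaded via "named -T bindkeys=<path>".` so the parser side records where the file comes from.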