1581. [func] Disable DNSSEC support by default. To enable

DNSSEC specify "enable-dnssec yes;" in named.conf.
2026-06-10 08:10:00 -04:00 · 2004-02-17 03:40:23 +00:00 · 2004-02-17 03:40:23 +00:00 · 89783da064
commit 89783da064
parent 4230c2e85e
15 changed files with 56 additions and 18 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+1581.	[func]		Disable DNSSEC support by default.  To enable
+			DNSSEC specify "enable-dnssec yes;" in named.conf.
+
 1580.	[placeholder]	rt3746a

 1579.	[placeholder]	rt3746a
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.c,v 1.42 2003/04/17 12:11:39 marka Exp $ */
+/* $Id: config.c,v 1.43 2004/02/17 03:40:19 marka Exp $ */

 #include <config.h>

@ -123,6 +123,7 @@ options {\n\
 	check-names master ignore;\n\
 	check-names slave ignore;\n\
 	check-names response ignore;\n\
+	enable-dnssec no; /* Make yes for 9.4. */ \n\
 \n\
 	/* zone */\n\
 	allow-query {any;};\n\
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: query.c,v 1.253 2004/02/03 00:59:03 marka Exp $ */
+/* $Id: query.c,v 1.254 2004/02/17 03:40:20 marka Exp $ */

 #include <config.h>

@ -3342,6 +3342,14 @@ ns_query_start(ns_client_t *client) {
 	 */
 	client->next = query_next_callback;

+	/*
+	 * Behave as if we don't support DNSSEC if not enabled.
+	 */
+	if (!client->view->enablednssec) {
+		message->flags &= ~DNS_MESSAGEFLAG_CD;
+		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+	}
+
 	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
 		client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
 	
@ -3477,7 +3485,8 @@ ns_query_start(ns_client_t *client) {
 	 * Set AD.  We must clear it if we add non-validated data to a
 	 * response.
 	 */
-	message->flags |= DNS_MESSAGEFLAG_AD;
+	if (client->view->enablednssec)
+		message->flags |= DNS_MESSAGEFLAG_AD;

 	qclient = NULL;
 	ns_client_attach(client, &qclient);
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.411 2004/01/27 02:13:22 marka Exp $ */
+/* $Id: server.c,v 1.412 2004/02/17 03:40:20 marka Exp $ */

 #include <config.h>

@ -1061,13 +1061,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	result = ns_config_get(maps, "provide-ixfr", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	view->provideixfr = cfg_obj_asboolean(obj);
+			
+	obj = NULL;
+	result = ns_config_get(maps, "enable-dnssec", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->enablednssec = cfg_obj_asboolean(obj);

 	/*
 	 * For now, there is only one kind of trusted keys, the
 	 * "security roots".
 	 */
-	CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
-				  &view->secroots));
+	if (view->enablednssec)
+		CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
+					        &view->secroots));

 	obj = NULL;
 	result = ns_config_get(maps, "max-cache-ttl", &obj);
@ -1122,7 +1128,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		}
 	} else
 		dns_view_setrootdelonly(view, ISC_FALSE);
-			
+
 	result = ISC_R_SUCCESS;

 cleanup:
--- a/bin/tests/system/dnssec/ns1/named.conf
+++ b/bin/tests/system/dnssec/ns1/named.conf
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.16 2001/01/09 21:42:47 bwelling Exp $ */
+/* $Id: named.conf,v 1.17 2004/02/17 03:40:20 marka Exp $ */

 // NS1

@ -29,6 +29,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	enable-dnssec yes;
 };

 zone "." {
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.19 2002/02/20 03:33:54 marka Exp $ */
+/* $Id: named.conf,v 1.20 2004/02/17 03:40:21 marka Exp $ */

 // NS2

@ -29,6 +29,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	enable-dnssec yes;
 };

 zone "." {
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.21 2002/02/20 03:33:58 marka Exp $ */
+/* $Id: named.conf,v 1.22 2004/02/17 03:40:21 marka Exp $ */

 // NS3

@ -29,6 +29,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	enable-dnssec yes;
 };

 zone "." {
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.18 2001/01/11 20:41:37 gson Exp $ */
+/* $Id: named.conf,v 1.19 2004/02/17 03:40:21 marka Exp $ */

 // NS4

@ -28,6 +28,7 @@ options {
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
+	enable-dnssec yes;
 };

 zone "." {
--- a/bin/tests/system/dnssec/ns5/named.conf
+++ b/bin/tests/system/dnssec/ns5/named.conf
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.16 2001/01/11 20:41:39 gson Exp $ */
+/* $Id: named.conf,v 1.17 2004/02/17 03:40:21 marka Exp $ */

 // NS5

@ -28,6 +28,7 @@ options {
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	recursion yes;
+	enable-dnssec yes;
 };

 zone "." {
--- a/bin/tests/system/dnssec/ns6/named.conf
+++ b/bin/tests/system/dnssec/ns6/named.conf
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.2 2004/01/15 04:09:17 marka Exp $ */
+/* $Id: named.conf,v 1.3 2004/02/17 03:40:22 marka Exp $ */

 // NS6

@ -30,6 +30,7 @@ options {
 	recursion yes;
 	notify yes;
 	disable-algorithms . { DSA; };
+	enable-dnssec yes;
 };

 zone "." {
--- a/bin/tests/system/lwresd/ns1/named.conf
+++ b/bin/tests/system/lwresd/ns1/named.conf
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.11 2001/01/09 21:43:45 bwelling Exp $ */
+/* $Id: named.conf,v 1.12 2004/02/17 03:40:22 marka Exp $ */

 options {
 	query-source address 10.53.0.1;
@ -27,6 +27,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify no;
+	enable-dnssec yes;
 };

 zone "." {
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -2,7 +2,7 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">

-<!-- File: $Id: Bv9ARM-book.xml,v 1.232 2004/01/14 02:06:49 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.233 2004/02/17 03:40:22 marka Exp $ -->

 <book>
 <title>BIND 9 Administrator Reference Manual</title>
@ -2744,6 +2744,7 @@ statement in the <filename>named.conf</filename> file:</para>
    <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
    <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
    <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> enable-dnssec <replaceable>yes_or_no</replaceable>; </optional>
    <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
    <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
    <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
@ -3324,6 +3325,14 @@ when the serial number on the master is less than what named currently
 has.  The default is <userinput>no</userinput>.
 </para></listitem></varlistentry>

+<varlistentry><term><command>enable-dnssec</command></term>
+<listitem>
+<para>
+Enable DNSSEC support in named.  Unless set to <userinput>yes</userinput>
+named behaves as if it does not support DNSSEC.
+The default is <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
 </variablelist>

 </sect3>
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: view.h,v 1.87 2003/09/30 05:56:17 marka Exp $ */
+/* $Id: view.h,v 1.88 2004/02/17 03:40:23 marka Exp $ */

 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@ -107,6 +107,7 @@ struct dns_view {
 	isc_boolean_t			additionalfromcache;
 	isc_boolean_t			additionalfromauth;
 	isc_boolean_t			minimalresponses;
+	isc_boolean_t			enablednssec;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			queryacl;
 	dns_acl_t *			recursionacl;
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: view.c,v 1.123 2003/10/03 02:19:31 marka Exp $ */
+/* $Id: view.c,v 1.124 2004/02/17 03:40:23 marka Exp $ */

 #include <config.h>

@ -155,6 +155,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
 	view->additionalfromcache = ISC_TRUE;
 	view->additionalfromauth = ISC_TRUE;
+	view->enablednssec = ISC_TRUE;
 	view->minimalresponses = ISC_FALSE;
 	view->transfer_format = dns_one_answer;
 	view->queryacl = NULL;
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: namedconf.c,v 1.25 2004/01/14 02:06:51 marka Exp $ */
+/* $Id: namedconf.c,v 1.26 2004/02/17 03:40:23 marka Exp $ */

 #include <config.h>

@ -678,6 +678,7 @@ view_clauses[] = {
 	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
 	{ "disable-algorithms", &cfg_type_disablealgorithm,
 	  CFG_CLAUSEFLAG_MULTI },
+	{ "enable-dnssec", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };