From 89783da064f4f9bf2e82d2b3941ddeffe2a8c30d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Feb 2004 03:40:23 +0000 Subject: [PATCH] 1581. [func] Disable DNSSEC support by default. To enable DNSSEC specify "enable-dnssec yes;" in named.conf. --- CHANGES | 3 +++ bin/named/config.c | 3 ++- bin/named/query.c | 13 +++++++++++-- bin/named/server.c | 14 ++++++++++---- bin/tests/system/dnssec/ns1/named.conf | 3 ++- bin/tests/system/dnssec/ns2/named.conf | 3 ++- bin/tests/system/dnssec/ns3/named.conf | 3 ++- bin/tests/system/dnssec/ns4/named.conf | 3 ++- bin/tests/system/dnssec/ns5/named.conf | 3 ++- bin/tests/system/dnssec/ns6/named.conf | 3 ++- bin/tests/system/lwresd/ns1/named.conf | 3 ++- doc/arm/Bv9ARM-book.xml | 11 ++++++++++- lib/dns/include/dns/view.h | 3 ++- lib/dns/view.c | 3 ++- lib/isccfg/namedconf.c | 3 ++- 15 files changed, 56 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index 9eccc846e9..7183d3c9a4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1581. [func] Disable DNSSEC support by default. To enable + DNSSEC specify "enable-dnssec yes;" in named.conf. + 1580. [placeholder] rt3746a 1579. [placeholder] rt3746a diff --git a/bin/named/config.c b/bin/named/config.c index 4df6150861..6ef209a424 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.42 2003/04/17 12:11:39 marka Exp $ */ +/* $Id: config.c,v 1.43 2004/02/17 03:40:19 marka Exp $ */ #include @@ -123,6 +123,7 @@ options {\n\ check-names master ignore;\n\ check-names slave ignore;\n\ check-names response ignore;\n\ + enable-dnssec no; /* Make yes for 9.4. */ \n\ \n\ /* zone */\n\ allow-query {any;};\n\ diff --git a/bin/named/query.c b/bin/named/query.c index c571b271c9..838af2ec90 100644 --- a/bin/named/query.c +++ b/bin/named/query.c 
@@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.253 2004/02/03 00:59:03 marka Exp $ */ +/* $Id: query.c,v 1.254 2004/02/17 03:40:20 marka Exp $ */ #include @@ -3342,6 +3342,14 @@ ns_query_start(ns_client_t *client) { */ client->next = query_next_callback; + /* + * Behave as if we don't support DNSSEC if not enabled. + */ + if (!client->view->enablednssec) { + message->flags &= ~DNS_MESSAGEFLAG_CD; + client->extflags &= ~DNS_MESSAGEEXTFLAG_DO; + } + if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) client->query.attributes |= NS_QUERYATTR_WANTRECURSION; @@ -3477,7 +3485,8 @@ ns_query_start(ns_client_t *client) { * Set AD. We must clear it if we add non-validated data to a * response. */ - message->flags |= DNS_MESSAGEFLAG_AD; + if (client->view->enablednssec) + message->flags |= DNS_MESSAGEFLAG_AD; qclient = NULL; ns_client_attach(client, &qclient); diff --git a/bin/named/server.c b/bin/named/server.c index ebb1076eec..d55bd9866d 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.411 2004/01/27 02:13:22 marka Exp $ */ +/* $Id: server.c,v 1.412 2004/02/17 03:40:20 marka Exp $ */ #include @@ -1061,13 +1061,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, result = ns_config_get(maps, "provide-ixfr", &obj); INSIST(result == ISC_R_SUCCESS); view->provideixfr = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "enable-dnssec", &obj); + INSIST(result == ISC_R_SUCCESS); + view->enablednssec = cfg_obj_asboolean(obj); /* * For now, there is only one kind of trusted keys, the * "security roots". */ - CHECK(configure_view_dnsseckeys(vconfig, config, mctx, - &view->secroots)); + if (view->enablednssec) + CHECK(configure_view_dnsseckeys(vconfig, config, mctx, + &view->secroots)); obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); 
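Review bot: Clearing DO in `client->extflags` is only half of "behave as if we don't support DNSSEC": if the client code already mirrored the DO bit into `client->attributes` as NS_CLIENTATTR_WANTDNSSEC when it parsed the EDNS OPT record (the query path decides whether to include RRSIGs from that attribute rather than from extflags), the new block leaves signed data flowing from a view that claims to have DNSSEC off. That mirroring happens outside this hunk, so confirm it; if it is there, add `client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;` to the same block so the request is scrubbed in one place. The body of ns_query_start continues outside the hunk.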
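Review bot: Guarding `configure_view_dnsseckeys()` with `if (view->enablednssec)` drops any `trusted-keys` the operator configured without a diagnostic, and since the builtin default in config.c is now `enable-dnssec no;`, a view that validated before this change silently stops validating after an upgrade. A warning at this point when keys are configured but the option is off (presumably the trusted-keys map is reachable from `vconfig`/`config` with the `cfg_map_get` lookups used elsewhere in configure_view — verify) would make the downgrade visible in the log, e.g. via `isc_log_write(... ISC_LOG_WARNING, "trusted-keys ignored: enable-dnssec is no")`. The ARM text added in this commit could likewise state that trusted keys are not loaded unless `enable-dnssec yes;` is set. configure_view continues outside the hunk.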
@@ -1122,7 +1128,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, } } else dns_view_setrootdelonly(view, ISC_FALSE); - + result = ISC_R_SUCCESS; cleanup: diff --git a/bin/tests/system/dnssec/ns1/named.conf b/bin/tests/system/dnssec/ns1/named.conf index 02efa28580..463fb77bb7 100644 --- a/bin/tests/system/dnssec/ns1/named.conf +++ b/bin/tests/system/dnssec/ns1/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.16 2001/01/09 21:42:47 bwelling Exp $ */ +/* $Id: named.conf,v 1.17 2004/02/17 03:40:20 marka Exp $ */ // NS1 @@ -29,6 +29,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; + enable-dnssec yes; }; zone "." { diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf index 8b7d80a436..6f464e6c2c 100644 --- a/bin/tests/system/dnssec/ns2/named.conf +++ b/bin/tests/system/dnssec/ns2/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.19 2002/02/20 03:33:54 marka Exp $ */ +/* $Id: named.conf,v 1.20 2004/02/17 03:40:21 marka Exp $ */ // NS2 @@ -29,6 +29,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; + enable-dnssec yes; }; zone "." { diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index 2fbcb17a4c..5deba648ec 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.21 2002/02/20 03:33:58 marka Exp $ */ +/* $Id: named.conf,v 1.22 2004/02/17 03:40:21 marka Exp $ */ // NS3 @@ -29,6 +29,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; + enable-dnssec yes; }; zone "." { diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf index c0b0d5a66a..2f3a7e331b 100644 --- a/bin/tests/system/dnssec/ns4/named.conf +++ b/bin/tests/system/dnssec/ns4/named.conf 
@@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.18 2001/01/11 20:41:37 gson Exp $ */ +/* $Id: named.conf,v 1.19 2004/02/17 03:40:21 marka Exp $ */ // NS4 @@ -28,6 +28,7 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; + enable-dnssec yes; }; zone "." { diff --git a/bin/tests/system/dnssec/ns5/named.conf b/bin/tests/system/dnssec/ns5/named.conf index a0abc3b8a7..b068b895c4 100644 --- a/bin/tests/system/dnssec/ns5/named.conf +++ b/bin/tests/system/dnssec/ns5/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.16 2001/01/11 20:41:39 gson Exp $ */ +/* $Id: named.conf,v 1.17 2004/02/17 03:40:21 marka Exp $ */ // NS5 @@ -28,6 +28,7 @@ options { listen-on { 10.53.0.5; }; listen-on-v6 { none; }; recursion yes; + enable-dnssec yes; }; zone "." { diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf index 53087c0955..b1b8fb858d 100644 --- a/bin/tests/system/dnssec/ns6/named.conf +++ b/bin/tests/system/dnssec/ns6/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2004/01/15 04:09:17 marka Exp $ */ +/* $Id: named.conf,v 1.3 2004/02/17 03:40:22 marka Exp $ */ // NS6 @@ -30,6 +30,7 @@ options { recursion yes; notify yes; disable-algorithms . { DSA; }; + enable-dnssec yes; }; zone "." { diff --git a/bin/tests/system/lwresd/ns1/named.conf b/bin/tests/system/lwresd/ns1/named.conf index f9c5b9d8dc..f35a313c5a 100644 --- a/bin/tests/system/lwresd/ns1/named.conf +++ b/bin/tests/system/lwresd/ns1/named.conf @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.11 2001/01/09 21:43:45 bwelling Exp $ */ +/* $Id: named.conf,v 1.12 2004/02/17 03:40:22 marka Exp $ */ options { query-source address 10.53.0.1; @@ -27,6 +27,7 @@ options { listen-on-v6 { none; }; recursion no; notify no; + enable-dnssec yes; }; zone "." { 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 419272fa02..afa2063eb7 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -2744,6 +2744,7 @@ statement in the named.conf file: rfc2308-type1 yes_or_no; use-id-pool yes_or_no; maintain-ixfr-base yes_or_no; + enable-dnssec yes_or_no; forward ( only | first ); forwarders { ip_addr port ip_port ; ip_addr port ip_port ; ... }; dual-stack-servers port ip_port { ( domain_name port ip_port | ip_addr port ip_port ) ; ... }; @@ -3324,6 +3325,14 @@ when the serial number on the master is less than what named currently has. The default is no. +enable-dnssec + + +Enable DNSSEC support in named. Unless set to yes +named behaves as if it does not support DNSSEC. +The default is no. + + diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 6ef9b03669..e1dae7f1eb 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.h,v 1.87 2003/09/30 05:56:17 marka Exp $ */ +/* $Id: view.h,v 1.88 2004/02/17 03:40:23 marka Exp $ */ #ifndef DNS_VIEW_H #define DNS_VIEW_H 1 @@ -107,6 +107,7 @@ struct dns_view { isc_boolean_t additionalfromcache; isc_boolean_t additionalfromauth; isc_boolean_t minimalresponses; + isc_boolean_t enablednssec; dns_transfer_format_t transfer_format; dns_acl_t * queryacl; dns_acl_t * recursionacl; diff --git a/lib/dns/view.c b/lib/dns/view.c index 11e61bfcab..7004e3cbf3 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.123 2003/10/03 02:19:31 marka Exp $ */ +/* $Id: view.c,v 1.124 2004/02/17 03:40:23 marka Exp $ */ #include 
@@ -155,6 +155,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */ view->additionalfromcache = ISC_TRUE; view->additionalfromauth = ISC_TRUE; + view->enablednssec = ISC_TRUE; view->minimalresponses = ISC_FALSE; view->transfer_format = dns_one_answer; view->queryacl = NULL; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index e9bb2f14b6..7f105cac5b 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.25 2004/01/14 02:06:51 marka Exp $ */ +/* $Id: namedconf.c,v 1.26 2004/02/17 03:40:23 marka Exp $ */ #include @@ -678,6 +678,7 @@ view_clauses[] = { { "root-delegation-only", &cfg_type_optional_exclude, 0 }, { "disable-algorithms", &cfg_type_disablealgorithm, CFG_CLAUSEFLAG_MULTI }, + { "enable-dnssec", &cfg_type_boolean, 0 }, { NULL, NULL, 0 } };
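Review bot: The library default set here, `view->enablednssec = ISC_TRUE;`, contradicts the commit's stated default: only named flips it to off, through the `enable-dnssec no;` builtin in config.c, so any other dns_view_create() caller (presumably lwresd and the test tools — verify) keeps DNSSEC enabled. Either make the library default ISC_FALSE so the policy lives in one place, or record the split where the field is introduced in the view.h hunk, e.g. `isc_boolean_t enablednssec; /* library default TRUE; named's builtin config sets "no" */`, and on this line `/* overridden to "no" by named's default options */`. dns_view_create continues outside the hunk.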