2008. [func] It is now posssible to enable/disable DNSSEC

validation from rndc.  This is useful for the
                        mobile hosts where the current connection point
                        breaks DNSSEC (firewall/proxy).  [RT #15592]

                                rndc validation newstate [view]

CHANGES

@@ -1,3 +1,10 @@
+2008.	[func]		It is now posssible to enable/disable DNSSEC
+			validation from rndc.  This is useful for the
+			mobile hosts where the current connection point
+			breaks DNSSEC (firewall/proxy).  [RT #15592]
+
+				rndc validation newstate [view]
+
 2007.	[func]		It is now possible to explicitly enable DNSSEC
 			validation.  default dnssec-validation no; to
 			be changed to yes in 9.5.0.  [RT #15674]

bin/named/control.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.26 2005/04/29 00:36:15 marka Exp $ */
+/* $Id: control.c,v 1.27 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -172,6 +172,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
 		result = ns_server_notifycommand(ns_g_server, command, text);
+	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
+		result = ns_server_validation(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,

bin/named/include/named/control.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.21 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: control.h,v 1.22 2006/03/09 23:39:00 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -54,6 +54,7 @@
 #define NS_COMMAND_RECURSING	"recursing"
 #define NS_COMMAND_NULL		"null"
 #define NS_COMMAND_NOTIFY	"notify"
+#define NS_COMMAND_VALIDATION	"validation"
 
 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);

bin/named/include/named/server.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.82 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: server.h,v 1.83 2006/03/09 23:39:00 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -221,4 +221,10 @@ ns_server_dumprecursing(ns_server_t *server);
 void
 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 
+/*%
+ * Enable or disable dnssec validation.
+ */
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args);
+
 #endif /* NAMED_SERVER_H */

bin/named/query.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.283 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: query.c,v 1.284 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -4424,6 +4424,8 @@ ns_query_start(ns_client_t *client) {
 	if (!client->view->enablednssec) {
 		message->flags &= ~DNS_MESSAGEFLAG_CD;
 		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+		if (client->opt != NULL)
+			client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
 	}
 
 	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.461 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: server.c,v 1.462 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -1552,6 +1552,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
 		if (result == ISC_R_SUCCESS)
 			CHECK(mustbesecure(obj, view->resolver));
+	} else {
+		if (view->secroots != NULL)
+			dns_keytable_detach(&view->secroots);
+		dns_resolver_resetmustbesecure(view->resolver);
 	}
 
 	obj = NULL;
@@ -4503,6 +4507,59 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args) {
+	char *ptr, *viewname;
+	dns_view_t *view;
+	isc_boolean_t changed = ISC_FALSE;
+	isc_result_t result;
+	isc_boolean_t enable;
+
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
+	/* Find out what we are to do. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
+	if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+	    !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+		enable = ISC_TRUE;
+	else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+		 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+		enable = ISC_FALSE;
+	else
+		return (DNS_R_SYNTAX);
+
+	/* Look for the view name. */
+	viewname = next_token(&args, " \t");
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+			continue;
+		result = dns_view_flushcache(view);
+		if (result != ISC_R_SUCCESS)
+			goto out;
+		view->enablevalidation = enable;
+		changed = ISC_TRUE;
+	}
+	if (changed)
+		result = ISC_R_SUCCESS;
+	else
+		result = ISC_R_FAILURE;
+ out:
+	isc_task_endexclusive(server->task);	
+	return (result);
+}
+
 isc_result_t
 ns_server_flushcache(ns_server_t *server, char *args) {
 	char *ptr, *viewname;

bin/rndc/rndc.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.110 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: rndc.c,v 1.111 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -132,6 +132,8 @@ command is one of the following:\n\
 		Flush the given name from the server's cache(s)\n\
   status	Display status of the server.\n\
   recursing	Dump the queries that are currently recursing (named.recursing)\n\
+  validation newstate [view]\n\
+		Enable / disable DNSSEC validation.\n\
   *restart	Restart the server.\n\
 \n\
 * == not yet implemented\n\

lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.143 2006/02/26 22:54:47 marka Exp $ */
+/* $Id: validator.c,v 1.144 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -71,9 +71,9 @@
  * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
  *	dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
  *
- * \li When called without a rdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- *	validator_start -> nsecvalidate -> proveunsecure
+ * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
+ * to always validate the authority section even when it does not contain
+ * signatures.
  *
  * validator_start: determines what type of validation to do.
  * validate: attempts to perform a positive validation.
@@ -92,7 +92,6 @@
 						 * have attempted a verify. */
 #define VALATTR_INSECURITY		0x0010	/*%< Attempting proveunsecure. */
 #define VALATTR_DLVTRIED		0x0020	/*%< Looked for a DLV record. */
-#define VALATTR_AUTHNONPENDING		0x0040	/*%< Tidy up pending auth. */
 
 /*!
  * NSEC proofs to be looked for.
@@ -157,18 +156,11 @@ dlv_validator_start(dns_validator_t *val);
 static isc_result_t
 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
 
-static void
-auth_nonpending(dns_message_t *message);
-
 static isc_result_t
 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
 
 /*%
  * Mark the RRsets as a answer.
- *
- * If VALATTR_AUTHNONPENDING is set then this is a negative answer
- * in a insecure zone.  We need to mark any pending RRsets as
- * dns_trust_authauthority answers (this is deferred from resolver.c).
  */
 static inline void
 markanswer(dns_validator_t *val) {
@@ -177,9 +169,6 @@ markanswer(dns_validator_t *val) {
 		val->event->rdataset->trust = dns_trust_answer;
 	if (val->event->sigrdataset != NULL)
 		val->event->sigrdataset->trust = dns_trust_answer;
-	if (val->event->message != NULL &&
-	    (val->attributes & VALATTR_AUTHNONPENDING) != 0)
-		auth_nonpending(val->event->message);
 }
 
 static void
@@ -218,31 +207,6 @@ exit_check(dns_validator_t *val) {
 	return (ISC_TRUE);
 }
 
-/*%
- * Mark pending answers in the authority section as dns_trust_authauthority.
- */
-static void
-auth_nonpending(dns_message_t *message) {
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-
-	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
-	{
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link))
-		{
-			if (rdataset->trust == dns_trust_pending)
-				rdataset->trust = dns_trust_authauthority;
-		}
-	}
-}
-
 /*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
@@ -2136,8 +2100,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 				    sigrdataset->covers == rdataset->type)
 					break;
 			}
-			if (sigrdataset == NULL)
-				continue;
 			/*
 			 * If a signed zone is missing the zone key, bad
 			 * things could happen.  A query for data in the zone
@@ -2226,7 +2188,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");
-	val->attributes |= VALATTR_AUTHNONPENDING;
 	val->attributes |= VALATTR_INSECURITY;
 	return (proveunsecure(val, ISC_FALSE));
 }
@@ -2753,7 +2714,8 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 
 	LOCK(&val->lock);
 
-	if ((val->options & DNS_VALIDATOR_DLV) != 0) {
+	if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
+	     val->event->rdataset != NULL) {
 		validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
 		result = startfinddlvsep(val, dns_rootname);
 	} else if (val->event->rdataset != NULL &&