diff --git a/CHANGES b/CHANGES index 007e5d2e32..b8cafb1958 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5276. [func] DNSSEC Lookaside Validation (DLV) is now obsolete; + all code enabling its use has been removed from the + validator, "delv", and the DNSSEC tools. [GL #7] + 5275. [bug] Mark DS records included in referral messages with trust level "pending" so that they can be validated and cached immediately, with no need to diff --git a/bin/delv/delv.c b/bin/delv/delv.c index d2573f4827..0411abc7e4 100644 --- a/bin/delv/delv.c +++ b/bin/delv/delv.c @@ -125,18 +125,16 @@ static bool static bool cdflag = false, no_sigs = false, - root_validation = true, - dlv_validation = true; + root_validation = true; static bool use_tcp = false; static char *anchorfile = NULL; static char *trust_anchor = NULL; -static char *dlv_anchor = NULL; static int num_keys = 0; -static dns_fixedname_t afn, dfn; -static dns_name_t *anchor_name = NULL, *dlv_name = NULL; +static dns_fixedname_t afn; +static dns_name_t *anchor_name = NULL; /* Default bind.keys contents */ static char anchortext[] = DNSSEC_KEYS; @@ -161,7 +159,7 @@ usage(void) { " q-opt is one of:\n" " -x dot-notation (shortcut for reverse lookups)\n" " -d level (set debugging level)\n" -" -a anchor-file (specify root and dlv trust anchors)\n" +" -a anchor-file (specify root trust anchor)\n" " -b address[#port] (bind to source address/port)\n" " -p port (specify port number)\n" " -q name (specify query name)\n" @@ -181,7 +179,8 @@ usage(void) { " +[no]comments (Control display of comment lines)\n" " +[no]rrcomments (Control display of per-record " "comments)\n" -" +[no]unknownformat (Print RDATA in RFC 3597 \"unknown\" format)\n" +" +[no]unknownformat (Print RDATA in RFC 3597 " + "\"unknown\" format)\n" " +[no]short (Short form answer)\n" " +[no]split=## (Split hex/base64 fields into chunks)\n" " +[no]tcp (TCP mode)\n" 
@@ -190,7 +189,7 @@ usage(void) {
 " +[no]rtrace (Trace resolver fetches)\n"
 " +[no]mtrace (Trace messages received)\n"
 " +[no]vtrace (Trace validation process)\n"
-" +[no]dlv (DNSSEC lookaside validation anchor)\n"
+" +[no]dlv (Obsolete)\n"
 " +[no]root (DNSSEC validation trust anchor)\n"
 " +[no]dnssec (Display DNSSEC records)\n"
 " -h (print help and exit)\n"
@@ -381,10 +380,9 @@ print_status(dns_rdataset_t *rdataset) {
 tstr = "glue data";
 break;
 case dns_trust_answer:
- if (root_validation || dlv_validation)
+ if (root_validation) {
 tstr = "unsigned answer";
- else
- tstr = "answer not validated";
+ }
 break;
 case dns_trust_authauthority:
 tstr = "authority data";
@@ -575,30 +573,30 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 dns_fixedname_t fkeyname;
 dns_name_t *keyname;
 isc_result_t result;
- bool match_root = false, match_dlv = false;
+ bool match_root = false;
 keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 CHECK(convert_name(&fkeyname, &keyname, keynamestr));
- if (!root_validation && !dlv_validation)
+ if (!root_validation) {
 return (ISC_R_SUCCESS);
+ }
- if (anchor_name)
+ if (anchor_name) {
 match_root = dns_name_equal(keyname, anchor_name);
- if (dlv_name)
- match_dlv = dns_name_equal(keyname, dlv_name);
+ }
- if (!match_root && !match_dlv)
+ if (!match_root) {
 return (ISC_R_SUCCESS);
- if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
+ }
+ if (!root_validation && match_root) {
 return (ISC_R_SUCCESS);
+ }
- if (match_root)
+ if (match_root) {
 delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor);
- if (match_dlv)
- delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
- dlv_anchor);
+ }
 flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
 proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
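Review bot: In the `dns_trust_answer` case of print_status(), dropping the `else` branch means `tstr` is no longer assigned when `root_validation` is false (for example after `-i`), so the status printed for such an answer now depends on whatever `tstr` holds before the `switch`, which is outside this hunk. If unvalidated answers should still be labelled, restore the branch as `} else { tstr = "answer not validated"; }`; if falling through to the pre-switch value is intended, a one-line comment saying so would stop the next reader from re-raising it. print_status()'s body continues outside the hunk.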
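Review bot: In key_fromconfig() the check `if (!root_validation && match_root)` is now dead code: the function already returns when `!root_validation` a few lines earlier, and the preceding `if (!match_root)` return guarantees `match_root` is true at that point, so the condition can never hold. Removing the three lines `if (!root_validation && match_root) { return (ISC_R_SUCCESS); }` leaves behaviour unchanged and takes the last remnant of the two-anchor logic with it. key_fromconfig() continues outside the hunk.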
@@ -697,7 +695,7 @@ setup_dnsseckeys(dns_client_t *client) {
 cfg_obj_t *bindkeys = NULL;
 const char *filename = anchorfile;
- if (!root_validation && !dlv_validation) {
+ if (!root_validation) {
 return (ISC_R_SUCCESS);
 }
@@ -719,9 +717,6 @@ setup_dnsseckeys(dns_client_t *client) {
 if (trust_anchor != NULL) {
 CHECK(convert_name(&afn, &anchor_name, trust_anchor));
 }
- if (dlv_anchor != NULL) {
- CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
- }
 CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
@@ -772,11 +767,6 @@ setup_dnsseckeys(dns_client_t *client) {
 fatal("No trusted keys were loaded");
 }
- if (dlv_validation) {
- dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
- }
-
-
 cleanup:
 if (bindkeys != NULL) {
 cfg_obj_destroy(parser, &bindkeys);
@@ -1024,11 +1014,10 @@ plus_option(char *option) {
 switch (cmd[1]) {
 case 'l': /* dlv */
 FULLCHECK("dlv");
- if (state && no_sigs)
- break;
- dlv_validation = state;
- if (value != NULL) {
- dlv_anchor = isc_mem_strdup(mctx, value);
+ if (state) {
+ fprintf(stderr, "Invalid option: "
+ "+dlv is obsolete\n");
+ exit(1);
 }
 break;
 case 'n': /* dnssec */
@@ -1213,7 +1202,6 @@ dash_option(char *option, char *next, bool *open_type_class) {
 /* NOTREACHED */
 case 'i':
 no_sigs = true;
- dlv_validation = false;
 root_validation = false;
 break;
 case 'm':
@@ -1648,14 +1636,18 @@ main(int argc, char *argv[]) {
 /* Set up resolution options */
 resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
- if (no_sigs)
+ if (no_sigs) {
 resopt |= DNS_CLIENTRESOPT_NODNSSEC;
- if (!root_validation && !dlv_validation)
+ }
+ if (!root_validation) {
 resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
- if (cdflag)
+ }
+ if (cdflag) {
 resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
- if (use_tcp)
+ }
+ if (use_tcp) {
 resopt |= DNS_CLIENTRESOPT_TCP;
+ }
 /* Perform resolution */
 ISC_LIST_INIT(namelist);
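Review bot: In plus_option() the rejection of `+dlv` is done with `fprintf(stderr, ...)` plus `exit(1)`, while the rest of this file reports fatal conditions through `fatal()` (see `fatal("No trusted keys were loaded")` in the setup_dnsseckeys hunk above); `fatal("+dlv is obsolete");` would keep error reporting uniform and use the same exit path. `+nodlv` is still accepted silently, which is reasonable for old scripts, but the `/* dlv */` comment could record that: `/* dlv: obsolete; +nodlv is accepted as a no-op */`. plus_option() continues outside the hunk.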
@@ -1680,8 +1672,6 @@ main(int argc, char *argv[]) { dns_client_freeresanswer(client, &namelist); cleanup: - if (dlv_anchor != NULL) - isc_mem_free(mctx, dlv_anchor); if (trust_anchor != NULL) isc_mem_free(mctx, trust_anchor); if (anchorfile != NULL) diff --git a/bin/delv/delv.docbook b/bin/delv/delv.docbook index d30bedd55f..78eb6feb04 100644 --- a/bin/delv/delv.docbook +++ b/bin/delv/delv.docbook @@ -96,7 +96,7 @@ delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow - CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records + CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and @@ -211,10 +211,7 @@ Keys that do not match the root zone name are ignored. An alternate key name can be specified using the - options. DNSSEC Lookaside - Validation can also be turned on by using the - to specify the name of a - zone containing DLV records. + options. Note: When reading the trust anchor file, @@ -620,8 +617,7 @@ request DNSSEC records or whether to validate them. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of - or and - . + or . @@ -630,7 +626,7 @@ - Indicates whether to perform conventional (non-lookaside) + Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is @@ -641,18 +637,6 @@ - - - - - Indicates whether to perform DNSSEC lookaside validation, - and if so, specifies the name of the DLV trust anchor. - The option must also be used to specify - a file containing the DLV key. - - - - 
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 5ea294b93e..d6f44d8566 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -208,8 +208,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 }
 static void
-logkey(dns_rdata_t *rdata)
-{
+logkey(dns_rdata_t *rdata) {
 isc_result_t result;
 dst_key_t *key = NULL;
 isc_buffer_t buf;
@@ -228,9 +227,7 @@ logkey(dns_rdata_t *rdata)
 }
 static void
-emit(dns_dsdigest_t dt, bool showall, char *lookaside,
- bool cds, dns_rdata_t *rdata)
-{
+emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 isc_result_t result;
 unsigned char buf[DNS_DS_BUFFERSIZE];
 char text_buf[DST_KEY_MAXTEXTSIZE];
@@ -262,18 +259,6 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
 if (result != ISC_R_SUCCESS)
 fatal("can't print name");
- /* Add lookaside origin, if set */
- if (lookaside != NULL) {
- if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
- fatal("DLV origin '%s' is too long", lookaside);
- isc_buffer_putstr(&nameb, lookaside);
- if (lookaside[strlen(lookaside) - 1] != '.') {
- if (isc_buffer_availablelength(&nameb) < 1)
- fatal("DLV origin '%s' is too long", lookaside);
- isc_buffer_putstr(&nameb, ".");
- }
- }
-
 result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "", &textb);
@@ -293,26 +278,24 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
 isc_buffer_usedregion(&classb, &r);
 printf("%.*s", (int)r.length, r.base);
- if (lookaside == NULL) {
- if (cds)
- printf(" CDS ");
- else
- printf(" DS ");
- } else
- printf(" DLV ");
+ if (cds) {
+ printf(" CDS ");
+ } else {
+ printf(" DS ");
+ }
 isc_buffer_usedregion(&textb, &r);
 printf("%.*s\n", (int)r.length, r.base);
 }
 static void
-emits(bool showall, char *lookaside, bool cds, dns_rdata_t *rdata) {
+emits(bool showall, bool cds, dns_rdata_t *rdata) {
 unsigned i, n;
 n = sizeof(dtype)/sizeof(dtype[0]);
 for (i = 0; i < n; i++) {
 if (dtype[i] != 0) {
- emit(dtype[i], showall, lookaside, cds, rdata);
+ emit(dtype[i], showall, cds, rdata);
 }
 }
 }
@@ -338,12 +321,11 @@ usage(void) {
 " -f zonefile: read keys from a zone file\n"
 " -h: print help information\n"
 " -K directory: where to find key or keyset files\n"
-" -l zone: print DLV records in the given lookaside zone\n"
 " -s: read keys from keyset- file\n"
 " -T: TTL of output records (omitted by default)\n"
 " -v level: verbosity\n"
 " -V: print version information\n");
- fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
+ fprintf(stderr, "Output: DS or CDS RRs\n");
 exit (-1);
 }
@@ -352,7 +334,6 @@ int
 main(int argc, char **argv) {
 char *classname = NULL;
 char *filename = NULL, *dir = NULL, *namestr;
- char *lookaside = NULL;
 char *endp;
 int ch;
 bool cds = false;
@@ -397,9 +378,6 @@ main(int argc, char **argv) {
 add_dtype(strtodsdigest(isc_commandline_argument));
 break;
 case 'C':
- if (lookaside != NULL)
- fatal("lookaside and CDS are mutually"
- " exclusive");
 cds = true;
 break;
 case 'c':
@@ -418,12 +396,7 @@ main(int argc, char **argv) { filename = isc_commandline_argument; break; case 'l': - if (cds) - fatal("lookaside and CDS are mutually" - " exclusive"); - lookaside = isc_commandline_argument; - if (strlen(lookaside) == 0U) - fatal("lookaside must be a non-empty string"); + fatal("-l option (DLV lookaside) is obsolete"); break; case 's': usekeyset = true; @@ -528,7 +501,7 @@ main(int argc, char **argv) { logkey(&rdata); } - emits(showall, lookaside, cds, &rdata); + emits(showall, cds, &rdata); } } else { unsigned char key_buf[DST_KEY_MAXSIZE]; @@ -536,7 +509,7 @@ main(int argc, char **argv) { loadkey(argv[isc_commandline_index], key_buf, DST_KEY_MAXSIZE, &rdata); - emits(showall, lookaside, cds, &rdata); + emits(showall, cds, &rdata); } if (dns_rdataset_isassociated(&rdataset)) { diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook index d67e404178..a1104ead2f 100644 --- a/bin/dnssec/dnssec-dsfromkey.docbook +++ b/bin/dnssec/dnssec-dsfromkey.docbook @@ -112,10 +112,8 @@ The dnssec-dsfromkey command outputs DS (Delegation - Signer) resource records (RRs) and other similarly-constructed RRs: - with the option it outputs DLV (DNSSEC Lookaside - Validation) RRs; or with the it outputs CDS (Child - DS) RRs. + Signer) resource records (RRs), or CDS (Child DS) RRs with the + option. @@ -212,9 +210,7 @@ -C - Generate CDS records rather than DS records. This is mutually - exclusive with the option for generating DLV - records. + Generate CDS records rather than DS records. @@ -260,19 +256,6 @@ - - -l domain - - - Generate a DLV set instead of a DS set. The specified - domain is appended to the name for each - record in the set. - This is mutually exclusive with the option - for generating CDS records. - - - - -s @@ -362,7 +345,6 @@ , BIND 9 Administrator Reference Manual, RFC 3658 (DS RRs), - RFC 4431 (DLV RRs), RFC 4509 (SHA-256 for DS RRs), RFC 6605 (SHA-384 for DS RRs), RFC 7344 (CDS and CDNSKEY RRs). 
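Review bot: The new `case 'l': fatal("-l option (DLV lookaside) is obsolete");` only fires once getopt has accepted the option, and if the option string (outside this hunk) still declares `l:` then `-l` given as the last argument produces getopt's generic missing-argument error instead of this message. Dropping the colon so that `-l` takes no argument makes the obsolete message the one a user always sees; the same applies to `case 'l':` in dnssec-signzone.c's main() further down. The `break;` after `fatal()` is reachable only if `fatal()` returns, which I cannot confirm from the hunk. main() continues outside the hunk.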
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 8fc7080a46..e06f09c23c 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -163,8 +163,6 @@ static bool removefile = false;
 static bool generateds = false;
 static bool ignore_kskflag = false;
 static bool keyset_kskonly = false;
-static dns_name_t *dlv = NULL;
-static dns_fixedname_t dlv_fixed;
 static dns_master_style_t *dsstyle = NULL;
 static unsigned int serialformat = SOA_SERIAL_KEEP;
 static unsigned int hash_length = 0;
@@ -2906,7 +2904,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 dns_dbversion_t *dbversion = NULL;
 dns_diff_t diff;
 dns_difftuple_t *tuple = NULL;
- dns_fixedname_t fixed;
 dns_name_t *name;
 dns_rdata_t rdata, ds;
 bool have_ksk = false;
@@ -2939,18 +2936,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 dns_diff_init(mctx, &diff);
- if (type == dns_rdatatype_dlv) {
- dns_name_t tname;
- unsigned int labels;
-
- dns_name_init(&tname, NULL);
- name = dns_fixedname_initname(&fixed);
- labels = dns_name_countlabels(gorigin);
- dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
- result = dns_name_concatenate(&tname, dlv, name, NULL);
- check_result(result, "dns_name_concatenate");
- } else
- name = gorigin;
+ name = gorigin;
 for (key = ISC_LIST_HEAD(keylist);
 key != NULL;
@@ -2991,8 +2977,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 DNS_DSDIGEST_SHA256, dsbuf, &ds);
 check_result(result, "dns_ds_buildrdata");
- if (type == dns_rdatatype_dlv)
- ds.type = dns_rdatatype_dlv;
 result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN,
 name, 0, &ds, &tuple);
@@ -3130,7 +3114,6 @@ usage(void) {
 "\t\twith older versions of dnssec-signzone -g\n");
 fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
 fprintf(stderr, "\t-k key_signing_key\n");
-fprintf(stderr, "\t-l lookasidezone\n");
 fprintf(stderr, "\t-3 NSEC3 salt\n");
 fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
 fprintf(stderr, "\t-A NSEC3 optout\n");
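Review bot: With the DLV branch gone, `name` in writeset() is only an alias for `gorigin` (`name = gorigin;` is its sole assignment in this hunk), so the local and the `dns_name_t *name;` declaration in the previous hunk could be dropped and `gorigin` passed to `dns_difftuple_create()` directly, unless `name` is reassigned elsewhere in the body, which continues outside the hunk. If the alias is kept on purpose, a one-line comment such as `/* DS set is always written at the zone apex */` would explain why it still exists.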
@@ -3206,8 +3189,6 @@ main(int argc, char *argv[]) { int tempfilelen = 0; dns_rdataclass_t rdclass; isc_task_t **tasks = NULL; - isc_buffer_t b; - int len; hashlist_t hashlist; bool make_keyset = false; bool set_salt = false; @@ -3385,14 +3366,7 @@ main(int argc, char *argv[]) { break; case 'l': - len = strlen(isc_commandline_argument); - isc_buffer_init(&b, isc_commandline_argument, len); - isc_buffer_add(&b, len); - - dlv = dns_fixedname_initname(&dlv_fixed); - result = dns_name_fromtext(dlv, &b, dns_rootname, 0, - NULL); - check_result(result, "dns_name_fromtext(dlv)"); + fatal("-l option (DLV lookaside) is obsolete"); break; case 'M': @@ -3798,10 +3772,8 @@ main(int argc, char *argv[]) { if (!nokeys) { writeset("dsset-", dns_rdatatype_ds); - if (make_keyset) + if (make_keyset) { writeset("keyset-", dns_rdatatype_dnskey); - if (dlv != NULL) { - writeset("dlvset-", dns_rdatatype_dlv); } } diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 986bc990a4..dea47a0b22 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -224,16 +224,6 @@ - - -l domain - - - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - - - - -M maxttl diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 61d6225e77..a013873e18 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -13,7 +13,7 @@ - 2019-06-28 + 2019-08-07 ISC @@ -154,7 +154,6 @@ logging { - MANAGED-KEYS Deprecated - see DNSSEC-KEYS. @@ -253,9 +252,6 @@ options { dnssec-accept-expired boolean; dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; - dnssec-lookaside ( string - trust-anchor string | - auto | no ); deprecated dnssec-must-be-secure string boolean; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); 
@@ -614,9 +610,6 @@ view string [ class ] { initial-key ) integer integer integer quoted_string; ... }; dnssec-loadkeys-interval integer; - dnssec-lookaside ( string - trust-anchor string | - auto | no ); deprecated dnssec-must-be-secure string boolean; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); @@ -866,7 +859,6 @@ view string [ class ] { masters [ port integer ] [ dscp integer ] { ( masters | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ]; ... }; - max-ixfr-log-size ( default | unlimited | max-journal-size ( default | unlimited | sizeval ); max-records integer; max-refresh-time integer; @@ -886,7 +878,6 @@ view string [ class ] { notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; notify-to-soa boolean; - pubkey integer integer integer request-expire boolean; request-ixfr boolean; serial-update-method ( date | increment | unixtime ); diff --git a/bin/named/server.c b/bin/named/server.c index ea187d50ad..11a9bd4844 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3783,7 +3783,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, const cfg_obj_t *zonelist; const cfg_obj_t *dlzlist; const cfg_obj_t *dlz; - const cfg_obj_t *dlvobj = NULL; unsigned int dlzargc; char **dlzargv; const cfg_obj_t *dyndb_list, *plugin_list; @@ -4614,7 +4613,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, } /* - * Set supported DS/DLV digest types. + * Set supported DS digest types. */ dns_resolver_reset_ds_digests(view->resolver); disabled = NULL; 
@@ -5204,57 +5203,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 view->prefetch_eligible = view->prefetch_trigger + 6;
 }
- obj = NULL;
- result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
- if (result == ISC_R_SUCCESS) {
- /* "auto" is deprecated, log a warning if seen */
- const char *dom;
- dlvobj = cfg_listelt_value(cfg_list_first(obj));
- dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
- if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
- /* If "no", skip; if "auto", log warning */
- if (!strcasecmp(dom, "no")) {
- result = ISC_R_NOTFOUND;
- } else if (!strcasecmp(dom, "auto")) {
- /*
- * Warning logged by libbind9.
- */
- result = ISC_R_NOTFOUND;
- }
- }
- }
-
- if (result == ISC_R_SUCCESS) {
- dns_name_t *dlv, *iscdlv;
- dns_fixedname_t f;
-
- /* Also log a warning if manually configured to dlv.isc.org */
- iscdlv = dns_fixedname_initname(&f);
- CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
-
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- obj = cfg_tuple_get(obj, "trust-anchor");
-
- dlv = dns_fixedname_name(&view->dlv_fixed);
- CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
- DNS_NAME_DOWNCASE, NULL));
- if (dns_name_equal(dlv, iscdlv)) {
- /*
- * Warning logged by libbind9.
- */
- view->dlv = NULL;
- } else {
- view->dlv = dlv;
- }
- }
- } else {
- view->dlv = NULL;
- }
-
 /*
 * For now, there is only one kind of trusted keys, the
 * "security roots".
diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook
index bc18b616f6..b4af540655 100644
--- a/bin/python/dnssec-checkds.docbook
+++ b/bin/python/dnssec-checkds.docbook
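Review bot: After this removal configure_view() never touches `view->dlv` or `view->dlv_fixed` again, including the explicit `view->dlv = NULL` that previously ran when no lookaside was configured; if those members and their consumers in lib/dns survive (not visible in this diff), the validator would now see whatever dns_view_create() leaves in them. Please confirm they are removed in the same change, or keep the explicit reset here. Since the `dnssec-lookaside` clause is still accepted by the parser with a warning (the checkconf test in this commit expects "option 'dnssec-lookaside' is obsolete and should be removed"), a one-line comment at this point, `/* dnssec-lookaside is obsolete (GL #7): parsed with a warning, no effect here */`, would tell the next reader where the option went. configure_view() continues outside the hunk.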
@@ -59,9 +59,8 @@ DESCRIPTION dnssec-checkds - verifies the correctness of Delegation Signer (DS) or DNSSEC - Lookaside Validation (DLV) resource records for keys in a specified - zone. + verifies the correctness of Delegation Signer (DS) + resource records for keys in a specified zone. @@ -74,7 +73,7 @@ Specify a digest algorithm to use when converting the - zone's DNSKEY records to expected DS or DLV records. This + zone's DNSKEY records to expected DS records. This option can be repeated, so that multiple records are checked for each DNSKEY record. @@ -98,16 +97,6 @@ - - -l domain - - - Check for a DLV record in the specified lookaside domain, - instead of checking for a DS record in the zone's parent. - - - - -s file diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in index f20d6bf564..0d71629436 100644 --- a/bin/python/isc/checkds.py.in +++ b/bin/python/isc/checkds.py.in @@ -21,7 +21,7 @@ prog = 'dnssec-checkds' ############################################################################ # SECRR class: -# Class for DS/DLV resource record +# Class for DS resource record ############################################################################ class SECRR: hashalgs = {1: 'SHA-1', 2: 'SHA-256', 3: 'GOST', 4: 'SHA-384'} @@ -33,7 +33,7 @@ class SECRR: digest = '' ttl = 0 - def __init__(self, rrtext, dlvname = None): + def __init__(self, rrtext): if not rrtext: raise Exception 
@@ -45,24 +45,8 @@ class SECRR: if len(fields) < 7: raise Exception - if dlvname: - self.rrtype = "DLV" - self.dlvname = dlvname.lower() - parent = fields[0].lower().strip('.').split('.') - parent.reverse() - dlv = dlvname.split('.') - dlv.reverse() - while len(dlv) != 0 and len(parent) != 0 and parent[0] == dlv[0]: - parent = parent[1:] - dlv = dlv[1:] - if dlv: - raise Exception - parent.reverse() - self.parent = '.'.join(parent) - self.rrname = self.parent + '.' + self.dlvname + '.' - else: - self.rrtype = "DS" - self.rrname = fields[0].lower() + self.rrtype = "DS" + self.rrname = fields[0].lower() fields = fields[1:] if fields[0].upper() in ['IN', 'CH', 'HS']: @@ -91,9 +75,9 @@ class SECRR: ############################################################################ # check: -# Fetch DS/DLV RRset for the given zone from the DNS; fetch DNSKEY +# Fetch DS RRset for the given zone from the DNS; fetch DNSKEY # RRset from the masterfile if specified, or from DNS if not. -# Generate a set of expected DS/DLV records from the DNSKEY RRset, +# Generate a set of expected DS records from the DNSKEY RRset, # and report on congruency. ############################################################################ def check(zone, args): @@ -101,15 +85,13 @@ def check(zone, args): if args.dssetfile: fp = open(args.dssetfile).read() else: - cmd = [args.dig, "+noall", "+answer", "-t", - "dlv" if args.lookaside else "ds", "-q", - zone + "." + args.lookaside if args.lookaside else zone] + cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone] fp, _ = Popen(cmd, stdout=PIPE).communicate() for line in fp.splitlines(): if type(line) is not str: line = line.decode('ascii') - rrlist.append(SECRR(line, args.lookaside)) + rrlist.append(SECRR(line)) rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg)) klist = [] 
@@ -117,8 +99,6 @@ def check(zone, args): cmd = [args.dsfromkey] for algo in args.algo: cmd += ['-a', algo] - if args.lookaside: - cmd += ["-l", args.lookaside] if args.masterfile: cmd += ["-f", args.masterfile, zone] @@ -132,7 +112,7 @@ def check(zone, args): for line in fp.splitlines(): if type(line) is not str: line = line.decode('ascii') - klist.append(SECRR(line, args.lookaside)) + klist.append(SECRR(line)) if len(klist) < 1: print("No DNSKEY records found in zone apex") @@ -182,8 +162,6 @@ def parse_args(): type=str, help='path to \'dnssec-dsfromkey\'') parser.add_argument('-f', '--file', dest='masterfile', type=str, help='zone master file') - parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, - help='DLV lookaside zone') parser.add_argument('-s', '--dsset', dest='dssetfile', type=str, help='prepared DSset file') parser.add_argument('-v', '--version', action='version', @@ -191,8 +169,6 @@ def parse_args(): args = parser.parse_args() args.zone = args.zone.strip('.') - if args.lookaside: - args.lookaside = args.lookaside.strip('.') return args diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c index cb5cf8c614..d16b3bd699 100644 --- a/bin/tests/cfg_test.c +++ b/bin/tests/cfg_test.c @@ -49,7 +49,8 @@ output(void *closure, const char *text, int textlen) { static void usage(void) { fprintf(stderr, "usage: cfg_test --rndc|--named " - "[--grammar] [--memstats] conffile\n"); + "[--grammar] [--zonegrammar] [--active] " + "[--memstats] conffile\n"); exit(1); } @@ -67,6 +68,7 @@ main(int argc, char **argv) { bool memstats = false; char *filename = NULL; unsigned int zonetype = 0; + unsigned int pflags = 0; RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); 
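Review bot: In parse_args() removing `-l/--lookaside` outright means `dnssec-checkds -l zone` now fails with argparse's generic "unrecognized arguments" error, whereas dnssec-dsfromkey and dnssec-signzone in this same commit keep `-l` and report `-l option (DLV lookaside) is obsolete`. For the same user-facing behaviour, keep the option hidden and reject it explicitly: `parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, help=argparse.SUPPRESS)` in the argument list, and after `args = parser.parse_args()` add `if args.lookaside: parser.error('-l option (DLV lookaside) is obsolete')`. This assumes `argparse` is imported by name where `parser` is created, which is outside the hunk.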
@@ -98,7 +100,9 @@ main(int argc, char **argv) { usage(); while (argc > 1) { - if (strcmp(argv[1], "--grammar") == 0) { + if (strcmp(argv[1], "--active") == 0) { + pflags |= CFG_PRINTER_ACTIVEONLY; + } else if (strcmp(argv[1], "--grammar") == 0) { grammar = true; } else if (strcmp(argv[1], "--zonegrammar") == 0) { argv++, argc--; @@ -149,13 +153,14 @@ main(int argc, char **argv) { if (grammar) { if (type == NULL) usage(); - cfg_print_grammar(type, output, NULL); + cfg_print_grammar(type, pflags, output, NULL); } else if (zonetype != 0) { - cfg_print_zonegrammar(zonetype, output, NULL); + cfg_print_zonegrammar(zonetype, pflags, output, NULL); } else { if (type == NULL || filename == NULL) usage(); - RUNTIME_CHECK(cfg_parser_create(mctx, lctx, &pctx) == ISC_R_SUCCESS); + RUNTIME_CHECK(cfg_parser_create(mctx, lctx, &pctx) == + ISC_R_SUCCESS); result = cfg_parse_file(pctx, filename, type, &cfg); diff --git a/bin/tests/system/checkconf/check-dlv-ksk-key.conf b/bin/tests/system/checkconf/check-dlv-ksk-key.conf deleted file mode 100644 index 93a0040db0..0000000000 --- a/bin/tests/system/checkconf/check-dlv-ksk-key.conf +++ /dev/null @@ -1,20 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -dnssec-keys { - dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE - n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8 - +jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ - 2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG - xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR - x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL - KjHzpT59k/VStTDN0YUuWrBNh"; -}; 
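Review bot: `--active` is accepted in every mode of cfg_test, but `pflags` is only handed to `cfg_print_grammar()` and `cfg_print_zonegrammar()`, so on the config-file parsing path the flag is silently ignored; either reject it there, `if (pflags != 0 && !grammar && zonetype == 0) usage();`, or word the usage string so `--active` reads as a modifier of the two grammar modes. What CFG_PRINTER_ACTIVEONLY suppresses is not visible in this diff, so a short comment on the `--active` branch stating it (presumably the obsolete clauses such as `dnssec-lookaside`, to be confirmed) would help the next reader. main() continues outside the hunk.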
diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index f080af4087..d4f30a0b0c 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -11,7 +11,6 @@ options { dnssec-validation yes; - dnssec-lookaside . trust-anchor dlv.example.com; }; trusted-keys { diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index d41247a903..9bd631c6b9 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -130,7 +130,6 @@ n=`expr $n + 1` echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 $CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 -grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -389,7 +388,7 @@ n=`expr $n + 1` echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)" ret=0 $CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "dnssec-lookaside 'auto' is no longer supported" < checkconf.out$n > /dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` 
@@ -397,17 +396,15 @@ n=`expr $n + 1` echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)" ret=0 $CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` n=`expr $n + 1` -echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates only a deprecate warning ($n)" +echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)" ret=0 -$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 -lines=$(wc -l < checkconf.out$n) -if [ $lines != 1 ]; then ret=1; fi -grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` @@ -456,14 +453,6 @@ grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` -echo_i "check that the dlv.isc.org KSK generates a warning ($n)" -ret=0 -$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1 -[ -s checkconf.out$n ] || ret=1 -grep "trust anchor for dlv.isc.org is present" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` - echo_i "check that 'geoip-use-ecs no' generates a warning ($n)" ret=0 $CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1 
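Review bot: The rewritten dlv.example.com test drops the `lines=$(wc -l < checkconf.out$n)` and `if [ $lines != 1 ]; then ret=1; fi` pair, so it no longer verifies that the obsolete-option warning is the only output for that configuration; any additional warning or error that later appears for `warn-dlv-dlv.example.com.conf` passes unnoticed as long as the grep still matches and named-checkconf exits 0. Keeping the single-line check next to the new grep preserves the stronger assertion at no cost. The same relaxation does not apply to the `auto` and `dlv.isc.org` tests in the previous hunk, which never had it.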
diff --git a/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf b/bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf similarity index 100% rename from bin/tests/system/checkconf/good-dlv-dlv.example.com.conf rename to bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf diff --git a/bin/tests/system/checkds/dig.bat b/bin/tests/system/checkds/dig.bat index bf07a4f153..9465a46025 100755 --- a/bin/tests/system/checkds/dig.bat +++ b/bin/tests/system/checkds/dig.bat @@ -9,8 +9,6 @@ if "%arg:~0,1%" == "+" goto next if "%arg%" == "-t" goto next if "%arg%" == "ds" goto ds if "%arg%" == "DS" goto ds -if "%arg%" == "dlv" goto dlv -if "%arg%" == "DLV" goto dlv if "%arg%" == "dnskey" goto dnskey if "%arg%" == "DNSKEY" goto dnskey set file=%arg% @@ -20,10 +18,6 @@ goto next set ext=ds goto next -:dlv -set ext=dlv -goto next - :dnskey set ext=dnskey goto next diff --git a/bin/tests/system/checkds/dig.pl b/bin/tests/system/checkds/dig.pl index 35cf973e5d..7312f02421 100644 --- a/bin/tests/system/checkds/dig.pl +++ b/bin/tests/system/checkds/dig.pl @@ -24,10 +24,6 @@ foreach $arg (@ARGV) { $ext = "ds"; next; } - if ($arg =~ /^dlv$/i) { - $ext = "dlv"; - next; - } if ($arg =~ /^dnskey$/i) { $ext = "dnskey"; next; diff --git a/bin/tests/system/checkds/dig.sh b/bin/tests/system/checkds/dig.sh index 41354fa627..e6fd84e2f0 100755 --- a/bin/tests/system/checkds/dig.sh +++ b/bin/tests/system/checkds/dig.sh @@ -14,7 +14,6 @@ while [ "$#" != 0 ]; do +*) shift ;; -t) shift ;; DS|ds) ext=ds ; shift ;; - DLV|dlv) ext=dlv ; shift ;; DNSKEY|dnskey) ext=dnskey ; shift ;; *) file=$1 ; shift ;; esac diff --git a/bin/tests/system/checkds/missing.example.dlv.example.dlv.db b/bin/tests/system/checkds/missing.example.dlv.example.dlv.db deleted file mode 100644 index 5dd94621c6..0000000000 --- a/bin/tests/system/checkds/missing.example.dlv.example.dlv.db +++ /dev/null 
@@ -1,2 +0,0 @@ -missing.example.dlv.example. 3600 IN DLV 12892 5 1 9D4CD60491D372207FA584D2EE460CC51D7FF8A7 -missing.example.dlv.example. 3600 IN DLV 12892 5 2 EF59E5C70BC4153B7DB4C11F9C36B729577DA71474E0A5C9B8875173 6E583200 diff --git a/bin/tests/system/checkds/none.example.dlv.example.dlv.db b/bin/tests/system/checkds/none.example.dlv.example.dlv.db deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/bin/tests/system/checkds/ok.example.dlv.example.dlv.db b/bin/tests/system/checkds/ok.example.dlv.example.dlv.db deleted file mode 100644 index 5896bcc7b4..0000000000 --- a/bin/tests/system/checkds/ok.example.dlv.example.dlv.db +++ /dev/null @@ -1,2 +0,0 @@ -ok.example.dlv.example. 3600 IN DLV 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390 -ok.example.dlv.example. 3600 IN DLV 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 diff --git a/bin/tests/system/checkds/tests.sh b/bin/tests/system/checkds/tests.sh index 1d46bc53c4..b205d25cde 100644 --- a/bin/tests/system/checkds/tests.sh +++ b/bin/tests/system/checkds/tests.sh 
@@ -43,24 +43,6 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking for correct DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example ok.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for correct DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
 echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
 ret=0
 $CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
@@ -79,24 +61,6 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking for incorrect DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example wrong.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for incorrect DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
 echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
 ret=0
 $CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
@@ -119,28 +83,6 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking for partially missing DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for partially missing DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
 echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
 ret=0
 $CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
@@ -159,24 +101,6 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "checking for entirely missing DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example none.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for entirely missing DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
 echo_i "checking with prepared dsset file ($n)"
 ret=0
 $CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1
diff --git a/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db b/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db
deleted file mode 100644
index 096969b415..0000000000
--- a/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db
+++ /dev/null
@@ -1,2 +0,0 @@
-wrong.example.dlv.example. 3600 IN DLV 1192 5 1 684BB5119673C9272A0A7582AF8576561B5D80EC
-wrong.example.dlv.example. 3600 IN DLV 1192 5 2 14E4A873360E512CD2E8C2C331C4472F5EDAB0736669901F4D42E976 3D7B1F5C
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index 613c0cd72b..d1efc192d4 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -59,7 +59,7 @@ PARALLEL_COMMON="dnssec rpzrecurse serve-stale \
 acl additional addzone allow-query auth autosign \
 builtin cacheclean case catz cds chain \
 checkconf checknames checkzone \
- cookie database digdelv dlv dlz dlzexternal \
+ cookie database digdelv dlz dlzexternal \
 dns64 dscp dsdigest dyndb \
 ednscompliance emptyzones \
 fetchlimit filter-aaaa formerr forward \
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index b0f655b739..0a0509f9be 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -55,7 +55,7 @@ check_ttl_range() {
 
 # using delv insecure mode as not testing dnssec here
 delv_with_opts() {
- "$DELV" +noroot +nodlv -p "$PORT" "$@"
+ "$DELV" +noroot -p "$PORT" "$@"
 }
 
 KEYID="$(cat ns2/keyid)"
diff --git a/bin/tests/system/dlv/clean.sh b/bin/tests/system/dlv/clean.sh
deleted file mode 100644
index 9f3f1cb8c1..0000000000
--- a/bin/tests/system/dlv/clean.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f ns*/named.run
-rm -f ns*/named.conf
-rm -f ns1/K*
-rm -f ns1/dsset-*
-rm -f ns1/*.signed
-rm -f ns1/signer.err
-rm -f ns1/root.db
-rm -f ns1/trusted.conf
-rm -f ns2/K*
-rm -f ns2/dlvset-*
-rm -f ns2/dsset-*
-rm -f ns2/*.signed
-rm -f ns2/*.pre
-rm -f ns2/signer.err
-rm -f ns2/druz.db
-rm -f ns3/K*
-rm -f ns3/*.db
-rm -f ns3/*.signed ns3/*.signed.tmp
-rm -f ns3/dlvset-*
-rm -f ns3/dsset-*
-rm -f ns3/keyset-*
-rm -f ns3/trusted*.conf
-rm -f ns3/signer.err
-rm -f ns5/trusted*.conf
-rm -f ns6/K*
-rm -f ns6/*.db
-rm -f ns6/*.signed
-rm -f ns6/dsset-*
-rm -f ns6/signer.err
-rm -f ns7/trusted*.conf ns8/trusted*.conf
-rm -f */named.memstats
-rm -f dig.out.ns*.test*
-rm -f ns*/named.lock
-rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dlv/ns1/named.conf.in b/bin/tests/system/dlv/ns1/named.conf.in
deleted file mode 100644
index e628dbe36d..0000000000
--- a/bin/tests/system/dlv/ns1/named.conf.in
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-zone "." { type master; file "root.signed"; };
-zone "rootservers.utld" { type master; file "rootservers.utld.db"; };
diff --git a/bin/tests/system/dlv/ns1/root.db.in b/bin/tests/system/dlv/ns1/root.db.in
deleted file mode 100644
index f4faa25d3e..0000000000
--- a/bin/tests/system/dlv/ns1/root.db.in
+++ /dev/null
@@ -1,26 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld (
- 1 3600 1200 604800 60 )
-@ NS ns.rootservers.utld
-ns A 10.53.0.1
-;
-; A zone that is unsigned (utld=unsigned tld) that will include a second level
-; zone that acts as a DLV.
-;
-utld NS ns.utld
-ns.utld A 10.53.0.2
-;
-; A zone that has a bad DNSKEY RRset but has good DLV records for its child
-; zones.
-;
-druz NS ns.druz
-ns.druz A 10.53.0.2
diff --git a/bin/tests/system/dlv/ns1/rootservers.utld.db b/bin/tests/system/dlv/ns1/rootservers.utld.db
deleted file mode 100644
index 8491ed0e30..0000000000
--- a/bin/tests/system/dlv/ns1/rootservers.utld.db
+++ /dev/null
@@ -1,13 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
deleted file mode 100755
index 487d609a7f..0000000000
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-SYSTESTDIR=dlv
-
-(cd ../ns2 && $SHELL -e ./sign.sh || exit 1)
-
-echo_i "dlv/ns1/sign.sh"
-
-zone=.
-infile=root.db.in
-zonefile=root.db
-outfile=root.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-
-echo_i "signed $zone"
-
-keyfile_to_static_keys $keyname2 > trusted.conf
-cp trusted.conf ../ns5
-cp trusted.conf ../ns7
-cp trusted.conf ../ns8
diff --git a/bin/tests/system/dlv/ns2/druz.db.in b/bin/tests/system/dlv/ns2/druz.db.in
deleted file mode 100644
index 4e0f892a53..0000000000
--- a/bin/tests/system/dlv/ns2/druz.db.in
+++ /dev/null
@@ -1,47 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.2
-;
-rootservers NS ns.rootservers
-ns.rootservers A 10.53.0.1
-;
-;
-child1 NS ns.child1
-ns.child1 A 10.53.0.3
-;
-child2 NS ns.child2
-ns.child2 A 10.53.0.4
-;
-child3 NS ns.child3
-ns.child3 A 10.53.0.3
-;
-child4 NS ns.child4
-ns.child4 A 10.53.0.3
-;
-child5 NS ns.child5
-ns.child5 A 10.53.0.3
-;
-child6 NS ns.child6
-ns.child6 A 10.53.0.4
-;
-child7 NS ns.child7
-ns.child7 A 10.53.0.3
-;
-child8 NS ns.child8
-ns.child8 A 10.53.0.3
-;
-child9 NS ns.child9
-ns.child9 A 10.53.0.3
-;
-child10 NS ns.child10
-ns.child10 A 10.53.0.3
diff --git a/bin/tests/system/dlv/ns2/hints b/bin/tests/system/dlv/ns2/hints
deleted file mode 100644
index 381e86b152..0000000000
--- a/bin/tests/system/dlv/ns2/hints
+++ /dev/null
@@ -1,11 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns2/named.conf.in b/bin/tests/system/dlv/ns2/named.conf.in
deleted file mode 100644
index e10a9899b2..0000000000
--- a/bin/tests/system/dlv/ns2/named.conf.in
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-/* Root hints. */
-zone "." { type hint; file "hints"; };
-
-/*
- * A zone that is unsigned (utld=unsigned tld) that will include a second level
- * zone that acts as a DLV.
- */
-zone "utld" { type master; file "utld.db"; };
-
-/*
- * A zone that has a bad DNSKEY RRset but has good DLV records for its child
- * zones.
- */
-zone "druz" { type master; file "druz.signed"; };
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
deleted file mode 100755
index 8367725735..0000000000
--- a/bin/tests/system/dlv/ns2/sign.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-SYSTESTDIR=dlv
-
-(cd ../ns3 && $SHELL -e ./sign.sh || exit 1)
-
-echo_i "dlv/ns2/sign.sh"
-
-zone=druz.
-infile=druz.db.in
-zonefile=druz.db
-outfile=druz.pre
-dlvzone=utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-
-$CHECKZONE -q -D -i none druz druz.pre |
-sed '/IN DNSKEY/s/\([a-z0-9A-Z+/]\{10\}\)[a-z0-9A-Z+/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
-
-echo_i "signed $zone"
diff --git a/bin/tests/system/dlv/ns2/utld.db b/bin/tests/system/dlv/ns2/utld.db
deleted file mode 100644
index 4369968b0f..0000000000
--- a/bin/tests/system/dlv/ns2/utld.db
+++ /dev/null
@@ -1,61 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.2
-;
-rootservers NS ns.rootservers
-ns.rootservers A 10.53.0.1
-;
-dlv NS ns.dlv
-ns.dlv A 10.53.0.3
-;
-disabled-algorithm-dlv NS ns.disabled-algorithm-dlv
-ns.disabled-algorithm-dlv A 10.53.0.3
-;
-unsupported-algorithm-dlv NS ns.unsupported-algorithm-dlv
-ns.unsupported-algorithm-dlv A 10.53.0.3
-;
-child1 NS ns.child1
-ns.child1 A 10.53.0.3
-;
-child2 NS ns.child2
-ns.child2 A 10.53.0.4
-;
-child3 NS ns.child3
-ns.child3 A 10.53.0.3
-;
-child4 NS ns.child4
-ns.child4 A 10.53.0.3
-;
-child5 NS ns.child5
-ns.child5 A 10.53.0.3
-;
-child6 NS ns.child6
-ns.child6 A 10.53.0.4
-;
-child7 NS ns.child7
-ns.child7 A 10.53.0.3
-;
-child8 NS ns.child8
-ns.child8 A 10.53.0.3
-;
-child9 NS ns.child9
-ns.child9 A 10.53.0.3
-;
-child10 NS ns.child10
-ns.child10 A 10.53.0.3
-;
-disabled-algorithm NS ns.disabled-algorithm
-ns.disabled-algorithm A 10.53.0.3
-;
-unsupported-algorithm NS ns.unsupported-algorithm
-ns.unsupported-algorithm A 10.53.0.3
diff --git a/bin/tests/system/dlv/ns3/child.db.in b/bin/tests/system/dlv/ns3/child.db.in
deleted file mode 100644
index 11df807ab7..0000000000
--- a/bin/tests/system/dlv/ns3/child.db.in
+++ /dev/null
@@ -1,17 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.3
-foo TXT foo
-bar TXT bar
-grand NS ns.grand
-ns.grand A 10.53.0.6
diff --git a/bin/tests/system/dlv/ns3/dlv.db.in b/bin/tests/system/dlv/ns3/dlv.db.in
deleted file mode 100644
index fdc8ce9901..0000000000
--- a/bin/tests/system/dlv/ns3/dlv.db.in
+++ /dev/null
@@ -1,13 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.3
diff --git a/bin/tests/system/dlv/ns3/hints b/bin/tests/system/dlv/ns3/hints
deleted file mode 100644
index 381e86b152..0000000000
--- a/bin/tests/system/dlv/ns3/hints
+++ /dev/null
@@ -1,11 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns3/named.conf.in b/bin/tests/system/dlv/ns3/named.conf.in
deleted file mode 100644
index fc42a5571a..0000000000
--- a/bin/tests/system/dlv/ns3/named.conf.in
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.3;
- notify-source 10.53.0.3;
- transfer-source 10.53.0.3;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.3; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-/* Root hints. */
-zone "." { type hint; file "hints"; };
-
-/* DLV zone below unsigned TLD. */
-zone "dlv.utld" { type master; file "dlv.utld.signed"; };
-
-/* DLV zone signed with a disabled algorithm below unsigned TLD. */
-zone "disabled-algorithm-dlv.utld." {
- type master;
- file "disabled-algorithm-dlv.utld.signed";
-};
-
-/* DLV zone signed with an unsupported algorithm below unsigned TLD. */
-zone "unsupported-algorithm-dlv.utld." {
- type master;
- file "unsupported-algorithm-dlv.utld.signed";
-};
-
-/* Signed zone below unsigned TLD with DLV entry. */
-zone "child1.utld" { type master; file "child1.signed"; };
-
-/*
- * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
- * with a disabled algorithm.
- */
-zone "child3.utld" { type master; file "child3.signed"; };
-
-/*
- * Signed zone below unsigned TLD with DLV entry. This one is slightly
- * different because its children (the grandchildren) don't have a DS record in
- * this zone. The grandchild zones are served by ns6.
- *
- */
-zone "child4.utld" { type master; file "child4.signed"; };
-
-/*
- * Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
- * with an unsupported algorithm.
- */
-zone "child5.utld" { type master; file "child5.signed"; };
-
-/* Signed zone below unsigned TLD without DLV entry. 
 */
-zone "child7.utld" { type master; file "child7.signed"; };
-
-/*
- * Signed zone below unsigned TLD without DLV entry and no DS records for the
- * grandchildren.
- */
-zone "child8.utld" { type master; file "child8.signed"; };
-
-/* Signed zone below unsigned TLD with DLV entry. */
-zone "child9.utld" { type master; file "child9.signed"; };
-
-/* Unsigned zone below an unsigned TLD with DLV entry. */
-zone "child10.utld" { type master; file "child.db.in"; };
-
-/*
- * Zone signed with a disabled algorithm (an algorithm that is disabled in
- * one of the test resolvers) with DLV entry.
- */
-zone "disabled-algorithm.utld" {
- type master;
- file "disabled-algorithm.utld.signed";
-};
-
-/* Zone signed with an unsupported algorithm with DLV entry. */
-zone "unsupported-algorithm.utld" {
- type master;
- file "unsupported-algorithm.utld.signed";
-};
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust.
- */
-zone "child1.druz" { type master; file "child1.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust. The DLV zone is signed with a disabled algorithm.
- */
-zone "child3.druz" { type master; file "child3.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust. Also there are no DS records for the grandchildren.
- */
-zone "child4.druz" { type master; file "child4.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no chain of
- * trust. The DLV zone is signed with an unsupported algorithm.
- */
-zone "child5.druz" { type master; file "child5.druz.signed"; };
-
-/*
- * Signed zone below signed TLD without DLV entry, and no chain of
- * trust.
- */
-zone "child7.druz" { type master; file "child7.druz.signed"; };
-
-/*
- * Signed zone below signed TLD without DLV entry and no DS set. Also DS
- * records for the grandchildren are not included in the zone. 
- */
-zone "child8.druz" { type master; file "child8.druz.signed"; };
-
-/*
- * Signed zone below signed TLD with good DLV entry but no DS set. Also DS
- * records for the grandchildren are not included in the zone.
- */
-zone "child9.druz" { type master; file "child9.druz.signed"; };
-
-/*
- * Unsigned zone below signed TLD with good DLV entry but no chain of
- * trust.
- */
-zone "child10.druz" { type master; file "child.db.in"; };
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
deleted file mode 100755
index 3c8fbdc5d0..0000000000
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ /dev/null
@@ -1,397 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-(cd ../ns6 && $SHELL -e ./sign.sh)
-
-echo_i "dlv/ns3/sign.sh"
-
-dlvzone="dlv.utld"
-dlvsets=
-dssets=
-
-disableddlvzone="disabled-algorithm-dlv.utld"
-disableddlvsets=
-disableddssets=
-
-unsupporteddlvzone="unsupported-algorithm-dlv.utld"
-unsupporteddlvsets=
-unsupporteddssets=
-
-# Signed zone below unsigned TLD with DLV entry.
-zone=child1.utld
-infile=child.db.in
-zonefile=child1.utld.db
-outfile=child1.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
-# with a disabled algorithm. 
-zone=child3.utld
-infile=child.db.in
-zonefile=child3.utld.db
-outfile=child3.signed
-disableddlvsets="$disableddlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD with DLV entry. This one is slightly
-# different because its children (the grandchildren) don't have a DS record in
-# this zone. The grandchild zones are served by ns6.
-zone=child4.utld
-infile=child.db.in
-zonefile=child4.utld.db
-outfile=child4.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
-# with an unsupported algorithm. 
-zone=child5.utld
-infile=child.db.in
-zonefile=child5.utld.db
-outfile=child5.signed
-unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-# Signed zone below unsigned TLD without DLV entry.
-zone=child7.utld
-infile=child.db.in
-zonefile=child7.utld.db
-outfile=child7.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below unsigned TLD without DLV entry and no DS records for the
-# grandchildren.
-zone=child8.utld
-infile=child.db.in
-zonefile=child8.utld.db
-outfile=child8.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-# Signed zone below unsigned TLD with DLV entry. 
-zone=child9.utld
-infile=child.db.in
-zonefile=child9.utld.db
-outfile=child9.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-# Unsigned zone below an unsigned TLD with DLV entry. We still need to sign
-# the zone to generate the DLV set.
-zone=child10.utld
-infile=child.db.in
-zonefile=child10.utld.db
-outfile=child10.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Zone signed with a disabled algorithm (an algorithm that is disabled in
-# one of the test resolvers) with DLV entry.
-zone=disabled-algorithm.utld
-infile=child.db.in
-zonefile=disabled-algorithm.utld.db
-outfile=disabled-algorithm.utld.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f ${outfile} $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Zone signed with an unsupported algorithm with DLV entry. 
-zone=unsupported-algorithm.utld
-infile=child.db.in
-zonefile=unsupported-algorithm.utld.db
-outfile=unsupported-algorithm.utld.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
-awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
-
-cp ${keyname2}.key ${keyname2}.tmp
-awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
-cp dlvset-${zone}${TP} dlvset-${zone}tmp
-awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone}${TP}
-
-echo_i "signed $zone"
-
-# Signed zone below signed TLD with DLV entry and DS set.
-zone=child1.druz
-infile=child.db.in
-zonefile=child1.druz.db
-outfile=child1.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
-# signed with a disabled algorithm. 
-zone=child3.druz
-infile=child.db.in
-zonefile=child3.druz.db
-outfile=child3.druz.signed
-disableddlvsets="$disableddlvsets dlvset-${zone}${TP}"
-disableddssets="$disableddssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry and DS set, but missing
-# DS records for the grandchildren.
-zone=child4.druz
-infile=child.db.in
-zonefile=child4.druz.db
-outfile=child4.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
-# signed with an unsupported algorithm algorithm. 
-zone=child5.druz
-infile=child.db.in
-zonefile=child5.druz.db
-outfile=child5.druz.signed
-unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone}${TP}"
-unsupporteddssets="$unsupportedssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD without DLV entry, but with normal DS set.
-zone=child7.druz
-infile=child.db.in
-zonefile=child7.druz.db
-outfile=child7.druz.signed
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-dsfilename=../ns6/dsset-grand.${zone}${TP}
-cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
-
-$SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD without DLV entry and no DS set. Also DS
-# records for the grandchildren are not included in the zone.
-zone=child8.druz
-infile=child.db.in
-zonefile=child8.druz.db
-outfile=child8.druz.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Signed zone below signed TLD with DLV entry but no DS set. Also DS
-# records for the grandchildren are not included in the zone.
-zone=child9.druz
-infile=child.db.in
-zonefile=child9.druz.db
-outfile=child9.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-# Unsigned zone below signed TLD with DLV entry and DS set. We still need to
-# sign the zone to generate the DS sets.
-zone=child10.druz
-infile=child.db.in
-zonefile=child10.druz.db
-outfile=child10.druz.signed
-dlvsets="$dlvsets dlvset-${zone}${TP}"
-dssets="$dssets dsset-${zone}${TP}"
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-cp $dssets ../ns2
-cp $disableddssets ../ns2
-cp $unsupporteddssets ../ns2
-
-# DLV zones
-infile=dlv.db.in
-for zone in dlv.utld disabled-algorithm-dlv.utld unsupported-algorithm-dlv.utld
-do
- zonefile="${zone}.db"
- outfile="${zone}.signed"
-
- case $zone in
- "dlv.utld")
- algorithm=$DEFAULT_ALGORITHM
- bits=$DEFAULT_BITS
- dlvfiles=$dlvsets
- ;;
- "disabled-algorithm-dlv.utld")
- algorithm=$DISABLED_ALGORITHM
- bits=$DISABLED_BITS
- dlvfiles=$disableddlvsets
- ;;
- "unsupported-algorithm-dlv.utld")
- algorithm=$DEFAULT_ALGORITHM
- bits=$DEFAULT_BITS
- dlvfiles=$unsupporteddlvsets
- ;;
- esac
-
- keyname1=`$KEYGEN -a $algorithm -b $bits -n zone $zone 2> /dev/null`
- keyname2=`$KEYGEN -f KSK -a $algorithm -b $bits -n zone $zone 2> /dev/null`
-
- cat $infile $dlvfiles $keyname1.key $keyname2.key >$zonefile
-
- case $zone in
- "dlv.utld")
- $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
- keyfile_to_static_keys $keyname2 > ../ns5/trusted-dlv.conf
- ;;
- "disabled-algorithm-dlv.utld")
- $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
- keyfile_to_static_keys $keyname2 > ../ns8/trusted-dlv-disabled.conf
- ;;
- "unsupported-algorithm-dlv.utld")
- cp ${keyname2}.key ${keyname2}.tmp
- $SIGNER -O full -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
- awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
- awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
- keyfile_to_static_keys $keyname2 > ../ns7/trusted-dlv-unsupported.conf
- ;;
- esac
-
- echo_i "signed $zone"
-done
diff --git a/bin/tests/system/dlv/ns4/child.db b/bin/tests/system/dlv/ns4/child.db
deleted file mode 100644
index c123f70a95..0000000000
--- a/bin/tests/system/dlv/ns4/child.db
+++ /dev/null
@@ -1,34 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.3
-;
-rootservers NS ns.rootservers
-ns.rootservers A 10.53.0.1
-;
-child1 NS ns.child1
-ns.child1 A 10.53.0.3
-;
-child2 NS ns.child2
-ns.child2 A 10.53.0.4
-;
-child3 NS ns.child3
-ns.child3 A 10.53.0.3
-;
-child4 NS ns.child4
-ns.child4 A 10.53.0.3
-;
-child5 NS ns.child5
-ns.child5 A 10.53.0.3
-;
-child6 NS ns.child5
-ns.child6 A 10.53.0.4
diff --git a/bin/tests/system/dlv/ns4/hints b/bin/tests/system/dlv/ns4/hints
deleted file mode 100644
index 381e86b152..0000000000
--- a/bin/tests/system/dlv/ns4/hints
+++ /dev/null
@@ -1,11 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns4/named.conf.in b/bin/tests/system/dlv/ns4/named.conf.in
deleted file mode 100644
index a98dd6b92b..0000000000
--- a/bin/tests/system/dlv/ns4/named.conf.in
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.4;
- notify-source 10.53.0.4;
- transfer-source 10.53.0.4;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.4; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-zone "." { type hint; file "hints"; };
-zone "child2.utld" { type master; file "child.db"; };
-zone "child6.utld" { type master; file "child.db"; };
diff --git a/bin/tests/system/dlv/ns5/hints b/bin/tests/system/dlv/ns5/hints
deleted file mode 100644
index 381e86b152..0000000000
--- a/bin/tests/system/dlv/ns5/hints
+++ /dev/null
@@ -1,11 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns5/named.conf.in b/bin/tests/system/dlv/ns5/named.conf.in
deleted file mode 100644
index 88ef997771..0000000000
--- a/bin/tests/system/dlv/ns5/named.conf.in
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "trusted.conf";
-include "trusted-dlv.conf";
-
-options {
- query-source address 10.53.0.5;
- notify-source 10.53.0.5;
- transfer-source 10.53.0.5;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.5; };
- listen-on-v6 { none; };
- recursion yes;
- notify yes;
- dnssec-validation yes;
- dnssec-lookaside "." trust-anchor "dlv.utld";
- disable-algorithms "utld." { @DISABLED_ALGORITHM@; };
-};
-
-zone "." { type hint; file "hints"; };
diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf
deleted file mode 100644
index 02bce92708..0000000000
--- a/bin/tests/system/dlv/ns5/rndc.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- algorithm hmac-sha256;
- secret "34f88008d07deabbe65bd01f1d233d47";
-};
-
-options {
- default-server 10.53.0.5;
- default-port 5353;
-};
diff --git a/bin/tests/system/dlv/ns6/child.db.in b/bin/tests/system/dlv/ns6/child.db.in
deleted file mode 100644
index 09a942ed5f..0000000000
--- a/bin/tests/system/dlv/ns6/child.db.in
+++ /dev/null
@@ -1,15 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 120
-@ SOA ns hostmaster.ns6 1 3600 1200 604800 60
-@ NS ns
-ns A 10.53.0.6
-foo TXT foo
-bar TXT bar
diff --git a/bin/tests/system/dlv/ns6/hints b/bin/tests/system/dlv/ns6/hints
deleted file mode 100644
index 381e86b152..0000000000
--- a/bin/tests/system/dlv/ns6/hints
+++ /dev/null
@@ -1,11 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns6/named.conf.in b/bin/tests/system/dlv/ns6/named.conf.in
deleted file mode 100644
index 15583c2a4c..0000000000
--- a/bin/tests/system/dlv/ns6/named.conf.in
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.6;
- notify-source 10.53.0.6;
- transfer-source 10.53.0.6;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.6; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-zone "." { type hint; file "hints"; };
-zone "grand.child1.utld" { type master; file "grand.child1.signed"; };
-zone "grand.child3.utld" { type master; file "grand.child3.signed"; };
-zone "grand.child4.utld" { type master; file "grand.child4.signed"; };
-zone "grand.child5.utld" { type master; file "grand.child5.signed"; };
-zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
-zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
-zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
-zone "grand.child10.utld" { type master; file "grand.child10.signed"; };
-zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
-zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
-zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
-zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
-zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
-zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
-zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
-zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
deleted file mode 100755
index 65f5f5d42b..0000000000
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ /dev/null
@@ -1,251 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-SYSTESTDIR=dlv
-
-echo_i "dlv/ns6/sign.sh"
-
-zone=grand.child1.utld.
-infile=child.db.in
-zonefile=grand.child1.utld.db
-outfile=grand.child1.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child3.utld.
-infile=child.db.in
-zonefile=grand.child3.utld.db
-outfile=grand.child3.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child4.utld.
-infile=child.db.in
-zonefile=grand.child4.utld.db
-outfile=grand.child4.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child5.utld.
-infile=child.db.in
-zonefile=grand.child5.utld.db
-outfile=grand.child5.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child7.utld.
-infile=child.db.in
-zonefile=grand.child7.utld.db
-outfile=grand.child7.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child8.utld.
-infile=child.db.in
-zonefile=grand.child8.utld.db
-outfile=grand.child8.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child9.utld.
-infile=child.db.in
-zonefile=grand.child9.utld.db
-outfile=grand.child9.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-zone=grand.child10.utld.
-infile=child.db.in
-zonefile=grand.child10.utld.db
-outfile=grand.child10.signed
-dlvzone=dlv.utld.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-zone=grand.child1.druz.
-infile=child.db.in
-zonefile=grand.child1.druz.db
-outfile=grand.child1.druz.signed
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child3.druz.
-infile=child.db.in
-zonefile=grand.child3.druz.db
-outfile=grand.child3.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child4.druz.
-infile=child.db.in
-zonefile=grand.child4.druz.db
-outfile=grand.child4.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child5.druz.
-infile=child.db.in
-zonefile=grand.child5.druz.db
-outfile=grand.child5.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child7.druz.
-infile=child.db.in
-zonefile=grand.child7.druz.db
-outfile=grand.child7.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child8.druz.
-infile=child.db.in
-zonefile=grand.child8.druz.db
-outfile=grand.child8.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-
-zone=grand.child9.druz.
-infile=child.db.in
-zonefile=grand.child9.druz.db
-outfile=grand.child9.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
-
-zone=grand.child10.druz.
-infile=child.db.in
-zonefile=grand.child10.druz.db
-outfile=grand.child10.druz.signed
-dlvzone=dlv.druz.
-
-keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
-
-cat $infile $keyname1.key $keyname2.key >$zonefile
-
-$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
-echo_i "signed $zone"
diff --git a/bin/tests/system/dlv/ns7/hints b/bin/tests/system/dlv/ns7/hints
deleted file mode 100644
index cdf0f26f78..0000000000
--- a/bin/tests/system/dlv/ns7/hints
+++ /dev/null
@@ -1,12 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
-
diff --git a/bin/tests/system/dlv/ns7/named.conf.in b/bin/tests/system/dlv/ns7/named.conf.in
deleted file mode 100644
index fd9c7c8aaa..0000000000
--- a/bin/tests/system/dlv/ns7/named.conf.in
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "trusted.conf";
-include "trusted-dlv-unsupported.conf";
-
-options {
- query-source address 10.53.0.7;
- notify-source 10.53.0.7;
- transfer-source 10.53.0.7;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.7; };
- listen-on-v6 { none; };
- recursion yes;
- notify yes;
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside "." trust-anchor "unsupported-algorithm-dlv.utld";
-};
-
-zone "." { type hint; file "hints"; };
-
diff --git a/bin/tests/system/dlv/ns8/hints b/bin/tests/system/dlv/ns8/hints
deleted file mode 100644
index cdf0f26f78..0000000000
--- a/bin/tests/system/dlv/ns8/hints
+++ /dev/null
@@ -1,12 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. 0 NS ns.rootservers.utld.
-ns.rootservers.utld. 0 A 10.53.0.1
-
diff --git a/bin/tests/system/dlv/ns8/named.conf.in b/bin/tests/system/dlv/ns8/named.conf.in
deleted file mode 100644
index 6e58019fe1..0000000000
--- a/bin/tests/system/dlv/ns8/named.conf.in
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "trusted.conf";
-include "trusted-dlv-disabled.conf";
-
-options {
- query-source address 10.53.0.8;
- notify-source 10.53.0.8;
- transfer-source 10.53.0.8;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.8; };
- listen-on-v6 { none; };
- recursion yes;
- notify yes;
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside "." trust-anchor "disabled-algorithm-dlv.utld";
- disable-algorithms "disabled-algorithm-dlv.utld." { @DISABLED_ALGORITHM@; };
-};
-
-zone "." { type hint; file "hints"; };
-
diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh
deleted file mode 100644
index e1bd565745..0000000000
--- a/bin/tests/system/dlv/setup.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-$SHELL clean.sh
-
-copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
-copy_setports ns4/named.conf.in ns4/named.conf
-copy_setports ns5/named.conf.in ns5/named.conf
-copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
-copy_setports ns8/named.conf.in ns8/named.conf
-
-(cd ns1 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/dlv/tests.sh b/bin/tests/system/dlv/tests.sh
deleted file mode 100644
index a3046303a7..0000000000
--- a/bin/tests/system/dlv/tests.sh
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-status=0
-n=0
-
-rm -f dig.out.*
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-
-echo_i "checking that unsigned TLD zone DNSKEY referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking that unsigned TLD child zone DNSKEY referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking that no chain of trust SOA referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking that no chain of trust child SOA referenced by DLV validates as secure ($n)"
-ret=0
-$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with an unsupported algorithm,
-# referenced by a good DLV zone, yields an insecure response.
-echo_i "checking that unsupported algorithm TXT referenced by DLV validates as insecure ($n)"
-ret=0
-$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS foo.unsupported-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-grep -q "foo\.unsupported-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with a disabled algorithm,
-# referenced by a good DLV zone, yields an insecure response.
-echo_i "checking that disabled algorithm TXT referenced by DLV validates as insecure ($n)"
-ret=0
-$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.3 > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS foo.disabled-algorithm.utld txt @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-grep -q "foo\.disabled-algorithm\.utld\..*TXT.*\"foo\"" dig.out.ns5.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with a known algorithm, referenced by
-# a DLV zone that is signed with a disabled algorithm, yields a bogus
-# response.
-echo_i "checking that good signed TXT referenced by disabled algorithm DLV validates as bogus ($n)"
-ret=0
-$DIG $DIGOPTS foo.child3.utld txt @10.53.0.8 > dig.out.ns8.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-grep -q "foo\.child3\.utld\..*TXT.*\"foo\"" dig.out.ns8.test$n && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-# Test that a child zone that is signed with a known algorithm, referenced by
-# a DLV zone that is signed with an unsupported algorithm, yields a bogus
-# response.
-echo_i "checking that good signed TXT referenced by unsupported algorithm DLV validates as bogus ($n)"
-ret=0
-$DIG $DIGOPTS foo.child5.utld txt @10.53.0.7 > dig.out.ns7.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns7.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns7.test$n > /dev/null && ret=1
-grep -q "foo\.child5\.utld\..*TXT.*\"foo\"" dig.out.ns7.test$n && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README
index df83eb14e2..ecc503a780 100644
--- a/bin/tests/system/dnssec/README
+++ b/bin/tests/system/dnssec/README
@@ -14,9 +14,12 @@ for the root.
 ns5 is a caching-only server, configured with the an incorrect trusted key for the root. It is used for testing failure cases.
-ns6 is a caching-only server configured to use DLV.
+ns6 is an caching and authoritative server used for testing unusual
+server behaviors such as disabled DNSSEC algorithms.
 ns7 is used for checking non-cacheable answers.
 ns8 is a caching-only server, configured with unsupported and disabled algorithms. It is used for testing failure cases.
+
+ns9 is a forwarding-only server.
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index bee3bbfd62..6745d436d2 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -11,7 +11,7 @@ set -e
-rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/dlvset-* ./*/signedkey-* ./*/*.signed
+rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
 rm -f ./*/example.bk
 rm -f ./*/named.conf
 rm -f ./*/named.memstats
@@ -44,10 +44,8 @@ rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
 rm -f ./ns2/cds-kskonly.secure.db
 rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
 rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
-rm -f ./ns2/dlv.db
 rm -f ./ns2/in-addr.arpa.db
 rm -f ./ns2/nsec3chain-test.db
-rm -f ./ns2/private.secure.example.db
 rm -f ./ns2/single-nsec3.db
 rm -f ./ns2/updatecheck-kskonly.secure.*
 rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
index 7fdbab9c4e..a446619cae 100644
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -20,8 +20,6 @@ a.root-servers.nil. A 10.53.0.1
 example. NS ns2.example.
 ns2.example. A 10.53.0.2
-dlv. NS ns2.dlv.
-ns2.dlv. A 10.53.0.2
 algroll. NS ns2.algroll.
 ns2.algroll. A 10.53.0.2
 managed. NS ns2.managed.
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 631411a9f2..385d3100a7 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -25,7 +25,6 @@ zonefile=root.db
 echo_i "ns1/sign.sh"
 cp "../ns2/dsset-example$TP" .
-cp "../ns2/dsset-dlv$TP" .
 cp "../ns2/dsset-in-addr.arpa$TP" .
 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
diff --git a/bin/tests/system/dnssec/ns2/dlv.db.in b/bin/tests/system/dnssec/ns2/dlv.db.in
deleted file mode 100644
index 836359dc56..0000000000
--- a/bin/tests/system/dnssec/ns2/dlv.db.in
+++ /dev/null
@@ -1,19 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA mname1. . (
- 2000042407 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns2
-ns2 A 10.53.0.2
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 7a4bcf0cdc..ebef86da9c 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -40,11 +40,6 @@ zone "." {
 file "../../common/root.hint";
 };
 
-zone "dlv" {
- type master;
- file "dlv.db.signed";
-};
-
 zone "trusted" {
 type master;
 file "trusted.db.signed";
@@ -61,12 +56,6 @@ zone "example" {
 allow-update { any; };
 };
 
-zone "private.secure.example" {
- type master;
- file "private.secure.example.db.signed";
- allow-update { any; };
-};
-
 zone "insecure.secure.example" {
 type master;
 file "insecure.secure.example.db";
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index c90f620e86..7413d7e3e1 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -136,31 +136,6 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon
 cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
 "$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
 
-# Sign the privately secure file
-
-privzone=private.secure.example
-privinfile=private.secure.example.db.in
-privzonefile=private.secure.example.db
-
-privkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$privzone")
-
-cat "$privinfile" "$privkeyname.key" > "$privzonefile"
-
-"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null 2>&1
-
-# Sign the DLV secure zone.
-
-dlvzone=dlv.
-dlvinfile=dlv.db.in
-dlvzonefile=dlv.db
-dlvsetfile="dlvset-${privzone}${TP}"
-
-dlvkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$dlvzone")
-
-cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile"
-
-"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null 2>&1
-
 # Sign the badparam secure file
 
 zone=badparam.
diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in
index 61a7cce5a4..29279c2f98 100644
--- a/bin/tests/system/dnssec/ns6/named.conf.in
+++ b/bin/tests/system/dnssec/ns6/named.conf.in
@@ -23,7 +23,6 @@ options {
 notify yes;
 disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
 dnssec-validation yes;
- dnssec-lookaside . trust-anchor dlv;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 243b0a6426..54be389d55 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1212,34 +1212,6 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-echo_i "checking that positive validation in a privately secure zone works ($n)"
-ret=0
-dig_with_opts +noauth a.private.secure.example. a @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth a.private.secure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "checking that negative validation in a privately secure zone works ($n)"
-ret=0
-dig_with_opts +noauth q.private.secure.example. a @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth q.private.secure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "checking that lookups succeed after disabling an algorithm ($n)"
 ret=0
 dig_with_opts +noauth example. SOA @10.53.0.2 \
@@ -1253,28 +1225,6 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-echo_i "checking privately secure to nxdomain works ($n)"
-ret=0
-dig_with_opts +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "checking privately secure wildcard to nxdomain works ($n)"
-ret=0
-dig_with_opts +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "checking a non-cachable NODATA works ($n)"
 ret=0
 dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \
@@ -1299,21 +1249,6 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-#
-# private.secure.example is served by the same server as its
-# grand parent and there is not a secure delegation from secure.example
-# to private.secure.example. In addition secure.example is using a
-# algorithm which the validation does not support.
-#
-echo_i "checking dnssec-lookaside-validation works ($n)"
-ret=0
-dig_with_opts private.secure.example. SOA @10.53.0.6 \
- > dig.out.ns6.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "checking that we can load a rfc2535 signed zone ($n)"
 ret=0
 dig_with_opts rfc2535.example. SOA @10.53.0.2 \
@@ -2433,7 +2368,7 @@ status=$((status+ret)) echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" ret=0 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1 +dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 n=$((n+1)) diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh index b1b17e1a9d..44e27ed488 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -14,8 +14,6 @@ SYSTEMTESTTOP=../.. SYSTESTDIR=filter-aaaa -dlvsets= - zone=signed. infile=signed.db.in zonefile=signed.db.signed diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh index 20cc4a3f1b..a5019690b2 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh @@ -14,8 +14,6 @@ SYSTEMTESTTOP=../.. SYSTESTDIR=filter-aaaa -dlvsets= - zone=signed. infile=signed.db.in zonefile=signed.db.signed diff --git a/bin/tests/system/wildcard/ns1/named.conf.in b/bin/tests/system/wildcard/ns1/named.conf.in index 092ae79fde..bfe8251c40 100644 --- a/bin/tests/system/wildcard/ns1/named.conf.in +++ b/bin/tests/system/wildcard/ns1/named.conf.in @@ -24,8 +24,6 @@ options { zone "." { type master; file "root.db.signed"; }; -zone "dlv" { type master; file "dlv.db.signed"; }; - zone "nsec" { type master; file "nsec.db.signed"; }; zone "private.nsec" { type master; file "private.nsec.db.signed"; }; diff --git a/bin/tests/system/wildcard/ns1/root.db.in b/bin/tests/system/wildcard/ns1/root.db.in index 493140f203..3fcc8a11e1 100644 --- a/bin/tests/system/wildcard/ns1/root.db.in +++ b/bin/tests/system/wildcard/ns1/root.db.in 
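Review bot: The changed `dig_with_opts` line still writes its capture to `dig.out.ns6.test$n` although the query now goes to 10.53.0.4, so a failing run leaves a file whose name points at the wrong server; rename it to `dig.out.ns4.test$n` on that line and on the following `digcomp` and `grep "status: NOERROR"` lines. The test block is complete within the hunk. Presumably ns6 was used before because it was the DLV-configured validator, and with the README now describing ns6 as a caching/authoritative server for unusual behaviours, ns4 looks like the intended validating resolver to compare against, but that is inferred rather than visible here.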
@@ -11,6 +11,5 @@ $TTL 120 @ SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400 @ NS a.root-servers.nil a.root-servers.nil A 10.53.0.1 -dlv NS a.root-servers.nil nsec NS a.root-servers.nil nsec3 NS a.root-servers.nil diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh index de80eb7922..b89331ce3e 100755 --- a/bin/tests/system/wildcard/ns1/sign.sh +++ b/bin/tests/system/wildcard/ns1/sign.sh @@ -16,20 +16,6 @@ SYSTESTDIR=wildcard dssets= -zone=dlv -infile=dlv.db.in -zonefile=dlv.db -outfile=dlv.db.signed -dssets="$dssets dsset-${zone}${TP}" - -keyname1=`$KEYGEN -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` - -cat $infile $keyname1.key $keyname2.key > $zonefile - -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err -echo_i "signed $zone" - zone=nsec infile=nsec.db.in zonefile=nsec.db diff --git a/bin/tests/system/wildcard/ns5/named.conf.in b/bin/tests/system/wildcard/ns5/named.conf.in index c54ed2ea19..abe2d5d020 100644 --- a/bin/tests/system/wildcard/ns5/named.conf.in +++ b/bin/tests/system/wildcard/ns5/named.conf.in @@ -20,7 +20,6 @@ options { recursion yes; dnssec-validation yes; notify yes; - dnssec-lookaside . trust-anchor dlv; }; include "../ns1/trusted.conf"; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 09dca7f4c1..749a3bb4bc 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
@@ -2184,11 +2184,11 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; dnssec-signzone - will also produce a keyset and dsset files and optionally a - dlvset file. These are used to provide the parent zone - administrators with the DNSKEYs (or their - corresponding DS records) that are the - secure entry point to the zone. + will also produce a keyset and dsset files. These are used + to provide the parent zone administrators with the + DNSKEYs (or their corresponding + DS records) that are the secure entry + point to the zone. @@ -5069,7 +5069,7 @@ options { disable-ds-digests - Disable the specified DS/DLV digest types at and below the + Disable the specified DS digest types at and below the specified name. Multiple disable-ds-digests statements are allowed. @@ -5084,40 +5084,6 @@ options { - - dnssec-lookaside - - - When set, dnssec-lookaside provides the - validator with an alternate method to validate DNSKEY - records at the top of a zone. When a DNSKEY is at or - below a domain specified by the deepest - dnssec-lookaside, and the normal DNSSEC - validation has left the key untrusted, the trust-anchor - will be appended to the key name and a DLV record will be - looked up to see if it can validate the key. If the DLV - record validates a DNSKEY (similarly to the way a DS - record does) the DNSKEY RRset is deemed to be trusted. - - - If dnssec-lookaside is set to - no, then dnssec-lookaside - is not used. - - - This option is deprecated and its use is discouraged. - - - NOTE: The ISC-provided DLV service at - dlv.isc.org, has been shut down. - The dnssec-lookaside auto; - configuration option, which set named - up to use ISC DLV with minimal configuration, has - accordingly been removed. - - - - dnssec-must-be-secure 
@@ -13338,7 +13304,7 @@ view external { - A DNS Look-aside Validation record which contains + A DNS Lookaside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431. diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 38b250662e..231d6fa66e 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -204,8 +204,13 @@ - The dnssec-lookaside option has been deprecated. - The feature still works, but it is discouraged to use it. [GL #7] + DNSSEC Lookaside Validation (DLV) is now obsolete. + The dnssec-lookaside option has been + marked as deprecated; when used in named.conf, + it will generate a warning but will otherwise be ignored. + All code enabling the use of lookaside validation has been removed + from the validator, delv, and the DNSSEC tools. + [GL #7] @@ -216,9 +221,7 @@ named will now log a warning if - a static key is configured for the root zone, or if - any key is configured for "dlv.isc.org", which has been shut - down. [GL #6] + a static key is configured for the root zone. [GL #6] diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml index ed399c07dd..3cd76e6d3d 100644 --- a/doc/arm/options.grammar.xml +++ b/doc/arm/options.grammar.xml @@ -58,7 +58,7 @@ check-srv-cname ( fail | warn | ignore ); check-wildcard boolean; clients-per-query integer; - cookie-algorithm ( aes | sha1 | sha256 ); + cookie-algorithm ( aes | siphash24 ); cookie-secret string; coresize ( default | unlimited | sizeval ); datasize ( default | unlimited | sizeval ); @@ -89,9 +89,6 @@ dnssec-accept-expired boolean; dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; - dnssec-lookaside ( string - trust-anchor string | - auto | no ); deprecated dnssec-must-be-secure string boolean; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in index 0483f587b8..d6a0dcf1d9 100644 --- a/doc/misc/Makefile.in 
+++ b/doc/misc/Makefile.in 
@@ -33,26 +33,30 @@ options: FORCE if test -x ${CFG_TEST} ; \ then \ ${CFG_TEST} --named --grammar > $@.raw ; \ - ${CFG_TEST} --zonegrammar master > master.zoneopt ; \ - ${CFG_TEST} --zonegrammar slave > slave.zoneopt ; \ - ${CFG_TEST} --zonegrammar mirror > mirror.zoneopt ; \ - ${CFG_TEST} --zonegrammar forward > forward.zoneopt ; \ - ${CFG_TEST} --zonegrammar hint > hint.zoneopt ; \ - ${CFG_TEST} --zonegrammar stub > stub.zoneopt ; \ - ${CFG_TEST} --zonegrammar static-stub > static-stub.zoneopt ; \ - ${CFG_TEST} --zonegrammar redirect > redirect.zoneopt ; \ - ${CFG_TEST} --zonegrammar delegation-only > delegation-only.zoneopt ; \ - ${CFG_TEST} --zonegrammar in-view > in-view.zoneopt ; \ ${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \ ${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \ mv -f $@.new $@ ; \ + ${CFG_TEST} --named --grammar --active > $@.raw ; \ + ${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \ + ${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \ + mv -f $@.new $@.active ; \ rm -f $@.raw $@.sorted ; \ + ${CFG_TEST} --zonegrammar master --active > master.zoneopt ; \ + ${CFG_TEST} --zonegrammar slave --active > slave.zoneopt ; \ + ${CFG_TEST} --zonegrammar mirror --active > mirror.zoneopt ; \ + ${CFG_TEST} --zonegrammar forward --active > forward.zoneopt ; \ + ${CFG_TEST} --zonegrammar hint --active > hint.zoneopt ; \ + ${CFG_TEST} --zonegrammar stub --active > stub.zoneopt ; \ + ${CFG_TEST} --zonegrammar static-stub --active > static-stub.zoneopt ; \ + ${CFG_TEST} --zonegrammar redirect --active > redirect.zoneopt ; \ + ${CFG_TEST} --zonegrammar delegation-only --active > delegation-only.zoneopt ; \ + ${CFG_TEST} --zonegrammar in-view --active > in-view.zoneopt ; \ else \ rm -f $@.new $@.raw $@.sorted ; \ fi docbook: options - ${PERL} docbook-options.pl options > ${top_srcdir}/bin/named/named.conf.docbook + ${PERL} docbook-options.pl options.active > ${top_srcdir}/bin/named/named.conf.docbook ${PERL} 
docbook-zoneopt.pl master.zoneopt > ${top_srcdir}/doc/arm/master.zoneopt.xml ${PERL} docbook-zoneopt.pl slave.zoneopt > ${top_srcdir}/doc/arm/slave.zoneopt.xml ${PERL} docbook-zoneopt.pl mirror.zoneopt > ${top_srcdir}/doc/arm/mirror.zoneopt.xml 
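Review bot: The `docbook` rule still names only `options` as its prerequisite, yet its recipe (here and in the second hunk, `@@ -63,14 +67,14 @@`) now reads `options.active`, which exists only as a side effect of the `options` recipe; when `options` is up to date but `options.active` is missing or stale, make will not regenerate it and the ARM grammar is built from an old file. Declaring the dependency explicitly, e.g. `docbook: options options.active` together with a rule such as `options.active: options` (or a comment on the `options:` target stating that it also produces `$@.active` and every `*.zoneopt`), keeps that coupling visible. The `else` branch's `rm -f $@.new $@.raw $@.sorted` likewise leaves any previous `$@.active` in place, which is worth a one-line comment if that is intentional.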
@@ -63,14 +67,14 @@ docbook: options ${PERL} docbook-zoneopt.pl redirect.zoneopt > ${top_srcdir}/doc/arm/redirect.zoneopt.xml ${PERL} docbook-zoneopt.pl delegation-only.zoneopt > ${top_srcdir}/doc/arm/delegation-only.zoneopt.xml ${PERL} docbook-zoneopt.pl in-view.zoneopt > ${top_srcdir}/doc/arm/in-view.zoneopt.xml - ${PERL} docbook-grammars.pl options acl > ${top_srcdir}/doc/arm/acl.grammar.xml - ${PERL} docbook-grammars.pl options controls > ${top_srcdir}/doc/arm/controls.grammar.xml - ${PERL} docbook-grammars.pl options key > ${top_srcdir}/doc/arm/key.grammar.xml - ${PERL} docbook-grammars.pl options logging > ${top_srcdir}/doc/arm/logging.grammar.xml - ${PERL} docbook-grammars.pl options masters > ${top_srcdir}/doc/arm/masters.grammar.xml - ${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml - ${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml - ${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml - ${PERL} docbook-grammars.pl options dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml - ${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml - ${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml + ${PERL} docbook-grammars.pl options.active acl > ${top_srcdir}/doc/arm/acl.grammar.xml + ${PERL} docbook-grammars.pl options.active controls > ${top_srcdir}/doc/arm/controls.grammar.xml + ${PERL} docbook-grammars.pl options.active key > ${top_srcdir}/doc/arm/key.grammar.xml + ${PERL} docbook-grammars.pl options.active logging > ${top_srcdir}/doc/arm/logging.grammar.xml + ${PERL} docbook-grammars.pl options.active masters > ${top_srcdir}/doc/arm/masters.grammar.xml + ${PERL} docbook-grammars.pl options.active options > ${top_srcdir}/doc/arm/options.grammar.xml + ${PERL} docbook-grammars.pl options.active server > 
${top_srcdir}/doc/arm/server.grammar.xml + ${PERL} docbook-grammars.pl options.active statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml + ${PERL} docbook-grammars.pl options.active dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml + ${PERL} docbook-grammars.pl options.active managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml + ${PERL} docbook-grammars.pl options.active trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml diff --git a/doc/misc/docbook-grammars.pl b/doc/misc/docbook-grammars.pl index 98236beec9..9eb8c81126 100644 --- a/doc/misc/docbook-grammars.pl +++ b/doc/misc/docbook-grammars.pl @@ -59,12 +59,6 @@ while () { $display = 1 } - if (m{// not.*implemented} || m{// obsolete} || - m{// ancient} || m{// test.*only}) - { - next; - } - s{ // not configured}{}; s{ // non-operational}{}; s{ // may occur multiple times,*}{}; diff --git a/doc/misc/docbook-options.pl b/doc/misc/docbook-options.pl index 92f3c78bd4..7d29c0742d 100644 --- a/doc/misc/docbook-options.pl +++ b/doc/misc/docbook-options.pl @@ -120,12 +120,6 @@ while () { my $blank = 0; while () { - if (m{// not.*implemented} || m{// obsolete} || - m{// ancient} || m{// test.*only}) - { - next; - } - s{ // not configured}{}; s{ // non-operational}{}; s{ (// )*may occur multiple times,*}{}; @@ -140,22 +134,22 @@ while () { $HEADING END - if ($1 eq "trusted-keys") { - print <Deprecated - see DNSSEC-KEYS. END - } + } - if ($1 eq "managed-keys") { - print <Deprecated - see DNSSEC-KEYS. END - } + } print < END - } + } if (m{^\s*$} && !$blank) { $blank = 1; diff --git a/doc/misc/docbook-zoneopt.pl b/doc/misc/docbook-zoneopt.pl index 0a1354bba2..14d156be1a 100644 --- a/doc/misc/docbook-zoneopt.pl +++ b/doc/misc/docbook-zoneopt.pl @@ -44,12 +44,6 @@ print <) { - if (m{// not.*implemented} || m{// obsolete} || - m{// ancient} || m{// test.*only}) - { - next; - } - s{ // not configured}{}; s{ // may occur multiple times,*}{}; s{<([a-z0-9_-]+)>}{$1}g; 
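Review bot: With the `// obsolete`/`// ancient`/`// test only`/`// not implemented` skip removed, docbook-grammars.pl no longer prunes anything itself and silently relies on its input already being the `--active` grammar from cfg_test; the same applies to the hunks in docbook-options.pl (`@@ -120,12 +120,6 @@`) and docbook-zoneopt.pl (`@@ -44,12 +44,6 @@`). Running any of the three against the unpruned `options` file would now emit obsolete and test-only statements into the ARM without any warning. A header comment such as `# Input must be the --active grammar (doc/misc/options.active or a *.zoneopt file); obsolete, ancient and test-only entries are no longer filtered here.` would make that contract explicit. Whether `--active` also drops the `// not implemented` entries the old filter handled is not visible in this diff and worth confirming.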
diff --git a/doc/misc/format-options.pl b/doc/misc/format-options.pl index 338d61ebdb..5fa3db11a0 100644 --- a/doc/misc/format-options.pl +++ b/doc/misc/format-options.pl @@ -11,7 +11,7 @@ print < [ ] { notify-source ( | * ) [ port ( | * ) ] [ dscp ]; notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; - nsec3-test-zone ; // test only serial-update-method ( date | increment | unixtime ); sig-signing-nodes ; sig-signing-signatures ; diff --git a/doc/misc/options b/doc/misc/options index 15638335e0..f06de0a369 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -1,5 +1,5 @@ -This is a summary of the named.conf options supported by +This is a summary of the named.conf options supported by this version of BIND 9. acl { ; ... }; // may occur multiple times @@ -148,7 +148,7 @@ options { dnssec-loadkeys-interval ; dnssec-lookaside ( trust-anchor | - auto | no ); // may occur multiple times, deprecated + auto | no ); // obsolete, may occur multiple times dnssec-must-be-secure ; // may occur multiple times dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); @@ -193,7 +193,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); // not configured + geoip-directory ( | none ); geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // ancient @@ -214,7 +214,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; // non-operational + lmdb-mapsize ; lock-file ( | none ); maintain-ixfr-base ; // ancient managed-keys-directory ; @@ -527,7 +527,7 @@ view [ ] { dnssec-loadkeys-interval ; dnssec-lookaside ( trust-anchor | - auto | no ); // may occur multiple times, deprecated + auto | no ); // obsolete, may occur multiple times dnssec-must-be-secure ; // may occur multiple times dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); 
@@ -565,7 +565,7 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; // non-operational + lmdb-mapsize ; maintain-ixfr-base ; // ancient managed-keys { ( static-key | initial-key diff --git a/doc/misc/options.active b/doc/misc/options.active new file mode 100644 index 0000000000..9820f026ac --- /dev/null +++ b/doc/misc/options.active 
@@ -0,0 +1,867 @@ + +This is a summary of the named.conf options supported by +this version of BIND 9. + +acl { ; ... }; // may occur multiple times + +controls { + inet ( | | + * ) [ port ( | * ) ] allow + { ; ... } [ + keys { ; ... } ] [ read-only + ]; // may occur multiple times + unix perm + owner group [ + keys { ; ... } ] [ read-only + ]; // may occur multiple times +}; // may occur multiple times + +dlz { + database ; + search ; +}; // may occur multiple times + +dnssec-keys { ( static-key | + initial-key ) + ; ... }; // may occur multiple times + +dyndb { + }; // may occur multiple times + +key { + algorithm ; + secret ; +}; // may occur multiple times + +logging { + category { ; ... }; // may occur multiple times + channel { + buffered ; + file [ versions ( unlimited | ) ] + [ size ] [ suffix ( increment | timestamp ) ]; + null; + print-category ; + print-severity ; + print-time ( iso8601 | iso8601-utc | local | ); + severity ; + stderr; + syslog [ ]; + }; // may occur multiple times +}; + +managed-keys { ( static-key + | initial-key ) + + ; ... }; // may occur multiple times, deprecated + +masters [ port ] [ dscp + ] { ( | [ + port ] | [ port + ] ) [ key ]; ... }; // may occur multiple times + +options { + allow-new-zones ; + allow-notify { ; ... }; + allow-query { ; ... }; + allow-query-cache { ; ... }; + allow-query-cache-on { ; ... }; + allow-query-on { ; ... }; + allow-recursion { ; ... }; + allow-recursion-on { ; ... }; + allow-transfer { ; ... }; + allow-update { ; ... }; + allow-update-forwarding { ; ... }; + also-notify [ port ] [ dscp ] { ( | + [ port ] | [ port + ] ) [ key ]; ... }; + alt-transfer-source ( | * ) [ port ( | * ) + ] [ dscp ]; + alt-transfer-source-v6 ( | * ) [ port ( | + * ) ] [ dscp ]; + answer-cookie ; + attach-cache ; + auth-nxdomain ; // default changed + auto-dnssec ( allow | maintain | off ); + automatic-interface-scan ; + avoid-v4-udp-ports { ; ... }; + avoid-v6-udp-ports { ; ... }; + bindkeys-file ; + blackhole { ; ... 
}; + cache-file ; + catalog-zones { zone [ default-masters [ port ] + [ dscp ] { ( | [ port + ] | [ port ] ) [ key + ]; ... } ] [ zone-directory ] [ + in-memory ] [ min-update-interval ]; ... }; + check-dup-records ( fail | warn | ignore ); + check-integrity ; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( primary | master | + secondary | slave | response ) ( + fail | warn | ignore ); // may occur multiple times + check-sibling ; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard ; + clients-per-query ; + cookie-algorithm ( aes | siphash24 ); + cookie-secret ; // may occur multiple times + coresize ( default | unlimited | ); + datasize ( default | unlimited | ); + deny-answer-addresses { ; ... } [ + except-from { ; ... } ]; + deny-answer-aliases { ; ... } [ except-from { ; ... + } ]; + dialup ( notify | notify-passive | passive | refresh | ); + directory ; + disable-algorithms { ; + ... }; // may occur multiple times + disable-ds-digests { ; + ... }; // may occur multiple times + disable-empty-zone ; // may occur multiple times + dns64 { + break-dnssec ; + clients { ; ... }; + exclude { ; ... }; + mapped { ; ... }; + recursive-only ; + suffix ; + }; // may occur multiple times + dns64-contact ; + dns64-server ; + dnskey-sig-validity ; + dnsrps-enable ; // not configured + dnsrps-options { }; // not configured + dnssec-accept-expired ; + dnssec-dnskey-kskonly ; + dnssec-loadkeys-interval ; + dnssec-must-be-secure ; // may occur multiple times + dnssec-secure-to-insecure ; + dnssec-update-mode ( maintain | no-resign ); + dnssec-validation ( yes | no | auto ); + dnstap { ( all | auth | client | forwarder | + resolver | update ) [ ( query | response ) ]; + ... 
}; // not configured + dnstap-identity ( | none | + hostname ); // not configured + dnstap-output ( file | unix ) [ + size ( unlimited | ) ] [ versions ( + unlimited | ) ] [ suffix ( increment + | timestamp ) ]; // not configured + dnstap-version ( | none ); // not configured + dscp ; + dual-stack-servers [ port ] { ( [ port + ] [ dscp ] | [ port + ] [ dscp ] | [ port + ] [ dscp ] ); ... }; + dump-file ; + edns-udp-size ; + empty-contact ; + empty-server ; + empty-zones-enable ; + fetch-quota-params ; + fetches-per-server [ ( drop | fail ) ]; + fetches-per-zone [ ( drop | fail ) ]; + files ( default | unlimited | ); + flush-zones-on-shutdown ; + forward ( first | only ); + forwarders [ port ] [ dscp ] { ( + | ) [ port ] [ dscp ]; ... }; + fstrm-set-buffer-hint ; // not configured + fstrm-set-flush-timeout ; // not configured + fstrm-set-input-queue-size ; // not configured + fstrm-set-output-notify-threshold ; // not configured + fstrm-set-output-queue-model ( mpsc | spsc ); // not configured + fstrm-set-output-queue-size ; // not configured + fstrm-set-reopen-interval ; // not configured + geoip-directory ( | none ); + glue-cache ; + heartbeat-interval ; + hostname ( | none ); + inline-signing ; + interface-interval ; + ixfr-from-differences ( primary | master | secondary | slave | + ); + keep-response-order { ; ... }; + key-directory ; + lame-ttl ; + listen-on [ port ] [ dscp + ] { + ; ... }; // may occur multiple times + listen-on-v6 [ port ] [ dscp + ] { + ; ... 
}; // may occur multiple times + lmdb-mapsize ; + lock-file ( | none ); + managed-keys-directory ; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + match-mapped-addresses ; + max-cache-size ( default | unlimited | | ); + max-cache-ttl ; + max-clients-per-query ; + max-journal-size ( default | unlimited | ); + max-ncache-ttl ; + max-records ; + max-recursion-depth ; + max-recursion-queries ; + max-refresh-time ; + max-retry-time ; + max-rsa-exponent-size ; + max-stale-ttl ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; + max-transfer-time-out ; + max-udp-size ; + max-zone-ttl ( unlimited | ); + memstatistics ; + memstatistics-file ; + message-compression ; + min-cache-ttl ; + min-ncache-ttl ; + min-refresh-time ; + min-retry-time ; + minimal-any ; + minimal-responses ( no-auth | no-auth-recursive | ); + multi-master ; + new-zones-directory ; + no-case-compress { ; ... }; + nocookie-udp-size ; + notify ( explicit | master-only | ); + notify-delay ; + notify-rate ; + notify-source ( | * ) [ port ( | * ) ] [ + dscp ]; + notify-source-v6 ( | * ) [ port ( | * ) ] + [ dscp ]; + notify-to-soa ; + nta-lifetime ; + nta-recheck ; + nxdomain-redirect ; + pid-file ( | none ); + port ; + preferred-glue ; + prefetch [ ]; + provide-ixfr ; + qname-minimization ( strict | relaxed | disabled | off ); + query-source ( ( [ address ] ( | * ) [ port ( + | * ) ] ) | ( [ [ address ] ( | * ) ] + port ( | * ) ) ) [ dscp ]; + query-source-v6 ( ( [ address ] ( | * ) [ port ( + | * ) ] ) | ( [ [ address ] ( | * ) ] + port ( | * ) ) ) [ dscp ]; + querylog ; + random-device ( | none ); + rate-limit { + all-per-second ; + errors-per-second ; + exempt-clients { ; ... 
}; + ipv4-prefix-length ; + ipv6-prefix-length ; + log-only ; + max-table-size ; + min-table-size ; + nodata-per-second ; + nxdomains-per-second ; + qps-scale ; + referrals-per-second ; + responses-per-second ; + slip ; + window ; + }; + recursing-file ; + recursion ; + recursive-clients ; + request-expire ; + request-ixfr ; + request-nsid ; + require-server-cookie ; + reserved-sockets ; + resolver-nonbackoff-tries ; + resolver-query-timeout ; + resolver-retry-interval ; + response-padding { ; ... } block-size + ; + response-policy { zone [ add-soa ] [ log + ] [ max-policy-ttl ] [ min-update-interval + ] [ policy ( cname | disabled | drop | given | no-op | + nodata | nxdomain | passthru | tcp-only ) ] [ + recursive-only ] [ nsip-enable ] [ + nsdname-enable ]; ... } [ add-soa ] [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ + nsip-wait-recurse ] [ qname-wait-recurse ] + [ recursive-only ] [ nsip-enable ] [ + nsdname-enable ] [ dnsrps-enable ] [ + dnsrps-options { } ]; + root-delegation-only [ exclude { ; ... } ]; + root-key-sentinel ; + rrset-order { [ class ] [ type ] [ name + ] ; ... }; + secroots-file ; + send-cookie ; + serial-query-rate ; + serial-update-method ( date | increment | unixtime ); + server-id ( | none | hostname ); + servfail-ttl ; + session-keyalg ; + session-keyfile ( | none ); + session-keyname ; + sig-signing-nodes ; + sig-signing-signatures ; + sig-signing-type ; + sig-validity-interval [ ]; + sortlist { ; ... 
}; + stacksize ( default | unlimited | ); + stale-answer-enable ; + stale-answer-ttl ; + startup-notify-rate ; + statistics-file ; + synth-from-dnssec ; + tcp-advertised-timeout ; + tcp-clients ; + tcp-idle-timeout ; + tcp-initial-timeout ; + tcp-keepalive-timeout ; + tcp-listen-queue ; + tkey-dhkey ; + tkey-domain ; + tkey-gssapi-credential ; + tkey-gssapi-keytab ; + transfer-format ( many-answers | one-answer ); + transfer-message-size ; + transfer-source ( | * ) [ port ( | * ) ] [ + dscp ]; + transfer-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; + transfers-in ; + transfers-out ; + transfers-per-ns ; + trust-anchor-telemetry ; // experimental + try-tcp-refresh ; + update-check-ksk ; + use-alt-transfer-source ; + use-v4-udp-ports { ; ... }; + use-v6-udp-ports { ; ... }; + v6-bias ; + validate-except { ; ... }; + version ( | none ); + zero-no-soa-ttl ; + zero-no-soa-ttl-cache ; + zone-statistics ( full | terse | none | ); +}; + +plugin ( query ) [ { + } ]; // may occur multiple times + +server { + bogus ; + edns ; + edns-udp-size ; + edns-version ; + keys ; + max-udp-size ; + notify-source ( | * ) [ port ( | * ) ] [ + dscp ]; + notify-source-v6 ( | * ) [ port ( | * ) ] + [ dscp ]; + padding ; + provide-ixfr ; + query-source ( ( [ address ] ( | * ) [ port ( + | * ) ] ) | ( [ [ address ] ( | * ) ] + port ( | * ) ) ) [ dscp ]; + query-source-v6 ( ( [ address ] ( | * ) [ port ( + | * ) ] ) | ( [ [ address ] ( | * ) ] + port ( | * ) ) ) [ dscp ]; + request-expire ; + request-ixfr ; + request-nsid ; + send-cookie ; + tcp-keepalive ; + tcp-only ; + transfer-format ( many-answers | one-answer ); + transfer-source ( | * ) [ port ( | * ) ] [ + dscp ]; + transfer-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; + transfers ; +}; // may occur multiple times + +statistics-channels { + inet ( | | + * ) [ port ( | * ) ] [ + allow { ; ... + } ]; // may occur multiple times +}; // may occur multiple times + +trusted-keys { + + ; ... 
}; // may occur multiple times, deprecated + +view [ ] { + allow-new-zones ; + allow-notify { ; ... }; + allow-query { ; ... }; + allow-query-cache { ; ... }; + allow-query-cache-on { ; ... }; + allow-query-on { ; ... }; + allow-recursion { ; ... }; + allow-recursion-on { ; ... }; + allow-transfer { ; ... }; + allow-update { ; ... }; + allow-update-forwarding { ; ... }; + also-notify [ port ] [ dscp ] { ( | + [ port ] | [ port + ] ) [ key ]; ... }; + alt-transfer-source ( | * ) [ port ( | * ) + ] [ dscp ]; + alt-transfer-source-v6 ( | * ) [ port ( | + * ) ] [ dscp ]; + attach-cache ; + auth-nxdomain ; // default changed + auto-dnssec ( allow | maintain | off ); + cache-file ; + catalog-zones { zone [ default-masters [ port ] + [ dscp ] { ( | [ port + ] | [ port ] ) [ key + ]; ... } ] [ zone-directory ] [ + in-memory ] [ min-update-interval ]; ... }; + check-dup-records ( fail | warn | ignore ); + check-integrity ; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( primary | master | + secondary | slave | response ) ( + fail | warn | ignore ); // may occur multiple times + check-sibling ; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard ; + clients-per-query ; + deny-answer-addresses { ; ... } [ + except-from { ; ... } ]; + deny-answer-aliases { ; ... } [ except-from { ; ... + } ]; + dialup ( notify | notify-passive | passive | refresh | ); + disable-algorithms { ; + ... }; // may occur multiple times + disable-ds-digests { ; + ... }; // may occur multiple times + disable-empty-zone ; // may occur multiple times + dlz { + database ; + search ; + }; // may occur multiple times + dns64 { + break-dnssec ; + clients { ; ... }; + exclude { ; ... }; + mapped { ; ... 
}; + recursive-only ; + suffix ; + }; // may occur multiple times + dns64-contact ; + dns64-server ; + dnskey-sig-validity ; + dnsrps-enable ; // not configured + dnsrps-options { }; // not configured + dnssec-accept-expired ; + dnssec-dnskey-kskonly ; + dnssec-keys { ( static-key | + initial-key ) + ; ... }; // may occur multiple times + dnssec-loadkeys-interval ; + dnssec-must-be-secure ; // may occur multiple times + dnssec-secure-to-insecure ; + dnssec-update-mode ( maintain | no-resign ); + dnssec-validation ( yes | no | auto ); + dnstap { ( all | auth | client | forwarder | + resolver | update ) [ ( query | response ) ]; + ... }; // not configured + dual-stack-servers [ port ] { ( [ port + ] [ dscp ] | [ port + ] [ dscp ] | [ port + ] [ dscp ] ); ... }; + dyndb { + }; // may occur multiple times + edns-udp-size ; + empty-contact ; + empty-server ; + empty-zones-enable ; + fetch-quota-params ; + fetches-per-server [ ( drop | fail ) ]; + fetches-per-zone [ ( drop | fail ) ]; + forward ( first | only ); + forwarders [ port ] [ dscp ] { ( + | ) [ port ] [ dscp ]; ... }; + glue-cache ; + inline-signing ; + ixfr-from-differences ( primary | master | secondary | slave | + ); + key { + algorithm ; + secret ; + }; // may occur multiple times + key-directory ; + lame-ttl ; + lmdb-mapsize ; + managed-keys { ( + static-key | initial-key + ) + + ; ... }; // may occur multiple times, deprecated + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + match-clients { ; ... }; + match-destinations { ; ... 
}; + match-recursive-only ; + max-cache-size ( default | unlimited | | ); + max-cache-ttl ; + max-clients-per-query ; + max-journal-size ( default | unlimited | ); + max-ncache-ttl ; + max-records ; + max-recursion-depth ; + max-recursion-queries ; + max-refresh-time ; + max-retry-time ; + max-stale-ttl ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; + max-transfer-time-out ; + max-udp-size ; + max-zone-ttl ( unlimited | ); + message-compression ; + min-cache-ttl ; + min-ncache-ttl ; + min-refresh-time ; + min-retry-time ; + minimal-any ; + minimal-responses ( no-auth | no-auth-recursive | ); + multi-master ; + new-zones-directory ; + no-case-compress { ; ... }; + nocookie-udp-size ; + notify ( explicit | master-only | ); + notify-delay ; + notify-source ( | * ) [ port ( | * ) ] [ + dscp ]; + notify-source-v6 ( | * ) [ port ( | * ) ] + [ dscp ]; + notify-to-soa ; + nta-lifetime ; + nta-recheck ; + nxdomain-redirect ; + plugin ( query ) [ { + } ]; // may occur multiple times + preferred-glue ; + prefetch [ ]; + provide-ixfr ; + qname-minimization ( strict | relaxed | disabled | off ); + query-source ( ( [ address ] ( | * ) [ port ( + | * ) ] ) | ( [ [ address ] ( | * ) ] + port ( | * ) ) ) [ dscp ]; + query-source-v6 ( ( [ address ] ( | * ) [ port ( + | * ) ] ) | ( [ [ address ] ( | * ) ] + port ( | * ) ) ) [ dscp ]; + rate-limit { + all-per-second ; + errors-per-second ; + exempt-clients { ; ... }; + ipv4-prefix-length ; + ipv6-prefix-length ; + log-only ; + max-table-size ; + min-table-size ; + nodata-per-second ; + nxdomains-per-second ; + qps-scale ; + referrals-per-second ; + responses-per-second ; + slip ; + window ; + }; + recursion ; + request-expire ; + request-ixfr ; + request-nsid ; + require-server-cookie ; + resolver-nonbackoff-tries ; + resolver-query-timeout ; + resolver-retry-interval ; + response-padding { ; ... 
} block-size + ; + response-policy { zone [ add-soa ] [ log + ] [ max-policy-ttl ] [ min-update-interval + ] [ policy ( cname | disabled | drop | given | no-op | + nodata | nxdomain | passthru | tcp-only ) ] [ + recursive-only ] [ nsip-enable ] [ + nsdname-enable ]; ... } [ add-soa ] [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ + nsip-wait-recurse ] [ qname-wait-recurse ] + [ recursive-only ] [ nsip-enable ] [ + nsdname-enable ] [ dnsrps-enable ] [ + dnsrps-options { } ]; + root-delegation-only [ exclude { ; ... } ]; + root-key-sentinel ; + rrset-order { [ class ] [ type ] [ name + ] ; ... }; + send-cookie ; + serial-update-method ( date | increment | unixtime ); + server { + bogus ; + edns ; + edns-udp-size ; + edns-version ; + keys ; + max-udp-size ; + notify-source ( | * ) [ port ( | * + ) ] [ dscp ]; + notify-source-v6 ( | * ) [ port ( + | * ) ] [ dscp ]; + padding ; + provide-ixfr ; + query-source ( ( [ address ] ( | * ) [ port + ( | * ) ] ) | ( [ [ address ] ( + | * ) ] port ( | * ) ) ) [ + dscp ]; + query-source-v6 ( ( [ address ] ( | * ) [ + port ( | * ) ] ) | ( [ [ address ] ( + | * ) ] port ( | * ) ) ) [ + dscp ]; + request-expire ; + request-ixfr ; + request-nsid ; + send-cookie ; + tcp-keepalive ; + tcp-only ; + transfer-format ( many-answers | one-answer ); + transfer-source ( | * ) [ port ( | + * ) ] [ dscp ]; + transfer-source-v6 ( | * ) [ port ( + | * ) ] [ dscp ]; + transfers ; + }; // may occur multiple times + servfail-ttl ; + sig-signing-nodes ; + sig-signing-signatures ; + sig-signing-type ; + sig-validity-interval [ ]; + sortlist { ; ... }; + stale-answer-enable ; + stale-answer-ttl ; + synth-from-dnssec ; + transfer-format ( many-answers | one-answer ); + transfer-source ( | * ) [ port ( | * ) ] [ + dscp ]; + transfer-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; + trust-anchor-telemetry ; // experimental + trusted-keys { + + + ; ... 
}; // may occur multiple times, deprecated + try-tcp-refresh ; + update-check-ksk ; + use-alt-transfer-source ; + v6-bias ; + validate-except { ; ... }; + zero-no-soa-ttl ; + zero-no-soa-ttl-cache ; + zone [ ] { + allow-notify { ; ... }; + allow-query { ; ... }; + allow-query-on { ; ... }; + allow-transfer { ; ... }; + allow-update { ; ... }; + allow-update-forwarding { ; ... }; + also-notify [ port ] [ dscp ] { ( + | [ port ] | + [ port ] ) [ key ]; + ... }; + alt-transfer-source ( | * ) [ port ( + | * ) ] [ dscp ]; + alt-transfer-source-v6 ( | * ) [ port ( + | * ) ] [ dscp ]; + auto-dnssec ( allow | maintain | off ); + check-dup-records ( fail | warn | ignore ); + check-integrity ; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( fail | warn | ignore ); + check-sibling ; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard ; + database ; + delegation-only ; + dialup ( notify | notify-passive | passive | refresh | + ); + dlz ; + dnskey-sig-validity ; + dnssec-dnskey-kskonly ; + dnssec-loadkeys-interval ; + dnssec-secure-to-insecure ; + dnssec-update-mode ( maintain | no-resign ); + file ; + forward ( first | only ); + forwarders [ port ] [ dscp ] { ( + | ) [ port ] [ + dscp ]; ... }; + in-view ; + inline-signing ; + ixfr-from-differences ; + journal ; + key-directory ; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port ] [ dscp ] { ( + | [ port ] | [ + port ] ) [ key ]; ... 
}; + max-journal-size ( default | unlimited | ); + max-records ; + max-refresh-time ; + max-retry-time ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; + max-transfer-time-out ; + max-zone-ttl ( unlimited | ); + min-refresh-time ; + min-retry-time ; + multi-master ; + notify ( explicit | master-only | ); + notify-delay ; + notify-source ( | * ) [ port ( | * + ) ] [ dscp ]; + notify-source-v6 ( | * ) [ port ( + | * ) ] [ dscp ]; + notify-to-soa ; + request-expire ; + request-ixfr ; + serial-update-method ( date | increment | unixtime ); + server-addresses { ( | ); ... }; + server-names { ; ... }; + sig-signing-nodes ; + sig-signing-signatures ; + sig-signing-type ; + sig-validity-interval [ ]; + transfer-source ( | * ) [ port ( | + * ) ] [ dscp ]; + transfer-source-v6 ( | * ) [ port ( + | * ) ] [ dscp ]; + try-tcp-refresh ; + type ( primary | master | secondary | slave | mirror | + delegation-only | forward | hint | redirect | + static-stub | stub ); + update-check-ksk ; + update-policy ( local | { ( deny | grant ) ( + 6to4-self | external | krb5-self | krb5-selfsub | + krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | + name | self | selfsub | selfwild | subdomain | tcp-self + | wildcard | zonesub ) [ ] ; ... }; + use-alt-transfer-source ; + zero-no-soa-ttl ; + zone-statistics ( full | terse | none | ); + }; // may occur multiple times + zone-statistics ( full | terse | none | ); +}; // may occur multiple times + +zone [ ] { + allow-notify { ; ... }; + allow-query { ; ... }; + allow-query-on { ; ... }; + allow-transfer { ; ... }; + allow-update { ; ... }; + allow-update-forwarding { ; ... }; + also-notify [ port ] [ dscp ] { ( | + [ port ] | [ port + ] ) [ key ]; ... 
}; + alt-transfer-source ( | * ) [ port ( | * ) + ] [ dscp ]; + alt-transfer-source-v6 ( | * ) [ port ( | + * ) ] [ dscp ]; + auto-dnssec ( allow | maintain | off ); + check-dup-records ( fail | warn | ignore ); + check-integrity ; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( fail | warn | ignore ); + check-sibling ; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard ; + database ; + delegation-only ; + dialup ( notify | notify-passive | passive | refresh | ); + dlz ; + dnskey-sig-validity ; + dnssec-dnskey-kskonly ; + dnssec-loadkeys-interval ; + dnssec-secure-to-insecure ; + dnssec-update-mode ( maintain | no-resign ); + file ; + forward ( first | only ); + forwarders [ port ] [ dscp ] { ( + | ) [ port ] [ dscp ]; ... }; + in-view ; + inline-signing ; + ixfr-from-differences ; + journal ; + key-directory ; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port ] [ dscp ] { ( | + [ port ] | [ port + ] ) [ key ]; ... }; + max-journal-size ( default | unlimited | ); + max-records ; + max-refresh-time ; + max-retry-time ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; + max-transfer-time-out ; + max-zone-ttl ( unlimited | ); + min-refresh-time ; + min-retry-time ; + multi-master ; + notify ( explicit | master-only | ); + notify-delay ; + notify-source ( | * ) [ port ( | * ) ] [ + dscp ]; + notify-source-v6 ( | * ) [ port ( | * ) ] + [ dscp ]; + notify-to-soa ; + request-expire ; + request-ixfr ; + serial-update-method ( date | increment | unixtime ); + server-addresses { ( | ); ... }; + server-names { ; ... 
}; + sig-signing-nodes ; + sig-signing-signatures ; + sig-signing-type ; + sig-validity-interval [ ]; + transfer-source ( | * ) [ port ( | * ) ] [ + dscp ]; + transfer-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; + try-tcp-refresh ; + type ( primary | master | secondary | slave | mirror | + delegation-only | forward | hint | redirect | static-stub | + stub ); + update-check-ksk ; + update-policy ( local | { ( deny | grant ) ( 6to4-self | + external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self + | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild + | subdomain | tcp-self | wildcard | zonesub ) [ ] + ; ... }; + use-alt-transfer-source ; + zero-no-soa-ttl ; + zone-statistics ( full | terse | none | ); +}; // may occur multiple times + diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt index 248823a88b..750392f254 100644 --- a/doc/misc/slave.zoneopt +++ b/doc/misc/slave.zoneopt @@ -43,7 +43,6 @@ zone [ ] { notify-source ( | * ) [ port ( | * ) ] [ dscp ]; notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; - nsec3-test-zone ; // test only request-expire ; request-ixfr ; sig-signing-nodes ; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 976235626a..a90fa15830 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -58,11 +58,6 @@ #include -static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org"; -static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 }; -static dns_name_t const dlviscorg = - DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets); - static isc_result_t fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable, isc_log_t *logctxlogc); @@ -858,9 +853,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, const cfg_obj_t *resignobj = NULL; const cfg_listelt_t *element; isc_symtab_t *symtab = NULL; - dns_fixedname_t fixed; const char *str; - dns_name_t *name; isc_buffer_t b; uint32_t lifetime = 3600; const char *ccalg = "siphash24"; 
@@ -1069,7 +1062,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } /* - * Set supported DS/DLV digest types. + * Set supported DS digest types. */ obj = NULL; (void)cfg_map_get(options, "disable-ds-digests", &obj); 
@@ -1085,107 +1078,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } } - name = dns_fixedname_initname(&fixed); - - /* - * Check the DLV zone name. - */ - obj = NULL; - (void)cfg_map_get(options, "dnssec-lookaside", &obj); - if (obj != NULL) { - tresult = isc_symtab_create(mctx, 100, freekey, mctx, - false, &symtab); - if (tresult != ISC_R_SUCCESS) - result = tresult; - for (element = cfg_list_first(obj); - element != NULL; - element = cfg_list_next(element)) - { - const char *dlv; - const cfg_obj_t *dlvobj, *anchor; - - obj = cfg_listelt_value(element); - - anchor = cfg_tuple_get(obj, "trust-anchor"); - dlvobj = cfg_tuple_get(obj, "domain"); - dlv = cfg_obj_asstring(dlvobj); - - /* - * If domain is "auto" or "no" and trust anchor - * is missing, skip remaining tests - */ - if (cfg_obj_isvoid(anchor)) { - if (!strcasecmp(dlv, "no")) { - continue; - } - if (!strcasecmp(dlv, "auto")) { - cfg_obj_log(obj, logctx, ISC_LOG_WARNING, - "dnssec-lookaside 'auto' " - "is no longer supported"); - continue; - } - } - - tresult = dns_name_fromstring(name, dlv, 0, NULL); - if (tresult != ISC_R_SUCCESS) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "bad domain name '%s'", dlv); - result = tresult; - continue; - } - if (symtab != NULL) { - tresult = nameexist(obj, dlv, 1, symtab, - "dnssec-lookaside '%s': " - "already exists; previous " - "definition: %s:%u", - logctx, mctx); - if (tresult != ISC_R_SUCCESS && - result == ISC_R_SUCCESS) - result = tresult; - } - - /* - * XXXMPA to be removed when multiple lookaside - * namespaces are supported. 
- */ - if (!dns_name_equal(dns_rootname, name)) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "dnssec-lookaside '%s': " - "non-root not yet supported", dlv); - if (result == ISC_R_SUCCESS) - result = ISC_R_FAILURE; - } - - if (cfg_obj_isvoid(anchor)) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "dnssec-lookaside requires " - "either or 'no' or a " - "domain and trust anchor"); - if (result == ISC_R_SUCCESS) - result = ISC_R_FAILURE; - continue; - } - - dlv = cfg_obj_asstring(anchor); - tresult = dns_name_fromstring(name, dlv, 0, NULL); - if (tresult != ISC_R_SUCCESS) { - cfg_obj_log(anchor, logctx, ISC_LOG_ERROR, - "bad domain name '%s'", dlv); - if (result == ISC_R_SUCCESS) - result = tresult; - continue; - } - if (dns_name_equal(&dlviscorg, name)) { - cfg_obj_log(anchor, logctx, ISC_LOG_WARNING, - "dlv.isc.org has been shut down"); - continue; - } - } - - if (symtab != NULL) - isc_symtab_destroy(&symtab); - } - /* * Check auto-dnssec at the view/options level */ @@ -3058,7 +2950,6 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions, #define ROOT_KSK_ANY 0x03 #define ROOT_KSK_2010 0x04 #define ROOT_KSK_2017 0x08 -#define DLV_KSK_KEY 0x10 static isc_result_t check_trusted_key(const cfg_obj_t *key, bool managed, @@ -3235,13 +3126,6 @@ check_trusted_key(const cfg_obj_t *key, bool managed, } } - /* - * Flag any use of dlv.isc.org, regardless of content. - */ - if (dns_name_equal(keyname, &dlviscorg)) { - *keyflags |= DLV_KSK_KEY; - } - return (result); } @@ -3830,14 +3714,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, "with initial-key instead."); } - if ((flags & DLV_KSK_KEY) != 0) { - cfg_obj_log(check_keys[i], logctx, - ISC_LOG_WARNING, - "trust anchor for dlv.isc.org " - "is present; dlv.isc.org has " - "been shut down"); - } - tflags |= flags; } } 
@@ -3908,14 +3784,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, "the updated 2017 key"); } - if ((flags & DLV_KSK_KEY) != 0) { - cfg_obj_log(check_keys[i], logctx, - ISC_LOG_WARNING, - "trust anchor for dlv.isc.org " - "is present; dlv.isc.org has " - "been shut down"); - } - dflags |= flags; } } diff --git a/lib/dns/client.c b/lib/dns/client.c index 8e765d989f..96d45093bb 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -706,46 +706,6 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass, return (result); } -isc_result_t -dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass, - const char *dlvname) -{ - isc_result_t result; - isc_buffer_t b; - dns_view_t *view = NULL; - - REQUIRE(DNS_CLIENT_VALID(client)); - - LOCK(&client->lock); - result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME, - rdclass, &view); - UNLOCK(&client->lock); - if (result != ISC_R_SUCCESS) - goto cleanup; - - if (dlvname == NULL) - view->dlv = NULL; - else { - dns_name_t *newdlv; - - isc_buffer_constinit(&b, dlvname, strlen(dlvname)); - isc_buffer_add(&b, strlen(dlvname)); - newdlv = dns_fixedname_name(&view->dlv_fixed); - result = dns_name_fromtext(newdlv, &b, dns_rootname, - DNS_NAME_DOWNCASE, NULL); - if (result != ISC_R_SUCCESS) - goto cleanup; - - view->dlv = dns_fixedname_name(&view->dlv_fixed); - } - - cleanup: - if (view != NULL) - dns_view_detach(&view); - - return (result); -} - static isc_result_t getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) { dns_rdataset_t *rdataset; diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h index b0ed77c97e..d661e2deba 100644 --- a/lib/dns/include/dns/client.h +++ b/lib/dns/include/dns/client.h 
@@ -271,26 +271,6 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass, *\li Anything else Failure. */ -isc_result_t -dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass, - const char *dlvname); -/*%< - * Specify a name to use for DNSSEC lookaside validation. - * If a trusted key has been added for that name, then DLV will be - * used during validation. If 'dlvname' is NULL, then DLV will no - * longer be used for this client. - * - * Requires: - * - *\li 'client' is a valid client. - * - * Returns: - * - *\li #ISC_R_SUCCESS On success. - * - *\li Anything else Failure. - */ - isc_result_t dns_client_resolve(dns_client_t *client, const dns_name_t *name, dns_rdataclass_t rdclass, dns_rdatatype_t type, diff --git a/lib/dns/include/dns/dsdigest.h b/lib/dns/include/dns/dsdigest.h index b029ecd405..e513ae4875 100644 --- a/lib/dns/include/dns/dsdigest.h +++ b/lib/dns/include/dns/dsdigest.h @@ -24,7 +24,7 @@ ISC_LANG_BEGINDECLS isc_result_t dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source); /*%< - * Convert the text 'source' refers to into a DS/DLV digest type value. + * Convert the text 'source' refers to into a DS digest type value. * The text may contain either a mnemonic digest name or a decimal * digest number. * @@ -42,7 +42,7 @@ dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source); isc_result_t dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target); /*%< - * Put a textual representation of the DS/DLV digest type 'dsdigest' + * Put a textual representation of the DS digest type 'dsdigest' * into 'target'. * * Requires: diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h index 3a074a8481..57fa237e58 100644 --- a/lib/dns/include/dns/resolver.h +++ b/lib/dns/include/dns/resolver.h 
@@ -483,7 +483,7 @@ dns_resolver_reset_algorithms(dns_resolver_t *resolver); void dns_resolver_reset_ds_digests(dns_resolver_t *resolver); /*%< - * Clear the disabled DS/DLV digest types. + * Clear the disabled DS digest types. */ isc_result_t @@ -503,7 +503,7 @@ isc_result_t dns_resolver_disable_ds_digest(dns_resolver_t *resolver, const dns_name_t *name, unsigned int digest_type); /*%< - * Mark the given DS/DLV digest type as disabled and below 'name'. + * Mark the given DS digest type as disabled and below 'name'. * Valid types are less than 256. * * Returns: diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index 81e46d8fd3..51c62239d1 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h @@ -26,8 +26,6 @@ * the view and may fetch RRset to complete trust chains. It implements * DNSSEC as specified in RFC 4033, 4034 and 4035. * - * It can also optionally implement ISC's DNSSEC look-aside validation. - * * Correct operation is critical to preventing spoofed answers from secure * zones being accepted. * @@ -152,11 +150,7 @@ struct dns_validator { dns_fixedname_t nearest; dns_fixedname_t closest; ISC_LINK(dns_validator_t) link; - dns_rdataset_t dlv; - dns_fixedname_t dlvsep; - bool havedlvsep; - bool mustbesecure; - unsigned int dlvlabels; + bool mustbesecure; unsigned int depth; unsigned int authcount; unsigned int authfail; @@ -166,7 +160,7 @@ struct dns_validator { /*% * dns_validator_create() options. */ -#define DNS_VALIDATOR_DLV 0x0001U +/* obsolete: #define DNS_VALIDATOR_DLV 0x0001U */ #define DNS_VALIDATOR_DEFER 0x0002U #define DNS_VALIDATOR_NOCDFLAG 0x0004U #define DNS_VALIDATOR_NONTA 0x0008U /*% Ignore NTA table */ 
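Review bot: The replacement `/* obsolete: #define DNS_VALIDATOR_DLV 0x0001U */` records the old name but does not say whether bit 0x0001U may be reused, and the neighbouring DEFER/NOCDFLAG/NONTA values are allocated by hand, so a later option could silently take the same bit and collide with any out-of-tree caller still built against the old value. I would make the intent explicit: `/* 0x0001U was DNS_VALIDATOR_DLV (obsolete); keep this bit reserved. */`. The struct dns_validator hunk just above drops four fields from a struct defined in lib/dns/include/dns/validator.h, which changes its layout for every consumer of the header; if libdns users are expected to rebuild against each release that is fine, otherwise it is worth a sentence in the commit message.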
@@ -210,11 +204,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, * Its 'result' field will be ISC_R_SUCCESS iff the * response was successfully proven to be either secure or * part of a known insecure domain. - * - * options: - * If DNS_VALIDATOR_DLV is set the caller knows there is not a - * trusted key and the validator should immediately attempt to validate - * the answer by looking for an appropriate DLV RRset. */ void diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 785627225a..626d776dd5 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -168,8 +168,6 @@ struct dns_view { bool rootdelonly; dns_namelist_t * rootexclude; bool checknames; - dns_name_t * dlv; - dns_fixedname_t dlv_fixed; uint16_t maxudp; dns_ttl_t staleanswerttl; dns_stale_answer_t staleanswersok; /* rndc setting */ diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 6a38e277cf..7dbfdc57a5 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -2446,10 +2446,6 @@ resquery_send(resquery_t *query) { if (result != ISC_R_SUCCESS) { secure_domain = false; } - if (res->view->dlv != NULL) { - secure_domain = true; - } - if (secure_domain || (ISFORWARDER(query->addrinfo) && ntacovered)) { @@ -3714,7 +3710,6 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { result = isc_time_nowplusinterval(&expire, &i); if (badcache && (fctx->type == dns_rdatatype_dnskey || - fctx->type == dns_rdatatype_dlv || fctx->type == dns_rdatatype_ds) && result == ISC_R_SUCCESS) dns_resolver_addbadcache(res, &fctx->name, @@ -5488,7 +5483,6 @@ validated(isc_task_t *task, isc_event_t *event) { tresult = isc_time_nowplusinterval(&expire, &i); if (negative && (fctx->type == dns_rdatatype_dnskey || - fctx->type == dns_rdatatype_dlv || fctx->type == dns_rdatatype_ds) && tresult == ISC_R_SUCCESS) dns_resolver_addbadcache(res, &fctx->name, 
@@ -5929,11 +5923,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, if (result != ISC_R_SUCCESS) { return (result); } - - if (!secure_domain && res->view->dlv != NULL) { - valoptions |= DNS_VALIDATOR_DLV; - secure_domain = true; - } } if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) { @@ -6523,11 +6512,6 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, now, checknta, NULL, &secure_domain); if (result != ISC_R_SUCCESS) return (result); - - if (!secure_domain && res->view->dlv != NULL) { - valoptions |= DNS_VALIDATOR_DLV; - secure_domain = true; - } } if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 34b2524310..5e256436fc 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c 
@@ -45,38 +45,20 @@ * Basic processing sequences. * * \li When called with rdataset and sigrdataset: - * validator_start -> validate -> proveunsecure -> startfinddlvsep -> - * dlv_validator_start -> validator_start -> validate -> proveunsecure + * validator_start -> validate -> proveunsecure * * validator_start -> validate -> nsecvalidate (secure wildcard answer) * - * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV: - * validator_start -> startfinddlvsep -> dlv_validator_start -> - * validator_start -> validate -> proveunsecure - * * \li When called with rdataset: - * validator_start -> proveunsecure -> startfinddlvsep -> - * dlv_validator_start -> validator_start -> proveunsecure - * - * \li When called with rdataset and with DNS_VALIDATOR_DLV: - * validator_start -> startfinddlvsep -> dlv_validator_start -> - * validator_start -> proveunsecure + * validator_start -> proveunsecure * * \li When called without a rdataset: - * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep -> - * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure - * - * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate() - * to always validate the authority section even when it does not contain - * signatures. + * validator_start -> nsecvalidate -> proveunsecure * * validator_start: determines what type of validation to do. * validate: attempts to perform a positive validation. * proveunsecure: attempts to prove the answer comes from a unsecure zone. * nsecvalidate: attempts to prove a negative response. - * startfinddlvsep: starts the DLV record lookup. - * dlv_validator_start: resets state and restarts the lookup using the - * DLV RRset found by startfinddlvsep. */ #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?') 
@@ -86,8 +68,7 @@ #define VALATTR_CANCELED 0x0002 /*%< Canceled. */ #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and * have attempted a verify. */ -#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */ -#define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */ +#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */ /*! * NSEC proofs to be looked for. @@ -113,7 +94,6 @@ #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0) #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0) #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0) -#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0) #define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0) #define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) #define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0) @@ -159,18 +139,6 @@ validator_logcreate(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, const char *caller, const char *operation); -static isc_result_t -dlv_validatezonekey(dns_validator_t *val); - -static void -dlv_validator_start(dns_validator_t *val); - -static isc_result_t -finddlvsep(dns_validator_t *val, bool resume); - -static isc_result_t -startfinddlvsep(dns_validator_t *val, const dns_name_t *unsecure); - /*% * Mark the RRsets as a answer. */ 
@@ -228,38 +196,6 @@ exit_check(dns_validator_t *val) { return (true); } -/* - * Check that we have atleast one supported algorithm in the DLV RRset. - */ -static inline bool -dlv_algorithm_supported(dns_validator_t *val) { - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_dlv_t dlv; - isc_result_t result; - - for (result = dns_rdataset_first(&val->dlv); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&val->dlv)) { - dns_rdata_reset(&rdata); - dns_rdataset_current(&val->dlv, &rdata); - result = dns_rdata_tostruct(&rdata, &dlv, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - if (!dns_resolver_algorithm_supported(val->view->resolver, - val->event->name, - dlv.algorithm)) - continue; - - if (!dns_resolver_ds_digest_supported(val->view->resolver, - val->event->name, - dlv.digest_type)) - continue; - - return (true); - } - return (false); -} - /*% * Look in the NSEC record returned from a DS query to see if there is * a NS RRset at this name. If it is found we are at a delegation point. @@ -595,14 +531,9 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { "must be secure failure, no DS" " and this is a delegation"); validator_done(val, DNS_R_MUSTBESECURE); - } else if (val->view->dlv == NULL || DLVTRIED(val)) { - markanswer(val, "dsfetched2"); - validator_done(val, ISC_R_SUCCESS); - } else { - result = startfinddlvsep(val, tname); - if (result != DNS_R_WAIT) - validator_done(val, result); } + markanswer(val, "dsfetched2"); + validator_done(val, ISC_R_SUCCESS); } else { result = proveunsecure(val, false, true); if (result != DNS_R_WAIT) 
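Review bot: In dsfetched2 the must-be-secure failure is now overwritten: the added `markanswer(val, "dsfetched2"); validator_done(val, ISC_R_SUCCESS);` lines sit after the context `}` that now closes only the must-be-secure branch, so they run unconditionally right after `validator_done(val, DNS_R_MUSTBESECURE);`, calling validator_done() twice and reporting a delegation that failed dnssec-must-be-secure as a validated answer. The removed `else if` chain was what kept those two calls out of that branch, so the two added lines must go back into an else: `} else {` / `markanswer(val, "dsfetched2");` / `validator_done(val, ISC_R_SUCCESS);` / `}`. The dsvalidated hunk further down has the same shape (`result = DNS_R_MUSTBESECURE;` followed by an unconditional `result = ISC_R_SUCCESS;;`) and needs the same else. The must-be-secure branch opens above the hunk, so its condition is inferred from the log message.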
@@ -755,11 +686,9 @@ dsvalidated(isc_task_t *task, isc_event_t *event) { "must be secure failure, no DS " "and this is a delegation"); result = DNS_R_MUSTBESECURE; - } else if (val->view->dlv == NULL || DLVTRIED(val)) { - markanswer(val, "dsvalidated"); - result = ISC_R_SUCCESS;; - } else - result = startfinddlvsep(val, name); + } + markanswer(val, "dsvalidated"); + result = ISC_R_SUCCESS;; } else if ((val->attributes & VALATTR_INSECURITY) != 0) { result = proveunsecure(val, have_dsset, true); } else @@ -950,9 +879,6 @@ authvalidated(isc_task_t *task, isc_event_t *event) { /*% * Looks for the requested name and type in the view (zones and cache). * - * When looking for a DLV record also checks to make sure the NSEC record - * returns covers the query name as part of aggressive negative caching. - * * Returns: * \li ISC_R_SUCCESS * \li ISC_R_NOTFOUND @@ -966,14 +892,9 @@ static inline isc_result_t view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { dns_fixedname_t fixedname; dns_name_t *foundname; - dns_rdata_nsec_t nsec; - dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; unsigned int options; isc_time_t now; - char buf1[DNS_NAME_FORMATSIZE]; - char buf2[DNS_NAME_FORMATSIZE]; - char buf3[DNS_NAME_FORMATSIZE]; char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; @@ -993,8 +914,6 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { } options = DNS_DBFIND_PENDINGOK; - if (type == dns_rdatatype_dlv) - options |= DNS_DBFIND_COVERINGNSEC; foundname = dns_fixedname_initname(&fixedname); result = dns_view_find(val->view, name, type, 0, options, false, false, NULL, NULL, foundname, 
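Review bot: The added `result = ISC_R_SUCCESS;;` in dsvalidated carries a doubled semicolon over from the line it replaces; since the line is being rewritten anyway it should read `result = ISC_R_SUCCESS;`. It is also reached unconditionally after `result = DNS_R_MUSTBESECURE;`, the branch-structure issue raised on the dsfetched2 hunk, and wrapping the two added lines in `} else { ... }` fixes both functions the same way. The if/else chain this sits in opens above the hunk and continues past it.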
@@ -1005,74 +924,6 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); - } else if (result == DNS_R_COVERINGNSEC) { - validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC"); - /* - * Check if the returned NSEC covers the name. - */ - INSIST(type == dns_rdatatype_dlv); - if (val->frdataset.trust != dns_trust_secure) { - validator_log(val, ISC_LOG_DEBUG(3), - "covering nsec: trust %s", - dns_trust_totext(val->frdataset.trust)); - goto notfound; - } - result = dns_rdataset_first(&val->frdataset); - if (result != ISC_R_SUCCESS) - goto notfound; - dns_rdataset_current(&val->frdataset, &rdata); - if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && - !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) { - /* Parent NSEC record. */ - if (dns_name_issubdomain(name, foundname)) { - validator_log(val, ISC_LOG_DEBUG(3), - "covering nsec: for parent"); - goto notfound; - } - } - result = dns_rdata_tostruct(&rdata, &nsec, NULL); - if (result != ISC_R_SUCCESS) - goto notfound; - if (dns_name_compare(foundname, &nsec.next) >= 0) { - /* End of zone chain. */ - if (!dns_name_issubdomain(name, &nsec.next)) { - /* - * XXXMPA We could look for a parent NSEC - * at nsec.next and if found retest with - * this NSEC. - */ - dns_rdata_freestruct(&nsec); - validator_log(val, ISC_LOG_DEBUG(3), - "covering nsec: not in zone"); - goto notfound; - } - } else if (dns_name_compare(name, &nsec.next) >= 0) { - /* - * XXXMPA We could check if this NSEC is at a zone - * apex and if the qname is not below it and look for - * a parent NSEC with the same name. This requires - * that we can cache both NSEC records which we - * currently don't support. 
- */ - dns_rdata_freestruct(&nsec); - validator_log(val, ISC_LOG_DEBUG(3), - "covering nsec: not in range"); - goto notfound; - } - if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) { - dns_name_format(name, buf1, sizeof buf1); - dns_name_format(foundname, buf2, sizeof buf2); - dns_name_format(&nsec.next, buf3, sizeof buf3); - validator_log(val, ISC_LOG_DEBUG(3), - "covering nsec found: '%s' '%s' '%s'", - buf1, buf2, buf3); - } - if (dns_rdataset_isassociated(&val->frdataset)) - dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) - dns_rdataset_disassociate(&val->fsigrdataset); - dns_rdata_freestruct(&nsec); - result = DNS_R_NCACHENXDOMAIN; } else if (result != ISC_R_SUCCESS && result != DNS_R_NCACHENXDOMAIN && result != DNS_R_NCACHENXRRSET && @@ -1332,7 +1183,7 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { { /* * We know the key but haven't validated it yet or - * we have a key of trust answer but a DS/DLV + * we have a key of trust answer but a DS * record for the zone may have been added. */ result = create_validator(val, &siginfo->signer, 
@@ -1790,137 +1641,6 @@ keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata, return (result); } -/*% - * Validate the DNSKEY RRset by looking for a DNSKEY that matches a - * DLV record and that also verifies the DNSKEY RRset. - */ -static isc_result_t -dlv_validatezonekey(dns_validator_t *val) { - dns_rdata_dlv_t dlv; - dns_rdata_t dlvrdata = DNS_RDATA_INIT; - dns_rdata_t keyrdata = DNS_RDATA_INIT; - dns_rdataset_t trdataset; - bool supported_algorithm; - isc_result_t result; - char digest_types[256]; - - validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey"); - - /* - * Look through the DLV record and find the keys that can sign the - * key set and the matching signature. For each such key, attempt - * verification. - */ - supported_algorithm = false; - - /* - * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we - * are required to prefer it over DNS_DSDIGEST_SHA1. This in - * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a - * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present. 
- */ - memset(digest_types, 1, sizeof(digest_types)); - for (result = dns_rdataset_first(&val->dlv); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&val->dlv)) { - dns_rdata_reset(&dlvrdata); - dns_rdataset_current(&val->dlv, &dlvrdata); - result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - if (!dns_resolver_ds_digest_supported(val->view->resolver, - val->event->name, - dlv.digest_type)) - continue; - - if (!dns_resolver_algorithm_supported(val->view->resolver, - val->event->name, - dlv.algorithm)) - continue; - - if ((dlv.digest_type == DNS_DSDIGEST_SHA256 && - dlv.length == ISC_SHA256_DIGESTLENGTH) || - (dlv.digest_type == DNS_DSDIGEST_SHA384 && - dlv.length == ISC_SHA384_DIGESTLENGTH)) - { - digest_types[DNS_DSDIGEST_SHA1] = 0; - break; - } - } - - for (result = dns_rdataset_first(&val->dlv); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&val->dlv)) - { - dns_rdata_reset(&dlvrdata); - dns_rdataset_current(&val->dlv, &dlvrdata); - result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - if (digest_types[dlv.digest_type] == 0) - continue; - - if (!dns_resolver_ds_digest_supported(val->view->resolver, - val->event->name, - dlv.digest_type)) - continue; - - if (!dns_resolver_algorithm_supported(val->view->resolver, - val->event->name, - dlv.algorithm)) - continue; - - supported_algorithm = true; - - dns_rdataset_init(&trdataset); - dns_rdataset_clone(val->event->rdataset, &trdataset); - - /* - * Convert to DLV to DS and find matching DNSKEY. 
- */ - dlvrdata.type = dns_rdatatype_ds; - result = keyfromds(val, &trdataset, &dlvrdata, - dlv.digest_type, dlv.key_tag, - dlv.algorithm, &keyrdata); - if (result != ISC_R_SUCCESS) { - dns_rdataset_disassociate(&trdataset); - validator_log(val, ISC_LOG_DEBUG(3), - "no DNSKEY matching DLV"); - continue; - } - - validator_log(val, ISC_LOG_DEBUG(3), - "Found matching DLV record: checking for signature"); - /* - * Check that this DNSKEY signed the DNSKEY rrset. - */ - result = checkkey(val, &keyrdata, dlv.key_tag, dlv.algorithm); - - dns_rdataset_disassociate(&trdataset); - if (result == ISC_R_SUCCESS) - break; - validator_log(val, ISC_LOG_DEBUG(3), - "no RRSIG matching DLV key"); - } - if (result == ISC_R_SUCCESS) { - marksecure(val->event); - validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (dlv)"); - return (result); - } else if (result == ISC_R_NOMORE && !supported_algorithm) { - if (val->mustbesecure) { - validator_log(val, ISC_LOG_WARNING, - "must be secure failure," - "no supported algorithm/digest (dlv)"); - return (DNS_R_MUSTBESECURE); - } - validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm/digest (dlv)"); - markanswer(val, "dlv_validatezonekey (2)"); - return (ISC_R_SUCCESS); - } else - return (DNS_R_NOVALIDSIG); -} - /*% * Attempts positive response validation of an RRset containing zone keys * (i.e. a DNSKEY rrset). 
@@ -1953,22 +1673,7 @@ validatezonekey(dns_validator_t *val) { event = val->event; - if (val->havedlvsep && val->dlv.trust >= dns_trust_secure && - dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep))) - return (dlv_validatezonekey(val)); - if (val->dsset == NULL) { - - /* - * We have a dlv sep. Skip looking up the SEP from - * {trusted,managed}-keys. If the dlv sep is for the - * root then it will have been handled above so we don't - * need to check whether val->event->name is "." prior to - * looking up the DS. - */ - if (val->havedlvsep) - goto find_ds; - /* * First, see if this key was signed by a trusted key. */ @@ -2005,11 +1710,8 @@ validatezonekey(dns_validator_t *val) { } else validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root"); - if (val->view->dlv == NULL) { - markanswer(val, "validatezonekey (1)"); - return (ISC_R_SUCCESS); - } - return (startfinddlvsep(val, dns_rootname)); + markanswer(val, "validatezonekey (1)"); + return (ISC_R_SUCCESS); } if (result == DNS_R_PARTIALMATCH || result == ISC_R_SUCCESS) @@ -2079,7 +1781,7 @@ validatezonekey(dns_validator_t *val) { return (DNS_R_NOVALIDDS); } } - find_ds: + /* * Otherwise, try to find the DS record. */ @@ -2157,11 +1859,8 @@ validatezonekey(dns_validator_t *val) { " insecure DS"); return (DNS_R_MUSTBESECURE); } - if (val->view->dlv == NULL || DLVTRIED(val)) { - markanswer(val, "validatezonekey (2)"); - return (ISC_R_SUCCESS); - } - return (startfinddlvsep(val, val->event->name)); + markanswer(val, "validatezonekey (2)"); + return (ISC_R_SUCCESS); } /* 
@@ -2904,355 +2603,12 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { return (false); } -static void -dlvvalidated(isc_task_t *task, isc_event_t *event) { - dns_validatorevent_t *devent; - dns_validator_t *val; - isc_result_t eresult; - bool want_destroy; - - UNUSED(task); - INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); - - devent = (dns_validatorevent_t *)event; - val = devent->ev_arg; - eresult = devent->result; - - isc_event_free(&event); - dns_validator_destroy(&val->subvalidator); - - INSIST(val->event != NULL); - - validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated"); - LOCK(&val->lock); - if (CANCELED(val)) { - validator_done(val, ISC_R_CANCELED); - } else if (eresult == ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(3), - "dlvset with trust %s", - dns_trust_totext(val->frdataset.trust)); - dns_rdataset_clone(&val->frdataset, &val->dlv); - val->havedlvsep = true; - if (dlv_algorithm_supported(val)) - dlv_validator_start(val); - else { - markanswer(val, "dlvvalidated"); - validator_done(val, ISC_R_SUCCESS); - } - } else { - if (eresult != DNS_R_BROKENCHAIN) { - if (dns_rdataset_isassociated(&val->frdataset)) - dns_rdataset_expire(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) - dns_rdataset_expire(&val->fsigrdataset); - } - validator_log(val, ISC_LOG_DEBUG(3), - "dlvvalidated: got %s", - isc_result_totext(eresult)); - validator_done(val, DNS_R_BROKENCHAIN); - } - want_destroy = exit_check(val); - UNLOCK(&val->lock); - if (want_destroy) - destroy(val); -} - -/*% - * Callback from fetching a DLV record. - * - * Resumes the DLV lookup process. 
- */ -static void -dlvfetched(isc_task_t *task, isc_event_t *event) { - char namebuf[DNS_NAME_FORMATSIZE]; - dns_fetchevent_t *devent; - dns_validator_t *val; - bool want_destroy; - isc_result_t eresult; - isc_result_t result; - dns_fetch_t *fetch; - - UNUSED(task); - INSIST(event->ev_type == DNS_EVENT_FETCHDONE); - devent = (dns_fetchevent_t *)event; - val = devent->ev_arg; - eresult = devent->result; - - /* Free resources which are not of interest. */ - if (devent->node != NULL) - dns_db_detachnode(devent->db, &devent->node); - if (devent->db != NULL) - dns_db_detach(&devent->db); - if (dns_rdataset_isassociated(&val->fsigrdataset)) - dns_rdataset_disassociate(&val->fsigrdataset); - isc_event_free(&event); - - INSIST(val->event != NULL); - validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s", - dns_result_totext(eresult)); - - LOCK(&val->lock); - fetch = val->fetch; - val->fetch = NULL; - if (eresult == ISC_R_SUCCESS) { - dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, - sizeof(namebuf)); - dns_rdataset_clone(&val->frdataset, &val->dlv); - val->havedlvsep = true; - if (dlv_algorithm_supported(val)) { - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", - namebuf); - dlv_validator_start(val); - } else { - validator_log(val, ISC_LOG_DEBUG(3), - "DLV %s found with no supported algorithms", - namebuf); - markanswer(val, "dlvfetched (1)"); - validator_done(val, ISC_R_SUCCESS); - } - } else if (eresult == DNS_R_NXRRSET || - eresult == DNS_R_NXDOMAIN || - eresult == DNS_R_NCACHENXRRSET || - eresult == DNS_R_NCACHENXDOMAIN) { - result = finddlvsep(val, true); - if (result == ISC_R_SUCCESS) { - if (dlv_algorithm_supported(val)) { - dns_name_format(dns_fixedname_name(&val->dlvsep), - namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), - "DLV %s found", namebuf); - dlv_validator_start(val); - } else { - validator_log(val, ISC_LOG_DEBUG(3), - "DLV %s found with no supported " - "algorithms", namebuf); - markanswer(val, "dlvfetched (2)"); - 
validator_done(val, ISC_R_SUCCESS); - } - } else if (result == ISC_R_NOTFOUND) { - validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); - markanswer(val, "dlvfetched (3)"); - validator_done(val, ISC_R_SUCCESS); - } else { - validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", - dns_result_totext(result)); - if (result != DNS_R_WAIT) - validator_done(val, result); - } - } else { - validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", - dns_result_totext(eresult)); - validator_done(val, eresult); - } - want_destroy = exit_check(val); - UNLOCK(&val->lock); - if (fetch != NULL) - dns_resolver_destroyfetch(&fetch); - if (want_destroy) - destroy(val); -} - -/*% - * Start the DLV lookup process. - * - * Returns - * \li ISC_R_SUCCESS - * \li DNS_R_WAIT - * \li Others on validation failures. - */ -static isc_result_t -startfinddlvsep(dns_validator_t *val, const dns_name_t *unsecure) { - char namebuf[DNS_NAME_FORMATSIZE]; - isc_result_t result; - - INSIST(!DLVTRIED(val)); - - val->attributes |= VALATTR_DLVTRIED; - - dns_name_format(unsecure, namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), - "plain DNSSEC returns unsecure (%s): looking for DLV", - namebuf); - - if (dns_name_issubdomain(val->event->name, val->view->dlv)) { - validator_log(val, ISC_LOG_WARNING, "must be secure failure, " - " %s is under DLV (startfinddlvsep)", namebuf); - return (DNS_R_MUSTBESECURE); - } - - val->dlvlabels = dns_name_countlabels(unsecure) - 1; - result = finddlvsep(val, false); - if (result == ISC_R_NOTFOUND) { - validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); - markanswer(val, "startfinddlvsep (1)"); - return (ISC_R_SUCCESS); - } - if (result == DNS_R_NTACOVERED) { - validator_log(val, ISC_LOG_DEBUG(3), "DLV covered by NTA"); - validator_done(val, ISC_R_SUCCESS); - return (ISC_R_SUCCESS); - } - if (result != ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", - dns_result_totext(result)); - return (result); - } - 
dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, - sizeof(namebuf)); - if (dlv_algorithm_supported(val)) { - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); - dlv_validator_start(val); - return (DNS_R_WAIT); - } - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported " - "algorithms", namebuf); - markanswer(val, "startfinddlvsep (2)"); - validator_done(val, ISC_R_SUCCESS); - return (ISC_R_SUCCESS); -} - -/*% - * Continue the DLV lookup process. - * - * Returns - * \li ISC_R_SUCCESS - * \li ISC_R_NOTFOUND - * \li DNS_R_WAIT - * \li Others on validation failure. - */ -static isc_result_t -finddlvsep(dns_validator_t *val, bool resume) { - char namebuf[DNS_NAME_FORMATSIZE]; - dns_fixedname_t dlvfixed; - dns_name_t *dlvname; - dns_name_t *dlvsep; - dns_name_t noroot; - isc_result_t result; - unsigned int labels; - - INSIST(val->view->dlv != NULL); - - if (!resume) { - if (dns_name_issubdomain(val->event->name, val->view->dlv)) { - dns_name_format(val->event->name, namebuf, - sizeof(namebuf)); - validator_log(val, ISC_LOG_WARNING, - "must be secure failure, " - "%s is under DLV (finddlvsep)", namebuf); - return (DNS_R_MUSTBESECURE); - } - - dlvsep = dns_fixedname_initname(&val->dlvsep); - dns_name_copy(val->event->name, dlvsep, NULL); - /* - * If this is a response to a DS query, we need to look in - * the parent zone for the trust anchor. 
- */ - if (val->event->type == dns_rdatatype_ds) { - labels = dns_name_countlabels(dlvsep); - if (labels == 0) - return (ISC_R_NOTFOUND); - dns_name_getlabelsequence(dlvsep, 1, labels - 1, - dlvsep); - } - } else { - dlvsep = dns_fixedname_name(&val->dlvsep); - labels = dns_name_countlabels(dlvsep); - dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); - } - dns_name_init(&noroot, NULL); - dlvname = dns_fixedname_initname(&dlvfixed); - labels = dns_name_countlabels(dlvsep); - if (labels == 0) - return (ISC_R_NOTFOUND); - dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot); - result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL); - while (result == ISC_R_NOSPACE) { - labels = dns_name_countlabels(dlvsep); - dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); - dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot); - result = dns_name_concatenate(&noroot, val->view->dlv, - dlvname, NULL); - } - if (result != ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed"); - return (DNS_R_NOVALIDSIG); - } - - if (((val->options & DNS_VALIDATOR_NONTA) == 0) && - dns_view_ntacovers(val->view, val->start, dlvname, val->view->dlv)) - return (DNS_R_NTACOVERED); - - while (dns_name_countlabels(dlvname) >= - dns_name_countlabels(val->view->dlv) + val->dlvlabels) { - dns_name_format(dlvname, namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s", - namebuf); - result = view_find(val, dlvname, dns_rdatatype_dlv); - if (result == ISC_R_SUCCESS) { - if (DNS_TRUST_PENDING(val->frdataset.trust) && - dns_rdataset_isassociated(&val->fsigrdataset)) - { - dns_fixedname_init(&val->fname); - dns_name_copy(dlvname, - dns_fixedname_name(&val->fname), - NULL); - result = create_validator(val, - dns_fixedname_name(&val->fname), - dns_rdatatype_dlv, - &val->frdataset, - &val->fsigrdataset, - dlvvalidated, - "finddlvsep"); - if (result != ISC_R_SUCCESS) - return (result); - return (DNS_R_WAIT); - } - if 
(val->frdataset.trust < dns_trust_secure) { - validator_log(val, ISC_LOG_DEBUG(3), - "DLV not validated"); - return (DNS_R_NOVALIDSIG); - } - val->havedlvsep = true; - dns_rdataset_clone(&val->frdataset, &val->dlv); - return (ISC_R_SUCCESS); - } - if (result == ISC_R_NOTFOUND) { - result = create_fetch(val, dlvname, dns_rdatatype_dlv, - dlvfetched, "finddlvsep"); - if (result != ISC_R_SUCCESS) - return (result); - return (DNS_R_WAIT); - } - if (result != DNS_R_NXRRSET && - result != DNS_R_NXDOMAIN && - result != DNS_R_EMPTYNAME && - result != DNS_R_NCACHENXRRSET && - result != DNS_R_NCACHENXDOMAIN) - return (result); - /* - * Strip first labels from both dlvsep and dlvname. - */ - labels = dns_name_countlabels(dlvsep); - if (labels == 0) - break; - dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); - labels = dns_name_countlabels(dlvname); - dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname); - } - return (ISC_R_NOTFOUND); -} - /*% * proveunsecure walks down from the SEP looking for a break in the * chain of trust. That occurs when we can prove the DS record does * not exist at a delegation point or the DS exists at a delegation * but we don't support the algorithm/digest. * - * If DLV is active and we look for a DLV record at or below the - * point we go insecure. If found we restart the validation process. - * If not found or DLV isn't active we mark the response as a answer. - * * Returns: * \li ISC_R_SUCCESS val->event->name is in a unsecure zone * \li DNS_R_WAIT validation is in progress. @@ -3264,8 +2620,7 @@ finddlvsep(dns_validator_t *val, bool resume) { * \li DNS_R_BROKENCHAIN */ static isc_result_t -proveunsecure(dns_validator_t *val, bool have_ds, bool resume) -{ +proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { isc_result_t result; dns_fixedname_t fixedsecroot; dns_name_t *secroot; 
@@ -3273,42 +2628,36 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) char namebuf[DNS_NAME_FORMATSIZE]; dns_name_t *found; dns_fixedname_t fixedfound; + unsigned int labels; secroot = dns_fixedname_initname(&fixedsecroot); found = dns_fixedname_initname(&fixedfound); - if (val->havedlvsep) - dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL); - else { - unsigned int labels; - dns_name_copy(val->event->name, secroot, NULL); - /* - * If this is a response to a DS query, we need to look in - * the parent zone for the trust anchor. - */ + dns_name_copy(val->event->name, secroot, NULL); + /* + * If this is a response to a DS query, we need to look in + * the parent zone for the trust anchor. + */ - labels = dns_name_countlabels(secroot); - if (val->event->type == dns_rdatatype_ds && labels > 1U) - dns_name_getlabelsequence(secroot, 1, labels - 1, - secroot); - result = dns_keytable_finddeepestmatch(val->keytable, - secroot, secroot); - if (result == ISC_R_NOTFOUND) { - if (val->mustbesecure) { - validator_log(val, ISC_LOG_WARNING, - "must be secure failure, " - "not beneath secure root"); - result = DNS_R_MUSTBESECURE; - goto out; - } else - validator_log(val, ISC_LOG_DEBUG(3), - "not beneath secure root"); - if (val->view->dlv == NULL || DLVTRIED(val)) { - markanswer(val, "proveunsecure (1)"); - return (ISC_R_SUCCESS); - } - return (startfinddlvsep(val, dns_rootname)); - } else if (result != ISC_R_SUCCESS) - return (result); + labels = dns_name_countlabels(secroot); + if (val->event->type == dns_rdatatype_ds && labels > 1U) + dns_name_getlabelsequence(secroot, 1, labels - 1, + secroot); + result = dns_keytable_finddeepestmatch(val->keytable, + secroot, secroot); + if (result == ISC_R_NOTFOUND) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure, " + "not beneath secure root"); + result = DNS_R_MUSTBESECURE; + goto out; + } else + validator_log(val, ISC_LOG_DEBUG(3), + "not beneath secure root"); + 
markanswer(val, "proveunsecure (1)"); + return (ISC_R_SUCCESS); + } else if (result != ISC_R_SUCCESS) { + return (result); } if (!resume) { @@ -3322,18 +2671,17 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) * If we have a DS rdataset and it is secure then check if * the DS rdataset has a supported algorithm combination. * If not this is an insecure delegation as far as this - * resolver is concerned. Fall back to DLV if available. + * resolver is concerned. */ if (have_ds && val->frdataset.trust >= dns_trust_secure && !check_ds(val, dns_fixedname_name(&val->fname), - &val->frdataset)) { + &val->frdataset)) + { dns_name_format(dns_fixedname_name(&val->fname), namebuf, sizeof(namebuf)); - if ((val->view->dlv == NULL || DLVTRIED(val)) && - val->mustbesecure) { + if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, - "must be secure failure at '%s', " - "can't fall back to DLV", + "must be secure failure at '%s'", namebuf); result = DNS_R_MUSTBESECURE; goto out; @@ -3341,13 +2689,9 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) validator_log(val, ISC_LOG_DEBUG(3), "no supported algorithm/digest (%s/DS)", namebuf); - if (val->view->dlv == NULL || DLVTRIED(val)) { - markanswer(val, "proveunsecure (2)"); - result = ISC_R_SUCCESS; - goto out; - } - return(startfinddlvsep(val, - dns_fixedname_name(&val->fname))); + markanswer(val, "proveunsecure (2)"); + result = ISC_R_SUCCESS; + goto out; } val->labels++; } @@ -3407,11 +2751,8 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) "no DS at zone cut"); return (DNS_R_MUSTBESECURE); } - if (val->view->dlv == NULL || DLVTRIED(val)) { - markanswer(val, "proveunsecure (3)"); - return (ISC_R_SUCCESS); - } - return (startfinddlvsep(val, tname)); + markanswer(val, "proveunsecure (3)"); + return (ISC_R_SUCCESS); } if (val->frdataset.trust < dns_trust_secure) { /* 
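Review bot: In the re-indented block that closes the `result == ISC_R_NOTFOUND` branch of proveunsecure(), the braced `if (val->mustbesecure) { ... goto out; }` is paired with an unbraced `else validator_log(...)`, while the neighbouring `@@ -3322` hunk in the same function puts effort into brace placement; brace the else for consistency: `} else {` / `validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root");` / `}`. The blank line now sitting between the moved "If this is a response to a DS query" comment and the `labels = dns_name_countlabels(secroot);` it describes also reads as if the comment were orphaned; dropping it keeps comment and code together. proveunsecure() continues outside the hunk on both sides.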
@@ -3434,11 +2775,8 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) namebuf); return (DNS_R_MUSTBESECURE); } - if (val->view->dlv == NULL || DLVTRIED(val)) { - markanswer(val, "proveunsecure (4)"); - return (ISC_R_SUCCESS); - } - return (startfinddlvsep(val, tname)); + markanswer(val, "proveunsecure (4)"); + return (ISC_R_SUCCESS); } continue; } else if (result == DNS_R_CNAME) { @@ -3475,14 +2813,9 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) result = DNS_R_MUSTBESECURE; goto out; } - if (val->view->dlv == NULL || - DLVTRIED(val)) { - markanswer(val, - "proveunsecure (5)"); - result = ISC_R_SUCCESS; - goto out; - } - return(startfinddlvsep(val, tname)); + markanswer(val, "proveunsecure (5)"); + result = ISC_R_SUCCESS; + goto out; } continue; } @@ -3520,8 +2853,9 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) } else if (DNS_TRUST_PENDING(val->frdataset.trust) || DNS_TRUST_ANSWER(val->frdataset.trust)) { /* - * If we have "trust == answer" then this namespace - * has switched from insecure to should be secure. + * If we have "trust == answer" then this + * namespace has switched from insecure to + * should be secure. */ result = create_validator(val, tname, dns_rdatatype_ds, @@ -3571,25 +2905,6 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) return (result); } -/*% - * Reset state and revalidate the answer using DLV. - */ -static void -dlv_validator_start(dns_validator_t *val) { - isc_event_t *event; - - validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start"); - - /* - * Reset state and try again. - */ - val->attributes &= VALATTR_DLVTRIED; - val->options &= ~DNS_VALIDATOR_DLV; - - event = (isc_event_t *)val->event; - isc_task_send(val->task, &event); -} - /*% * Start the validation process. * 
@@ -3618,19 +2933,11 @@ validator_start(isc_task_t *task, isc_event_t *event) { if (val->event == NULL) return; - if (DLVTRIED(val)) - validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV"); - else - validator_log(val, ISC_LOG_DEBUG(3), "starting"); + validator_log(val, ISC_LOG_DEBUG(3), "starting"); LOCK(&val->lock); - if ((val->options & DNS_VALIDATOR_DLV) != 0 && - val->event->rdataset != NULL) { - validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV"); - result = startfinddlvsep(val, dns_rootname); - } else if (val->event->rdataset != NULL && - val->event->sigrdataset != NULL) { + if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) { isc_result_t saved_result; /* @@ -3780,9 +3087,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->currentset = NULL; val->keyset = NULL; val->dsset = NULL; - dns_rdataset_init(&val->dlv); val->seensig = false; - val->havedlvsep = false; val->depth = 0; val->authcount = 0; val->authfail = 0; @@ -3880,8 +3185,6 @@ destroy(dns_validator_t *val) { dns_keytable_detach(&val->keytable); if (val->subvalidator != NULL) dns_validator_destroy(&val->subvalidator); - if (val->havedlvsep) - dns_rdataset_disassociate(&val->dlv); if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) diff --git a/lib/dns/view.c b/lib/dns/view.c index 461722bd6a..cf6550b29d 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -205,7 +205,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->dstport = 53; view->preferred_glue = 0; view->flush = false; - view->dlv = NULL; view->maxudp = 0; view->staleanswerttl = 1; view->staleanswersok = dns_stale_answer_conf; 
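Review bot: validator_start() no longer consults the DNS_VALIDATOR_DLV option bit (the removed `(val->options & DNS_VALIDATOR_DLV) != 0` test), but nothing in this hunk shows the flag being removed from the public validator header; if it stays defined, a caller still passing it silently gets ordinary validation with no diagnostic. Either drop the definition in the same commit or mark it at its definition, e.g. `/* DNS_VALIDATOR_DLV: obsolete, accepted and ignored */`, so that the remaining `if (val->event->rdataset != NULL && val->event->sigrdataset != NULL)` path is documented as the only one. The rest of validator_start() lies outside the hunk.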
@@ -216,7 +215,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->maxbits = 0; view->rpzs = NULL; view->catzs = NULL; - dns_fixedname_init(&view->dlv_fixed); view->managed_keys = NULL; view->redirect = NULL; view->redirectzone = NULL; diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index d1733f49a8..f0645696c0 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -147,7 +147,6 @@ dns_client_freeupdate dns_client_mctx dns_client_request dns_client_resolve -dns_client_setdlv dns_client_setservers dns_client_startrequest dns_client_startresolve diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h index c8b3a08ad0..35729a4991 100644 --- a/lib/isccfg/include/isccfg/cfg.h +++ b/lib/isccfg/include/isccfg/cfg.h @@ -485,6 +485,10 @@ cfg_printx(const cfg_obj_t *obj, unsigned int flags, #define CFG_PRINTER_XKEY 0x1 /* '?' out shared keys. */ #define CFG_PRINTER_ONELINE 0x2 /* print config as a single line */ +#define CFG_PRINTER_ACTIVEONLY 0x4 /* print only active configuration + options, omitting ancient, + obsolete, nonimplemented, + and test-only options. */ /*%< * Print the configuration object 'obj' by repeatedly calling the @@ -496,7 +500,7 @@ cfg_printx(const cfg_obj_t *obj, unsigned int flags, */ void -cfg_print_grammar(const cfg_type_t *type, +cfg_print_grammar(const cfg_type_t *type, unsigned int flags, void (*f)(void *closure, const char *text, int textlen), void *closure); /*%< diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h index ffc594759d..e931282a0f 100644 --- a/lib/isccfg/include/isccfg/grammar.h +++ b/lib/isccfg/include/isccfg/grammar.h @@ -550,7 +550,7 @@ cfg_clause_validforzone(const char *name, unsigned int ztype); */ void -cfg_print_zonegrammar(const unsigned int zonetype, +cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags, void (*f)(void *closure, const char *text, int textlen), void *closure); /*%< 
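Review bot: The new `unsigned int flags` parameter added to the exported `cfg_print_grammar()` prototype in cfg.h is not described in the `/*%<` comment that follows it (the comment body lies outside the hunk); add a line such as `'flags' is a bitmask of CFG_PRINTER_* values; CFG_PRINTER_ACTIVEONLY omits obsolete, ancient, not-yet-implemented and test-only clauses.` The same applies to `cfg_print_zonegrammar()` in grammar.h. Both live in public headers, so the signature change breaks any out-of-tree caller of the old two-argument form and deserves a release-note mention alongside the new CFG_PRINTER_ACTIVEONLY define.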
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index bf7e3a5bca..09877f6952 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1876,7 +1876,7 @@ view_clauses[] = { { "dnssec-accept-expired", &cfg_type_boolean, 0 }, { "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "dnssec-lookaside", &cfg_type_lookaside, - CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, + CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_OBSOLETE }, { "dnssec-must-be-secure", &cfg_type_mustbesecure, CFG_CLAUSEFLAG_MULTI }, { "dnssec-validation", &cfg_type_boolorauto, 0 }, @@ -3851,7 +3851,7 @@ cfg_clause_validforzone(const char *name, unsigned int ztype) { } void -cfg_print_zonegrammar(const unsigned int zonetype, +cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags, void (*f)(void *closure, const char *text, int textlen), void *closure) { @@ -3866,7 +3866,7 @@ cfg_print_zonegrammar(const unsigned int zonetype, pctx.f = f; pctx.closure = closure; pctx.indent = 0; - pctx.flags = 0; + pctx.flags = flags; memmove(clauses, zone_clauses, sizeof(zone_clauses)); memmove(clauses + sizeof(zone_clauses)/sizeof(zone_clauses[0]) - 1, @@ -3922,8 +3922,17 @@ cfg_print_zonegrammar(const unsigned int zonetype, } for (clause = clauses; clause->name != NULL; clause++) { + if (((pctx.flags & CFG_PRINTER_ACTIVEONLY) != 0) && + (((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0))) + { + continue; + } if ((clause->flags & zonetype) == 0 || - strcasecmp(clause->name, "type") == 0) { + strcasecmp(clause->name, "type") == 0) + { continue; } cfg_print_indent(&pctx); diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index 453e18cd5d..06b5134080 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c 
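Review bot: The active-only filter added to cfg_print_zonegrammar() spells out four separate `(clause->flags & CFG_CLAUSEFLAG_…) != 0` tests, and the identical eight-line block is pasted again into cfg_doc_mapbody() and cfg_doc_map() in parser.c; a single mask keeps the three sites in step when another clause flag is introduced: `if ((pctx.flags & CFG_PRINTER_ACTIVEONLY) != 0 &&` / `(clause->flags & (CFG_CLAUSEFLAG_OBSOLETE | CFG_CLAUSEFLAG_ANCIENT |` / `CFG_CLAUSEFLAG_NYI | CFG_CLAUSEFLAG_TESTONLY)) != 0)` (with `pctx->flags` in the parser.c copies), or better a small shared predicate in grammar.h. The filter deliberately lets CFG_CLAUSEFLAG_DEPRECATED clauses through, which agrees with the CFG_PRINTER_ACTIVEONLY comment, but since the `dnssec-lookaside` hunk above shows deprecated and obsolete being treated differently it is worth a one-line comment at the test, e.g. `/* deprecated clauses still work, so keep printing them */`.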
@@ -2312,6 +2312,14 @@ cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) { for (clauseset = type->of; *clauseset != NULL; clauseset++) { for (clause = *clauseset; clause->name != NULL; clause++) { + if (((pctx->flags & CFG_PRINTER_ACTIVEONLY) != 0) && + (((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0))) + { + continue; + } cfg_print_cstr(pctx, clause->name); cfg_print_cstr(pctx, " "); cfg_doc_obj(pctx, clause->type); @@ -2359,6 +2367,14 @@ cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) { for (clauseset = type->of; *clauseset != NULL; clauseset++) { for (clause = *clauseset; clause->name != NULL; clause++) { + if (((pctx->flags & CFG_PRINTER_ACTIVEONLY) != 0) && + (((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) || + ((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0))) + { + continue; + } cfg_print_indent(pctx); cfg_print_cstr(pctx, clause->name); if (clause->type->print != cfg_print_void) @@ -3460,7 +3476,7 @@ cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) { } void -cfg_print_grammar(const cfg_type_t *type, +cfg_print_grammar(const cfg_type_t *type, unsigned int flags, void (*f)(void *closure, const char *text, int textlen), void *closure) { @@ -3469,7 +3485,7 @@ cfg_print_grammar(const cfg_type_t *type, pctx.f = f; pctx.closure = closure; pctx.indent = 0; - pctx.flags = 0; + pctx.flags = flags; cfg_doc_obj(&pctx, type); } diff --git a/lib/samples/Makefile-postinstall.in b/lib/samples/Makefile-postinstall.in index 8992ced646..f87f4c93d9 100644 --- a/lib/samples/Makefile-postinstall.in +++ b/lib/samples/Makefile-postinstall.in 
@@ -24,14 +24,13 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
 SUBDIRS =
 
 TARGETS = sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
- sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@ \
- dlvchecks@EXEEXT@
+ sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
 
 OBJS = sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
- sample-request.@O@ nsprobe.@O@ dlvchecks.@O@
+ sample-request.@O@ nsprobe.@O@
 
 SRCS = sample.c sample-async.c sample-gai.c sample-update.c \
- sample-request.c nsprobe.c dlvchecks..c
+ sample-request.c nsprobe.c
 
 @BIND9_MAKE_RULES@
 
@@ -63,9 +62,5 @@ nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
 ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 nsprobe.@O@ ${LIBS}
 
-dlvchecks@EXEEXT@: dlvchecks.@O@ ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dlvchecks.@O@ ${LIBS}
-
 clean distclean maintainer-clean::
 rm -f ${TARGETS}
diff --git a/util/copyrights b/util/copyrights
index ce505528e3..6585a7c037 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -426,20 +426,16 @@
 ./bin/tests/system/checkds/dig.bat BAT 2016,2018,2019
 ./bin/tests/system/checkds/dig.pl PERL 2014,2016,2017,2018,2019
 ./bin/tests/system/checkds/dig.sh SH 2012,2013,2016,2017,2018,2019
-./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/missing.example.ds.db X 2012,2018,2019
-./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/none.example.ds.db X 2012,2018,2019
-./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/ok.example.ds.db X 2012,2018,2019
 ./bin/tests/system/checkds/prep.example.db X 2017,2018,2019
 ./bin/tests/system/checkds/prep.example.ds.db X 2017,2018,2019
 ./bin/tests/system/checkds/setup.sh SH 2012,2013,2014,2016,2018,2019
 ./bin/tests/system/checkds/tests.sh SH 2012,2013,2014,2016,2017,2018,2019
-./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/wrong.example.ds.db X 2012,2018,2019
 ./bin/tests/system/checknames/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019
@@ -506,13 +502,6 @@
 ./bin/tests/system/digdelv/setup.sh SH 2018,2019
 ./bin/tests/system/digdelv/tests.sh SH 2015,2016,2017,2018,2019
 ./bin/tests/system/ditch.pl PERL 2015,2016,2018,2019
-./bin/tests/system/dlv/clean.sh SH 2004,2007,2010,2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns1/sign.sh SH 2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns2/sign.sh SH 2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns3/sign.sh SH 2004,2007,2009,2010,2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/ns6/sign.sh SH 2010,2011,2012,2014,2016,2018,2019
-./bin/tests/system/dlv/setup.sh SH 2004,2007,2009,2011,2012,2014,2016,2017,2018,2019
-./bin/tests/system/dlv/tests.sh SH 2004,2007,2010,2011,2012,2016,2018,2019
 ./bin/tests/system/dlz/clean.sh SH 2010,2012,2014,2016,2018,2019
 ./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= TXT.BRIEF 2015,2016,2018,2019
 ./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= TXT.BRIEF 2015,2016,2018,2019
@@ -1539,6 +1528,7 @@
 ./doc/misc/migration-4to9 TXT.BRIEF 2001,2004,2016,2018,2019
 ./doc/misc/mirror.zoneopt X 2018,2019
 ./doc/misc/options X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
+./doc/misc/options.active X 2019
 ./doc/misc/redirect.zoneopt X 2018,2019
 ./doc/misc/rfc-compliance TXT.BRIEF 2001,2004,2015,2016,2018,2019
 ./doc/misc/roadmap TXT.BRIEF 2000,2001,2004,2016,2017,2018,2019