[master] de-DLV

4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]
This commit is contained in:
Evan Hunt 2017-10-03 00:28:31 -07:00
parent a009d03a1a
commit f29359299a
27 changed files with 207 additions and 569 deletions

CHANGES

@ -1,3 +1,13 @@
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
- "dnssec-lookaside auto" and configuration of
"dnssec-lookaide" with dlv.isc.org as trust
anchor are both now fatal errors.
[RT #46155]
4748. [cleanup] Sprintf to snprintf coversions. [RT #46132]
4747. [func] Synthesis of responses from DNSSEC-verified records.


@ -574,7 +574,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
isc_boolean_t match_root, match_dlv;
isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
@ -582,8 +582,10 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
if (!root_validation && !dlv_validation)
return (ISC_R_SUCCESS);
match_root = dns_name_equal(keyname, anchor_name);
match_dlv = dns_name_equal(keyname, dlv_name);
if (anchor_name)
match_root = dns_name_equal(keyname, anchor_name);
if (dlv_name)
match_dlv = dns_name_equal(keyname, dlv_name);
if (!match_root && !match_dlv)
return (ISC_R_SUCCESS);
@ -713,14 +715,10 @@ setup_dnsseckeys(dns_client_t *client) {
fatal("out of memory");
}
if (dlv_anchor == NULL) {
dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org");
if (dlv_anchor == NULL)
fatal("out of memory");
}
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
if (trust_anchor != NULL)
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
if (dlv_anchor != NULL)
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
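Review bot: Now that the built-in "dlv.isc.org" default is gone, `dlv_validation` can apparently be true while `dlv_anchor` (and therefore `dlv_name`) stays NULL, and the new guards `if (dlv_anchor != NULL)` and `if (dlv_name)` make key_fromconfig silently skip every DLV key in that state rather than reporting it, so a `+dlv` given without a name would seem to validate while lookaside is never consulted. If option parsing (not in this hunk) still accepts a bare `+dlv`, failing early in setup_dnsseckeys is safer, e.g. `if (dlv_validation && dlv_anchor == NULL) fatal("+dlv requires a zone name; the ISC DLV default has been removed");`. The `= ISC_FALSE` initializers for `match_root`/`match_dlv` are required now that the assignments are conditional, and the code also relies on `anchor_name`/`dlv_name` being NULL-initialized at file scope, which is outside the hunk; the `if (trust_anchor != NULL)` guard looks redundant given the default-assignment block just above it, assuming that block does what its `fatal("out of memory")` tail suggests. Both key_fromconfig and setup_dnsseckeys continue outside the hunk.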


@ -99,8 +99,7 @@
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
anchor for the root zone ("."). Records returned by
<command>delv</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
@ -202,14 +201,15 @@
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
one or more trust anchors for the root zone (".").
</para>
<para>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <option>+dlv=NAME</option> or
<option>+root=NAME</option> options.
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options. DNSSEC Lookaside
Validation can also be turned on by using the
<option>+dlv=NAME</option> to specify the name of a
zone containing DLV records.
</para>
<para>
Note: When reading the trust anchor file,
@ -639,11 +639,8 @@
<para>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<option>-a</option> must be used to specify a file
containing the DLV key.
The <option>-a</option> option must also be used to specify
a file containing the DLV key.
</para>
</listitem>
</varlistentry>


@ -127,9 +127,6 @@ options {\n\
trust-anchor-telemetry yes;\n\
# use-id-pool <obsolete>;\n\
# use-ixfr <obsolete>;\n\
\n\
/* DLV */\n\
dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\
/* view */\n\
allow-new-zones no;\n\
@ -295,8 +292,8 @@ view \"_bind\" chaos {\n\
};\n\
"
"#\n\
# Default trusted key(s) for builtin DLV support\n\
# (used if \"dnssec-lookaside auto;\" is set and\n\
# Default trusted key(s), used if \n\
# \"dnssec-validation auto;\" is set and\n\
# sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN MANAGED KEYS\n"
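Review bot: The rewritten comment in the MANAGED_KEYS default string leaves an unmatched parenthesis in the generated bind.keys text: the removed line `# (used if "dnssec-lookaside auto;" is set and` carried the opening `(`, but the unchanged context line `# sysconfdir/bind.keys doesn't exist).` still ends with `)`. The new line `# Default trusted key(s), used if \n\` also emits a trailing space before the newline. Suggested lines: `# Default trusted key(s), used if\n\`, `# \"dnssec-validation auto;\" is set and\n\`, `# sysconfdir/bind.keys doesn't exist.\n\`.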


@ -884,8 +884,7 @@ keyloaded(dns_view_t *view, const dns_name_t *name) {
static isc_result_t
configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *config, const cfg_obj_t *bindkeys,
isc_boolean_t auto_dlv, isc_boolean_t auto_root,
isc_mem_t *mctx)
isc_boolean_t auto_root, isc_mem_t *mctx)
{
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *view_keys = NULL;
@ -944,65 +943,6 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
return (ISC_R_UNEXPECTED);
}
if (auto_dlv && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
/*
* If bind.keys exists and is populated, it overrides
* the managed-keys clause hard-coded in named_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
"obtaining DLV key for view %s "
"from '%s'",
view->name, named_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(bindkeys, "managed-keys",
&builtin_managed_keys);
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
isc_log_write(named_g_lctx,
DNS_LOGCATEGORY_SECURITY,
NAMED_LOGMODULE_SERVER,
ISC_LOG_WARNING,
"dnssec-lookaside auto: "
"WARNING: key for dlv.isc.org "
"not found");
}
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
{
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
"using built-in DLV key for view %s",
view->name);
(void)cfg_map_get(named_g_config, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(named_g_config, "managed-keys",
&builtin_managed_keys);
}
if (builtin_keys != NULL)
CHECK(load_view_keys(builtin_keys, vconfig, view,
ISC_FALSE, view->dlv, mctx));
if (builtin_managed_keys != NULL)
CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, view->dlv, mctx));
if (!keyloaded(view, view->dlv)) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"DLV key not loaded");
result = ISC_R_FAILURE;
goto cleanup;
}
}
if (auto_root && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
@ -3692,7 +3632,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
const cfg_obj_t *disablelist = NULL;
isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL;
isc_boolean_t auto_dlv = ISC_FALSE;
isc_boolean_t auto_root = ISC_FALSE;
named_cache_t *nsc;
isc_boolean_t zero_no_soattl;
@ -4993,19 +4932,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
/* If set to "auto", use the version from the defaults */
/* "auto" is deprecated, log a warning if seen */
const char *dom;
dlvobj = cfg_listelt_value(cfg_list_first(obj));
dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
/* If "no", skip; if "auto", use global default */
if (!strcasecmp(dom, "no"))
/* If "no", skip; if "auto", log warning */
if (!strcasecmp(dom, "no")) {
result = ISC_R_NOTFOUND;
} else if (!strcasecmp(dom, "auto")) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
"WARNING: the DLV server at "
"'dlv.isc.org' is no longer "
"in service; dnssec-lookaside "
"ignored");
result = ISC_R_NOTFOUND;
else if (!strcasecmp(dom, "auto")) {
auto_dlv = ISC_TRUE;
obj = NULL;
result = cfg_map_get(named_g_defaults,
"dnssec-lookaside", &obj);
}
}
}
@ -5015,6 +4956,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_fixedname_t f;
dns_fixedname_init(&f);
/* Also log a warning if manually configured to dlv.isc.org */
iscdlv = dns_fixedname_name(&f);
CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
@ -5028,27 +4970,27 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dlv = dns_fixedname_name(&view->dlv_fixed);
CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
DNS_NAME_DOWNCASE, NULL));
view->dlv = dns_fixedname_name(&view->dlv_fixed);
if (dns_name_equal(view->dlv, iscdlv)) {
if (auto_dlv)
obj = dlvobj;
if (dns_name_equal(dlv, iscdlv)) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
"WARNING: the DLV server at "
"'dlv.isc.org' is expected to "
"cease operation by the end "
"of January 2017");
"'dlv.isc.org' is no longer "
"in service; dnssec-lookaside "
"ignored");
view->dlv = NULL;
} else {
view->dlv = dlv;
}
}
} else
} else {
view->dlv = NULL;
}
/*
* For now, there is only one kind of trusted keys, the
* "security roots".
*/
CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
auto_dlv, auto_root, mctx));
auto_root, mctx));
dns_resolver_resetmustbesecure(view->resolver);
obj = NULL;
result = named_config_get(maps, "dnssec-must-be-secure", &obj);
@ -7604,8 +7546,7 @@ load_configuration(const char *filename, named_server_t *server,
/*
* If bind.keys exists, load it. If "dnssec-validation auto"
* is turned on, the root key found there will be used as a
* default trust anchor, and if "dnssec-lookaside auto" is
* turned on, then the DLV key found there will too.
* default trust anchor.
*/
obj = NULL;
result = named_config_get(maps, "bindkeys-file", &obj);
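Review bot: The runtime handling in configure_view contradicts the CHANGES entry in this same commit: both the `auto` branch and the explicit `dlv.isc.org` branch log at ISC_LOG_WARNING that dnssec-lookaside is "ignored" and continue with `view->dlv = NULL` / `result = ISC_R_NOTFOUND`, while CHANGES says both configurations are "now fatal errors". If named-checkconf's configuration check (not in this diff) rejects them before configure_view runs, these branches are dead and the "ignored" wording is misleading; if it does not, the server starts with a setting the operator believes is in force, which for a validator is worth failing loudly on. Either raise the severity and fail here, e.g. `cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR, ...); result = ISC_R_FAILURE; goto cleanup;`, or reword the CHANGES entry to describe warn-and-ignore. Minor: the `auto` branch passes the whole `dnssec-lookaside` list `obj` to cfg_obj_log where the removed `if (auto_dlv) obj = dlvobj;` used to point at the element; both resolve to a file:line, so this only affects precision. configure_view and configure_view_dnsseckeys both start and end outside the hunks shown.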


@ -87,9 +87,6 @@
<para>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com"
in ISC's DLV zone, use:
<command>dnssec-checkds -l dlv.isc.org example.com</command>
</para>
</listitem>
</varlistentry>


@ -0,0 +1,3 @@
options {
dnssec-lookaside auto;
};


@ -0,0 +1,3 @@
options {
dnssec-lookaside . trust-anchor dlv.isc.org;
};


@ -24,7 +24,7 @@ view view2 {
view view3 {
match-clients { none; };
dnssec-lookaside auto;
dnssec-validation auto;
};
view view4 {


@ -80,7 +80,6 @@ view "first" {
type master;
file "yyy";
};
dnssec-lookaside auto;
dnssec-validation auto;
zone-statistics terse;
};
@ -111,7 +110,7 @@ view "second" {
1.2.3.4;
};
};
dnssec-lookaside "." trust-anchor "dlv.isc.org.";
dnssec-lookaside "." trust-anchor "example.org.";
dnssec-validation auto;
zone-statistics full;
};


@ -71,7 +71,7 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update
SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz chain
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlvauto dlz dlzexternal
database digdelv dlv dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
emptyzones fetchlimit filter-aaaa formerr geoip glue gost
inline integrity ixfr keepalive @KEYMGR@ legacy limits


@ -1,20 +0,0 @@
# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
rm -f ns1/K*
rm -f ns1/*.signed
rm -f ns1/*.db
rm -f ns1/bind.keys
rm -f ns1/*.mkeys.jnl
rm -f ns1/*.mkeys
rm -f */named.run
rm -f */named.memstats
rm -f ns1/dsset-*.
rm -f ns2/*.mkeys
rm -f ns2/*.mkeys.jnl
rm -f dig.out.ns?.test*
rm -f ns2/named.secroots
rm -f ns*/named.lock


@ -1,17 +0,0 @@
; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: dlv.isc.org.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
$TTL 300
@ IN SOA a.root-servers.nil. hostmaster.isc.org. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
@ NS a.root-servers.nil.


@ -1,37 +0,0 @@
/*
* Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.2 2011/03/01 22:44:04 marka Exp $ */
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db";
};
zone "dlv.isc.org" {
type master;
file "dlv.isc.org.db.signed";
};


@ -1,20 +0,0 @@
; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: root.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
dlv.isc.org. NS a.root-servers.nil.


@ -1,44 +0,0 @@
#!/bin/sh -e
#
# Copyright (C) 2011, 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=dlv.isc.org
infile=dlv.isc.org.db.in
zonefile=dlv.isc.org.db
dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $dlvkey.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=.
infile=root.db.in
zonefile=root.db
rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $rootkey.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
# Create bind.keys file for the use of the resolving server
echo "managed-keys {" > bind.keys
cat $dlvkey.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
"$dn" initial-key $flags $proto $alg "$key";
EOF
' >> bind.keys
cat $rootkey.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
"$dn" initial-key $flags $proto $alg "$key";
EOF
' >> bind.keys
echo "};" >> bind.keys


@ -1,53 +0,0 @@
/*
* Copyright (C) 2011, 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.3 2011/03/03 16:16:47 each Exp $ */
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
notify no;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "../ns1/bind.keys";
dnssec-lookaside "auto";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
view "in" {
recursion yes;
zone "." {
type hint;
file "../../common/root.hint";
};
};
view "ch" ch {
match-clients { 127.0.0.1; };
};
view "unused" {
match-clients { none; };
};


@ -1,12 +0,0 @@
#!/bin/sh
#
# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh


@ -1,16 +0,0 @@
#!/bin/sh -e
#
# Copyright (C) 2011, 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cd ns1 && $SHELL sign.sh


@ -1,58 +0,0 @@
# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
status=0
n=1
echo "I:checking that a warning was logged about the ISC DLV service ($n)"
ret=0
warnings=`grep "WARNING: the DLV server at 'dlv.isc.org'" ns2/named.run`
[ -z "$warnings" ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# When this was initialy reported there was a REQUIRE failure on restarting.
#
n=`expr $n + 1`
echo "I:checking dnssec-lookaside "'"auto"'"; with views of multiple classes ($n)"
if [ -s ns2/named.pid ]
then
ret=0
$PERL $SYSTEMTESTTOP/stop.pl . ns2 || ret=1
sleep 1
(cd ns2; $NAMED -g -d 100 -X named.lock -c named.conf >> named.run 2>&1 & )
sleep 2
$DIG $DIGOPTS soa . @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
else
echo "I:failed"
status=1
fi
n=`expr $n + 1`
echo "I:checking that only the DLV key was imported from bind.keys ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots 2>&1 | sed 's/^/I:ns2 /'
linecount=`grep "\./RSAMD5/.* ; managed" ns2/named.secroots | wc -l`
[ "$linecount" -eq 0 ] || ret=1
linecount=`grep "dlv.isc.org/RSAMD5/.* ; managed" ns2/named.secroots | wc -l`
[ "$linecount" -eq 2 ] || ret=1
linecount=`cat ns2/named.secroots | wc -l`
[ "$linecount" -eq 25 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1


@ -1,45 +1,26 @@
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
# which are included as part of BIND 9. The only trust anchors it contains
# are for the DNS root zone ("."). Trust anchors for any other zones MUST
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
# To use the built-in key, use "dnssec-validation auto;" in the
# named.conf options. Without this option being set, the keys in this
# file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017. If any key fails to
# These keys are current as of October 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
#
# See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information for the root zone.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
#
# NOTE: The ISC DLV zone is being phased out as of February 2017;
# the key will remain in place but the zone will be otherwise empty.
# Configuring "dnssec-lookaside auto;" to activate this key is
# harmless, but is no longer useful and is not recommended.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
@ -52,7 +33,7 @@ managed-keys {
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
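Review bot: Removing the dlv.isc.org initial-key from the managed-keys block does not retire that anchor on servers that already activated it: the deleted dlvauto test's clean.sh removes `*.mkeys` and `*.mkeys.jnl`, which shows managed keys are persisted per view, so a resolver that ran with `dnssec-lookaside auto` before upgrading will presumably keep the dlv.isc.org anchor in its managed-keys database and keep issuing RFC 5011 refresh queries for it until it is removed (inferred; the mkeys handling itself is not in this diff). A line in the header comment, e.g. `# Servers that previously used "dnssec-lookaside auto;" may still hold the old dlv.isc.org anchor in their managed-keys database and should remove it.`, or a matching CHANGES note, would spare operators from investigating unexplained queries to dlv.isc.org. Separately, `If any key fails to initialize correctly, it may have expired` still describes root KSKs as expiring; they are rolled rather than expired, so `it may have been rolled` is the more accurate wording.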


@ -1,46 +1,27 @@
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
# named.conf options. Without this option being set, the keys in this\n\
# file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of Feburary 2017. If any key fails to\n\
# These keys are current as of October 2017. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
#\n\
# See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information for the root zone.\n\
\n\
trusted-keys {\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
#\n\
# NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
# the key will remain in place but the zone will be otherwise empty.\n\
# Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
# harmless, but is no longer useful and is not recommended.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
#\n\
# These keys are activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
#\n\
# This key (19036) is to be phased out starting in 2017. It will\n\
# remain in the root zone for some time after its successor key\n\
# has been added. It will remain this file until it is removed from\n\
@ -53,7 +34,7 @@ trusted-keys {\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
\n\
# This key (20326) is to be published in the root zone in 2017.\n\
# This key (20326) was published in the root zone in 2017.\n\
# Servers which were already using the old key (19036) should\n\
# roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
# being set up for the first time can use the contents of this\n\
@ -72,47 +53,28 @@ trusted-keys {\n\
#define MANAGED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
# named.conf options. Without this option being set, the keys in this\n\
# file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of Feburary 2017. If any key fails to\n\
# These keys are current as of October 2017. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
#\n\
# See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information for the root zone.\n\
\n\
managed-keys {\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
#\n\
# NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
# the key will remain in place but the zone will be otherwise empty.\n\
# Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
# harmless, but is no longer useful and is not recommended.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
#\n\
# These keys are activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
#\n\
# This key (19036) is to be phased out starting in 2017. It will\n\
# remain in the root zone for some time after its successor key\n\
# has been added. It will remain this file until it is removed from\n\
@ -125,7 +87,7 @@ managed-keys {\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
\n\
# This key (20326) is to be published in the root zone in 2017.\n\
# This key (20326) was published in the root zone in 2017.\n\
# Servers which were already using the old key (19036) should\n\
# roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
# being set up for the first time can use the contents of this\n\


@ -5183,9 +5183,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<para>
The pathname of a file to override the built-in trusted
keys provided by <command>named</command>.
See the discussion of <command>dnssec-lookaside</command>
and <command>dnssec-validation</command> for details.
If not specified, the default is
See the discussion of <command>dnssec-validation</command>
for details. If not specified, the default is
<filename>/etc/bind.keys</filename>.
</para>
</listitem>
@ -5434,40 +5433,18 @@ options {
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
</para>
<para>
If <command>dnssec-lookaside</command> is set to
<userinput>auto</userinput>, then built-in default
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
</para>
<para>
If <command>dnssec-lookaside</command> is set to
<userinput>no</userinput>, then dnssec-lookaside
is not used.
</para>
<para>
The default DLV key is stored in the file
<filename>bind.keys</filename>;
<command>named</command> will load that key at
startup if <command>dnssec-lookaside</command> is set to
<constant>auto</constant>. A copy of the file is
installed along with <acronym>BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <filename>bind.keys</filename> can be downloaded
from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/solutions/dlv/">https://www.isc.org/solutions/dlv/</link>.
</para>
<para>
(To prevent problems if <filename>bind.keys</filename> is
not found, the current key is also compiled in to
<command>named</command>. Relying on this is not
recommended, however, as it requires <command>named</command>
to be recompiled with a new key when the DLV key expires.)
</para>
<para>
NOTE: <command>named</command> only loads certain specific
keys from <filename>bind.keys</filename>: those for the
DLV zone and for the DNS root zone. The file cannot be
used to store keys for other zones.
NOTE: The ISC-provided DLV service at
<literal>dlv.isc.org</literal>, has been shut down.
The <command>dnssec-lookaside auto;</command>
configuration option, which set <command>named</command>
up to use ISC DLV with minimal configuration, has
accordingly been removed.
</para>
</listitem>
</varlistentry>
@ -5484,7 +5461,7 @@ options {
be accepted. The specified domain must be under a
<command>trusted-keys</command> or
<command>managed-keys</command> statement, or
<command>dnssec-lookaside</command> must be active.
<command>dnssec-validation auto</command> must be active.
</para>
</listitem>
</varlistentry>
@ -6605,9 +6582,8 @@ options {
Causes <command>named</command> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via <command>trusted-keys</command>,
<command>managed-keys</command>,
<command>dnssec-validation auto</command>, or
<command>dnssec-lookaside auto</command>.
<command>managed-keys</command>, or
<command>dnssec-validation auto</command>.
</para>
<para>
The query name used for these queries has the
@ -6909,16 +6885,44 @@ options {
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
If set to <userinput>no</userinput>, DNSSEC validation
is disabled. If set to <userinput>auto</userinput>,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
<userinput>yes</userinput>, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a <command>trusted-keys</command> or
<command>managed-keys</command> statement. The default
is disabled.
</para>
<para>
If set to <userinput>auto</userinput>, DNSSEC validation
is enabled, and a default trust anchor for the DNS root
zone is used. If set to <userinput>yes</userinput>,
DNSSEC validation is enabled, but a trust anchor must be
manually configured using a <command>trusted-keys</command>
or <command>managed-keys</command> statement. The default
is <userinput>yes</userinput>.
</para>
<para>
The default root trust anchor is stored in the file
<filename>bind.keys</filename>.
<command>named</command> will load that key at
startup if <command>dnssec-validation</command> is
set to <constant>auto</constant>. A copy of the file is
installed along with BIND 9, and is current as of the
release date. If the root key expires, a new copy of
<filename>bind.keys</filename> can be downloaded
from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/bind-keys">https://www.isc.org/bind-keys</link>.
</para>
<para>
To prevent problems if <filename>bind.keys</filename> is
not found, the current trust anchor is also compiled in
to <command>named</command>. Relying on this is not
recommended, however, as it requires <command>named</command>
to be recompiled with a new key when the root key expires.)
</para>
<note>
<para>
<command>named</command> <emphasis>only</emphasis>
loads the root key from <filename>bind.keys</filename>.
The file cannot be used to store keys for other zones.
The root key in <filename>bind.keys</filename> is ignored
if <command>dnssec-validation auto</command> is not in
use.
</para>
<para>
Whenever the resolver sends out queries to an
EDNS-compliant server, it always sets the DO bit
@ -11544,15 +11548,13 @@ example.com CNAME rpz-tcp-only.
If the <command>dnssec-validation</command> option is
set to <userinput>auto</userinput>, <command>named</command>
will automatically initialize a managed key for the
root zone. Similarly, if the <command>dnssec-lookaside</command>
option is set to <userinput>auto</userinput>,
<command>named</command> will automatically initialize
a managed key for the zone <literal>dlv.isc.org</literal>.
(Note: The ISC DLV service is expected to cease operation by
the end of 2017.) In both cases, the key that is used to
initialize the key maintenance process is built into
<command>named</command>, and can be overridden from
<command>bindkeys-file</command>.
root zone. The key that is used to initialize the key
maintenance process is stored in <filename>bind.keys</filename>;
the location of this file can be overridden with the
<command>bindkeys-file</command> option. As a fallback
in the event no <filename>bind.keys</filename> can be
found, the initializing key is also compiled directly
into <command>named</command>.
</para>
</section>

View file

@ -421,6 +421,19 @@
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
The ISC DNSSEC Lookaside Validation (DLV) service has been shut
down; all DLV records in the dlv.isc.org zone have been removed.
References to the service have been removed from BIND documentation.
Lookaside validation is no longer used by default by
<command>delv</command>. The DLV key has been removed from
<filename>bind.keys</command>. Setting
<command>dnssec-lookaside</command> set to
<command>auto</command> or to use dlv.isc.org as a trust
anchor is now a fatal configuration error. [RT #46155]
</para>
</listitem>
<listitem>
<para>
The lightweight resolver daemon and library (<command>lwresd</command>

View file

@ -49,6 +49,11 @@
#include <bind9/check.h>
static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
static const dns_name_t dlviscorg =
DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets);
static isc_result_t
fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, isc_boolean_t writeable,
isc_log_t *logctxlogc);
@ -1174,9 +1179,17 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
* is missing, skip remaining tests
*/
if (cfg_obj_isvoid(anchor)) {
if (!strcasecmp(dlv, "no") ||
!strcasecmp(dlv, "auto"))
if (!strcasecmp(dlv, "no")) {
continue;
}
if (!strcasecmp(dlv, "auto")) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-lookaside 'auto' "
"is no longer supported");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
continue;
}
}
tresult = dns_name_fromstring(name, dlv, 0, NULL);
@ -1189,7 +1202,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (symtab != NULL) {
tresult = nameexist(obj, dlv, 1, symtab,
"dnssec-lookaside '%s': "
"already exists previous "
"already exists; previous "
"definition: %s:%u",
logctx, mctx);
if (tresult != ISC_R_SUCCESS &&
@ -1209,23 +1222,31 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
result = ISC_R_FAILURE;
}
if (!cfg_obj_isvoid(anchor)) {
dlv = cfg_obj_asstring(anchor);
tresult = check_name(dlv);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'",
dlv);
if (result == ISC_R_SUCCESS)
result = tresult;
}
} else {
if (cfg_obj_isvoid(anchor)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-lookaside requires "
"either 'auto' or 'no', or a "
"domain and trust anchor");
"dnssec-lookaside requires "
"either or 'no' or a "
"domain and trust anchor");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
continue;
}
dlv = cfg_obj_asstring(anchor);
tresult = dns_name_fromstring(name, dlv, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", dlv);
if (result == ISC_R_SUCCESS)
result = tresult;
continue;
}
if (dns_name_equal(&dlviscorg, name)) {
cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
"dlv.isc.org has been shut down");
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
continue;
}
}

View file

@ -278,10 +278,10 @@ isc_result_t
dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
const char *dlvname);
/*%<
* Specify a name to use for DNSSEC lookaside validation (e.g.,
* "dlv.isc.org"). If a trusted key has been added for that name,
* then DLV will be used during validation. If 'dlvname' is NULL,
* then DLV will no longer be used for this client.
* Specify a name to use for DNSSEC lookaside validation.
* If a trusted key has been added for that name, then DLV will be
* used during validation. If 'dlvname' is NULL, then DLV will no
* longer be used for this client.
*
* Requires:
*

View file

@ -1088,15 +1088,6 @@
./bin/tests/system/dlv/prereq.sh SH 2014,2016
./bin/tests/system/dlv/setup.sh SH 2004,2007,2009,2011,2012,2014,2016,2017
./bin/tests/system/dlv/tests.sh SH 2004,2007,2010,2011,2012,2016
./bin/tests/system/dlvauto/clean.sh SH 2011,2012,2014,2016
./bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in ZONE 2011,2016
./bin/tests/system/dlvauto/ns1/named.conf CONF-C 2011,2016
./bin/tests/system/dlvauto/ns1/root.db.in ZONE 2011,2016
./bin/tests/system/dlvauto/ns1/sign.sh SH 2011,2012,2014,2016,2017
./bin/tests/system/dlvauto/ns2/named.conf CONF-C 2011,2013,2016
./bin/tests/system/dlvauto/prereq.sh SH 2014,2016
./bin/tests/system/dlvauto/setup.sh SH 2011,2012,2014,2016,2017
./bin/tests/system/dlvauto/tests.sh SH 2011,2012,2014,2016
./bin/tests/system/dlz/.gitignore X 2012
./bin/tests/system/dlz/clean.sh SH 2010,2012,2014,2016
./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= TXT.BRIEF 2015,2016