diff --git a/CHANGES b/CHANGES index 268140e4b2..f5b288231c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,13 @@ +4749. [func] The ISC DLV service has been shut down, and all + DLV records have been removed from dlv.isc.org. + - Removed references to ISC DLV in documentation + - Removed DLV key from bind.keys + - No longer use ISC DLV by default in delv + - "dnssec-lookaside auto" and configuration of + "dnssec-lookaide" with dlv.isc.org as trust + anchor are both now fatal errors. + [RT #46155] + 4748. [cleanup] Sprintf to snprintf coversions. [RT #46132] 4747. [func] Synthesis of responses from DNSSEC-verified records. diff --git a/bin/delv/delv.c b/bin/delv/delv.c index 2560331143..57b3c491c2 100644 --- a/bin/delv/delv.c +++ b/bin/delv/delv.c @@ -574,7 +574,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { dns_fixedname_t fkeyname; dns_name_t *keyname; isc_result_t result; - isc_boolean_t match_root, match_dlv; + isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE; keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name")); CHECK(convert_name(&fkeyname, &keyname, keynamestr)); @@ -582,8 +582,10 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { if (!root_validation && !dlv_validation) return (ISC_R_SUCCESS); - match_root = dns_name_equal(keyname, anchor_name); - match_dlv = dns_name_equal(keyname, dlv_name); + if (anchor_name) + match_root = dns_name_equal(keyname, anchor_name); + if (dlv_name) + match_dlv = dns_name_equal(keyname, dlv_name); if (!match_root && !match_dlv) return (ISC_R_SUCCESS); 
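Review bot: In key_fromconfig (the delv.c hunk at -582), the new guards `if (anchor_name)` and `if (dlv_name)` test the pointers implicitly, while the guards this commit adds in setup_dnsseckeys are written with `!= NULL`. Writing them as `if (anchor_name != NULL)` and `if (dlv_name != NULL)` keeps the file consistent. A short comment above them, for example `/* either name may be unset now that no DLV anchor is built in */`, would also explain why the hunk at -574 has to initialise `match_root` and `match_dlv` to `ISC_FALSE`. key_fromconfig starts and continues outside these hunks.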
@@ -713,14 +715,10 @@ setup_dnsseckeys(dns_client_t *client) { fatal("out of memory"); } - if (dlv_anchor == NULL) { - dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org"); - if (dlv_anchor == NULL) - fatal("out of memory"); - } - - CHECK(convert_name(&afn, &anchor_name, trust_anchor)); - CHECK(convert_name(&dfn, &dlv_name, dlv_anchor)); + if (trust_anchor != NULL) + CHECK(convert_name(&afn, &anchor_name, trust_anchor)); + if (dlv_anchor != NULL) + CHECK(convert_name(&dfn, &dlv_name, dlv_anchor)); CHECK(cfg_parser_create(mctx, dns_lctx, &parser)); diff --git a/bin/delv/delv.docbook b/bin/delv/delv.docbook index e2af68474f..3d61823ce6 100644 --- a/bin/delv/delv.docbook +++ b/bin/delv/delv.docbook @@ -99,8 +99,7 @@ By default, responses are validated using built-in DNSSEC trust - anchors for the root zone (".") and for the ISC DNSSEC lookaside - validation zone ("dlv.isc.org"). Records returned by + anchor for the root zone ("."). Records returned by delv are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process @@ -202,14 +201,15 @@ Specifies a file from which to read DNSSEC trust anchors. The default is /etc/bind.keys, which is included with BIND 9 and contains - trust anchors for the root zone (".") and for the ISC - DNSSEC lookaside validation zone ("dlv.isc.org"). + one or more trust anchors for the root zone ("."). - Keys that do not match the root or DLV trust-anchor - names are ignored; these key names can be overridden - using the or - options. + Keys that do not match the root zone name are ignored. + An alternate key name can be specified using the + options. DNSSEC Lookaside + Validation can also be turned on by using the + to specify the name of a + zone containing DLV records. Note: When reading the trust anchor file, 
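Review bot: After the setup_dnsseckeys hunk at -713, `dlv_name` is left unset whenever no DLV anchor was supplied, which is a new state for that pointer, and nothing at the conversion site records it. A comment on the new guard such as `/* no built-in DLV anchor: dlv_name stays NULL unless one was given */` would tell maintainers that every reader of `dlv_name` must check it first. The guard added in key_fromconfig covers the one use visible in this diff; any other use in delv.c should be confirmed the same way. The `trust_anchor != NULL` test looks redundant if the block ending just above still assigns a default, which the context suggests but does not show. setup_dnsseckeys continues outside the hunk.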
@@ -639,11 +639,8 @@ Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor. - The default is to perform lookaside validation using - a trust anchor of "dlv.isc.org", for which there is a - built-in key. If specifying a different name, then - must be used to specify a file - containing the DLV key. + The option must also be used to specify + a file containing the DLV key. diff --git a/bin/named/config.c b/bin/named/config.c index 6e20b908a1..6a0075bd7e 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -127,9 +127,6 @@ options {\n\ trust-anchor-telemetry yes;\n\ # use-id-pool ;\n\ # use-ixfr ;\n\ -\n\ - /* DLV */\n\ - dnssec-lookaside . trust-anchor dlv.isc.org;\n\ \n\ /* view */\n\ allow-new-zones no;\n\ @@ -295,8 +292,8 @@ view \"_bind\" chaos {\n\ };\n\ " "#\n\ -# Default trusted key(s) for builtin DLV support\n\ -# (used if \"dnssec-lookaside auto;\" is set and\n\ +# Default trusted key(s), used if \n\ +# \"dnssec-validation auto;\" is set and\n\ # sysconfdir/bind.keys doesn't exist).\n\ #\n\ # BEGIN MANAGED KEYS\n" diff --git a/bin/named/server.c b/bin/named/server.c index 9a0ab4cc04..2d501d03b8 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -884,8 +884,7 @@ keyloaded(dns_view_t *view, const dns_name_t *name) { static isc_result_t configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *config, const cfg_obj_t *bindkeys, - isc_boolean_t auto_dlv, isc_boolean_t auto_root, - isc_mem_t *mctx) + isc_boolean_t auto_root, isc_mem_t *mctx) { isc_result_t result = ISC_R_SUCCESS; const cfg_obj_t *view_keys = NULL; 
@@ -944,65 +943,6 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 return (ISC_R_UNEXPECTED);
 }
 
- if (auto_dlv && view->rdclass == dns_rdataclass_in) {
- const cfg_obj_t *builtin_keys = NULL;
- const cfg_obj_t *builtin_managed_keys = NULL;
-
- /*
- * If bind.keys exists and is populated, it overrides
- * the managed-keys clause hard-coded in named_g_config.
- */
- if (bindkeys != NULL) {
- isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "obtaining DLV key for view %s "
- "from '%s'",
- view->name, named_g_server->bindkeysfile);
-
- (void)cfg_map_get(bindkeys, "trusted-keys",
- &builtin_keys);
- (void)cfg_map_get(bindkeys, "managed-keys",
- &builtin_managed_keys);
- if ((builtin_keys == NULL) &&
- (builtin_managed_keys == NULL))
- isc_log_write(named_g_lctx,
- DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER,
- ISC_LOG_WARNING,
- "dnssec-lookaside auto: "
- "WARNING: key for dlv.isc.org "
- "not found");
- }
-
- if ((builtin_keys == NULL) &&
- (builtin_managed_keys == NULL))
- {
- isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using built-in DLV key for view %s",
- view->name);
-
- (void)cfg_map_get(named_g_config, "trusted-keys",
- &builtin_keys);
- (void)cfg_map_get(named_g_config, "managed-keys",
- &builtin_managed_keys);
- }
-
- if (builtin_keys != NULL)
- CHECK(load_view_keys(builtin_keys, vconfig, view,
- ISC_FALSE, view->dlv, mctx));
- if (builtin_managed_keys != NULL)
- CHECK(load_view_keys(builtin_managed_keys, vconfig,
- view, ISC_TRUE, view->dlv, mctx));
- if (!keyloaded(view, view->dlv)) {
- isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "DLV key not loaded");
- result = ISC_R_FAILURE;
- goto cleanup;
- }
- }
-
 if (auto_root && view->rdclass == dns_rdataclass_in) {
 const cfg_obj_t *builtin_keys = NULL;
 const cfg_obj_t *builtin_managed_keys = NULL;
@@ -3692,7 +3632,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, const cfg_obj_t *disablelist = NULL; isc_stats_t *resstats = NULL; dns_stats_t *resquerystats = NULL; - isc_boolean_t auto_dlv = ISC_FALSE; isc_boolean_t auto_root = ISC_FALSE; named_cache_t *nsc; isc_boolean_t zero_no_soattl; @@ -4993,19 +4932,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, obj = NULL; result = named_config_get(optionmaps, "dnssec-lookaside", &obj); if (result == ISC_R_SUCCESS) { - /* If set to "auto", use the version from the defaults */ + /* "auto" is deprecated, log a warning if seen */ const char *dom; dlvobj = cfg_listelt_value(cfg_list_first(obj)); dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")); if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) { - /* If "no", skip; if "auto", use global default */ - if (!strcasecmp(dom, "no")) + /* If "no", skip; if "auto", log warning */ + if (!strcasecmp(dom, "no")) { + result = ISC_R_NOTFOUND; + } else if (!strcasecmp(dom, "auto")) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "WARNING: the DLV server at " + "'dlv.isc.org' is no longer " + "in service; dnssec-lookaside " + "ignored"); result = ISC_R_NOTFOUND; - else if (!strcasecmp(dom, "auto")) { - auto_dlv = ISC_TRUE; - obj = NULL; - result = cfg_map_get(named_g_defaults, - "dnssec-lookaside", &obj); } } } @@ -5015,6 +4956,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, dns_fixedname_t f; dns_fixedname_init(&f); + /* Also log a warning if manually configured to dlv.isc.org */ iscdlv = dns_fixedname_name(&f); CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL)); 
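Review bot: The new `auto` branch in configure_view (hunk at -4993) logs at `ISC_LOG_WARNING` and continues with lookaside disabled, but the CHANGES entry in this commit says `dnssec-lookaside auto` and a `dlv.isc.org` trust anchor are both now fatal errors. The same mismatch applies to the `dns_name_equal(dlv, iscdlv)` branch in the later hunk at -5028. If the rejection happens in the configuration checker, which is not among the hunks shown, these branches are only a fallback and should say so, e.g. `/* normally rejected by the config check; kept as a fallback */`, and the comment `"auto" is deprecated` should say removed rather than deprecated. Otherwise a server whose operator relied on DLV starts up validating less than was configured, with only a log line to show for it. The warning text is also repeated verbatim in both branches; one shared message constant would keep the two from drifting apart.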
@@ -5028,27 +4970,27 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, dlv = dns_fixedname_name(&view->dlv_fixed); CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj), DNS_NAME_DOWNCASE, NULL)); - view->dlv = dns_fixedname_name(&view->dlv_fixed); - - if (dns_name_equal(view->dlv, iscdlv)) { - if (auto_dlv) - obj = dlvobj; + if (dns_name_equal(dlv, iscdlv)) { cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, "WARNING: the DLV server at " - "'dlv.isc.org' is expected to " - "cease operation by the end " - "of January 2017"); + "'dlv.isc.org' is no longer " + "in service; dnssec-lookaside " + "ignored"); + view->dlv = NULL; + } else { + view->dlv = dlv; } } - } else + } else { view->dlv = NULL; + } /* * For now, there is only one kind of trusted keys, the * "security roots". */ CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys, - auto_dlv, auto_root, mctx)); + auto_root, mctx)); dns_resolver_resetmustbesecure(view->resolver); obj = NULL; result = named_config_get(maps, "dnssec-must-be-secure", &obj); @@ -7604,8 +7546,7 @@ load_configuration(const char *filename, named_server_t *server, /* * If bind.keys exists, load it. If "dnssec-validation auto" * is turned on, the root key found there will be used as a - * default trust anchor, and if "dnssec-lookaside auto" is - * turned on, then the DLV key found there will too. + * default trust anchor. */ obj = NULL; result = named_config_get(maps, "bindkeys-file", &obj); diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook index cce5dc3bb3..c143216229 100644 --- a/bin/python/dnssec-checkds.docbook +++ b/bin/python/dnssec-checkds.docbook @@ -87,9 +87,6 @@ Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone's parent. - For example, to check for DLV records for "example.com" - in ISC's DLV zone, use: - dnssec-checkds -l dlv.isc.org example.com 
diff --git a/bin/tests/system/checkconf/bad-dlv-auto.conf b/bin/tests/system/checkconf/bad-dlv-auto.conf new file mode 100644 index 0000000000..07379c9675 --- /dev/null +++ b/bin/tests/system/checkconf/bad-dlv-auto.conf @@ -0,0 +1,3 @@ +options { + dnssec-lookaside auto; +}; diff --git a/bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf b/bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf new file mode 100644 index 0000000000..07e606ab7e --- /dev/null +++ b/bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf @@ -0,0 +1,3 @@ +options { + dnssec-lookaside . trust-anchor dlv.isc.org; +}; diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3 index e66119307f..54d7dacb40 100644 --- a/bin/tests/system/checkconf/dnssec.3 +++ b/bin/tests/system/checkconf/dnssec.3 @@ -24,7 +24,7 @@ view view2 { view view3 { match-clients { none; }; - dnssec-lookaside auto; + dnssec-validation auto; }; view view4 { diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index f11032b10b..f68ffb9b2c 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -80,7 +80,6 @@ view "first" { type master; file "yyy"; }; - dnssec-lookaside auto; dnssec-validation auto; zone-statistics terse; }; @@ -111,7 +110,7 @@ view "second" { 1.2.3.4; }; }; - dnssec-lookaside "." trust-anchor "dlv.isc.org."; + dnssec-lookaside "." trust-anchor "example.org."; dnssec-validation auto; zone-statistics full; }; diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 5e05378321..61df6750d5 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in 
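Review bot: The two new bad-dlv-*.conf inputs cover only `auto` and the unquoted, non-dotted `dlv.isc.org`, whereas the line this commit replaces in good.conf used the quoted, fully qualified form `"dlv.isc.org."`. With good.conf now pointing at `example.org.`, none of the checkconf inputs shown exercises the trailing-dot or mixed-case spelling of the retired anchor. Adding a further `bad-` case containing `dnssec-lookaside "." trust-anchor "DLV.ISC.ORG.";` would confirm that the check compares DNS names rather than strings, so that a differently spelled entry cannot pass the checker. This assumes, as the CHANGES entry implies, that `bad-` files are expected to be rejected.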
@@ -71,7 +71,7 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update SUBDIRS="acl additional addzone allow_query autosign builtin cacheclean case catz chain checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@ - database digdelv dlv dlvauto dlz dlzexternal + database digdelv dlv dlz dlzexternal dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa emptyzones fetchlimit filter-aaaa formerr geoip glue gost inline integrity ixfr keepalive @KEYMGR@ legacy limits diff --git a/bin/tests/system/dlvauto/clean.sh b/bin/tests/system/dlvauto/clean.sh deleted file mode 100644 index e9577e1db9..0000000000 --- a/bin/tests/system/dlvauto/clean.sh +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -rm -f ns1/K* -rm -f ns1/*.signed -rm -f ns1/*.db -rm -f ns1/bind.keys -rm -f ns1/*.mkeys.jnl -rm -f ns1/*.mkeys -rm -f */named.run -rm -f */named.memstats -rm -f ns1/dsset-*. -rm -f ns2/*.mkeys -rm -f ns2/*.mkeys.jnl -rm -f dig.out.ns?.test* -rm -f ns2/named.secroots -rm -f ns*/named.lock diff --git a/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in b/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in deleted file mode 100644 index 942d08b6d9..0000000000 --- a/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in +++ /dev/null 
@@ -1,17 +0,0 @@ -; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. - -; $Id: dlv.isc.org.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $ - -$TTL 300 -@ IN SOA a.root-servers.nil. hostmaster.isc.org. ( - 2000042100 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 600 ; minimum - ) -@ NS a.root-servers.nil. diff --git a/bin/tests/system/dlvauto/ns1/named.conf b/bin/tests/system/dlvauto/ns1/named.conf deleted file mode 100644 index 9d5187a4ab..0000000000 --- a/bin/tests/system/dlvauto/ns1/named.conf +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - */ - -/* $Id: named.conf,v 1.2 2011/03/01 22:44:04 marka Exp $ */ - -// NS1 - -controls { /* empty */ }; - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - dnssec-enable yes; - dnssec-validation yes; -}; - -zone "." { - type master; - file "root.db"; -}; - -zone "dlv.isc.org" { - type master; - file "dlv.isc.org.db.signed"; -}; diff --git a/bin/tests/system/dlvauto/ns1/root.db.in b/bin/tests/system/dlvauto/ns1/root.db.in deleted file mode 100644 index 69759e09b9..0000000000 --- a/bin/tests/system/dlvauto/ns1/root.db.in +++ /dev/null 
@@ -1,20 +0,0 @@ -; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. - -; $Id: root.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $ - -$TTL 300 -. IN SOA gson.nominum.com. a.root.servers.nil. ( - 2000042100 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 600 ; minimum - ) -. NS a.root-servers.nil. -a.root-servers.nil. A 10.53.0.1 - -dlv.isc.org. NS a.root-servers.nil. diff --git a/bin/tests/system/dlvauto/ns1/sign.sh b/bin/tests/system/dlvauto/ns1/sign.sh deleted file mode 100644 index c597b3c8df..0000000000 --- a/bin/tests/system/dlvauto/ns1/sign.sh +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/bin/sh -e -# -# Copyright (C) 2011, 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh - -zone=dlv.isc.org -infile=dlv.isc.org.db.in -zonefile=dlv.isc.org.db - -dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` -cat $infile $dlvkey.key > $zonefile -$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null - -zone=. -infile=root.db.in -zonefile=root.db - -rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` -cat $infile $rootkey.key > $zonefile -$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null - -# Create bind.keys file for the use of the resolving server -echo "managed-keys {" > bind.keys -cat $dlvkey.key | grep -v '^; ' | $PERL -n -e ' -local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; -local $key = join("", @rest); -print <> bind.keys -cat $rootkey.key | grep -v '^; ' | $PERL -n -e ' -local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; -local $key = join("", @rest); -print <> bind.keys -echo "};" >> bind.keys diff --git a/bin/tests/system/dlvauto/ns2/named.conf b/bin/tests/system/dlvauto/ns2/named.conf deleted file mode 100644 index 4c05f74902..0000000000 --- a/bin/tests/system/dlvauto/ns2/named.conf +++ /dev/null 
@@ -1,53 +0,0 @@ -/* - * Copyright (C) 2011, 2013, 2016 Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - */ - -/* $Id: named.conf,v 1.3 2011/03/03 16:16:47 each Exp $ */ - -// NS2 - -controls { /* empty */ }; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - notify no; - dnssec-enable yes; - dnssec-validation yes; - bindkeys-file "../ns1/bind.keys"; - dnssec-lookaside "auto"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; -}; - -view "in" { - recursion yes; - zone "." { - type hint; - file "../../common/root.hint"; - }; -}; - -view "ch" ch { - match-clients { 127.0.0.1; }; -}; - -view "unused" { - match-clients { none; }; -}; diff --git a/bin/tests/system/dlvauto/prereq.sh b/bin/tests/system/dlvauto/prereq.sh deleted file mode 100644 index 0eacf1db84..0000000000 --- a/bin/tests/system/dlvauto/prereq.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -exec $SHELL ../testcrypto.sh diff --git a/bin/tests/system/dlvauto/setup.sh b/bin/tests/system/dlvauto/setup.sh deleted file mode 100644 index b912ce6057..0000000000 --- a/bin/tests/system/dlvauto/setup.sh +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/sh -e -# -# Copyright (C) 2011, 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -$SHELL clean.sh - -test -r $RANDFILE || $GENRANDOM 800 $RANDFILE - -cd ns1 && $SHELL sign.sh diff --git a/bin/tests/system/dlvauto/tests.sh b/bin/tests/system/dlvauto/tests.sh deleted file mode 100644 index 00f53ca46f..0000000000 --- a/bin/tests/system/dlvauto/tests.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" - -status=0 -n=1 - -echo "I:checking that a warning was logged about the ISC DLV service ($n)" -ret=0 -warnings=`grep "WARNING: the DLV server at 'dlv.isc.org'" ns2/named.run` -[ -z "$warnings" ] && ret=1 -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -# -# When this was initialy reported there was a REQUIRE failure on restarting. -# -n=`expr $n + 1` -echo "I:checking dnssec-lookaside "'"auto"'"; with views of multiple classes ($n)" -if [ -s ns2/named.pid ] -then - ret=0 - $PERL $SYSTEMTESTTOP/stop.pl . ns2 || ret=1 - sleep 1 - (cd ns2; $NAMED -g -d 100 -X named.lock -c named.conf >> named.run 2>&1 & ) - sleep 2 - $DIG $DIGOPTS soa . @10.53.0.2 > dig.out.ns2.test$n || ret=1 - grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo "I:failed"; fi - status=`expr $status + $ret` -else - echo "I:failed" - status=1 -fi - -n=`expr $n + 1` -echo "I:checking that only the DLV key was imported from bind.keys ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots 2>&1 | sed 's/^/I:ns2 /' -linecount=`grep "\./RSAMD5/.* ; managed" ns2/named.secroots | wc -l` -[ "$linecount" -eq 0 ] || ret=1 -linecount=`grep "dlv.isc.org/RSAMD5/.* ; managed" ns2/named.secroots | wc -l` -[ "$linecount" -eq 2 ] || ret=1 -linecount=`cat ns2/named.secroots | wc -l` -[ "$linecount" -eq 25 ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -echo "I:exit status: $status" -[ $status -eq 0 ] || exit 1 
diff --git a/bind.keys b/bind.keys index db22d4bc03..5e5a32ba9c 100644 --- a/bind.keys +++ b/bind.keys 
@@ -1,45 +1,26 @@ # The bind.keys file is used to override the built-in DNSSEC trust anchors -# which are included as part of BIND 9. As of the current release, the only -# trust anchors it contains are those for the DNS root zone ("."), and for -# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors -# for any other zones MUST be configured elsewhere; if they are configured -# here, they will not be recognized or used by named. +# which are included as part of BIND 9. The only trust anchors it contains +# are for the DNS root zone ("."). Trust anchors for any other zones MUST +# be configured elsewhere; if they are configured here, they will not be +# recognized or used by named. # # The built-in trust anchors are provided for convenience of configuration. # They are not activated within named.conf unless specifically switched on. -# To use the built-in root key, set "dnssec-validation auto;" in -# named.conf options. To use the built-in DLV key, set -# "dnssec-lookaside auto;". Without these options being set, -# the keys in this file are ignored. +# To use the built-in key, use "dnssec-validation auto;" in the +# named.conf options. Without this option being set, the keys in this +# file are ignored. # # This file is NOT expected to be user-configured. # -# These keys are current as of Feburary 2017. If any key fails to +# These keys are current as of October 2017. If any key fails to # initialize correctly, it may have expired. In that event you should # replace this file with a current version. The latest version of # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. +# +# See https://data.iana.org/root-anchors/root-anchors.xml +# for current trust anchor information for the root zone. managed-keys { - # ISC DLV: See https://www.isc.org/solutions/dlv for details. - # - # NOTE: The ISC DLV zone is being phased out as of February 2017; - # the key will remain in place but the zone will be otherwise empty. 
- # Configuring "dnssec-lookaside auto;" to activate this key is - # harmless, but is no longer useful and is not recommended. - dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 - brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ - 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 - ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk - Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM - QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt - TDN0YUuWrBNh"; - - # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml - # for current trust anchor information. - # - # These keys are activated by setting "dnssec-validation auto;" - # in named.conf. - # # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from @@ -52,7 +33,7 @@ managed-keys { Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; - # This key (20326) is to be published in the root zone in 2017. + # This key (20326) was published in the root zone in 2017. # Servers which were already using the old key (19036) should # roll seamlessly to this new one via RFC 5011 rollover. Servers # being set up for the first time can use the contents of this diff --git a/bind.keys.h b/bind.keys.h index 50d298cffc..0c4b4771c0 100644 --- a/bind.keys.h +++ b/bind.keys.h 
@@ -1,46 +1,27 @@ #define TRUSTED_KEYS "\ # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\ -# which are included as part of BIND 9. As of the current release, the only\n\ -# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\ -# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\ -# for any other zones MUST be configured elsewhere; if they are configured\n\ -# here, they will not be recognized or used by named.\n\ +# which are included as part of BIND 9. The only trust anchors it contains\n\ +# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\ +# be configured elsewhere; if they are configured here, they will not be\n\ +# recognized or used by named.\n\ #\n\ # The built-in trust anchors are provided for convenience of configuration.\n\ # They are not activated within named.conf unless specifically switched on.\n\ -# To use the built-in root key, set \"dnssec-validation auto;\" in\n\ -# named.conf options. To use the built-in DLV key, set\n\ -# \"dnssec-lookaside auto;\". Without these options being set,\n\ -# the keys in this file are ignored.\n\ +# To use the built-in key, use \"dnssec-validation auto;\" in the\n\ +# named.conf options. Without this option being set, the keys in this\n\ +# file are ignored.\n\ #\n\ # This file is NOT expected to be user-configured.\n\ #\n\ -# These keys are current as of Feburary 2017. If any key fails to\n\ +# These keys are current as of October 2017. If any key fails to\n\ # initialize correctly, it may have expired. In that event you should\n\ # replace this file with a current version. 
The latest version of\n\ # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ +#\n\ +# See https://data.iana.org/root-anchors/root-anchors.xml\n\ +# for current trust anchor information for the root zone.\n\ \n\ trusted-keys {\n\ - # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ - #\n\ - # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\ - # the key will remain in place but the zone will be otherwise empty.\n\ - # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\ - # harmless, but is no longer useful and is not recommended.\n\ - dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ - brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ - 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ - ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ - Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ - QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ - TDN0YUuWrBNh\";\n\ -\n\ - # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\ - # for current trust anchor information.\n\ - #\n\ - # These keys are activated by setting \"dnssec-validation auto;\"\n\ - # in named.conf.\n\ - #\n\ # This key (19036) is to be phased out starting in 2017. It will\n\ # remain in the root zone for some time after its successor key\n\ # has been added. It will remain this file until it is removed from\n\ @@ -53,7 +34,7 @@ trusted-keys {\n\ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ QxA+Uk1ihz0=\";\n\ \n\ - # This key (20326) is to be published in the root zone in 2017.\n\ + # This key (20326) was published in the root zone in 2017.\n\ # Servers which were already using the old key (19036) should\n\ # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\ # being set up for the first time can use the contents of this\n\ 
@@ -72,47 +53,28 @@ trusted-keys {\n\ #define MANAGED_KEYS "\ # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\ -# which are included as part of BIND 9. As of the current release, the only\n\ -# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\ -# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\ -# for any other zones MUST be configured elsewhere; if they are configured\n\ -# here, they will not be recognized or used by named.\n\ +# which are included as part of BIND 9. The only trust anchors it contains\n\ +# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\ +# be configured elsewhere; if they are configured here, they will not be\n\ +# recognized or used by named.\n\ #\n\ # The built-in trust anchors are provided for convenience of configuration.\n\ # They are not activated within named.conf unless specifically switched on.\n\ -# To use the built-in root key, set \"dnssec-validation auto;\" in\n\ -# named.conf options. To use the built-in DLV key, set\n\ -# \"dnssec-lookaside auto;\". Without these options being set,\n\ -# the keys in this file are ignored.\n\ +# To use the built-in key, use \"dnssec-validation auto;\" in the\n\ +# named.conf options. Without this option being set, the keys in this\n\ +# file are ignored.\n\ #\n\ # This file is NOT expected to be user-configured.\n\ #\n\ -# These keys are current as of Feburary 2017. If any key fails to\n\ +# These keys are current as of October 2017. If any key fails to\n\ # initialize correctly, it may have expired. In that event you should\n\ # replace this file with a current version. 
The latest version of\n\ # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ +#\n\ +# See https://data.iana.org/root-anchors/root-anchors.xml\n\ +# for current trust anchor information for the root zone.\n\ \n\ managed-keys {\n\ - # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ - #\n\ - # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\ - # the key will remain in place but the zone will be otherwise empty.\n\ - # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\ - # harmless, but is no longer useful and is not recommended.\n\ - dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ - brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ - 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ - ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ - Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ - QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ - TDN0YUuWrBNh\";\n\ -\n\ - # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\ - # for current trust anchor information.\n\ - #\n\ - # These keys are activated by setting \"dnssec-validation auto;\"\n\ - # in named.conf.\n\ - #\n\ # This key (19036) is to be phased out starting in 2017. It will\n\ # remain in the root zone for some time after its successor key\n\ # has been added. It will remain this file until it is removed from\n\ @@ -125,7 +87,7 @@ managed-keys {\n\ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ QxA+Uk1ihz0=\";\n\ \n\ - # This key (20326) is to be published in the root zone in 2017.\n\ + # This key (20326) was published in the root zone in 2017.\n\ # Servers which were already using the old key (19036) should\n\ # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\ # being set up for the first time can use the contents of this\n\ 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 0499e91b9c..0341d76f6d 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5183,9 +5183,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] The pathname of a file to override the built-in trusted keys provided by named. - See the discussion of dnssec-lookaside - and dnssec-validation for details. - If not specified, the default is + See the discussion of dnssec-validation + for details. If not specified, the default is /etc/bind.keys. @@ -5434,40 +5433,18 @@ options { record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted. - - If dnssec-lookaside is set to - auto, then built-in default - values for the DLV domain and trust anchor will be - used, along with a built-in key for validation. - If dnssec-lookaside is set to no, then dnssec-lookaside is not used. - The default DLV key is stored in the file - bind.keys; - named will load that key at - startup if dnssec-lookaside is set to - auto. A copy of the file is - installed along with BIND 9, and is - current as of the release date. If the DLV key expires, a - new copy of bind.keys can be downloaded - from https://www.isc.org/solutions/dlv/. - - - (To prevent problems if bind.keys is - not found, the current key is also compiled in to - named. Relying on this is not - recommended, however, as it requires named - to be recompiled with a new key when the DLV key expires.) - - - NOTE: named only loads certain specific - keys from bind.keys: those for the - DLV zone and for the DNS root zone. The file cannot be - used to store keys for other zones. + NOTE: The ISC-provided DLV service at + dlv.isc.org, has been shut down. + The dnssec-lookaside auto; + configuration option, which set named + up to use ISC DLV with minimal configuration, has + accordingly been removed. 
@@ -5484,7 +5461,7 @@ options { be accepted. The specified domain must be under a trusted-keys or managed-keys statement, or - dnssec-lookaside must be active. + dnssec-validation auto must be active. @@ -6605,9 +6582,8 @@ options { Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, - managed-keys, - dnssec-validation auto, or - dnssec-lookaside auto. + managed-keys, or + dnssec-validation auto. The query name used for these queries has the 
@@ -6909,16 +6885,44 @@ options { Note dnssec-enable also needs to be set to yes to be effective. If set to no, DNSSEC validation - is disabled. If set to auto, - DNSSEC validation is enabled, and a default - trust-anchor for the DNS root zone is used. If set to - yes, DNSSEC validation is enabled, - but a trust anchor must be manually configured using - a trusted-keys or - managed-keys statement. The default + is disabled. + + + If set to auto, DNSSEC validation + is enabled, and a default trust anchor for the DNS root + zone is used. If set to yes, + DNSSEC validation is enabled, but a trust anchor must be + manually configured using a trusted-keys + or managed-keys statement. The default is yes. + + The default root trust anchor is stored in the file + bind.keys. + named will load that key at + startup if dnssec-validation is + set to auto. A copy of the file is + installed along with BIND 9, and is current as of the + release date. If the root key expires, a new copy of + bind.keys can be downloaded + from https://www.isc.org/bind-keys. + + + To prevent problems if bind.keys is + not found, the current trust anchor is also compiled in + to named. Relying on this is not + recommended, however, as it requires named + to be recompiled with a new key when the root key expires.) + + + named only + loads the root key from bind.keys. + The file cannot be used to store keys for other zones. + The root key in bind.keys is ignored + if dnssec-validation auto is not in + use. + Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit 
@@ -11544,15 +11548,13 @@ example.com CNAME rpz-tcp-only. If the dnssec-validation option is set to auto, named will automatically initialize a managed key for the - root zone. Similarly, if the dnssec-lookaside - option is set to auto, - named will automatically initialize - a managed key for the zone dlv.isc.org. - (Note: The ISC DLV service is expected to cease operation by - the end of 2017.) In both cases, the key that is used to - initialize the key maintenance process is built into - named, and can be overridden from - bindkeys-file. + root zone. The key that is used to initialize the key + maintenance process is stored in bind.keys; + the location of this file can be overridden with the + bindkeys-file option. As a fallback + in the event no bind.keys can be + found, the initializing key is also compiled directly + into named. diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index b9be4c7bd7..93d912c1bb 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -421,6 +421,19 @@
Feature Changes + + + The ISC DNSSEC Lookaside Validation (DLV) service has been shut + down; all DLV records in the dlv.isc.org zone have been removed. + References to the service have been removed from BIND documentation. + Lookaside validation is no longer used by default by + delv. The DLV key has been removed from + bind.keys. Setting + dnssec-lookaside set to + auto or to use dlv.isc.org as a trust + anchor is now a fatal configuration error. [RT #46155] + + The lightweight resolver daemon and library (lwresd diff --git a/lib/bind9/check.c b/lib/bind9/check.c index a196c922bd..b50bc7aa56 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -49,6 +49,11 @@ #include +static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org"; +static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 }; +static const dns_name_t dlviscorg = + DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets); + static isc_result_t fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, isc_boolean_t writeable, isc_log_t *logctxlogc); @@ -1174,9 +1179,17 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, * is missing, skip remaining tests */ if (cfg_obj_isvoid(anchor)) { - if (!strcasecmp(dlv, "no") || - !strcasecmp(dlv, "auto")) + if (!strcasecmp(dlv, "no")) { continue; + } + if (!strcasecmp(dlv, "auto")) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "dnssec-lookaside 'auto' " + "is no longer supported"); + if (result == ISC_R_SUCCESS) + result = ISC_R_FAILURE; + continue; + } } tresult = dns_name_fromstring(name, dlv, 0, NULL); @@ -1189,7 +1202,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, if (symtab != NULL) { tresult = nameexist(obj, dlv, 1, symtab, "dnssec-lookaside '%s': " - "already exists previous " + "already exists; previous " "definition: %s:%u", logctx, mctx); if (tresult != ISC_R_SUCCESS && 
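Review bot: The `dlviscorg_ndata` / `dlviscorg_offsets` tables added at the top of lib/bind9/check.c have no comment tying the offsets to the label layout. An edit to one array without the other would change the name that the later `dns_name_equal(&dlviscorg, name)` test compares against, and the new fatal check for the retired trust anchor could presumably stop matching without any build error. I would add `/* Wire-format "dlv.isc.org."; the literal's terminating NUL is the root label at offset 12. */` above the three declarations. That makes it obvious why the table is `{ 0, 4, 8, 12 }` and why the string has no explicit trailing `\000`.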
@@ -1209,23 +1222,31 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, result = ISC_R_FAILURE; } - if (!cfg_obj_isvoid(anchor)) { - dlv = cfg_obj_asstring(anchor); - tresult = check_name(dlv); - if (tresult != ISC_R_SUCCESS) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "bad domain name '%s'", - dlv); - if (result == ISC_R_SUCCESS) - result = tresult; - } - } else { + if (cfg_obj_isvoid(anchor)) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "dnssec-lookaside requires " - "either 'auto' or 'no', or a " - "domain and trust anchor"); + "dnssec-lookaside requires " + "either or 'no' or a " + "domain and trust anchor"); if (result == ISC_R_SUCCESS) result = ISC_R_FAILURE; + continue; + } + + dlv = cfg_obj_asstring(anchor); + tresult = dns_name_fromstring(name, dlv, 0, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(anchor, logctx, ISC_LOG_ERROR, + "bad domain name '%s'", dlv); + if (result == ISC_R_SUCCESS) + result = tresult; + continue; + } + if (dns_name_equal(&dlviscorg, name)) { + cfg_obj_log(anchor, logctx, ISC_LOG_ERROR, + "dlv.isc.org has been shut down"); + if (result == ISC_R_SUCCESS) + result = ISC_R_FAILURE; + continue; } } diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h index 837b206b5a..61e6bc094d 100644 --- a/lib/dns/include/dns/client.h +++ b/lib/dns/include/dns/client.h @@ -278,10 +278,10 @@ isc_result_t dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass, const char *dlvname); /*%< - * Specify a name to use for DNSSEC lookaside validation (e.g., - * "dlv.isc.org"). If a trusted key has been added for that name, - * then DLV will be used during validation. If 'dlvname' is NULL, - * then DLV will no longer be used for this client. + * Specify a name to use for DNSSEC lookaside validation. + * If a trusted key has been added for that name, then DLV will be + * used during validation. If 'dlvname' is NULL, then DLV will no + * longer be used for this client. * * Requires: * 
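Review bot: The rewritten message in the `cfg_obj_isvoid(anchor)` branch now reads "dnssec-lookaside requires either or 'no' or a domain and trust anchor". A stray "or" was left behind when 'auto' was dropped from the text. The middle fragment should be `"either 'no' or a "`. This is the text an operator sees when the statement is rejected as a fatal configuration error, so it is worth getting exact. The loop in check_options that these `continue` statements belong to starts outside the hunk.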
diff --git a/util/copyrights b/util/copyrights
index ba470881d3..8b39f6c707 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1088,15 +1088,6 @@
 ./bin/tests/system/dlv/prereq.sh SH 2014,2016
 ./bin/tests/system/dlv/setup.sh SH 2004,2007,2009,2011,2012,2014,2016,2017
 ./bin/tests/system/dlv/tests.sh SH 2004,2007,2010,2011,2012,2016
-./bin/tests/system/dlvauto/clean.sh SH 2011,2012,2014,2016
-./bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in ZONE 2011,2016
-./bin/tests/system/dlvauto/ns1/named.conf CONF-C 2011,2016
-./bin/tests/system/dlvauto/ns1/root.db.in ZONE 2011,2016
-./bin/tests/system/dlvauto/ns1/sign.sh SH 2011,2012,2014,2016,2017
-./bin/tests/system/dlvauto/ns2/named.conf CONF-C 2011,2013,2016
-./bin/tests/system/dlvauto/prereq.sh SH 2014,2016
-./bin/tests/system/dlvauto/setup.sh SH 2011,2012,2014,2016,2017
-./bin/tests/system/dlvauto/tests.sh SH 2011,2012,2014,2016
 ./bin/tests/system/dlz/.gitignore X 2012
 ./bin/tests/system/dlz/clean.sh SH 2010,2012,2014,2016
 ./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= TXT.BRIEF 2015,2016