diff --git a/CHANGES b/CHANGES
index 409c21671b..0ffb200288 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
+ trust-anchor dlv.isc.org;' now elicit warnings rather
+ than being fatal configuration errors. [RT #46410]
+
 4800. [bug] When processing delzone, write one zone config per line to the NZF. [RT #46323]
@@ -200,7 +204,7 @@
 - Removed DLV key from bind.keys
 - No longer use ISC DLV by default in delv
 - "dnssec-lookaside auto" and configuration of
- "dnssec-lookaide" with dlv.isc.org as trust
+ "dnssec-lookaide" with dlv.isc.org as the trust
 anchor are both now fatal errors. [RT #46155]
diff --git a/bin/named/server.c b/bin/named/server.c
index cfdb0b1cbf..0757785f87 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4975,11 +4975,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 if (!strcasecmp(dom, "no")) {
 result = ISC_R_NOTFOUND;
 } else if (!strcasecmp(dom, "auto")) {
- cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
- "WARNING: the DLV server at "
- "'dlv.isc.org' is no longer "
- "in service; dnssec-lookaside "
- "ignored");
+ /*
+ * Warning logged by libbind9.
+ */
 result = ISC_R_NOTFOUND;
 }
 }
@@ -5005,11 +5003,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj), DNS_NAME_DOWNCASE, NULL));
 if (dns_name_equal(dlv, iscdlv)) {
- cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
- "WARNING: the DLV server at "
- "'dlv.isc.org' is no longer "
- "in service; dnssec-lookaside "
- "ignored");
+ /*
+ * Warning logged by libbind9.
+ */
 view->dlv = NULL;
 } else {
 view->dlv = dlv;
diff --git a/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf b/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf
new file mode 100644
index 0000000000..fdcd6eac02
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf
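Review bot: The replacement comment `Warning logged by libbind9.` in both configure_view hunks records a cross-module dependency without naming it: named now relies on the configuration-check pass in lib/bind9/check.c (check_options, visible in this commit's later hunks, presumably reached via bind9_check_namedconf at load time — confirm) to tell the operator that the directive is being dropped, and if that pass is skipped or its wording changes the setting disappears with nothing in named's log. I would make the producer greppable: `/* Warning logged by check_options() in lib/bind9/check.c. */`. The code on the new side still silently sets `result = ISC_R_NOTFOUND` in the first hunk and `view->dlv = NULL` in the second, so that one libbind9 log line is now the only operator-visible signal that lookaside validation is not in effect for the view. configure_view begins and ends outside both hunks.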
@@ -0,0 +1,11 @@
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+ dnssec-lookaside . trust-anchor dlv.example.com;
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index cb7c4dde2f..27303aefa3 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -327,5 +327,29 @@ diff good.zonelist checkconf.out$n > diff.out$n || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I: check that 'dnssec-lookaside auto;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "dnssec-lookaside 'auto' is no longer supported" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "dlv.isc.org has been shut down" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
+ret=0
+$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
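Review bot: The echo line of the third new check reads `doesn't generates a warning`; it should be `echo "I: check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generate a warning ($n)"`. In that same check the negative assertion `[ -s checkconf.out$n ] && ret=1` inspects only stdout, since stderr is discarded by `2>/dev/null`; that matches the two preceding checks, which grep the warning text out of the same stdout capture, but a one-line comment such as `# warnings are expected on stdout, as the two checks above assume` would keep this from becoming a vacuous pass if the message ever moves to stderr. The surrounding script continues outside the hunk.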
diff --git a/bin/tests/system/checkconf/bad-dlv-auto.conf b/bin/tests/system/checkconf/warn-dlv-auto.conf
similarity index 100%
rename from bin/tests/system/checkconf/bad-dlv-auto.conf
rename to bin/tests/system/checkconf/warn-dlv-auto.conf
diff --git a/bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf b/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
similarity index 100%
rename from bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf
rename to bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 296a0f574b..c9cb28e807 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -464,15 +464,15 @@
- The ISC DNSSEC Lookaside Validation (DLV) service has been shut
- down; all DLV records in the dlv.isc.org zone have been removed.
- References to the service have been removed from BIND documentation.
- Lookaside validation is no longer used by default by
- delv. The DLV key has been removed from
- bind.keys. Setting
- dnssec-lookaside to
+ The ISC DNSSEC Lookaside Validation (DLV) service has
+ been shut down; all DLV records in the dlv.isc.org zone
+ have been removed. References to the service have been
+ removed from BIND documentation. Lookaside validation
+ is no longer used by default by delv.
+ The DLV key has been removed from bind.keys.
+ Setting dnssec-lookaside to
 auto or to use dlv.isc.org as a trust
- anchor is now a fatal configuration error. [RT #46155]
+ anchor results in a warning being issued.
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index b50bc7aa56..214392cd9d 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1183,11 +1183,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 continue;
 }
 if (!strcasecmp(dlv, "auto")) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
 "dnssec-lookaside 'auto' "
 "is no longer supported");
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
 continue;
 }
 }
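Review bot: Downgrading to ISC_LOG_WARNING leaves out the fact an operator most needs to see: the named-side text removed from bin/named/server.c in this same commit said the setting was `ignored`, whereas the surviving libbind9 messages only say `'auto' is no longer supported` here and `dlv.isc.org has been shut down` in the -1242 hunk, so a warning-level line no longer states that lookaside validation is silently off for that view. Since these two lines are now the only signal, I would extend them to `"dnssec-lookaside 'auto' is no longer supported; it is ignored"` in this hunk and `"dlv.isc.org has been shut down; dnssec-lookaside ignored"` in the second, which keeps the prefixes that tests.sh greps for. Dropping the `result = ISC_R_FAILURE` assignments is the intended change and is consistent across both hunks. check_options begins and ends outside both hunks.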
@@ -1242,10 +1240,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 continue;
 }
 if (dns_name_equal(&dlviscorg, name)) {
- cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
+ cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
 "dlv.isc.org has been shut down");
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
 continue;
 }
 }