[master] de-DLV

4749. [func] The ISC DLV service has been shut down, and all DLV records have been removed from dlv.isc.org. - Removed references to ISC DLV in documentation - Removed DLV key from bind.keys - No longer use ISC DLV by default in delv [RT #46155]
isc-projects · Oct 3, 2017 · f293592 · f293592
1 parent a009d03
commit f293592
Show file tree

Hide file tree

Showing 27 changed files with 207 additions and 569 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,13 @@
+4749.	[func]		The ISC DLV service has been shut down, and all
+			DLV records have been removed from dlv.isc.org.
+			- Removed references to ISC DLV in documentation
+			- Removed DLV key from bind.keys
+			- No longer use ISC DLV by default in delv
+			- "dnssec-lookaside auto" and configuration of
+			  "dnssec-lookaide" with dlv.isc.org as trust
+			  anchor are both now fatal errors.
+			[RT #46155]
+
 4748.	[cleanup]	Sprintf to snprintf coversions. [RT #46132]
 
 4747.	[func]		Synthesis of responses from DNSSEC-verified records.

diff --git a/bin/delv/delv.c b/bin/delv/delv.c
@@ -574,16 +574,18 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 	dns_fixedname_t fkeyname;
 	dns_name_t *keyname;
 	isc_result_t result;
-	isc_boolean_t match_root, match_dlv;
+	isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;
 
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
 
 	if (!root_validation && !dlv_validation)
 		return (ISC_R_SUCCESS);
 
-	match_root = dns_name_equal(keyname, anchor_name);
-	match_dlv = dns_name_equal(keyname, dlv_name);
+	if (anchor_name)
+		match_root = dns_name_equal(keyname, anchor_name);
+	if (dlv_name)
+		match_dlv = dns_name_equal(keyname, dlv_name);
 
 	if (!match_root && !match_dlv)
 		return (ISC_R_SUCCESS);
@@ -713,14 +715,10 @@ setup_dnsseckeys(dns_client_t *client) {
 			fatal("out of memory");
 	}
 
-	if (dlv_anchor == NULL) {
-		dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org");
-		if (dlv_anchor == NULL)
-			fatal("out of memory");
-	}
-
-	CHECK(convert_name(&afn, &anchor_name, trust_anchor));
-	CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
+	if (trust_anchor != NULL)
+		CHECK(convert_name(&afn, &anchor_name, trust_anchor));
+	if (dlv_anchor != NULL)
+		CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
 
 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
 

diff --git a/bin/delv/delv.docbook b/bin/delv/delv.docbook
@@ -99,8 +99,7 @@
     </para>
     <para>
       By default, responses are validated using built-in DNSSEC trust
-      anchors for the root zone (".") and for the ISC DNSSEC lookaside
-      validation zone ("dlv.isc.org").  Records returned by
+      anchor for the root zone (".").  Records returned by
       <command>delv</command> are either fully validated or
       were not signed.  If validation fails, an explanation of
       the failure is included in the output; the validation process
@@ -202,14 +201,15 @@
 	    Specifies a file from which to read DNSSEC trust anchors.
 	    The default is <filename>/etc/bind.keys</filename>, which
 	    is included with <acronym>BIND</acronym> 9 and contains
-	    trust anchors for the root zone (".") and for the ISC
-	    DNSSEC lookaside validation zone ("dlv.isc.org").
+	    one or more trust anchors for the root zone (".").
 	  </para>
 	  <para>
-	    Keys that do not match the root or DLV trust-anchor
-	    names are ignored; these key names can be overridden
-	    using the <option>+dlv=NAME</option> or
-	    <option>+root=NAME</option> options.
+	    Keys that do not match the root zone name are ignored.
+            An alternate key name can be specified using the
+	    <option>+root=NAME</option> options. DNSSEC Lookaside
+            Validation can also be turned on by using the 
+	    <option>+dlv=NAME</option> to specify the name of a
+            zone containing DLV records.
 	  </para>
 	  <para>
 	    Note: When reading the trust anchor file,
@@ -639,11 +639,8 @@
 	    <para>
 	      Indicates whether to perform DNSSEC lookaside validation,
 	      and if so, specifies the name of the DLV trust anchor.
-	      The default is to perform lookaside validation using
-	      a trust anchor of "dlv.isc.org", for which there is a
-	      built-in key.  If specifying a different name, then
-	      <option>-a</option> must be used to specify a file
-	      containing the DLV key.
+	      The <option>-a</option> option must also be used to specify
+              a file containing the DLV key.
 	    </para>
 	  </listitem>
 	</varlistentry>

diff --git a/bin/named/config.c b/bin/named/config.c
@@ -127,9 +127,6 @@ options {\n\
 	trust-anchor-telemetry yes;\n\
 #	use-id-pool <obsolete>;\n\
 #	use-ixfr <obsolete>;\n\
-\n\
-	/* DLV */\n\
-	dnssec-lookaside . trust-anchor dlv.isc.org;\n\
 \n\
 	/* view */\n\
 	allow-new-zones no;\n\
@@ -295,8 +292,8 @@ view \"_bind\" chaos {\n\
 };\n\
 "
 "#\n\
-#  Default trusted key(s) for builtin DLV support\n\
-#  (used if \"dnssec-lookaside auto;\" is set and\n\
+#  Default trusted key(s), used if \n\
+# \"dnssec-validation auto;\" is set and\n\
 #  sysconfdir/bind.keys doesn't exist).\n\
 #\n\
 # BEGIN MANAGED KEYS\n"

diff --git a/bin/named/server.c b/bin/named/server.c
@@ -884,8 +884,7 @@ keyloaded(dns_view_t *view, const dns_name_t *name) {
 static isc_result_t
 configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
-			  isc_boolean_t auto_dlv, isc_boolean_t auto_root,
-			  isc_mem_t *mctx)
+			  isc_boolean_t auto_root, isc_mem_t *mctx)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	const cfg_obj_t *view_keys = NULL;
@@ -944,65 +943,6 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 		return (ISC_R_UNEXPECTED);
 	}
 
-	if (auto_dlv && view->rdclass == dns_rdataclass_in) {
-		const cfg_obj_t *builtin_keys = NULL;
-		const cfg_obj_t *builtin_managed_keys = NULL;
-
-		/*
-		 * If bind.keys exists and is populated, it overrides
-		 * the managed-keys clause hard-coded in named_g_config.
-		 */
-		if (bindkeys != NULL) {
-			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
-				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "obtaining DLV key for view %s "
-				      "from '%s'",
-				      view->name, named_g_server->bindkeysfile);
-
-			(void)cfg_map_get(bindkeys, "trusted-keys",
-					  &builtin_keys);
-			(void)cfg_map_get(bindkeys, "managed-keys",
-					  &builtin_managed_keys);
-			if ((builtin_keys == NULL) &&
-			    (builtin_managed_keys == NULL))
-				isc_log_write(named_g_lctx,
-					      DNS_LOGCATEGORY_SECURITY,
-					      NAMED_LOGMODULE_SERVER,
-					      ISC_LOG_WARNING,
-					      "dnssec-lookaside auto: "
-					      "WARNING: key for dlv.isc.org "
-					      "not found");
-		}
-
-		if ((builtin_keys == NULL) &&
-		    (builtin_managed_keys == NULL))
-		{
-			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
-				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "using built-in DLV key for view %s",
-				      view->name);
-
-			(void)cfg_map_get(named_g_config, "trusted-keys",
-					  &builtin_keys);
-			(void)cfg_map_get(named_g_config, "managed-keys",
-					  &builtin_managed_keys);
-		}
-
-		if (builtin_keys != NULL)
-			CHECK(load_view_keys(builtin_keys, vconfig, view,
-					     ISC_FALSE, view->dlv, mctx));
-		if (builtin_managed_keys != NULL)
-			CHECK(load_view_keys(builtin_managed_keys, vconfig,
-					     view, ISC_TRUE, view->dlv, mctx));
-		if (!keyloaded(view, view->dlv)) {
-			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
-				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "DLV key not loaded");
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
-	}
-
 	if (auto_root && view->rdclass == dns_rdataclass_in) {
 		const cfg_obj_t *builtin_keys = NULL;
 		const cfg_obj_t *builtin_managed_keys = NULL;
@@ -3692,7 +3632,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	const cfg_obj_t *disablelist = NULL;
 	isc_stats_t *resstats = NULL;
 	dns_stats_t *resquerystats = NULL;
-	isc_boolean_t auto_dlv = ISC_FALSE;
 	isc_boolean_t auto_root = ISC_FALSE;
 	named_cache_t *nsc;
 	isc_boolean_t zero_no_soattl;
@@ -4993,19 +4932,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	obj = NULL;
 	result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {
-		/* If set to "auto", use the version from the defaults */
+		/* "auto" is deprecated, log a warning if seen */
 		const char *dom;
 		dlvobj = cfg_listelt_value(cfg_list_first(obj));
 		dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
 		if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
-			/* If "no", skip; if "auto", use global default */
-			if (!strcasecmp(dom, "no"))
+			/* If "no", skip; if "auto", log warning */
+			if (!strcasecmp(dom, "no")) {
+				result = ISC_R_NOTFOUND;
+			} else if (!strcasecmp(dom, "auto")) {
+				cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+					    "WARNING: the DLV server at "
+					    "'dlv.isc.org' is no longer "
+					    "in service; dnssec-lookaside "
+					    "ignored");
 				result = ISC_R_NOTFOUND;
-			else if (!strcasecmp(dom, "auto")) {
-				auto_dlv = ISC_TRUE;
-				obj = NULL;
-				result = cfg_map_get(named_g_defaults,
-						     "dnssec-lookaside", &obj);
 			}
 		}
 	}
@@ -5015,6 +4956,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 		dns_fixedname_t f;
 		dns_fixedname_init(&f);
 
+		/* Also log a warning if manually configured to dlv.isc.org */
 		iscdlv = dns_fixedname_name(&f);
 		CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
 
@@ -5028,27 +4970,27 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 			dlv = dns_fixedname_name(&view->dlv_fixed);
 			CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
 						  DNS_NAME_DOWNCASE, NULL));
-			view->dlv = dns_fixedname_name(&view->dlv_fixed);
-
-			if (dns_name_equal(view->dlv, iscdlv)) {
-				if (auto_dlv)
-					obj = dlvobj;
+			if (dns_name_equal(dlv, iscdlv)) {
 				cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
 					    "WARNING: the DLV server at "
-					    "'dlv.isc.org' is expected to "
-					    "cease operation by the end "
-					    "of January 2017");
+					    "'dlv.isc.org' is no longer "
+					    "in service; dnssec-lookaside "
+					    "ignored");
+				view->dlv = NULL;
+			} else {
+				view->dlv = dlv;
 			}
 		}
-	} else
+	} else {
 		view->dlv = NULL;
+	}
 
 	/*
 	 * For now, there is only one kind of trusted keys, the
 	 * "security roots".
 	 */
 	CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
-					auto_dlv, auto_root, mctx));
+					auto_root, mctx));
 	dns_resolver_resetmustbesecure(view->resolver);
 	obj = NULL;
 	result = named_config_get(maps, "dnssec-must-be-secure", &obj);
@@ -7604,8 +7546,7 @@ load_configuration(const char *filename, named_server_t *server,
 	/*
 	 * If bind.keys exists, load it.  If "dnssec-validation auto"
 	 * is turned on, the root key found there will be used as a
-	 * default trust anchor, and if "dnssec-lookaside auto" is
-	 * turned on, then the DLV key found there will too.
+	 * default trust anchor.
 	 */
 	obj = NULL;
 	result = named_config_get(maps, "bindkeys-file", &obj);

diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook
@@ -87,9 +87,6 @@
           <para>
             Check for a DLV record in the specified lookaside domain,
             instead of checking for a DS record in the zone's parent.
-            For example, to check for DLV records for "example.com"
-            in ISC's DLV zone, use:
-            <command>dnssec-checkds -l dlv.isc.org example.com</command>
           </para>
         </listitem>
       </varlistentry>

diff --git a/bin/tests/system/checkconf/bad-dlv-auto.conf b/bin/tests/system/checkconf/bad-dlv-auto.conf
@@ -0,0 +1,3 @@
+options {
+	dnssec-lookaside auto;
+};
diff --git a/bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf b/bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf
@@ -0,0 +1,3 @@
+options {
+	dnssec-lookaside . trust-anchor dlv.isc.org;
+};
diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
@@ -24,7 +24,7 @@ view view2 {
 
 view view3 {
 	match-clients { none; };
-	dnssec-lookaside auto;
+	dnssec-validation auto;
 };
 
 view view4 {

diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
@@ -80,7 +80,6 @@ view "first" {
 		type master;
 		file "yyy";
 	};
-	dnssec-lookaside auto;
 	dnssec-validation auto;
 	zone-statistics terse;
 };
@@ -111,7 +110,7 @@ view "second" {
 			1.2.3.4;
 		};
 	};
-	dnssec-lookaside "." trust-anchor "dlv.isc.org.";
+	dnssec-lookaside "." trust-anchor "example.org.";
 	dnssec-validation auto;
 	zone-statistics full;
 };

diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
@@ -71,7 +71,7 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update
 SUBDIRS="acl additional addzone allow_query autosign builtin
 	 cacheclean case catz chain
          checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
-         database digdelv dlv dlvauto dlz dlzexternal
+         database digdelv dlv dlz dlzexternal
 	 dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
 	 emptyzones fetchlimit filter-aaaa formerr geoip glue gost
 	 inline integrity ixfr keepalive @KEYMGR@ legacy limits

diff --git a/bin/tests/system/dlvauto/clean.sh b/bin/tests/system/dlvauto/clean.sh
diff --git a/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in b/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in