BIND DNSSEC validation mode. Implements #10832 #919
Merged
Bug: The DNSSEC Validation tick-box has no effect, as pfSense has root zone keys, so "auto" behaviour is used whether ticked or not.
Explanation: Referencing docs: https://downloads.isc.org/isc/bind9/9.14.12/doc/arm/Bv9ARM.ch04.html#dnssec_config
If DNSSEC-Validation tickbox is enabled, adds: "dnssec-validation yes;" (wrong, as config is missing "trusted-keys" or "managed-keys" statement.)
If DNSSEC-Validation tickbox is disabled, removes "dnssec-validation" clause altogether. (result: uses trust anchor for the DNS root zone automatically. Same effect as "yes" without trusted-keys/managed-keys)
Fix:
Change forwarder DNSSEC Validation tickbox to a drop-down selection of [yes|auto|no].
Default is 'Auto' (as current unchecked behavior)
https://downloads.isc.org/isc/bind9/9.14.12/doc/arm/Bv9ARM.ch04.html#dnssec_config:
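Added example, not part of the pull request or the pfSense code: a small Python check that classifies the `dnssec-validation` clause in a rendered named.conf and flags the two pre-fix outputs described above (explicit `yes` with no `trusted-keys`/`managed-keys`, and the clause missing altogether). The function names, status strings, sample configs and the `/etc/namedb` path are assumptions constructed for illustration.

```python
import re

# Statements that configure a trust anchor by hand (names taken from the PR text).
ANCHOR_STATEMENTS = ("trusted-keys", "managed-keys")

def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out clauses are not counted.
    Simplification: comment markers inside quoted strings are not handled."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def audit_dnssec_validation(conf: str) -> tuple:
    """Return (mode, status) for the dnssec-validation clause in named.conf text."""
    text = strip_comments(conf)
    match = re.search(r"(?<![\w-])dnssec-validation\s+(yes|no|auto)\s*;", text)
    mode = match.group(1) if match else None
    has_anchor = any(
        re.search(rf"(?<![\w-]){name}\s*\{{", text) for name in ANCHOR_STATEMENTS
    )
    if mode is None:
        return (None, "implicit-default")      # clause absent, named picks its default
    if mode == "yes" and not has_anchor:
        return ("yes", "yes-missing-anchor")   # the ticked-box output described above
    return (mode, "explicit")

# Constructed samples modelled on the cases in the description.
TICKED_OLD = """
options {
    directory "/etc/namedb";
    dnssec-validation yes;
};
"""
UNTICKED_OLD = """
options {
    directory "/etc/namedb";
    // dnssec-validation yes;
};
"""
FIXED_AUTO = """
options {
    directory "/etc/namedb";
    dnssec-validation auto;
};
"""

if __name__ == "__main__":
    for label, conf in [("ticked", TICKED_OLD), ("unticked", UNTICKED_OLD), ("auto", FIXED_AUTO)]:
        print(label, audit_dnssec_validation(conf))
```

Run against the generated config after each GUI change, the check shows whether the selected value actually reached named.conf.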