Project

General

Profile

Actions

Bug #10832

closed

Bind DNSSEC validation "deselected" not disabling DNSSEC validation

Added by Dave Tickem over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
BIND
Target version:
-
Start date:
08/13/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.4.5-p1
Affected Plus Version:
Affected Architecture:
All

Description

Bind global settings page, "Forwarder Configuration" - DNSSEC Validation setting.

Bug: The DNSSEC Validation tick-box has no effect, as PFSEnse has root zone keys, so "auto" behaviour is used whether ticked or not.

Explanation: Referencing docs: https://downloads.isc.org/isc/bind9/9.14.12/doc/arm/Bv9ARM.ch04.html#dnssec_config

  • If DNSSEC-Validation tickbox is enabled, adds: "dnssec-validation yes;" (wrong as config is missing "trusted-keys" or "managed-keys" statement. )
  • If DNSSEC-Validation tickbox is disabled, removes "dnssec-validation" clause altogether. (result: uses trust anchor for the DNS root zone automatically. Same effect as "yes" without trusted-keys/managed-keys)

Suggested fix:

  1. Change forwarder DNSSEC Validation tickbox to a drop-down selection of [yes|auto|no].
  2. Default value of "yes" which will result in the same default behaviour as before the change.
  3. Add a html URL outcall reference to the documentation link for explanation - as linked above.

I recognise the proposed default of "yes" appears to contradict the existing "unticked" - but according to docs (and testing) the actual default behaviour now is equivalent to "yes".

This proposed fix will still allow the operator to add trusted-keys/managed keys for a correctly configured "yes" setup, as well as enabling the "auto" and "no" behaviour without recourse to "advanced options".

[ or, simple fix, remove the tickbox altogether, as is all to easy to get this config setup wrong. ]

Temporary workaround - clear checkbox and add "dnssec-validation no;" in the advanced custom options section. Thank you for having this extra configuration feature!!!

Actions #2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #4

Updated by Dave Tickem over 4 years ago

Renato Botelho wrote:

PR has been merged. Thanks!

Updated to bind 9.14_8, which includes this fix - works as required.

Great fix - thanks!

Actions #5

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF