Bug #10832
closedBind DNSSEC validation "deselected" not disabling DNSSEC validation
100%
Description
Bind global settings page, "Forwarder Configuration" - DNSSEC Validation setting.
Bug: The DNSSEC Validation tick-box has no effect, as PFSEnse has root zone keys, so "auto" behaviour is used whether ticked or not.
Explanation: Referencing docs: https://downloads.isc.org/isc/bind9/9.14.12/doc/arm/Bv9ARM.ch04.html#dnssec_config
- If DNSSEC-Validation tickbox is enabled, adds: "dnssec-validation yes;" (wrong as config is missing "trusted-keys" or "managed-keys" statement. )
- If DNSSEC-Validation tickbox is disabled, removes "dnssec-validation" clause altogether. (result: uses trust anchor for the DNS root zone automatically. Same effect as "yes" without trusted-keys/managed-keys)
Suggested fix:
- Change forwarder DNSSEC Validation tickbox to a drop-down selection of [yes|auto|no].
- Default value of "yes" which will result in the same default behaviour as before the change.
- Add a html URL outcall reference to the documentation link for explanation - as linked above.
I recognise the proposed default of "yes" appears to contradict the existing "unticked" - but according to docs (and testing) the actual default behaviour now is equivalent to "yes".
This proposed fix will still allow the operator to add trusted-keys/managed keys for a correctly configured "yes" setup, as well as enabling the "auto" and "no" behaviour without recourse to "advanced options".
[ or, simple fix, remove the tickbox altogether, as is all to easy to get this config setup wrong. ]
Temporary workaround - clear checkbox and add "dnssec-validation no;" in the advanced custom options section. Thank you for having this extra configuration feature!!!
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Dave Tickem over 4 years ago
Renato Botelho wrote:
PR has been merged. Thanks!
Updated to bind 9.14_8, which includes this fix - works as required.
Great fix - thanks!