remove /etc/bind.keys

the built-in trust anchors in named and delv are sufficent for
validation. named still needs to be able to load trust anchors from
a bind.keys file for testing purposes, but it doesn't need to be
the default behavior.

we now only load trust anchors from a file if explicitly specified
via the "bindkeys-file" option in named or the "-a" command line
argument to delv. documentation has been cleaned up to remove references
to /etc/bind.keys.

Closes #3850.

Author: each

Makefile.am

@@ -12,11 +12,10 @@ CLEANFILES = bind.keys.h
 bind.keys.h: bind.keys Makefile
 	${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
 
-dist_sysconf_DATA = bind.keys
-
 .PHONY: doc
 
 EXTRA_DIST =			\
+	bind.keys		\
 	util/bindkeys.pl	\
 	contrib			\
 	CHANGES			\

Makefile.docs

@@ -14,7 +14,6 @@ LF = \n
 RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf``
 RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key``
 NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf``
-BIND_KEYS = .. |bind_keys| replace:: ``$(sysconfdir)/bind.keys``
 NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid``
 SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key``
 

bin/check/named-checkconf.rst

@@ -32,10 +32,11 @@ errors. If no file is specified,
 |named_conf| is read by default.
 
 Note: files that :iscman:`named` reads in separate parser contexts, such as
-``rndc.key`` and ``bind.keys``, are not automatically read by
-:program:`named-checkconf`. Configuration errors in these files may cause
-:iscman:`named` to fail to run, even if :program:`named-checkconf` was successful.
-However, :program:`named-checkconf` can be run on these files explicitly.
+``rndc.conf`` or ``rndc.key``, are not automatically read by
+:program:`named-checkconf`.  Configuration errors in these files may cause
+:iscman:`named` to fail to run, even if :program:`named-checkconf` was
+successful.  However, :program:`named-checkconf` can be run on these files
+explicitly.
 
 Options
 ~~~~~~~

bin/delv/delv.c

@@ -125,7 +125,7 @@ static dns_name_t *anchor_name = NULL;
 static dns_master_style_t *style = NULL;
 static dns_fixedname_t qfn;
 
-/* Default bind.keys contents */
+/* Default trust anchors */
 static char anchortext[] = TRUST_ANCHORS;
 
 /*
@@ -812,16 +812,11 @@ setup_dnsseckeys(dns_client_t *client) {
 	const cfg_obj_t *managed_keys = NULL;
 	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
-	const char *filename = anchorfile;
 
 	if (!root_validation) {
 		return (ISC_R_SUCCESS);
 	}
 
-	if (filename == NULL) {
-		filename = SYSCONFDIR "/bind.keys";
-	}
-
 	if (trust_anchor == NULL) {
 		trust_anchor = isc_mem_strdup(mctx, ".");
 	}
@@ -832,22 +827,17 @@ setup_dnsseckeys(dns_client_t *client) {
 
 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
 
-	if (access(filename, R_OK) != 0) {
-		if (anchorfile != NULL) {
+	if (anchorfile != NULL) {
+		if (access(anchorfile, R_OK) != 0) {
 			fatal("Unable to read key file '%s'", anchorfile);
 		}
-	} else {
-		result = cfg_parse_file(parser, filename, &cfg_type_bindkeys,
+
+		result = cfg_parse_file(parser, anchorfile, &cfg_type_bindkeys,
 					&bindkeys);
 		if (result != ISC_R_SUCCESS) {
-			if (anchorfile != NULL) {
-				fatal("Unable to load keys from '%s'",
-				      anchorfile);
-			}
+			fatal("Unable to load keys from '%s'", anchorfile);
 		}
-	}
-
-	if (bindkeys == NULL) {
+	} else {
 		isc_buffer_t b;
 
 		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);

bin/delv/delv.rst

@@ -102,20 +102,21 @@ Options
 
 .. option:: -a anchor-file
 
-   This option specifies a file from which to read DNSSEC trust anchors. The default
-   is |bind_keys|, which is included with BIND 9 and contains one
-   or more trust anchors for the root zone (".").
-
-   Keys that do not match the root zone name are ignored. An alternate
-   key name can be specified using the :option:`+root` option.
-
-   Note: When reading the trust anchor file, :program:`delv` treats ``trust-anchors``,
-   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
-   it is the *initial* key that is trusted; :rfc:`5011` key management is not
-   supported. :program:`delv` does not consult the managed-keys database maintained by
-   :iscman:`named`, which means that if either of the keys in |bind_keys| is
-   revoked and rolled over, |bind_keys| must be updated to
-   use DNSSEC validation in :program:`delv`.
+   This option specifies a file from which to read an alternate
+   DNSSEC root zone trust anchor.
+
+   By default, keys that do not match the root zone name (`.`) are
+   ignored. If an alternate key name is desired, it can be
+   specified using the :option:`+root` option.
+
+   Note: When reading trust anchors, :program:`delv` treats
+   ``trust-anchors``, ``initial-key``, and ``static-key`` identically. That
+   is, for a managed key, it is the *initial* key that is trusted;
+   :rfc:`5011` key management is not supported. :program:`delv` does not
+   consult the managed-keys database maintained by :iscman:`named`. This
+   means that if the default key built in to :program:`delv` is revoked,
+   :program:`delv` must be updated to a newer version in order to continue
+   validating.
 
 .. option:: -b address
 
@@ -354,8 +355,6 @@ assign values to options like the timeout interval. They have the form
 Files
 ~~~~~
 
-|bind_keys|
-
 ``/etc/resolv.conf``
 
 See Also

bin/named/config.c

@@ -49,7 +49,6 @@ static char defaultconf[] = "\
 options {\n\
 	answer-cookie true;\n\
 	automatic-interface-scan yes;\n\
-	bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
 #	blackhole {none;};\n\
 	cookie-algorithm siphash24;\n\
 #	directory <none>\n\

bin/named/include/named/globals.h

@@ -97,7 +97,7 @@ EXTERN unsigned int named_g_debuglevel	     INIT(0);
 EXTERN cfg_obj_t *named_g_config	   INIT(NULL);
 EXTERN const cfg_obj_t *named_g_defaults   INIT(NULL);
 EXTERN const char *named_g_conffile	   INIT(NAMED_SYSCONFDIR "/named.conf");
-EXTERN const char *named_g_defaultbindkeys INIT(NAMED_SYSCONFDIR "/bind.keys");
+EXTERN const char *named_g_defaultbindkeys INIT(NULL);
 EXTERN const char *named_g_keyfile	   INIT(NAMED_SYSCONFDIR "/rndc.key");
 
 EXTERN dns_tsigkey_t *named_g_sessionkey    INIT(NULL);

bin/named/main.c

@@ -667,7 +667,6 @@ printversion(bool verbose) {
 	printf("default paths:\n");
 	printf("  named configuration:  %s\n", named_g_conffile);
 	printf("  rndc configuration:   %s\n", rndcconf);
-	printf("  DNSSEC root key:      %s\n", named_g_defaultbindkeys);
 	printf("  nsupdate session key: %s\n", named_g_defaultsessionkeyfile);
 	printf("  named PID file:       %s\n", named_g_defaultpidfile);
 	printf("  named lock file:      %s\n", named_g_defaultlockfile);

bin/named/server.c

@@ -8510,45 +8510,45 @@ load_configuration(const char *filename, named_server_t *server,
 #endif
 
 	/*
-	 * If bind.keys exists, load it.  If "dnssec-validation auto"
-	 * is turned on, the root key found there will be used as a
-	 * default trust anchor.
+	 * If "dnssec-validation auto" is turned on, the root key
+	 * will be used as a default trust anchor. The root key
+	 * is built in, but if bindkeys-file is set, then it will
+	 * be overridden with the key in that file.
 	 */
 	obj = NULL;
-	result = named_config_get(maps, "bindkeys-file", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
-	INSIST(server->bindkeysfile != NULL);
-
-	if (access(server->bindkeysfile, R_OK) == 0) {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "reading built-in trust anchors "
-			      "from file '%s'",
-			      server->bindkeysfile);
-
-		result = cfg_parser_create(named_g_mctx, named_g_lctx,
-					   &bindkeys_parser);
-		if (result != ISC_R_SUCCESS) {
-			goto cleanup_config;
-		}
-
-		result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
-					&cfg_type_bindkeys, &bindkeys);
-		if (result != ISC_R_SUCCESS) {
+	(void)named_config_get(maps, "bindkeys-file", &obj);
+	if (obj != NULL) {
+		setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
+		INSIST(server->bindkeysfile != NULL);
+		if (access(server->bindkeysfile, R_OK) != 0) {
 			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "unable to parse '%s' error '%s'; using "
-				      "built-in keys instead",
-				      server->bindkeysfile,
-				      isc_result_totext(result));
+				      "unable to open '%s'; using built-in "
+				      "keys instead",
+				      server->bindkeysfile);
+		} else {
+			result = cfg_parser_create(named_g_mctx, named_g_lctx,
+						   &bindkeys_parser);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup_config;
+			}
+
+			result = cfg_parse_file(bindkeys_parser,
+						server->bindkeysfile,
+						&cfg_type_bindkeys, &bindkeys);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+					"unable to parse '%s' "
+					"error '%s'; using "
+					"built-in keys instead",
+					server->bindkeysfile,
+					isc_result_totext(result));
+			}
 		}
 	} else {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "unable to open '%s'; using built-in keys "
-			      "instead",
-			      server->bindkeysfile);
+		setstring(server, &server->bindkeysfile, NULL);
 	}
 
 	/*
@@ -10270,7 +10270,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
 	*server = (named_server_t){
 		.mctx = mctx,
 		.statsfile = isc_mem_strdup(mctx, "named.stats"),
-		.bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys),
 		.dumpfile = isc_mem_strdup(mctx, "named_dump.db"),
 		.secrootsfile = isc_mem_strdup(mctx, "named.secroots"),
 		.recfile = isc_mem_strdup(mctx, "named.recursing"),
@@ -10382,11 +10381,14 @@ named_server_destroy(named_server_t **serverp) {
 	}
 
 	isc_mem_free(server->mctx, server->statsfile);
-	isc_mem_free(server->mctx, server->bindkeysfile);
 	isc_mem_free(server->mctx, server->dumpfile);
 	isc_mem_free(server->mctx, server->secrootsfile);
 	isc_mem_free(server->mctx, server->recfile);
 
+	if (server->bindkeysfile != NULL) {
+		isc_mem_free(server->mctx, server->bindkeysfile);
+	}
+
 	if (server->version != NULL) {
 		isc_mem_free(server->mctx, server->version);
 	}

doc/arm/conf.py

@@ -184,7 +184,6 @@ def setup(app):
 .. |rndc_conf| replace:: ``/etc/rndc.conf``
 .. |rndc_key| replace:: ``/etc/rndc.key``
 .. |named_conf| replace:: ``/etc/named.conf``
-.. |bind_keys| replace:: ``/etc/bind.keys``
 .. |named_pid| replace:: ``/run/named.pid``
 .. |session_key| replace:: ``/run/session.key``
 """

doc/arm/reference.rst

@@ -1323,7 +1323,7 @@ default is used.
    found when performing a dynamic update of secure zones, if different
    than the current working directory. (Note that this option has no
    effect on the paths for files containing non-DNSSEC keys such as
-   ``bind.keys``, ``rndc.key``, or ``session.key``.)
+   ``rndc.key``, or ``session.key``.)
 
 .. namedconf:statement:: lmdb-mapsize
    :tags: server
@@ -1515,7 +1515,7 @@ default is used.
 
    This is the pathname of a file to override the built-in trusted keys provided
    by :iscman:`named`. See the discussion of :any:`dnssec-validation` for
-   details. If not specified, the default is |bind_keys|.
+   details. This is intended for server testing.
 
 .. namedconf:statement:: secroots-file
    :tags: dnssec
@@ -2609,32 +2609,19 @@ Boolean Options
    :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If
    there is no configured trust anchor, validation does not take place.
 
-   If set to ``no``, DNSSEC validation is disabled.
+   If set to ``no``, DNSSEC validation is disabled. (Note: the resolver
+   will still set the DO bit in outgoing queries indicating that it can
+   accept DNSSEC responses, even if :any:`dnssec-validation` is disabled.)
 
    The default is ``auto``, unless BIND is built with
    ``configure --disable-auto-validation``, in which case the default is
    ``yes``.
 
-   The default root trust anchor is stored in the file ``bind.keys``.
-   :iscman:`named` loads that key at startup if :any:`dnssec-validation` is
-   set to ``auto``. A copy of the file is installed along with BIND 9,
-   and is current as of the release date. If the root key expires, a new
-   copy of ``bind.keys`` can be downloaded from
-   https://www.isc.org/bind-keys.
-
-   (To prevent problems if ``bind.keys`` is not found, the current trust
-   anchor is also compiled in :iscman:`named`. Relying on this is not
-   recommended, however, as it requires :iscman:`named` to be recompiled with
-   a new key when the root key expires.)
-
-   .. note:: :iscman:`named` loads *only* the root key from ``bind.keys``. The file
-         cannot be used to store keys for other zones. The root key in
-         ``bind.keys`` is ignored if ``dnssec-validation auto`` is not in
-         use.
-
-         Whenever the resolver sends out queries to an EDNS-compliant
-         server, it always sets the DO bit indicating it can support DNSSEC
-         responses, even if :any:`dnssec-validation` is off.
+   The default root trust anchor is compiled into :iscman:`named` 
+   and is current as of the release date. If the root key changes, a
+   running BIND server will detect this and roll smoothly to the new
+   key, but newly-installed servers will be unable to start validation,
+   so BIND must be upgraded to a newer version.
 
 .. namedconf:statement:: validate-except
    :tags: dnssec
@@ -6164,10 +6151,11 @@ simply moves on. The key specified in the :any:`trust-anchors` statement is
 not used to validate answers; it is superseded by the key or keys stored
 in the managed-keys database.
 
-The next time :iscman:`named` runs after an ``initial-key`` or ``initial-ds`` has been *removed*
-from the :any:`trust-anchors` statement (or changed to a ``static-key`` or ``static-ds``), the
-corresponding zone is removed from the managed-keys database, and
-:rfc:`5011` key maintenance is no longer used for that domain.
+The next time :iscman:`named` runs after an ``initial-key`` or
+``initial-ds`` has been *removed* from the :any:`trust-anchors` statement
+(or changed to a ``static-key`` or ``static-ds``), the corresponding zone
+is removed from the managed-keys database, and :rfc:`5011` key maintenance
+is no longer used for that domain.
 
 In the current implementation, the managed-keys database is stored as a
 master-format zone file.
@@ -6189,12 +6177,12 @@ others, the working directory should be always be writable by
 :iscman:`named`.)
 
 If the :any:`dnssec-validation` option is set to ``auto``, :iscman:`named`
-automatically initializes an ``initial-key`` for the root zone. The key
-that is used to initialize the key-maintenance process is stored in
-``bind.keys``; the location of this file can be overridden with the
-:any:`bindkeys-file` option. As a fallback in the event no ``bind.keys``
-can be found, the initializing key is also compiled directly into
-:iscman:`named`.
+automatically sets up an ``initial-key`` for the root zone. This
+initializing key is built in to :iscman:`named`, and is current as of the
+release date.  When the root zone key changes, a running server will detect
+the change and roll to the new key, but newly-installed servers being run
+for the first time will need to be from a recent enough version of BIND to
+have been built with the current key.
 
 :any:`dnssec-policy` Block Grammar
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

doc/dnssec-guide/troubleshooting.rst

@@ -422,7 +422,6 @@ reload`` with the key files missing from the key directory:
 
    named[32516]: received control channel command 'reload'
    named[32516]: loading configuration from '/etc/bind/named.conf'
-   named[32516]: reading built-in trusted keys from file '/etc/bind/bind.keys'
    named[32516]: using default UDP/IPv4 port range: [1024, 65535]
    named[32516]: using default UDP/IPv6 port range: [1024, 65535]
    named[32516]: sizing zone task pool based on 6 zones