Merge branch '4373-dnssec-validation-yes-should-fail-without-trust-anchors' into 'main'

'dnssec-validation yes' should fail when no trust anchors are configured Closes #4373 See merge request isc-projects/bind9!8575
2024-02-02 19:55:00 +00:00
parent 308ed1a1ea 85f966a8f6
commit 87942ee0b4
117 changed files with 348 additions and 9 deletions
--- a/5
+++ b/5
@@ -1,3 +1,8 @@
+6335.	[func]		The 'dnssec-validation yes' option now requires an
+			explicitly configured 'trust-anchors' statement (or
+			'managed-keys' or 'trusted-keys' statements, both
+			deprecated). [GL #4373]
+
 6334.	[doc]		Improve ARM parental-agents definition. [GL #4531]

 6333.	[bug]		Fix the DNS_GETDB_STALEFIRST flag, which was defined
--- a/bin/tests/system/additional/ns3/named.conf.in
+++ b/bin/tests/system/additional/ns3/named.conf.in
@@ -26,6 +26,8 @@ options {
 	minimal-responses no;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hint";
--- a/bin/tests/system/cacheclean/ns2/named.conf.in
+++ b/bin/tests/system/cacheclean/ns2/named.conf.in
@@ -25,6 +25,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/chain/ns1/named.conf.in
+++ b/bin/tests/system/chain/ns1/named.conf.in
@@ -24,4 +24,6 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 zone "." { type primary; file "root.db"; };
--- a/bin/tests/system/chain/ns7/named.conf.in
+++ b/bin/tests/system/chain/ns7/named.conf.in
@@ -30,6 +30,8 @@ options {
 	};
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/checkconf/bad-no-trusted-key.conf
+++ b/bin/tests/system/checkconf/bad-no-trusted-key.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
--- a/bin/tests/system/checkconf/good-empty-trust-anchors.conf
+++ b/bin/tests/system/checkconf/good-empty-trust-anchors.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {};
--- a/bin/tests/system/checkconf/good-empty-trusted-keys.conf
+++ b/bin/tests/system/checkconf/good-empty-trusted-keys.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trusted-keys {};
--- a/bin/tests/system/checkconf/good-nonempty-trust-anchors.conf
+++ b/bin/tests/system/checkconf/good-nonempty-trust-anchors.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {
+    example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
--- a/bin/tests/system/checkconf/good-nonempty-trusted-keys.conf
+++ b/bin/tests/system/checkconf/good-nonempty-trusted-keys.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trusted-keys {
+	example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+};
--- a/bin/tests/system/checknames/ns2/named.conf.in
+++ b/bin/tests/system/checknames/ns2/named.conf.in
@@ -25,6 +25,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hints";
--- a/bin/tests/system/checknames/ns3/named.conf.in
+++ b/bin/tests/system/checknames/ns3/named.conf.in
@@ -25,6 +25,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hints";
--- a/bin/tests/system/checknames/ns4/named.conf.in
+++ b/bin/tests/system/checknames/ns4/named.conf.in
@@ -26,6 +26,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hints";
--- a/bin/tests/system/checknames/ns5/named.conf.in
+++ b/bin/tests/system/checknames/ns5/named.conf.in
@@ -26,6 +26,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hints";
--- a/bin/tests/system/cipher-suites/ns1/named.conf.in
+++ b/bin/tests/system/cipher-suites/ns1/named.conf.in
@@ -69,6 +69,8 @@ options {
 	transfers-out 100;
 };

+trust-anchors { };
+
 zone "." {
 	type primary;
 	file "root.db";
--- a/bin/tests/system/cipher-suites/ns2/named.conf.in
+++ b/bin/tests/system/cipher-suites/ns2/named.conf.in
@@ -39,6 +39,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/cipher-suites/ns3/named.conf.in
+++ b/bin/tests/system/cipher-suites/ns3/named.conf.in
@@ -39,6 +39,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/cipher-suites/ns4/named.conf.in
+++ b/bin/tests/system/cipher-suites/ns4/named.conf.in
@@ -39,6 +39,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/cipher-suites/ns5/named.conf.in
+++ b/bin/tests/system/cipher-suites/ns5/named.conf.in
@@ -39,6 +39,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/cookie/ns1/named.conf.in
+++ b/bin/tests/system/cookie/ns1/named.conf.in
@@ -49,6 +49,8 @@ options {
 	nocookie-udp-size 512;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hint";
--- a/bin/tests/system/cookie/ns3/named.conf.in
+++ b/bin/tests/system/cookie/ns3/named.conf.in
@@ -41,6 +41,8 @@ options {
 	require-server-cookie yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hint";
--- a/bin/tests/system/cookie/ns4/named.conf.in
+++ b/bin/tests/system/cookie/ns4/named.conf.in
@@ -35,6 +35,8 @@ options {
 	require-server-cookie yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hint";
--- a/bin/tests/system/cookie/ns5/named.conf.in
+++ b/bin/tests/system/cookie/ns5/named.conf.in
@@ -36,6 +36,8 @@ options {
 	require-server-cookie yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hint";
--- a/bin/tests/system/cookie/ns6/named.conf.in
+++ b/bin/tests/system/cookie/ns6/named.conf.in
@@ -35,6 +35,8 @@ options {
 	require-server-cookie yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.hint";
--- a/bin/tests/system/cookie/ns8/named.conf.in
+++ b/bin/tests/system/cookie/ns8/named.conf.in
@@ -33,6 +33,8 @@ options {
 	require-server-cookie yes;
 };

+trust-anchors { };
+
 server 10.53.0.7 { require-cookie yes; };

 zone "example" {
--- a/bin/tests/system/database/ns1/named1.conf.in
+++ b/bin/tests/system/database/ns1/named1.conf.in
@@ -35,6 +35,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "database" {
 	type primary;
 	database "_builtin empty localhost. hostmaster.isc.org.";
--- a/bin/tests/system/database/ns1/named2.conf.in
+++ b/bin/tests/system/database/ns1/named2.conf.in
@@ -35,6 +35,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "database" {
 	type primary;
 	database "_builtin empty localhost. marka.isc.org.";
--- a/bin/tests/system/dns64/ns1/named.conf1.in
+++ b/bin/tests/system/dns64/ns1/named.conf1.in
@@ -42,6 +42,8 @@ options {
 	};
 };

+trust-anchors { };
+
 zone "." {
 	type primary;
 	file "root.db";
--- a/bin/tests/system/dns64/ns1/named.conf2.in
+++ b/bin/tests/system/dns64/ns1/named.conf2.in
@@ -45,6 +45,8 @@ options {
 	};
 };

+trust-anchors { };
+
 zone "." {
 	type primary;
 	file "root.db";
--- a/bin/tests/system/dns64/ns1/named.conf3.in
+++ b/bin/tests/system/dns64/ns1/named.conf3.in
@@ -34,6 +34,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type primary;
 	file "root.db";
--- a/bin/tests/system/dns64/ns2/named.conf.in
+++ b/bin/tests/system/dns64/ns2/named.conf.in
@@ -60,6 +60,8 @@ options {
 	response-policy { zone "rpz"; };
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/dns64/ns3/named.conf.in
+++ b/bin/tests/system/dns64/ns3/named.conf.in
@@ -40,6 +40,8 @@ options {
 	};
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "hints";
--- a/bin/tests/system/dns64/ns4/named.conf.in
+++ b/bin/tests/system/dns64/ns4/named.conf.in
@@ -30,6 +30,8 @@ options {
 	recursion no;
 };

+trust-anchors { };
+
 zone "." {
 	type master;
 	file "root.db";
--- a/bin/tests/system/dnstap/ns1/named.conf.in
+++ b/bin/tests/system/dnstap/ns1/named.conf.in
@@ -32,6 +32,8 @@ options {
 	qname-minimization disabled;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/dnstap/ns2/named.conf.in
+++ b/bin/tests/system/dnstap/ns2/named.conf.in
@@ -32,6 +32,8 @@ options {
 	qname-minimization disabled;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/dnstap/ns3/named.conf.in
+++ b/bin/tests/system/dnstap/ns3/named.conf.in
@@ -33,6 +33,8 @@ options {
 	qname-minimization disabled;
 };

+trust-anchors { };
+
 server 10.53.0.1 { tcp-only yes; };

 key rndc_key {
--- a/bin/tests/system/dnstap/ns4/named.conf.in
+++ b/bin/tests/system/dnstap/ns4/named.conf.in
@@ -32,6 +32,8 @@ options {
 	qname-minimization disabled;
 };

+trust-anchors { };
+
 server 10.53.0.1 { tcp-only yes; };

 key rndc_key {
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -100,6 +100,8 @@ options {
 	transfers-out 100;
 };

+trust-anchors { };
+
 zone "." {
 	type primary;
 	file "root.db";
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
@@ -53,6 +53,8 @@ options {
 	transfers-out 100;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/doth/ns3/named.conf.in
+++ b/bin/tests/system/doth/ns3/named.conf.in
@@ -46,6 +46,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/doth/ns4/named.conf.in
+++ b/bin/tests/system/doth/ns4/named.conf.in
@@ -54,6 +54,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/doth/ns5/named.conf.in
+++ b/bin/tests/system/doth/ns5/named.conf.in
@@ -42,6 +42,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/fetchlimit/ns3/named1.conf.in
+++ b/bin/tests/system/fetchlimit/ns3/named1.conf.in
@@ -28,6 +28,8 @@ options {
 	fetches-per-server 400;
 };

+trust-anchors { };
+
 server 10.53.0.4 {
 	edns no;
 };
--- a/bin/tests/system/fetchlimit/ns3/named2.conf.in
+++ b/bin/tests/system/fetchlimit/ns3/named2.conf.in
@@ -26,6 +26,8 @@ options {
 	fetches-per-zone 40;
 };

+trust-anchors { };
+
 server 10.53.0.4 {
 	edns no;
 };
--- a/bin/tests/system/fetchlimit/ns3/named3.conf.in
+++ b/bin/tests/system/fetchlimit/ns3/named3.conf.in
@@ -26,6 +26,8 @@ options {
 	recursive-clients 400;
 };

+trust-anchors { };
+
 server 10.53.0.4 {
 	edns no;
 };
--- a/bin/tests/system/fetchlimit/ns5/named1.conf.in
+++ b/bin/tests/system/fetchlimit/ns5/named1.conf.in
@@ -27,6 +27,8 @@ options {
 	max-clients-per-query 10;
 };

+trust-anchors { };
+
 server 10.53.0.4 {
 	edns no;
 };
--- a/bin/tests/system/fetchlimit/ns5/named2.conf.in
+++ b/bin/tests/system/fetchlimit/ns5/named2.conf.in
@@ -30,6 +30,8 @@ options {
 	max-clients-per-query 10;
 };

+trust-anchors { };
+
 server 10.53.0.4 {
 	edns no;
 };
--- a/bin/tests/system/filter-aaaa/ns1/named1.conf.in
+++ b/bin/tests/system/filter-aaaa/ns1/named1.conf.in
@@ -25,6 +25,8 @@ options {
 	minimal-responses no;
 };

+trust-anchors { };
+
 acl filterees { 10.53.0.1; };

 plugin query "../../../../plugins/.libs/filter-aaaa.so" {
--- a/bin/tests/system/filter-aaaa/ns1/named2.conf.in
+++ b/bin/tests/system/filter-aaaa/ns1/named2.conf.in
@@ -25,6 +25,8 @@ options {
 	minimal-responses no;
 };

+trust-anchors { };
+
 plugin query "../../../../plugins/.libs/filter-aaaa.so" {
 	filter-aaaa-on-v6 yes;
 	filter-aaaa { fd92:7065:b8e:ffff::1; };
--- a/bin/tests/system/forward/ns3/named1.conf.in
+++ b/bin/tests/system/forward/ns3/named1.conf.in
@@ -27,6 +27,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/forward/ns4/named.conf.in
+++ b/bin/tests/system/forward/ns4/named.conf.in
@@ -27,6 +27,8 @@ options {
 	minimal-responses yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.db";
--- a/bin/tests/system/forward/ns5/named.conf.in
+++ b/bin/tests/system/forward/ns5/named.conf.in
@@ -25,6 +25,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.db";
--- a/bin/tests/system/forward/ns7/named.conf.in
+++ b/bin/tests/system/forward/ns7/named.conf.in
@@ -24,6 +24,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.db";
--- a/bin/tests/system/forward/ns8/named.conf.in
+++ b/bin/tests/system/forward/ns8/named.conf.in
@@ -24,6 +24,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "root.db";
--- a/bin/tests/system/hooks/ns1/named.conf.in
+++ b/bin/tests/system/hooks/ns1/named.conf.in
@@ -24,6 +24,8 @@ options {
 	minimal-responses no;
 };

+trust-anchors { };
+
 plugin query "../driver/.libs/test-async.so";

 key rndc_key {
--- a/bin/tests/system/legacy/ns1/named1.conf.in
+++ b/bin/tests/system/legacy/ns1/named1.conf.in
@@ -23,6 +23,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/masterfile/ns2/named.conf.in
+++ b/bin/tests/system/masterfile/ns2/named.conf.in
@@ -26,6 +26,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/mkeys/ns1/named1.conf.in
+++ b/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -32,6 +32,8 @@ options {
 	allow-query { allowed; };
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/mkeys/ns1/named2.conf.in
+++ b/bin/tests/system/mkeys/ns1/named2.conf.in
@@ -32,6 +32,8 @@ options {
 	allow-query { allowed; };
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/mkeys/ns1/named3.conf.in
+++ b/bin/tests/system/mkeys/ns1/named3.conf.in
@@ -26,6 +26,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -26,6 +26,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/pipelined/ns2/named.conf.in
+++ b/bin/tests/system/pipelined/ns2/named.conf.in
@@ -24,6 +24,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/pipelined/ns3/named.conf.in
+++ b/bin/tests/system/pipelined/ns3/named.conf.in
@@ -24,6 +24,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/pipelined/ns4/named.conf.in
+++ b/bin/tests/system/pipelined/ns4/named.conf.in
@@ -25,6 +25,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/proxy/ns1/named.conf.in
+++ b/bin/tests/system/proxy/ns1/named.conf.in
@@ -54,6 +54,8 @@ options {
 	tcp-initial-timeout 1200;
 };

+trust-anchors { };
+
 zone "example0" {
 	type primary;
 	file "example.db";
--- a/bin/tests/system/proxy/ns3/named.conf.in
+++ b/bin/tests/system/proxy/ns3/named.conf.in
@@ -49,6 +49,8 @@ options {
 	tcp-initial-timeout 1200;
 };

+trust-anchors { };
+
 zone "example" {
 	type primary;
 	file "example.db";
--- a/bin/tests/system/reclimit/ns3/named1.conf.in
+++ b/bin/tests/system/reclimit/ns3/named1.conf.in
@@ -27,6 +27,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/reclimit/ns3/named2.conf.in
+++ b/bin/tests/system/reclimit/ns3/named2.conf.in
@@ -27,6 +27,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/reclimit/ns3/named3.conf.in
+++ b/bin/tests/system/reclimit/ns3/named3.conf.in
@@ -28,6 +28,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/reclimit/ns3/named4.conf.in
+++ b/bin/tests/system/reclimit/ns3/named4.conf.in
@@ -28,6 +28,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/redirect/ns1/named.conf.in
+++ b/bin/tests/system/redirect/ns1/named.conf.in
@@ -28,6 +28,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type primary;
 	file "root.db";
@@ -53,5 +55,3 @@ zone "." {
 	file "redirect.db";
 	allow-query { !10.53.0.2; !10.53.0.4; any; };
 };
-
-// include "trusted.conf";
--- a/bin/tests/system/redirect/ns2/named.conf.in
+++ b/bin/tests/system/redirect/ns2/named.conf.in
@@ -31,6 +31,8 @@ options {

 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/redirect/ns3/named.conf.in
+++ b/bin/tests/system/redirect/ns3/named.conf.in
@@ -26,6 +26,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {
 	type primary;
 	file "root.db";
@@ -50,5 +52,3 @@ zone "redirect" {
 	type primary;
 	file "redirect.db";
 };
-
-// include "trusted.conf";
--- a/bin/tests/system/redirect/ns4/named.conf.in
+++ b/bin/tests/system/redirect/ns4/named.conf.in
@@ -31,6 +31,8 @@ options {
 	nxdomain-redirect "redirect";
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/resolver/ns1/named.conf.in
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -31,6 +31,8 @@ options {
 	attach-cache "globalcache";
 };

+trust-anchors { };
+
 server 10.53.0.3 {
 	tcp-only yes;
 };
--- a/bin/tests/system/resolver/ns5/named.conf.in
+++ b/bin/tests/system/resolver/ns5/named.conf.in
@@ -27,6 +27,8 @@ options {
 	prefetch 4 10;
 };

+include "trusted.conf";
+
 server 10.53.0.7 {
 	edns-version 0;
 };
--- a/bin/tests/system/resolver/ns7/named1.conf.in
+++ b/bin/tests/system/resolver/ns7/named1.conf.in
@@ -34,6 +34,8 @@ options {
 	edns-udp-size 4096;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/resolver/ns7/named2.conf.in
+++ b/bin/tests/system/resolver/ns7/named2.conf.in
@@ -34,6 +34,8 @@ options {
 	edns-udp-size 4096;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/resolver/ns9/named.conf.in
+++ b/bin/tests/system/resolver/ns9/named.conf.in
@@ -24,6 +24,8 @@ options {
 	qname-minimization off;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/rndc/ns4/named.conf.in
+++ b/bin/tests/system/rndc/ns4/named.conf.in
@@ -20,6 +20,8 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 view normal {
 	match-clients { any; };

--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -64,6 +64,8 @@ options {
 	notify-delay 0;
 };

+trust-anchors { };
+
 logging { category rpz { default_debug; }; };

 key rndc_key {
--- a/bin/tests/system/rpz/ns8/named.conf.in
+++ b/bin/tests/system/rpz/ns8/named.conf.in
@@ -46,6 +46,8 @@ options {
 	notify-delay 0;
 };

+trust-anchors { };
+
 logging { category rpz { default_debug; }; };

 key rndc_key {
--- a/bin/tests/system/rpz/ns9/named.conf.in
+++ b/bin/tests/system/rpz/ns9/named.conf.in
@@ -40,6 +40,8 @@ options {
 	notify-delay 0;
 };

+trust-anchors { };
+
 logging { category rpz { default_debug; }; };

 key rndc_key {
--- a/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
+++ b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
@@ -30,6 +30,8 @@ options {
 	include "../dnsrps.conf";
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/rpzrecurse/ns3/named1.conf.in
+++ b/bin/tests/system/rpzrecurse/ns3/named1.conf.in
@@ -36,6 +36,8 @@ options {
 	include "../dnsrps.conf";
 };

+trust-anchors { };
+
 zone "policy" { type primary; file "policy.db"; };

 zone "example.tld" { type primary; file "example.db"; };
--- a/bin/tests/system/rpzrecurse/ns3/named2.conf.in
+++ b/bin/tests/system/rpzrecurse/ns3/named2.conf.in
@@ -35,6 +35,8 @@ options {
 	include "../dnsrps.conf";
 };

+trust-anchors { };
+
 zone "policy" { type primary; file "policy.db"; };

 zone "example.tld" { type primary; file "example.db"; };
--- a/bin/tests/system/rpzrecurse/ns3/named3.conf.in
+++ b/bin/tests/system/rpzrecurse/ns3/named3.conf.in
@@ -33,6 +33,8 @@ options {
 	include "../dnsrps.conf";
 };

+trust-anchors { };
+
 zone "policy" { type primary; file "policy.db"; };

 zone "example.tld" { type primary; file "example.db"; };
--- a/bin/tests/system/rrl/ns1/named.conf.in
+++ b/bin/tests/system/rrl/ns1/named.conf.in
@@ -25,4 +25,6 @@ options {
 	dnssec-validation yes;
 };

+trust-anchors { };
+
 zone "." {type primary; file "root.db";};
--- a/bin/tests/system/rrl/ns2/named.conf.in
+++ b/bin/tests/system/rrl/ns2/named.conf.in
@@ -36,6 +36,8 @@ options {
 	};
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/rrl/ns3/named.conf.in
+++ b/bin/tests/system/rrl/ns3/named.conf.in
@@ -43,6 +43,8 @@ options {

 };

+trust-anchors { };
+
 zone "." { type hint; file "hints"; };

 zone "tld3."{ type primary; file "tld3.db"; };
--- a/bin/tests/system/rrl/ns4/named.conf.in
+++ b/bin/tests/system/rrl/ns4/named.conf.in
@@ -38,6 +38,8 @@ options {
 	};
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/rrsetorder/ns3/named.conf.in
+++ b/bin/tests/system/rrsetorder/ns3/named.conf.in
@@ -32,6 +32,8 @@ options {
 	};
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/rrsetorder/ns4/named.conf.in
+++ b/bin/tests/system/rrsetorder/ns4/named.conf.in
@@ -28,6 +28,8 @@ options {

 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/rrsetorder/ns5/named.conf.in
+++ b/bin/tests/system/rrsetorder/ns5/named.conf.in
@@ -24,6 +24,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 zone "." {
 	type hint;
 	file "../../_common/root.hint";
--- a/bin/tests/system/statistics/ns2/named.conf.in
+++ b/bin/tests/system/statistics/ns2/named.conf.in
@@ -24,6 +24,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 statistics-channels {
 	inet 10.53.0.2 port @EXTRAPORT1@ allow { any; };
 };
--- a/bin/tests/system/statistics/ns3/named.conf.in
+++ b/bin/tests/system/statistics/ns3/named.conf.in
@@ -27,6 +27,8 @@ options {
 	zone-statistics yes;
 };

+trust-anchors { };
+
 statistics-channels {
 	inet 10.53.0.3 port @EXTRAPORT1@ allow { any; };
 };
--- a/bin/tests/system/stress/ns3/named.conf.in
+++ b/bin/tests/system/stress/ns3/named.conf.in
@@ -26,6 +26,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/stress/ns4/named.conf.in
+++ b/bin/tests/system/stress/ns4/named.conf.in
@@ -26,6 +26,8 @@ options {
 	notify yes;
 };

+trust-anchors { };
+
 zone "zone000000.example" {
 	type secondary;
 	file "zone000000.example.bk";
--- a/bin/tests/system/transport-acl/ns1/named.conf.in
+++ b/bin/tests/system/transport-acl/ns1/named.conf.in
@@ -68,6 +68,8 @@ options {
 	tcp-initial-timeout 1200;
 };

+trust-anchors { };
+
 zone "example0" {
 	type primary;
 	file "example.db";
--- a/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in
+++ b/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in
@@ -40,6 +40,8 @@ options {
 	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
 };

+trust-anchors { };
+
 zone "example" {
 	type primary;
 	file "example.db";
--- a/Show More
+++ b/Show More