option to disable validation under specified names

- added new 'validate-except' option, which configures an NTA with expiry of 0xffffffff. NTAs with that value in the expiry field do not expire, are are not written out when saving the NTA table and are not dumped by rndc secroots
2018-04-30 16:10:17 -07:00
parent 509d71e1aa
commit eaac2057c7
11 changed files with 208 additions and 176 deletions
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -113,9 +113,9 @@ options {
        datasize ( default | unlimited | <sizeval> );
        deallocate-on-exit <boolean>; // obsolete
        deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
-            <quoted_string>; ... } ];
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
        dialup ( notify | notify-passive | passive | refresh | <boolean> );
        directory <quoted_string>;
        disable-algorithms <string> { <string>;
@@ -146,15 +146,13 @@ options {
        dnssec-secure-to-insecure <boolean>;
        dnssec-update-mode ( maintain | no-resign );
        dnssec-validation ( yes | no | auto );
-        dnstap { ( all | auth | client | forwarder |
-            resolver ) [ ( query | response ) ]; ... }; // not configured
-        dnstap-identity ( <quoted_string> | none |
-            hostname ); // not configured
-        dnstap-output ( file | unix ) <quoted_string> [
-            size ( unlimited | <size> ) ] [ versions (
-            unlimited | <integer> ) ] [ suffix ( increment
-            | timestamp ) ]; // not configured
-        dnstap-version ( <quoted_string> | none ); // not configured
+        dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+            response ) ]; ... };
+        dnstap-identity ( <quoted_string> | none | hostname );
+        dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
+            <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
+            increment | timestamp ) ];
+        dnstap-version ( <quoted_string> | none );
        dscp <integer>;
        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
@@ -178,14 +176,14 @@ options {
        forward ( first | only );
        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
-        fstrm-set-buffer-hint <integer>; // not configured
-        fstrm-set-flush-timeout <integer>; // not configured
-        fstrm-set-input-queue-size <integer>; // not configured
-        fstrm-set-output-notify-threshold <integer>; // not configured
-        fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
-        fstrm-set-output-queue-size <integer>; // not configured
-        fstrm-set-reopen-interval <ttlval>; // not configured
-        geoip-directory ( <quoted_string> | none ); // not configured
+        fstrm-set-buffer-hint <integer>;
+        fstrm-set-flush-timeout <integer>;
+        fstrm-set-input-queue-size <integer>;
+        fstrm-set-output-notify-threshold <integer>;
+        fstrm-set-output-queue-model ( mpsc | spsc );
+        fstrm-set-output-queue-size <integer>;
+        fstrm-set-reopen-interval <ttlval>;
+        geoip-directory ( <quoted_string> | none );
        geoip-use-ecs <boolean>; // obsolete
        glue-cache <boolean>;
        has-old-clients <boolean>; // obsolete
@@ -321,7 +319,7 @@ options {
            dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
            } ];
        rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-delegation-only [ exclude { <string>; ... } ];
        root-key-sentinel <boolean>;
        rrset-order { [ class <string> ] [ type <string> ] [ name
            <quoted_string> ] <string> <string>; ... };
@@ -380,6 +378,7 @@ options {
        use-v4-udp-ports { <portrange>; ... };
        use-v6-udp-ports { <portrange>; ... };
        v6-bias <integer>;
+        validate-except { <string>; ... };
        version ( <quoted_string> | none );
        zero-no-soa-ttl <boolean>;
        zero-no-soa-ttl-cache <boolean>;
@@ -478,9 +477,9 @@ view <string> [ <class> ] {
        cleaning-interval <integer>;
        clients-per-query <integer>;
        deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
-            <quoted_string>; ... } ];
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
        dialup ( notify | notify-passive | passive | refresh | <boolean> );
        disable-algorithms <string> { <string>;
            ... }; // may occur multiple times
@@ -514,8 +513,8 @@ view <string> [ <class> ] {
        dnssec-secure-to-insecure <boolean>;
        dnssec-update-mode ( maintain | no-resign );
        dnssec-validation ( yes | no | auto );
-        dnstap { ( all | auth | client | forwarder |
-            resolver ) [ ( query | response ) ]; ... }; // not configured
+        dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
+            response ) ]; ... };
        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
            <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
@@ -651,7 +650,7 @@ view <string> [ <class> ] {
            dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
            } ];
        rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
+        root-delegation-only [ exclude { <string>; ... } ];
        root-key-sentinel <boolean>;
        rrset-order { [ class <string> ] [ type <string> ] [ name
            <quoted_string> ] <string> <string>; ... };
@@ -718,6 +717,7 @@ view <string> [ <class> ] {
        use-alt-transfer-source <boolean>;
        use-queryport-pool <boolean>; // obsolete
        v6-bias <integer>;
+        validate-except { <string>; ... };
        zero-no-soa-ttl <boolean>;
        zero-no-soa-ttl-cache <boolean>;
        zone <string> [ <class> ] {
@@ -805,7 +805,7 @@ view <string> [ <class> ] {
                serial-update-method ( date | increment | unixtime );
                server-addresses { ( <ipv4_address> | <ipv6_address> ) [
                    port <integer> ]; ... };
-                server-names { <quoted_string>; ... };
+                server-names { <string>; ... };
                sig-signing-nodes <integer>;
                sig-signing-signatures <integer>;
                sig-signing-type <integer>;
@@ -910,7 +910,7 @@ zone <string> [ <class> ] {
        serial-update-method ( date | increment | unixtime );
        server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
            <integer> ]; ... };
-        server-names { <quoted_string>; ... };
+        server-names { <string>; ... };
        sig-signing-nodes <integer>;
        sig-signing-signatures <integer>;
        sig-signing-type <integer>;
--- a/doc/misc/static-stub.zoneopt
+++ b/doc/misc/static-stub.zoneopt
@@ -6,6 +6,6 @@ zone <string> [ <class> ] {
 	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
 	max-records <integer>;
 	server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
-	server-names { <quoted_string>; ... };
+	server-names { <string>; ... };
 	zone-statistics ( full | terse | none | <boolean> );
 };