DLV removal

doc/example.conf.in

@@ -509,11 +509,6 @@ server:
 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
 	# root-key-sentinel: yes
 
-	# File with DLV trusted keys. Same format as trust-anchor-file.
-	# There can be only one DLV configured, it is trusted from root down.
-	# DLV is going to be decommissioned.  Please do not use it any more.
-	# dlv-anchor-file: "dlv.isc.org.key"
-
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.

doc/unbound.conf.5.in

@@ -1010,21 +1010,6 @@ Send RFC8145 key tag query after trust anchor priming. Default is yes.
 .B root\-key\-sentinel: \fI<yes or no>
 Root key trust anchor sentinel. Default is yes.
 .TP
-.B dlv\-anchor\-file: \fI<filename>
-This option was used during early days DNSSEC deployment when no parent-side
-DS record registrations were easily available.  Nowadays, it is best to have
-DS records registered with the parent zone (many top level zones are signed).
-File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
-DNSKEY entries can be used in the file, in the same format as for
-\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
-would be slow. The DLV configured is used as a root trusted DLV, this
-means that it is a lookaside for the root. Default is "", or no dlv anchor
-file. DLV is going to be decommissioned.  Please do not use it any more.
-.TP
-.B dlv\-anchor: \fI<"Resource Record">
-Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
-DLV is going to be decommissioned.  Please do not use it any more.
-.TP
 .B domain\-insecure: \fI<domain name>
 Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
 the domain name.  So a trust anchor above the domain name can not make the

pythonmod/doc/modules/config.rst

@@ -256,14 +256,6 @@ config_file
    
       Files with trusted DNSKEYs in named.conf format, list.
    
-   .. attribute:: dlv_anchor_file
-   
-      DLV anchor file.
-   
-   .. attribute:: dlv_anchor_list
-   
-      DLV anchor inline.
-
    .. attribute:: max_ttl
    
       The number of seconds maximal TTL used for RRsets and messages.

services/cache/dns.c

@@ -890,9 +890,8 @@ dns_cache_lookup(struct module_env* env,
 		lock_rw_unlock(&rrset->entry.lock);
 	}
 
-	/* construct DS, DNSKEY, DLV messages from rrset cache. */
-	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY ||
-		qtype == LDNS_RR_TYPE_DLV) &&
+	/* construct DS, DNSKEY messages from rrset cache. */
+	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
 		(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		qtype, qclass, 0, now, 0))) {
 		/* if the rrset is from the additional section, and the

smallapp/unbound-checkconf.c

@@ -624,8 +624,6 @@ morechecks(struct config_file* cfg)
 		cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
 	check_chroot_filelist_wild("trusted-keys-file",
 		cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
-	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
-		cfg->chrootdir, cfg);
 #ifdef USE_IPSECMOD
 	if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
 		/* only check hook if enabled */

util/config_file.c

@@ -233,8 +233,6 @@ config_create(void)
 	cfg->trusted_keys_file_list = NULL;
 	cfg->trust_anchor_signaling = 1;
 	cfg->root_key_sentinel = 1;
-	cfg->dlv_anchor_file = NULL;
-	cfg->dlv_anchor_list = NULL;
 	cfg->domain_insecure = NULL;
 	cfg->val_date_override = 0;
 	cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
@@ -581,8 +579,6 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
 	else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
 	else S_YNO("root-key-sentinel:", root_key_sentinel)
-	else S_STR("dlv-anchor-file:", dlv_anchor_file)
-	else S_STRLIST("dlv-anchor:", dlv_anchor_list)
 	else S_STRLIST("domain-insecure:", domain_insecure)
 	else S_NUMBER_OR_ZERO("val-bogus-ttl:", bogus_ttl)
 	else S_YNO("val-clean-additional:", val_clean_additional)
@@ -998,7 +994,6 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_DEC(opt, "unwanted-reply-threshold", unwanted_threshold)
 	else O_YNO(opt, "do-not-query-localhost", donotquery_localhost)
 	else O_STR(opt, "module-config", module_conf)
-	else O_STR(opt, "dlv-anchor-file", dlv_anchor_file)
 	else O_DEC(opt, "val-bogus-ttl", bogus_ttl)
 	else O_YNO(opt, "val-clean-additional", val_clean_additional)
 	else O_DEC(opt, "val-log-level", val_log_level)
@@ -1036,7 +1031,6 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
 	else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
 	else O_YNO(opt, "root-key-sentinel", root_key_sentinel)
-	else O_LST(opt, "dlv-anchor", dlv_anchor_list)
 	else O_LST(opt, "control-interface", control_ifs.first)
 	else O_LST(opt, "domain-insecure", domain_insecure)
 	else O_UNS(opt, "val-override-date", val_date_override)
@@ -1462,8 +1456,6 @@ config_delete(struct config_file* cfg)
 	config_delstrlist(cfg->trusted_keys_file_list);
 	config_delstrlist(cfg->trust_anchor_list);
 	config_delstrlist(cfg->domain_insecure);
-	free(cfg->dlv_anchor_file);
-	config_delstrlist(cfg->dlv_anchor_list);
 	config_deldblstrlist(cfg->acls);
 	config_deldblstrlist(cfg->tcp_connection_limits);
 	free(cfg->val_nsec3_key_iterations);

util/config_file.h

@@ -331,10 +331,6 @@ struct config_file {
 	struct config_strlist* auto_trust_anchor_file_list;
 	/** files with trusted DNSKEYs in named.conf format, list */
 	struct config_strlist* trusted_keys_file_list;
-	/** DLV anchor file */
-	char* dlv_anchor_file;
-	/** DLV anchor inline */
-	struct config_strlist* dlv_anchor_list;
 	/** insecure domain list */
 	struct config_strlist* domain_insecure;
 	/** send key tag query */

util/configparser.h

@@ -1,4 +1,4 @@
-/* A Bison parser, made by GNU Bison 3.5.  */
+/* A Bison parser, made by GNU Bison 3.4.1.  */
 
 /* Bison interface for Yacc-like parsers in C
 

util/configparser.y

@@ -1120,15 +1120,13 @@ server_root_hints: VAR_ROOT_HINTS STRING_ARG
 server_dlv_anchor_file: VAR_DLV_ANCHOR_FILE STRING_ARG
 	{
 		OUTYY(("P(server_dlv_anchor_file:%s)\n", $2));
-		free(cfg_parser->cfg->dlv_anchor_file);
-		cfg_parser->cfg->dlv_anchor_file = $2;
+		log_warn("option dlv-anchor-file ignored: DLV is decommissioned");
 	}
 	;
 server_dlv_anchor: VAR_DLV_ANCHOR STRING_ARG
 	{
 		OUTYY(("P(server_dlv_anchor:%s)\n", $2));
-		if(!cfg_strlist_insert(&cfg_parser->cfg->dlv_anchor_list, $2))
-			yyerror("out of memory");
+		log_warn("option dlv-anchor ignored: DLV is decommissioned");
 	}
 	;
 server_auto_trust_anchor_file: VAR_AUTO_TRUST_ANCHOR_FILE STRING_ARG

validator/val_anchor.c

@@ -1030,8 +1030,6 @@ anchors_assemble_rrsets(struct val_anchors* anchors)
 				")", b);
 			(void)rbtree_delete(anchors->tree, &ta->node);
 			lock_basic_unlock(&ta->lock);
-			if(anchors->dlv_anchor == ta)
-				anchors->dlv_anchor = NULL;
 			anchors_delfunc(&ta->node, NULL);
 			ta = next;
 			continue;
@@ -1103,37 +1101,6 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
 			return 0;
 		}
 	}
-	if(cfg->dlv_anchor_file && cfg->dlv_anchor_file[0] != 0) {
-		struct trust_anchor* dlva;
-		nm = cfg->dlv_anchor_file;
-		if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
-			cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
-			nm += strlen(cfg->chrootdir);
-		if(!(dlva = anchor_read_file(anchors, parsebuf,
-			nm, 1))) {
-			log_err("error reading dlv-anchor-file: %s", 
-				cfg->dlv_anchor_file);
-			sldns_buffer_free(parsebuf);
-			return 0;
-		}
-		lock_basic_lock(&anchors->lock);
-		anchors->dlv_anchor = dlva;
-		lock_basic_unlock(&anchors->lock);
-	}
-	for(f = cfg->dlv_anchor_list; f; f = f->next) {
-		struct trust_anchor* dlva;
-		if(!f->str || f->str[0] == 0) /* empty "" */
-			continue;
-		if(!(dlva = anchor_store_str(
-			anchors, parsebuf, f->str))) {
-			log_err("error in dlv-anchor: \"%s\"", f->str);
-			sldns_buffer_free(parsebuf);
-			return 0;
-		}
-		lock_basic_lock(&anchors->lock);
-		anchors->dlv_anchor = dlva;
-		lock_basic_unlock(&anchors->lock);
-	}
 	/* do autr last, so that it sees what anchors are filled by other
 	 * means can can print errors about double config for the name */
 	for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) {

validator/val_anchor.h

@@ -67,8 +67,6 @@ struct val_anchors {
 	 * contents of type trust_anchor.
 	 */
 	rbtree_type* tree;
-	/** The DLV trust anchor (if one is configured, else NULL) */
-	struct trust_anchor* dlv_anchor;
 	/** Autotrust global data, anchors sorted by next probe time */
 	struct autr_global_data* autr;
 };

validator/val_neg.c

@@ -965,108 +965,6 @@ static int neg_closest_data(struct val_neg_zone* zone,
 	}
 }
 
-int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len,
-        uint16_t qclass, struct rrset_cache* rrset_cache, time_t now)
-{
-	/* lookup closest zone */
-	struct val_neg_zone* zone;
-	struct val_neg_data* data;
-	int labs;
-	struct ub_packed_rrset_key* nsec;
-	struct packed_rrset_data* d;
-	uint32_t flags;
-	uint8_t* wc;
-	struct query_info qinfo;
-	if(!neg) return 0;
-
-	log_nametypeclass(VERB_ALGO, "negcache dlvlookup", qname, 
-		LDNS_RR_TYPE_DLV, qclass);
-	
-	labs = dname_count_labels(qname);
-	lock_basic_lock(&neg->lock);
-	zone = neg_closest_zone_parent(neg, qname, len, labs, qclass);
-	while(zone && !zone->in_use)
-		zone = zone->parent;
-	if(!zone) {
-		lock_basic_unlock(&neg->lock);
-		return 0;
-	}
-	log_nametypeclass(VERB_ALGO, "negcache zone", zone->name, 0, 
-		zone->dclass);
-
-	/* DLV is defined to use NSEC only */
-	if(zone->nsec3_hash) {
-		lock_basic_unlock(&neg->lock);
-		return 0;
-	}
-
-	/* lookup closest data record */
-	(void)neg_closest_data(zone, qname, len, labs, &data);
-	while(data && !data->in_use)
-		data = data->parent;
-	if(!data) {
-		lock_basic_unlock(&neg->lock);
-		return 0;
-	}
-	log_nametypeclass(VERB_ALGO, "negcache rr", data->name, 
-		LDNS_RR_TYPE_NSEC, zone->dclass);
-
-	/* lookup rrset in rrset cache */
-	flags = 0;
-	if(query_dname_compare(data->name, zone->name) == 0)
-		flags = PACKED_RRSET_NSEC_AT_APEX;
-	nsec = rrset_cache_lookup(rrset_cache, data->name, data->len,
-		LDNS_RR_TYPE_NSEC, zone->dclass, flags, now, 0);
-
-	/* check if secure and TTL ok */
-	if(!nsec) {
-		lock_basic_unlock(&neg->lock);
-		return 0;
-	}
-	d = (struct packed_rrset_data*)nsec->entry.data;
-	if(!d || now > d->ttl) {
-		lock_rw_unlock(&nsec->entry.lock);
-		/* delete data record if expired */
-		neg_delete_data(neg, data);
-		lock_basic_unlock(&neg->lock);
-		return 0;
-	}
-	if(d->security != sec_status_secure) {
-		lock_rw_unlock(&nsec->entry.lock);
-		neg_delete_data(neg, data);
-		lock_basic_unlock(&neg->lock);
-		return 0;
-	}
-	verbose(VERB_ALGO, "negcache got secure rrset");
-
-	/* check NSEC security */
-	/* check if NSEC proves no DLV type exists */
-	/* check if NSEC proves NXDOMAIN for qname */
-	qinfo.qname = qname;
-	qinfo.qtype = LDNS_RR_TYPE_DLV;
-	qinfo.qclass = qclass;
-	qinfo.local_alias = NULL;
-	if(!nsec_proves_nodata(nsec, &qinfo, &wc) &&
-		!val_nsec_proves_name_error(nsec, qname)) {
-		/* the NSEC is not a denial for the DLV */
-		lock_rw_unlock(&nsec->entry.lock);
-		lock_basic_unlock(&neg->lock);
-		verbose(VERB_ALGO, "negcache not proven");
-		return 0;
-	}
-	/* so the NSEC was a NODATA proof, or NXDOMAIN proof. */
-
-	/* no need to check for wildcard NSEC; no wildcards in DLV repos */
-	/* no need to lookup SOA record for client; no response message */
-
-	lock_rw_unlock(&nsec->entry.lock);
-	/* if OK touch the LRU for neg_data element */
-	neg_lru_touch(neg, data);
-	lock_basic_unlock(&neg->lock);
-	verbose(VERB_ALGO, "negcache DLV denial proven");
-	return 1;
-}
-
 void val_neg_addreferral(struct val_neg_cache* neg, struct reply_info* rep,
 	uint8_t* zone_name)
 {

validator/val_neg.h

@@ -218,26 +218,6 @@ void val_neg_addreply(struct val_neg_cache* neg, struct reply_info* rep);
 void val_neg_addreferral(struct val_neg_cache* neg, struct reply_info* rep,
 	uint8_t* zone);
 
-/**
- * Perform a DLV style lookup
- * During the lookup, we could find out that data has expired. In that
- * case the neg_cache entries are removed, and lookup fails.
- *
- * @param neg: negative cache.
- * @param qname: name to look for
- * @param len: length of qname.
- * @param qclass: class to look in.
- * @param rrset_cache: the rrset cache, for NSEC lookups.
- * @param now: current time for ttl checks.
- * @return 
- *	0 on error
- *	0 if no proof of negative
- *	1 if indeed negative was proven
- *	  thus, qname DLV qclass does not exist.
- */
-int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len,
-	uint16_t qclass, struct rrset_cache* rrset_cache, time_t now);
-
 /**
  * For the given query, try to get a reply out of the negative cache.
  * The reply still needs to be validated.

validator/val_nsec.c

@@ -541,86 +541,3 @@ val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
 	}
 	return 0;
 }
-
-/**
- * Find shared topdomain that exists
- */
-static void
-dlv_topdomain(struct ub_packed_rrset_key* nsec, uint8_t* qname,
-	uint8_t** nm, size_t* nm_len)
-{
-	/* make sure reply is part of nm */
-	/* take shared topdomain with left of NSEC. */
-
-	/* because, if empty nonterminal, then right is subdomain of qname.
-	 * and any shared topdomain would be empty nonterminals.
-	 * 
-	 * If nxdomain, then the right is bigger, and could have an 
-	 * interesting shared topdomain, but if it does have one, it is
-	 * an empty nonterminal. An empty nonterminal shared with the left
-	 * one. */
-	int n;
-	uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname);
-	n = dname_count_labels(*nm) - dname_count_labels(common);
-	dname_remove_labels(nm, nm_len, n);
-}
-
-int val_nsec_check_dlv(struct query_info* qinfo,
-        struct reply_info* rep, uint8_t** nm, size_t* nm_len)
-{
-	uint8_t* next;
-	size_t i, nlen;
-	int c;
-	/* we should now have a NOERROR/NODATA or NXDOMAIN message */
-	if(rep->an_numrrsets != 0) {
-		return 0;
-	}
-	/* is this NOERROR ? */
-	if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
-		/* it can be a plain NSEC match - go up one more level. */
-		/* or its an empty nonterminal - go up to nonempty level */
-		for(i=0; i<rep->ns_numrrsets; i++) {
-			if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC ||
-				!nsec_get_next(rep->rrsets[i], &next, &nlen))
-				continue;
-			c = dname_canonical_compare(
-				rep->rrsets[i]->rk.dname, qinfo->qname);
-			if(c == 0) {
-				/* plain match */
-				if(nsec_has_type(rep->rrsets[i],
-					LDNS_RR_TYPE_DLV))
-					return 0;
-				dname_remove_label(nm, nm_len);
-				return 1;
-			} else if(c < 0 && 
-				dname_strict_subdomain_c(next, qinfo->qname)) {
-				/* ENT */
-				dlv_topdomain(rep->rrsets[i], qinfo->qname,
-					nm, nm_len);
-				return 1;
-			}
-		}
-		return 0;
-	}
-
-	/* is this NXDOMAIN ? */
-	if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) {
-		/* find the qname denial NSEC record. It can tell us
-		 * a closest encloser name; or that we not need bother */
-		for(i=0; i<rep->ns_numrrsets; i++) {
-			if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC)
-				continue;
-			if(val_nsec_proves_name_error(rep->rrsets[i], 
-				qinfo->qname)) {
-				log_nametypeclass(VERB_ALGO, "topdomain on",
-					rep->rrsets[i]->rk.dname, 
-					ntohs(rep->rrsets[i]->rk.type), 0);
-				dlv_topdomain(rep->rrsets[i], qinfo->qname,
-					nm, nm_len);
-				return 1;
-			}
-		}
-		return 0;
-	}
-	return 0;
-}

validator/val_nsec.h

@@ -158,19 +158,6 @@ uint8_t* nsec_closest_encloser(uint8_t* qname,
 int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 
 	size_t qnamelen);
 
-/**
- * Determine the DLV result, what to do with NSEC DLV reply.
- * @param qinfo: what was queried for.
- * @param rep: the nonpositive reply.
- * @param nm: dlv lookup name, to adjust for new lookup name (if needed).
- * @param nm_len: length of lookup name.
- * @return 0 on error, 1 if a higher point is found.
- * 	If the higher point is above the dlv repo anchor, the qname does 
- * 	not exist.
- */
-int val_nsec_check_dlv(struct query_info* qinfo,
-	struct reply_info* rep, uint8_t** nm, size_t* nm_len);
-
 /**
  * Determine if an nsec proves an insecure delegation towards the qname.
  * @param nsec: nsec rrset.

validator/validator.h

@@ -137,8 +137,6 @@ enum val_state {
 	VAL_VALIDATE_STATE,
 	/** finish up */
 	VAL_FINISHED_STATE,
-	/** DLV lookup state, processing DLV queries */
-	VAL_DLVLOOKUP_STATE
 };
 
 /**
@@ -217,27 +215,6 @@ struct val_qstate {
 
 	/** true if this state is waiting to prime a trust anchor */
 	int wait_prime_ta;
-
-	/** have we already checked the DLV? */
-	int dlv_checked;
-	/** The name for which the DLV is looked up. For the current message
-	 * or for the current RRset (for CNAME, REFERRAL types).
-	 * If there is signer name, that may be it, else a domain name */
-	uint8_t* dlv_lookup_name;
-	/** length of dlv lookup name */
-	size_t dlv_lookup_name_len;
-	/** Name at which chain of trust stopped with insecure, starting DLV
-	 * DLV must result in chain going further down */
-	uint8_t* dlv_insecure_at;
-	/** length of dlv insecure point name */
-	size_t dlv_insecure_at_len;
-	/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
-	enum dlv_status {
-		dlv_error, /* server failure */
-		dlv_success, /* got a DLV */
-		dlv_ask_higher, /* ask again */
-		dlv_there_is_no_dlv /* got no DLV, sure of it */
-	} dlv_status;
 };
 
 /**