authordougb <dougb@FreeBSD.org>2009-05-31 05:42:58 +0000
committerdougb <dougb@FreeBSD.org>2009-05-31 05:42:58 +0000
commit1e9abbf9ca25c8e19cbc0405a365df5433813cd6 (patch)
tree21a5399cf53ce4f1ffedece1c1700a317f190f2e /contrib/bind9/bin
parent9babfe9f9b2fa8b533dad4a39b00918df9809aa7 (diff)
parentfd553238c94c3abfef11bfdfc5cb05b32cbe5f76 (diff)
Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including: full NSEC3 support; automatic zone re-signing; new update-policy methods tcp-self and 6to4-self; DHCID support; more detailed statistics counters, including those supported in BIND 8; faster ACL processing; an efficient LRU cache-cleaning mechanism; and NSID support.
Diffstat (limited to 'contrib/bind9/bin')
-rw-r--r--contrib/bind9/bin/Makefile.in6
-rw-r--r--contrib/bind9/bin/check/Makefile.in6
-rw-r--r--contrib/bind9/bin/check/check-tool.c252
-rw-r--r--contrib/bind9/bin/check/check-tool.h9
-rw-r--r--contrib/bind9/bin/check/named-checkconf.89
-rw-r--r--contrib/bind9/bin/check/named-checkconf.c55
-rw-r--r--contrib/bind9/bin/check/named-checkconf.docbook12
-rw-r--r--contrib/bind9/bin/check/named-checkconf.html18
-rw-r--r--contrib/bind9/bin/check/named-checkzone.821
-rw-r--r--contrib/bind9/bin/check/named-checkzone.c69
-rw-r--r--contrib/bind9/bin/check/named-checkzone.docbook19
-rw-r--r--contrib/bind9/bin/check/named-checkzone.html24
-rw-r--r--contrib/bind9/bin/dig/Makefile.in6
-rw-r--r--contrib/bind9/bin/dig/dig.115
-rw-r--r--contrib/bind9/bin/dig/dig.c93
-rw-r--r--contrib/bind9/bin/dig/dig.docbook39
-rw-r--r--contrib/bind9/bin/dig/dig.html44
-rw-r--r--contrib/bind9/bin/dig/dighost.c232
-rw-r--r--contrib/bind9/bin/dig/host.110
-rw-r--r--contrib/bind9/bin/dig/host.c38
-rw-r--r--contrib/bind9/bin/dig/host.docbook9
-rw-r--r--contrib/bind9/bin/dig/host.html16
-rw-r--r--contrib/bind9/bin/dig/include/dig/dig.h33
-rw-r--r--contrib/bind9/bin/dig/nslookup.12
-rw-r--r--contrib/bind9/bin/dig/nslookup.c47
-rw-r--r--contrib/bind9/bin/dig/nslookup.docbook2
-rw-r--r--contrib/bind9/bin/dig/nslookup.html2
-rw-r--r--contrib/bind9/bin/dnssec/Makefile.in26
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.8124
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.c396
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook214
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.html133
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8149
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c327
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook265
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html171
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.86
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.c60
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.docbook14
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.html14
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.819
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.c1094
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.docbook37
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.html31
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.c6
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.h8
-rw-r--r--contrib/bind9/bin/named/Makefile.in21
-rw-r--r--contrib/bind9/bin/named/bind9.xsl492
-rw-r--r--contrib/bind9/bin/named/bind9.xsl.h497
-rw-r--r--contrib/bind9/bin/named/builtin.c6
-rw-r--r--contrib/bind9/bin/named/client.c247
-rw-r--r--contrib/bind9/bin/named/config.c22
-rw-r--r--contrib/bind9/bin/named/control.c21
-rw-r--r--contrib/bind9/bin/named/controlconf.c12
-rwxr-xr-xcontrib/bind9/bin/named/convertxsl.pl57
-rw-r--r--contrib/bind9/bin/named/include/named/builtin.h6
-rw-r--r--contrib/bind9/bin/named/include/named/client.h42
-rw-r--r--contrib/bind9/bin/named/include/named/config.h6
-rw-r--r--contrib/bind9/bin/named/include/named/control.h8
-rw-r--r--contrib/bind9/bin/named/include/named/globals.h24
-rw-r--r--contrib/bind9/bin/named/include/named/interfacemgr.h6
-rw-r--r--contrib/bind9/bin/named/include/named/listenlist.h6
-rw-r--r--contrib/bind9/bin/named/include/named/log.h7
-rw-r--r--contrib/bind9/bin/named/include/named/logconf.h6
-rw-r--r--contrib/bind9/bin/named/include/named/lwaddr.h6
-rw-r--r--contrib/bind9/bin/named/include/named/lwdclient.h8
-rw-r--r--contrib/bind9/bin/named/include/named/lwresd.h6
-rw-r--r--contrib/bind9/bin/named/include/named/lwsearch.h6
-rw-r--r--contrib/bind9/bin/named/include/named/main.h6
-rw-r--r--contrib/bind9/bin/named/include/named/notify.h8
-rw-r--r--contrib/bind9/bin/named/include/named/ns_smf_globals.h6
-rw-r--r--contrib/bind9/bin/named/include/named/query.h6
-rw-r--r--contrib/bind9/bin/named/include/named/server.h85
-rw-r--r--contrib/bind9/bin/named/include/named/sortlist.h6
-rw-r--r--contrib/bind9/bin/named/include/named/statschannel.h61
-rw-r--r--contrib/bind9/bin/named/include/named/tkeyconf.h6
-rw-r--r--contrib/bind9/bin/named/include/named/tsigconf.h6
-rw-r--r--contrib/bind9/bin/named/include/named/types.h11
-rw-r--r--contrib/bind9/bin/named/include/named/update.h6
-rw-r--r--contrib/bind9/bin/named/include/named/xfrout.h6
-rw-r--r--contrib/bind9/bin/named/include/named/zoneconf.h6
-rw-r--r--contrib/bind9/bin/named/interfacemgr.c53
-rw-r--r--contrib/bind9/bin/named/listenlist.c6
-rw-r--r--contrib/bind9/bin/named/log.c13
-rw-r--r--contrib/bind9/bin/named/logconf.c6
-rw-r--r--contrib/bind9/bin/named/lwaddr.c4
-rw-r--r--contrib/bind9/bin/named/lwdclient.c7
-rw-r--r--contrib/bind9/bin/named/lwderror.c6
-rw-r--r--contrib/bind9/bin/named/lwdgabn.c6
-rw-r--r--contrib/bind9/bin/named/lwdgnba.c4
-rw-r--r--contrib/bind9/bin/named/lwdgrbn.c6
-rw-r--r--contrib/bind9/bin/named/lwdnoop.c4
-rw-r--r--contrib/bind9/bin/named/lwresd.810
-rw-r--r--contrib/bind9/bin/named/lwresd.c4
-rw-r--r--contrib/bind9/bin/named/lwresd.docbook9
-rw-r--r--contrib/bind9/bin/named/lwresd.html18
-rw-r--r--contrib/bind9/bin/named/lwsearch.c6
-rw-r--r--contrib/bind9/bin/named/main.c48
-rw-r--r--contrib/bind9/bin/named/named.811
-rw-r--r--contrib/bind9/bin/named/named.conf.539
-rw-r--r--contrib/bind9/bin/named/named.conf.docbook42
-rw-r--r--contrib/bind9/bin/named/named.conf.html50
-rw-r--r--contrib/bind9/bin/named/named.docbook14
-rw-r--r--contrib/bind9/bin/named/named.html24
-rw-r--r--contrib/bind9/bin/named/notify.c27
-rw-r--r--contrib/bind9/bin/named/query.c762
-rw-r--r--contrib/bind9/bin/named/server.c905
-rw-r--r--contrib/bind9/bin/named/sortlist.c24
-rw-r--r--contrib/bind9/bin/named/statschannel.c1355
-rw-r--r--contrib/bind9/bin/named/tkeyconf.c14
-rw-r--r--contrib/bind9/bin/named/tsigconf.c6
-rw-r--r--contrib/bind9/bin/named/unix/Makefile.in6
-rw-r--r--contrib/bind9/bin/named/unix/include/named/os.h4
-rw-r--r--contrib/bind9/bin/named/unix/os.c213
-rw-r--r--contrib/bind9/bin/named/update.c1692
-rw-r--r--contrib/bind9/bin/named/xfrout.c113
-rw-r--r--contrib/bind9/bin/named/zoneconf.c260
-rw-r--r--contrib/bind9/bin/nsupdate/Makefile.in8
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.151
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.c754
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.docbook107
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.html103
-rw-r--r--contrib/bind9/bin/rndc/Makefile.in2
-rw-r--r--contrib/bind9/bin/rndc/include/rndc/os.h8
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.82
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.c19
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.docbook2
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.html2
-rw-r--r--contrib/bind9/bin/rndc/rndc.82
-rw-r--r--contrib/bind9/bin/rndc/rndc.c27
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf6
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.52
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.docbook2
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.html2
-rw-r--r--contrib/bind9/bin/rndc/rndc.docbook2
-rw-r--r--contrib/bind9/bin/rndc/rndc.html2
-rw-r--r--contrib/bind9/bin/rndc/unix/Makefile.in6
-rw-r--r--contrib/bind9/bin/rndc/unix/os.c6
-rw-r--r--contrib/bind9/bin/rndc/util.c6
-rw-r--r--contrib/bind9/bin/rndc/util.h6
140 files changed, 10996 insertions, 1815 deletions
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in
index 2e29f94..ef28e0c 100644
--- a/contrib/bind9/bin/Makefile.in
+++ b/contrib/bind9/bin/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.23 2004/03/05 04:57:10 marka Exp $
+# $Id: Makefile.in,v 1.25 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in
index cd9ecf6..06f5541 100644
--- a/contrib/bind9/bin/check/Makefile.in
+++ b/contrib/bind9/bin/check/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.24.18.6 2006/06/09 00:54:08 marka Exp $
+# $Id: Makefile.in,v 1.32 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c
index 2136a63..e0a7208 100644
--- a/contrib/bind9/bin/check/check-tool.c
+++ b/contrib/bind9/bin/check/check-tool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.c,v 1.10.18.20 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */
/*! \file */
@@ -24,16 +24,17 @@
#include <stdio.h>
#include "check-tool.h"
-#include <isc/util.h>
-
#include <isc/buffer.h>
#include <isc/log.h>
-#include <isc/net.h>
+#include <isc/mem.h>
#include <isc/netdb.h>
+#include <isc/net.h>
#include <isc/region.h>
#include <isc/stdio.h>
#include <isc/string.h>
+#include <isc/symtab.h>
#include <isc/types.h>
+#include <isc/util.h>
#include <dns/fixedname.h>
#include <dns/log.h>
@@ -69,6 +70,15 @@
goto cleanup; \
} while (0)
+#define ERR_IS_CNAME 1
+#define ERR_NO_ADDRESSES 2
+#define ERR_LOOKUP_FAILURE 3
+#define ERR_EXTRA_A 4
+#define ERR_EXTRA_AAAA 5
+#define ERR_MISSING_GLUE 5
+#define ERR_IS_MXCNAME 6
+#define ERR_IS_SRVCNAME 7
+
static const char *dbtype[] = { "rbt" };
int debug = 0;
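Review bot: ERR_EXTRA_AAAA and ERR_MISSING_GLUE are both defined as 5, so the (name, type) key that logged()/add() store in the symbol table cannot distinguish the two conditions: once an "extra GLUE AAAA record" error has been recorded for an NS target, the whole missing-glue pass for that name is skipped, and a recorded missing-glue error likewise silences further extra-AAAA reports. The tags need to be distinct, e.g. `#define ERR_MISSING_GLUE 6`, `#define ERR_IS_MXCNAME 7`, `#define ERR_IS_SRVCNAME 8`. A one-line comment above the list noting that these are symbol-table type tags keyed per target name, shared across the NS, MX and SRV checks, would make the uniqueness requirement obvious to the next person adding one.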
@@ -105,9 +115,62 @@ static isc_logcategory_t categories[] = {
{ "queries", 0 },
{ "unmatched", 0 },
{ "update-security", 0 },
+ { "query-errors", 0 },
{ NULL, 0 }
};
+static isc_symtab_t *symtab = NULL;
+static isc_mem_t *sym_mctx;
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+ UNUSED(type);
+ UNUSED(value);
+ isc_mem_free(userarg, key);
+}
+
+static void
+add(char *key, int value) {
+ isc_result_t result;
+ isc_symvalue_t symvalue;
+
+ if (sym_mctx == NULL) {
+ result = isc_mem_create(0, 0, &sym_mctx);
+ if (result != ISC_R_SUCCESS)
+ return;
+ }
+
+ if (symtab == NULL) {
+ result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
+ ISC_FALSE, &symtab);
+ if (result != ISC_R_SUCCESS)
+ return;
+ }
+
+ key = isc_mem_strdup(sym_mctx, key);
+ if (key == NULL)
+ return;
+
+ symvalue.as_pointer = NULL;
+ result = isc_symtab_define(symtab, key, value, symvalue,
+ isc_symexists_reject);
+ if (result != ISC_R_SUCCESS)
+ isc_mem_free(sym_mctx, key);
+}
+
+static isc_boolean_t
+logged(char *key, int value) {
+ isc_result_t result;
+
+ if (symtab == NULL)
+ return (ISC_FALSE);
+
+ result = isc_symtab_lookup(symtab, key, value, NULL);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
static isc_boolean_t
checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
dns_rdataset_t *a, dns_rdataset_t *aaaa)
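Review bot: add() and logged() carry no comment, and their contract is not obvious from the code: the table is keyed by the target name plus an ERR_* tag, so each (name, condition) pair is reported once for the whole run, regardless of owner and across the NS, MX and SRV checks. A header such as `/* Remember that condition 'value' was reported for target 'key' so later hits are not logged again; allocation failures are ignored and merely let the message repeat. */` on add(), with a matching one-liner on logged(), would document that. It is also worth stating in a comment whether sym_mctx and symtab are deliberately never destroyed; as written they stay allocated until process exit, which memory-debugging builds will report.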
@@ -156,29 +219,39 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
- strcasecmp(ai->ai_canonname, namebuf) != 0) {
+ strcasecmp(cur->ai_canonname, namebuf) != 0 &&
+ !logged(namebuf, ERR_IS_CNAME)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ "is a CNAME '%s' (illegal)",
+ ownerbuf, namebuf,
+ cur->ai_canonname);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
+ add(namebuf, ERR_IS_CNAME);
}
break;
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/NS '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0 */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
- "getaddrinfo(%s) failed: %s",
- namebuf, gai_strerror(result));
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "getaddrinfo(%s) failed: %s",
+ namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
if (a == NULL || aaaa == NULL)
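Review bot: The `/* XXX950 make fatal for 9.5.0 */` markers re-emitted on this hunk's new side are stale for a 9.6.1 import: the `answer = ISC_FALSE;` assignments below them are still commented out, so an out-of-zone NS target that is a CNAME or has no address records is reported but never fails the check. The marker should either name the release in which this becomes fatal or be replaced by a comment stating that the condition is intentionally a non-fatal diagnostic. The log text `"has no addresses records (A or AAAA)"` also reads better as `"has no address records (A or AAAA)"`; the same wording recurs in the MX and SRV checks. checkns starts before this hunk.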
@@ -201,12 +274,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
break;
}
}
- if (!match) {
+ if (!match && !logged(namebuf, ERR_EXTRA_A)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE A record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET, rdata.data,
addrbuf, sizeof(addrbuf)));
+ add(namebuf, ERR_EXTRA_A);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
}
@@ -230,12 +304,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
break;
}
}
- if (!match) {
+ if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE AAAA record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET6, rdata.data,
addrbuf, sizeof(addrbuf)));
+ add(namebuf, ERR_EXTRA_AAAA);
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
}
@@ -247,42 +322,48 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
/*
* Check that all addresses appear in the glue.
*/
- for (cur = ai; cur != NULL; cur = cur->ai_next) {
- switch (cur->ai_family) {
- case AF_INET:
- rdataset = a;
- ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
- type = "A";
- break;
- case AF_INET6:
- rdataset = aaaa;
- ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
- type = "AAAA";
- break;
- default:
- continue;
- }
- match = ISC_FALSE;
- if (dns_rdataset_isassociated(rdataset))
- result = dns_rdataset_first(rdataset);
- else
- result = ISC_R_FAILURE;
- while (result == ISC_R_SUCCESS && !match) {
- dns_rdataset_current(rdataset, &rdata);
- if (memcmp(ptr, rdata.data, rdata.length) == 0)
- match = ISC_TRUE;
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(rdataset);
- }
- if (!match) {
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
- "missing GLUE %s record (%s)",
- ownerbuf, namebuf, type,
- inet_ntop(cur->ai_family, ptr,
- addrbuf, sizeof(addrbuf)));
- /* XXX950 make fatal for 9.5.0. */
- /* answer = ISC_FALSE; */
+ if (!logged(namebuf, ERR_MISSING_GLUE)) {
+ isc_boolean_t missing_glue = ISC_FALSE;
+ for (cur = ai; cur != NULL; cur = cur->ai_next) {
+ switch (cur->ai_family) {
+ case AF_INET:
+ rdataset = a;
+ ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+ type = "A";
+ break;
+ case AF_INET6:
+ rdataset = aaaa;
+ ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+ type = "AAAA";
+ break;
+ default:
+ continue;
+ }
+ match = ISC_FALSE;
+ if (dns_rdataset_isassociated(rdataset))
+ result = dns_rdataset_first(rdataset);
+ else
+ result = ISC_R_FAILURE;
+ while (result == ISC_R_SUCCESS && !match) {
+ dns_rdataset_current(rdataset, &rdata);
+ if (memcmp(ptr, rdata.data, rdata.length) == 0)
+ match = ISC_TRUE;
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(rdataset);
+ }
+ if (!match) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+ "missing GLUE %s record (%s)",
+ ownerbuf, namebuf, type,
+ inet_ntop(cur->ai_family, ptr,
+ addrbuf, sizeof(addrbuf)));
+ /* XXX950 make fatal for 9.5.0. */
+ /* answer = ISC_FALSE; */
+ missing_glue = ISC_TRUE;
+ }
}
+ if (missing_glue)
+ add(namebuf, ERR_MISSING_GLUE);
}
freeaddrinfo(ai);
return (answer);
@@ -332,10 +413,15 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "%s/MX '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_IS_MXCNAME)) {
+ dns_zone_log(zone, level,
+ "%s/MX '%s' (out of zone)"
+ " is a CNAME '%s' "
+ "(illegal)",
+ ownerbuf, namebuf,
+ cur->ai_canonname);
+ add(namebuf, ERR_IS_MXCNAME);
+ }
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
@@ -347,16 +433,23 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/MX '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s",
namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
#else
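Review bot: The two continuation lines of the dns_zone_log() call in the `default:` branch (`"getaddrinfo(%s) failed: %s",` and `namebuf, gai_strerror(result));`) kept their pre-patch indentation when the call was wrapped in the new `if (!logged(...))` block, so they now sit one level to the left of the call they belong to; the SRV check below has the same problem. Re-indenting them by one level matches the EAI_NONAME branch just above and the rest of the ISC style in this file. checkmx starts and ends outside this hunk.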
@@ -405,10 +498,14 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
- dns_zone_log(zone, level,
- "%s/SRV '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_IS_SRVCNAME)) {
+ dns_zone_log(zone, level, "%s/SRV '%s'"
+ " (out of zone) is a "
+ "CNAME '%s' (illegal)",
+ ownerbuf, namebuf,
+ cur->ai_canonname);
+ add(namebuf, ERR_IS_SRVCNAME);
+ }
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
@@ -420,16 +517,23 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/SRV '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
- "getaddrinfo(%s) failed: %s",
- namebuf, gai_strerror(result));
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "getaddrinfo(%s) failed: %s",
+ namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
#else
@@ -438,7 +542,7 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
}
isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
isc_log_t *log = NULL;
@@ -450,7 +554,7 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
dns_log_setcontext(log);
cfg_log_init(log);
- destination.file.stream = stdout;
+ destination.file.stream = errout;
destination.file.name = NULL;
destination.file.versions = ISC_LOG_ROLLNEVER;
destination.file.maximum_size = 0;
@@ -534,14 +638,14 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
FILE *output = stdout;
if (debug) {
- if (filename != NULL)
+ if (filename != NULL && strcmp(filename, "-") != 0)
fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
zonename, filename);
else
fprintf(stderr, "dumping \"%s\"\n", zonename);
}
- if (filename != NULL) {
+ if (filename != NULL && strcmp(filename, "-") != 0) {
result = isc_stdio_open(filename, "w+", &output);
if (result != ISC_R_SUCCESS) {
@@ -553,7 +657,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
result = dns_zone_dumptostream2(zone, output, fileformat, style);
- if (filename != NULL)
+ if (output != stdout)
(void)isc_stdio_close(output);
return (result);
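Review bot: The return value of isc_stdio_close() on the output file is still discarded, so a write error that only surfaces when buffered output is flushed at close (the usual place ENOSPC or a quota limit appears) lets dump_zone report ISC_R_SUCCESS for a truncated zone file, and a named-compilezone run would then look successful. Propagating it when the dump itself succeeded is a small change: `if (output != stdout) { isc_result_t r = isc_stdio_close(output); if (result == ISC_R_SUCCESS) result = r; }`. dump_zone starts before this hunk and closes after it.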
diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h
index ef9017f..b0ba7e0 100644
--- a/contrib/bind9/bin/check/check-tool.h
+++ b/contrib/bind9/bin/check/check-tool.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.h,v 1.7.18.4 2005/06/20 01:19:25 marka Exp $ */
+/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
@@ -23,6 +23,7 @@
/*! \file */
#include <isc/lang.h>
+#include <isc/stdio.h>
#include <isc/types.h>
#include <dns/masterdump.h>
@@ -31,7 +32,7 @@
ISC_LANG_BEGINDECLS
isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp);
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8
index 364e6b9..852b133 100644
--- a/contrib/bind9/bin/check/named-checkconf.8
+++ b/contrib/bind9/bin/check/named-checkconf.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkconf.8,v 1.16.18.13 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkconf.8,v 1.30 2007/06/20 02:27:32 marka Exp $
.\"
.hy 0
.ad l
@@ -33,13 +33,18 @@
named\-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkconf\fR [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) [\fB\-z\fR]
+\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) [\fB\-z\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a named configuration file.
.SH "OPTIONS"
.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c
index 96efd79..eba0d93 100644
--- a/contrib/bind9/bin/check/named-checkconf.c
+++ b/contrib/bind9/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkconf.c,v 1.28.18.16 2007/11/26 23:46:18 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */
/*! \file */
@@ -47,6 +47,8 @@
#include "check-tool.h"
+static const char *program = "named-checkconf";
+
isc_log_t *logc = NULL;
#define CHECK(r)\
@@ -59,9 +61,9 @@ isc_log_t *logc = NULL;
/*% usage */
static void
usage(void) {
- fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
- "[named.conf]\n");
- exit(1);
+ fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
+ "[named.conf]\n", program);
+ exit(1);
}
/*% directory callback */
@@ -171,9 +173,9 @@ configure_zone(const char *vclass, const char *view,
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
classobj = cfg_tuple_get(zconfig, "class");
- if (!cfg_obj_isstring(classobj))
- zclass = vclass;
- else
+ if (!cfg_obj_isstring(classobj))
+ zclass = vclass;
+ else
zclass = cfg_obj_asstring(classobj);
zoptions = cfg_tuple_get(zconfig, "options");
@@ -192,9 +194,9 @@ configure_zone(const char *vclass, const char *view,
return (ISC_R_FAILURE);
if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
return (ISC_R_SUCCESS);
- cfg_map_get(zoptions, "database", &dbobj);
- if (dbobj != NULL)
- return (ISC_R_SUCCESS);
+ cfg_map_get(zoptions, "database", &dbobj);
+ if (dbobj != NULL)
+ return (ISC_R_SUCCESS);
cfg_map_get(zoptions, "file", &fileobj);
if (fileobj == NULL)
return (ISC_R_FAILURE);
@@ -285,8 +287,8 @@ configure_zone(const char *vclass, const char *view,
} else
INSIST(0);
} else {
- zone_options |= DNS_ZONEOPT_CHECKNAMES;
- zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+ zone_options |= DNS_ZONEOPT_CHECKNAMES;
+ zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
}
masterformat = dns_masterformat_text;
@@ -397,8 +399,10 @@ main(int argc, char **argv) {
int exit_status = 0;
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
-
- while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
switch (c) {
case 'd':
debug++;
@@ -415,12 +419,6 @@ main(int argc, char **argv) {
isc_result_totext(result));
exit(1);
}
- result = isc_dir_chdir("/");
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s\n",
- isc_result_totext(result));
- exit(1);
- }
break;
case 'v':
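Review bot: The explicit `isc_dir_chdir("/")` after isc_dir_chroot() is removed, so with -t the process keeps the working directory it had before the chroot unless isc_dir_chroot() itself now changes directory, which this diff does not show (lib/isc is outside contrib/bind9/bin). A chroot whose cwd remains outside the new root is the classic way for relative paths to resolve to files the -t directory was meant to hide, so this should be confirmed against the imported lib/isc/unix/dir.c before merging. If the library does chdir, a comment such as `/* isc_dir_chroot() also changes directory to "/" */` on the chroot call would stop a later reader from re-adding the call. main() starts before this hunk and continues past it.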
@@ -434,11 +432,22 @@ main(int argc, char **argv) {
dochecksrv = ISC_FALSE;
break;
- default:
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ case 'h':
usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
+ if (isc_commandline_index + 1 < argc)
+ usage();
if (argv[isc_commandline_index] != NULL)
conffile = argv[isc_commandline_index];
if (conffile == NULL || conffile[0] == '\0')
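Review bot: `case '?':` falls into `case 'h':` deliberately (usage() exits), but nothing marks it, and the `default:` label after it is only reachable for a letter that is in the getopt string yet has no case of its own. A `/* FALLTHROUGH */` line before `case 'h':` documents the intent, and a comment on `default:` such as `/* an option in "dhjt:vz" without a handler: programming error */` would keep the two branches from being "fixed" later. The new `if (isc_commandline_index + 1 < argc) usage();` check silently treats any second positional argument as a usage error; naming the unexpected argument, as the '?' path does for bad options, would be more helpful to the operator. The switch and main() start before this hunk.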
@@ -446,7 +455,7 @@ main(int argc, char **argv) {
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
- RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook
index af7a73d..5359239 100644
--- a/contrib/bind9/bin/check/named-checkconf.docbook
+++ b/contrib/bind9/bin/check/named-checkconf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.8.18.10 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.19 2007/06/19 06:58:03 marka Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@@ -53,6 +53,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>named-checkconf</command>
+ <arg><option>-h</option></arg>
<arg><option>-v</option></arg>
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@@ -74,6 +75,15 @@
<variablelist>
<varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Print the usage summary and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html
index 910df0d..34bec80 100644
--- a/contrib/bind9/bin/check/named-checkconf.html
+++ b/contrib/bind9/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.html,v 1.9.18.20 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.30 2007/06/20 02:27:32 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,18 +29,22 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543383"></a><h2>DESCRIPTION</h2>
+<a name="id2543387"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a named
configuration file.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543395"></a><h2>OPTIONS</h2>
+<a name="id2543399"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Chroot to <code class="filename">directory</code> so that
@@ -70,21 +74,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>RETURN VALUES</h2>
+<a name="id2543507"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543500"></a><h2>SEE ALSO</h2>
+<a name="id2543518"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543530"></a><h2>AUTHOR</h2>
+<a name="id2543548"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8
index bd538ac..5520da3 100644
--- a/contrib/bind9/bin/check/named-checkzone.8
+++ b/contrib/bind9/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkzone.8,v 1.18.18.23 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkzone.8,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,7 +33,7 @@
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown)
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown)
.HP 18
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown)
.SH "DESCRIPTION"
@@ -58,6 +58,11 @@ configuration file.
Enable debugging.
.RE
.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
\-q
.RS 4
Quiet mode \- exit code only.
@@ -77,7 +82,7 @@ When loading the zone file read the journal if it exists.
.PP
\-c \fIclass\fR
.RS 4
-Specify the class of the zone. If not specified "IN" is assumed.
+Specify the class of the zone. If not specified, "IN" is assumed.
.RE
.PP
\-i \fImode\fR
@@ -188,7 +193,11 @@ Specify whether NS records should be checked to see if they are addresses. Possi
\-o \fIfilename\fR
.RS 4
Write zone output to
-\fIfilename\fR. This is mandatory for
+\fIfilename\fR. If
+\fIfilename\fR
+is
+\fI\-\fR
+then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
.RE
.PP
@@ -263,7 +272,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c
index f16053b..e91cbea 100644
--- a/contrib/bind9/bin/check/named-checkzone.c
+++ b/contrib/bind9/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkzone.c,v 1.29.18.21 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: named-checkzone.c,v 1.51.34.2 2009/02/16 23:47:15 tbox Exp $ */
/*! \file */
@@ -106,6 +106,7 @@ main(int argc, char **argv) {
const char *outputformatstr = NULL;
dns_masterformat_t inputformat = dns_masterformat_text;
dns_masterformat_t outputformat = dns_masterformat_text;
+ FILE *errout = stdout;
outputstyle = &dns_master_style_full;
@@ -140,8 +141,10 @@ main(int argc, char **argv) {
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
+ isc_commandline_errprint = ISC_FALSE;
+
while ((c = isc_commandline_parse(argc, argv,
- "c:df:i:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+ "c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
!= EOF) {
switch (c) {
case 'c':
@@ -265,12 +268,6 @@ main(int argc, char **argv) {
isc_result_totext(result));
exit(1);
}
- result = isc_dir_chdir("/");
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s\n",
- isc_result_totext(result));
- exit(1);
- }
break;
case 's':
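Review bot: Dropping the explicit `isc_dir_chdir("/")` after the chroot leaves the process working directory pointing at the pre-chroot cwd unless `isc_dir_chroot()` (called just above this hunk, outside it) now performs the `chdir("/")` itself; a chroot without a chdir into it is the classic way a process keeps a reference outside the jail, and any relative path used afterwards (the zone file argument, an `-o` output name) would then resolve against the old directory. If the library helper was changed to do the chdir in this release, a one-line comment before the `break;` saying so, `/* isc_dir_chroot() also chdir()s to "/" */`, records why the call was removed; otherwise the call should be restored. The enclosing main() begins and ends outside this hunk.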
@@ -343,17 +340,17 @@ main(int argc, char **argv) {
zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
break;
- default:
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ prog_name, isc_commandline_option);
+ case 'h':
usage();
- }
- }
- if (progmode == progmode_compile) {
- dumpzone = 1; /* always dump */
- if (output_filename == NULL) {
- fprintf(stderr,
- "output file required, but not specified\n");
- usage();
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ prog_name, isc_commandline_option);
+ exit(1);
}
}
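Review bot: The `case '?':` branch at the top of this hunk intentionally falls into `case 'h':` so that an unrecognised option prints usage, but nothing marks the fallthrough; a `/* FALLTHROUGH */` comment between the two labels keeps the next reader (and a fallthrough warning) from treating it as a bug. The message wording is also off: `-%c` here is an unrecognised option rather than an argument, and with `isc_commandline_errprint` switched off earlier in this change an option that is missing its argument will presumably arrive here too and be reported the same way, so `"%s: invalid option -%c\n"` describes both cases better. main() starts and ends outside this hunk.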
@@ -390,12 +387,36 @@ main(int argc, char **argv) {
}
}
- if (isc_commandline_index + 2 > argc)
+ if (progmode == progmode_compile) {
+ dumpzone = 1; /* always dump */
+ if (output_filename == NULL) {
+ fprintf(stderr,
+ "output file required, but not specified\n");
+ usage();
+ }
+ }
+
+ if (output_filename != NULL)
+ dumpzone = 1;
+
+ /*
+ * If we are outputing to stdout then send the informational
+ * output to stderr.
+ */
+ if (dumpzone &&
+ (output_filename == NULL ||
+ strcmp(output_filename, "-") == 0 ||
+ strcmp(output_filename, "/dev/fd/1") == 0 ||
+ strcmp(output_filename, "/dev/stdout") == 0))
+ errout = stderr;
+
+ if (isc_commandline_index + 2 != argc)
usage();
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
if (!quiet)
- RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
+ == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
== ISC_R_SUCCESS);
@@ -409,17 +430,17 @@ main(int argc, char **argv) {
if (result == ISC_R_SUCCESS && dumpzone) {
if (!quiet && progmode == progmode_compile) {
- fprintf(stdout, "dump zone to %s...", output_filename);
- fflush(stdout);
+ fprintf(errout, "dump zone to %s...", output_filename);
+ fflush(errout);
}
result = dump_zone(origin, zone, output_filename,
outputformat, outputstyle);
if (!quiet && progmode == progmode_compile)
- fprintf(stdout, "done\n");
+ fprintf(errout, "done\n");
}
if (!quiet && result == ISC_R_SUCCESS)
- fprintf(stdout, "OK\n");
+ fprintf(errout, "OK\n");
destroy();
if (lctx != NULL)
isc_log_destroy(&lctx);
diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook
index 11b85ef..d863447 100644
--- a/contrib/bind9/bin/check/named-checkzone.docbook
+++ b/contrib/bind9/bin/check/named-checkzone.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.docbook,v 1.11.18.21 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.34.334.2 2009/01/22 23:47:04 tbox Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
@@ -36,6 +36,7 @@
<year>2005</year>
<year>2006</year>
<year>2007</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -56,6 +57,7 @@
<cmdsynopsis>
<command>named-checkzone</command>
<arg><option>-d</option></arg>
+ <arg><option>-h</option></arg>
<arg><option>-j</option></arg>
<arg><option>-q</option></arg>
<arg><option>-v</option></arg>
@@ -137,6 +139,15 @@
</varlistentry>
<varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Print the usage summary and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-q</term>
<listitem>
<para>
@@ -168,7 +179,7 @@
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
- Specify the class of the zone. If not specified "IN" is assumed.
+ Specify the class of the zone. If not specified, "IN" is assumed.
</para>
</listitem>
</varlistentry>
@@ -301,6 +312,8 @@
<listitem>
<para>
Write zone output to <filename>filename</filename>.
+ If <filename>filename</filename> is <filename>-</filename> then
+ write to standard out.
This is mandatory for <command>named-compilezone</command>.
</para>
</listitem>
diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html
index 0e1015d..71dc445 100644
--- a/contrib/bind9/bin/check/named-checkzone.html
+++ b/contrib/bind9/bin/check/named-checkzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.html,v 1.11.18.30 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,11 +29,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543665"></a><h2>DESCRIPTION</h2>
+<a name="id2543672"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,12 +53,16 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543700"></a><h2>OPTIONS</h2>
+<a name="id2543707"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
Enable debugging.
</p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode - exit code only.
@@ -74,7 +78,7 @@
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
- Specify the class of the zone. If not specified "IN" is assumed.
+ Specify the class of the zone. If not specified, "IN" is assumed.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
@@ -169,6 +173,8 @@
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
Write zone output to <code class="filename">filename</code>.
+ If <code class="filename">filename</code> is <code class="filename">-</code> then
+ write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
@@ -233,14 +239,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544299"></a><h2>RETURN VALUES</h2>
+<a name="id2544328"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544311"></a><h2>SEE ALSO</h2>
+<a name="id2544340"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -248,7 +254,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544344"></a><h2>AUTHOR</h2>
+<a name="id2544373"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in
index 836b7f2..bc9d34f 100644
--- a/contrib/bind9/bin/dig/Makefile.in
+++ b/contrib/bind9/bin/dig/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.33.18.6 2005/09/09 14:11:04 marka Exp $
+# $Id: Makefile.in,v 1.41 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1
index c9df21e..f7f4370 100644
--- a/contrib/bind9/bin/dig/dig.1
+++ b/contrib/bind9/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dig.1,v 1.23.18.24 2008/10/14 01:30:11 tbox Exp $
+.\" $Id: dig.1,v 1.50.44.2 2009/02/03 01:52:10 tbox Exp $
.\"
.hy 0
.ad l
@@ -291,7 +291,7 @@ A synonym for
.PP
\fB+[no]adflag\fR
.RS 4
-Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
+Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range. AD=0 indicate that some part of the answer was insecure or not validated.
.RE
.PP
\fB+[no]cdflag\fR
@@ -480,7 +480,7 @@ Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
Specifies a file containing trusted keys to be used with
\fB+sigchase\fR. Each DNSKEY record must be on its own line.
.sp
-If not specified
+If not specified,
\fBdig\fR
will look for
\fI/etc/trusted\-key.key\fR
@@ -495,6 +495,11 @@ Requires dig be compiled with \-DDIG_SIGCHASE.
.RS 4
When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
.RE
+.PP
+\fB+[no]nsid\fR
+.RS 4
+Include an EDNS name server ID request when sending a query.
+.RE
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of
@@ -557,7 +562,7 @@ RFC1035.
.PP
There are probably too many query options.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c
index 5cde9c4..f740a1d 100644
--- a/contrib/bind9/bin/dig/dig.c
+++ b/contrib/bind9/bin/dig/dig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.c,v 1.186.18.33 2008/10/15 02:19:18 marka Exp $ */
+/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */
/*! \file */
@@ -111,6 +111,24 @@ static const char * const rcodetext[] = {
"BADVERS"
};
+/*% safe rcodetext[] */
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
/*% print usage */
static void
print_usage(FILE *fp) {
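Review bot: `rcode_totext` launders away `const` through a union only so it can return `char *`, yet its sole visible caller in this change passes the result to `printf("%s")`, so a `const char *` return type removes the union and keeps the string table read-only at the type level; the `"?%u"` conversion should also receive an explicit `(unsigned int)rcode` rather than the promoted `dns_rcode_t`. The bounds check against `rcodetext` is the part that matters and must stay — the old `rcodetext[msg->rcode]` indexing had no guard for extended rcodes outside the table. The fallback buffer is static, so the returned pointer is only valid until the next call; worth a comment at the declaration.
```c
/*% safe rcodetext[] */
static const char *
rcode_totext(dns_rcode_t rcode)
{
	/* Fallback for rcodes beyond the table; static, so valid only until the next call. */
	static char buf[sizeof("?65535")];

	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
		snprintf(buf, sizeof(buf), "?%u", (unsigned int)rcode);
		return buf;
	}
	return rcodetext[rcode];
}
```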
@@ -195,6 +213,7 @@ help(void) {
" +[no]identify (ID responders in short answers)\n"
" +[no]trace (Trace delegation down from root)\n"
" +[no]dnssec (Request DNSSEC records)\n"
+" +[no]nsid (Request Name Server ID)\n"
#ifdef DIG_SIGCHASE
" +[no]sigchase (Chase DNSSEC signatures)\n"
" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n"
@@ -468,7 +487,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (headers) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, "
"id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
+ opcodetext[msg->opcode],
+ rcode_totext(msg->rcode),
msg->id);
printf(";; flags:");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
@@ -640,9 +660,9 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
}
if (first) {
snprintf(append, sizeof(append),
- ";; global options: %s %s\n",
- short_form ? "short_form" : "",
- printcmd ? "printcmd" : "");
+ ";; global options:%s%s\n",
+ short_form ? " +short" : "",
+ printcmd ? " +cmd" : "");
first = ISC_FALSE;
remaining = sizeof(lookup->cmdline) -
strlen(lookup->cmdline) - 1;
@@ -800,7 +820,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
switch (cmd[1]) {
case 'e': /* defname */
FULLCHECK("defname");
- usesearch = state;
+ if (!lookup->trace) {
+ usesearch = state;
+ }
break;
case 'n': /* dnssec */
FULLCHECK("dnssec");
@@ -842,7 +864,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->identify = state;
break;
case 'g': /* ignore */
- default: /* Inherets default for compatibility */
+ default: /* Inherits default for compatibility */
FULLCHECK("ignore");
lookup->ignore = ISC_TRUE;
}
@@ -861,21 +883,33 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto invalid_option;
ndots = parse_uint(value, "ndots", MAXNDOTS);
break;
- case 's': /* nssearch */
- FULLCHECK("nssearch");
- lookup->ns_search_only = state;
- if (state) {
- lookup->trace_root = ISC_TRUE;
- lookup->recurse = ISC_TRUE;
- lookup->identify = ISC_TRUE;
- lookup->stats = ISC_FALSE;
- lookup->comments = ISC_FALSE;
- lookup->section_additional = ISC_FALSE;
- lookup->section_authority = ISC_FALSE;
- lookup->section_question = ISC_FALSE;
- lookup->rdtype = dns_rdatatype_ns;
- lookup->rdtypeset = ISC_TRUE;
- short_form = ISC_TRUE;
+ case 's':
+ switch (cmd[2]) {
+ case 'i': /* nsid */
+ FULLCHECK("nsid");
+ if (state && lookup->edns == -1)
+ lookup->edns = 0;
+ lookup->nsid = state;
+ break;
+ case 's': /* nssearch */
+ FULLCHECK("nssearch");
+ lookup->ns_search_only = state;
+ if (state) {
+ lookup->trace_root = ISC_TRUE;
+ lookup->recurse = ISC_TRUE;
+ lookup->identify = ISC_TRUE;
+ lookup->stats = ISC_FALSE;
+ lookup->comments = ISC_FALSE;
+ lookup->section_additional = ISC_FALSE;
+ lookup->section_authority = ISC_FALSE;
+ lookup->section_question = ISC_FALSE;
+ lookup->rdtype = dns_rdatatype_ns;
+ lookup->rdtypeset = ISC_TRUE;
+ short_form = ISC_TRUE;
+ }
+ break;
+ default:
+ goto invalid_option;
}
break;
default:
@@ -928,7 +962,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
switch (cmd[1]) {
case 'e': /* search */
FULLCHECK("search");
- usesearch = state;
+ if (!lookup->trace) {
+ usesearch = state;
+ }
break;
case 'h':
if (cmd[2] != 'o')
@@ -949,8 +985,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
break;
case 'w': /* showsearch */
FULLCHECK("showsearch");
- showsearch = state;
- usesearch = state;
+ if (!lookup->trace) {
+ showsearch = state;
+ usesearch = state;
+ }
break;
default:
goto invalid_option;
@@ -1009,6 +1047,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->section_additional = ISC_FALSE;
lookup->section_authority = ISC_TRUE;
lookup->section_question = ISC_FALSE;
+ usesearch = ISC_FALSE;
}
break;
case 'i': /* tries */
@@ -1254,6 +1293,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
MAXSERIAL);
(*lookup)->section_question = plusquest;
(*lookup)->comments = pluscomm;
+ (*lookup)->tcp_mode = ISC_TRUE;
} else {
(*lookup)->rdtype = rdtype;
(*lookup)->rdtypeset = ISC_TRUE;
@@ -1594,6 +1634,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
lookup->section_question =
plusquest;
lookup->comments = pluscomm;
+ lookup->tcp_mode = ISC_TRUE;
} else {
lookup->rdtype = rdtype;
lookup->rdtypeset = ISC_TRUE;
diff --git a/contrib/bind9/bin/dig/dig.docbook b/contrib/bind9/bin/dig/dig.docbook
index 92be180..f987465b 100644
--- a/contrib/bind9/bin/dig/dig.docbook
+++ b/contrib/bind9/bin/dig/dig.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.docbook,v 1.17.18.24 2008/10/14 00:54:40 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.42.44.3 2009/02/02 04:42:48 marka Exp $ -->
<refentry id="man.dig">
<refentryinfo>
@@ -43,6 +43,7 @@
<year>2006</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -449,17 +450,19 @@
<varlistentry>
<term><option>+[no]adflag</option></term>
- <listitem>
- <para>
- Set [do not set] the AD (authentic data) bit in the query. The
- AD bit
- currently has a standard meaning only in responses, not in
- queries,
- but the ability to set the bit in the query is provided for
- completeness.
- </para>
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ Set [do not set] the AD (authentic data) bit in the
+ query. This requests the server to return whether
+ all of the answer and authority sections have all
+ been validated as secure according to the security
+ policy of the server. AD=1 indicates that all records
+ have been validated as secure and the answer is not
+ from a OPT-OUT range. AD=0 indicate that some part
+ of the answer was insecure or not validated.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>+[no]cdflag</option></term>
@@ -816,7 +819,7 @@
on its own line.
</para>
<para>
- If not specified <command>dig</command> will look for
+ If not specified, <command>dig</command> will look for
<filename>/etc/trusted-key.key</filename> then
<filename>trusted-key.key</filename> in the current directory.
</para>
@@ -837,6 +840,14 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>+[no]nsid</option></term>
+ <listitem>
+ <para>
+ Include an EDNS name server ID request when sending a query.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
diff --git a/contrib/bind9/bin/dig/dig.html b/contrib/bind9/bin/dig/dig.html
index a8c4594..11b55cc 100644
--- a/contrib/bind9/bin/dig/dig.html
+++ b/contrib/bind9/bin/dig/dig.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.html,v 1.13.18.30 2008/10/14 01:30:11 tbox Exp $ -->
+<!-- $Id: dig.html,v 1.45.44.2 2009/02/03 01:52:10 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543515"></a><h2>DESCRIPTION</h2>
+<a name="id2543518"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -80,7 +80,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543589"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543592"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -126,7 +126,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543680"></a><h2>OPTIONS</h2>
+<a name="id2543683"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -230,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544028"></a><h2>QUERY OPTIONS</h2>
+<a name="id2544032"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -308,13 +308,15 @@
</p></dd>
<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
<dd><p>
- Set [do not set] the AD (authentic data) bit in the query. The
- AD bit
- currently has a standard meaning only in responses, not in
- queries,
- but the ability to set the bit in the query is provided for
- completeness.
- </p></dd>
+ Set [do not set] the AD (authentic data) bit in the
+ query. This requests the server to return whether
+ all of the answer and authority sections have all
+ been validated as secure according to the security
+ policy of the server. AD=1 indicates that all records
+ have been validated as secure and the answer is not
+ from a OPT-OUT range. AD=0 indicate that some part
+ of the answer was insecure or not validated.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
Set [do not set] the CD (checking disabled) bit in the query.
@@ -529,7 +531,7 @@
on its own line.
</p>
<p>
- If not specified <span><strong class="command">dig</strong></span> will look for
+ If not specified, <span><strong class="command">dig</strong></span> will look for
<code class="filename">/etc/trusted-key.key</code> then
<code class="filename">trusted-key.key</code> in the current directory.
</p>
@@ -543,13 +545,17 @@
validation.
Requires dig be compiled with -DDIG_SIGCHASE.
</p></dd>
+<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
+<dd><p>
+ Include an EDNS name server ID request when sending a query.
+ </p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545149"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545166"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -595,7 +601,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545211"></a><h2>IDN SUPPORT</h2>
+<a name="id2545228"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -609,14 +615,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545234"></a><h2>FILES</h2>
+<a name="id2545251"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545251"></a><h2>SEE ALSO</h2>
+<a name="id2545336"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -624,7 +630,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545356"></a><h2>BUGS</h2>
+<a name="id2545373"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/contrib/bind9/bin/dig/dighost.c b/contrib/bind9/bin/dig/dighost.c
index 8736c0c..470261c 100644
--- a/contrib/bind9/bin/dig/dighost.c
+++ b/contrib/bind9/bin/dig/dighost.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dighost.c,v 1.259.18.49 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: dighost.c,v 1.311.70.8 2009/02/25 02:39:21 marka Exp $ */
/*! \file
* \note
@@ -583,6 +583,11 @@ copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
for (i = 0; i < confdata->nsnext; i++) {
af = addr2af(confdata->nameservers[i].family);
+ if (af == AF_INET && !have_ipv4)
+ continue;
+ if (af == AF_INET6 && !have_ipv6)
+ continue;
+
lwres_net_ntop(af, confdata->nameservers[i].address,
tmp, sizeof(tmp));
newsrv = make_server(tmp, tmp);
@@ -724,6 +729,7 @@ make_empty_lookup(void) {
looknew->servfail_stops = ISC_TRUE;
looknew->besteffort = ISC_TRUE;
looknew->dnssec = ISC_FALSE;
+ looknew->nsid = ISC_FALSE;
#ifdef DIG_SIGCHASE
looknew->sigchase = ISC_FALSE;
#if DIG_SIGCHASE_TD
@@ -770,7 +776,7 @@ make_empty_lookup(void) {
* the query list, since it will be regenerated by the setup_lookup()
* function, nor does it queue up the new lookup for processing.
* Caution: If you don't clone the servers, you MUST clone the server
- * list seperately from somewhere else, or construct it by hand.
+ * list separately from somewhere else, or construct it by hand.
*/
dig_lookup_t *
clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
@@ -803,6 +809,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew->servfail_stops = lookold->servfail_stops;
looknew->besteffort = lookold->besteffort;
looknew->dnssec = lookold->dnssec;
+ looknew->nsid = lookold->nsid;
#ifdef DIG_SIGCHASE
looknew->sigchase = lookold->sigchase;
#if DIG_SIGCHASE_TD
@@ -1004,10 +1011,18 @@ void
setup_system(void) {
dig_searchlist_t *domain = NULL;
lwres_result_t lwresult;
+ unsigned int lwresflags;
debug("setup_system()");
- lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+ lwresflags = LWRES_CONTEXT_SERVERMODE;
+ if (have_ipv4)
+ lwresflags |= LWRES_CONTEXT_USEIPV4;
+ if (have_ipv6)
+ lwresflags |= LWRES_CONTEXT_USEIPV6;
+
+ lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free,
+ lwresflags);
if (lwresult != LWRES_R_SUCCESS)
fatal("lwres_context_create failed");
@@ -1033,8 +1048,10 @@ setup_system(void) {
debug("ndots is %d.", ndots);
}
+ copy_server_list(lwconf, &server_list);
+
/* If we don't find a nameserver fall back to localhost */
- if (lwconf->nsnext == 0) {
+ if (ISC_LIST_EMPTY(server_list)) {
if (have_ipv4) {
lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
if (lwresult != ISC_R_SUCCESS)
@@ -1045,10 +1062,9 @@ setup_system(void) {
if (lwresult != ISC_R_SUCCESS)
fatal("add_nameserver failed");
}
- }
- if (ISC_LIST_EMPTY(server_list))
copy_server_list(lwconf, &server_list);
+ }
#ifdef WITH_IDN
initialize_idn();
@@ -1155,11 +1171,11 @@ setup_libs(void) {
/*%
* Add EDNS0 option record to a message. Currently, the only supported
- * options are UDP buffer size and the DO bit.
+ * options are UDP buffer size, the DO bit, and NSID request.
*/
static void
add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
- isc_boolean_t dnssec)
+ isc_boolean_t dnssec, isc_boolean_t nsid)
{
dns_rdataset_t *rdataset = NULL;
dns_rdatalist_t *rdatalist = NULL;
@@ -1182,8 +1198,19 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
rdatalist->ttl = edns << 16;
if (dnssec)
rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
- rdata->data = NULL;
- rdata->length = 0;
+ if (nsid) {
+ unsigned char data[4];
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, data, sizeof(data));
+ isc_buffer_putuint16(&buf, DNS_OPT_NSID);
+ isc_buffer_putuint16(&buf, 0);
+ rdata->data = data;
+ rdata->length = sizeof(data);
+ } else {
+ rdata->data = NULL;
+ rdata->length = 0;
+ }
ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
dns_rdatalist_tordataset(rdatalist, rdataset);
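Review bot: `rdata->data = data;` stores a pointer to `data`, which is declared inside the `if (nsid)` block and whose lifetime ends at the closing brace, yet the rdata is attached to the message on the following lines and is only rendered after add_opt has returned (setup_lookup calls add_opt and then dns_message_rendersection), so the NSID OPT RDATA is read from dead stack storage. Because the four bytes are constant (option code DNS_OPT_NSID, length 0) and dig runs its lookups on one task, the minimal change is `static unsigned char data[4];`; a cleaner one is to allocate the buffer from mctx and let the message own it, if the message API in this tree supports taking over a buffer. add_opt's body starts outside the hunk.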
@@ -1387,7 +1414,7 @@ start_lookup(void) {
key_name) == ISC_TRUE)
trustedkey = tk_list.key[i];
/*
- * Verifier que la temp est bien la plus basse
+ * Verify temp is really the lowest
* WARNING
*/
}
@@ -1848,7 +1875,7 @@ setup_lookup(dig_lookup_t *lookup) {
&lookup->name);
dns_message_puttempname(lookup->sendmsg,
&lookup->oname);
- fatal("Origin '%s' is not in legal name syntax (%s)",
+ fatal("'%s' is not in legal name syntax (%s)",
lookup->origin->origin,
isc_result_totext(result));
}
@@ -1953,12 +1980,15 @@ setup_lookup(dig_lookup_t *lookup) {
if ((lookup->rdtype == dns_rdatatype_axfr) ||
(lookup->rdtype == dns_rdatatype_ixfr)) {
- lookup->doing_xfr = ISC_TRUE;
/*
- * Force TCP mode if we're doing an xfr.
- * XXX UDP ixfr's would be useful
+ * Force TCP mode if we're doing an axfr.
*/
- lookup->tcp_mode = ISC_TRUE;
+ if (lookup->rdtype == dns_rdatatype_axfr) {
+ lookup->doing_xfr = ISC_TRUE;
+ lookup->tcp_mode = ISC_TRUE;
+ } else if (lookup->tcp_mode) {
+ lookup->doing_xfr = ISC_TRUE;
+ }
}
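Review bot: The rewritten comment now only mentions AXFR, but the branch it introduces also decides what happens to IXFR: `doing_xfr` is set for IXFR only when `tcp_mode` was already requested, and an IXFR over UDP is left to be processed as an ordinary response. That asymmetry is the point of the change and deserves a line, e.g. `/* AXFR always forces TCP; IXFR counts as a zone transfer only when TCP was requested, a UDP IXFR is handled as a normal response. */`. setup_lookup's body continues on both sides of the hunk.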
add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
@@ -1995,7 +2025,7 @@ setup_lookup(dig_lookup_t *lookup) {
if (lookup->edns < 0)
lookup->edns = 0;
add_opt(lookup->sendmsg, lookup->udpsize,
- lookup->edns, lookup->dnssec);
+ lookup->edns, lookup->dnssec, lookup->nsid);
}
result = dns_message_rendersection(lookup->sendmsg,
@@ -2175,6 +2205,21 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
}
static void
+force_timeout(dig_lookup_t *l, dig_query_t *query) {
+ isc_event_t *event;
+
+ event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
+ connect_timeout, l,
+ sizeof(isc_event_t));
+ if (event == NULL) {
+ fatal("isc_event_allocate: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ }
+ isc_task_send(global_task, &event);
+}
+
+
+static void
connect_done(isc_task_t *task, isc_event_t *event);
/*%
@@ -2193,7 +2238,16 @@ send_tcp_connect(dig_query_t *query) {
l = query->lookup;
query->waiting_connect = ISC_TRUE;
query->lookup->current_query = query;
- get_address(query->servname, port, &query->sockaddr);
+ result = get_address(query->servname, port, &query->sockaddr);
+ if (result == ISC_R_NOTFOUND) {
+ /*
+ * This servname doesn't have an address. Try the next server
+ * by triggering an immediate 'timeout' (we lie, but the effect
+ * is the same).
+ */
+ force_timeout(l, query);
+ return;
+ }
if (specified_source &&
(isc_sockaddr_pf(&query->sockaddr) !=
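Review bot: Only ISC_R_NOTFOUND is handled after `result = get_address(...)`, but get_address (hunk at -3228) now returns every failure of bind9_getaddresses where it previously called fatal() for any of them, so any other result falls through to the code below with `query->sockaddr` presumably never filled in. The same pattern is in send_udp (hunk at -2266). Either widen the test to `if (result != ISC_R_SUCCESS) {` so every failure skips to the next server, or keep the old behaviour for unexpected results by adding `check_result(result, "get_address");` right after the `if` block. send_tcp_connect's body continues outside the hunk.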
@@ -2266,7 +2320,12 @@ send_udp(dig_query_t *query) {
if (!query->recv_made) {
/* XXX Check the sense of this, need assertion? */
query->waiting_connect = ISC_FALSE;
- get_address(query->servname, port, &query->sockaddr);
+ result = get_address(query->servname, port, &query->sockaddr);
+ if (result == ISC_R_NOTFOUND) {
+ /* This servname doesn't have an address. */
+ force_timeout(l, query);
+ return;
+ }
result = isc_socket_create(socketmgr,
isc_sockaddr_pf(&query->sockaddr),
@@ -2337,8 +2396,14 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
cq = query->lookup->current_query;
if (!l->tcp_mode)
send_udp(ISC_LIST_NEXT(cq, link));
- else
+ else {
+ isc_socket_cancel(query->sock, NULL,
+ ISC_SOCKCANCEL_ALL);
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ debug("sockcount=%d", sockcount);
send_tcp_connect(ISC_LIST_NEXT(cq, link));
+ }
UNLOCK_LOOKUP;
return;
}
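Review bot: The new `else` branch calls `isc_socket_cancel(query->sock, ...)` and `isc_socket_detach(&query->sock)` unconditionally, but connect_timeout is now also reached through force_timeout from send_tcp_connect (hunk at -2193), which fires before that function has created a socket for the query, so on that path `query->sock` is presumably still NULL and the cancel/detach would fail their validity checks. Guard the socket teardown on `query->sock != NULL` and still advance to the next server. connect_timeout's body starts outside the hunk.
```c
		else {
			/* query->sock is still NULL when a forced timeout
			 * fired before send_tcp_connect created the socket. */
			if (query->sock != NULL) {
				isc_socket_cancel(query->sock, NULL,
						  ISC_SOCKCANCEL_ALL);
				isc_socket_detach(&query->sock);
				sockcount--;
				debug("sockcount=%d", sockcount);
			}
			send_tcp_connect(ISC_LIST_NEXT(cq, link));
		}
```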
@@ -2892,18 +2957,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0)
printf(";; Warning: query response not set\n");
- if (!match) {
- isc_buffer_invalidate(&query->recvbuf);
- isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
- ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
- result = isc_socket_recvv(query->sock, &query->recvlist, 1,
- global_task, recv_done, query);
- check_result(result, "isc_socket_recvv");
- recvcount++;
- isc_event_free(&event);
- UNLOCK_LOOKUP;
- return;
- }
+ if (!match)
+ goto udp_mismatch;
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
check_result(result, "dns_message_create");
@@ -2958,6 +3013,52 @@ recv_done(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
return;
}
+ if (msg->counts[DNS_SECTION_QUESTION] != 0) {
+ match = ISC_TRUE;
+ for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+ result == ISC_R_SUCCESS && match;
+ result = dns_message_nextname(msg, DNS_SECTION_QUESTION)) {
+ dns_name_t *name = NULL;
+ dns_rdataset_t *rdataset;
+
+ dns_message_currentname(msg, DNS_SECTION_QUESTION,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (l->rdtype != rdataset->type ||
+ l->rdclass != rdataset->rdclass ||
+ !dns_name_equal(l->name, name)) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+ dns_name_format(name, namestr,
+ sizeof(namestr));
+ dns_rdatatype_format(rdataset->type,
+ typebuf,
+ sizeof(typebuf));
+ dns_rdataclass_format(rdataset->rdclass,
+ classbuf,
+ sizeof(classbuf));
+ printf(";; Question section mismatch: "
+ "got %s/%s/%s\n",
+ namestr, typebuf, classbuf);
+ match = ISC_FALSE;
+ }
+ }
+ }
+ if (!match) {
+ dns_message_destroy(&msg);
+ if (l->tcp_mode) {
+ isc_event_free(&event);
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ } else
+ goto udp_mismatch;
+ }
+ }
if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 &&
!l->ignore && !l->tcp_mode) {
printf(";; Truncated, retrying in TCP mode.\n");
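Review bot: The new question-section comparison has no comment saying what it is for, although it is the one place where a reply that matched on ID and address is still rejected because it does not echo the name, type and class that were asked. A header line before `if (msg->counts[DNS_SECTION_QUESTION] != 0) {` such as `/* A reply that matched on id/port but whose question section is not the one we sent is not our answer: over UDP re-arm the receive and keep waiting (udp_mismatch), over TCP drop this query and move on. */` would make the two exit paths understandable. The mismatch message prints only what was received; printing the expected triple next to it would make the diagnostic usable. recv_done's body continues on both sides of the hunk.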
@@ -3212,6 +3313,19 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
isc_event_free(&event);
UNLOCK_LOOKUP;
+ return;
+
+ udp_mismatch:
+ isc_buffer_invalidate(&query->recvbuf);
+ isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+ ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+ result = isc_socket_recvv(query->sock, &query->recvlist, 1,
+ global_task, recv_done, query);
+ check_result(result, "isc_socket_recvv");
+ recvcount++;
+ isc_event_free(&event);
+ UNLOCK_LOOKUP;
+ return;
}
/*%
@@ -3219,7 +3333,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
* used in looking up server names, etc... and needs to use system-supplied
* routines, since they may be using a non-DNS system for these lookups.
*/
-void
+isc_result_t
get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
int count;
isc_result_t result;
@@ -3228,9 +3342,11 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
result = bind9_getaddresses(host, port, sockaddr, 1, &count);
isc_app_unblock();
if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- host, isc_result_totext(result));
+ return (result);
+
INSIST(count == 1);
+
+ return (ISC_R_SUCCESS);
}
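Review bot: get_address now has a return value, but the function comment above it (starting outside the hunk) still describes only that it uses system-supplied resolution routines and says nothing about the new contract. Document it, e.g. `Returns ISC_R_SUCCESS with *sockaddr filled in, otherwise the result of bind9_getaddresses (ISC_R_NOTFOUND when 'host' has no address), in which case callers must not use *sockaddr.` since the two callers added in this commit only test for ISC_R_NOTFOUND.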
/*%
@@ -3284,7 +3400,7 @@ cancel_all(void) {
isc_timer_detach(&current_lookup->timer);
q = ISC_LIST_HEAD(current_lookup->q);
while (q != NULL) {
- debug("cancelling query %p, belonging to %p",
+ debug("canceling query %p, belonging to %p",
q, current_lookup);
nq = ISC_LIST_NEXT(q, link);
if (q->sock != NULL) {
@@ -3600,7 +3716,7 @@ dns_rdataset_t *
search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
dns_rdataset_t *rdataset;
dns_rdata_sig_t siginfo;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
isc_result_t result;
for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
@@ -3610,7 +3726,6 @@ search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
return (rdataset);
} else if ((type == dns_rdatatype_rrsig) &&
(rdataset->type == dns_rdatatype_rrsig)) {
- dns_rdata_init(&sigrdata);
result = dns_rdataset_first(rdataset);
check_result(result, "empty rdataset");
dns_rdataset_current(rdataset, &sigrdata);
@@ -4133,7 +4248,7 @@ isc_result_t
grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
{
isc_result_t result;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
result = dns_rdataset_first(sigrdataset);
@@ -4153,6 +4268,7 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
}
dns_rdata_freestruct(&siginfo);
+ dns_rdata_reset(&sigrdata);
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
@@ -4239,7 +4355,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t rdata;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *trustedKey = NULL;
dst_key_t *dnsseckey = NULL;
int i;
@@ -4249,7 +4365,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
result = dns_rdataset_first(rdataset);
check_result(result, "empty rdataset");
- dns_rdata_init(&rdata);
do {
dns_rdataset_current(rdataset, &rdata);
@@ -4299,7 +4414,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t keyrdata;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
dst_key_t *dnsseckey = NULL;
result = dns_rdataset_first(keyrdataset);
@@ -4322,6 +4437,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
return (ISC_R_SUCCESS);
}
dst_key_free(&dnsseckey);
+ dns_rdata_reset(&keyrdata);
} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&keyrdata);
@@ -4335,7 +4451,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
result = dns_rdataset_first(sigrdataset);
@@ -4373,6 +4489,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
}
}
dns_rdata_freestruct(&siginfo);
+ dns_rdata_reset(&sigrdata);
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
@@ -4387,25 +4504,23 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t keyrdata;
- dns_rdata_t newdsrdata;
- dns_rdata_t dsrdata;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t dsinfo;
dst_key_t *dnsseckey = NULL;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
result = dns_rdataset_first(dsrdataset);
check_result(result, "empty DSset dataset");
- dns_rdata_init(&dsrdata);
do {
dns_rdataset_current(dsrdataset, &dsrdata);
result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
- check_result(result, "dns_rdata_tostruct for DS");
+ check_result(result, "dns_rdata_tostruct for DS");
result = dns_rdataset_first(keyrdataset);
check_result(result, "empty KEY dataset");
- dns_rdata_init(&keyrdata);
do {
dns_rdataset_current(keyrdataset, &keyrdata);
@@ -4420,7 +4535,6 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
* id of DNSKEY referenced by the DS
*/
if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
- dns_rdata_init(&newdsrdata);
result = dns_ds_buildrdata(name, &keyrdata,
dsinfo.digest_type,
@@ -4468,14 +4582,16 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdata_reset(&newdsrdata);
}
dst_key_free(&dnsseckey);
+ dns_rdata_reset(&keyrdata);
dnsseckey = NULL;
} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&keyrdata);
+ dns_rdata_reset(&dsrdata);
} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
-#if 0
- dns_rdata_reset(&dsrdata); WARNING
-#endif
+
+ dns_rdata_reset(&keyrdata);
+ dns_rdata_reset(&newdsrdata);
+ dns_rdata_reset(&dsrdata);
return (ISC_R_NOTFOUND);
}
@@ -4868,7 +4984,7 @@ getneededrr(dns_message_t *msg)
{
isc_result_t result;
dns_name_t *name = NULL;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
isc_boolean_t true = ISC_TRUE;
@@ -4922,7 +5038,6 @@ getneededrr(dns_message_t *msg)
/* first find the DNSKEY name */
result = dns_rdataset_first(chase_sigrdataset);
check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
dns_rdataset_current(chase_sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
@@ -5300,6 +5415,7 @@ prove_nx_domain(dns_message_t *msg,
}
dns_rdata_freestruct(&nsecstruct);
+ dns_rdata_reset(&nsec);
}
} while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
== ISC_R_SUCCESS);
@@ -5367,7 +5483,7 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
isc_result_t ret;
dns_rdataset_t *nsecset = NULL;
- printf("We want to prove the non-existance of a type of rdata %d"
+ printf("We want to prove the non-existence of a type of rdata %d"
" or of the zone: \n", type);
if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
diff --git a/contrib/bind9/bin/dig/host.1 b/contrib/bind9/bin/dig/host.1
index 9993c0e..eebdad8 100644
--- a/contrib/bind9/bin/dig/host.1
+++ b/contrib/bind9/bin/dig/host.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: host.1,v 1.14.18.16 2008/04/06 01:31:04 tbox Exp $
+.\" $Id: host.1,v 1.29.114.1 2009/01/23 01:53:33 tbox Exp $
.\"
.hy 0
.ad l
@@ -132,7 +132,7 @@ option enables
\fBhost\fR
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
.PP
-By default
+By default,
\fBhost\fR
uses UDP when making queries. The
\fB\-T\fR
@@ -154,7 +154,7 @@ option is used to select the query type.
\fItype\fR
can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
\fBhost\fR
-automatically selects an appropriate query type. By default it looks for A, AAAA, and MX records, but if the
+automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the
\fB\-C\fR
option was given, queries will be made for SOA records, and if
\fIname\fR
@@ -213,7 +213,7 @@ runs.
\fBdig\fR(1),
\fBnamed\fR(8).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c
index 33025d5..9f30206 100644
--- a/contrib/bind9/bin/dig/host.c
+++ b/contrib/bind9/bin/dig/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: host.c,v 1.94.18.19 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: host.c,v 1.116.216.2 2009/05/06 23:47:18 tbox Exp $ */
/*! \file */
@@ -124,6 +124,23 @@ struct rtype rtypes[] = {
{ 0, NULL }
};
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
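Review bot: rcode_totext strips `const` from the `rcodetext` entries through a union only so it can return `char *`, which invites a write through the pointer into string literals; the callers added in this commit pass the result straight to printf `%s`, so returning `const char *` and dropping the union is the right shape. The `%u` conversion is also fed a `dns_rcode_t`; casting it to `unsigned int` keeps the format and argument in agreement. The identical function is added to nslookup.c (hunk at -129), where the same applies provided its callers also only print the result.
```c
static const char *
rcode_totext(dns_rcode_t rcode)
{
	static char buf[sizeof("?65535")];

	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
		snprintf(buf, sizeof(buf), "?%u", (unsigned int)rcode);
		return (buf);
	}
	return (rcodetext[rcode]);
}
```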
static void
show_usage(void) {
fputs(
@@ -270,10 +287,10 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
if (query->lookup->rdtype == dns_rdatatype_axfr &&
!((!list_addresses &&
(list_type == dns_rdatatype_any ||
- rdataset->type == list_type)) ||
+ rdataset->type == list_type)) ||
(list_addresses &&
(rdataset->type == dns_rdatatype_a ||
- rdataset->type == dns_rdatatype_aaaa ||
+ rdataset->type == dns_rdatatype_aaaa ||
rdataset->type == dns_rdatatype_ns ||
rdataset->type == dns_rdatatype_ptr))))
continue;
@@ -377,7 +394,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
- while (i-- > 0) {
+ while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL,
@@ -429,7 +446,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
- rcodetext[msg->rcode]);
+ rcode_totext(msg->rcode));
return (ISC_R_SUCCESS);
}
@@ -451,7 +468,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_aaaa;
- lookup->rdtypeset = ISC_TRUE;
+ lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -462,7 +479,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_mx;
- lookup->rdtypeset = ISC_TRUE;
+ lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -471,7 +488,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (!short_form) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
+ opcodetext[msg->opcode], rcode_totext(msg->rcode),
msg->id);
printf(";; flags: ");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
@@ -689,6 +706,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
lookup->tcp_mode = ISC_TRUE;
} else if (rdtype == dns_rdatatype_ixfr) {
lookup->ixfr_serial = serial;
+ lookup->tcp_mode = ISC_TRUE;
list_type = rdtype;
#ifdef WITH_IDN
} else if (rdtype == dns_rdatatype_a ||
@@ -837,7 +855,7 @@ main(int argc, char **argv) {
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
-
+
fatalexit = 1;
#ifdef WITH_IDN
idnoptions = IDN_ASCCHECK;
diff --git a/contrib/bind9/bin/dig/host.docbook b/contrib/bind9/bin/dig/host.docbook
index 2c0ad3d..3e75b05 100644
--- a/contrib/bind9/bin/dig/host.docbook
+++ b/contrib/bind9/bin/dig/host.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.docbook,v 1.5.18.13 2008/04/05 23:46:04 tbox Exp $ -->
+<!-- $Id: host.docbook,v 1.18.114.2 2009/01/22 23:47:05 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>
@@ -42,6 +42,7 @@
<year>2005</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -180,7 +181,7 @@
</para>
<para>
- By default <command>host</command> uses UDP when making
+ By default, <command>host</command> uses UDP when making
queries. The
<option>-T</option> option makes it use a TCP connection when querying
the name server. TCP will be automatically selected for queries that
@@ -200,7 +201,7 @@
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<command>host</command> automatically selects an appropriate
query
- type. By default it looks for A, AAAA, and MX records, but if the
+ type. By default, it looks for A, AAAA, and MX records, but if the
<option>-C</option> option was given, queries will be made for SOA
records, and if <parameter>name</parameter> is a
dotted-decimal IPv4
diff --git a/contrib/bind9/bin/dig/host.html b/contrib/bind9/bin/dig/host.html
index 88cd830..f210731 100644
--- a/contrib/bind9/bin/dig/host.html
+++ b/contrib/bind9/bin/dig/host.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.html,v 1.7.18.22 2008/04/06 01:31:04 tbox Exp $ -->
+<!-- $Id: host.html,v 1.28.114.1 2009/01/23 01:53:33 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543431"></a><h2>DESCRIPTION</h2>
+<a name="id2543434"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -130,7 +130,7 @@
referrals to other name servers.
</p>
<p>
- By default <span><strong class="command">host</strong></span> uses UDP when making
+ By default, <span><strong class="command">host</strong></span> uses UDP when making
queries. The
<code class="option">-T</code> option makes it use a TCP connection when querying
the name server. TCP will be automatically selected for queries that
@@ -148,7 +148,7 @@
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<span><strong class="command">host</strong></span> automatically selects an appropriate
query
- type. By default it looks for A, AAAA, and MX records, but if the
+ type. By default, it looks for A, AAAA, and MX records, but if the
<code class="option">-C</code> option was given, queries will be made for SOA
records, and if <em class="parameter"><code>name</code></em> is a
dotted-decimal IPv4
@@ -184,7 +184,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543797"></a><h2>IDN SUPPORT</h2>
+<a name="id2543800"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -198,12 +198,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543819"></a><h2>FILES</h2>
+<a name="id2543822"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543831"></a><h2>SEE ALSO</h2>
+<a name="id2543834"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/contrib/bind9/bin/dig/include/dig/dig.h b/contrib/bind9/bin/dig/include/dig/dig.h
index 02ae4d2..d9ee757 100644
--- a/contrib/bind9/bin/dig/include/dig/dig.h
+++ b/contrib/bind9/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.h,v 1.82.18.23 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: dig.h,v 1.107.120.2 2009/01/06 23:47:26 tbox Exp $ */
#ifndef DIG_H
#define DIG_H
@@ -102,7 +102,7 @@ typedef struct dig_searchlist dig_searchlist_t;
/*% The dig_lookup structure */
struct dig_lookup {
isc_boolean_t
- pending, /*%< Pending a successful answer */
+ pending, /*%< Pending a successful answer */
waiting_connect,
doing_xfr,
ns_search_only, /*%< dig +nssearch, host -C */
@@ -129,27 +129,28 @@ struct dig_lookup {
need_search,
done_as_is,
besteffort,
- dnssec;
+ dnssec,
+ nsid; /*% Name Server ID (RFC 5001) */
#ifdef DIG_SIGCHASE
isc_boolean_t sigchase;
#if DIG_SIGCHASE_TD
- isc_boolean_t do_topdown,
- trace_root_sigchase,
- rdtype_sigchaseset,
- rdclass_sigchaseset;
+ isc_boolean_t do_topdown,
+ trace_root_sigchase,
+ rdtype_sigchaseset,
+ rdclass_sigchaseset;
/* Name we are going to validate RRset */
- char textnamesigchase[MXNAME];
+ char textnamesigchase[MXNAME];
#endif
#endif
-
+
char textname[MXNAME]; /*% Name we're going to be looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
#if DIG_SIGCHASE_TD
- dns_rdatatype_t rdtype_sigchase;
- dns_rdatatype_t qrdtype_sigchase;
- dns_rdataclass_t rdclass_sigchase;
+ dns_rdatatype_t rdtype_sigchase;
+ dns_rdatatype_t qrdtype_sigchase;
+ dns_rdataclass_t rdclass_sigchase;
#endif
dns_rdataclass_t rdclass;
isc_boolean_t rdtypeset;
@@ -231,7 +232,7 @@ struct dig_searchlist {
};
#ifdef DIG_SIGCHASE
struct dig_message {
- dns_message_t *msg;
+ dns_message_t *msg;
ISC_LINK(dig_message_t) link;
};
#endif
@@ -249,7 +250,7 @@ extern dig_searchlistlist_t search_list;
extern unsigned int extrabytes;
extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
- usesearch, showsearch, qr;
+ usesearch, showsearch, qr;
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t *mctx;
@@ -284,7 +285,7 @@ extern int idnoptions;
/*
* Routines in dighost.c.
*/
-void
+isc_result_t
get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
isc_result_t
diff --git a/contrib/bind9/bin/dig/nslookup.1 b/contrib/bind9/bin/dig/nslookup.1
index a453c2f..2d19534 100644
--- a/contrib/bind9/bin/dig/nslookup.1
+++ b/contrib/bind9/bin/dig/nslookup.1
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nslookup.1,v 1.1.10.14 2007/05/16 06:11:27 marka Exp $
+.\" $Id: nslookup.1,v 1.14 2007/05/16 06:12:01 marka Exp $
.\"
.hy 0
.ad l
diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c
index 3327c6e..5679626 100644
--- a/contrib/bind9/bin/dig/nslookup.c
+++ b/contrib/bind9/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nslookup.c,v 1.101.18.15 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: nslookup.c,v 1.117.334.4 2009/05/06 11:41:57 fdupont Exp $ */
#include <config.h>
@@ -26,6 +26,7 @@
#include <isc/commandline.h>
#include <isc/event.h>
#include <isc/parseint.h>
+#include <isc/print.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
@@ -129,6 +130,23 @@ static const char *rtypetext[] = {
static void flush_lookup_list(void);
static void getinput(isc_task_t *task, isc_event_t *event);
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
void
dighost_shutdown(void) {
isc_event_t *event = global_event;
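Review bot: rcode_totext returns a writable `char *` to entries of `rcodetext`, and the `consttext`/`deconsttext` union exists only to strip the `const` from the table — the one caller in this file (printmessage) merely passes the result to printf, so the function can return `const char *` and drop the union and the const-cast entirely; if `rcodetext` is declared like the `static const char *rtypetext[]` visible just above, no other change is needed. The bounds check against `sizeof(rcodetext)/sizeof(rcodetext[0])` is the real fix here (the old `rcodetext[msg->rcode]` indexed an unchecked 16-bit value), and it is worth a comment saying so; the `static buf` also makes the function non-reentrant, which is fine for single-threaded nslookup but should be stated. The cast to `unsigned int` in the snprintf below keeps `%u` strictly matched to its argument type.

```c
static const char *
rcode_totext(dns_rcode_t rcode)
{
	/*
	 * Scratch space for rcodes with no name in rcodetext[]; static,
	 * so the function is not reentrant (nslookup is single-threaded).
	 */
	static char buf[sizeof("?65535")];

	/* rcode is a 16-bit wire value; never index rcodetext[] unchecked. */
	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
		snprintf(buf, sizeof(buf), "?%u", (unsigned int)rcode);
		return (buf);
	}
	return (rcodetext[rcode]);
}
```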
@@ -385,14 +403,14 @@ trying(char *frm, dig_lookup_t *lookup) {
isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
- char servtext[ISC_SOCKADDR_FORMATSIZE];
+ char servtext[ISC_SOCKADDR_FORMATSIZE];
debug("printmessage()");
isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
printf("Server:\t\t%s\n", query->userarg);
printf("Address:\t%s\n", servtext);
-
+
puts("");
if (!short_form) {
@@ -412,7 +430,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
nametext, sizeof(nametext));
printf("** server can't find %s: %s\n",
(msg->rcode != dns_rcode_nxdomain) ? nametext :
- query->lookup->textname, rcodetext[msg->rcode]);
+ query->lookup->textname, rcode_totext(msg->rcode));
debug("returning with rcode == 0");
return (ISC_R_SUCCESS);
}
@@ -441,13 +459,16 @@ show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
dig_server_t *srv;
isc_sockaddr_t sockaddr;
dig_searchlist_t *listent;
+ isc_result_t result;
srv = ISC_LIST_HEAD(server_list);
while (srv != NULL) {
char sockstr[ISC_SOCKADDR_FORMATSIZE];
- get_address(srv->servername, port, &sockaddr);
+ result = get_address(srv->servername, port, &sockaddr);
+ check_result(result, "get_address");
+
isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
printf("Default server: %s\nAddress: %s\n",
srv->userarg, sockstr);
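Review bot: The added `check_result(result, "get_address")` turns an unresolvable server name into a hard stop — if check_result is the fatal()-on-error helper its use elsewhere in dig suggests — which in an interactive nslookup means that merely printing the settings (`set all`) after a mistyped `server` command would terminate the session instead of reporting the one bad entry. Unless get_address already called fatal() internally before it was changed to return a result, a friendlier form is to report and keep going: `if (result != ISC_R_SUCCESS) { printf("Default server: %s\nAddress: (%s)\n", srv->userarg, isc_result_totext(result)); }` with the existing format-and-print in the else branch. The rest of the loop body and of show_settings lie past the end of the hunk, so the advance-to-next-entry path for that branch cannot be spelled out here.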
@@ -505,7 +526,7 @@ testclass(char *typetext) {
tr.base = typetext;
tr.length = strlen(typetext);
result = dns_rdataclass_fromtext(&rdclass, &tr);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
else {
printf("unknown query class: %s\n", typetext);
@@ -603,7 +624,7 @@ setoption(char *opt) {
set_timeout(&opt[8]);
} else if (strncasecmp(opt, "t=", 2) == 0) {
set_timeout(&opt[2]);
- } else if (strncasecmp(opt, "rec", 3) == 0) {
+ } else if (strncasecmp(opt, "rec", 3) == 0) {
recurse = ISC_TRUE;
} else if (strncasecmp(opt, "norec", 5) == 0) {
recurse = ISC_FALSE;
@@ -611,21 +632,21 @@ setoption(char *opt) {
set_tries(&opt[6]);
} else if (strncasecmp(opt, "ret=", 4) == 0) {
set_tries(&opt[4]);
- } else if (strncasecmp(opt, "def", 3) == 0) {
+ } else if (strncasecmp(opt, "def", 3) == 0) {
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodef", 5) == 0) {
usesearch = ISC_FALSE;
- } else if (strncasecmp(opt, "vc", 3) == 0) {
+ } else if (strncasecmp(opt, "vc", 3) == 0) {
tcpmode = ISC_TRUE;
} else if (strncasecmp(opt, "novc", 5) == 0) {
tcpmode = ISC_FALSE;
- } else if (strncasecmp(opt, "deb", 3) == 0) {
+ } else if (strncasecmp(opt, "deb", 3) == 0) {
short_form = ISC_FALSE;
showsearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodeb", 5) == 0) {
short_form = ISC_TRUE;
showsearch = ISC_FALSE;
- } else if (strncasecmp(opt, "d2", 2) == 0) {
+ } else if (strncasecmp(opt, "d2", 2) == 0) {
debugging = ISC_TRUE;
} else if (strncasecmp(opt, "nod2", 4) == 0) {
debugging = ISC_FALSE;
@@ -640,7 +661,7 @@ setoption(char *opt) {
} else if (strncasecmp(opt, "nofail", 3) == 0) {
nofail=ISC_TRUE;
} else {
- printf("*** Invalid option: %s\n", opt);
+ printf("*** Invalid option: %s\n", opt);
}
}
diff --git a/contrib/bind9/bin/dig/nslookup.docbook b/contrib/bind9/bin/dig/nslookup.docbook
index dff5fa3..6c94809 100644
--- a/contrib/bind9/bin/dig/nslookup.docbook
+++ b/contrib/bind9/bin/dig/nslookup.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.docbook,v 1.4.2.13 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: nslookup.docbook,v 1.16 2007/06/18 23:47:17 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
diff --git a/contrib/bind9/bin/dig/nslookup.html b/contrib/bind9/bin/dig/nslookup.html
index 46ae43c..0f38176 100644
--- a/contrib/bind9/bin/dig/nslookup.html
+++ b/contrib/bind9/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.html,v 1.1.10.21 2007/05/16 06:11:27 marka Exp $ -->
+<!-- $Id: nslookup.html,v 1.21 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in
index b94dca7..d59a38fb 100644
--- a/contrib/bind9/bin/dnssec/Makefile.in
+++ b/contrib/bind9/bin/dnssec/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $
+# $Id: Makefile.in,v 1.35 2008/11/07 02:28:49 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -39,20 +39,32 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
+TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
+ dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@
OBJS = dnssectool.@O@
-SRCS = dnssec-keygen.c dnssec-signzone.c dnssectool.c
+SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
+ dnssec-signzone.c dnssectool.c
-MANPAGES = dnssec-keygen.8 dnssec-signzone.8
+MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
+ dnssec-signzone.8
-HTMLPAGES = dnssec-keygen.html dnssec-signzone.html
+HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
+ dnssec-keygen.html dnssec-signzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
+dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
+
+dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
+
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-keygen.@O@ ${OBJS} ${LIBS}
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
new file mode 100644
index 0000000..4d4cbc9
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
@@ -0,0 +1,124 @@
+.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-dsfromkey.8,v 1.5 2008/11/08 01:11:47 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-dsfromkey
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: November 29, 2008
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-dsfromkey \- DNSSEC DS RR generation tool
+.SH "SYNOPSIS"
+.HP 17
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
+.HP 17
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-dsfromkey\fR
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
+.SH "OPTIONS"
+.PP
+\-1
+.RS 4
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256).
+.RE
+.PP
+\-2
+.RS 4
+Use SHA\-256 as the digest algorithm.
+.RE
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Select the digest algorithm. The value of
+\fBalgorithm\fR
+must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-s
+.RS 4
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specifies the DNS class (default is IN), useful only in the keyset mode.
+.RE
+.PP
+\-d \fIdirectory\fR
+.RS 4
+Look for
+\fIkeyset\fR
+files in
+\fBdirectory\fR
+as the directory, ignored when not in the keyset mode.
+.RE
+.SH "EXAMPLE"
+.PP
+To build the SHA\-256 DS RR from the
+\fBKexample.com.+003+26160\fR
+keyfile name, the following command would be issued:
+.PP
+\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fR
+.PP
+The command would print something like:
+.PP
+\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
+.SH "FILES"
+.PP
+The keyfile can be designed by the key identification
+\fIKnnnn.+aaa+iiiii\fR
+or the full file name
+\fIKnnnn.+aaa+iiiii.key\fR
+as generated by
+dnssec\-keygen(8).
+.PP
+The keyset file name is built from the
+\fBdirectory\fR, the string
+\fIkeyset\-\fR
+and the
+\fBdnsname\fR.
+.SH "CAVEAT"
+.PP
+A keyfile error can give a "file not found" even if the file exists.
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 3658,
+RFC 4509.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
new file mode 100644
index 0000000..653aa3e
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-dsfromkey.c,v 1.2.14.3 2009/03/02 02:54:15 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-dsfromkey";
+int verbose;
+
+static dns_rdataclass_t rdclass;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static dns_db_t *db = NULL;
+static dns_dbnode_t *node = NULL;
+static dns_rdataset_t keyset;
+static isc_mem_t *mctx = NULL;
+
+static void
+loadkeys(char *dirname, char *setname)
+{
+ isc_result_t result;
+ char filename[1024];
+ isc_buffer_t buf;
+
+ dns_rdataset_init(&keyset);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+
+ isc_buffer_init(&buf, setname, strlen(setname));
+ isc_buffer_add(&buf, strlen(setname));
+ result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't convert DNS name %s", setname);
+
+ isc_buffer_init(&buf, filename, sizeof(filename));
+ if (dirname != NULL) {
+ isc_buffer_putstr(&buf, dirname);
+ if (dirname[strlen(dirname) - 1] != '/')
+ isc_buffer_putstr(&buf, "/");
+ }
+ isc_buffer_putstr(&buf, "keyset-");
+ result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
+ check_result(result, "dns_name_tofilenametext()");
+ if (isc_buffer_availablelength(&buf) == 0)
+ fatal("name %s too long", setname);
+ isc_buffer_putuint8(&buf, 0);
+
+ result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't create database");
+
+ result = dns_db_load(db, filename);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ fatal("can't load %s: %s", filename, isc_result_totext(result));
+
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't find %s node in %s", setname, filename);
+
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
+ 0, 0, &keyset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ fatal("no DNSKEY RR for %s in %s", setname, filename);
+ else if (result != ISC_R_SUCCESS)
+ fatal("dns_db_findrdataset");
+}
+
+static void
+loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
+ dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ dst_key_t *key = NULL;
+ isc_buffer_t keyb;
+ isc_region_t r;
+
+ dns_rdataset_init(&keyset);
+ dns_rdata_init(rdata);
+
+ isc_buffer_init(&keyb, key_buf, key_buf_size);
+
+ result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("invalid keyfile name %s: %s",
+ filename, isc_result_totext(result));
+
+ if (verbose > 2) {
+ char keystr[KEY_FORMATSIZE];
+
+ key_format(key, keystr, sizeof(keystr));
+ fprintf(stderr, "%s: %s\n", program, keystr);
+ }
+
+ result = dst_key_todns(key, &keyb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't decode key");
+
+ isc_buffer_usedregion(&keyb, &r);
+ dns_rdata_fromregion(rdata, dst_key_class(key),
+ dns_rdatatype_dnskey, &r);
+
+ rdclass = dst_key_class(key);
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ result = dns_name_copy(dst_key_name(key), name, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't copy name");
+
+ dst_key_free(&key);
+}
+
+static void
+logkey(dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ dst_key_t *key = NULL;
+ isc_buffer_t buf;
+ char keystr[KEY_FORMATSIZE];
+
+ isc_buffer_init(&buf, rdata->data, rdata->length);
+ isc_buffer_add(&buf, rdata->length);
+ result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ key_format(key, keystr, sizeof(keystr));
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ dst_key_free(&key);
+}
+
+static void
+emitds(unsigned int dtype, dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ unsigned char buf[DNS_DS_BUFFERSIZE];
+ char text_buf[DST_KEY_MAXTEXTSIZE];
+ char class_buf[10];
+ isc_buffer_t textb, classb;
+ isc_region_t r;
+ dns_rdata_t ds;
+
+ isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+ isc_buffer_init(&classb, class_buf, sizeof(class_buf));
+
+ dns_rdata_init(&ds);
+
+ result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't build DS");
+
+ result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS rdata");
+
+ result = dns_rdataclass_totext(rdclass, &classb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS class");
+
+ result = dns_name_print(name, stdout);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS name");
+
+ putchar(' ');
+
+ isc_buffer_usedregion(&classb, &r);
+ fwrite(r.base, 1, r.length, stdout);
+
+ printf(" DS ");
+
+ isc_buffer_usedregion(&textb, &r);
+ fwrite(r.base, 1, r.length, stdout);
+ putchar('\n');
+}
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s options keyfile\n\n", program);
+ fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n",
+ program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -1: use SHA-1\n");
+ fprintf(stderr, " -2: use SHA-256\n");
+ fprintf(stderr, " -a algorithm: use algorithm\n");
+ fprintf(stderr, "Keyset options:\n");
+ fprintf(stderr, " -s: keyset mode\n");
+ fprintf(stderr, " -c class\n");
+ fprintf(stderr, " -d directory\n");
+ fprintf(stderr, "Output: DS RRs\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ char *algname = NULL, *classname = NULL, *dirname = NULL;
+ char *endp;
+ int ch;
+ unsigned int dtype = DNS_DSDIGEST_SHA1;
+ isc_boolean_t both = ISC_TRUE;
+ isc_boolean_t usekeyset = ISC_FALSE;
+ isc_result_t result;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdata_t rdata;
+
+ dns_rdata_init(&rdata);
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "12a:c:d:sv:h")) != -1) {
+ switch (ch) {
+ case '1':
+ dtype = DNS_DSDIGEST_SHA1;
+ both = ISC_FALSE;
+ break;
+ case '2':
+ dtype = DNS_DSDIGEST_SHA256;
+ both = ISC_FALSE;
+ break;
+ case 'a':
+ algname = isc_commandline_argument;
+ both = ISC_FALSE;
+ break;
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+ case 'd':
+ dirname = isc_commandline_argument;
+ break;
+ case 's':
+ usekeyset = ISC_TRUE;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (algname != NULL) {
+ if (strcasecmp(algname, "SHA1") == 0 ||
+ strcasecmp(algname, "SHA-1") == 0)
+ dtype = DNS_DSDIGEST_SHA1;
+ else if (strcasecmp(algname, "SHA256") == 0 ||
+ strcasecmp(algname, "SHA-256") == 0)
+ dtype = DNS_DSDIGEST_SHA256;
+ else
+ fatal("unknown algorithm %s", algname);
+ }
+
+ rdclass = strtoclass(classname);
+
+ if (argc < isc_commandline_index + 1)
+ fatal("the key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize hash");
+ result = dst_lib_init(mctx, ectx,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize dst");
+ isc_entropy_stopcallbacksources(ectx);
+
+ setup_logging(verbose, mctx, &log);
+
+ if (usekeyset) {
+ loadkeys(dirname, argv[isc_commandline_index]);
+
+ for (result = dns_rdataset_first(&keyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&keyset)) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(&keyset, &rdata);
+
+ if (verbose > 2)
+ logkey(&rdata);
+
+ if (both) {
+ emitds(DNS_DSDIGEST_SHA1, &rdata);
+ emitds(DNS_DSDIGEST_SHA256, &rdata);
+ } else
+ emitds(dtype, &rdata);
+ }
+ } else {
+ unsigned char key_buf[DST_KEY_MAXSIZE];
+
+ loadkey(argv[isc_commandline_index], key_buf,
+ DST_KEY_MAXSIZE, &rdata);
+
+ if (both) {
+ emitds(DNS_DSDIGEST_SHA1, &rdata);
+ emitds(DNS_DSDIGEST_SHA256, &rdata);
+ } else
+ emitds(dtype, &rdata);
+ }
+
+ if (dns_rdataset_isassociated(&keyset))
+ dns_rdataset_disassociate(&keyset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ cleanup_logging(&log);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ dns_name_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ fflush(stdout);
+ if (ferror(stdout)) {
+ fprintf(stderr, "write error\n");
+ return (1);
+ } else
+ return (0);
+}
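Review bot: In loadkeys the separator check `if (dirname[strlen(dirname) - 1] != '/')` reads one byte before the string when `-d ""` is given, because strlen() is 0 and the size_t index wraps; guarding on a non-empty string, `if (dirname != NULL && dirname[0] != '\0') {`, avoids the out-of-bounds read. The `name %s too long` test runs only after the `isc_buffer_putstr` calls for the directory and the `keyset-` prefix, so if putstr asserts on insufficient space (as the ISC buffer API's REQUIRE style suggests) an over-long `-d` path would abort on a libisc assertion rather than reach that fatal(); a length test before the copies, `if (dirname != NULL && strlen(dirname) + sizeof("keyset-") + 1 >= sizeof(filename)) fatal("directory name too long");`, keeps the error in the tool's own error path. Minor: usage() ends with `exit (-1)`, which reports status 255 to the shell, whereas the unhandled-option case a few lines below uses `exit(1)`; `exit(1)` in usage() makes the two consistent.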
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
new file mode 100644
index 0000000..c2c6b85
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
@@ -0,0 +1,214 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
+<refentry id="man.dnssec-dsfromkey">
+ <refentryinfo>
+ <date>November 29, 2008</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-dsfromkey</application></refname>
+ <refpurpose>DNSSEC DS RR generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2008</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-dsfromkey</command>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-1</option></arg>
+ <arg><option>-2</option></arg>
+ <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg choice="req">keyfile</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>dnssec-dsfromkey</command>
+ <arg choice="req">-s</arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-1</option></arg>
+ <arg><option>-2</option></arg>
+ <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
+ <arg choice="req">dnsname</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-dsfromkey</command>
+ outputs the Delegation Signer (DS) resource record (RR), as defined in
+ RFC 3658 and RFC 4509, for the given key(s).
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-1</term>
+ <listitem>
+ <para>
+ Use SHA-1 as the digest algorithm (the default is to use
+ both SHA-1 and SHA-256).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-2</term>
+ <listitem>
+ <para>
+ Use SHA-256 as the digest algorithm.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Select the digest algorithm. The value of
+ <option>algorithm</option> must be one of SHA-1 (SHA1) or
+ SHA-256 (SHA256). These values are case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s</term>
+ <listitem>
+ <para>
+ Keyset mode: in place of the keyfile name, the argument is
+ the DNS domain name of a keyset file. Following options make sense
+ only in this mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the DNS class (default is IN), useful only
+ in the keyset mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Look for <filename>keyset</filename> files in
+ <option>directory</option> as the directory, ignored when
+ not in the keyset mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ To build the SHA-256 DS RR from the
+ <userinput>Kexample.com.+003+26160</userinput>
+ keyfile name, the following command would be issued:
+ </para>
+ <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ The command would print something like:
+ </para>
+ <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+ <para>
+ The keyfile can be designed by the key identification
+ <filename>Knnnn.+aaa+iiiii</filename> or the full file name
+ <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
+ </para>
+ <para>
+ The keyset file name is built from the <option>directory</option>,
+ the string <filename>keyset-</filename> and the
+ <option>dnsname</option>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>CAVEAT</title>
+ <para>
+ A keyfile error can give a "file not found" even if the file exists.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 3658</citetitle>,
+ <citetitle>RFC 4509</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
new file mode 100644
index 0000000..72dfd3a
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
@@ -0,0 +1,133 @@
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-dsfromkey.html,v 1.5 2008/11/08 01:11:47 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-dsfromkey</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543424"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-dsfromkey</strong></span>
+ outputs the Delegation Signer (DS) resource record (RR), as defined in
+ RFC 3658 and RFC 4509, for the given key(s).
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543435"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-1</span></dt>
+<dd><p>
+ Use SHA-1 as the digest algorithm (the default is to use
+ both SHA-1 and SHA-256).
+ </p></dd>
+<dt><span class="term">-2</span></dt>
+<dd><p>
+ Use SHA-256 as the digest algorithm.
+ </p></dd>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+ Select the digest algorithm. The value of
+ <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
+ SHA-256 (SHA256). These values are case insensitive.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-s</span></dt>
+<dd><p>
+ Keyset mode: in place of the keyfile name, the argument is
+ the DNS domain name of a keyset file. Following options make sense
+ only in this mode.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Specifies the DNS class (default is IN), useful only
+ in the keyset mode.
+ </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Look for <code class="filename">keyset</code> files in
+ <code class="option">directory</code> as the directory, ignored when
+ not in the keyset mode.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543563"></a><h2>EXAMPLE</h2>
+<p>
+ To build the SHA-256 DS RR from the
+ <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+ keyfile name, the following command would be issued:
+ </p>
+<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+ </p>
+<p>
+ The command would print something like:
+ </p>
+<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543593"></a><h2>FILES</h2>
+<p>
+ The keyfile can be designed by the key identification
+ <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
+ <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
+ <span class="refentrytitle">dnssec-keygen</span>(8).
+ </p>
+<p>
+ The keyset file name is built from the <code class="option">directory</code>,
+ the string <code class="filename">keyset-</code> and the
+ <code class="option">dnsname</code>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543628"></a><h2>CAVEAT</h2>
+<p>
+ A keyfile error can give a "file not found" even if the file exists.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543638"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 3658</em>,
+ <em class="citetitle">RFC 4509</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543674"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
new file mode 100644
index 0000000..6222058
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
@@ -0,0 +1,149 @@
+.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-keyfromlabel.8,v 1.6 2008/11/08 01:11:47 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-keyfromlabel
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: February 8, 2008
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-KEYFROMLABEL" "8" "February 8, 2008" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-keyfromlabel \- DNSSEC key generation tool
+.SH "SYNOPSIS"
+.HP 20
+\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-keyfromlabel\fR
+gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Selects the cryptographic algorithm. The value of
+\fBalgorithm\fR
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
+.sp
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
+.sp
+Note 2: DH automatically sets the \-k flag.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Specifies the label of keys in the crypto hardware (PKCS#11 device).
+.RE
+.PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
+.RE
+.PP
+\-f \fIflag\fR
+.RS 4
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBdnssec\-keygen\fR.
+.RE
+.PP
+\-k
+.RS 4
+Generate KEY records rather than DNSKEY records.
+.RE
+.PP
+\-p \fIprotocol\fR
+.RS 4
+Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Indicates the use of the key.
+\fBtype\fR
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.SH "GENERATED KEY FILES"
+.PP
+When
+\fBdnssec\-keyfromlabel\fR
+completes successfully, it prints a string of the form
+\fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for the key files it has generated.
+.TP 4
+\(bu
+\fInnnn\fR
+is the key name.
+.TP 4
+\(bu
+\fIaaa\fR
+is the numeric representation of the algorithm.
+.TP 4
+\(bu
+\fIiiiii\fR
+is the key identifier (or footprint).
+.PP
+\fBdnssec\-keyfromlabel\fR
+creates two files, with names based on the printed string.
+\fIKnnnn.+aaa+iiiii.key\fR
+contains the public key, and
+\fIKnnnn.+aaa+iiiii.private\fR
+contains the private key.
+.PP
+The
+\fI.key\fR
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
+.PP
+The
+\fI.private\fR
+file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 2539,
+RFC 2845,
+RFC 4033.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
new file mode 100644
index 0000000..e7587c3
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-keyfromlabel.c,v 1.4 2008/09/24 02:46:21 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+#define MAX_RSA 4096 /* should be long enough... */
+
+const char *program = "dnssec-keyfromlabel";
+int verbose;
+
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
+ " NSEC3DSA | NSEC3RSASHA1";
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s -a alg -l label [options] name\n\n",
+ program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "Required options:\n");
+ fprintf(stderr, " -a algorithm: %s\n", algs);
+ fprintf(stderr, " -l label: label of the key\n");
+ fprintf(stderr, " name: owner of the key\n");
+ fprintf(stderr, "Other options:\n");
+ fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+ fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
+ fprintf(stderr, " -c <class> (default: IN)\n");
+ fprintf(stderr, " -f keyflag: KSK\n");
+ fprintf(stderr, " -t <type>: "
+ "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+ "(default: AUTHCONF)\n");
+ fprintf(stderr, " -p <protocol>: "
+ "default: 3 [dnssec]\n");
+ fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<id>.key, "
+ "K<name>+<alg>+<id>.private\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ char *algname = NULL, *nametype = NULL, *type = NULL;
+ char *classname = NULL;
+ char *endp;
+ dst_key_t *key = NULL, *oldkey;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_uint16_t flags = 0, ksk = 0;
+ dns_secalg_t alg;
+ isc_boolean_t null_key = ISC_FALSE;
+ isc_mem_t *mctx = NULL;
+ int ch;
+ int protocol = -1, signatory = 0;
+ isc_result_t ret;
+ isc_textregion_t r;
+ char filename[255];
+ isc_buffer_t buf;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdataclass_t rdclass;
+ int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+ char *label = NULL;
+
+ if (argc == 1)
+ usage();
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "a:c:f:kl:n:p:t:v:h")) != -1)
+ {
+ switch (ch) {
+ case 'a':
+ algname = isc_commandline_argument;
+ break;
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+ case 'f':
+ if (strcasecmp(isc_commandline_argument, "KSK") == 0)
+ ksk = DNS_KEYFLAG_KSK;
+ else
+ fatal("unknown flag '%s'",
+ isc_commandline_argument);
+ break;
+ case 'k':
+ options |= DST_TYPE_KEY;
+ break;
+ case 'l':
+ label = isc_commandline_argument;
+ break;
+ case 'n':
+ nametype = isc_commandline_argument;
+ break;
+ case 'p':
+ protocol = strtol(isc_commandline_argument, &endp, 10);
+ if (*endp != '\0' || protocol < 0 || protocol > 255)
+ fatal("-p must be followed by a number "
+ "[0..255]");
+ break;
+ case 't':
+ type = isc_commandline_argument;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ ret = dst_lib_init(mctx, ectx,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (ret != ISC_R_SUCCESS)
+ fatal("could not initialize dst");
+
+ setup_logging(verbose, mctx, &log);
+
+ if (label == NULL)
+ fatal("the key label was not specified");
+ if (argc < isc_commandline_index + 1)
+ fatal("the key name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ if (algname == NULL)
+ fatal("no algorithm was specified");
+ if (strcasecmp(algname, "RSA") == 0) {
+ fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
+ "If you still wish to use RSA (RSAMD5) please "
+ "specify \"-a RSAMD5\"\n");
+ return (1);
+ } else {
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS)
+ fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
+ }
+
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+ if (strcasecmp(type, "NOAUTH") == 0)
+ flags |= DNS_KEYTYPE_NOAUTH;
+ else if (strcasecmp(type, "NOCONF") == 0)
+ flags |= DNS_KEYTYPE_NOCONF;
+ else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+ flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
+ }
+ else if (strcasecmp(type, "AUTHCONF") == 0)
+ /* nothing */;
+ else
+ fatal("invalid type %s", type);
+ }
+
+ if (nametype == NULL) {
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ fatal("no nametype specified");
+ flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
+ } else if (strcasecmp(nametype, "zone") == 0)
+ flags |= DNS_KEYOWNER_ZONE;
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ if (strcasecmp(nametype, "host") == 0 ||
+ strcasecmp(nametype, "entity") == 0)
+ flags |= DNS_KEYOWNER_ENTITY;
+ else if (strcasecmp(nametype, "user") == 0)
+ flags |= DNS_KEYOWNER_USER;
+ else
+ fatal("invalid KEY nametype %s", nametype);
+ } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
+ fatal("invalid DNSKEY nametype %s", nametype);
+
+ rdclass = strtoclass(classname);
+
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ flags |= signatory;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
+ flags |= ksk;
+
+ if (protocol == -1)
+ protocol = DNS_KEYPROTO_DNSSEC;
+ else if ((options & DST_TYPE_KEY) == 0 &&
+ protocol != DNS_KEYPROTO_DNSSEC)
+ fatal("invalid DNSKEY protocol: %d", protocol);
+
+ if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+ if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
+ fatal("specified null key with signing authority");
+ }
+
+ if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+ alg == DNS_KEYALG_DH)
+ fatal("a key with algorithm '%s' cannot be a zone key",
+ algname);
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, argv[isc_commandline_index],
+ strlen(argv[isc_commandline_index]));
+ isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+ ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ if (ret != ISC_R_SUCCESS)
+ fatal("invalid key name %s: %s", argv[isc_commandline_index],
+ isc_result_totext(ret));
+
+ if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+ null_key = ISC_TRUE;
+
+ isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+
+ /* associate the key */
+ ret = dst_key_fromlabel(name, alg, flags, protocol,
+ rdclass, "", label, NULL, mctx, &key);
+ isc_entropy_stopcallbacksources(ectx);
+
+ if (ret != ISC_R_SUCCESS) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char algstr[ALG_FORMATSIZE];
+ dns_name_format(name, namestr, sizeof(namestr));
+ alg_format(alg, algstr, sizeof(algstr));
+ fatal("failed to generate key %s/%s: %s\n",
+ namestr, algstr, isc_result_totext(ret));
+ exit(-1);
+ }
+
+ /*
+ * Try to read a key with the same name, alg and id from disk.
+ * If there is one we must continue generating a new one
+ * unless we were asked to generate a null key, in which
+ * case we return failure.
+ */
+ ret = dst_key_fromfile(name, dst_key_id(key), alg,
+ DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
+ /* do not overwrite an existing key */
+ if (ret == ISC_R_SUCCESS) {
+ isc_buffer_clear(&buf);
+ ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ fprintf(stderr, "%s: %s already exists\n",
+ program, filename);
+ dst_key_free(&key);
+ exit (1);
+ }
+
+ ret = dst_key_tofile(key, options, NULL);
+ if (ret != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key, keystr, sizeof(keystr));
+ fatal("failed to write key %s: %s\n", keystr,
+ isc_result_totext(ret));
+ }
+
+ isc_buffer_clear(&buf);
+ ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ printf("%s\n", filename);
+ dst_key_free(&key);
+
+ cleanup_logging(&log);
+ cleanup_entropy(&ectx);
+ dst_lib_destroy();
+ dns_name_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
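Review bot: `oldkey` is declared without an initializer on the `dst_key_t *key = NULL, *oldkey;` line and is then passed by address to `dst_key_fromfile()` in the "do not overwrite an existing key" check; if that routine, like the other dst_key_from* entry points, asserts that `*keyp == NULL` on entry, this is an indeterminate-value read that can trip the check at random, and the line should read `dst_key_t *key = NULL, *oldkey = NULL;`. The block comment above that call ("we must continue generating a new one") appears to be carried over from dnssec-keygen and no longer matches this tool, which exits instead; a comment such as `/* Refuse to proceed if a private key with this name/alg/id is already on disk. */` would describe the actual behaviour, and `oldkey` should be released with `dst_key_free(&oldkey)` before the `exit (1)` for tidiness. Separately, `signatory` is initialised to 0 and never assigned, so `flags |= signatory;` in the KEY branch is a no-op worth either wiring to an option or removing, and the `exit(-1)` after `fatal("failed to generate key ...")` is unreachable if `fatal()` does not return.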
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
new file mode 100644
index 0000000..2bcf0a4
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -0,0 +1,265 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
+<refentry id="man.dnssec-keyfromlabel">
+ <refentryinfo>
+ <date>February 8, 2008</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-keyfromlabel</application></refname>
+ <refpurpose>DNSSEC key generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2008</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-keyfromlabel</command>
+ <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-k</option></arg>
+ <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-keyfromlabel</command>
+ gets keys with the given label from a crypto hardware and builds
+ key files for DNSSEC (Secure DNS), as defined in RFC 2535
+ and RFC 4034.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Selects the cryptographic algorithm. The value of
+ <option>algorithm</option> must be one of RSAMD5 (RSA)
+ or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+ These values are case insensitive.
+ </para>
+ <para>
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+ algorithm, and DSA is recommended.
+ </para>
+ <para>
+ Note 2: DH automatically sets the -k flag.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">label</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the label of keys in the crypto hardware
+ (PKCS#11 device).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">nametype</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the owner type of the key. The value of
+ <option>nametype</option> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+ a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+ These values are
+ case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">flag</replaceable></term>
+ <listitem>
+ <para>
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-keygen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k</term>
+ <listitem>
+ <para>
+ Generate KEY records rather than DNSKEY records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">protocol</replaceable></term>
+ <listitem>
+ <para>
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 3 (DNSSEC).
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">type</replaceable></term>
+ <listitem>
+ <para>
+ Indicates the use of the key. <option>type</option> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>GENERATED KEY FILES</title>
+ <para>
+ When <command>dnssec-keyfromlabel</command> completes
+ successfully,
+ it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+ to the standard output. This is an identification string for
+ the key files it has generated.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para><filename>nnnn</filename> is the key name.
+ </para>
+ </listitem>
+ <listitem>
+ <para><filename>aaa</filename> is the numeric representation
+ of the
+ algorithm.
+ </para>
+ </listitem>
+ <listitem>
+ <para><filename>iiiii</filename> is the key identifier (or
+ footprint).
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para><command>dnssec-keyfromlabel</command>
+ creates two files, with names based
+ on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
+ contains the public key, and
+ <filename>Knnnn.+aaa+iiiii.private</filename> contains the
+ private
+ key.
+ </para>
+ <para>
+ The <filename>.key</filename> file contains a DNS KEY record
+ that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </para>
+ <para>
+ The <filename>.private</filename> file contains algorithm
+ specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2539</citetitle>,
+ <citetitle>RFC 2845</citetitle>,
+ <citetitle>RFC 4033</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
new file mode 100644
index 0000000..cbea64b
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
@@ -0,0 +1,171 @@
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: dnssec-keyfromlabel.html,v 1.5 2008/10/15 01:11:35 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keyfromlabel</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543413"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
+ gets keys with the given label from a crypto hardware and builds
+ key files for DNSSEC (Secure DNS), as defined in RFC 2535
+ and RFC 4034.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543425"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+ Selects the cryptographic algorithm. The value of
+ <code class="option">algorithm</code> must be one of RSAMD5 (RSA)
+ or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+ These values are case insensitive.
+ </p>
+<p>
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+ algorithm, and DSA is recommended.
+ </p>
+<p>
+ Note 2: DH automatically sets the -k flag.
+ </p>
+</dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd><p>
+ Specifies the label of keys in the crypto hardware
+ (PKCS#11 device).
+ </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd><p>
+ Specifies the owner type of the key. The value of
+ <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+ a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+ These values are
+ case insensitive.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd><p>
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">dnssec-keygen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k</span></dt>
+<dd><p>
+ Generate KEY records rather than DNSKEY records.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd><p>
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 3 (DNSSEC).
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+ Indicates the use of the key. <code class="option">type</code> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543619"></a><h2>GENERATED KEY FILES</h2>
+<p>
+ When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
+ successfully,
+ it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+ to the standard output. This is an identification string for
+ the key files it has generated.
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p><code class="filename">nnnn</code> is the key name.
+ </p></li>
+<li><p><code class="filename">aaa</code> is the numeric representation
+ of the
+ algorithm.
+ </p></li>
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+ footprint).
+ </p></li>
+</ul></div>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
+ creates two files, with names based
+ on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
+ contains the public key, and
+ <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+ private
+ key.
+ </p>
+<p>
+ The <code class="filename">.key</code> file contains a DNS KEY record
+ that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </p>
+<p>
+ The <code class="filename">.private</code> file contains algorithm
+ specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543691"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2539</em>,
+ <em class="citetitle">RFC 2845</em>,
+ <em class="citetitle">RFC 4033</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543731"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8
index e667ba9..13db3d9 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.8
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keygen.8,v 1.23.18.16 2008/10/16 01:29:40 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.40 2008/10/15 01:11:35 tbox Exp $
.\"
.hy 0
.ad l
@@ -44,7 +44,7 @@ generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
-must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
@@ -60,7 +60,7 @@ Specifies the number of bits in the key. The choice of key size depends on the a
.RS 4
Specifies the owner type of the key. The value of
\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
.RE
.PP
\-c \fIclass\fR
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
index 0b57f6d..614d388 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.c
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c
@@ -1,6 +1,19 @@
/*
- * Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.66.18.10 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.81 2008/09/25 04:02:38 tbox Exp $ */
/*! \file */
@@ -49,8 +62,9 @@
const char *program = "dnssec-keygen";
int verbose;
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
- " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA |"
+ " NSEC3RSASHA1 | HMAC-MD5 |"
+ " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
" HMAC-SHA384 | HMAC-SHA512";
static isc_boolean_t
@@ -61,7 +75,7 @@ dsa_size_ok(int size) {
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s -a alg -b bits -n type [options] name\n\n",
+ fprintf(stderr, " %s -a alg -b bits [-n type] [options] name\n\n",
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Required options:\n");
@@ -69,8 +83,10 @@ usage(void) {
fprintf(stderr, " -b key size, in bits:\n");
fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
+ fprintf(stderr, " NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
@@ -78,6 +94,7 @@ usage(void) {
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+ fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -c <class> (default: IN)\n");
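Review bot: The new usage line `" (DNSKEY generation defaults to ZONE\n"` opens a parenthesis that is never closed, so the help text prints unbalanced; change it to `fprintf(stderr, "                  (DNSKEY generation defaults to ZONE)\n");`. usage() continues outside this hunk, so there may be other lines worth aligning with it, but this one is the only one the hunk adds.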
@@ -134,8 +151,10 @@ main(int argc, char **argv) {
dns_result_register();
+ isc_commandline_errprint = ISC_FALSE;
+
while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
+ "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
{
switch (ch) {
case 'a':
@@ -202,12 +221,17 @@ main(int argc, char **argv) {
fatal("-v must be followed by a number");
break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
case 'h':
usage();
+
default:
- fprintf(stderr, "%s: invalid argument -%c\n",
- program, ch);
- usage();
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
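Review bot: The new `case '?':` drops through into `case 'h':` with no marker, and the blank line after `usage();` suggests the author relies on usage() never returning — neither is visible from this hunk, so a reader will take both for accidents. Add `/* FALLTHROUGH */` immediately before `case 'h':`, and if usage() can return, an explicit `exit(1);` after it so that `-h` never reaches the "unhandled option" default. Since `isc_commandline_errprint` is now set to ISC_FALSE earlier in main (presumably silencing the library's own diagnostic), the message printed here becomes the only feedback for a bad option; a one-line comment next to that assignment saying the caller prints its own error would make the intent clear. main() starts and ends outside this hunk.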
@@ -282,6 +306,7 @@ main(int argc, char **argv) {
switch (alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
@@ -290,6 +315,7 @@ main(int argc, char **argv) {
fatal("DH key size %d out of range", size);
break;
case DNS_KEYALG_DSA:
+ case DNS_KEYALG_NSEC3DSA:
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
@@ -349,18 +375,20 @@ main(int argc, char **argv) {
break;
}
- if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
- rsa_exp != 0)
+ if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
+ alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
fatal("specified DH generator for a non-DH key");
- if (nametype == NULL)
- fatal("no nametype specified");
- if (strcasecmp(nametype, "zone") == 0)
+ if (nametype == NULL) {
+ if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
+ fatal("no nametype specified");
+ flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
+ } else if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
- else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY / HMAC */
if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
flags |= DNS_KEYOWNER_ENTITY;
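Review bot: The set of RSA-family algorithms is now spelled out twice — in the size-check `switch` (the `case DNS_KEYALG_NSEC3RSASHA1:` label added in the hunk above) and in the condition `!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 || alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0` here — so the next RSA variant has to be added in both places or the exponent check silently diverges from the size check. A small helper such as `static isc_boolean_t is_rsa_alg(dns_secalg_t alg)` returning `ISC_TF(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 || alg == DNS_KEYALG_NSEC3RSASHA1)` would keep the two in step. The `nametype == NULL` branch also deserves a short comment explaining that the default to ZONE applies only to DNSKEY generation, matching the new usage text; main() continues outside this hunk.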
@@ -373,7 +401,7 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
- if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
flags |= signatory;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
flags |= ksk;
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
index ec7b69b..c267a1b 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.7.18.13 2008/10/15 23:46:06 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.22 2008/10/14 14:32:50 jreed Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@@ -92,13 +92,13 @@
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, DH (Diffie Hellman), or HMAC-MD5. These values
- are case insensitive.
+ DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
+ These values are case insensitive.
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm,
- and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
+ mandatory.
</para>
<para>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
@@ -130,8 +130,8 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive. Defaults to ZONE for DNSKEY
+ generation.
</para>
</listitem>
</varlistentry>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html
index e0b0bfe..696ef88 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.html
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.html,v 1.9.18.22 2008/10/16 01:29:40 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.32 2008/10/15 01:11:35 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,13 +47,13 @@
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, DH (Diffie Hellman), or HMAC-MD5. These values
- are case insensitive.
+ DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
+ These values are case insensitive.
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm,
- and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
+ mandatory.
</p>
<p>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
@@ -76,8 +76,8 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive. Defaults to ZONE for DNSKEY
+ generation.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8
index 680960a..ca0ed36 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.8
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.28.18.19 2008/10/16 01:29:40 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.47 2008/10/15 01:11:35 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,7 +33,7 @@
dnssec\-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
@@ -212,6 +212,21 @@ Sets the debugging level.
Ignore KSK flag on key when determining what to sign.
.RE
.PP
+\-3 \fIsalt\fR
+.RS 4
+Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
+.RE
+.PP
+\-H \fIiterations\fR
+.RS 4
+When generating a NSEC3 chain use this many interations. The default is 100.
+.RE
+.PP
+\-A
+.RS 4
+When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+.RE
+.PP
zonefile
.RS 4
The file containing the zone to be signed.
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c
index 9b49169..1da280f 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.c
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c
@@ -1,6 +1,19 @@
/*
- * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.177.18.26 2008/06/02 23:46:01 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.209.12.3 2009/01/18 23:25:15 marka Exp $ */
/*! \file */
@@ -26,11 +39,13 @@
#include <time.h>
#include <isc/app.h>
+#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
#include <isc/file.h>
#include <isc/hash.h>
+#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/os.h>
@@ -38,10 +53,11 @@
#include <isc/random.h>
#include <isc/serial.h>
#include <isc/stdio.h>
+#include <isc/stdlib.h>
#include <isc/string.h>
#include <isc/task.h>
-#include <isc/util.h>
#include <isc/time.h>
+#include <isc/util.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
@@ -54,7 +70,9 @@
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/nsec.h>
+#include <dns/nsec3.h>
#include <dns/rdata.h>
+#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdataclass.h>
#include <dns/rdatasetiter.h>
@@ -71,6 +89,13 @@
const char *program = "dnssec-signzone";
int verbose;
+typedef struct hashlist hashlist_t;
+
+static int nsec_datatype = dns_rdatatype_nsec;
+
+#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)
+#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
+
#define BUFSIZE 2048
#define MAXDSKEYS 8
@@ -125,6 +150,7 @@ static dns_dbversion_t *gversion; /* The database version */
static dns_dbiterator_t *gdbiter; /* The database iterator */
static dns_rdataclass_t gclass; /* The class */
static dns_name_t *gorigin; /* The database origin */
+static int nsec3flags = 0;
static isc_task_t *master = NULL;
static unsigned int ntasks = 0;
static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
@@ -136,6 +162,8 @@ static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
static unsigned int serialformat = SOA_SERIAL_KEEP;
+static unsigned int hash_length = 0;
+static isc_boolean_t unknownalg = ISC_FALSE;
#define INCSTAT(counter) \
if (printstats) { \
@@ -147,19 +175,8 @@ static unsigned int serialformat = SOA_SERIAL_KEEP;
static void
sign(isc_task_t *task, isc_event_t *event);
-
-static inline void
-set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
- unsigned int shift, mask;
-
- shift = 7 - (index % 8);
- mask = 1 << shift;
-
- if (bit != 0)
- array[index / 8] |= mask;
- else
- array[index / 8] &= (~mask & 0xFF);
-}
+static isc_boolean_t
+nsec3only(dns_dbnode_t *node);
static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) {
@@ -549,6 +566,169 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
}
+struct hashlist {
+ unsigned char *hashbuf;
+ size_t entries;
+ size_t size;
+ size_t length;
+};
+
+static void
+hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {
+
+ l->entries = 0;
+ l->length = length + 1;
+
+ if (nodes != 0) {
+ l->size = nodes;
+ l->hashbuf = malloc(l->size * l->length);
+ if (l->hashbuf == NULL)
+ l->size = 0;
+ } else {
+ l->size = 0;
+ l->hashbuf = NULL;
+ }
+}
+
+static void
+hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
+{
+
+ REQUIRE(len <= l->length);
+
+ if (l->entries == l->size) {
+ l->size = l->size * 2 + 100;
+ l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+ }
+ memset(l->hashbuf + l->entries * l->length, 0, l->length);
+ memcpy(l->hashbuf + l->entries * l->length, hash, len);
+ l->entries++;
+}
+
+static void
+hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
+ unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length,
+ isc_boolean_t speculative)
+{
+ char nametext[DNS_NAME_FORMATSIZE];
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+ unsigned int len;
+ size_t i;
+
+ len = isc_iterated_hash(hash, hashalg, iterations, salt, salt_length,
+ name->ndata, name->length);
+ if (verbose) {
+ dns_name_format(name, nametext, sizeof nametext);
+ for (i = 0 ; i < len; i++)
+ fprintf(stderr, "%02x", hash[i]);
+ fprintf(stderr, " %s\n", nametext);
+ }
+ hash[len++] = speculative ? 1 : 0;
+ hashlist_add(l, hash, len);
+}
+
+static int
+hashlist_comp(const void *a, const void *b) {
+ return (memcmp(a, b, hash_length + 1));
+}
+
+static void
+hashlist_sort(hashlist_t *l) {
+ qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
+}
+
+static isc_boolean_t
+hashlist_hasdup(hashlist_t *l) {
+ unsigned char *current;
+ unsigned char *next = l->hashbuf;
+ size_t entries = l->entries;
+
+ /*
+ * Skip initial speculative wild card hashs.
+ */
+ while (entries > 0U && next[l->length-1] != 0U) {
+ next += l->length;
+ entries--;
+ }
+
+ current = next;
+ while (entries-- > 1U) {
+ next += l->length;
+ if (next[l->length-1] != 0)
+ continue;
+ if (memcmp(current, next, l->length - 1) == 0)
+ return (ISC_TRUE);
+ current = next;
+ }
+ return (ISC_FALSE);
+}
+
+static const unsigned char *
+hashlist_findnext(const hashlist_t *l,
+ const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
+{
+ unsigned int entries = l->entries;
+ const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
+ l->length, hashlist_comp);
+ INSIST(next != NULL);
+
+ do {
+ if (next < l->hashbuf + (l->entries - 1) * l->length)
+ next += l->length;
+ else
+ next = l->hashbuf;
+ if (next[l->length - 1] == 0)
+ break;
+ } while (entries-- > 1);
+ INSIST(entries != 0);
+ return (next);
+}
+
+static isc_boolean_t
+hashlist_exists(const hashlist_t *l,
+ const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
+{
+ if (bsearch(hash, l->hashbuf, l->entries, l->length, hashlist_comp))
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+}
+
+static void
+addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
+ unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length)
+{
+ dns_fixedname_t fixed;
+ dns_name_t *wild;
+ dns_dbnode_t *node = NULL;
+ isc_result_t result;
+ char namestr[DNS_NAME_FORMATSIZE];
+
+ dns_fixedname_init(&fixed);
+ wild = dns_fixedname_name(&fixed);
+
+ result = dns_name_concatenate(dns_wildcardname, name, wild, NULL);
+ if (result == ISC_R_NOSPACE)
+ return;
+ check_result(result,"addnowildcardhash: dns_name_concatenate()");
+
+ result = dns_db_findnode(gdb, wild, ISC_FALSE, &node);
+ if (result == ISC_R_SUCCESS) {
+ dns_db_detachnode(gdb, &node);
+ return;
+ }
+
+ if (verbose) {
+ dns_name_format(wild, namestr, sizeof(namestr));
+ fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
+ }
+
+ hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_length,
+ ISC_TRUE);
+}
+
static void
opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
dns_db_t **dbp)
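Review bot: hashlist_add assigns the result of realloc() straight back to `l->hashbuf`, so on allocation failure the original buffer is leaked and the memset()/memcpy() on the following two lines write through a NULL pointer; hashlist_init tolerates a failed malloc() by leaving `size` at 0, but nothing catches the failure here. Keep the old pointer until the new one is known good, e.g. `unsigned char *tmp = realloc(l->hashbuf, l->size * l->length);` / `if (tmp == NULL) fatal("out of memory growing hash list");` / `l->hashbuf = tmp;`. The product `l->size * l->length` is not checked for overflow either; with NSEC3 hash lengths that needs a very large zone on a 32-bit build, but a `REQUIRE(l->size <= SIZE_MAX / l->length)` before the call would document the bound. hashlist_comp compares `hash_length + 1` bytes from the file-scope variable rather than `l->length`, so the two must be kept in step by whoever calls hashlist_init; a comment on hashlist_comp stating that qsort/bsearch give no context argument and the global must equal `l->length - 1` would save the next reader a search.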
@@ -665,91 +845,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
}
static isc_boolean_t
-nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
- unsigned int val)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_nsec_t nsec;
- unsigned int newlen;
- unsigned char bitmap[8192 + 512];
- unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE];
- isc_boolean_t answer = ISC_FALSE;
- unsigned int i, len, window;
- int octet;
-
- result = dns_rdataset_first(rdataset);
- check_result(result, "dns_rdataset_first()");
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- check_result(result, "dns_rdata_tostruct");
-
- INSIST(nsec.len <= sizeof(bitmap));
-
- newlen = 0;
-
- memset(bitmap, 0, sizeof(bitmap));
- for (i = 0; i < nsec.len; i += len) {
- INSIST(i + 2 <= nsec.len);
- window = nsec.typebits[i];
- len = nsec.typebits[i+1];
- i += 2;
- INSIST(len > 0 && len <= 32);
- INSIST(i + len <= nsec.len);
- memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len);
- }
- set_bit(bitmap + 512, type, val);
- for (window = 0; window < 256; window++) {
- for (octet = 31; octet >= 0; octet--)
- if (bitmap[window * 32 + 512 + octet] != 0)
- break;
- if (octet < 0)
- continue;
- bitmap[newlen] = window;
- bitmap[newlen + 1] = octet + 1;
- newlen += 2;
- /*
- * Overlapping move.
- */
- memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1);
- newlen += octet + 1;
- }
- if (newlen != nsec.len ||
- memcmp(nsec.typebits, bitmap, newlen) != 0) {
- dns_rdata_t newrdata = DNS_RDATA_INIT;
- isc_buffer_t b;
- dns_diff_t diff;
- dns_difftuple_t *tuple = NULL;
-
- dns_diff_init(mctx, &diff);
- result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name,
- rdataset->ttl, &rdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
-
- nsec.typebits = bitmap;
- nsec.len = newlen;
- isc_buffer_init(&b, nsecdata, sizeof(nsecdata));
- result = dns_rdata_fromstruct(&newrdata, rdata.rdclass,
- dns_rdatatype_nsec, &nsec,
- &b);
- check_result(result, "dns_rdata_fromstruct");
-
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- name, rdataset->ttl,
- &newrdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- result = dns_diff_apply(&diff, gdb, gversion);
- check_result(result, "dns_difftuple_apply");
- dns_diff_clear(&diff);
- answer = ISC_TRUE;
- }
- dns_rdata_freestruct(&nsec);
- return (answer);
-}
-
-static isc_boolean_t
delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
dns_rdataset_t nsset;
isc_result_t result;
@@ -769,10 +864,25 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
return (ISC_TF(result == ISC_R_SUCCESS));
}
+static isc_boolean_t
+secure(dns_name_t *name, dns_dbnode_t *node) {
+ dns_rdataset_t dsset;
+ isc_result_t result;
+
+ if (dns_name_equal(name, gorigin))
+ return (ISC_FALSE);
+
+ dns_rdataset_init(&dsset);
+ result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ds,
+ 0, 0, &dsset, NULL);
+ if (dns_rdataset_isassociated(&dsset))
+ dns_rdataset_disassociate(&dsset);
+
+ return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
/*%
- * Signs all records at a name. This mostly just signs each set individually,
- * but also adds the RRSIG bit to any NSECs generated earlier, deals with
- * parent/child KEY signatures, and handles other exceptional cases.
+ * Signs all records at a name.
*/
static void
signname(dns_dbnode_t *node, dns_name_t *name) {
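Review bot: secure() is added without a header comment even though its answer decides which delegations are left out of the chain under OPTOUT (the `OPTOUT(nsec3flags) && !secure(...)` callers later in the file), and the early `return (ISC_FALSE)` for the origin is easy to misread as a bug. I would put `/*% Is 'name' a secure delegation, i.e. does the node hold a DS RRset? The zone origin is never reported as secure. */` above it. It is also worth stating that only ISC_R_SUCCESS counts: any other result from dns_db_findrdataset() is treated as "no DS", which is fine here but not obvious.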
@@ -780,89 +890,19 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_rdataset_t rdataset;
dns_rdatasetiter_t *rdsiter;
isc_boolean_t isdelegation = ISC_FALSE;
- isc_boolean_t hasds = ISC_FALSE;
- isc_boolean_t changed = ISC_FALSE;
dns_diff_t del, add;
char namestr[DNS_NAME_FORMATSIZE];
- isc_uint32_t nsttl = 0;
+ dns_rdataset_init(&rdataset);
dns_name_format(name, namestr, sizeof(namestr));
/*
* Determine if this is a delegation point.
*/
- if (delegation(name, node, &nsttl))
+ if (delegation(name, node, NULL))
isdelegation = ISC_TRUE;
/*
- * If this is a delegation point, look for a DS set.
- */
- if (isdelegation) {
- dns_rdataset_t dsset;
- dns_rdataset_t sigdsset;
-
- dns_rdataset_init(&dsset);
- dns_rdataset_init(&sigdsset);
- result = dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_ds,
- 0, 0, &dsset, &sigdsset);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&dsset);
- if (generateds) {
- result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_ds,
- 0);
- check_result(result, "dns_db_deleterdataset");
- } else
- hasds = ISC_TRUE;
- }
- if (generateds) {
- result = loadds(name, nsttl, &dsset);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_addrdataset(gdb, node,
- gversion, 0,
- &dsset, 0, NULL);
- check_result(result, "dns_db_addrdataset");
- hasds = ISC_TRUE;
- dns_rdataset_disassociate(&dsset);
- if (dns_rdataset_isassociated(&sigdsset))
- dns_rdataset_disassociate(&sigdsset);
- } else if (dns_rdataset_isassociated(&sigdsset)) {
- result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds);
- check_result(result, "dns_db_deleterdataset");
- dns_rdataset_disassociate(&sigdsset);
- }
- } else if (dns_rdataset_isassociated(&sigdsset))
- dns_rdataset_disassociate(&sigdsset);
- }
-
- /*
- * Make sure that NSEC bits are appropriately set.
- */
- dns_rdataset_init(&rdataset);
- RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0, &rdataset,
- NULL) == ISC_R_SUCCESS);
- if (!nokeys)
- changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1);
- if (changed) {
- dns_rdataset_disassociate(&rdataset);
- RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0,
- &rdataset,
- NULL) == ISC_R_SUCCESS);
- }
- if (hasds)
- (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1);
- else
- (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0);
- dns_rdataset_disassociate(&rdataset);
-
- /*
* Now iterate through the rdatasets.
*/
dns_diff_init(mctx, &del);
@@ -884,7 +924,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
* isn't a DS record.
*/
if (isdelegation) {
- if (rdataset.type != dns_rdatatype_nsec &&
+ if (rdataset.type != nsec_datatype &&
rdataset.type != dns_rdatatype_ds)
goto skip;
} else if (rdataset.type == dns_rdatatype_ds) {
@@ -938,6 +978,7 @@ active_node(dns_dbnode_t *node) {
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
if (rdataset.type != dns_rdatatype_nsec &&
+ rdataset.type != dns_rdatatype_nsec3 &&
rdataset.type != dns_rdatatype_rrsig)
active = ISC_TRUE;
dns_rdataset_disassociate(&rdataset);
@@ -950,7 +991,7 @@ active_node(dns_dbnode_t *node) {
fatal("rdataset iteration failed: %s",
isc_result_totext(result));
- if (!active) {
+ if (!active && nsec_datatype == dns_rdatatype_nsec) {
/*%
* The node is empty of everything but NSEC / RRSIG records.
*/
@@ -1009,6 +1050,32 @@ active_node(dns_dbnode_t *node) {
fatal("rdataset iteration failed: %s",
isc_result_totext(result));
dns_rdatasetiter_destroy(&rdsiter2);
+
+#if 0
+ /*
+ * Delete all NSEC records and RRSIG(NSEC) if we are in
+ * NSEC3 mode and vica versa.
+ */
+ for (result = dns_rdatasetiter_first(rdsiter2);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter2)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ if (type == dns_rdatatype_rrsig)
+ type = covers;
+ dns_rdataset_disassociate(&rdataset);
+ if (type == nsec_datatype ||
+ (type != dns_rdatatype_nsec &&
+ type != dns_rdatatype_nsec3))
+ continue;
+ if (covers != 0)
+ type = dns_rdatatype_rrsig;
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result, "dns_db_deleterdataset()");
+ }
+#endif
}
dns_rdatasetiter_destroy(&rdsiter);
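Review bot: The `#if 0` block added at the end of active_node() cannot be enabled as it stands: it iterates `rdsiter2` but fetches each rdataset from `rdsiter` (`dns_rdatasetiter_current(rdsiter, &rdataset)`), and it sits directly after `dns_rdatasetiter_destroy(&rdsiter2)`, so the iterator it walks has already been destroyed. Dead code with latent bugs tends to be switched on later without a second look; either drop the block or move it above the destroy call, fix the iterator name, and leave a one-line `/* XXX: NSEC<->NSEC3 chain cleanup disabled until ... */` saying why it is off. The enclosing function starts and ends outside this hunk.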
@@ -1169,11 +1236,8 @@ presign(void) {
isc_result_t result;
gdbiter = NULL;
- result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter);
+ result = dns_db_createiterator(gdb, 0, &gdbiter);
check_result(result, "dns_db_createiterator()");
-
- result = dns_dbiterator_first(gdbiter);
- check_result(result, "dns_dbiterator_first()");
}
/*%
@@ -1186,6 +1250,8 @@ postsign(void) {
/*%
* Sign the apex of the zone.
+ * Note the origin may not be the first node if there are out of zone
+ * records.
*/
static void
signapex(void) {
@@ -1196,13 +1262,15 @@ signapex(void) {
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
+ result = dns_dbiterator_seek(gdbiter, gorigin);
+ check_result(result, "dns_dbiterator_seek()");
result = dns_dbiterator_current(gdbiter, &node, name);
check_result(result, "dns_dbiterator_current()");
signname(node, name);
dumpnode(name, node);
cleannode(gdb, gversion, node);
dns_db_detachnode(gdb, &node);
- result = dns_dbiterator_next(gdbiter);
+ result = dns_dbiterator_first(gdbiter);
if (result == ISC_R_NOMORE)
finished = ISC_TRUE;
else if (result != ISC_R_SUCCESS)
@@ -1223,6 +1291,8 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
dns_rdataset_t nsec;
isc_boolean_t found;
isc_result_t result;
+ static dns_name_t *zonecut = NULL; /* Protected by namelock. */
+ static dns_fixedname_t fzonecut; /* Protected by namelock. */
static unsigned int ended = 0; /* Protected by namelock. */
if (shuttingdown)
@@ -1250,19 +1320,51 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
if (result != ISC_R_SUCCESS)
fatal("failure iterating database: %s",
isc_result_totext(result));
+ /*
+ * The origin was handled by signapex().
+ */
+ if (dns_name_equal(name, gorigin)) {
+ dns_db_detachnode(gdb, &node);
+ goto next;
+ }
+ /*
+ * Sort the zone data from the glue and out-of-zone data.
+ * For NSEC zones nodes with zone data have NSEC records.
+ * For NSEC3 zones the NSEC3 nodes are zone data but
+ * outside of the zone name space. For the rest we need
+ * to track the bottom of zone cuts.
+ * Nodes which don't need to be signed are dumped here.
+ */
dns_rdataset_init(&nsec);
result = dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0,
+ nsec_datatype, 0, 0,
&nsec, NULL);
- if (result == ISC_R_SUCCESS)
- found = ISC_TRUE;
- else
- dumpnode(name, node);
if (dns_rdataset_isassociated(&nsec))
dns_rdataset_disassociate(&nsec);
- if (!found)
+ if (result == ISC_R_SUCCESS) {
+ found = ISC_TRUE;
+ } else if (nsec_datatype == dns_rdatatype_nsec3) {
+ if (dns_name_issubdomain(name, gorigin) &&
+ (zonecut == NULL ||
+ !dns_name_issubdomain(name, zonecut))) {
+ if (delegation(name, node, NULL)) {
+ dns_fixedname_init(&fzonecut);
+ zonecut = dns_fixedname_name(&fzonecut);
+ dns_name_copy(name, zonecut, NULL);
+ if (!OPTOUT(nsec3flags) ||
+ secure(name, node))
+ found = ISC_TRUE;
+ } else
+ found = ISC_TRUE;
+ }
+ }
+
+ if (!found) {
+ dumpnode(name, node);
dns_db_detachnode(gdb, &node);
+ }
+ next:
result = dns_dbiterator_next(gdbiter);
if (result == ISC_R_NOMORE) {
finished = ISC_TRUE;
@@ -1348,6 +1450,43 @@ sign(isc_task_t *task, isc_event_t *event) {
}
/*%
+ * Update / remove the DS RRset. Preserve RRSIG(DS) if possible.
+ */
+static void
+add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
+ dns_rdataset_t dsset;
+ dns_rdataset_t sigdsset;
+ isc_result_t result;
+
+ dns_rdataset_init(&dsset);
+ dns_rdataset_init(&sigdsset);
+ result = dns_db_findrdataset(gdb, node, gversion,
+ dns_rdatatype_ds,
+ 0, 0, &dsset, &sigdsset);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdataset_disassociate(&dsset);
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_ds, 0);
+ check_result(result, "dns_db_deleterdataset");
+ }
+ result = loadds(name, nsttl, &dsset);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_db_addrdataset(gdb, node, gversion, 0,
+ &dsset, 0, NULL);
+ check_result(result, "dns_db_addrdataset");
+ dns_rdataset_disassociate(&dsset);
+ if (dns_rdataset_isassociated(&sigdsset))
+ dns_rdataset_disassociate(&sigdsset);
+ } else if (dns_rdataset_isassociated(&sigdsset)) {
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds);
+ check_result(result, "dns_db_deleterdataset");
+ dns_rdataset_disassociate(&sigdsset);
+ }
+}
+
+/*%
* Generate NSEC records for the zone.
*/
static void
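Review bot: add_ds() deletes an existing DS RRset unconditionally before loadds() is attempted, so when loadds() fails for a delegation that currently has a DS, both the DS and its RRSIG(DS) are removed and the delegation silently becomes insecure; the header comment ("Update / remove the DS RRset. Preserve RRSIG(DS) if possible.") does not say so. If that is the intended -g semantics, extend the comment, e.g. `Called for every delegation when -g is given: the DS RRset is replaced by whatever loadds() returns and dropped, with its RRSIG, when nothing is found.`; otherwise a vbprintf() on the failure path would give the operator a chance to notice. loadds() is not visible here, so whether a missing dsset file is distinguished from a parse error is outside this hunk.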
@@ -1358,6 +1497,7 @@ nsecify(void) {
dns_name_t *name, *nextname, *zonecut;
isc_boolean_t done = ISC_FALSE;
isc_result_t result;
+ isc_uint32_t nsttl = 0;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
@@ -1366,7 +1506,7 @@ nsecify(void) {
dns_fixedname_init(&fzonecut);
zonecut = NULL;
- result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter);
+ result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
check_result(result, "dns_db_createiterator()");
result = dns_dbiterator_first(dbiter);
@@ -1374,9 +1514,11 @@ nsecify(void) {
while (!done) {
dns_dbiterator_current(dbiter, &node, name);
- if (delegation(name, node, NULL)) {
+ if (delegation(name, node, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
+ if (generateds)
+ add_ds(name, node, nsttl);
}
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
@@ -1419,6 +1561,451 @@ nsecify(void) {
}
/*%
+ * Does this node only contain NSEC3 records or RRSIG records or is empty.
+ */
+static isc_boolean_t
+nsec3only(dns_dbnode_t *node) {
+ dns_rdatasetiter_t *rdsiter = NULL;
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+ isc_boolean_t answer = ISC_TRUE;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ result = dns_rdatasetiter_first(rdsiter);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ if (rdataset.type != dns_rdatatype_nsec3 &&
+ rdataset.type != dns_rdatatype_rrsig) {
+ answer = ISC_FALSE;
+ result = ISC_R_NOMORE;
+ } else
+ result = dns_rdatasetiter_next(rdsiter);
+ dns_rdataset_disassociate(&rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdataset iteration failed: %s",
+ isc_result_totext(result));
+ dns_rdatasetiter_destroy(&rdsiter);
+ return (answer);
+}
+
+static void
+addnsec3param(const unsigned char *salt, size_t salt_length,
+ unsigned int iterations)
+{
+ dns_dbnode_t *node = NULL;
+ dns_rdata_nsec3param_t nsec3param;
+ unsigned char nsec3parambuf[5 + 255];
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ dns_rdataset_init(&rdataset);
+
+ nsec3param.common.rdclass = gclass;
+ nsec3param.common.rdtype = dns_rdatatype_nsec3param;
+ ISC_LINK_INIT(&nsec3param.common, link);
+ nsec3param.mctx = NULL;
+ nsec3param.flags = 0;
+ nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1;
+ nsec3param.iterations = iterations;
+ nsec3param.salt_length = salt_length;
+ DE_CONST(salt, nsec3param.salt);
+
+ isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf));
+ result = dns_rdata_fromstruct(&rdata, gclass,
+ dns_rdatatype_nsec3param,
+ &nsec3param, &b);
+ rdatalist.rdclass = rdata.rdclass;
+ rdatalist.type = rdata.type;
+ rdatalist.covers = 0;
+ rdatalist.ttl = 0;
+ ISC_LIST_INIT(rdatalist.rdata);
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+ result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+ check_result(result, "dns_rdatalist_tordataset()");
+
+ result = dns_db_findnode(gdb, gorigin, ISC_TRUE, &node);
+ check_result(result, "dns_db_find(gorigin)");
+ result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset,
+ DNS_DBADD_MERGE, NULL);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result, "addnsec3param: dns_db_addrdataset()");
+ dns_db_detachnode(gdb, &node);
+}
+
+static void
+addnsec3(dns_name_t *name, dns_dbnode_t *node,
+ const unsigned char *salt, size_t salt_length,
+ unsigned int iterations, hashlist_t *hashlist,
+ dns_ttl_t ttl)
+{
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+ const unsigned char *nexthash;
+ unsigned char nsec3buffer[DNS_NSEC3_BUFFERSIZE];
+ dns_fixedname_t hashname;
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ dns_dbnode_t *nsec3node = NULL;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ size_t hash_length;
+
+ dns_name_format(name, namebuf, sizeof(namebuf));
+
+ dns_fixedname_init(&hashname);
+ dns_rdataset_init(&rdataset);
+
+ dns_name_downcase(name, name, NULL);
+ result = dns_nsec3_hashname(&hashname, hash, &hash_length,
+ name, gorigin, dns_hash_sha1, iterations,
+ salt, salt_length);
+ check_result(result, "addnsec3: dns_nsec3_hashname()");
+ nexthash = hashlist_findnext(hashlist, hash);
+ result = dns_nsec3_buildrdata(gdb, gversion, node,
+ unknownalg ?
+ DNS_NSEC3_UNKNOWNALG : dns_hash_sha1,
+ nsec3flags, iterations,
+ salt, salt_length,
+ nexthash, ISC_SHA1_DIGESTLENGTH,
+ nsec3buffer, &rdata);
+ check_result(result, "addnsec3: dns_nsec3_buildrdata()");
+ rdatalist.rdclass = rdata.rdclass;
+ rdatalist.type = rdata.type;
+ rdatalist.covers = 0;
+ rdatalist.ttl = ttl;
+ ISC_LIST_INIT(rdatalist.rdata);
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+ result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+ check_result(result, "dns_rdatalist_tordataset()");
+ result = dns_db_findnsec3node(gdb, dns_fixedname_name(&hashname),
+ ISC_TRUE, &nsec3node);
+ check_result(result, "addnsec3: dns_db_findnode()");
+ result = dns_db_addrdataset(gdb, nsec3node, gversion, 0, &rdataset,
+ 0, NULL);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result, "addnsec3: dns_db_addrdataset()");
+ dns_db_detachnode(gdb, &nsec3node);
+}
+
+/*%
+ * Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list.
+ *
+ * Extract the hash from the first label of 'name' then see if it
+ * is in hashlist. If 'name' is not in the hashlist then delete the
+ * any NSEC3 records which have the same parameters as the chain we
+ * are building.
+ *
+ * XXXMPA Should we also check that it of the form <hash>.<origin>?
+ */
+static void
+nsec3clean(dns_name_t *name, dns_dbnode_t *node,
+ unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+{
+ dns_label_t label;
+ dns_rdata_nsec3_t nsec3;
+ dns_rdata_t rdata, delrdata;
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset, delrdataset;
+ isc_boolean_t delete_rrsigs = ISC_FALSE;
+ isc_buffer_t target;
+ isc_result_t result;
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+
+ /*
+ * Get the first label.
+ */
+ dns_name_getlabel(name, 0, &label);
+
+ /*
+ * We want just the label contents.
+ */
+ isc_region_consume(&label, 1);
+
+ /*
+ * Decode base32hex string.
+ */
+ isc_buffer_init(&target, hash, sizeof(hash) - 1);
+ result = isc_base32hex_decoderegion(&label, &target);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ hash[isc_buffer_usedlength(&target)] = 0;
+
+ if (hashlist_exists(hashlist, hash))
+ return;
+
+ /*
+ * Verify that the NSEC3 parameters match the current ones
+ * otherwise we are dealing with a different NSEC3 chain.
+ */
+ dns_rdataset_init(&rdataset);
+ dns_rdataset_init(&delrdataset);
+
+ result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_nsec3,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ /*
+ * Delete any matching NSEC3 records which have parameters that
+ * match the NSEC3 chain we are building.
+ */
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(&rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &nsec3, NULL);
+ if (nsec3.hash == hashalg &&
+ nsec3.iterations == iterations &&
+ nsec3.salt_length == salt_length &&
+ !memcmp(nsec3.salt, salt, salt_length))
+ break;
+ rdatalist.rdclass = rdata.rdclass;
+ rdatalist.type = rdata.type;
+ rdatalist.covers = 0;
+ rdatalist.ttl = rdataset.ttl;
+ ISC_LIST_INIT(rdatalist.rdata);
+ dns_rdata_init(&delrdata);
+ dns_rdata_clone(&rdata, &delrdata);
+ ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link);
+ result = dns_rdatalist_tordataset(&rdatalist, &delrdataset);
+ check_result(result, "dns_rdatalist_tordataset()");
+ result = dns_db_subtractrdataset(gdb, node, gversion,
+ &delrdataset, 0, NULL);
+ dns_rdataset_disassociate(&delrdataset);
+ if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+ check_result(result, "dns_db_subtractrdataset(NSEC3)");
+ delete_rrsigs = ISC_TRUE;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_NOMORE)
+ check_result(result, "dns_rdataset_first/next");
+
+ if (!delete_rrsigs)
+ return;
+ /*
+ * Delete the NSEC3 RRSIGs
+ */
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_nsec3);
+ if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+ check_result(result, "dns_db_deleterdataset(RRSIG(NSEC3))");
+}
+
+/*
+ * Generate NSEC3 records for the zone.
+ */
+static void
+nsec3ify(unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+{
+ dns_dbiterator_t *dbiter = NULL;
+ dns_dbnode_t *node = NULL, *nextnode = NULL;
+ dns_fixedname_t fname, fnextname, fzonecut;
+ dns_name_t *name, *nextname, *zonecut;
+ isc_boolean_t done = ISC_FALSE;
+ isc_result_t result;
+ isc_boolean_t active;
+ isc_uint32_t nsttl = 0;
+ unsigned int count, nlabels;
+ int order;
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_fixedname_init(&fnextname);
+ nextname = dns_fixedname_name(&fnextname);
+ dns_fixedname_init(&fzonecut);
+ zonecut = NULL;
+
+ /*
+ * Walk the zone generating the hash names.
+ */
+ result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
+
+ while (!done) {
+ dns_dbiterator_current(dbiter, &node, name);
+ result = dns_dbiterator_next(dbiter);
+ nextnode = NULL;
+ while (result == ISC_R_SUCCESS) {
+ result = dns_dbiterator_current(dbiter, &nextnode,
+ nextname);
+ if (result != ISC_R_SUCCESS)
+ break;
+ active = active_node(nextnode);
+ if (!active) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (!dns_name_issubdomain(nextname, gorigin) ||
+ (zonecut != NULL &&
+ dns_name_issubdomain(nextname, zonecut))) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (delegation(nextname, nextnode, &nsttl)) {
+ zonecut = dns_fixedname_name(&fzonecut);
+ dns_name_copy(nextname, zonecut, NULL);
+ if (generateds)
+ add_ds(nextname, nextnode, nsttl);
+ if (OPTOUT(nsec3flags) &&
+ !secure(nextname, nextnode)) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ }
+ dns_db_detachnode(gdb, &nextnode);
+ break;
+ }
+ if (result == ISC_R_NOMORE) {
+ dns_name_copy(gorigin, nextname, NULL);
+ done = ISC_TRUE;
+ } else if (result != ISC_R_SUCCESS)
+ fatal("iterating through the database failed: %s",
+ isc_result_totext(result));
+ dns_name_downcase(name, name, NULL);
+ hashlist_add_dns_name(hashlist, name, hashalg, iterations,
+ salt, salt_length, ISC_FALSE);
+ dns_db_detachnode(gdb, &node);
+ /*
+ * Add hashs for empty nodes. Use closest encloser logic.
+ * The closest encloser either has data or is a empty
+ * node for another <name,nextname> span so we don't add
+ * it here. Empty labels on nextname are within the span.
+ */
+ dns_name_downcase(nextname, nextname, NULL);
+ dns_name_fullcompare(name, nextname, &order, &nlabels);
+ addnowildcardhash(hashlist, name, hashalg, iterations,
+ salt, salt_length);
+ count = dns_name_countlabels(nextname);
+ while (count > nlabels + 1) {
+ count--;
+ dns_name_split(nextname, count, NULL, nextname);
+ hashlist_add_dns_name(hashlist, nextname, hashalg,
+ iterations, salt, salt_length,
+ ISC_FALSE);
+ addnowildcardhash(hashlist, nextname, hashalg,
+ iterations, salt, salt_length);
+ }
+ }
+ dns_dbiterator_destroy(&dbiter);
+
+ /*
+ * We have all the hashes now so we can sort them.
+ */
+ hashlist_sort(hashlist);
+
+ /*
+ * Check for duplicate hashes. If found the salt needs to
+ * be changed.
+ */
+ if (hashlist_hasdup(hashlist))
+ fatal("Duplicate hash detected. Pick a different salt.");
+
+ /*
+ * Generate the nsec3 records.
+ */
+ zonecut = NULL;
+ done = ISC_FALSE;
+
+ addnsec3param(salt, salt_length, iterations);
+
+ result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
+
+ while (!done) {
+ dns_dbiterator_current(dbiter, &node, name);
+ result = dns_dbiterator_next(dbiter);
+ nextnode = NULL;
+ while (result == ISC_R_SUCCESS) {
+ result = dns_dbiterator_current(dbiter, &nextnode,
+ nextname);
+ if (result != ISC_R_SUCCESS)
+ break;
+ /*
+ * Cleanout NSEC3 RRsets which don't exist in the
+ * hash table.
+ */
+ nsec3clean(nextname, nextnode, hashalg, iterations,
+ salt, salt_length, hashlist);
+ /*
+ * Skip NSEC3 only nodes when looking for the next
+ * node in the zone. Also skips now empty nodes.
+ */
+ if (nsec3only(nextnode)) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (!dns_name_issubdomain(nextname, gorigin) ||
+ (zonecut != NULL &&
+ dns_name_issubdomain(nextname, zonecut))) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (delegation(nextname, nextnode, NULL)) {
+ zonecut = dns_fixedname_name(&fzonecut);
+ dns_name_copy(nextname, zonecut, NULL);
+ if (OPTOUT(nsec3flags) &&
+ !secure(nextname, nextnode)) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ }
+ dns_db_detachnode(gdb, &nextnode);
+ break;
+ }
+ if (result == ISC_R_NOMORE) {
+ dns_name_copy(gorigin, nextname, NULL);
+ done = ISC_TRUE;
+ } else if (result != ISC_R_SUCCESS)
+ fatal("iterating through the database failed: %s",
+ isc_result_totext(result));
+ /*
+ * We need to pause here to release the lock on the database.
+ */
+ dns_dbiterator_pause(dbiter);
+ addnsec3(name, node, salt, salt_length, iterations,
+ hashlist, zonettl);
+ dns_db_detachnode(gdb, &node);
+ /*
+ * Add NSEC3's for empty nodes. Use closest encloser logic.
+ */
+ dns_name_fullcompare(name, nextname, &order, &nlabels);
+ count = dns_name_countlabels(nextname);
+ while (count > nlabels + 1) {
+ count--;
+ dns_name_split(nextname, count, NULL, nextname);
+ addnsec3(nextname, NULL, salt, salt_length,
+ iterations, hashlist, zonettl);
+ }
+ }
+ dns_dbiterator_destroy(&dbiter);
+}
+
+/*%
* Load the zone file from disk
*/
static void
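Review bot: nsec3clean() deletes the opposite set of NSEC3 records from what its comments describe: the loop `break`s as soon as a record's hash/iterations/salt match the chain being built and subtracts every record that does not match, while the header comment says the stale records to remove are the ones with the same parameters (this name's hash is, by the hashlist_exists() test above, not part of the new chain). The loop should skip the non-matching records and delete the matching one: `if (nsec3.hash != hashalg || nsec3.iterations != iterations || nsec3.salt_length != salt_length || memcmp(nsec3.salt, salt, salt_length) != 0) continue;` in place of the `break`, leaving the delete below it. As written, a re-sign with unchanged parameters appears to leave stale NSEC3 records in place and tear down any other chain present instead. Separately, addnsec3param() never checks the result of `dns_rdata_fromstruct()` before using `rdata`; a `check_result(result, "dns_rdata_fromstruct()");` would match the rest of the file.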
@@ -1788,6 +2375,9 @@ usage(void) {
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
+ fprintf(stderr, "\t-3 salt (NSEC3 salt)\n");
+ fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n");
+ fprintf(stderr, "\t-A (NSEC3 optout)\n");
fprintf(stderr, "\t-z:\t");
fprintf(stderr, "ignore KSK flag in DNSKEYs");
@@ -1852,6 +2442,36 @@ main(int argc, char *argv[]) {
isc_task_t **tasks = NULL;
isc_buffer_t b;
int len;
+ unsigned int iterations = 100U;
+ const unsigned char *salt = NULL;
+ size_t salt_length = 0;
+ unsigned char saltbuf[255];
+ hashlist_t hashlist;
+
+#define CMDLINE_FLAGS "3:aAc:d:e:f:ghH:i:I:j:k:l:m:n:N:o:O:pr:s:StUv:z"
+
+ /*
+ * Process memory debugging argument first.
+ */
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (ch) {
+ case 'm':
+ if (strcasecmp(isc_commandline_argument, "record") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ if (strcasecmp(isc_commandline_argument, "trace") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+ if (strcasecmp(isc_commandline_argument, "usage") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+ if (strcasecmp(isc_commandline_argument, "size") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+ if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+ break;
+ default:
+ break;
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
masterstyle = &dns_master_style_explicitttl;
@@ -1863,10 +2483,34 @@ main(int argc, char *argv[]) {
dns_result_register();
- while ((ch = isc_commandline_parse(argc, argv,
- "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
- != -1) {
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
+ case '3':
+ if (strcmp(isc_commandline_argument, "-")) {
+ isc_buffer_t target;
+ char *sarg;
+
+ sarg = isc_commandline_argument;
+ isc_buffer_init(&target, saltbuf,
+ sizeof(saltbuf));
+ result = isc_hex_decodestring(sarg, &target);
+ check_result(result,
+ "isc_hex_decodestring(salt)");
+ salt = saltbuf;
+ salt_length = isc_buffer_usedlength(&target);
+ } else {
+ salt = saltbuf;
+ salt_length = 0;
+ }
+ nsec_datatype = dns_rdatatype_nsec3;
+ break;
+
+ case 'A':
+ nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
+ break;
+
case 'a':
tryverify = ISC_TRUE;
break;
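Review bot: `-A` sets `nsec3flags |= DNS_NSEC3FLAG_OPTOUT` regardless of whether `-3` was given, and nothing in this hunk rejects the combination; unless a later check outside it does, `-A` without `-3` is silently ignored while the operator believes opt-out was applied. A check after option parsing such as `if (OPTOUT(nsec3flags) && nsec_datatype != dns_rdatatype_nsec3) fatal("-A requires -3");` would close that. The `-3` branch is fine as far as it goes: a malformed or over-long hex salt is caught by check_result() on isc_hex_decodestring(), though the message `isc_hex_decodestring(salt)` could name the option for the user.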
@@ -1891,11 +2535,19 @@ main(int argc, char *argv[]) {
generateds = ISC_TRUE;
break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
case 'h':
- default:
usage();
break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+
case 'i':
endp = NULL;
cycle = strtol(isc_commandline_argument, &endp, 0);
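Review bot: The new `case '?':` deliberately falls through into `case 'h':` after printing the invalid-argument message, but nothing marks that; the next reader (or -Wimplicit-fallthrough) will flag it. Add `/* FALLTHROUGH */` as the last line of the `'?'` case. Making `default:` a hard error instead of printing usage is a good move, since a silently mis-handled option becomes a visible failure.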
@@ -1934,6 +2586,9 @@ main(int argc, char *argv[]) {
dskeyfile[ndskeys++] = isc_commandline_argument;
break;
+ case 'm':
+ break;
+
case 'n':
endp = NULL;
ntasks = strtol(isc_commandline_argument, &endp, 0);
@@ -1945,6 +2600,15 @@ main(int argc, char *argv[]) {
serialformatstr = isc_commandline_argument;
break;
+ case 'H':
+ iterations = strtoul(isc_commandline_argument,
+ &endp, 0);
+ if (*endp != '\0')
+ fatal("iterations must be numeric");
+ if (iterations > 0xffffU)
+ fatal("iterations too big");
+ break;
+
case 'o':
origin = isc_commandline_argument;
break;
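Review bot: The `-H` parser accepts an empty argument: for `-H ""` strtoul() returns 0 with `*endp == '\0'`, so the "iterations must be numeric" check passes and a zero-iteration chain is generated without complaint; leading whitespace and a `+` sign slip through the same way. Tighten it to `if (endp == isc_commandline_argument || *endp != '\0') fatal("iterations must be numeric");`, and set `endp = NULL;` first as the neighbouring `-i` and `-v` cases do. The `> 0xffff` bound already catches negative input that strtoul() wraps to a huge value, so that part is fine.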
@@ -1975,6 +2639,10 @@ main(int argc, char *argv[]) {
printstats = ISC_TRUE;
break;
+ case 'U': /* Undocumented for testing only. */
+ unknownalg = ISC_TRUE;
+ break;
+
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -2018,7 +2686,7 @@ main(int argc, char *argv[]) {
cycle = (endtime - starttime) / 4;
if (ntasks == 0)
- ntasks = isc_os_ncpus();
+ ntasks = isc_os_ncpus() * 2;
vbprintf(4, "using %d cpus\n", ntasks);
rdclass = strtoclass(classname);
@@ -2082,7 +2750,6 @@ main(int argc, char *argv[]) {
0, 24, 0, 0, 0, 8, mctx);
check_result(result, "dns_master_stylecreate");
-
gdb = NULL;
TIME_NOW(&timer_start);
loadzone(file, origin, rdclass, &gdb);
@@ -2090,6 +2757,18 @@ main(int argc, char *argv[]) {
gclass = dns_db_class(gdb);
zonettl = soattl();
+ if (IS_NSEC3) {
+ isc_boolean_t answer;
+ hash_length = dns_nsec3_hashlength(dns_hash_sha1);
+ hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
+ hash_length);
+ result = dns_nsec_nseconly(gdb, gversion, &answer);
+ check_result(result, "dns_nsec_nseconly");
+ if (answer)
+ fatal("NSEC3 generation requested with "
+ "NSEC only DNSKEY");
+ }
+
ISC_LIST_INIT(keylist);
if (argc == 0) {
@@ -2106,6 +2785,9 @@ main(int argc, char *argv[]) {
fatal("cannot load dnskey %s: %s", argv[i],
isc_result_totext(result));
+ if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+ fatal("key %s not at origin\n", argv[i]);
+
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
dst_key_t *dkey = key->key;
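Review bot: The new fatal() message ends in an explicit `\n` (`"key %s not at origin\n"`), while every other fatal() in this file (`"iterations must be numeric"`, `"NSEC3 generation requested with NSEC only DNSKEY"`) omits it, which suggests fatal() supplies its own line ending and this message will print a stray blank line. Use `fatal("key %s not at origin", argv[i]);`; the identical line in the dskeyfile loop below has the same issue. The check itself is welcome: signing with a key whose owner name is not the zone apex produces RRSIGs no validator can use.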
@@ -2143,6 +2825,9 @@ main(int argc, char *argv[]) {
fatal("cannot load dnskey %s: %s", dskeyfile[i],
isc_result_totext(result));
+ if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+ fatal("key %s not at origin\n", dskeyfile[i]);
+
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
dst_key_t *dkey = key->key;
@@ -2176,6 +2861,15 @@ main(int argc, char *argv[]) {
nokeys = ISC_TRUE;
}
+ if (IS_NSEC3) {
+ unsigned int max;
+ result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
+ check_result(result, "dns_nsec3_maxiterations()");
+ if (iterations > max)
+ fatal("NSEC3 iterations too big for weakest DNSKEY "
+ "strength. Maximum iterations allowed %u.", max);
+ }
+
warnifallksk(gdb);
gversion = NULL;
@@ -2195,7 +2889,11 @@ main(int argc, char *argv[]) {
break;
}
- nsecify();
+ if (IS_NSEC3)
+ nsec3ify(dns_hash_sha1, iterations, salt, salt_length,
+ &hashlist);
+ else
+ nsecify();
if (!nokeys) {
writeset("keyset-", dns_rdatatype_dnskey);
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
index 67eacc1..2f26ba4 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.10.18.19 2008/10/15 23:46:06 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.31 2008/10/14 14:28:25 jreed Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
@@ -77,6 +77,9 @@
<arg><option>-t</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
+ <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
+ <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
+ <arg><option>-A</option></arg>
<arg choice="req">zonefile</arg>
<arg rep="repeat">key</arg>
</cmdsynopsis>
@@ -400,6 +403,38 @@
</varlistentry>
<varlistentry>
+ <term>-3 <replaceable class="parameter">salt</replaceable></term>
+ <listitem>
+ <para>
+ Generate a NSEC3 chain with the given hex encoded salt.
+ A dash (<replaceable class="parameter">salt</replaceable>) can
+ be used to indicate that no salt is to be used when generating the NSEC3 chain.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-H <replaceable class="parameter">iterations</replaceable></term>
+ <listitem>
+ <para>
+ When generating a NSEC3 chain use this many interations. The
+ default is 100.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A</term>
+ <listitem>
+ <para>
+ When generating a NSEC3 chain set the OPTOUT flag on all
+ NSEC3 records and do not generate NSEC3 records for insecure
+ delegations.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>zonefile</term>
<listitem>
<para>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html
index 18d851d..6548d84 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.html
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.html,v 1.8.18.25 2008/10/16 01:29:40 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.33 2008/10/15 01:11:35 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543529"></a><h2>DESCRIPTION</h2>
+<a name="id2543550"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543544"></a><h2>OPTIONS</h2>
+<a name="id2543565"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -226,6 +226,23 @@
<dd><p>
Ignore KSK flag on key when determining what to sign.
</p></dd>
+<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
+<dd><p>
+ Generate a NSEC3 chain with the given hex encoded salt.
+ A dash (<em class="replaceable"><code>salt</code></em>) can
+ be used to indicate that no salt is to be used when generating the NSEC3 chain.
+ </p></dd>
+<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
+<dd><p>
+ When generating a NSEC3 chain use this many interations. The
+ default is 100.
+ </p></dd>
+<dt><span class="term">-A</span></dt>
+<dd><p>
+ When generating a NSEC3 chain set the OPTOUT flag on all
+ NSEC3 records and do not generate NSEC3 records for insecure
+ delegations.
+ </p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
@@ -241,7 +258,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544330"></a><h2>EXAMPLE</h2>
+<a name="id2544404"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -270,14 +287,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2544381"></a><h2>SEE ALSO</h2>
+<a name="id2544523"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544406"></a><h2>AUTHOR</h2>
+<a name="id2544548"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c
index 4f95540..e933a06 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.c
+++ b/contrib/bind9/bin/dnssec/dnssectool.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */
+/* $Id: dnssectool.c,v 1.45 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h
index c5f3648..ee476f4 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.h
+++ b/contrib/bind9/bin/dnssec/dnssectool.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */
+/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@@ -41,7 +41,7 @@ vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
void
type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
-#define TYPE_FORMATSIZE 10
+#define TYPE_FORMATSIZE 20
void
alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
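Review bot: The bump of `TYPE_FORMATSIZE` from 10 to 20 carries no comment saying what the bound is for, so the next person to add a longer type mnemonic has nothing to check against. Presumably the old value of 10 was exactly enough for `TYPE65535` plus the terminator and no longer fits a ten-character mnemonic such as `NSEC3PARAM`, but that is inferred, not visible here. Since every caller that declares `char buf[TYPE_FORMATSIZE]` and passes `sizeof buf` as `size` to `type_format()` relies on this constant, I would document the invariant on the define: `#define TYPE_FORMATSIZE 20 /* longest rdatatype mnemonic (or TYPEnnnnn) plus NUL */`. It would also be worth confirming that `type_format()` truncates safely rather than overrunning when a name ever exceeds `size`; its body is outside this hunk.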
diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in
index a809e59c..4d800a6 100644
--- a/contrib/bind9/bin/named/Makefile.in
+++ b/contrib/bind9/bin/named/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $
+# $Id: Makefile.in,v 1.101 2008/09/23 17:25:47 jinmei Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -21,6 +21,8 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
+@BIND9_CONFIGARGS@
+
@BIND9_MAKE_INCLUDES@
#
@@ -38,7 +40,7 @@ DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
-CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
@@ -75,7 +77,7 @@ TARGETS = named@EXEEXT@ lwresd@EXEEXT@
OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
controlconf.@O@ interfacemgr.@O@ \
listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
- query.@O@ server.@O@ sortlist.@O@ \
+ query.@O@ server.@O@ sortlist.@O@ statschannel.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@@ -87,7 +89,7 @@ UOBJS = unix/os.@O@
SRCS = builtin.c client.c config.c control.c \
controlconf.c interfacemgr.c \
listenlist.c log.c logconf.c main.c notify.c \
- query.c server.c sortlist.c \
+ query.c server.c sortlist.c statschannel.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -105,6 +107,7 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
+ -DCONFIGARGS="\"${CONFIGARGS}\"" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
@@ -130,6 +133,12 @@ docclean manclean maintainer-clean::
clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
+bind9.xsl.h: bind9.xsl convertxsl.pl
+ ${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
+
+depend: bind9.xsl.h
+statschannel.@O@: bind9.xsl.h
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
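Review bot: The new `bind9.xsl.h` rule writes the generated header into the build directory (which is why `-I.` was added to `CINCLUDES` in the earlier hunk), but nothing in the `clean`/`distclean`/`maintainer-clean` rule just above removes it, so a regenerated header can linger across clean builds. Because a pre-generated `bind9.xsl.h` is also committed alongside the source in this same change, an out-of-tree build may pick up the checked-in copy before the freshly generated one if `statschannel.c` includes it with a quoted include — that depends on the include form, which is not visible here, so please verify. If the committed copy is meant to be the distributed artifact, I would at least have `maintainer-clean::` drop the generated one: `maintainer-clean::` followed by `rm -f bind9.xsl.h`, and add a comment on the rule saying that the checked-in header must be regenerated with `convertxsl.pl` whenever `bind9.xsl` changes.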
diff --git a/contrib/bind9/bin/named/bind9.xsl b/contrib/bind9/bin/named/bind9.xsl
new file mode 100644
index 0000000..2cadbfd
--- /dev/null
+++ b/contrib/bind9/bin/named/bind9.xsl
@@ -0,0 +1,492 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp $ -->
+
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns="http://www.w3.org/1999/xhtml">
+ <xsl:template match="isc/bind/statistics">
+ <html>
+ <head>
+ <style type="text/css">
+body {
+ font-family: sans-serif;
+ background-color: #ffffff;
+ color: #000000;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+tr.rowh {
+ text-align: center;
+ border: 1px solid #000000;
+ background-color: #8080ff;
+ color: #ffffff;
+}
+
+tr.row {
+ text-align: right;
+ border: 1px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+}
+
+tr.lrow {
+ text-align: left;
+ border: 1px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+}
+
+td, th {
+ padding-right: 5px;
+ padding-left: 5px;
+}
+
+.header h1 {
+ background-color: teal;
+ color: #ffffff;
+ padding: 4px;
+}
+
+.content {
+ background-color: #ffffff;
+ color: #000000;
+ padding: 4px;
+}
+
+.item {
+ padding: 4px;
+ align: right;
+}
+
+.value {
+ padding: 4px;
+ font-weight: bold;
+}
+
+div.statcounter h2 {
+ text-align: center;
+ font-size: large;
+ border: 1px solid #000000;
+ background-color: #8080ff;
+ color: #ffffff;
+}
+
+div.statcounter dl {
+ float: left;
+ margin-top: 0;
+ margin-bottom: 0;
+ margin-left: 0;
+ margin-right: 0;
+}
+
+div.statcounter dt {
+ width: 200px;
+ text-align: center;
+ font-weight: bold;
+ border: 0.5px solid #000000;
+ background-color: #8080ff;
+ color: #ffffff;
+}
+
+div.statcounter dd {
+ width: 200px;
+ text-align: right;
+ border: 0.5px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+ margin-left: 0;
+ margin-right: 0;
+}
+
+div.statcounter br {
+ clear: left;
+}
+ </style>
+ <title>BIND 9 Statistics</title>
+ </head>
+ <body>
+ <div class="header">
+ <h1>Bind 9 Configuration and Statistics</h1>
+ </div>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Times</th></tr>
+ <tr class="lrow">
+ <td>boot-time</td>
+ <td><xsl:value-of select="server/boot-time"/></td>
+ </tr>
+ <tr class="lrow">
+ <td>current-time</td>
+ <td><xsl:value-of select="server/current-time"/></td>
+ </tr>
+ </table>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Incoming Requests</th></tr>
+ <xsl:for-each select="server/requests/opcode">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Incoming Queries</th></tr>
+ <xsl:for-each select="server/queries-in/rdtype">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ <br/>
+
+ <xsl:for-each select="views/view">
+ <table>
+ <tr class="rowh">
+ <th colspan="2">Outgoing Queries from View <xsl:value-of select="name"/></th>
+ </tr>
+ <xsl:for-each select="rdtype">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ </xsl:for-each>
+
+ <br/>
+
+ <div class="statcounter">
+ <h2>Server Statistics</h2>
+ <xsl:for-each select="server/nsstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br/>
+ </div>
+
+ <div class="statcounter">
+ <h2>Zone Maintenance Statistics</h2>
+ <xsl:for-each select="server/zonestat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br />
+ </div>
+
+ <div class="statcounter">
+ <h2>Resolver Statistics (Common)</h2>
+ <xsl:for-each select="server/resstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br />
+ </div>
+
+ <xsl:for-each select="views/view">
+ <div class="statcounter">
+ <h2>Resolver Statistics for View <xsl:value-of select="name"/></h2>
+ <xsl:for-each select="resstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br />
+ </div>
+ </xsl:for-each>
+
+ <br />
+
+ <xsl:for-each select="views/view">
+ <table>
+ <tr class="rowh">
+ <th colspan="2">Cache DB RRsets for View <xsl:value-of select="name"/></th>
+ </tr>
+ <xsl:for-each select="cache/rrset">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ </xsl:for-each>
+
+ <div class="statcounter">
+ <h2>Socket I/O Statistics</h2>
+ <xsl:for-each select="server/sockstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br/>
+ </div>
+
+ <br/>
+
+ <xsl:for-each select="views/view">
+ <table>
+ <tr class="rowh">
+ <th colspan="10">Zones for View <xsl:value-of select="name"/></th>
+ </tr>
+ <tr class="rowh">
+ <th>Name</th>
+ <th>Class</th>
+ <th>Serial</th>
+ <th>Success</th>
+ <th>Referral</th>
+ <th>NXRRSET</th>
+ <th>NXDOMAIN</th>
+ <th>Failure</th>
+ <th>XfrReqDone</th>
+ <th>XfrRej</th>
+ </tr>
+ <xsl:for-each select="zones/zone">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="rdataclass"/>
+ </td>
+ <td>
+ <xsl:value-of select="serial"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QrySuccess"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryReferral"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryNxrrset"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryNXDOMAIN"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryFailure"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/XfrReqDone"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/XfrRej"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ </xsl:for-each>
+
+ <br/>
+
+ <table>
+ <tr class="rowh">
+ <th colspan="7">Network Status</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>Type</th>
+ <th>References</th>
+ <th>LocalAddress</th>
+ <th>PeerAddress</th>
+ <th>State</th>
+ </tr>
+ <xsl:for-each select="socketmgr/sockets/socket">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="type"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="local-address"/>
+ </td>
+ <td>
+ <xsl:value-of select="peer-address"/>
+ </td>
+ <td>
+ <xsl:for-each select="states">
+ <xsl:value-of select="."/>
+ </xsl:for-each>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ <table>
+ <tr class="rowh">
+ <th colspan="2">Task Manager Configuration</th>
+ </tr>
+ <tr class="lrow">
+ <td>Thread-Model</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/type"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Worker Threads</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Default Quantum</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Tasks Running</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
+ </td>
+ </tr>
+ </table>
+ <br/>
+ <table>
+ <tr class="rowh">
+ <th colspan="5">Tasks</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>References</th>
+ <th>State</th>
+ <th>Quantum</th>
+ </tr>
+ <xsl:for-each select="taskmgr/tasks/task">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="state"/>
+ </td>
+ <td>
+ <xsl:value-of select="quantum"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br />
+ <table>
+ <tr class="rowh">
+ <th colspan="4">Memory Usage Summary</th>
+ </tr>
+ <xsl:for-each select="memory/summary/*">
+ <tr class="lrow">
+ <td><xsl:value-of select="name()"/></td>
+ <td><xsl:value-of select="."/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br />
+ <table>
+ <tr class="rowh">
+ <th colspan="10">Memory Contexts</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>References</th>
+ <th>TotalUse</th>
+ <th>InUse</th>
+ <th>MaxUse</th>
+ <th>BlockSize</th>
+ <th>Pools</th>
+ <th>HiWater</th>
+ <th>LoWater</th>
+ </tr>
+ <xsl:for-each select="memory/contexts/context">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="total"/>
+ </td>
+ <td>
+ <xsl:value-of select="inuse"/>
+ </td>
+ <td>
+ <xsl:value-of select="maxinuse"/>
+ </td>
+ <td>
+ <xsl:value-of select="blocksize"/>
+ </td>
+ <td>
+ <xsl:value-of select="pools"/>
+ </td>
+ <td>
+ <xsl:value-of select="hiwater"/>
+ </td>
+ <td>
+ <xsl:value-of select="lowater"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ </body>
+ </html>
+ </xsl:template>
+</xsl:stylesheet>
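Review bot: The `.item` rule in the embedded stylesheet uses `align: right;`, which is not a CSS property and will be ignored by browsers; `text-align: right;` is what was intended, matching how `tr.row` and `div.statcounter dd` express the same thing. The identical text is baked into the generated `bind9.xsl.h` in the next file, so the fix belongs in `bind9.xsl` followed by regenerating the header through the `convertxsl.pl` rule added to the Makefile in this commit, not in the header by hand. On the data side, every dynamic value (zone names, socket and peer addresses, task names) is emitted through `xsl:value-of` with no `disable-output-escaping`, so the XSLT processor escapes it on output; a short comment near the `xsl:template` stating that this escaping is relied on would keep a future edit from introducing raw output for these externally influenced strings.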
diff --git a/contrib/bind9/bin/named/bind9.xsl.h b/contrib/bind9/bin/named/bind9.xsl.h
new file mode 100644
index 0000000..e42fda0
--- /dev/null
+++ b/contrib/bind9/bin/named/bind9.xsl.h
@@ -0,0 +1,497 @@
+/*
+ * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp
+ * From bind9.xsl 1.19.82.2 2009/01/29 23:47:43 tbox Exp
+ */
+static char xslmsg[] =
+ "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+ "<!--\n"
+ " - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
+ " -\n"
+ " - Permission to use, copy, modify, and/or distribute this software for any\n"
+ " - purpose with or without fee is hereby granted, provided that the above\n"
+ " - copyright notice and this permission notice appear in all copies.\n"
+ " -\n"
+ " - THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
+ " - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
+ " - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
+ " - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
+ " - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
+ " - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
+ " - PERFORMANCE OF THIS SOFTWARE.\n"
+ "-->\n"
+ "\n"
+ "<!-- \045Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp \045 -->\n"
+ "\n"
+ "<xsl:stylesheet version=\"1.0\"\n"
+ " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
+ " xmlns=\"http://www.w3.org/1999/xhtml\">\n"
+ " <xsl:template match=\"isc/bind/statistics\">\n"
+ " <html>\n"
+ " <head>\n"
+ " <style type=\"text/css\">\n"
+ "body {\n"
+ " font-family: sans-serif;\n"
+ " background-color: #ffffff;\n"
+ " color: #000000;\n"
+ "}\n"
+ "\n"
+ "table {\n"
+ " border-collapse: collapse;\n"
+ "}\n"
+ "\n"
+ "tr.rowh {\n"
+ " text-align: center;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: #8080ff;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "tr.row {\n"
+ " text-align: right;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "tr.lrow {\n"
+ " text-align: left;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "td, th {\n"
+ " padding-right: 5px;\n"
+ " padding-left: 5px;\n"
+ "}\n"
+ "\n"
+ ".header h1 {\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ " padding: 4px;\n"
+ "}\n"
+ "\n"
+ ".content {\n"
+ " background-color: #ffffff;\n"
+ " color: #000000;\n"
+ " padding: 4px;\n"
+ "}\n"
+ "\n"
+ ".item {\n"
+ " padding: 4px;\n"
+ " align: right;\n"
+ "}\n"
+ "\n"
+ ".value {\n"
+ " padding: 4px;\n"
+ " font-weight: bold;\n"
+ "}\n"
+ "\n"
+ "div.statcounter h2 {\n"
+ " text-align: center;\n"
+ " font-size: large;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: #8080ff;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "div.statcounter dl {\n"
+ " float: left;\n"
+ " margin-top: 0;\n"
+ " margin-bottom: 0;\n"
+ " margin-left: 0;\n"
+ " margin-right: 0;\n"
+ "}\n"
+ "\n"
+ "div.statcounter dt {\n"
+ " width: 200px;\n"
+ " text-align: center;\n"
+ " font-weight: bold;\n"
+ " border: 0.5px solid #000000;\n"
+ " background-color: #8080ff;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "div.statcounter dd {\n"
+ " width: 200px;\n"
+ " text-align: right;\n"
+ " border: 0.5px solid #000000;\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ " margin-left: 0;\n"
+ " margin-right: 0;\n"
+ "}\n"
+ "\n"
+ "div.statcounter br {\n"
+ " clear: left;\n"
+ "}\n"
+ " </style>\n"
+ " <title>BIND 9 Statistics</title>\n"
+ " </head>\n"
+ " <body>\n"
+ " <div class=\"header\">\n"
+ " <h1>Bind 9 Configuration and Statistics</h1>\n"
+ " </div>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\"><th colspan=\"2\">Times</th></tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>boot-time</td>\n"
+ " <td><xsl:value-of select=\"server/boot-time\"/></td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>current-time</td>\n"
+ " <td><xsl:value-of select=\"server/current-time\"/></td>\n"
+ " </tr>\n"
+ " </table>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\"><th colspan=\"2\">Incoming Requests</th></tr>\n"
+ " <xsl:for-each select=\"server/requests/opcode\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\"><th colspan=\"2\">Incoming Queries</th></tr>\n"
+ " <xsl:for-each select=\"server/queries-in/rdtype\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"2\">Outgoing Queries from View <xsl:value-of select=\"name\"/></th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"rdtype\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Server Statistics</h2>\n"
+ " <xsl:for-each select=\"server/nsstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br/>\n"
+ " </div>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Zone Maintenance Statistics</h2>\n"
+ " <xsl:for-each select=\"server/zonestat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br />\n"
+ " </div>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Resolver Statistics (Common)</h2>\n"
+ " <xsl:for-each select=\"server/resstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br />\n"
+ " </div>\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Resolver Statistics for View <xsl:value-of select=\"name\"/></h2>\n"
+ " <xsl:for-each select=\"resstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br />\n"
+ " </div>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <br />\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"2\">Cache DB RRsets for View <xsl:value-of select=\"name\"/></th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"cache/rrset\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Socket I/O Statistics</h2>\n"
+ " <xsl:for-each select=\"server/sockstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br/>\n"
+ " </div>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"10\">Zones for View <xsl:value-of select=\"name\"/></th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>Name</th>\n"
+ " <th>Class</th>\n"
+ " <th>Serial</th>\n"
+ " <th>Success</th>\n"
+ " <th>Referral</th>\n"
+ " <th>NXRRSET</th>\n"
+ " <th>NXDOMAIN</th>\n"
+ " <th>Failure</th>\n"
+ " <th>XfrReqDone</th>\n"
+ " <th>XfrRej</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"zones/zone\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"rdataclass\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"serial\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QrySuccess\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryReferral\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryNxrrset\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryNXDOMAIN\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryFailure\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/XfrReqDone\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/XfrRej\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"7\">Network Status</th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>ID</th>\n"
+ " <th>Name</th>\n"
+ " <th>Type</th>\n"
+ " <th>References</th>\n"
+ " <th>LocalAddress</th>\n"
+ " <th>PeerAddress</th>\n"
+ " <th>State</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"id\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"type\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"references\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"local-address\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"peer-address\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:for-each select=\"states\">\n"
+ " <xsl:value-of select=\".\"/>\n"
+ " </xsl:for-each>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"2\">Task Manager Configuration</th>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Thread-Model</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Worker Threads</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Default Quantum</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Tasks Running</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </table>\n"
+ " <br/>\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"5\">Tasks</th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>ID</th>\n"
+ " <th>Name</th>\n"
+ " <th>References</th>\n"
+ " <th>State</th>\n"
+ " <th>Quantum</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"taskmgr/tasks/task\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"id\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"references\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"state\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"quantum\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br />\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"4\">Memory Usage Summary</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"memory/summary/*\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name()\"/></td>\n"
+ " <td><xsl:value-of select=\".\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br />\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"10\">Memory Contexts</th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>ID</th>\n"
+ " <th>Name</th>\n"
+ " <th>References</th>\n"
+ " <th>TotalUse</th>\n"
+ " <th>InUse</th>\n"
+ " <th>MaxUse</th>\n"
+ " <th>BlockSize</th>\n"
+ " <th>Pools</th>\n"
+ " <th>HiWater</th>\n"
+ " <th>LoWater</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"memory/contexts/context\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"id\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"references\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"total\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"inuse\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"maxinuse\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"blocksize\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"pools\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"hiwater\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"lowater\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ "\n"
+ " </body>\n"
+ " </html>\n"
+ " </xsl:template>\n"
+ "</xsl:stylesheet>\n";
diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c
index 06cbd4a..7927737 100644
--- a/contrib/bind9/bin/named/builtin.c
+++ b/contrib/bind9/bin/named/builtin.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */
+/* $Id: builtin.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
/*! \file
* \brief
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
index 03cfdb6..ae5386c 100644
--- a/contrib/bind9/bin/named/client.c
+++ b/contrib/bind9/bin/named/client.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.c,v 1.219.18.31 2008/05/22 23:46:03 tbox Exp $ */
+/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */
#include <config.h>
@@ -24,6 +24,7 @@
#include <isc/once.h>
#include <isc/platform.h>
#include <isc/print.h>
+#include <isc/stats.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/task.h>
@@ -41,6 +42,7 @@
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/resolver.h>
+#include <dns/stats.h>
#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
@@ -48,6 +50,7 @@
#include <named/interfacemgr.h>
#include <named/log.h>
#include <named/notify.h>
+#include <named/os.h>
#include <named/server.h>
#include <named/update.h>
@@ -119,9 +122,9 @@ struct ns_clientmgr {
isc_mutex_t lock;
/* Locked by lock. */
isc_boolean_t exiting;
- client_list_t active; /*%< Active clients */
- client_list_t recursing; /*%< Recursing clients */
- client_list_t inactive; /*%< To be recycled */
+ client_list_t active; /*%< Active clients */
+ client_list_t recursing; /*%< Recursing clients */
+ client_list_t inactive; /*%< To be recycled */
#if NMCTXS > 0
/*%< mctx pool for clients. */
unsigned int nextmctx;
@@ -463,6 +466,8 @@ exit_check(ns_client_t *client) {
if (client->state == client->newstate) {
client->newstate = NS_CLIENTSTATE_MAX;
+ if (client->needshutdown)
+ isc_task_shutdown(client->task);
goto unlock;
}
}
@@ -519,6 +524,14 @@ exit_check(ns_client_t *client) {
CTRACE("free");
client->magic = 0;
+ /*
+ * Check that there are no other external references to
+ * the memory context.
+ */
+ if (ns_g_clienttest && isc_mem_references(client->mctx) != 1) {
+ isc_mem_stats(client->mctx, stderr);
+ INSIST(0);
+ }
isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
goto unlock;
@@ -592,6 +605,7 @@ client_shutdown(isc_task_t *task, isc_event_t *event) {
}
client->newstate = NS_CLIENTSTATE_FREED;
+ client->needshutdown = ISC_FALSE;
(void)exit_check(client);
}
@@ -640,11 +654,11 @@ ns_client_checkactive(ns_client_t *client) {
/*
* This client object should normally go inactive
* at this point, but if we have fewer active client
- * objects than desired due to earlier quota exhaustion,
+ * objects than desired due to earlier quota exhaustion,
* keep it active to make up for the shortage.
*/
isc_boolean_t need_another_client = ISC_FALSE;
- if (TCP_CLIENT(client)) {
+ if (TCP_CLIENT(client) && !ns_g_clienttest) {
LOCK(&client->interface->lock);
if (client->interface->ntcpcurrent <
client->interface->ntcptarget)
@@ -906,6 +920,7 @@ ns_client_send(ns_client_t *client) {
unsigned char sendbuf[SEND_BUFFER_SIZE];
unsigned int dnssec_opts;
unsigned int preferred_glue;
+ isc_boolean_t opt_included = ISC_FALSE;
REQUIRE(NS_CLIENT_VALID(client));
@@ -943,11 +958,10 @@ ns_client_send(ns_client_t *client) {
result = dns_message_renderbegin(client->message, &cctx, &buffer);
if (result != ISC_R_SUCCESS)
goto done;
+
if (client->opt != NULL) {
result = dns_message_setopt(client->message, client->opt);
- /*
- * XXXRTH dns_message_setopt() should probably do this...
- */
+ opt_included = ISC_TRUE;
client->opt = NULL;
if (result != ISC_R_SUCCESS)
goto done;
@@ -1003,6 +1017,25 @@ ns_client_send(ns_client_t *client) {
result = client_sendpkg(client, &tcpbuffer);
} else
result = client_sendpkg(client, &buffer);
+
+ /* update statistics (XXXJT: is it okay to access message->xxxkey?) */
+ isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_response);
+ if (opt_included) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_edns0out);
+ }
+ if (client->message->tsigkey != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_tsigout);
+ }
+ if (client->message->sig0key != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_sig0out);
+ }
+ if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0)
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_truncatedresp);
+
if (result == ISC_R_SUCCESS)
return;
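Review bot: The response/edns0out/tsigout/sig0out/truncatedresp counters added after the `client_sendpkg` calls are incremented before `result` is examined, so a send that client_sendpkg failed is still counted as a response; if the intent is to count responses actually handed to the socket, the block should sit inside the `if (result == ISC_R_SUCCESS)` test just below it, and otherwise a comment such as `/* counts attempted responses, including ones client_sendpkg failed to send */` should make the semantics explicit. The `XXXJT` comment ships an open question about reading message->tsigkey/sig0key after rendering; that is better answered (and the comment removed) than left in the tree. ns_client_send's body continues outside the hunk.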
@@ -1179,11 +1212,46 @@ client_addopt(ns_client_t *client) {
*/
rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
- /*
- * No EDNS options in the default case.
- */
- rdata->data = NULL;
- rdata->length = 0;
+ /* Set EDNS options if applicable */
+ if (client->attributes & NS_CLIENTATTR_WANTNSID &&
+ (ns_g_server->server_id != NULL ||
+ ns_g_server->server_usehostname)) {
+ /*
+ * Space required for NSID data:
+ * 2 bytes for opt code
+ * + 2 bytes for NSID length
+ * + NSID itself
+ */
+ char nsid[BUFSIZ], *nsidp;
+ isc_buffer_t *buffer = NULL;
+
+ if (ns_g_server->server_usehostname) {
+ isc_result_t result;
+ result = ns_os_gethostname(nsid, sizeof(nsid));
+ if (result != ISC_R_SUCCESS) {
+ goto no_nsid;
+ }
+ nsidp = nsid;
+ } else
+ nsidp = ns_g_server->server_id;
+
+ rdata->length = strlen(nsidp) + 4;
+ result = isc_buffer_allocate(client->mctx, &buffer,
+ rdata->length);
+ if (result != ISC_R_SUCCESS)
+ goto no_nsid;
+
+ isc_buffer_putuint16(buffer, DNS_OPT_NSID);
+ isc_buffer_putuint16(buffer, strlen(nsidp));
+ isc_buffer_putstr(buffer, nsidp);
+ rdata->data = buffer->base;
+ dns_message_takebuffer(client->message, &buffer);
+ } else {
+no_nsid:
+ rdata->data = NULL;
+ rdata->length = 0;
+ }
+
rdata->rdclass = rdatalist->rdclass;
rdata->type = rdatalist->type;
rdata->flags = 0;
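Review bot: `isc_buffer_putuint16(buffer, strlen(nsidp))` writes the NSID length into a 16-bit field with no bound on `strlen(nsidp)`, so a `server-id` string longer than 65535 bytes would have its option length silently truncated while the whole string is still copied into the buffer, producing an OPT whose option header does not match its data; the value is operator-configured, so this is a robustness rather than an attack issue, but `if (strlen(nsidp) > 0xffff) goto no_nsid;` before the allocation (or a limit at config-parse time) is cheap. The inner `isc_result_t result;` declared in the gethostname branch shadows the function-scope `result` that the `isc_buffer_allocate` call a few lines later assigns; drop the inner declaration so `-Wshadow` stays clean. Worth a comment that with `server-id hostname` the machine's hostname is returned to any unauthenticated querier that sets the NSID option, e.g. `/* NSID is returned to anyone who asks; server-id hostname discloses the hostname */`. client_addopt begins and ends outside this hunk.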
@@ -1218,7 +1286,7 @@ allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
* delivered to 'myview'.
*
* We run this unlocked as both the view list and the interface list
- * are updated when the approprite task has exclusivity.
+ * are updated when the appropriate task has exclusivity.
*/
isc_boolean_t
ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
@@ -1253,14 +1321,14 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
isc_boolean_t match;
isc_result_t result;
- tsig = &mykey->name;
- result = dns_view_gettsig(view, tsig, &key);
+ result = dns_view_gettsig(view, &mykey->name, &key);
if (result != ISC_R_SUCCESS)
continue;
match = dst_key_compare(mykey->key, key->key);
dns_tsigkey_detach(&key);
if (!match)
continue;
+ tsig = dns_tsigkey_identity(mykey);
}
if (allowed(&netsrc, tsig, view->matchclients) &&
@@ -1284,13 +1352,16 @@ client_request(isc_task_t *task, isc_event_t *event) {
isc_buffer_t tbuffer;
dns_view_t *view;
dns_rdataset_t *opt;
- isc_boolean_t ra; /* Recursion available. */
+ dns_name_t *signame;
+ isc_boolean_t ra; /* Recursion available. */
isc_netaddr_t netaddr;
isc_netaddr_t destaddr;
int match;
dns_messageid_t id;
unsigned int flags;
isc_boolean_t notimp;
+ dns_rdata_t rdata;
+ isc_uint16_t optcode;
REQUIRE(event != NULL);
client = event->ev_arg;
@@ -1440,6 +1511,20 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
/*
+ * Update some statistics counters. Don't count responses.
+ */
+ if (isc_sockaddr_pf(&client->peeraddr) == PF_INET) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_requestv4);
+ } else {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_requestv6);
+ }
+ if (TCP_CLIENT(client))
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_tcp);
+
+ /*
* It's a request. Parse it.
*/
result = dns_message_parse(client->message, buffer, 0);
@@ -1452,6 +1537,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
goto cleanup;
}
+ dns_opcodestats_increment(ns_g_server->opcodestats,
+ client->message->opcode);
switch (client->message->opcode) {
case dns_opcode_query:
case dns_opcode_update:
@@ -1499,12 +1586,35 @@ client_request(isc_task_t *task, isc_event_t *event) {
*/
client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
if (client->ednsversion > 0) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_badednsver);
result = client_addopt(client);
if (result == ISC_R_SUCCESS)
result = DNS_R_BADVERS;
ns_client_error(client, result);
goto cleanup;
}
+
+ /* Check for NSID request */
+ result = dns_rdataset_first(opt);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(opt, &rdata);
+ if (rdata.length >= 2) {
+ isc_buffer_t nsidbuf;
+ isc_buffer_init(&nsidbuf,
+ rdata.data, rdata.length);
+ isc_buffer_add(&nsidbuf, rdata.length);
+ optcode = isc_buffer_getuint16(&nsidbuf);
+ if (optcode == DNS_OPT_NSID)
+ client->attributes |=
+ NS_CLIENTATTR_WANTNSID;
+ }
+ }
+
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_edns0in);
+
/*
* Create an OPT for our reply.
*/
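Review bot: The NSID check only examines the first EDNS option in the OPT RDATA: it reads one 16-bit code from the start of `rdata.data` and never consumes that option's length, so a client that sends NSID after any other option (the RDATA is a sequence of code/length/data triples) is silently not given an NSID. Walking the option list fixes this while keeping every read bounded by the buffer; the loop below assumes the usual `isc_buffer_remaininglength`/`isc_buffer_forward` accessors from isc/buffer.h, which are not visible in this diff. A malformed option whose declared length runs past the RDATA is simply abandoned here, since dns_message_parse has already accepted the record. client_request continues outside the hunk.
```c
			/* Check for NSID request: walk the whole EDNS option list */
			result = dns_rdataset_first(opt);
			if (result == ISC_R_SUCCESS) {
				isc_buffer_t optbuf;
				isc_uint16_t optlen;

				dns_rdata_init(&rdata);
				dns_rdataset_current(opt, &rdata);
				isc_buffer_init(&optbuf, rdata.data, rdata.length);
				isc_buffer_add(&optbuf, rdata.length);
				while (isc_buffer_remaininglength(&optbuf) >= 4) {
					optcode = isc_buffer_getuint16(&optbuf);
					optlen = isc_buffer_getuint16(&optbuf);
					if (optlen > isc_buffer_remaininglength(&optbuf))
						break;	/* malformed: stop rather than overread */
					if (optcode == DNS_OPT_NSID)
						client->attributes |= NS_CLIENTATTR_WANTNSID;
					isc_buffer_forward(&optbuf, optlen);
				}
			}
			/* … unchanged: edns0in counter, reply OPT creation … */
```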
@@ -1591,10 +1701,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->message->rdclass == dns_rdataclass_any)
{
dns_name_t *tsig = NULL;
+
sigresult = dns_message_rechecksig(client->message,
view);
if (sigresult == ISC_R_SUCCESS)
- tsig = client->message->tsigname;
+ tsig = dns_tsigkey_identity(client->message->tsigkey);
if (allowed(&netaddr, tsig, view->matchclients) &&
allowed(&destaddr, tsig, view->matchdestinations) &&
@@ -1648,6 +1759,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->signer = NULL;
dns_name_init(&client->signername, NULL);
result = dns_message_signer(client->message, &client->signername);
+ if (result != ISC_R_NOTFOUND) {
+ signame = NULL;
+ if (dns_message_gettsig(client->message, &signame) != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_tsigin);
+ } else {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_sig0in);
+ }
+
+ }
if (result == ISC_R_SUCCESS) {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
@@ -1664,24 +1786,42 @@ client_request(isc_task_t *task, isc_event_t *event) {
} else {
char tsigrcode[64];
isc_buffer_t b;
- dns_name_t *name = NULL;
dns_rcode_t status;
isc_result_t tresult;
/* There is a signature, but it is bad. */
- if (dns_message_gettsig(client->message, &name) != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_invalidsig);
+ signame = NULL;
+ if (dns_message_gettsig(client->message, &signame) != NULL) {
char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namebuf, sizeof(namebuf));
+ char cnamebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(signame, namebuf, sizeof(namebuf));
status = client->message->tsigstatus;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
tresult = dns_tsigrcode_totext(status, &b);
INSIST(tresult == ISC_R_SUCCESS);
tsigrcode[isc_buffer_usedlength(&b)] = '\0';
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: "
- "TSIG %s: %s (%s)", namebuf,
- isc_result_totext(result), tsigrcode);
+ if (client->message->tsigkey->generated) {
+ dns_name_format(client->message->tsigkey->creator,
+ cnamebuf, sizeof(cnamebuf));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s (%s): %s (%s)", namebuf,
+ cnamebuf,
+ isc_result_totext(result),
+ tsigrcode);
+ } else {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s: %s (%s)", namebuf,
+ isc_result_totext(result),
+ tsigrcode);
+ }
} else {
status = client->message->sig0status;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
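Review bot: The new `client->message->tsigkey->generated` test dereferences tsigkey with no NULL check, whereas the code it replaces only used the name handed back by dns_message_gettsig; this branch is the "signature present but bad" path, so if any verification failure (a key lookup or allocation failure, say) can leave a TSIG RR in the message without a key object attached, this is a NULL dereference reachable from an unauthenticated request. A guard costs one line: `if (client->message->tsigkey != NULL && client->message->tsigkey->generated) {`. Whether such a path exists depends on dns_tsig_verify, which is outside this diff, so it should be confirmed rather than assumed. client_request continues outside the hunk.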
@@ -1715,9 +1855,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
ra = ISC_FALSE;
if (client->view->resolver != NULL &&
client->view->recursion == ISC_TRUE &&
- ns_client_checkaclsilent(client, client->view->recursionacl,
+ ns_client_checkaclsilent(client, NULL,
+ client->view->recursionacl,
+ ISC_TRUE) == ISC_R_SUCCESS &&
+ ns_client_checkaclsilent(client, NULL,
+ client->view->queryacl,
+ ISC_TRUE) == ISC_R_SUCCESS &&
+ ns_client_checkaclsilent(client, &client->interface->addr,
+ client->view->recursiononacl,
ISC_TRUE) == ISC_R_SUCCESS &&
- ns_client_checkaclsilent(client, client->view->queryacl,
+ ns_client_checkaclsilent(client, &client->interface->addr,
+ client->view->queryonacl,
ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
@@ -1804,13 +1952,17 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
static isc_result_t
get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
isc_mem_t *clientmctx;
-#if NMCTXS > 0
isc_result_t result;
-#endif
/*
* Caller must be holding the manager lock.
*/
+ if (ns_g_clienttest) {
+ result = isc_mem_create(0, 0, mctxp);
+ if (result == ISC_R_SUCCESS)
+ isc_mem_setname(*mctxp, "client", NULL);
+ return (result);
+ }
#if NMCTXS > 0
INSIST(manager->nextmctx < NMCTXS);
clientmctx = manager->mctxpool[manager->nextmctx];
@@ -1818,6 +1970,7 @@ get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
result = isc_mem_create(0, 0, &clientmctx);
if (result != ISC_R_SUCCESS)
return (result);
+ isc_mem_setname(clientmctx, "client", NULL);
manager->mctxpool[manager->nextmctx] = clientmctx;
}
@@ -1966,6 +2119,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
if (result != ISC_R_SUCCESS)
goto cleanup_query;
+ client->needshutdown = ns_g_clienttest;
+
CTRACE("create");
*clientp = client;
@@ -2056,6 +2211,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
*/
if (nevent->result == ISC_R_SUCCESS) {
client->tcpsocket = nevent->newsocket;
+ isc_socket_setname(client->tcpsocket, "client-tcp", NULL);
client->state = NS_CLIENTSTATE_READING;
INSIST(client->recursionquota == NULL);
@@ -2068,7 +2224,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
} else {
/*
* XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
+ * it didn't work. If we just give up, then TCP
* service may eventually stop.
*
* For now, we just go idle.
@@ -2115,7 +2271,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
* Let a new client take our place immediately, before
* we wait for a request packet. If we don't,
* telnetting to port 53 (once per CPU) will
- * deny service to legititmate TCP clients.
+ * deny service to legitimate TCP clients.
*/
result = isc_quota_attach(&ns_g_server->tcpquota,
&client->tcpquota);
@@ -2149,7 +2305,7 @@ client_accept(ns_client_t *client) {
isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
+ * it didn't work. If we just give up, then TCP
* service may eventually stop.
*
* For now, we just go idle.
@@ -2386,7 +2542,9 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
* Allocate a client. First try to get a recycled one;
* if that fails, make a new one.
*/
- client = ISC_LIST_HEAD(manager->inactive);
+ client = NULL;
+ if (!ns_g_clienttest)
+ client = ISC_LIST_HEAD(manager->inactive);
if (client != NULL) {
MTRACE("recycle");
ISC_LIST_UNLINK(manager->inactive, client, link);
@@ -2442,8 +2600,8 @@ ns_client_getsockaddr(ns_client_t *client) {
}
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
- isc_boolean_t default_allow)
+ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
+ dns_acl_t *acl, isc_boolean_t default_allow)
{
isc_result_t result;
int match;
@@ -2456,11 +2614,16 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
goto deny;
}
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+ if (sockaddr == NULL)
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+ else
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
result = dns_acl_match(&netaddr, client->signer, acl,
&ns_g_server->aclenv,
&match, NULL);
+
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
if (match > 0)
@@ -2475,12 +2638,12 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
}
isc_result_t
-ns_client_checkacl(ns_client_t *client,
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow, int log_level)
{
isc_result_t result =
- ns_client_checkaclsilent(client, acl, default_allow);
+ ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -2503,7 +2666,7 @@ ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
void
ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap)
{
char msgbuf[2048];
char peerbuf[ISC_SOCKADDR_FORMATSIZE];
diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c
index 233d9e0..8b96050 100644
--- a/contrib/bind9/bin/named/config.c
+++ b/contrib/bind9/bin/named/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.47.18.35 2008/09/04 08:03:07 marka Exp $ */
+/* $Id: config.c,v 1.93.14.2 2009/03/17 23:47:28 tbox Exp $ */
/*! \file */
@@ -69,7 +69,7 @@ options {\n\
memstatistics-file \"named.memstats\";\n\
multiple-cnames no;\n\
# named-xfer <obsolete>;\n\
-# pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\
+# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
"
@@ -99,13 +99,16 @@ options {\n\
use-ixfr true;\n\
edns-udp-size 4096;\n\
max-udp-size 4096;\n\
+ request-nsid false;\n\
reserved-sockets 512;\n\
\n\
/* view */\n\
allow-notify {none;};\n\
allow-update-forwarding {none;};\n\
allow-query-cache { localnets; localhost; };\n\
+ allow-query-cache-on { any; };\n\
allow-recursion { localnets; localhost; };\n\
+ allow-recursion-on { any; };\n\
# allow-v6-synthesis <obsolete>;\n\
# sortlist <none>\n\
# topology <none>\n\
@@ -122,7 +125,7 @@ options {\n\
query-source-v6 address *;\n\
notify-source *;\n\
notify-source-v6 *;\n\
- cleaning-interval 60;\n\
+ cleaning-interval 0; /* now meaningless */\n\
min-roots 2;\n\
lame-ttl 600;\n\
max-ncache-ttl 10800; /* 3 hours */\n\
@@ -135,21 +138,24 @@ options {\n\
check-mx warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
- max-acache-size 0;\n\
+ max-acache-size 16M;\n\
dnssec-enable yes;\n\
- dnssec-validation no; /* Make yes for 9.5. */ \n\
+ dnssec-validation yes; \n\
dnssec-accept-expired no;\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
zero-no-soa-ttl-cache no;\n\
+ nsec3-test-zone no;\n\
"
" /* zone */\n\
allow-query {any;};\n\
+ allow-query-on {any;};\n\
allow-transfer {any;};\n\
notify yes;\n\
# also-notify <none>\n\
notify-delay 5;\n\
+ notify-to-soa no;\n\
dialup no;\n\
# forward <none>\n\
# forwarders <none>\n\
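Review bot: Flipping the built-in default to `dnssec-validation yes;` deserves an explanatory comment in the defaults string, because on its own it does not make named validate anything if, as in earlier releases, validation only takes effect once trust anchors are configured (`trusted-keys` or DLV) and `dnssec-enable yes` on the line above stays set; operators reading these defaults could otherwise assume more protection than they get. Suggest `dnssec-validation yes; /* effective only with trusted-keys or dlv configured */`. Confirm nothing else in this update changes that dependency before relying on the wording.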
@@ -169,6 +175,9 @@ options {\n\
min-refresh-time 300;\n\
multi-master no;\n\
sig-validity-interval 30; /* days */\n\
+ sig-signing-nodes 100;\n\
+ sig-signing-signatures 10;\n\
+ sig-signing-type 65534;\n\
zone-statistics false;\n\
max-journal-size unlimited;\n\
ixfr-from-differences false;\n\
@@ -179,6 +188,7 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
+ try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c
index 3f2d52e..8bd8f6c 100644
--- a/contrib/bind9/bin/named/control.c
+++ b/contrib/bind9/bin/named/control.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.20.10.10 2007/09/13 23:46:26 tbox Exp $ */
+/* $Id: control.c,v 1.33 2007/09/13 04:45:18 each Exp $ */
/*! \file */
@@ -63,6 +63,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
isccc_sexpr_t *data;
char *command;
isc_result_t result;
+ int log_level;
#ifdef HAVE_LIBSCF
ns_smf_want_disable = 0;
#endif
@@ -83,14 +84,20 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
return (result);
}
+ /*
+ * Compare the 'command' parameter against all known control commands.
+ */
+ if (command_compare(command, NS_COMMAND_NULL) ||
+ command_compare(command, NS_COMMAND_STATUS)) {
+ log_level = ISC_LOG_DEBUG(1);
+ } else {
+ log_level = ISC_LOG_INFO;
+ }
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
+ NS_LOGMODULE_CONTROL, log_level,
"received control channel command '%s'",
command);
- /*
- * Compare the 'command' parameter against all known control commands.
- */
if (command_compare(command, NS_COMMAND_RELOAD)) {
result = ns_server_reloadcommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
@@ -158,6 +165,10 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ns_server_flushname(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_STATUS)) {
result = ns_server_status(ns_g_server, text);
+ } else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
+ result = ns_server_tsiglist(ns_g_server, text);
+ } else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
+ result = ns_server_tsigdelete(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_FREEZE)) {
result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c
index e8e36f3..766f013 100644
--- a/contrib/bind9/bin/named/controlconf.c
+++ b/contrib/bind9/bin/named/controlconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: controlconf.c,v 1.40.18.14 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: controlconf.c,v 1.60 2008/07/23 23:27:54 marka Exp $ */
/*! \file */
@@ -597,6 +597,7 @@ control_newconn(isc_task_t *task, isc_event_t *event) {
}
sock = nevent->newsocket;
+ isc_socket_setname(sock, "control", NULL);
(void)isc_socket_getpeername(sock, &peeraddr);
if (listener->type == isc_sockettype_tcp &&
!address_ok(&peeraddr, listener->acl)) {
@@ -1007,7 +1008,7 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
if (control != NULL && type == isc_sockettype_tcp) {
allow = cfg_tuple_get(control, "allow");
result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
- aclconfctx, listener->mctx,
+ aclconfctx, listener->mctx, 0,
&new_acl);
} else {
result = dns_acl_any(listener->mctx, &new_acl);
@@ -1094,7 +1095,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
if (control != NULL && type == isc_sockettype_tcp) {
allow = cfg_tuple_get(control, "allow");
result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
- aclconfctx, mctx, &new_acl);
+ aclconfctx, mctx, 0,
+ &new_acl);
} else {
result = dns_acl_any(mctx, &new_acl);
}
@@ -1143,6 +1145,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
result = isc_socket_create(ns_g_socketmgr,
isc_sockaddr_pf(&listener->address),
type, &listener->sock);
+ if (result == ISC_R_SUCCESS)
+ isc_socket_setname(listener->sock, "control", NULL);
if (result == ISC_R_SUCCESS)
result = isc_socket_bind(listener->sock, &listener->address,
diff --git a/contrib/bind9/bin/named/convertxsl.pl b/contrib/bind9/bin/named/convertxsl.pl
new file mode 100755
index 0000000..87550b3
--- /dev/null
+++ b/contrib/bind9/bin/named/convertxsl.pl
@@ -0,0 +1,57 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2006-2008 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $
+
+use strict;
+use warnings;
+
+my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
+$rev =~ s/\$//g;
+$rev =~ s/,v//g;
+$rev =~ s/Id: //;
+
+my $xsl = "unknown";
+my $lines = '';
+
+while (<>) {
+ chomp;
+ # pickout the id for comment.
+ $xsl = $_ if (/<!-- .Id:.* -->/);
+ # convert Id string to a form not recognisable by cvs.
+ $_ =~ s/<!-- .Id:(.*). -->/<!-- \\045Id: $1\\045 -->/;
+ s/[\ \t]+/ /g;
+ s/\>\ \</\>\</g;
+ s/\"/\\\"/g;
+ s/^/\t\"/;
+ s/$/\\n\"/;
+ if ($lines eq "") {
+ $lines .= $_;
+ } else {
+ $lines .= "\n" . $_;
+ }
+}
+
+$xsl =~ s/\$//g;
+$xsl =~ s/<!-- Id: //;
+$xsl =~ s/ -->.*//;
+$xsl =~ s/,v//;
+
+print "/*\n * Generated by $rev \n * From $xsl\n */\n";
+print 'static char xslmsg[] =',"\n";
+print $lines;
+
+print ';', "\n";
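Review bot: The C-string escaping at `s/\"/\\\"/g;` handles double quotes but never escapes backslashes, so any `\` in the input stylesheet reaches the generated `xslmsg[]` literal unescaped and is reinterpreted by the C compiler as an escape sequence (or rejected outright); adding `s/\\/\\\\/g;` immediately before the quote substitution closes that. The whitespace collapsing at `s/[\ \t]+/ /g` and `s/\>\ \</\>\</g` also applies inside attribute values and text nodes, which can change what the stylesheet emits; that is presumably acceptable for the shipped XSL but worth a comment stating the input must not rely on significant whitespace. The input is a build-time file, so neither point is reachable by a network client.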
diff --git a/contrib/bind9/bin/named/include/named/builtin.h b/contrib/bind9/bin/named/include/named/builtin.h
index 37a3e76..a5185ba 100644
--- a/contrib/bind9/bin/named/include/named/builtin.h
+++ b/contrib/bind9/bin/named/include/named/builtin.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */
+/* $Id: builtin.h,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_BUILTIN_H
#define NAMED_BUILTIN_H 1
diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h
index 0cf7985..3ebed3f 100644
--- a/contrib/bind9/bin/named/include/named/client.h
+++ b/contrib/bind9/bin/named/include/named/client.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */
+/* $Id: client.h,v 1.86.120.2 2009/01/18 23:47:34 tbox Exp $ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file
* \brief
* This module defines two objects, ns_client_t and ns_clientmgr_t.
*
@@ -97,6 +97,13 @@ struct ns_client {
int nupdates;
int nctls;
int references;
+ isc_boolean_t needshutdown; /*
+ * Used by clienttest to get
+ * the client to go from
+ * inactive to free state
+ * by shutting down the
+ * client's task.
+ */
unsigned int attributes;
isc_task_t * task;
dns_view_t * view;
@@ -155,10 +162,11 @@ struct ns_client {
#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
#define NS_CLIENTATTR_TCP 0x01
-#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recusive service */
+#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recursive service */
#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */
#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */
extern unsigned int ns_client_requests;
@@ -266,7 +274,9 @@ ns_client_getsockaddr(ns_client_t *client);
*/
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
+ns_client_checkaclsilent(ns_client_t *client,
+ isc_sockaddr_t *sockaddr,
+ dns_acl_t *acl,
isc_boolean_t default_allow);
/*%
@@ -274,6 +284,8 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
*
* Check the current client request against 'acl'. If 'acl'
* is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
*
* Notes:
*\li This is appropriate for checking allow-update,
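Review bot: The new sentence `If netaddr is NULL, check the ACL against client->peeraddr; otherwise check it against netaddr.` refers to a parameter that does not exist; the argument added to the prototype above is `sockaddr` (an `isc_sockaddr_t *`). Suggest `* If 'sockaddr' is NULL, check the ACL against client->peeraddr;` followed by `* otherwise check it against 'sockaddr'.`. It would also help to say that, as client.c does for the allow-query-on / allow-recursion-on ACLs, callers pass the receiving interface's own address here, since that is the reason the parameter exists.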
@@ -284,6 +296,7 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
*
* Requires:
*\li 'client' points to a valid client.
+ *\li 'sockaddr' points to a valid address, or is NULL.
*\li 'acl' points to a valid ACL, or is NULL.
*
* Returns:
@@ -294,18 +307,19 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
isc_result_t
ns_client_checkacl(ns_client_t *client,
+ isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow,
int log_level);
/*%
- * Like ns_client_checkacl, but also logs the outcome of the
- * check at log level 'log_level' if denied, and at debug 3
- * if approved. Log messages will refer to the request as
- * an 'opname' request.
+ * Like ns_client_checkaclsilent, except the outcome of the check is
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
+ * Log messages will refer to the request as an 'opname' request.
*
* Requires:
- *\li Those of ns_client_checkaclsilent(), and:
- *
+ *\li 'client' points to a valid client.
+ *\li 'sockaddr' points to a valid address, or is NULL.
+ *\li 'acl' points to a valid ACL, or is NULL.
*\li 'opname' points to a null-terminated string.
*/
@@ -352,8 +366,8 @@ ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
isc_boolean_t
ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_rdataclass_t rdclass, void *arg);
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_rdataclass_t rdclass, void *arg);
/*%
* Isself callback.
*/
diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h
index e8e6038..f7ceed8 100644
--- a/contrib/bind9/bin/named/include/named/config.h
+++ b/contrib/bind9/bin/named/include/named/config.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: config.h,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h
index 5b7e5f4..d382ffe 100644
--- a/contrib/bind9/bin/named/include/named/control.h
+++ b/contrib/bind9/bin/named/include/named/control.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */
+/* $Id: control.h,v 1.25 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
@@ -47,6 +47,8 @@
#define NS_COMMAND_FLUSH "flush"
#define NS_COMMAND_FLUSHNAME "flushname"
#define NS_COMMAND_STATUS "status"
+#define NS_COMMAND_TSIGLIST "tsig-list"
+#define NS_COMMAND_TSIGDELETE "tsig-delete"
#define NS_COMMAND_FREEZE "freeze"
#define NS_COMMAND_UNFREEZE "unfreeze"
#define NS_COMMAND_THAW "thaw"
diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h
index 9c86afd..6040dc3 100644
--- a/contrib/bind9/bin/named/include/named/globals.h
+++ b/contrib/bind9/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: globals.h,v 1.64.18.6 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: globals.h,v 1.80 2008/11/16 22:49:18 marka Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
@@ -42,6 +42,10 @@
#define INIT(v)
#endif
+#ifndef NS_RUN_PID_DIR
+#define NS_RUN_PID_DIR 1
+#endif
+
EXTERN isc_mem_t * ns_g_mctx INIT(NULL);
EXTERN unsigned int ns_g_cpus INIT(0);
EXTERN isc_taskmgr_t * ns_g_taskmgr INIT(NULL);
@@ -59,6 +63,7 @@ EXTERN isc_timermgr_t * ns_g_timermgr INIT(NULL);
EXTERN isc_socketmgr_t * ns_g_socketmgr INIT(NULL);
EXTERN cfg_parser_t * ns_g_parser INIT(NULL);
EXTERN const char * ns_g_version INIT(VERSION);
+EXTERN const char * ns_g_configargs INIT(CONFIGARGS);
EXTERN in_port_t ns_g_port INIT(0);
EXTERN in_port_t lwresd_g_listenport INIT(0);
@@ -107,13 +112,26 @@ EXTERN const char * ns_g_chrootdir INIT(NULL);
EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
+#if NS_RUN_PID_DIR
+EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
+ "/run/named/"
+ "named.pid");
+EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
+ "/run/lwresd/"
+ "lwresd.pid");
+#else
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
"/run/named.pid");
EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
- "/run/lwresd.pid");
+ "/run/lwresd.pid");
+#endif
+
EXTERN const char * ns_g_username INIT(NULL);
EXTERN int ns_g_listen INIT(3);
+EXTERN isc_time_t ns_g_boottime;
+EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_clienttest INIT(ISC_FALSE);
#undef EXTERN
#undef INIT
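Review bot: The `NS_RUN_PID_DIR` branch changes the default pid file locations to per-daemon subdirectories (`/run/named/`, `/run/lwresd/`) without any comment that those directories must exist and be writable by the unprivileged user the daemon switches to, which this header cannot guarantee; the same applies to the hunk above that defaults `NS_RUN_PID_DIR` to 1. A short note next to the `#if NS_RUN_PID_DIR` line would help packagers, e.g. `/* Subdirectory must be created at install time, owned by the named/lwresd user. */`. Separately, the three new globals `ns_g_boottime`, `ns_g_memstatistics` and `ns_g_clienttest` carry no comment, unlike their neighbours; `ns_g_boottime` is also the only `EXTERN` here without an `INIT(...)`, which is presumably because `isc_time_t` is an aggregate, and that deserves a one-line comment so nobody "fixes" it.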
diff --git a/contrib/bind9/bin/named/include/named/interfacemgr.h b/contrib/bind9/bin/named/include/named/interfacemgr.h
index 42279ff..2724c39 100644
--- a/contrib/bind9/bin/named/include/named/interfacemgr.h
+++ b/contrib/bind9/bin/named/include/named/interfacemgr.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfacemgr.h,v 1.26.18.4 2005/04/27 05:00:35 sra Exp $ */
+/* $Id: interfacemgr.h,v 1.33 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
diff --git a/contrib/bind9/bin/named/include/named/listenlist.h b/contrib/bind9/bin/named/include/named/listenlist.h
index cdca026..9e65d5d 100644
--- a/contrib/bind9/bin/named/include/named/listenlist.h
+++ b/contrib/bind9/bin/named/include/named/listenlist.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: listenlist.h,v 1.11.18.2 2005/04/29 00:15:34 marka Exp $ */
+/* $Id: listenlist.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LISTENLIST_H
#define NAMED_LISTENLIST_H 1
diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h
index 6d6e648..444fe50 100644
--- a/contrib/bind9/bin/named/include/named/log.h
+++ b/contrib/bind9/bin/named/include/named/log.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.21.18.2 2005/04/29 00:15:35 marka Exp $ */
+/* $Id: log.h,v 1.25.332.2 2009/01/07 23:47:16 tbox Exp $ */
#ifndef NAMED_LOG_H
#define NAMED_LOG_H 1
@@ -36,6 +36,7 @@
#define NS_LOGCATEGORY_QUERIES (&ns_g_categories[4])
#define NS_LOGCATEGORY_UNMATCHED (&ns_g_categories[5])
#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_g_categories[6])
+#define NS_LOGCATEGORY_QUERY_EERRORS (&ns_g_categories[7])
/*
* Backwards compatibility.
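Review bot: The new category name `NS_LOGCATEGORY_QUERY_EERRORS` looks like a typo for `QUERY_ERRORS`, and since macro names are not refactored automatically the doubled E will propagate to every future user. If renaming is not an option at this point, a comment on the line saying the spelling is intentional (or known and kept for compatibility) would stop the next reader from raising the same question, e.g. `/* sic: name is kept for compatibility */`.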
diff --git a/contrib/bind9/bin/named/include/named/logconf.h b/contrib/bind9/bin/named/include/named/logconf.h
index 79df5c6..0354345 100644
--- a/contrib/bind9/bin/named/include/named/logconf.h
+++ b/contrib/bind9/bin/named/include/named/logconf.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: logconf.h,v 1.11.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: logconf.h,v 1.17 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LOGCONF_H
#define NAMED_LOGCONF_H 1
diff --git a/contrib/bind9/bin/named/include/named/lwaddr.h b/contrib/bind9/bin/named/include/named/lwaddr.h
index 552d1d4..962aa91 100644
--- a/contrib/bind9/bin/named/include/named/lwaddr.h
+++ b/contrib/bind9/bin/named/include/named/lwaddr.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwaddr.h,v 1.4.18.2 2005/04/29 00:15:35 marka Exp $ */
+/* $Id: lwaddr.h,v 1.8 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h
index 591b86c..f0ab057 100644
--- a/contrib/bind9/bin/named/include/named/lwdclient.h
+++ b/contrib/bind9/bin/named/include/named/lwdclient.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdclient.h,v 1.14.18.2 2005/04/29 00:15:36 marka Exp $ */
+/* $Id: lwdclient.h,v 1.18.332.2 2009/01/18 23:47:34 tbox Exp $ */
#ifndef NAMED_LWDCLIENT_H
#define NAMED_LWDCLIENT_H 1
@@ -39,7 +39,7 @@
#define LWRD_SHUTDOWN (LWRD_EVENTCLASS + 0x0001)
-/*% Lighweight Resolver Daemon Client */
+/*% Lightweight Resolver Daemon Client */
struct ns_lwdclient {
isc_sockaddr_t address; /*%< where to reply */
struct in6_pktinfo pktinfo;
diff --git a/contrib/bind9/bin/named/include/named/lwresd.h b/contrib/bind9/bin/named/include/named/lwresd.h
index ef93fcd..565e58d 100644
--- a/contrib/bind9/bin/named/include/named/lwresd.h
+++ b/contrib/bind9/bin/named/include/named/lwresd.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwresd.h,v 1.13.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: lwresd.h,v 1.19 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LWRESD_H
#define NAMED_LWRESD_H 1
diff --git a/contrib/bind9/bin/named/include/named/lwsearch.h b/contrib/bind9/bin/named/include/named/lwsearch.h
index b85e401..c1b4f48 100644
--- a/contrib/bind9/bin/named/include/named/lwsearch.h
+++ b/contrib/bind9/bin/named/include/named/lwsearch.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwsearch.h,v 1.5.18.2 2005/04/29 00:15:36 marka Exp $ */
+/* $Id: lwsearch.h,v 1.9 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LWSEARCH_H
#define NAMED_LWSEARCH_H 1
diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h
index dd4fe8c..e834539 100644
--- a/contrib/bind9/bin/named/include/named/main.h
+++ b/contrib/bind9/bin/named/include/named/main.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.h,v 1.11.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: main.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_MAIN_H
#define NAMED_MAIN_H 1
diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h
index 106d70c..e8df0a1 100644
--- a/contrib/bind9/bin/named/include/named/notify.h
+++ b/contrib/bind9/bin/named/include/named/notify.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: notify.h,v 1.10.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: notify.h,v 1.14.332.2 2009/01/18 23:47:34 tbox Exp $ */
#ifndef NAMED_NOTIFY_H
#define NAMED_NOTIFY_H 1
@@ -41,7 +41,7 @@ void
ns_notify_start(ns_client_t *client);
/*%<
- * Examines the incoming message to determine apporiate zone.
+ * Examines the incoming message to determine appropriate zone.
* Returns FORMERR if there is not exactly one question.
* Returns REFUSED if we do not serve the listed zone.
* Pass the message to the zone module for processing
diff --git a/contrib/bind9/bin/named/include/named/ns_smf_globals.h b/contrib/bind9/bin/named/include/named/ns_smf_globals.h
index 06df2ba..3a35743 100644
--- a/contrib/bind9/bin/named/include/named/ns_smf_globals.h
+++ b/contrib/bind9/bin/named/include/named/ns_smf_globals.h
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ns_smf_globals.h,v 1.2.2.4 2005/05/13 01:32:46 marka Exp $ */
+/* $Id: ns_smf_globals.h,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NS_SMF_GLOBALS_H
#define NS_SMF_GLOBALS_H 1
diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h
index 741212f..500b577 100644
--- a/contrib/bind9/bin/named/include/named/query.h
+++ b/contrib/bind9/bin/named/include/named/query.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.h,v 1.36.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: query.h,v 1.40 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h
index 54d1dae..43eccc4 100644
--- a/contrib/bind9/bin/named/include/named/server.h
+++ b/contrib/bind9/bin/named/include/named/server.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */
+/* $Id: server.h,v 1.93.120.2 2009/01/29 23:47:44 tbox Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
@@ -23,13 +23,14 @@
/*! \file */
#include <isc/log.h>
-#include <isc/sockaddr.h>
#include <isc/magic.h>
-#include <isc/types.h>
#include <isc/quota.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+#include <isc/xml.h>
-#include <dns/types.h>
#include <dns/acl.h>
+#include <dns/types.h>
#include <named/types.h>
@@ -62,7 +63,7 @@ struct ns_server {
isc_boolean_t server_usehostname;
char * server_id; /*%< User-specified server id */
- /*%
+ /*%
* Current ACL environment. This defines the
* current values of the localhost and localnets
* ACLs.
@@ -90,18 +91,74 @@ struct ns_server {
isc_boolean_t flushonshutdown;
isc_boolean_t log_queries; /*%< For BIND 8 compatibility */
- isc_uint64_t * querystats; /*%< Query statistics counters */
+ isc_stats_t * nsstats; /*%< Server statistics */
+ dns_stats_t * rcvquerystats; /*% Incoming query statistics */
+ dns_stats_t * opcodestats; /*%< Incoming message statistics */
+ isc_stats_t * zonestats; /*% Zone management statistics */
+ isc_stats_t * resolverstats; /*% Resolver statistics */
+ isc_stats_t * sockstats; /*%< Socket statistics */
ns_controls_t * controls; /*%< Control channels */
unsigned int dispatchgen;
ns_dispatchlist_t dispatches;
dns_acache_t *acache;
+
+ ns_statschannellist_t statschannels;
};
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
#define NS_SERVER_VALID(s) ISC_MAGIC_VALID(s, NS_SERVER_MAGIC)
+/*%
+ * Server statistics counters. Used as isc_statscounter_t values.
+ */
+enum {
+ dns_nsstatscounter_requestv4 = 0,
+ dns_nsstatscounter_requestv6 = 1,
+ dns_nsstatscounter_edns0in = 2,
+ dns_nsstatscounter_badednsver = 3,
+ dns_nsstatscounter_tsigin = 4,
+ dns_nsstatscounter_sig0in = 5,
+ dns_nsstatscounter_invalidsig = 6,
+ dns_nsstatscounter_tcp = 7,
+
+ dns_nsstatscounter_authrej = 8,
+ dns_nsstatscounter_recurserej = 9,
+ dns_nsstatscounter_xfrrej = 10,
+ dns_nsstatscounter_updaterej = 11,
+
+ dns_nsstatscounter_response = 12,
+ dns_nsstatscounter_truncatedresp = 13,
+ dns_nsstatscounter_edns0out = 14,
+ dns_nsstatscounter_tsigout = 15,
+ dns_nsstatscounter_sig0out = 16,
+
+ dns_nsstatscounter_success = 17,
+ dns_nsstatscounter_authans = 18,
+ dns_nsstatscounter_nonauthans = 19,
+ dns_nsstatscounter_referral = 20,
+ dns_nsstatscounter_nxrrset = 21,
+ dns_nsstatscounter_servfail = 22,
+ dns_nsstatscounter_formerr = 23,
+ dns_nsstatscounter_nxdomain = 24,
+ dns_nsstatscounter_recursion = 25,
+ dns_nsstatscounter_duplicate = 26,
+ dns_nsstatscounter_dropped = 27,
+ dns_nsstatscounter_failure = 28,
+
+ dns_nsstatscounter_xfrdone = 29,
+
+ dns_nsstatscounter_updatereqfwd = 30,
+ dns_nsstatscounter_updaterespfwd = 31,
+ dns_nsstatscounter_updatefwdfail = 32,
+ dns_nsstatscounter_updatedone = 33,
+ dns_nsstatscounter_updatefail = 34,
+ dns_nsstatscounter_updatebadprereq = 35,
+
+ dns_nsstatscounter_max = 36
+};
+
void
ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
/*%<
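Review bot: The Doxygen markers on the new `struct ns_server` members are inconsistent: `rcvquerystats`, `zonestats` and `resolverstats` use `/*% ... */`, which documents the *following* declaration, while their neighbours correctly use the trailing form `/*%< ... */`; as written the three comments attach to the wrong member. The fix is to use `/*%< ... */` on all six statistics lines. In the counter enum, `dns_nsstatscounter_max = 36` has to be bumped by hand whenever a counter is added; a comment such as `/* Must equal the number of counters above; keep in sync when adding entries. */` above it would make that contract explicit. Note the `struct ns_server` definition begins outside the hunk.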
@@ -204,6 +261,18 @@ isc_result_t
ns_server_status(ns_server_t *server, isc_buffer_t *text);
/*%
+ * Report a list of dynamic and static tsig keys, per view.
+ */
+isc_result_t
+ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text);
+
+/*%
+ * Delete a specific key (with optional view).
+ */
+isc_result_t
+ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text);
+
+/*%
* Enable or disable updates for a zone.
*/
isc_result_t
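Review bot: The comment for `ns_server_tsigdelete` ("Delete a specific key (with optional view)") does not say which keys are deletable, and for an operator that distinction matters: whether the command can remove keys statically configured in named.conf or only dynamically negotiated ones is presumably decided in the implementation, which is not visible here. The `command` parameter is also a non-const `char *`, suggesting the string is parsed in place; if so, the comment should say that the buffer is modified. I would document both, e.g. `* 'command' is the full control-channel command line and may be modified while parsing.` plus a sentence naming the key classes the command applies to, once confirmed.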
diff --git a/contrib/bind9/bin/named/include/named/sortlist.h b/contrib/bind9/bin/named/include/named/sortlist.h
index f849be2..b9f6076 100644
--- a/contrib/bind9/bin/named/include/named/sortlist.h
+++ b/contrib/bind9/bin/named/include/named/sortlist.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sortlist.h,v 1.5.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: sortlist.h,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_SORTLIST_H
#define NAMED_SORTLIST_H 1
diff --git a/contrib/bind9/bin/named/include/named/statschannel.h b/contrib/bind9/bin/named/include/named/statschannel.h
new file mode 100644
index 0000000..0c36d8c
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/statschannel.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: statschannel.h,v 1.3 2008/04/03 05:55:51 marka Exp $ */
+
+#ifndef NAMED_STATSCHANNEL_H
+#define NAMED_STATSCHANNEL_H 1
+
+/*! \file
+ * \brief
+ * The statistics channels built-in the name server.
+ */
+
+#include <isccc/types.h>
+
+#include <isccfg/aclconf.h>
+
+#include <named/types.h>
+
+#define NS_STATSCHANNEL_HTTPPORT 80
+
+isc_result_t
+ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
+ cfg_aclconfctx_t *aclconfctx);
+/*%<
+ * [Re]configure the statistics channels.
+ *
+ * If it is no longer there but was previously configured, destroy
+ * it here.
+ *
+ * If the IP address or port has changed, destroy the old server
+ * and create a new one.
+ */
+
+
+void
+ns_statschannels_shutdown(ns_server_t *server);
+/*%<
+ * Initiate shutdown of all the statistics channel listeners.
+ */
+
+isc_result_t
+ns_stats_dump(ns_server_t *server, FILE *fp);
+/*%<
+ * Dump statistics counters managed by the server to the file fp.
+ */
+
+#endif /* NAMED_STATSCHANNEL_H */
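Review bot: The new header declares `ns_stats_dump(ns_server_t *server, FILE *fp)` but includes nothing that defines `FILE`, so it is not self-contained and only compiles when a prior include happens to pull in `<stdio.h>`. Adding `#include <stdio.h>` at the top of the include list fixes that. The three function comments also omit return values; `ns_statschannels_configure` and `ns_stats_dump` return `isc_result_t` and the comment should state at least that `ISC_R_SUCCESS` is returned on success, e.g. `* Returns ISC_R_SUCCESS on success, or an error result otherwise.`.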
diff --git a/contrib/bind9/bin/named/include/named/tkeyconf.h b/contrib/bind9/bin/named/include/named/tkeyconf.h
index 946944d..02bd718 100644
--- a/contrib/bind9/bin/named/include/named/tkeyconf.h
+++ b/contrib/bind9/bin/named/include/named/tkeyconf.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkeyconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NS_TKEYCONF_H
#define NS_TKEYCONF_H 1
diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h
index a18eede..49ad82a 100644
--- a/contrib/bind9/bin/named/include/named/tsigconf.h
+++ b/contrib/bind9/bin/named/include/named/tsigconf.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tsigconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NS_TSIGCONF_H
#define NS_TSIGCONF_H 1
diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h
index abc25d5..eb25520 100644
--- a/contrib/bind9/bin/named/include/named/types.h
+++ b/contrib/bind9/bin/named/include/named/types.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.21.18.2 2005/04/29 00:15:38 marka Exp $ */
+/* $Id: types.h,v 1.29 2008/01/17 23:46:59 tbox Exp $ */
#ifndef NAMED_TYPES_H
#define NAMED_TYPES_H 1
@@ -28,6 +28,8 @@ typedef struct ns_client ns_client_t;
typedef struct ns_clientmgr ns_clientmgr_t;
typedef struct ns_query ns_query_t;
typedef struct ns_server ns_server_t;
+typedef struct ns_xmld ns_xmld_t;
+typedef struct ns_xmldmgr ns_xmldmgr_t;
typedef struct ns_interface ns_interface_t;
typedef struct ns_interfacemgr ns_interfacemgr_t;
typedef struct ns_lwresd ns_lwresd_t;
@@ -39,5 +41,6 @@ typedef struct ns_lwsearchctx ns_lwsearchctx_t;
typedef struct ns_controls ns_controls_t;
typedef struct ns_dispatch ns_dispatch_t;
typedef ISC_LIST(ns_dispatch_t) ns_dispatchlist_t;
-
+typedef struct ns_statschannel ns_statschannel_t;
+typedef ISC_LIST(ns_statschannel_t) ns_statschannellist_t;
#endif /* NAMED_TYPES_H */
diff --git a/contrib/bind9/bin/named/include/named/update.h b/contrib/bind9/bin/named/include/named/update.h
index 37daa95..a34570c 100644
--- a/contrib/bind9/bin/named/include/named/update.h
+++ b/contrib/bind9/bin/named/include/named/update.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.h,v 1.9.18.2 2005/04/29 00:15:39 marka Exp $ */
+/* $Id: update.h,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_UPDATE_H
#define NAMED_UPDATE_H 1
diff --git a/contrib/bind9/bin/named/include/named/xfrout.h b/contrib/bind9/bin/named/include/named/xfrout.h
index 82e0e66..4bb79a3 100644
--- a/contrib/bind9/bin/named/include/named/xfrout.h
+++ b/contrib/bind9/bin/named/include/named/xfrout.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrout.h,v 1.8.18.2 2005/04/29 00:15:39 marka Exp $ */
+/* $Id: xfrout.h,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_XFROUT_H
#define NAMED_XFROUT_H 1
diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h
index 61737a2..b973013 100644
--- a/contrib/bind9/bin/named/include/named/zoneconf.h
+++ b/contrib/bind9/bin/named/include/named/zoneconf.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.h,v 1.19.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: zoneconf.h,v 1.26 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NS_ZONECONF_H
#define NS_ZONECONF_H 1
diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c
index 08d33d9..46eb96e 100644
--- a/contrib/bind9/bin/named/interfacemgr.c
+++ b/contrib/bind9/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfacemgr.c,v 1.76.18.11 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: interfacemgr.c,v 1.93.70.2 2009/01/18 23:47:34 tbox Exp $ */
/*! \file */
@@ -304,6 +304,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
isc_result_totext(result));
goto tcp_socket_failure;
}
+ isc_socket_setname(ifp->tcpsocket, "dispatcher", NULL);
#ifndef ISC_ALLOW_MAPPED
isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE);
#endif
@@ -483,7 +484,7 @@ static isc_result_t
clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
dns_acl_t *newacl = NULL;
isc_result_t result;
- result = dns_acl_create(mctx, 10, &newacl);
+ result = dns_acl_create(mctx, 0, &newacl);
if (result != ISC_R_SUCCESS)
return (result);
dns_acl_detach(aclp);
@@ -494,36 +495,31 @@ clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
static isc_boolean_t
listenon_is_ip6_any(ns_listenelt_t *elt) {
- if (elt->acl->length != 1)
- return (ISC_FALSE);
- if (elt->acl->elements[0].negative == ISC_FALSE &&
- elt->acl->elements[0].type == dns_aclelementtype_any)
- return (ISC_TRUE); /* listen-on-v6 { any; } */
- return (ISC_FALSE); /* All others */
+ REQUIRE(elt && elt->acl);
+ return dns_acl_isany(elt->acl);
}
static isc_result_t
setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
isc_result_t result;
- dns_aclelement_t elt;
- unsigned int family;
unsigned int prefixlen;
+ isc_netaddr_t *netaddr;
- family = interface->address.family;
+ netaddr = &interface->address;
- elt.type = dns_aclelementtype_ipprefix;
- elt.negative = ISC_FALSE;
- elt.u.ip_prefix.address = interface->address;
- elt.u.ip_prefix.prefixlen = (family == AF_INET) ? 32 : 128;
- result = dns_acl_appendelement(mgr->aclenv.localhost, &elt);
+ /* First add localhost address */
+ prefixlen = (netaddr->family == AF_INET) ? 32 : 128;
+ result = dns_iptable_addprefix(mgr->aclenv.localhost->iptable,
+ netaddr, prefixlen, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
+ /* Then add localnets prefix */
result = isc_netaddr_masktoprefixlen(&interface->netmask,
&prefixlen);
- /* Non contigious netmasks not allowed by IPv6 arch. */
- if (result != ISC_R_SUCCESS && family == AF_INET6)
+ /* Non contiguous netmasks not allowed by IPv6 arch. */
+ if (result != ISC_R_SUCCESS && netaddr->family == AF_INET6)
return (result);
if (result != ISC_R_SUCCESS) {
@@ -533,17 +529,14 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
"localnets ACL: %s",
interface->name,
isc_result_totext(result));
- } else {
- elt.u.ip_prefix.prefixlen = prefixlen;
- if (dns_acl_elementmatch(mgr->aclenv.localnets, &elt,
- NULL) == ISC_R_NOTFOUND) {
- result = dns_acl_appendelement(mgr->aclenv.localnets,
- &elt);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
+ return (ISC_R_SUCCESS);
}
+ result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable,
+ netaddr, prefixlen, ISC_TRUE);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
return (ISC_R_SUCCESS);
}
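Review bot: The rewritten tail of setup_locals drops the duplicate check the old code did with dns_acl_elementmatch before appending to localnets, and now calls dns_iptable_addprefix unconditionally for every interface; whether the iptable tolerates the same prefix being added twice (two interfaces on one subnet) is not visible here and should be confirmed, or stated in the comment above the call, e.g. `/* Then add localnets prefix (iptable dedups repeated prefixes) */` once confirmed. The closing `if (result != ISC_R_SUCCESS) return (result); return (ISC_R_SUCCESS);` collapses to `return (result);`, which also removes the dead final return. The function's opening lines are in the previous hunk and its declaration is outside this one.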
@@ -803,7 +796,9 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
(void)dns_acl_match(&listen_netaddr,
NULL, ele->acl,
NULL, &match, NULL);
- if (match > 0 && ele->port == le->port)
+ if (match > 0 &&
+ (ele->port == le->port ||
+ ele->port == 0))
break;
else
match = 0;
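Review bot: The new `ele->port == 0` arm turns port 0 into a wildcard that matches a listen-on element against any port, but nothing in the hunk says so, and a reader of the condition alone will take it for an off-by-default check; a one-line comment above the `if` is needed, e.g. `/* ele->port == 0: this listen-on element applies to any port */`. If port 0 is the value the listen-on parser assigns when no port is given, say so in that comment rather than leaving the convention implicit. The enclosing loop and do_scan itself begin outside this hunk.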
diff --git a/contrib/bind9/bin/named/listenlist.c b/contrib/bind9/bin/named/listenlist.c
index 7e70ac9..513fe9c 100644
--- a/contrib/bind9/bin/named/listenlist.c
+++ b/contrib/bind9/bin/named/listenlist.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: listenlist.c,v 1.10.18.2 2005/04/29 00:15:22 marka Exp $ */
+/* $Id: listenlist.c,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c
index af75bab..359ab9f 100644
--- a/contrib/bind9/bin/named/log.c
+++ b/contrib/bind9/bin/named/log.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.37.18.6 2006/06/09 00:54:08 marka Exp $ */
+/* $Id: log.c,v 1.46.334.3 2009/01/07 01:50:14 jinmei Exp $ */
/*! \file */
@@ -33,7 +33,7 @@
/*%
* When adding a new category, be sure to add the appropriate
- * #define to <named/log.h> and to update the list in
+ * \#define to <named/log.h> and to update the list in
* bin/check/check-tool.c.
*/
static isc_logcategory_t categories[] = {
@@ -44,12 +44,13 @@ static isc_logcategory_t categories[] = {
{ "queries", 0 },
{ "unmatched", 0 },
{ "update-security", 0 },
+ { "query-errors", 0 },
{ NULL, 0 }
};
/*%
* When adding a new module, be sure to add the appropriate
- * #define to <dns/log.h>.
+ * \#define to <dns/log.h>.
*/
static isc_logmodule_t modules[] = {
{ "main", 0 },
@@ -120,7 +121,7 @@ ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
/*
* By default, the logging library makes "default_debug" log to
* stderr. In BIND, we want to override this and log to named.run
- * instead, unless the the -g option was given.
+ * instead, unless the -g option was given.
*/
if (! ns_g_logstderr) {
destination.file.stream = NULL;
diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c
index ce815f4..e324965 100644
--- a/contrib/bind9/bin/named/logconf.c
+++ b/contrib/bind9/bin/named/logconf.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: logconf.c,v 1.35.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: logconf.c,v 1.42 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwaddr.c b/contrib/bind9/bin/named/lwaddr.c
index 02e8f4d..ed7880a 100644
--- a/contrib/bind9/bin/named/lwaddr.c
+++ b/contrib/bind9/bin/named/lwaddr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwaddr.c,v 1.4.18.4 2008/01/11 23:45:59 tbox Exp $ */
+/* $Id: lwaddr.c,v 1.10 2008/01/11 23:46:56 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwdclient.c b/contrib/bind9/bin/named/lwdclient.c
index 68069ed..a843134 100644
--- a/contrib/bind9/bin/named/lwdclient.c
+++ b/contrib/bind9/bin/named/lwdclient.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdclient.c,v 1.17.18.2 2005/04/29 00:15:23 marka Exp $ */
+/* $Id: lwdclient.c,v 1.22 2007/06/18 23:47:18 tbox Exp $ */
/*! \file */
@@ -102,6 +102,7 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
result = isc_task_create(taskmgr, 0, &cm->task);
if (result != ISC_R_SUCCESS)
goto errout;
+ isc_task_setname(cm->task, "lwdclient", NULL);
/*
* This MUST be last, since there is no way to cancel an onshutdown...
diff --git a/contrib/bind9/bin/named/lwderror.c b/contrib/bind9/bin/named/lwderror.c
index db25824..33f247a 100644
--- a/contrib/bind9/bin/named/lwderror.c
+++ b/contrib/bind9/bin/named/lwderror.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwderror.c,v 1.8.18.2 2005/04/29 00:15:24 marka Exp $ */
+/* $Id: lwderror.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c
index 454d4df..dec1e1a 100644
--- a/contrib/bind9/bin/named/lwdgabn.c
+++ b/contrib/bind9/bin/named/lwdgabn.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgabn.c,v 1.15.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.22 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwdgnba.c b/contrib/bind9/bin/named/lwdgnba.c
index a54d443..dfc2ad6 100644
--- a/contrib/bind9/bin/named/lwdgnba.c
+++ b/contrib/bind9/bin/named/lwdgnba.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgnba.c,v 1.16.18.4 2008/01/14 23:45:59 tbox Exp $ */
+/* $Id: lwdgnba.c,v 1.22 2008/01/14 23:46:56 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c
index c1b2b1e..b54e83d 100644
--- a/contrib/bind9/bin/named/lwdgrbn.c
+++ b/contrib/bind9/bin/named/lwdgrbn.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgrbn.c,v 1.13.18.5 2006/12/07 23:57:58 marka Exp $ */
+/* $Id: lwdgrbn.c,v 1.20 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwdnoop.c b/contrib/bind9/bin/named/lwdnoop.c
index 69cc957..14d8e0c 100644
--- a/contrib/bind9/bin/named/lwdnoop.c
+++ b/contrib/bind9/bin/named/lwdnoop.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdnoop.c,v 1.7.18.4 2008/01/22 23:27:05 tbox Exp $ */
+/* $Id: lwdnoop.c,v 1.13 2008/01/22 23:28:04 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8
index 827edcd..c0862aa 100644
--- a/contrib/bind9/bin/named/lwresd.8
+++ b/contrib/bind9/bin/named/lwresd.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwresd.8,v 1.15.18.13 2008/10/17 01:29:23 tbox Exp $
+.\" $Id: lwresd.8,v 1.29.14.1 2009/01/23 01:53:33 tbox Exp $
.\"
.hy 0
.ad l
@@ -42,7 +42,7 @@ is the daemon providing name lookup services to clients that use the BIND 9 ligh
\fBlwresd\fR
listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that
\fBlwresd\fR
-can only be used by processes running on the local machine. By default UDP port number 921 is used for lightweight resolver requests and responses.
+can only be used by processes running on the local machine. By default, UDP port number 921 is used for lightweight resolver requests and responses.
.PP
Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes,
\fBlwresd\fR
@@ -125,7 +125,7 @@ Run the server in the foreground and force all logging to
Use
\fIpid\-file\fR
as the PID file instead of the default,
-\fI/var/run/lwresd.pid\fR.
+\fI/var/run/lwresd/lwresd.pid\fR.
.RE
.PP
\-m \fIflag\fR
@@ -217,7 +217,7 @@ The default process\-id file.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c
index 8a89b1c..4e245fd 100644
--- a/contrib/bind9/bin/named/lwresd.c
+++ b/contrib/bind9/bin/named/lwresd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwresd.c,v 1.46.18.10 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: lwresd.c,v 1.58 2008/07/23 23:27:54 marka Exp $ */
/*! \file
* \brief
diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook
index 6dd2c40..8d9985a 100644
--- a/contrib/bind9/bin/named/lwresd.docbook
+++ b/contrib/bind9/bin/named/lwresd.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.docbook,v 1.7.18.10 2008/10/16 23:46:00 tbox Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.18.14.2 2009/01/22 23:47:05 tbox Exp $ -->
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
@@ -41,6 +41,7 @@
<year>2005</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -87,7 +88,7 @@
listens for resolver queries on a
UDP port on the IPv4 loopback interface, 127.0.0.1. This
means that <command>lwresd</command> can only be used by
- processes running on the local machine. By default UDP port
+ processes running on the local machine. By default, UDP port
number 921 is used for lightweight resolver requests and
responses.
</para>
@@ -199,7 +200,7 @@
<para>
Use <replaceable class="parameter">pid-file</replaceable> as the
PID file instead of the default,
- <filename>/var/run/lwresd.pid</filename>.
+ <filename>/var/run/lwresd/lwresd.pid</filename>.
</para>
</listitem>
</varlistentry>
diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html
index 463e6b0..4c2b059 100644
--- a/contrib/bind9/bin/named/lwresd.html
+++ b/contrib/bind9/bin/named/lwresd.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.html,v 1.5.18.19 2008/10/17 01:29:23 tbox Exp $ -->
+<!-- $Id: lwresd.html,v 1.25.14.1 2009/01/23 01:53:33 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>DESCRIPTION</h2>
+<a name="id2543467"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">lwresd</strong></span>
is the daemon providing name lookup
services to clients that use the BIND 9 lightweight resolver
@@ -44,7 +44,7 @@
listens for resolver queries on a
UDP port on the IPv4 loopback interface, 127.0.0.1. This
means that <span><strong class="command">lwresd</strong></span> can only be used by
- processes running on the local machine. By default UDP port
+ processes running on the local machine. By default, UDP port
number 921 is used for lightweight resolver requests and
responses.
</p>
@@ -67,7 +67,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543511"></a><h2>OPTIONS</h2>
+<a name="id2543514"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -115,7 +115,7 @@
<dd><p>
Use <em class="replaceable"><code>pid-file</code></em> as the
PID file instead of the default,
- <code class="filename">/var/run/lwresd.pid</code>.
+ <code class="filename">/var/run/lwresd/lwresd.pid</code>.
</p></dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
@@ -197,7 +197,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543928"></a><h2>FILES</h2>
+<a name="id2543931"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
<dd><p>
@@ -210,14 +210,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543968"></a><h2>SEE ALSO</h2>
+<a name="id2543971"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544002"></a><h2>AUTHOR</h2>
+<a name="id2544005"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/named/lwsearch.c b/contrib/bind9/bin/named/lwsearch.c
index 4a61f96..6754c98 100644
--- a/contrib/bind9/bin/named/lwsearch.c
+++ b/contrib/bind9/bin/named/lwsearch.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwsearch.c,v 1.8.18.3 2005/07/12 01:22:17 marka Exp $ */
+/* $Id: lwsearch.c,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c
index d8b0a33..f97ab45 100644
--- a/contrib/bind9/bin/named/main.c
+++ b/contrib/bind9/bin/named/main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.c,v 1.136.18.21 2008/10/24 01:28:08 marka Exp $ */
+/* $Id: main.c,v 1.166.34.3 2009/04/03 20:18:59 marka Exp $ */
/*! \file */
@@ -139,7 +139,7 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type,
if (ns_g_lctx != NULL) {
/*
- * Reset the assetion callback in case it is the log
+ * Reset the assertion callback in case it is the log
* routines causing the assertion.
*/
isc_assertion_setcallback(NULL);
@@ -359,7 +359,7 @@ parse_command_line(int argc, char *argv[]) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"46c:C:d:fgi:lm:n:N:p:P:"
- "sS:t:u:vx:")) != -1) {
+ "sS:t:T:u:vVx:")) != -1) {
switch (ch) {
case '4':
if (disable4)
@@ -446,14 +446,31 @@ parse_command_line(int argc, char *argv[]) {
/* XXXJAB should we make a copy? */
ns_g_chrootdir = isc_commandline_argument;
break;
+ case 'T':
+ /*
+ * clienttest: make clients single shot with their
+ * own memory context.
+ */
+ if (strcmp(isc_commandline_argument, "clienttest") == 0)
+ ns_g_clienttest = ISC_TRUE;
+ else
+ fprintf(stderr, "unknown -T flag '%s\n",
+ isc_commandline_argument);
+ break;
case 'u':
ns_g_username = isc_commandline_argument;
break;
case 'v':
printf("BIND %s\n", ns_g_version);
exit(0);
+ case 'V':
+ printf("BIND %s built with %s\n", ns_g_version,
+ ns_g_configargs);
+ exit(0);
case '?':
usage();
+ if (isc_commandline_option == '?')
+ exit(0);
ns_main_earlyfatal("unknown option '-%c'",
isc_commandline_option);
default:
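Review bot: The diagnostic in the new `case 'T'` has an unbalanced quote, `"unknown -T flag '%s\n"`, so the printed text opens a quote it never closes; it should read `fprintf(stderr, "unknown -T flag '%s'\n", isc_commandline_argument);`. Unlike the other unknown-option path, which goes through ns_main_earlyfatal, an unrecognised -T argument here only warns and startup continues, which seems worth either making fatal or documenting in the case comment as deliberate. The comment should also say that `clienttest` is a test-only mode, since the `-T` option is not otherwise described in this hunk and parse_command_line starts outside it.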
@@ -661,6 +678,9 @@ setup(void) {
ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
saved_command_line);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
+
/*
* Get the initial resource limits.
*/
@@ -705,6 +725,14 @@ setup(void) {
ns_g_conffile = absolute_conffile;
}
+ /*
+ * Record the server's startup time.
+ */
+ result = isc_time_now(&ns_g_boottime);
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("isc_time_now() failed: %s",
+ isc_result_totext(result));
+
result = create_managers();
if (result != ISC_R_SUCCESS)
ns_main_earlyfatal("create_managers() failed: %s",
@@ -719,7 +747,7 @@ setup(void) {
#ifdef DLZ
/*
- * Registyer any DLZ drivers.
+ * Register any DLZ drivers.
*/
result = dlz_drivers_init();
if (result != ISC_R_SUCCESS)
@@ -851,10 +879,10 @@ main(int argc, char *argv[]) {
* strings named.core | grep "named version:"
*/
strlcat(version,
-#ifdef __DATE__
- "named version: BIND " VERSION " (" __DATE__ ")",
-#else
+#if defined(NO_VERSION_DATE) || !defined(__DATE__)
"named version: BIND " VERSION,
+#else
+ "named version: BIND " VERSION " (" __DATE__ ")",
#endif
sizeof(version));
result = isc_file_progname(*argv, program_name, sizeof(program_name));
@@ -892,6 +920,7 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
ns_main_earlyfatal("isc_mem_create() failed: %s",
isc_result_totext(result));
+ isc_mem_setname(ns_g_mctx, "main", NULL);
setup();
@@ -937,7 +966,8 @@ main(int argc, char *argv[]) {
isc_mem_stats(ns_g_mctx, stdout);
isc_mutex_stats(stdout);
}
- if (memstats != NULL) {
+
+ if (ns_g_memstatistics && memstats != NULL) {
FILE *fp = NULL;
result = isc_stdio_open(memstats, "w", &fp);
if (result == ISC_R_SUCCESS) {
diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8
index 9487dac..3408403 100644
--- a/contrib/bind9/bin/named/named.8
+++ b/contrib/bind9/bin/named/named.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.8,v 1.20.18.16 2008/09/01 02:29:00 tbox Exp $
+.\" $Id: named.8,v 1.38 2008/11/07 01:11:19 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,7 +33,7 @@
named \- Internet domain name server
.SH "SYNOPSIS"
.HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\fR
@@ -186,6 +186,11 @@ is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previou
Report the version number and exit.
.RE
.PP
+\-V
+.RS 4
+Report the version number and build options, and exit.
+.RE
+.PP
\-x \fIcache\-file\fR
.RS 4
Load data from
@@ -226,7 +231,7 @@ BIND 9 Administrator Reference Manual.
The default configuration file.
.RE
.PP
-\fI/var/run/named.pid\fR
+\fI/var/run/named/named.pid\fR
.RS 4
The default process\-id file.
.RE
diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5
index a2ccbe0..039c795 100644
--- a/contrib/bind9/bin/named/named.conf.5
+++ b/contrib/bind9/bin/named/named.conf.5
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.conf.5,v 1.1.2.27 2008/09/05 01:32:08 tbox Exp $
+.\" $Id: named.conf.5,v 1.36 2008/09/25 04:45:04 tbox Exp $
.\"
.hy 0
.ad l
@@ -193,6 +193,7 @@ options {
use\-ixfr \fIboolean\fR;
version ( \fIquoted_string\fR | none );
allow\-recursion { \fIaddress_match_element\fR; ... };
+ allow\-recursion\-on { \fIaddress_match_element\fR; ... };
sortlist { \fIaddress_match_element\fR; ... };
topology { \fIaddress_match_element\fR; ... }; // not implemented
auth\-nxdomain \fIboolean\fR; // default changed
@@ -209,14 +210,17 @@ options {
additional\-from\-cache \fIboolean\fR;
query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+ use\-queryport\-pool \fIboolean\fR;
+ queryport\-pool\-ports \fIinteger\fR;
+ queryport\-pool\-updateinterval \fIinteger\fR;
cleaning\-interval \fIinteger\fR;
min\-roots \fIinteger\fR; // not implemented
lame\-ttl \fIinteger\fR;
max\-ncache\-ttl \fIinteger\fR;
max\-cache\-ttl \fIinteger\fR;
transfer\-format ( many\-answers | one\-answer );
- max\-cache\-size \fIsize_no_default\fR;
- max\-acache\-size \fIsize_no_default\fR;
+ max\-cache\-size \fIsize\fR;
+ max\-acache\-size \fIsize\fR;
clients\-per\-query \fInumber\fR;
max\-clients\-per\-query \fInumber\fR;
check\-names ( master | slave | response )
@@ -249,7 +253,9 @@ options {
dialup \fIdialuptype\fR;
ixfr\-from\-differences \fIixfrdiff\fR;
allow\-query { \fIaddress_match_element\fR; ... };
+ allow\-query\-on { \fIaddress_match_element\fR; ... };
allow\-query\-cache { \fIaddress_match_element\fR; ... };
+ allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
allow\-transfer { \fIaddress_match_element\fR; ... };
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
@@ -259,6 +265,7 @@ options {
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-delay \fIseconds\fR;
+ notify\-to\-soa \fIboolean\fR;
also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
[ port \fIinteger\fR ]; ... };
allow\-notify { \fIaddress_match_element\fR; ... };
@@ -277,6 +284,10 @@ options {
min\-refresh\-time \fIinteger\fR;
multi\-master \fIboolean\fR;
sig\-validity\-interval \fIinteger\fR;
+ sig\-re\-signing\-interval \fIinteger\fR;
+ sig\-signing\-nodes \fIinteger\fR;
+ sig\-signing\-signatures \fIinteger\fR;
+ sig\-signing\-type \fIinteger\fR;
transfer\-source ( \fIipv4_address\fR | * )
[ port ( \fIinteger\fR | * ) ];
transfer\-source\-v6 ( \fIipv6_address\fR | * )
@@ -288,8 +299,10 @@ options {
use\-alt\-transfer\-source \fIboolean\fR;
zone\-statistics \fIboolean\fR;
key\-directory \fIquoted_string\fR;
+ try\-tcp\-refresh \fIboolean\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zero\-no\-soa\-ttl\-cache \fIboolean\fR;
+ nsec3\-test\-zone \fIboolean\fR; // testing only
allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
deallocate\-on\-exit \fIboolean\fR; // obsolete
fake\-iquery \fIboolean\fR; // obsolete
@@ -327,6 +340,7 @@ view \fIstring\fR \fIoptional_class\fR {
\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
};
allow\-recursion { \fIaddress_match_element\fR; ... };
+ allow\-recursion\-on { \fIaddress_match_element\fR; ... };
sortlist { \fIaddress_match_element\fR; ... };
topology { \fIaddress_match_element\fR; ... }; // not implemented
auth\-nxdomain \fIboolean\fR; // default changed
@@ -343,14 +357,17 @@ view \fIstring\fR \fIoptional_class\fR {
additional\-from\-cache \fIboolean\fR;
query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+ use\-queryport\-pool \fIboolean\fR;
+ queryport\-pool\-ports \fIinteger\fR;
+ queryport\-pool\-updateinterval \fIinteger\fR;
cleaning\-interval \fIinteger\fR;
min\-roots \fIinteger\fR; // not implemented
lame\-ttl \fIinteger\fR;
max\-ncache\-ttl \fIinteger\fR;
max\-cache\-ttl \fIinteger\fR;
transfer\-format ( many\-answers | one\-answer );
- max\-cache\-size \fIsize_no_default\fR;
- max\-acache\-size \fIsize_no_default\fR;
+ max\-cache\-size \fIsize\fR;
+ max\-acache\-size \fIsize\fR;
clients\-per\-query \fInumber\fR;
max\-clients\-per\-query \fInumber\fR;
check\-names ( master | slave | response )
@@ -383,7 +400,9 @@ view \fIstring\fR \fIoptional_class\fR {
dialup \fIdialuptype\fR;
ixfr\-from\-differences \fIixfrdiff\fR;
allow\-query { \fIaddress_match_element\fR; ... };
+ allow\-query\-on { \fIaddress_match_element\fR; ... };
allow\-query\-cache { \fIaddress_match_element\fR; ... };
+ allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
allow\-transfer { \fIaddress_match_element\fR; ... };
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
@@ -393,6 +412,7 @@ view \fIstring\fR \fIoptional_class\fR {
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-delay \fIseconds\fR;
+ notify\-to\-soa \fIboolean\fR;
also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
[ port \fIinteger\fR ]; ... };
allow\-notify { \fIaddress_match_element\fR; ... };
@@ -421,6 +441,7 @@ view \fIstring\fR \fIoptional_class\fR {
[ port ( \fIinteger\fR | * ) ];
use\-alt\-transfer\-source \fIboolean\fR;
zone\-statistics \fIboolean\fR;
+ try\-tcp\-refresh \fIboolean\fR;
key\-directory \fIquoted_string\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zero\-no\-soa\-ttl\-cache \fIboolean\fR;
@@ -456,12 +477,15 @@ zone \fIstring\fR \fIoptional_class\fR {
journal \fIquoted_string\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
allow\-query { \fIaddress_match_element\fR; ... };
+ allow\-query\-on { \fIaddress_match_element\fR; ... };
allow\-transfer { \fIaddress_match_element\fR; ... };
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
update\-policy {
( grant | deny ) \fIstring\fR
- ( name | subdomain | wildcard | self ) \fIstring\fR
+ ( name | subdomain | wildcard | self | selfsub | selfwild |
+ krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain |
+ tcp\-self | 6to4\-self ) \fIstring\fR
\fIrrtypelist\fR; ...
};
update\-check\-ksk \fIboolean\fR;
@@ -470,6 +494,7 @@ zone \fIstring\fR \fIoptional_class\fR {
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-delay \fIseconds\fR;
+ notify\-to\-soa \fIboolean\fR;
also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
[ port \fIinteger\fR ]; ... };
allow\-notify { \fIaddress_match_element\fR; ... };
@@ -498,7 +523,9 @@ zone \fIstring\fR \fIoptional_class\fR {
[ port ( \fIinteger\fR | * ) ];
use\-alt\-transfer\-source \fIboolean\fR;
zone\-statistics \fIboolean\fR;
+ try\-tcp\-refresh \fIboolean\fR;
key\-directory \fIquoted_string\fR;
+ nsec3\-test\-zone \fIboolean\fR; // testing only
ixfr\-base \fIquoted_string\fR; // obsolete
ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
maintain\-ixfr\-base \fIboolean\fR; // obsolete
diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook
index 32aa537..a4a8044 100644
--- a/contrib/bind9/bin/named/named.conf.docbook
+++ b/contrib/bind9/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.docbook,v 1.1.2.31 2008/09/04 23:46:08 tbox Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.39 2008/09/24 02:46:21 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@@ -221,6 +221,7 @@ options {
use-ixfr <replaceable>boolean</replaceable>;
version ( <replaceable>quoted_string</replaceable> | none );
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+ allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
sortlist { <replaceable>address_match_element</replaceable>; ... };
topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -237,14 +238,17 @@ options {
additional-from-cache <replaceable>boolean</replaceable>;
query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ use-queryport-pool <replaceable>boolean</replaceable>;
+ queryport-pool-ports <replaceable>integer</replaceable>;
+ queryport-pool-updateinterval <replaceable>integer</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
min-roots <replaceable>integer</replaceable>; // not implemented
lame-ttl <replaceable>integer</replaceable>;
max-ncache-ttl <replaceable>integer</replaceable>;
max-cache-ttl <replaceable>integer</replaceable>;
transfer-format ( many-answers | one-answer );
- max-cache-size <replaceable>size_no_default</replaceable>;
- max-acache-size <replaceable>size_no_default</replaceable>;
+ max-cache-size <replaceable>size</replaceable>;
+ max-acache-size <replaceable>size</replaceable>;
clients-per-query <replaceable>number</replaceable>;
max-clients-per-query <replaceable>number</replaceable>;
check-names ( master | slave | response )
@@ -280,7 +284,9 @@ options {
ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-on { <replaceable>address_match_element</replaceable>; ... };
allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -291,6 +297,7 @@ options {
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-delay <replaceable>seconds</replaceable>;
+ notify-to-soa <replaceable>boolean</replaceable>;
also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
<optional> port <replaceable>integer</replaceable> </optional>; ... };
allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -310,7 +317,12 @@ options {
max-refresh-time <replaceable>integer</replaceable>;
min-refresh-time <replaceable>integer</replaceable>;
multi-master <replaceable>boolean</replaceable>;
+
sig-validity-interval <replaceable>integer</replaceable>;
+ sig-re-signing-interval <replaceable>integer</replaceable>;
+ sig-signing-nodes <replaceable>integer</replaceable>;
+ sig-signing-signatures <replaceable>integer</replaceable>;
+ sig-signing-type <replaceable>integer</replaceable>;
transfer-source ( <replaceable>ipv4_address</replaceable> | * )
<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
@@ -325,9 +337,12 @@ options {
zone-statistics <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
+ try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
+ nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
+
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
fake-iquery <replaceable>boolean</replaceable>; // obsolete
@@ -370,6 +385,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
};
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+ allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
sortlist { <replaceable>address_match_element</replaceable>; ... };
topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -386,14 +402,17 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
additional-from-cache <replaceable>boolean</replaceable>;
query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ use-queryport-pool <replaceable>boolean</replaceable>;
+ queryport-pool-ports <replaceable>integer</replaceable>;
+ queryport-pool-updateinterval <replaceable>integer</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
min-roots <replaceable>integer</replaceable>; // not implemented
lame-ttl <replaceable>integer</replaceable>;
max-ncache-ttl <replaceable>integer</replaceable>;
max-cache-ttl <replaceable>integer</replaceable>;
transfer-format ( many-answers | one-answer );
- max-cache-size <replaceable>size_no_default</replaceable>;
- max-acache-size <replaceable>size_no_default</replaceable>;
+ max-cache-size <replaceable>size</replaceable>;
+ max-acache-size <replaceable>size</replaceable>;
clients-per-query <replaceable>number</replaceable>;
max-clients-per-query <replaceable>number</replaceable>;
check-names ( master | slave | response )
@@ -429,7 +448,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-on { <replaceable>address_match_element</replaceable>; ... };
allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -440,6 +461,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-delay <replaceable>seconds</replaceable>;
+ notify-to-soa <replaceable>boolean</replaceable>;
also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
<optional> port <replaceable>integer</replaceable> </optional>; ... };
allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -473,6 +495,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
use-alt-transfer-source <replaceable>boolean</replaceable>;
zone-statistics <replaceable>boolean</replaceable>;
+ try-tcp-refresh <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
@@ -512,12 +535,15 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
zero-no-soa-ttl <replaceable>boolean</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-on { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-policy {
( grant | deny ) <replaceable>string</replaceable>
- ( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
+ ( name | subdomain | wildcard | self | selfsub | selfwild |
+ krb5-self | ms-self | krb5-subdomain | ms-subdomain |
+ tcp-self | 6to4-self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>; ...
};
update-check-ksk <replaceable>boolean</replaceable>;
@@ -527,6 +553,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-delay <replaceable>seconds</replaceable>;
+ notify-to-soa <replaceable>boolean</replaceable>;
also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
<optional> port <replaceable>integer</replaceable> </optional>; ... };
allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -560,8 +587,11 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
use-alt-transfer-source <replaceable>boolean</replaceable>;
zone-statistics <replaceable>boolean</replaceable>;
+ try-tcp-refresh <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
+ nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
+
ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html
index f729988..7bbbd0a 100644
--- a/contrib/bind9/bin/named/named.conf.html
+++ b/contrib/bind9/bin/named/named.conf.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.html,v 1.1.2.36 2008/09/05 01:32:08 tbox Exp $ -->
+<!-- $Id: named.conf.html,v 1.45 2008/09/25 04:45:04 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -191,6 +191,7 @@ options {<br>
use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
@@ -207,14 +208,17 @@ options {<br>
additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+ use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
+ queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
+ queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
transfer-format ( many-answers | one-answer );<br>
- max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
- max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+ max-cache-size <em class="replaceable"><code>size</code></em>;<br>
+ max-acache-size <em class="replaceable"><code>size</code></em>;<br>
clients-per-query <em class="replaceable"><code>number</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
check-names ( master | slave | response )<br>
@@ -250,7 +254,9 @@ options {<br>
ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
<br>
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -261,6 +267,7 @@ options {<br>
notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
+ notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -280,7 +287,12 @@ options {<br>
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+<br>
sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
+ sig-re-signing-interval <em class="replaceable"><code>integer</code></em>;<br>
+ sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+ sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+ sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
<br>
transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
@@ -295,9 +307,12 @@ options {<br>
<br>
zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+ try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
<br>
+ nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
+<br>
allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
@@ -314,7 +329,7 @@ options {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544407"></a><h2>VIEW</h2>
+<a name="id2544452"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -339,6 +354,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
};<br>
<br>
allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
@@ -355,14 +371,17 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+ use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
+ queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
+ queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
transfer-format ( many-answers | one-answer );<br>
- max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
- max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+ max-cache-size <em class="replaceable"><code>size</code></em>;<br>
+ max-acache-size <em class="replaceable"><code>size</code></em>;<br>
clients-per-query <em class="replaceable"><code>number</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
check-names ( master | slave | response )<br>
@@ -398,7 +417,9 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
<br>
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -409,6 +430,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
+ notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -442,6 +464,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
<br>
zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+ try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
@@ -454,7 +477,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544972"></a><h2>ZONE</h2>
+<a name="id2545113"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint |<br>
@@ -480,12 +503,15 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
<br>
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
update-policy {<br>
( grant | deny ) <em class="replaceable"><code>string</code></em><br>
- ( name | subdomain | wildcard | self ) <em class="replaceable"><code>string</code></em><br>
+ ( name | subdomain | wildcard | self | selfsub | selfwild |<br>
+                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |<br>
+   tcp-self | 6to4-self ) <em class="replaceable"><code>string</code></em><br>
<em class="replaceable"><code>rrtypelist</code></em>; ...<br>
};<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
@@ -495,6 +521,7 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
+ notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -528,8 +555,11 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
<br>
zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+ try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
<br>
+ nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
+<br>
ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
@@ -539,12 +569,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2545325"></a><h2>FILES</h2>
+<a name="id2545410"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545337"></a><h2>SEE ALSO</h2>
+<a name="id2545421"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook
index 15d554c..f47eae1 100644
--- a/contrib/bind9/bin/named/named.docbook
+++ b/contrib/bind9/bin/named/named.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.docbook,v 1.7.18.14 2008/08/21 23:46:01 tbox Exp $ -->
+<!-- $Id: named.docbook,v 1.23 2008/11/06 05:30:24 marka Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>June 30, 2000</date>
@@ -69,6 +69,7 @@
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg><option>-v</option></arg>
+ <arg><option>-V</option></arg>
<arg><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -300,6 +301,15 @@
</varlistentry>
<varlistentry>
+ <term>-V</term>
+ <listitem>
+ <para>
+ Report the version number and build options, and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-x <replaceable class="parameter">cache-file</replaceable></term>
<listitem>
<para>
@@ -381,7 +391,7 @@
</varlistentry>
<varlistentry>
- <term><filename>/var/run/named.pid</filename></term>
+ <term><filename>/var/run/named/named.pid</filename></term>
<listitem>
<para>
The default process-id file.
diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html
index ed4f16a..23c9a7c 100644
--- a/contrib/bind9/bin/named/named.html
+++ b/contrib/bind9/bin/named/named.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.html,v 1.6.18.22 2008/09/01 02:29:00 tbox Exp $ -->
+<!-- $Id: named.html,v 1.30 2008/11/07 01:11:19 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>DESCRIPTION</h2>
+<a name="id2543468"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>OPTIONS</h2>
+<a name="id2543493"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -198,6 +198,10 @@
<dd><p>
Report the version number and exit.
</p></dd>
+<dt><span class="term">-V</span></dt>
+<dd><p>
+ Report the version number and build options, and exit.
+ </p></dd>
<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
<dd>
<p>
@@ -216,7 +220,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543911"></a><h2>SIGNALS</h2>
+<a name="id2543928"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -237,7 +241,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543959"></a><h2>CONFIGURATION</h2>
+<a name="id2543976"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -246,20 +250,20 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543976"></a><h2>FILES</h2>
+<a name="id2543993"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
The default configuration file.
</p></dd>
-<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
+<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
<dd><p>
The default process-id file.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544016"></a><h2>SEE ALSO</h2>
+<a name="id2544033"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@@ -272,7 +276,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544086"></a><h2>AUTHOR</h2>
+<a name="id2544171"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/named/notify.c b/contrib/bind9/bin/named/notify.c
index db2be71..de52b8c 100644
--- a/contrib/bind9/bin/named/notify.c
+++ b/contrib/bind9/bin/named/notify.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: notify.c,v 1.30.18.3 2005/04/29 00:15:26 marka Exp $ */
+/* $Id: notify.c,v 1.37 2007/06/19 23:46:59 tbox Exp $ */
#include <config.h>
@@ -25,6 +25,7 @@
#include <dns/message.h>
#include <dns/rdataset.h>
#include <dns/result.h>
+#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
#include <dns/zt.h>
@@ -80,7 +81,7 @@ ns_notify_start(ns_client_t *client) {
dns_zone_t *zone = NULL;
char namebuf[DNS_NAME_FORMATSIZE];
char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
- dns_name_t *tsigname;
+ dns_tsigkey_t *tsigkey;
/*
* Interpret the question section.
@@ -119,10 +120,20 @@ ns_notify_start(ns_client_t *client) {
goto formerr;
}
- tsigname = NULL;
- if (dns_message_gettsig(request, &tsigname) != NULL) {
- dns_name_format(tsigname, namebuf, sizeof(namebuf));
- snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf);
+ tsigkey = dns_message_gettsigkey(request);
+ if (tsigkey != NULL) {
+ dns_name_format(&tsigkey->name, namebuf, sizeof(namebuf));
+
+ if (tsigkey->generated) {
+ char cnamebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(tsigkey->creator, cnamebuf,
+ sizeof(cnamebuf));
+ snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s' (%s)",
+ namebuf, cnamebuf);
+ } else {
+ snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'",
+ namebuf);
+ }
} else
tsigbuf[0] = '\0';
dns_name_format(zonename, namebuf, sizeof(namebuf));
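Review bot: The new generated-key branch formats two names into tsigbuf, but the buffer is declared in the preceding hunk as `char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];`, which has room for only one; snprintf keeps the write in bounds, so the effect is silent truncation of the creator name in the log line rather than an overflow. Size it for both names plus the new punctuation: `char tsigbuf[DNS_NAME_FORMATSIZE * 2 + sizeof(": TSIG '' ()")];`. ns_notify_start begins outside this hunk.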
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index 5cafbc9..ffd9b35 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.257.18.46 2008/10/15 22:33:01 marka Exp $ */
+/* $Id: query.c,v 1.313.20.7 2009/03/13 01:38:51 marka Exp $ */
/*! \file */
@@ -23,7 +23,9 @@
#include <string.h>
+#include <isc/hex.h>
#include <isc/mem.h>
+#include <isc/stats.h>
#include <isc/util.h>
#include <dns/adb.h>
@@ -36,6 +38,7 @@
#include <dns/events.h>
#include <dns/message.h>
#include <dns/ncache.h>
+#include <dns/nsec3.h>
#include <dns/order.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
@@ -89,6 +92,10 @@
#define SECURE(c) (((c)->query.attributes & \
NS_QUERYATTR_SECURE) != 0)
+/*% No QNAME Proof? */
+#define NOQNAME(r) (((r)->attributes & \
+ DNS_RDATASETATTR_NOQNAME) != 0)
+
#if 0
#define CTRACE(m) isc_log_write(ns_g_lctx, \
NS_LOGCATEGORY_CLIENT, \
@@ -114,68 +121,96 @@ typedef struct client_additionalctx {
dns_rdataset_t *rdataset;
} client_additionalctx_t;
-static void
+static isc_result_t
query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
static isc_boolean_t
validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+static void
+query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
+ dns_dbversion_t *version, ns_client_t *client,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ dns_name_t *fname, isc_boolean_t exact,
+ dns_name_t *found);
+
+static inline void
+log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
+
/*%
* Increment query statistics counters.
*/
static inline void
-inc_stats(ns_client_t *client, dns_statscounter_t counter) {
+inc_stats(ns_client_t *client, isc_statscounter_t counter) {
dns_zone_t *zone = client->query.authzone;
- REQUIRE(counter < DNS_STATS_NCOUNTERS);
-
- ns_g_server->querystats[counter]++;
+ isc_stats_increment(ns_g_server->nsstats, counter);
if (zone != NULL) {
- isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
+ isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
if (zonestats != NULL)
- zonestats[counter]++;
+ isc_stats_increment(zonestats, counter);
}
}
static void
query_send(ns_client_t *client) {
- dns_statscounter_t counter;
+ isc_statscounter_t counter;
+ if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
+ inc_stats(client, dns_nsstatscounter_nonauthans);
+ else
+ inc_stats(client, dns_nsstatscounter_authans);
if (client->message->rcode == dns_rcode_noerror) {
if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
if (client->query.isreferral) {
- counter = dns_statscounter_referral;
+ counter = dns_nsstatscounter_referral;
} else {
- counter = dns_statscounter_nxrrset;
+ counter = dns_nsstatscounter_nxrrset;
}
} else {
- counter = dns_statscounter_success;
+ counter = dns_nsstatscounter_success;
}
} else if (client->message->rcode == dns_rcode_nxdomain) {
- counter = dns_statscounter_nxdomain;
+ counter = dns_nsstatscounter_nxdomain;
} else {
/* We end up here in case of YXDOMAIN, and maybe others */
- counter = dns_statscounter_failure;
+ counter = dns_nsstatscounter_failure;
}
inc_stats(client, counter);
ns_client_send(client);
}
static void
-query_error(ns_client_t *client, isc_result_t result) {
- inc_stats(client, dns_statscounter_failure);
+query_error(ns_client_t *client, isc_result_t result, int line) {
+ int loglevel = ISC_LOG_DEBUG(3);
+
+ switch (result) {
+ case DNS_R_SERVFAIL:
+ loglevel = ISC_LOG_DEBUG(1);
+ inc_stats(client, dns_nsstatscounter_servfail);
+ break;
+ case DNS_R_FORMERR:
+ inc_stats(client, dns_nsstatscounter_formerr);
+ break;
+ default:
+ inc_stats(client, dns_nsstatscounter_failure);
+ break;
+ }
+
+ log_queryerror(client, result, line, loglevel);
+
ns_client_error(client, result);
}
static void
query_next(ns_client_t *client, isc_result_t result) {
if (result == DNS_R_DUPLICATE)
- inc_stats(client, dns_statscounter_duplicate);
+ inc_stats(client, dns_nsstatscounter_duplicate);
else if (result == DNS_R_DROP)
- inc_stats(client, dns_statscounter_dropped);
+ inc_stats(client, dns_nsstatscounter_dropped);
else
- inc_stats(client, dns_statscounter_failure);
+ inc_stats(client, dns_nsstatscounter_failure);
ns_client_next(client, result);
}
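Review bot: The bounds check `REQUIRE(counter < DNS_STATS_NCOUNTERS)` is dropped from inc_stats without a replacement in this function, so the counter index is now validated only if isc_stats_increment checks it against the stats object's size, which is not visible here. If it does, a one-line comment saying so would keep the next reader from re-adding the REQUIRE; if it does not, a REQUIRE against the new counter range belongs back in inc_stats. Separately, query_error gains a `line` parameter that is passed straight to log_queryerror with no explanation; the QUERY_ERROR macro and query_resume pass `__LINE__`, so `/* 'line' is the query.c source line that raised 'result'; used only for the error log. */` above the definition would document it. The log_queryerror definition is outside this hunk.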
@@ -640,7 +675,8 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
if (check_acl) {
isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
- result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
+ result = ns_client_checkaclsilent(client, NULL, queryacl,
+ ISC_TRUE);
if (log) {
char msg[NS_CLIENT_ACLMSGSIZE("query")];
if (result == ISC_R_SUCCESS) {
@@ -804,7 +840,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
- result = ns_client_checkaclsilent(client,
+ result = ns_client_checkaclsilent(client, NULL,
client->view->queryacl,
ISC_TRUE);
if (result == ISC_R_SUCCESS) {
@@ -940,7 +976,7 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
zonep, dbp, versionp);
#endif
- /* If successfull, Transfer ownership of zone. */
+ /* If successful, Transfer ownership of zone. */
if (result == ISC_R_SUCCESS) {
#ifdef DLZ
*zonep = zone;
@@ -1086,8 +1122,12 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
result = dns_db_find(db, name, version, type, client->query.dboptions,
client->now, &node, fname, rdataset,
sigrdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
+ if (sigrdataset != NULL && !dns_db_issecure(db) &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
goto found;
+ }
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
@@ -1157,7 +1197,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
goto cleanup;
/*
- * Don't poision caches using the bailiwick protection model.
+ * Don't poison caches using the bailiwick protection model.
*/
if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
goto cleanup;
@@ -1631,7 +1671,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
goto cleanup;
/*
- * Don't poision caches using the bailiwick protection model.
+ * Don't poison caches using the bailiwick protection model.
*/
if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
goto cleanup;
@@ -2024,7 +2064,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
eresult = DNS_R_SERVFAIL;
goto cleanup;
}
- if (WANTDNSSEC(client)) {
+ if (WANTDNSSEC(client) && dns_db_issecure(db)) {
sigrdataset = query_newrdataset(client);
if (sigrdataset == NULL) {
eresult = DNS_R_SERVFAIL;
@@ -2142,7 +2182,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
eresult = DNS_R_SERVFAIL;
goto cleanup;
}
- if (WANTDNSSEC(client)) {
+ if (WANTDNSSEC(client) && dns_db_issecure(db)) {
sigrdataset = query_newrdataset(client);
if (sigrdataset == NULL) {
CTRACE("query_addns: query_newrdataset failed");
@@ -2268,7 +2308,8 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
*/
static void
mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+ isc_uint32_t ttl, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
@@ -2282,6 +2323,18 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
result = dns_db_findnode(db, name, ISC_TRUE, &node);
if (result != ISC_R_SUCCESS)
return;
+ /*
+ * Bound the validated ttls then minimise.
+ */
+ if (sigrdataset->ttl > ttl)
+ sigrdataset->ttl = ttl;
+ if (rdataset->ttl > ttl)
+ rdataset->ttl = ttl;
+ if (rdataset->ttl > sigrdataset->ttl)
+ rdataset->ttl = sigrdataset->ttl;
+ else
+ sigrdataset->ttl = rdataset->ttl;
+
(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
0, NULL);
(void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
@@ -2291,7 +2344,7 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
/*
* Find the secure key that corresponds to rrsig.
- * Note: 'keyrdataset' maintains state between sucessive calls,
+ * Note: 'keyrdataset' maintains state between successive calls,
* there may be multiple keys with the same keyid.
* Return ISC_FALSE if we have exhausted all the possible keys.
*/
@@ -2405,8 +2458,9 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
client->view->acceptexpired)) {
dst_key_free(&key);
dns_rdataset_disassociate(&keyrdataset);
- mark_secure(client, db, name, rdataset,
- sigrdataset);
+ mark_secure(client, db, name,
+ rrsig.originalttl,
+ rdataset, sigrdataset);
return (ISC_TRUE);
}
dst_key_free(&key);
@@ -2592,12 +2646,36 @@ query_addbestns(ns_client_t *client) {
}
static void
+fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
+ if (*rdataset == NULL)
+ *rdataset = query_newrdataset(client);
+ else if (dns_rdataset_isassociated(*rdataset))
+ dns_rdataset_disassociate(*rdataset);
+}
+
+static void
+fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
+ isc_buffer_t *nbuf)
+{
+ if (*fname == NULL) {
+ *dbuf = query_getnamebuf(client);
+ if (*dbuf == NULL)
+ return;
+ *fname = query_newname(client, *dbuf, nbuf);
+ }
+}
+
+static void
query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version)
+ dns_dbversion_t *version, dns_name_t *name)
{
+ dns_fixedname_t fixed;
+ dns_name_t *fname = NULL;
dns_name_t *rname;
dns_rdataset_t *rdataset, *sigrdataset;
+ isc_buffer_t *dbuf, b;
isc_result_t result;
+ unsigned int count;
CTRACE("query_addds");
rname = NULL;
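Review bot: fixrdataset and fixfname are new helpers with no comment stating their contract, and both can leave their out-parameter NULL (query_newrdataset or query_getnamebuf failing) without signalling it, so every caller has to re-check afterwards. Suggest `/* Ensure *rdataset is an allocated, unassociated rdataset; *rdataset stays NULL if allocation fails. */` above fixrdataset and `/* Ensure *fname is a fresh name backed by a buffer from *dbuf; *fname stays NULL if no buffer is available. */` above fixfname. query_addds continues in the following hunks.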
@@ -2618,16 +2696,17 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
client->now, rdataset, sigrdataset);
/*
- * If we didn't find it, look for an NSEC. */
+ * If we didn't find it, look for an NSEC.
+ */
if (result == ISC_R_NOTFOUND)
result = dns_db_findrdataset(db, node, version,
dns_rdatatype_nsec, 0, client->now,
rdataset, sigrdataset);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
- goto cleanup;
+ goto addnsec3;
if (!dns_rdataset_isassociated(rdataset) ||
!dns_rdataset_isassociated(sigrdataset))
- goto cleanup;
+ goto addnsec3;
/*
* We've already added the NS record, so if the name's not there,
@@ -2649,12 +2728,60 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
ISC_LIST_APPEND(rname->list, sigrdataset, link);
rdataset = NULL;
sigrdataset = NULL;
+ return;
+
+ addnsec3:
+ if (dns_db_iscache(db))
+ goto cleanup;
+ /*
+ * Add the NSEC3 which proves the DS does not exist.
+ */
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ dns_fixedname_init(&fixed);
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ query_findclosestnsec3(name, db, version, client, rdataset,
+ sigrdataset, fname, ISC_TRUE,
+ dns_fixedname_name(&fixed));
+ if (!dns_rdataset_isassociated(rdataset))
+ goto cleanup;
+ query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
+ DNS_SECTION_AUTHORITY);
+ /*
+ * Did we find the closest provable encloser instead?
+ * If so add the nearest to the closest provable encloser.
+ */
+ if (!dns_name_equal(name, dns_fixedname_name(&fixed))) {
+ count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1;
+ dns_name_getlabelsequence(name,
+ dns_name_countlabels(name) - count,
+ count, dns_fixedname_name(&fixed));
+ fixfname(client, &fname, &dbuf, &b);
+ fixrdataset(client, &rdataset);
+ fixrdataset(client, &sigrdataset);
+ if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+ goto cleanup;
+ query_findclosestnsec3(dns_fixedname_name(&fixed), db, version,
+ client, rdataset, sigrdataset, fname,
+ ISC_FALSE, NULL);
+ if (!dns_rdataset_isassociated(rdataset))
+ goto cleanup;
+ query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
+ DNS_SECTION_AUTHORITY);
+ }
cleanup:
if (rdataset != NULL)
query_putrdataset(client, &rdataset);
if (sigrdataset != NULL)
query_putrdataset(client, &sigrdataset);
+ if (fname != NULL)
+ query_releasename(client, &fname);
}
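Review bot: In the new addnsec3 path, `fname = query_newname(client, dbuf, &b);` is not checked for NULL before fname is handed to query_findclosestnsec3 and query_addrrset, while the second lookup in the same block guards with `if (fname == NULL || rdataset == NULL || sigrdataset == NULL)`. If query_newname can fail, which the later check suggests the author expects, add `if (fname == NULL) goto cleanup;` directly after that line. The cleanup label already skips query_releasename when fname is NULL, so the early exit is safe. The head of query_addds is in the preceding hunks.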
static void
@@ -2669,12 +2796,14 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
dns_name_t *wname;
dns_dbnode_t *node;
unsigned int options;
- unsigned int olabels, nlabels;
+ unsigned int olabels, nlabels, labels;
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_nsec_t nsec;
isc_boolean_t have_wname;
int order;
+ dns_fixedname_t cfixed;
+ dns_name_t *cname;
CTRACE("query_addwildcardproof");
fname = NULL;
@@ -2683,7 +2812,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
node = NULL;
/*
- * Get the NOQNAME proof then if !ispositve
+ * Get the NOQNAME proof then if !ispositive
* get the NOWILDCARD proof.
*
* DNS_DBFIND_NOWILD finds the NSEC records that covers the
@@ -2745,7 +2874,115 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
0, &node, fname, rdataset, sigrdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
- if (result == DNS_R_NXDOMAIN) {
+
+ if (!dns_rdataset_isassociated(rdataset)) {
+ /*
+ * No NSEC proof available, return NSEC3 proofs instead.
+ */
+ dns_fixedname_init(&cfixed);
+ cname = dns_fixedname_name(&cfixed);
+ /*
+ * Find the closest encloser.
+ */
+ dns_name_copy(name, cname, NULL);
+ while (result == DNS_R_NXDOMAIN) {
+ labels = dns_name_countlabels(cname) - 1;
+ dns_name_split(cname, labels, NULL, cname);
+ result = dns_db_find(db, cname, version,
+ dns_rdatatype_nsec,
+ options, 0, NULL, fname,
+ NULL, NULL);
+ }
+ /*
+ * Add closest (provable) encloser NSEC3.
+ */
+ query_findclosestnsec3(cname, db, NULL, client, rdataset,
+ sigrdataset, fname, ISC_TRUE, cname);
+ if (!dns_rdataset_isassociated(rdataset))
+ goto cleanup;
+ query_addrrset(client, &fname, &rdataset, &sigrdataset,
+ dbuf, DNS_SECTION_AUTHORITY);
+
+ /*
+ * Replace resources which were consumed by query_addrrset.
+ */
+ if (fname == NULL) {
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ }
+
+ if (rdataset == NULL)
+ rdataset = query_newrdataset(client);
+ else if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+
+ if (sigrdataset == NULL)
+ sigrdataset = query_newrdataset(client);
+ else if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+
+ if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+ goto cleanup;
+ /*
+ * Add no qname proof.
+ */
+ labels = dns_name_countlabels(cname) + 1;
+ if (dns_name_countlabels(name) == labels)
+ dns_name_copy(name, wname, NULL);
+ else
+ dns_name_split(name, labels, NULL, wname);
+
+ query_findclosestnsec3(wname, db, NULL, client, rdataset,
+ sigrdataset, fname, ISC_FALSE, NULL);
+ if (!dns_rdataset_isassociated(rdataset))
+ goto cleanup;
+ query_addrrset(client, &fname, &rdataset, &sigrdataset,
+ dbuf, DNS_SECTION_AUTHORITY);
+
+ if (ispositive)
+ goto cleanup;
+
+ /*
+ * Replace resources which were consumed by query_addrrset.
+ */
+ if (fname == NULL) {
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ }
+
+ if (rdataset == NULL)
+ rdataset = query_newrdataset(client);
+ else if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+
+ if (sigrdataset == NULL)
+ sigrdataset = query_newrdataset(client);
+ else if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+
+ if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+ goto cleanup;
+ /*
+ * Add the no wildcard proof.
+ */
+ result = dns_name_concatenate(dns_wildcardname,
+ cname, wname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ query_findclosestnsec3(wname, db, NULL, client, rdataset,
+ sigrdataset, fname, ISC_FALSE, NULL);
+ if (!dns_rdataset_isassociated(rdataset))
+ goto cleanup;
+ query_addrrset(client, &fname, &rdataset, &sigrdataset,
+ dbuf, DNS_SECTION_AUTHORITY);
+
+ goto cleanup;
+ } else if (result == DNS_R_NXDOMAIN) {
if (!ispositive)
result = dns_rdataset_first(rdataset);
if (result == ISC_R_SUCCESS) {
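Review bot: The three query_findclosestnsec3 calls in the new NSEC3 branch pass NULL as the version, while the dns_db_find at the top of the same branch searches `version`; if NULL selects the current version, the NSEC3 proof can be drawn from a different zone version than the answer it is proving when the zone changes mid-query. Either pass `version` through or add a comment stating why the current version is intended. As a matter of style, the two "Replace resources which were consumed by query_addrrset" blocks re-implement inline what this same commit introduces as fixfname and fixrdataset in the query_addds hunk; `fixfname(client, &fname, &dbuf, &b); fixrdataset(client, &rdataset); fixrdataset(client, &sigrdataset);` would replace each block, and the same duplication appears in the query_addnoqnameproof hunk further down. query_addwildcardproof starts and continues outside this hunk.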
@@ -2822,6 +3059,7 @@ query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
if (sigrdatasetp == NULL)
return;
+
sigrdataset = *sigrdatasetp;
if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
return;
@@ -2862,8 +3100,12 @@ query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
static void
query_resume(isc_task_t *task, isc_event_t *event) {
dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+ dns_fetch_t *fetch;
ns_client_t *client;
- isc_boolean_t fetch_cancelled, client_shuttingdown;
+ isc_boolean_t fetch_canceled, client_shuttingdown;
+ isc_result_t result;
+ isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_EERRORS;
+ int errorloglevel;
/*
* Resume a query after recursion.
@@ -2884,30 +3126,31 @@ query_resume(isc_task_t *task, isc_event_t *event) {
*/
INSIST(devent->fetch == client->query.fetch);
client->query.fetch = NULL;
- fetch_cancelled = ISC_FALSE;
+ fetch_canceled = ISC_FALSE;
/*
* Update client->now.
*/
isc_stdtime_get(&client->now);
} else {
/*
- * This is a fetch completion event for a cancelled fetch.
+ * This is a fetch completion event for a canceled fetch.
* Clean up and don't resume the find.
*/
- fetch_cancelled = ISC_TRUE;
+ fetch_canceled = ISC_TRUE;
}
UNLOCK(&client->query.fetchlock);
INSIST(client->query.fetch == NULL);
client->query.attributes &= ~NS_QUERYATTR_RECURSING;
- dns_resolver_destroyfetch(&devent->fetch);
+ fetch = devent->fetch;
+ devent->fetch = NULL;
/*
* If this client is shutting down, or this transaction
* has timed out, do not resume the find.
*/
client_shuttingdown = ns_client_shuttingdown(client);
- if (fetch_cancelled || client_shuttingdown) {
+ if (fetch_canceled || client_shuttingdown) {
if (devent->node != NULL)
dns_db_detachnode(devent->db, &devent->node);
if (devent->db != NULL)
@@ -2916,8 +3159,8 @@ query_resume(isc_task_t *task, isc_event_t *event) {
if (devent->sigrdataset != NULL)
query_putrdataset(client, &devent->sigrdataset);
isc_event_free(&event);
- if (fetch_cancelled)
- query_error(client, DNS_R_SERVFAIL);
+ if (fetch_canceled)
+ query_error(client, DNS_R_SERVFAIL, __LINE__);
else
query_next(client, ISC_R_CANCELED);
/*
@@ -2925,8 +3168,22 @@ query_resume(isc_task_t *task, isc_event_t *event) {
*/
ns_client_detach(&client);
} else {
- query_find(client, devent, 0);
+ result = query_find(client, devent, 0);
+ if (result != ISC_R_SUCCESS) {
+ if (result == DNS_R_SERVFAIL)
+ errorloglevel = ISC_LOG_DEBUG(2);
+ else
+ errorloglevel = ISC_LOG_DEBUG(4);
+ if (isc_log_wouldlog(ns_g_lctx, errorloglevel)) {
+ dns_resolver_logfetch(fetch, ns_g_lctx,
+ logcategory,
+ NS_LOGMODULE_QUERY,
+ errorloglevel, ISC_FALSE);
+ }
+ }
}
+
+ dns_resolver_destroyfetch(&fetch);
}
static isc_result_t
@@ -2938,7 +3195,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
isc_sockaddr_t *peeraddr;
if (!resuming)
- inc_stats(client, dns_statscounter_recursion);
+ inc_stats(client, dns_nsstatscounter_recursion);
/*
* We are about to recurse, which means that this client will
@@ -3053,6 +3310,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
do { \
eresult = r; \
want_restart = ISC_FALSE; \
+ line = __LINE__; \
} while (0)
/*
@@ -3144,35 +3402,60 @@ static void
query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
isc_buffer_t *dbuf, b;
dns_name_t *fname;
- dns_rdataset_t *nsec, *nsecsig;
+ dns_rdataset_t *neg, *negsig;
isc_result_t result = ISC_R_NOMEMORY;
CTRACE("query_addnoqnameproof");
fname = NULL;
- nsec = NULL;
- nsecsig = NULL;
+ neg = NULL;
+ negsig = NULL;
dbuf = query_getnamebuf(client);
if (dbuf == NULL)
goto cleanup;
fname = query_newname(client, dbuf, &b);
- nsec = query_newrdataset(client);
- nsecsig = query_newrdataset(client);
- if (fname == NULL || nsec == NULL || nsecsig == NULL)
+ neg = query_newrdataset(client);
+ negsig = query_newrdataset(client);
+ if (fname == NULL || neg == NULL || negsig == NULL)
goto cleanup;
- result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
+ result = dns_rdataset_getnoqname(rdataset, fname, neg, negsig);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
+ query_addrrset(client, &fname, &neg, &negsig, dbuf,
+ DNS_SECTION_AUTHORITY);
+
+ if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) == 0)
+ goto cleanup;
+
+ if (fname == NULL) {
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ }
+ if (neg == NULL)
+ neg = query_newrdataset(client);
+ else if (dns_rdataset_isassociated(neg))
+ dns_rdataset_disassociate(neg);
+ if (negsig == NULL)
+ negsig = query_newrdataset(client);
+ else if (dns_rdataset_isassociated(negsig))
+ dns_rdataset_disassociate(negsig);
+ if (fname == NULL || neg == NULL || negsig == NULL)
+ goto cleanup;
+ result = dns_rdataset_getclosest(rdataset, fname, neg, negsig);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ query_addrrset(client, &fname, &neg, &negsig, dbuf,
DNS_SECTION_AUTHORITY);
cleanup:
- if (nsec != NULL)
- query_putrdataset(client, &nsec);
- if (nsecsig != NULL)
- query_putrdataset(client, &nsecsig);
+ if (neg != NULL)
+ query_putrdataset(client, &neg);
+ if (negsig != NULL)
+ query_putrdataset(client, &negsig);
if (fname != NULL)
query_releasename(client, &fname);
}
@@ -3292,8 +3575,7 @@ warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_rdataset_current(&found, &rdata);
result = dns_rdata_tostruct(&rdata, &soa, NULL);
- if (result != ISC_R_SUCCESS)
- return;
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dns_name_equal(&soa.origin, &prisoner) &&
dns_name_equal(&soa.contact, &hostmaster)) {
char buf[DNS_NAME_FORMATSIZE];
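Review bot: Replacing the silent `return` with `RUNTIME_CHECK(result == ISC_R_SUCCESS)` turns a failed dns_rdata_tostruct on a cached SOA into a process abort. That matches the convention this commit uses elsewhere (dns_rdataset_getnoqname in query_addnoqnameproof), and with a NULL mctx the call presumably cannot fail on well-formed rdata, but a short comment such as `/* The SOA came from our own cache; a parse failure here is a bug, not bad input. */` would record why an abort rather than a skipped warning is intended. warn_rfc1918 starts outside this hunk.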
@@ -3310,12 +3592,101 @@ warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
}
}
+static void
+query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
+ dns_dbversion_t *version, ns_client_t *client,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ dns_name_t *fname, isc_boolean_t exact,
+ dns_name_t *found)
+{
+ unsigned char salt[256];
+ size_t salt_length = sizeof(salt);
+ isc_uint16_t iterations;
+ isc_result_t result;
+ unsigned int dboptions;
+ dns_fixedname_t fixed;
+ dns_hash_t hash;
+ dns_name_t name;
+ int order;
+ unsigned int count;
+ dns_rdata_nsec3_t nsec3;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t optout;
+
+ salt_length = sizeof(salt);
+ result = dns_db_getnsec3parameters(db, version, &hash, NULL,
+ &iterations, salt, &salt_length);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ dns_name_init(&name, NULL);
+ dns_name_clone(qname, &name);
+
+ /*
+ * Map unknown algorithm to known value.
+ */
+ if (hash == DNS_NSEC3_UNKNOWNALG)
+ hash = 1;
+
+ again:
+ dns_fixedname_init(&fixed);
+ result = dns_nsec3_hashname(&fixed, NULL, NULL, &name,
+ dns_db_origin(db), hash,
+ iterations, salt, salt_length);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
+ result = dns_db_find(db, dns_fixedname_name(&fixed), version,
+ dns_rdatatype_nsec3, dboptions, client->now,
+ NULL, fname, rdataset, sigrdataset);
+
+ if (result == DNS_R_NXDOMAIN) {
+ if (!dns_rdataset_isassociated(rdataset)) {
+ return;
+ }
+ result = dns_rdataset_first(rdataset);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &nsec3, NULL);
+ dns_rdata_reset(&rdata);
+ optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+ if (found != NULL && optout &&
+ dns_name_fullcompare(&name, dns_db_origin(db), &order,
+ &count) == dns_namereln_subdomain) {
+ dns_rdataset_disassociate(rdataset);
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ count = dns_name_countlabels(&name) - 1;
+ dns_name_getlabelsequence(&name, 1, count, &name);
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+ "looking for closest provable encloser");
+ goto again;
+ }
+ if (exact)
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "expected a exact match NSEC3, got "
+ "a covering record");
+
+ } else if (result != ISC_R_SUCCESS) {
+ return;
+ } else if (!exact)
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "expected covering NSEC3, got an exact match");
+ if (found != NULL)
+ dns_name_copy(&name, found, NULL);
+ return;
+}
+
/*
* Do the bulk of query processing for the current query of 'client'.
* If 'event' is non-NULL, we are returning from recursion and 'qtype'
* is ignored. Otherwise, 'qtype' is the query type.
*/
-static void
+static isc_result_t
query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
{
dns_db_t *db, *zdb;
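Review bot: `dns_rdata_tostruct(&rdata, &nsec3, NULL);` in query_findclosestnsec3 discards its result and nsec3.flags is read immediately after, unlike the dns_rdataset_first call a few lines above which is INSIST-checked; use `result = dns_rdata_tostruct(&rdata, &nsec3, NULL); INSIST(result == ISC_R_SUCCESS);` for consistency. `salt_length = sizeof(salt);` at the top of the body repeats the declaration's initializer and one of the two can go. `hash = 1` under "Map unknown algorithm to known value" is a magic number; name the algorithm in the comment or use the hash enum's constant for it. The log string "expected a exact match NSEC3" should read "an exact match". The function is fully contained in this hunk.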
@@ -3336,7 +3707,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
isc_result_t result, eresult;
dns_fixedname_t fixed;
dns_fixedname_t wildcardname;
- dns_dbversion_t *version;
+ dns_dbversion_t *version, *zversion;
dns_zone_t *zone;
dns_rdata_cname_t cname;
dns_rdata_dname_t dname;
@@ -3344,6 +3715,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
isc_boolean_t empty_wild;
dns_rdataset_t *noqname;
isc_boolean_t resuming;
+ int line = -1;
CTRACE("query_find");
@@ -3361,6 +3733,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
zrdataset = NULL;
sigrdataset = NULL;
zsigrdataset = NULL;
+ zversion = NULL;
node = NULL;
db = NULL;
zdb = NULL;
@@ -3500,6 +3873,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
if (result != ISC_R_SUCCESS) {
if (result == DNS_R_REFUSED) {
+ if (WANTRECURSION(client)) {
+ inc_stats(client,
+ dns_nsstatscounter_recurserej);
+ } else
+ inc_stats(client, dns_nsstatscounter_authrej);
if (!PARTIALANSWER(client))
QUERY_ERROR(DNS_R_REFUSED);
} else
@@ -3544,7 +3922,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
- if (WANTDNSSEC(client)) {
+ if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
sigrdataset = query_newrdataset(client);
if (sigrdataset == NULL) {
QUERY_ERROR(DNS_R_SERVFAIL);
@@ -3685,6 +4063,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* We're authoritative for an ancestor of QNAME.
*/
if (!USECACHE(client) || !RECURSIONOK(client)) {
+ dns_fixedname_t fixed;
+
+ dns_fixedname_init(&fixed);
+ dns_name_copy(fname,
+ dns_fixedname_name(&fixed), NULL);
+
/*
* If we don't have a cache, this is the best
* answer.
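Review bot: The block-local `dns_fixedname_t fixed;` introduced here shadows the function-scope `fixed` that query_find() declares in its prologue and later uses for the NSEC3 lookup in the DNS_R_NXRRSET case, so `-Wshadow` fires and a reader has to work out which `fixed` each `dns_fixedname_name(&fixed)` refers to. The same pattern is repeated in the hunk at `@@ -3799,6 +4187,11 @@`. Renaming the inner one, e.g. `dns_fixedname_t dsname;` with the matching `dns_fixedname_name(&dsname)` in the query_addds() calls that consume it in the following hunks, removes the ambiguity. query_find()'s body extends well beyond this hunk.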
@@ -3718,8 +4102,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
&rdataset, sigrdatasetp,
dbuf, DNS_SECTION_AUTHORITY);
client->query.gluedb = NULL;
- if (WANTDNSSEC(client) && dns_db_issecure(db))
- query_addds(client, db, node, version);
+ if (WANTDNSSEC(client))
+ query_addds(client, db, node, version,
+ dns_fixedname_name(&fixed));
} else {
/*
* We might have a better answer or delegation
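Review bot: The `dns_db_issecure(db)` test that used to gate query_addds() is dropped here (and again in the hunk at `@@ -3825,7 +4218,8 @@`), so for an unsigned zone the call is now made whenever the client set DO. If the new query_addds() performs that check itself now that it receives the delegation name — its definition is outside this chunk — a one-line comment at the call site, `/* query_addds() handles insecure zones itself. */`, would keep the next reader from re-adding the guard; if it does not, the guard should be restored. query_find() continues outside the hunk.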
@@ -3738,6 +4123,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
zsigrdataset = sigrdataset;
sigrdataset = NULL;
dns_db_detachnode(db, &node);
+ zversion = version;
version = NULL;
db = NULL;
dns_db_attach(client->view->cachedb, &db);
@@ -3771,6 +4157,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
zrdataset = NULL;
sigrdataset = zsigrdataset;
zsigrdataset = NULL;
+ version = zversion;
+ zversion = NULL;
/*
* We don't clean up zdb here because we
* may still need it. It will get cleaned
@@ -3799,6 +4187,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
else
QUERY_ERROR(DNS_R_SERVFAIL);
} else {
+ dns_fixedname_t fixed;
+
+ dns_fixedname_init(&fixed);
+ dns_name_copy(fname,
+ dns_fixedname_name(&fixed), NULL);
/*
* This is the best answer.
*/
@@ -3825,7 +4218,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client->query.attributes &=
~NS_QUERYATTR_CACHEGLUEOK;
if (WANTDNSSEC(client))
- query_addds(client, db, node, version);
+ query_addds(client, db, node, version,
+ dns_fixedname_name(&fixed));
}
}
goto cleanup;
@@ -3834,6 +4228,80 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/* FALLTHROUGH */
case DNS_R_NXRRSET:
INSIST(is_zone);
+ /*
+ * Look for a NSEC3 record if we don't have a NSEC record.
+ */
+ if (!dns_rdataset_isassociated(rdataset) &&
+ WANTDNSSEC(client)) {
+ if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
+ dns_name_t *found;
+ dns_name_t *qname;
+
+ dns_fixedname_init(&fixed);
+ found = dns_fixedname_name(&fixed);
+ qname = client->query.qname;
+
+ query_findclosestnsec3(qname, db, version,
+ client, rdataset,
+ sigrdataset, fname,
+ ISC_TRUE, found);
+ /*
+ * Did we find the closest provable encloser
+ * instead? If so add the nearest to the
+ * closest provable encloser.
+ */
+ if (found &&
+ dns_rdataset_isassociated(rdataset) &&
+ !dns_name_equal(qname, found))
+ {
+ unsigned int count;
+ unsigned int skip;
+
+ /*
+ * Add the closest provable encloser.
+ */
+ query_addrrset(client, &fname,
+ &rdataset, &sigrdataset,
+ dbuf,
+ DNS_SECTION_AUTHORITY);
+
+ count = dns_name_countlabels(found)
+ + 1;
+ skip = dns_name_countlabels(qname) -
+ count;
+ dns_name_getlabelsequence(qname, skip,
+ count,
+ found);
+
+ fixfname(client, &fname, &dbuf, &b);
+ fixrdataset(client, &rdataset);
+ fixrdataset(client, &sigrdataset);
+ if (fname == NULL ||
+ rdataset == NULL ||
+ sigrdataset == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ /*
+ * 'nearest' doesn't exist so
+ * 'exist' is set to ISC_FALSE.
+ */
+ query_findclosestnsec3(found, db,
+ version,
+ client,
+ rdataset,
+ sigrdataset,
+ fname,
+ ISC_FALSE,
+ NULL);
+ }
+ } else {
+ query_releasename(client, &fname);
+ query_addwildcardproof(client, db, version,
+ client->query.qname,
+ ISC_FALSE);
+ }
+ }
if (dns_rdataset_isassociated(rdataset)) {
/*
* If we've got a NSEC record, we need to save the
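Review bot: The comment before the second query_findclosestnsec3() call says `'exist' is set to ISC_FALSE`, but the parameter it describes is `exact` (tested as `if (exact)` inside query_findclosestnsec3()), so it should read `* 'nearest' doesn't exist so 'exact' is set to ISC_FALSE.` The `found &&` test after the first call is always true because `found` is assigned `dns_fixedname_name(&fixed)` a few lines earlier and the pointer itself is never changed; dropping it, `if (dns_rdataset_isassociated(rdataset) && !dns_name_equal(qname, found))`, makes the real condition visible. The `skip` subtraction relies on `found` being a proper ancestor of `qname`, which holds because query_findclosestnsec3() derives it by stripping labels from the query name; one comment line above the `count`/`skip` computation stating that invariant would make the unsigned arithmetic obviously safe. The enclosing query_find() continues outside the hunk.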
@@ -3841,7 +4309,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* below, and it needs to use the name buffer.
*/
query_keepname(client, fname, dbuf);
- } else {
+ } else if (fname != NULL) {
/*
* We're not going to use fname, and need to release
* our hold on the name buffer so query_addsoa()
@@ -3867,9 +4335,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
&sigrdataset);
}
goto cleanup;
+
case DNS_R_EMPTYWILD:
empty_wild = ISC_TRUE;
/* FALLTHROUGH */
+
case DNS_R_NXDOMAIN:
INSIST(is_zone);
if (dns_rdataset_isassociated(rdataset)) {
@@ -3879,7 +4349,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* below, and it needs to use the name buffer.
*/
query_keepname(client, fname, dbuf);
- } else {
+ } else if (fname != NULL) {
/*
* We're not going to use fname, and need to release
* our hold on the name buffer so query_addsoa()
@@ -3905,19 +4375,19 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
QUERY_ERROR(result);
goto cleanup;
}
- /*
- * Add NSEC record if we found one.
- */
- if (dns_rdataset_isassociated(rdataset)) {
- if (WANTDNSSEC(client)) {
+
+ if (WANTDNSSEC(client)) {
+ /*
+ * Add NSEC record if we found one.
+ */
+ if (dns_rdataset_isassociated(rdataset))
query_addrrset(client, &fname, &rdataset,
&sigrdataset,
NULL, DNS_SECTION_AUTHORITY);
- query_addwildcardproof(client, db, version,
- client->query.qname,
- ISC_FALSE);
- }
+ query_addwildcardproof(client, db, version,
+ client->query.qname, ISC_FALSE);
}
+
/*
* Set message rcode.
*/
@@ -3926,6 +4396,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
else
client->message->rcode = dns_rcode_nxdomain;
goto cleanup;
+
case DNS_R_NCACHENXDOMAIN:
case DNS_R_NCACHENXRRSET:
INSIST(!is_zone);
@@ -3954,6 +4425,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
fname = NULL;
rdataset = NULL;
goto cleanup;
+
case DNS_R_CNAME:
/*
* Keep a copy of the rdataset. We have to do this because
@@ -3976,8 +4448,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
NULL);
need_wildcardproof = ISC_TRUE;
}
- if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
- WANTDNSSEC(client))
+ if (NOQNAME(rdataset) && WANTDNSSEC(client))
noqname = rdataset;
else
noqname = NULL;
@@ -4185,17 +4656,32 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, rdataset);
- if ((qtype == dns_rdatatype_any ||
+ if (is_zone && qtype == dns_rdatatype_any &&
+ !dns_db_issecure(db) &&
+ dns_rdatatype_isdnssec(rdataset->type)) {
+ /*
+ * The zone is transitioning from insecure
+ * to secure. Hide the dnssec records from
+ * ANY queries.
+ */
+ dns_rdataset_disassociate(rdataset);
+ } else if ((qtype == dns_rdatatype_any ||
rdataset->type == qtype) && rdataset->type != 0) {
+ if (NOQNAME(rdataset) && WANTDNSSEC(client))
+ noqname = rdataset;
+ else
+ noqname = NULL;
query_addrrset(client,
fname != NULL ? &fname : &tname,
&rdataset, NULL,
NULL, DNS_SECTION_ANSWER);
+ if (noqname != NULL)
+ query_addnoqnameproof(client, noqname);
n++;
INSIST(tname != NULL);
/*
- * rdataset is non-NULL only in certain pathological
- * cases involving DNAMEs.
+ * rdataset is non-NULL only in certain
+ * pathological cases involving DNAMEs.
*/
if (rdataset != NULL)
query_putrdataset(client, &rdataset);
@@ -4214,7 +4700,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (fname != NULL)
dns_message_puttempname(client->message, &fname);
- if (n == 0) {
+ if (n == 0 && is_zone) {
/*
* We didn't match any rdatasets.
*/
@@ -4275,8 +4761,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
sigrdatasetp = &sigrdataset;
else
sigrdatasetp = NULL;
- if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
- WANTDNSSEC(client))
+ if (NOQNAME(rdataset) && WANTDNSSEC(client))
noqname = rdataset;
else
noqname = NULL;
@@ -4388,7 +4873,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* or if the client requested recursion and thus wanted
* the complete answer, send an error response.
*/
- query_error(client, eresult);
+ INSIST(line >= 0);
+ query_error(client, eresult, line);
}
ns_client_detach(&client);
} else if (!RECURSING(client)) {
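Review bot: `INSIST(line >= 0)` turns a missing line number — a purely diagnostic value, initialised to `-1` in the prologue — into a fatal assertion, which in named means the whole server process aborts on that query. Every error path reaching here presumably records `line` through QUERY_ERROR (the macro is outside this chunk), but any future path that assigns `eresult` directly would take the server down instead of merely logging `-1`. Keeping `query_error(client, eresult, line);` without the INSIST, and letting log_queryerror() print whatever value it received, is the safer failure mode for a long-running resolver. query_find() continues outside the hunk.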
@@ -4405,7 +4891,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* is in the glue sort it to the start of the additional
* section.
*/
- if (client->message->counts[DNS_SECTION_ANSWER] == 0 &&
+ if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
client->message->rcode == dns_rcode_noerror &&
(qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
answer_in_glue(client, qtype);
@@ -4414,14 +4900,26 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client->view->auth_nxdomain == ISC_TRUE)
client->message->flags |= DNS_MESSAGEFLAG_AA;
+ /*
+ * If the response is somehow unexpected for the client and this
+ * is a result of recursion, return an error to the caller
+ * to indicate it may need to be logged.
+ */
+ if (resuming &&
+ (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
+ client->message->rcode != dns_rcode_noerror))
+ eresult = ISC_R_FAILURE;
+
query_send(client);
ns_client_detach(&client);
}
CTRACE("query_find: done");
+
+ return (eresult);
}
static inline void
-log_query(ns_client_t *client) {
+log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
char namebuf[DNS_NAME_FORMATSIZE];
char typename[DNS_RDATATYPE_FORMATSIZE];
char classname[DNS_RDATACLASS_FORMATSIZE];
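Review bot: The `resuming` check reports every empty answer section as `ISC_R_FAILURE`, but an empty answer with rcode NOERROR is the normal NODATA outcome of a successful recursion, so any caller acting on the return value will treat routine NODATA answers as failures. The comment above calls such a response `somehow unexpected`, which does not fit that case; either the condition should drop the `ISC_LIST_EMPTY(...)` half and test `client->message->rcode != dns_rcode_noerror` alone, or the comment should state that NODATA from recursion is deliberately reported so the caller can log it. The only caller visible in this chunk discards the result with `(void)`; the recursion callback that presumably consumes it is outside this chunk.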
@@ -4438,10 +4936,54 @@ log_query(ns_client_t *client) {
dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
- level, "query: %s %s %s %s%s%s", namebuf, classname,
+ level, "query: %s %s %s %s%s%s%s%s", namebuf, classname,
typename, WANTRECURSION(client) ? "+" : "-",
(client->signer != NULL) ? "S": "",
- (client->opt != NULL) ? "E" : "");
+ (client->opt != NULL) ? "E" : "",
+ ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
+ ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "");
+}
+
+static inline void
+log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typename[DNS_RDATATYPE_FORMATSIZE];
+ char classname[DNS_RDATACLASS_FORMATSIZE];
+ const char *namep, *typep, *classp, *sep1, *sep2;
+ dns_rdataset_t *rdataset;
+
+ if (!isc_log_wouldlog(ns_g_lctx, level))
+ return;
+
+ namep = typep = classp = sep1 = sep2 = "";
+
+ /*
+ * Query errors can happen for various reasons. In some cases we cannot
+ * even assume the query contains a valid question section, so we should
+ * expect exceptional cases.
+ */
+ if (client->query.origqname != NULL) {
+ dns_name_format(client->query.origqname, namebuf,
+ sizeof(namebuf));
+ namep = namebuf;
+ sep1 = " for ";
+
+ rdataset = ISC_LIST_HEAD(client->query.origqname->list);
+ if (rdataset != NULL) {
+ dns_rdataclass_format(rdataset->rdclass, classname,
+ sizeof(classname));
+ classp = classname;
+ dns_rdatatype_format(rdataset->type, typename,
+ sizeof(typename));
+ typep = typename;
+ sep2 = "/";
+ }
+ }
+
+ ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY,
+ level, "query failed (%s)%s%s%s%s%s%s at %s:%d",
+ isc_result_totext(result), sep1, namep, sep2,
+ classp, sep2, typep, __FILE__, line);
}
void
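Review bot: log_queryerror() has no header comment, and unlike log_query() just above it logs `__FILE__`, which expands to the path the file was compiled from and so can put the build tree's directory layout into the query-errors log. A short header such as `/* Log a failed query at 'level': the original name/class/type when the question section is usable, plus the query.c line that reported the error. */`, together with a note that the full `__FILE__` path is intentional (or trimming it to the basename), would make the intent explicit. The early `isc_log_wouldlog()` return is a good choice since formatting the name is not free.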
@@ -4451,11 +4993,19 @@ ns_query_start(ns_client_t *client) {
dns_rdataset_t *rdataset;
ns_client_t *qclient;
dns_rdatatype_t qtype;
+ unsigned int saved_extflags = client->extflags;
+ unsigned int saved_flags = client->message->flags;
isc_boolean_t want_ad;
CTRACE("ns_query_start");
/*
+ * Test only.
+ */
+ if (ns_g_clienttest && (client->attributes & NS_CLIENTATTR_TCP) == 0)
+ RUNTIME_CHECK(ns_client_replace(client) == ISC_R_SUCCESS);
+
+ /*
* Ensure that appropriate cleanups occur.
*/
client->next = query_next_callback;
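Review bot: The reason for snapshotting `client->extflags` and `client->message->flags` into `saved_extflags`/`saved_flags` at function entry is not stated; they are only consumed by the log_query() call further down, which suggests the live fields are modified before that point, but this chunk does not show where. If that is the case, a one-line comment, `/* Snapshot the request's DO/CD bits before processing alters them; log_query() reports the original values. */`, would pin it down. The `RUNTIME_CHECK` on ns_client_replace() aborts the process on failure, which is tolerable only because it is behind `ns_g_clienttest`; the terse `Test only.` comment could say that. ns_query_start() continues outside the hunk.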
@@ -4504,7 +5054,7 @@ ns_query_start(ns_client_t *client) {
*/
result = dns_message_firstname(message, DNS_SECTION_QUESTION);
if (result != ISC_R_SUCCESS) {
- query_error(client, result);
+ query_error(client, result, __LINE__);
return;
}
dns_message_currentname(message, DNS_SECTION_QUESTION,
@@ -4517,20 +5067,20 @@ ns_query_start(ns_client_t *client) {
* There's more than one QNAME in the question
* section.
*/
- query_error(client, DNS_R_FORMERR);
+ query_error(client, DNS_R_FORMERR, __LINE__);
} else
- query_error(client, result);
+ query_error(client, result, __LINE__);
return;
}
if (ns_g_server->log_queries)
- log_query(client);
+ log_query(client, saved_flags, saved_extflags);
/*
* Check for multiple question queries, since edns1 is dead.
*/
if (message->counts[DNS_SECTION_QUESTION] > 1) {
- query_error(client, DNS_R_FORMERR);
+ query_error(client, DNS_R_FORMERR, __LINE__);
return;
}
@@ -4540,6 +5090,7 @@ ns_query_start(ns_client_t *client) {
rdataset = ISC_LIST_HEAD(client->query.qname->list);
INSIST(rdataset != NULL);
qtype = rdataset->type;
+ dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
if (dns_rdatatype_ismeta(qtype)) {
switch (qtype) {
case dns_rdatatype_any:
@@ -4550,7 +5101,7 @@ ns_query_start(ns_client_t *client) {
return;
case dns_rdatatype_maila:
case dns_rdatatype_mailb:
- query_error(client, DNS_R_NOTIMP);
+ query_error(client, DNS_R_NOTIMP, __LINE__);
return;
case dns_rdatatype_tkey:
result = dns_tkey_processquery(client->message,
@@ -4559,15 +5110,22 @@ ns_query_start(ns_client_t *client) {
if (result == ISC_R_SUCCESS)
query_send(client);
else
- query_error(client, result);
+ query_error(client, result, __LINE__);
return;
default: /* TSIG, etc. */
- query_error(client, DNS_R_FORMERR);
+ query_error(client, DNS_R_FORMERR, __LINE__);
return;
}
}
/*
+ * Turn on minimal response for DNSKEY queries.
+ */
+ if (qtype == dns_rdatatype_dnskey)
+ client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+ NS_QUERYATTR_NOADDITIONAL);
+
+ /*
* If the client has requested that DNSSEC checking be disabled,
* allow lookups to return pending data and instruct the resolver
* to return data before validation has completed.
@@ -4623,5 +5181,5 @@ ns_query_start(ns_client_t *client) {
qclient = NULL;
ns_client_attach(client, &qclient);
- query_find(qclient, NULL, qtype);
+ (void)query_find(qclient, NULL, qtype);
}
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
index 784ff94..e685e18 100644
--- a/contrib/bind9/bin/named/server.c
+++ b/contrib/bind9/bin/named/server.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.419.18.68 2008/09/04 23:46:08 tbox Exp $ */
+/* $Id: server.c,v 1.520.12.7 2009/01/30 03:53:38 marka Exp $ */
/*! \file */
@@ -30,17 +30,20 @@
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/hash.h>
+#include <isc/httpd.h>
#include <isc/lex.h>
#include <isc/parseint.h>
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/resource.h>
#include <isc/socket.h>
+#include <isc/stats.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/timer.h>
#include <isc/util.h>
+#include <isc/xml.h>
#include <isccfg/namedconf.h>
@@ -63,6 +66,7 @@
#include <dns/order.h>
#include <dns/peer.h>
#include <dns/portlist.h>
+#include <dns/rbt.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
@@ -71,6 +75,7 @@
#include <dns/secalg.h>
#include <dns/stats.h>
#include <dns/tkey.h>
+#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
#include <dns/zt.h>
@@ -88,6 +93,7 @@
#include <named/main.h>
#include <named/os.h>
#include <named/server.h>
+#include <named/statschannel.h>
#include <named/tkeyconf.h>
#include <named/tsigconf.h>
#include <named/zoneconf.h>
@@ -101,12 +107,12 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
} while (0)
#define CHECKM(op, msg) \
- do { result = (op); \
+ do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(ns_g_lctx, \
NS_LOGCATEGORY_GENERAL, \
@@ -119,7 +125,7 @@
} while (0) \
#define CHECKMF(op, msg, file) \
- do { result = (op); \
+ do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(ns_g_lctx, \
NS_LOGCATEGORY_GENERAL, \
@@ -132,7 +138,7 @@
} while (0) \
#define CHECKFATAL(op, msg) \
- do { result = (op); \
+ do { result = (op); \
if (result != ISC_R_SUCCESS) \
fatal(msg, result); \
} while (0) \
@@ -209,7 +215,7 @@ static const struct {
/* Local IPv6 Unicast Addresses */
{ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
{ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
- /* LOCALLY ASSIGNED LOCAL ADDRES S SCOPE */
+ /* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
{ "D.F.IP6.ARPA", ISC_FALSE },
{ "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
{ "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
@@ -251,9 +257,8 @@ static void
end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
/*%
- * Configure a single view ACL at '*aclp'. Get its configuration by
- * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl'
- * (for a global default).
+ * Configure a single view ACL at '*aclp'. Get its configuration from
+ * 'vconfig' (for per-view configuration) and maybe from 'config'
*/
static isc_result_t
configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
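Review bot: The rewritten header comment for configure_view_acl() ends mid-sentence: `'vconfig' (for per-view configuration) and maybe from 'config'` has lost the closing clause and full stop the old text had. It should read `* 'vconfig' (for per-view configuration) and maybe from 'config' (for a global default).` configure_view_acl()'s body starts after the hunk.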
@@ -280,12 +285,56 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
(void)ns_config_get(maps, aclname, &aclobj);
if (aclobj == NULL)
/*
- * No value available. *aclp == NULL.
+ * No value available. *aclp == NULL.
*/
return (ISC_R_SUCCESS);
result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
- actx, mctx, aclp);
+ actx, mctx, 0, aclp);
+
+ return (result);
+}
+
+
+/*%
+ * Configure a sortlist at '*aclp'. Essentially the same as
+ * configure_view_acl() except it calls cfg_acl_fromconfig with a
+ * nest_level value of 2.
+ */
+static isc_result_t
+configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+ cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+ dns_acl_t **aclp)
+{
+ isc_result_t result;
+ const cfg_obj_t *maps[3];
+ const cfg_obj_t *aclobj = NULL;
+ int i = 0;
+
+ if (*aclp != NULL)
+ dns_acl_detach(aclp);
+ if (vconfig != NULL)
+ maps[i++] = cfg_tuple_get(vconfig, "options");
+ if (config != NULL) {
+ const cfg_obj_t *options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ maps[i++] = options;
+ }
+ maps[i] = NULL;
+
+ (void)ns_config_get(maps, "sortlist", &aclobj);
+ if (aclobj == NULL)
+ return (ISC_R_SUCCESS);
+
+ /*
+ * Use a nest level of 3 for the "top level" of the sortlist;
+ * this means each entry in the top three levels will be stored
+ * as lists of separate, nested ACLs, rather than merged together
+ * into IP tables as is usually done with ACLs.
+ */
+ result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
+ actx, mctx, 3, aclp);
return (result);
}
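Review bot: The header comment for configure_view_sortlist() says it calls cfg_acl_fromconfig() with `a nest_level value of 2`, but the call passes `3` and the inline comment directly above it explains a nest level of 3; one of the two is wrong, and the value determines how many levels of the sortlist stay as nested ACLs instead of being merged into IP tables. Assuming the code is right, the header should read `* configure_view_acl() except it calls cfg_acl_fromconfig with a` / `* nest_level value of 3.` The `maps[3]` sizing works because at most two maps are pushed before the terminating NULL; `const cfg_obj_t *maps[3]; /* view options, global options, NULL */` records that.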
@@ -398,7 +447,7 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
* the security roots.
*
* The per-view configuration values and the server-global defaults are read
- * from 'vconfig' and 'config'. The variable to be configured is '*target'.
+ * from 'vconfig' and 'config'. The variable to be configured is '*target'.
*/
static isc_result_t
configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
@@ -694,6 +743,11 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
obj = NULL;
+ (void)cfg_map_get(cpeer, "request-nsid", &obj);
+ if (obj != NULL)
+ CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
+
+ obj = NULL;
(void)cfg_map_get(cpeer, "edns", &obj);
if (obj != NULL)
CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
@@ -901,6 +955,41 @@ check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
isc_mem_free(mctx, argv);
}
+static isc_result_t
+setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
+ isc_result_t result;
+ isc_stats_t *zoneqrystats;
+
+ zoneqrystats = NULL;
+ if (on) {
+ result = isc_stats_create(mctx, &zoneqrystats,
+ dns_nsstatscounter_max);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ dns_zone_setrequeststats(zone, zoneqrystats);
+ if (zoneqrystats != NULL)
+ isc_stats_detach(&zoneqrystats);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+cache_reusable(dns_view_t *originview, dns_view_t *view,
+ isc_boolean_t new_zero_no_soattl)
+{
+ if (originview->checknames != view->checknames ||
+ dns_resolver_getzeronosoattl(originview->resolver) !=
+ new_zero_no_soattl ||
+ originview->acceptexpired != view->acceptexpired ||
+ originview->enablevalidation != view->enablevalidation ||
+ originview->maxcachettl != view->maxcachettl ||
+ originview->maxncachettl != view->maxncachettl) {
+ return (ISC_FALSE);
+ }
+
+ return (ISC_TRUE);
+}
/*
* Configure 'view' according to 'vconfig', taking defaults from 'config'
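Review bot: cache_reusable() dereferences `originview->resolver` without a NULL check, and neither function in this hunk has a header comment. If every view in `ns_g_server->viewlist` is guaranteed to have a resolver by the time configure_view() runs — plausible, but not visible here — that precondition belongs in a comment, e.g. `/* Compare the cache-affecting settings of the existing 'originview' (which must have a resolver) against the new 'view'; the new view's zero-no-soa-ttl-cache value is passed separately because its resolver is created later. */`; otherwise a `if (originview->resolver == NULL) return (ISC_FALSE);` guard is needed. setquerystats() would likewise benefit from a one-liner saying that `on == ISC_FALSE` hands a NULL stats object to dns_zone_setrequeststats().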
@@ -947,7 +1036,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
const char *str;
dns_order_t *order = NULL;
isc_uint32_t udpsize;
- unsigned int check = 0;
+ unsigned int resopts = 0;
dns_zone_t *zone = NULL;
isc_uint32_t max_clients_per_query;
const char *sep = ": view ";
@@ -956,6 +1045,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
isc_boolean_t rfc1918;
isc_boolean_t empty_zones_enable;
const cfg_obj_t *disablelist = NULL;
+ isc_stats_t *resstats = NULL;
+ dns_stats_t *resquerystats = NULL;
+ isc_boolean_t zero_no_soattl;
REQUIRE(DNS_VIEW_VALID(view));
@@ -1005,6 +1097,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
CHECK(isc_mem_create(0, 0, &cmctx));
CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
ns_g_timermgr));
+ isc_mem_setname(cmctx, "acache", NULL);
isc_mem_detach(&cmctx);
}
if (view->acache != NULL) {
@@ -1096,17 +1189,70 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
#endif
/*
+ * Obtain configuration parameters that affect the decision of whether
+ * we can reuse/share an existing cache.
+ */
+ /* Check-names. */
+ obj = NULL;
+ result = ns_checknames_get(maps, "response", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+
+ str = cfg_obj_asstring(obj);
+ if (strcasecmp(str, "fail") == 0) {
+ resopts |= DNS_RESOLVER_CHECKNAMES |
+ DNS_RESOLVER_CHECKNAMESFAIL;
+ view->checknames = ISC_TRUE;
+ } else if (strcasecmp(str, "warn") == 0) {
+ resopts |= DNS_RESOLVER_CHECKNAMES;
+ view->checknames = ISC_FALSE;
+ } else if (strcasecmp(str, "ignore") == 0) {
+ view->checknames = ISC_FALSE;
+ } else
+ INSIST(0);
+
+ obj = NULL;
+ result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ zero_no_soattl = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-accept-expired", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->acceptexpired = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-validation", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->enablevalidation = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->maxcachettl = cfg_obj_asuint32(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-ncache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->maxncachettl = cfg_obj_asuint32(obj);
+ if (view->maxncachettl > 7 * 24 * 3600)
+ view->maxncachettl = 7 * 24 * 3600;
+
+ /*
* Configure the view's cache. Try to reuse an existing
* cache if possible, otherwise create a new cache.
* Note that the ADB is not preserved in either case.
+ * When a matching view is found, the associated statistics are
+ * also retrieved and reused.
*
- * XXX Determining when it is safe to reuse a cache is
- * tricky. When the view's configuration changes, the cached
- * data may become invalid because it reflects our old
- * view of the world. As more view attributes become
- * configurable, we will have to add code here to check
- * whether they have changed in ways that could
- * invalidate the cache.
+ * XXX Determining when it is safe to reuse a cache is tricky.
+ * When the view's configuration changes, the cached data may become
+ * invalid because it reflects our old view of the world. We check
+ * some of the configuration parameters that could invalidate the cache,
+ * but there are other configuration options that should be checked.
+ * For example, if a view uses a forwarder, changes in the forwarder
+ * configuration may invalidate the cache. At the moment, it's the
+ * administrator's responsibility to ensure these configuration options
+ * don't invalidate reusing.
*/
result = dns_viewlist_find(&ns_g_server->viewlist,
view->name, view->rdclass,
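Review bot: The `max-ncache-ttl` clamp spells `7 * 24 * 3600` twice and silently lowers a configured value above it, so an operator who sets a larger TTL gets no indication that it was overridden. A file-scope `enum { MAX_NCACHE_TTL = 7 * 24 * 3600 };` used in both places, plus an isc_log_write() at ISC_LOG_WARNING inside the `if`, would make the cap both visible and self-documenting. The `INSIST(0)` fallback in the check-names chain relies on the config parser having already rejected any other value; a comment saying so would spare the reader the same question. configure_view() continues outside the hunk.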
@@ -1114,17 +1260,29 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
goto cleanup;
if (pview != NULL) {
- INSIST(pview->cache != NULL);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
- "reusing existing cache");
- reused_cache = ISC_TRUE;
- dns_cache_attach(pview->cache, &cache);
+ if (cache_reusable(pview, view, zero_no_soattl)) {
+ INSIST(pview->cache != NULL);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
+ "reusing existing cache");
+ reused_cache = ISC_TRUE;
+ dns_cache_attach(pview->cache, &cache);
+ } else {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+ "cache cannot be reused for view %s "
+ "due to configuration parameter mismatch",
+ view->name);
+ }
+ dns_view_getresstats(pview, &resstats);
+ dns_view_getresquerystats(pview, &resquerystats);
dns_view_detach(&pview);
- } else {
+ }
+ if (cache == NULL) {
CHECK(isc_mem_create(0, 0, &cmctx));
CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr,
view->rdclass, "rbt", 0, NULL, &cache));
+ isc_mem_setname(cmctx, "cache", NULL);
}
dns_view_setcache(view, cache);
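Review bot: When cache_reusable() rejects the existing cache the message goes out at `ISC_LOG_DEBUG(1)`, so with default logging a reload that throws away a view's whole cache because of a settings change leaves no trace, even though the resulting cold cache changes the server's upstream query load until it warms up. Since this is a direct consequence of an operator's configuration change, `ISC_LOG_INFO` looks like the more appropriate level for that branch. configure_view() continues outside the hunk.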
@@ -1170,27 +1328,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_cache_detach(&cache);
/*
- * Check-names.
- */
- obj = NULL;
- result = ns_checknames_get(maps, "response", &obj);
- INSIST(result == ISC_R_SUCCESS);
-
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "fail") == 0) {
- check = DNS_RESOLVER_CHECKNAMES |
- DNS_RESOLVER_CHECKNAMESFAIL;
- view->checknames = ISC_TRUE;
- } else if (strcasecmp(str, "warn") == 0) {
- check = DNS_RESOLVER_CHECKNAMES;
- view->checknames = ISC_FALSE;
- } else if (strcasecmp(str, "ignore") == 0) {
- check = 0;
- view->checknames = ISC_FALSE;
- } else
- INSIST(0);
-
- /*
* Resolver.
*
* XXXRTH Hardwired number of tasks.
@@ -1210,9 +1347,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
}
CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
ns_g_socketmgr, ns_g_timermgr,
- check, ns_g_dispatchmgr,
+ resopts, ns_g_dispatchmgr,
dispatch4, dispatch6));
+ if (resstats == NULL) {
+ CHECK(isc_stats_create(mctx, &resstats,
+ dns_resstatscounter_max));
+ }
+ dns_view_setresstats(view, resstats);
+ if (resquerystats == NULL)
+ CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
+ dns_view_setresquerystats(view, resquerystats);
+
/*
* Set the ADB cache size to 1/8th of the max-cache-size.
*/
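Review bot: `zero_no_soattl` is read from the configuration earlier in this function and used for the cache-reuse decision, but this hunk, which creates the view's resolver, never applies it with dns_resolver_setzeronosoattl(), and the original call is deleted in the next hunk (`@@ -1235,11 +1381,6 @@`). Unless it is applied to `view->resolver` further down outside this chunk, the `zero-no-soa-ttl-cache` option silently stops taking effect; if it is, a comment here such as `/* zero_no_soattl is applied below, once the resolver is configured. */` would make that visible. Whether `cleanup` detaches the `resstats`/`resquerystats` taken over from `pview` on a later CHECK failure is also outside this chunk.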
@@ -1235,11 +1381,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
lame_ttl = 1800;
dns_resolver_setlamettl(view->resolver, lame_ttl);
- obj = NULL;
- result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_resolver_setzeronosoattl(view->resolver, cfg_obj_asboolean(obj));
-
/*
* Set the resolver's EDNS UDP size.
*/
@@ -1460,28 +1601,26 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
}
/*
- * Set "allow-query-cache" and "allow-recursion" acls if
+ * Set "allow-query-cache", "allow-query-cache-on",
+ * "allow-recursion", and "allow-recursion-on" acls if
* configured in named.conf.
*/
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
actx, ns_g_mctx, &view->queryacl));
-
- if (strcmp(view->name, "_bind") != 0)
+ CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
+ actx, ns_g_mctx, &view->queryonacl));
+ if (view->queryonacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-query-cache-on", actx,
+ ns_g_mctx, &view->queryonacl));
+ if (strcmp(view->name, "_bind") != 0) {
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
- actx, ns_g_mctx, &view->recursionacl));
-
- /*
- * Warning if both "recursion no;" and allow-recursion are active
- * except for "allow-recursion { none; };".
- */
- if (!view->recursion && view->recursionacl != NULL &&
- (view->recursionacl->length != 1 ||
- view->recursionacl->elements[0].type != dns_aclelementtype_any ||
- view->recursionacl->elements[0].negative != ISC_TRUE))
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "both \"recursion no;\" and \"allow-recursion\" "
- "active%s%s", forview, viewname);
+ actx, ns_g_mctx,
+ &view->recursionacl));
+ CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
+ actx, ns_g_mctx,
+ &view->recursiononacl));
+ }
/*
* "allow-query-cache" inherits from "allow-recursion" if set,
@@ -1491,25 +1630,66 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
*/
if (view->queryacl == NULL && view->recursionacl != NULL)
dns_acl_attach(view->recursionacl, &view->queryacl);
- if (view->queryacl == NULL)
+ if (view->queryacl == NULL && view->recursion)
CHECK(configure_view_acl(vconfig, config, "allow-query",
actx, ns_g_mctx, &view->queryacl));
- if (view->recursionacl == NULL && view->queryacl != NULL)
+ if (view->recursion &&
+ view->recursionacl == NULL && view->queryacl != NULL)
dns_acl_attach(view->queryacl, &view->recursionacl);
/*
- * Set default "allow-recursion" and "allow-query-cache" acls.
+ * Set default "allow-recursion", "allow-recursion-on" and
+ * "allow-query-cache" acls.
*/
if (view->recursionacl == NULL && view->recursion)
- CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion",
- actx, ns_g_mctx, &view->recursionacl));
- if (view->queryacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-query-cache", actx,
- ns_g_mctx, &view->queryacl));
+ "allow-recursion",
+ actx, ns_g_mctx,
+ &view->recursionacl));
+ if (view->recursiononacl == NULL && view->recursion)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-recursion-on",
+ actx, ns_g_mctx,
+ &view->recursiononacl));
+ if (view->queryacl == NULL) {
+ if (view->recursion)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-query-cache", actx,
+ ns_g_mctx, &view->queryacl));
+ else {
+ if (view->queryacl != NULL)
+ dns_acl_detach(&view->queryacl);
+ CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
+ }
+ }
+
+ /*
+ * Configure sortlist, if set
+ */
+ CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
+ &view->sortlist));
- CHECK(configure_view_acl(vconfig, config, "sortlist",
- actx, ns_g_mctx, &view->sortlist));
+ /*
+ * Configure default allow-transfer, allow-notify, allow-update
+ * and allow-update-forwarding ACLs, if set, so they can be
+ * inherited by zones.
+ */
+ if (view->notifyacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-notify", actx,
+ ns_g_mctx, &view->notifyacl));
+ if (view->transferacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-transfer", actx,
+ ns_g_mctx, &view->transferacl));
+ if (view->updateacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-update", actx,
+ ns_g_mctx, &view->updateacl));
+ if (view->upfwdacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-update-forwarding", actx,
+ ns_g_mctx, &view->upfwdacl));
obj = NULL;
result = ns_config_get(maps, "request-ixfr", &obj);
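Review bot: The `if (view->queryacl != NULL) dns_acl_detach(&view->queryacl);` inside the `else` branch of the new `if (view->queryacl == NULL)` block is unreachable, because the outer condition already guarantees the pointer is NULL; drop those two lines and leave `CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));` on its own. That branch encodes a security-relevant default that deserves a comment, e.g. `/* recursion no: cache queries are denied unless allow-query-cache was set explicitly */`. The new fallbacks for allow-notify, allow-transfer, allow-update and allow-update-forwarding hand every zone without its own ACL whatever ns_g_config's built-in default is, which is not visible here; the comment above them should say that the built-in default, not "deny", is what zones inherit. configure_view begins and ends outside this hunk.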
@@ -1522,6 +1702,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
view->provideixfr = cfg_obj_asboolean(obj);
obj = NULL;
+ result = ns_config_get(maps, "request-nsid", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->requestnsid = cfg_obj_asboolean(obj);
+
+ obj = NULL;
result = ns_config_get(maps, "max-clients-per-query", &obj);
INSIST(result == ISC_R_SUCCESS);
max_clients_per_query = cfg_obj_asuint32(obj);
@@ -1539,16 +1724,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
view->enablednssec = cfg_obj_asboolean(obj);
obj = NULL;
- result = ns_config_get(maps, "dnssec-accept-expired", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->acceptexpired = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "dnssec-validation", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->enablevalidation = cfg_obj_asboolean(obj);
-
- obj = NULL;
result = ns_config_get(maps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
for (element = cfg_list_first(obj);
@@ -1603,18 +1778,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
CHECK(mustbesecure(obj, view->resolver));
obj = NULL;
- result = ns_config_get(maps, "max-cache-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->maxcachettl = cfg_obj_asuint32(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "max-ncache-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->maxncachettl = cfg_obj_asuint32(obj);
- if (view->maxncachettl > 7 * 24 * 3600)
- view->maxncachettl = 7 * 24 * 3600;
-
- obj = NULL;
result = ns_config_get(maps, "preferred-glue", &obj);
if (result == ISC_R_SUCCESS) {
str = cfg_obj_asstring(obj);
@@ -1690,6 +1853,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
const char *empty_dbtype[4] =
{ "_builtin", "empty", NULL, NULL };
int empty_dbtypec = 4;
+ isc_boolean_t zonestats_on;
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
@@ -1724,6 +1888,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
} else
empty_dbtype[3] = ".";
+ obj = NULL;
+ result = ns_config_get(maps, "zone-statistics", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ zonestats_on = cfg_obj_asboolean(obj);
+
logit = ISC_TRUE;
for (empty = empty_zones[empty_zone].zone;
empty != NULL;
@@ -1748,6 +1917,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
*/
(void)dns_view_findzone(view, name, &zone);
if (zone != NULL) {
+ CHECK(setquerystats(zone, mctx, zonestats_on));
dns_zone_detach(&zone);
continue;
}
@@ -1798,6 +1968,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
if (zone != NULL) {
dns_zone_setview(zone, view);
CHECK(dns_view_addzone(view, zone));
+ CHECK(setquerystats(zone, mctx,
+ zonestats_on));
dns_zone_detach(&zone);
continue;
}
@@ -1809,14 +1981,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
dns_zone_setclass(zone, view->rdclass);
dns_zone_settype(zone, dns_zone_master);
+ dns_zone_setstats(zone, ns_g_server->zonestats);
CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
empty_dbtype));
if (view->queryacl != NULL)
dns_zone_setqueryacl(zone, view->queryacl);
+ if (view->queryonacl != NULL)
+ dns_zone_setqueryonacl(zone, view->queryonacl);
dns_zone_setdialup(zone, dns_dialuptype_no);
dns_zone_setnotifytype(zone, dns_notifytype_no);
dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
ISC_TRUE);
+ CHECK(setquerystats(zone, mctx, zonestats_on));
CHECK(dns_view_addzone(view, zone));
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
@@ -1835,6 +2011,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_dispatch_detach(&dispatch4);
if (dispatch6 != NULL)
dns_dispatch_detach(&dispatch6);
+ if (resstats != NULL)
+ isc_stats_detach(&resstats);
+ if (resquerystats != NULL)
+ dns_stats_detach(&resquerystats);
if (order != NULL)
dns_order_detach(&order);
if (cmctx != NULL)
@@ -1959,6 +2139,8 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
isc_result_t result;
in_port_t port;
+ ISC_LIST_INIT(addresses);
+
/*
* Determine which port to send forwarded requests to.
*/
@@ -1984,8 +2166,6 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
if (forwarders != NULL)
faddresses = cfg_tuple_get(forwarders, "addresses");
- ISC_LIST_INIT(addresses);
-
for (element = cfg_list_first(faddresses);
element != NULL;
element = cfg_list_next(element))
@@ -2283,6 +2463,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+ dns_zone_setstats(zone, ns_g_server->zonestats);
}
/*
@@ -2398,25 +2579,23 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
{
ns_listenelt_t *lelt = NULL;
dns_acl_t *src_acl = NULL;
- dns_aclelement_t aelt;
isc_result_t result;
isc_sockaddr_t any_sa6;
+ isc_netaddr_t netaddr;
REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
isc_sockaddr_any6(&any_sa6);
if (!isc_sockaddr_equal(&any_sa6, addr) &&
(wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
- aelt.type = dns_aclelementtype_ipprefix;
- aelt.negative = ISC_FALSE;
- aelt.u.ip_prefix.prefixlen = 128;
- isc_netaddr_fromin6(&aelt.u.ip_prefix.address,
- &addr->type.sin6.sin6_addr);
+ isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
- result = dns_acl_create(mctx, 1, &src_acl);
+ result = dns_acl_create(mctx, 0, &src_acl);
if (result != ISC_R_SUCCESS)
return (result);
- result = dns_acl_appendelement(src_acl, &aelt);
+
+ result = dns_iptable_addprefix(src_acl->iptable,
+ &netaddr, 128, ISC_TRUE);
if (result != ISC_R_SUCCESS)
goto clean;
@@ -2900,6 +3079,9 @@ load_configuration(const char *filename, ns_server_t *server,
INSIST(result == ISC_R_SUCCESS);
server->aclenv.match_mapped = cfg_obj_asboolean(obj);
+ CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx),
+ "configuring statistics server(s)");
+
/*
* Configure sets of UDP query source ports.
*/
@@ -3059,11 +3241,13 @@ load_configuration(const char *filename, ns_server_t *server,
ns_g_mctx,
&listenon);
} else if (!ns_g_lwresdonly) {
+ isc_boolean_t enable;
/*
* Not specified, use default.
*/
+ enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
- ISC_FALSE, &listenon));
+ enable, &listenon));
}
if (listenon != NULL) {
ns_interfacemgr_setlistenon6(server->interfacemgr,
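Review bot: The comment `/* Not specified, use default. */` no longer describes the code under it, since the default passed to ns_listenlist_default is now conditional on `isc_net_probeipv4()`. Suggest `/* No listen-on-v6 given: presumably enable the IPv6 default listener only when IPv4 is unavailable (see ns_listenlist_default's third argument). */`; the meaning of that argument is not visible in this hunk, so confirm before stating it as fact. Because this changes which addresses named binds by default, it also belongs in the release notes. load_configuration begins and ends outside this hunk.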
@@ -3370,8 +3554,17 @@ load_configuration(const char *filename, ns_server_t *server,
obj = NULL;
if (options != NULL &&
- cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS)
+ cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
+ ns_g_memstatistics = cfg_obj_asboolean(obj);
+ else
+ ns_g_memstatistics =
+ ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
+
+ obj = NULL;
+ if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
ns_main_setmemstats(cfg_obj_asstring(obj));
+ else if (ns_g_memstatistics)
+ ns_main_setmemstats("named.memstats");
else
ns_main_setmemstats(NULL);
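Review bot: When `memstatistics` is on and no `memstatistics-file` is configured, the new default `"named.memstats"` is a relative path, so the file lands in whatever working directory named has at that point (presumably the `directory` option's value); record that in a comment, e.g. `/* default: "named.memstats", relative to the server's working directory */`. `memstatistics` is looked up in `options` only while `memstatistics-file` goes through `maps`; if that asymmetry is deliberate, a one-line comment would keep a later cleanup from "fixing" it. load_configuration begins and ends outside this hunk.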
@@ -3415,8 +3608,12 @@ load_configuration(const char *filename, ns_server_t *server,
result = ns_config_get(maps, "server-id", &obj);
server->server_usehostname = ISC_FALSE;
if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
- server->server_usehostname = ISC_TRUE;
+ /* The parser translates "hostname" to ISC_TRUE */
+ server->server_usehostname = cfg_obj_asboolean(obj);
+ result = setstring(server, &server->server_id, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
} else if (result == ISC_R_SUCCESS) {
+ /* Found a quoted string */
CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
} else {
result = setstring(server, &server->server_id, NULL);
@@ -3555,6 +3752,8 @@ run_server(isc_task_t *task, isc_event_t *event) {
&ns_g_dispatchmgr),
"creating dispatch manager");
+ dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
+
CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
ns_g_socketmgr, ns_g_dispatchmgr,
&server->interfacemgr),
@@ -3622,6 +3821,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
ISC_LOG_INFO, "shutting down%s",
flush ? ": flushing changes" : "");
+ ns_statschannels_shutdown(server);
ns_controls_shutdown(server->controls);
end_reserved_dispatches(server, ISC_TRUE);
@@ -3742,7 +3942,16 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
- server->querystats = NULL;
+ server->nsstats = NULL;
+ server->rcvquerystats = NULL;
+ server->opcodestats = NULL;
+ server->zonestats = NULL;
+ server->resolverstats = NULL;
+ server->sockstats = NULL;
+ CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
+ isc_sockstatscounter_max),
+ "isc_stats_create");
+ isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
@@ -3759,8 +3968,24 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->server_usehostname = ISC_FALSE;
server->server_id = NULL;
- CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats),
- "dns_stats_alloccounters");
+ CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
+ dns_nsstatscounter_max),
+ "dns_stats_create (server)");
+
+ CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
+ &server->rcvquerystats),
+ "dns_stats_create (rcvquery)");
+
+ CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
+ "dns_stats_create (opcode)");
+
+ CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
+ dns_zonestatscounter_max),
+ "dns_stats_create (zone)");
+
+ CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
+ dns_resstatscounter_max),
+ "dns_stats_create (resolver)");
server->flushonshutdown = ISC_FALSE;
server->log_queries = ISC_FALSE;
@@ -3771,6 +3996,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->dispatchgen = 0;
ISC_LIST_INIT(server->dispatches);
+ ISC_LIST_INIT(server->statschannels);
+
server->magic = NS_SERVER_MAGIC;
*serverp = server;
}
@@ -3782,7 +4009,12 @@ ns_server_destroy(ns_server_t **serverp) {
ns_controls_destroy(&server->controls);
- dns_stats_freecounters(server->mctx, &server->querystats);
+ isc_stats_detach(&server->nsstats);
+ dns_stats_detach(&server->rcvquerystats);
+ dns_stats_detach(&server->opcodestats);
+ isc_stats_detach(&server->zonestats);
+ isc_stats_detach(&server->resolverstats);
+ isc_stats_detach(&server->sockstats);
isc_mem_free(server->mctx, server->statsfile);
isc_mem_free(server->mctx, server->dumpfile);
@@ -3936,13 +4168,17 @@ loadconfig(ns_server_t *server) {
result = load_configuration(ns_g_lwresdonly ?
lwresd_g_conffile : ns_g_conffile,
server, ISC_FALSE);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
end_reserved_dispatches(server, ISC_FALSE);
- else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "reloading configuration succeeded");
+ } else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"reloading configuration failed: %s",
isc_result_totext(result));
+ }
return (result);
}
@@ -3952,12 +4188,16 @@ reload(ns_server_t *server) {
CHECK(loadconfig(server));
result = load_zones(server, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "reloading zones succeeded");
+ else
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"reloading zones failed: %s",
isc_result_totext(result));
- }
+
cleanup:
return (result);
}
@@ -3968,12 +4208,16 @@ reconfig(ns_server_t *server) {
CHECK(loadconfig(server));
result = load_new_zones(server, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "any newly configured zones are now loaded");
+ else
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"loading new zones failed: %s",
isc_result_totext(result));
- }
+
cleanup: ;
}
@@ -3987,6 +4231,9 @@ ns_server_reload(isc_task_t *task, isc_event_t *event) {
INSIST(task = server->task);
UNUSED(task);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "received SIGHUP signal to reload zones");
(void)reload(server);
LOCK(&server->reload_event_lock);
@@ -4068,23 +4315,28 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
result = dns_rdataclass_fromtext(&rdclass, &r);
if (result != ISC_R_SUCCESS)
goto fail1;
- } else {
+ } else
rdclass = dns_rdataclass_in;
- }
- if (viewtxt == NULL)
- viewtxt = "_default";
- result = dns_viewlist_find(&server->viewlist, viewtxt,
- rdclass, &view);
- if (result != ISC_R_SUCCESS)
- goto fail1;
+ if (viewtxt == NULL) {
+ result = dns_viewlist_findzone(&server->viewlist,
+ dns_fixedname_name(&name),
+ ISC_TF(classtxt == NULL),
+ rdclass, zonep);
+ } else {
+ result = dns_viewlist_find(&server->viewlist, viewtxt,
+ rdclass, &view);
+ if (result != ISC_R_SUCCESS)
+ goto fail1;
+
+ result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
+ 0, NULL, zonep);
+ dns_view_detach(&view);
+ }
- result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
- 0, NULL, zonep);
/* Partial match? */
if (result != ISC_R_SUCCESS && *zonep != NULL)
dns_zone_detach(zonep);
- dns_view_detach(&view);
fail1:
return (result);
}
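Review bot: When no view is named, the new `dns_viewlist_findzone(...)` call searches every view, so a zone name defined in more than one view is ambiguous, and what that function returns in that case is not visible here; since the result selects the zone that rndc freeze/thaw and friends act on, document the expectation at the call, e.g. `/* No view given: search all views; a name present in several views must not resolve to an arbitrary one — relies on dns_viewlist_findzone rejecting the ambiguous case. */`. The `/* Partial match? */` detach now also covers the findzone path, which presumably follows the same partial-match convention as dns_zt_find; worth confirming. zone_from_args starts outside this hunk.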
@@ -4313,7 +4565,8 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
return (result);
result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
- config, ns_g_lctx, actx, mctx, &delt->acl);
+ config, ns_g_lctx, actx, mctx, 0,
+ &delt->acl);
if (result != ISC_R_SUCCESS) {
ns_listenelt_destroy(delt);
return (result);
@@ -4325,61 +4578,26 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
isc_result_t
ns_server_dumpstats(ns_server_t *server) {
isc_result_t result;
- dns_zone_t *zone, *next;
- isc_stdtime_t now;
FILE *fp = NULL;
- int i;
- int ncounters;
-
- isc_stdtime_get(&now);
CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
"could not open statistics dump file", server->statsfile);
- ncounters = DNS_STATS_NCOUNTERS;
- fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
-
- for (i = 0; i < ncounters; i++)
- fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT "u\n",
- dns_statscounter_names[i],
- server->querystats[i]);
-
- zone = NULL;
- for (result = dns_zone_first(server->zonemgr, &zone);
- result == ISC_R_SUCCESS;
- next = NULL, result = dns_zone_next(zone, &next), zone = next)
- {
- isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
- if (zonestats != NULL) {
- char zonename[DNS_NAME_FORMATSIZE];
- dns_view_t *view;
- char *viewname;
-
- dns_name_format(dns_zone_getorigin(zone),
- zonename, sizeof(zonename));
- view = dns_zone_getview(zone);
- viewname = view->name;
- for (i = 0; i < ncounters; i++) {
- fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT
- "u %s",
- dns_statscounter_names[i],
- zonestats[i],
- zonename);
- if (strcmp(viewname, "_default") != 0)
- fprintf(fp, " %s", viewname);
- fprintf(fp, "\n");
- }
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
+ result = ns_stats_dump(server, fp);
CHECK(result);
- fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
-
cleanup:
if (fp != NULL)
(void)isc_stdio_close(fp);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumpstats complete");
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "dumpstats failed: %s",
+ dns_result_totext(result));
return (result);
}
@@ -4564,7 +4782,7 @@ dumpdone(void *arg, isc_result_t result) {
cleanup:
if (result != ISC_R_SUCCESS)
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"dumpdb failed: %s", dns_result_totext(result));
dumpcontext_destroy(dctx);
}
@@ -4661,6 +4879,15 @@ ns_server_dumprecursing(ns_server_t *server) {
cleanup:
if (fp != NULL)
result = isc_stdio_close(fp);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumprecursing complete");
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "dumprecursing failed: %s",
+ dns_result_totext(result));
return (result);
}
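Review bot: The new success/failure logging keys off `result` immediately after `result = isc_stdio_close(fp);`, so an earlier failure in the function is overwritten by a successful close, logged as `dumprecursing complete` and returned as ISC_R_SUCCESS. Keep the first error instead: `if (fp != NULL) { isc_result_t tresult = isc_stdio_close(fp); if (result == ISC_R_SUCCESS) result = tresult; }`. ns_server_dumprecursing starts outside this hunk, so which earlier failures reach cleanup is not visible here.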
@@ -4690,6 +4917,9 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
ns_g_debuglevel = (unsigned int)newlevel;
}
isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "debug level is now %d", ns_g_debuglevel);
return (ISC_R_SUCCESS);
}
@@ -4774,15 +5004,33 @@ ns_server_flushcache(ns_server_t *server, char *args) {
continue;
found = ISC_TRUE;
result = dns_view_flushcache(view);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
flushed = ISC_FALSE;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing cache in view '%s' failed: %s",
+ view->name, isc_result_totext(result));
+ }
}
if (flushed && found) {
+ if (viewname != NULL)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing cache in view '%s' succeeded",
+ viewname);
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing caches in all views succeeded");
result = ISC_R_SUCCESS;
} else {
- if (!found)
+ if (!found) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing cache in view '%s' failed: "
+ "view not found", viewname);
result = ISC_R_NOTFOUND;
- else
+ } else
result = ISC_R_FAILURE;
}
isc_task_endexclusive(server->task);
@@ -4833,15 +5081,36 @@ ns_server_flushname(ns_server_t *server, char *args) {
continue;
found = ISC_TRUE;
result = dns_view_flushname(view, name);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
flushed = ISC_FALSE;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing name '%s' in cache view '%s' "
+ "failed: %s", target, view->name,
+ isc_result_totext(result));
+ }
}
- if (flushed && found)
+ if (flushed && found) {
+ if (viewname != NULL)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing name '%s' in cache view '%s' "
+ "succeeded", target, viewname);
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing name '%s' in all cache views "
+ "succeeded", target);
result = ISC_R_SUCCESS;
- else if (!found)
- result = ISC_R_NOTFOUND;
- else
+ } else {
+ if (!found)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing name '%s' in cache view '%s' "
+ "failed: view not found", target,
+ viewname);
result = ISC_R_FAILURE;
+ }
isc_task_endexclusive(server->task);
return (result);
}
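Review bot: In the restructured tail of ns_server_flushname the `if (!found)` branch now falls through to `result = ISC_R_FAILURE;`, whereas the removed code returned ISC_R_NOTFOUND for an unknown view and ns_server_flushcache in this same commit still does (`result = ISC_R_NOTFOUND;` in its `!found` block). Restore the distinction so rndc can tell the two cases apart: put `result = ISC_R_NOTFOUND;` inside the `if (!found)` block and leave `result = ISC_R_FAILURE;` for a flush that ran but failed. The log line in that branch prints `viewname` with `%s`; it is only reachable with a NULL viewname when the view list is empty, which presumably cannot happen on a running server, but `viewname != NULL ? viewname : "(all)"` is a cheap guard. ns_server_flushname begins outside this hunk.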
@@ -4850,7 +5119,16 @@ isc_result_t
ns_server_status(ns_server_t *server, isc_buffer_t *text) {
int zonecount, xferrunning, xferdeferred, soaqueries;
unsigned int n;
+ const char *ob = "", *cb = "", *alt = "";
+ if (ns_g_server->version_set) {
+ ob = " (";
+ cb = ")";
+ if (ns_g_server->version == NULL)
+ alt = "version.bind/txt/ch disabled";
+ else
+ alt = ns_g_server->version;
+ }
zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
xferrunning = dns_zonemgr_getcount(server->zonemgr,
DNS_ZONESTATE_XFERRUNNING);
@@ -4858,8 +5136,14 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
DNS_ZONESTATE_XFERDEFERRED);
soaqueries = dns_zonemgr_getcount(server->zonemgr,
DNS_ZONESTATE_SOAQUERY);
+
n = snprintf((char *)isc_buffer_used(text),
isc_buffer_availablelength(text),
+ "version: %s%s%s%s\n"
+#ifdef ISC_PLATFORM_USETHREADS
+ "CPUs found: %u\n"
+ "worker threads: %u\n"
+#endif
"number of zones: %u\n"
"debug level: %d\n"
"xfers running: %u\n"
@@ -4869,6 +5153,10 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
"recursive clients: %d/%d/%d\n"
"tcp clients: %d/%d\n"
"server is up and running",
+ ns_g_version, ob, alt, cb,
+#ifdef ISC_PLATFORM_USETHREADS
+ ns_g_cpus_detected, ns_g_cpus,
+#endif
zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
soaqueries, server->log_queries ? "ON" : "OFF",
server->recursionquota.used, server->recursionquota.soft,
@@ -4880,6 +5168,235 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
return (ISC_R_SUCCESS);
}
+static isc_result_t
+delete_keynames(dns_tsig_keyring_t *ring, char *target,
+ unsigned int *foundkeys)
+{
+ char namestr[DNS_NAME_FORMATSIZE];
+ isc_result_t result;
+ dns_rbtnodechain_t chain;
+ dns_name_t foundname;
+ dns_fixedname_t fixedorigin;
+ dns_name_t *origin;
+ dns_rbtnode_t *node;
+ dns_tsigkey_t *tkey;
+
+ dns_name_init(&foundname, NULL);
+ dns_fixedname_init(&fixedorigin);
+ origin = dns_fixedname_name(&fixedorigin);
+
+ again:
+ dns_rbtnodechain_init(&chain, ring->mctx);
+ result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+ origin);
+ if (result == ISC_R_NOTFOUND) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+
+ for (;;) {
+ node = NULL;
+ dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+ tkey = node->data;
+
+ if (tkey != NULL) {
+ if (!tkey->generated)
+ goto nextkey;
+
+ dns_name_format(&tkey->name, namestr, sizeof(namestr));
+ if (strcmp(namestr, target) == 0) {
+ (*foundkeys)++;
+ dns_rbtnodechain_invalidate(&chain);
+ (void)dns_rbt_deletename(ring->keys,
+ &tkey->name,
+ ISC_FALSE);
+ goto again;
+ }
+ }
+
+ nextkey:
+ result = dns_rbtnodechain_next(&chain, &foundname, origin);
+ if (result == ISC_R_NOMORE)
+ break;
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
+ isc_result_t result;
+ unsigned int n;
+ dns_view_t *view;
+ unsigned int foundkeys = 0;
+ char *target;
+ char *viewname;
+
+ (void)next_token(&command, " \t"); /* skip command name */
+ target = next_token(&command, " \t");
+ if (target == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ viewname = next_token(&command, " \t");
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ if (viewname == NULL || strcmp(view->name, viewname) == 0) {
+ RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
+ result = delete_keynames(view->dynamickeys, target,
+ &foundkeys);
+ RWUNLOCK(&view->dynamickeys->lock,
+ isc_rwlocktype_write);
+ if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ return (result);
+ }
+ }
+ }
+ isc_task_endexclusive(server->task);
+
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "%d tsig keys deleted.\n", foundkeys);
+ if (n >= isc_buffer_availablelength(text)) {
+ isc_task_endexclusive(server->task);
+ return (ISC_R_NOSPACE);
+ }
+ isc_buffer_add(text, n);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
+ unsigned int *foundkeys)
+{
+ char namestr[DNS_NAME_FORMATSIZE];
+ char creatorstr[DNS_NAME_FORMATSIZE];
+ isc_result_t result;
+ dns_rbtnodechain_t chain;
+ dns_name_t foundname;
+ dns_fixedname_t fixedorigin;
+ dns_name_t *origin;
+ dns_rbtnode_t *node;
+ dns_tsigkey_t *tkey;
+ unsigned int n;
+ const char *viewname;
+
+ if (view != NULL)
+ viewname = view->name;
+ else
+ viewname = "(global)";
+
+ dns_name_init(&foundname, NULL);
+ dns_fixedname_init(&fixedorigin);
+ origin = dns_fixedname_name(&fixedorigin);
+ dns_rbtnodechain_init(&chain, ring->mctx);
+ result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+ origin);
+ if (result == ISC_R_NOTFOUND) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+
+ for (;;) {
+ node = NULL;
+ dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+ tkey = node->data;
+
+ if (tkey != NULL) {
+ (*foundkeys)++;
+ dns_name_format(&tkey->name, namestr, sizeof(namestr));
+ if (tkey->generated) {
+ dns_name_format(tkey->creator, creatorstr,
+ sizeof(creatorstr));
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
+ viewname, namestr, creatorstr);
+ } else {
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "view \"%s\"; type \"static\"; key \"%s\";\n",
+ viewname, namestr);
+ }
+ if (n >= isc_buffer_availablelength(text)) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (ISC_R_NOSPACE);
+ }
+ isc_buffer_add(text, n);
+ }
+ result = dns_rbtnodechain_next(&chain, &foundname, origin);
+ if (result == ISC_R_NOMORE)
+ break;
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
+ isc_result_t result;
+ unsigned int n;
+ dns_view_t *view;
+ unsigned int foundkeys = 0;
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+ result = list_keynames(view, view->statickeys, text,
+ &foundkeys);
+ RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+ if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ return (result);
+ }
+ RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+ result = list_keynames(view, view->dynamickeys, text,
+ &foundkeys);
+ RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+ if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ return (result);
+ }
+ }
+ isc_task_endexclusive(server->task);
+
+ if (foundkeys == 0) {
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "no tsig keys found.\n");
+ if (n >= isc_buffer_availablelength(text)) {
+ isc_task_endexclusive(server->task);
+ return (ISC_R_NOSPACE);
+ }
+ isc_buffer_add(text, n);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
/*
* Act on a "freeze" or "thaw" command from the command channel.
*/
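Review bot: ns_server_tsigdelete and ns_server_tsiglist call `isc_task_endexclusive(server->task)` a second time on the ISC_R_NOSPACE path, after the exclusive section was already ended just above the snprintf; delete the `isc_task_endexclusive(server->task);` line inside each `if (n >= isc_buffer_availablelength(text))` block. In delete_keynames the result of `dns_rbt_deletename(...)` is discarded and control jumps to `again`, so if a deletion ever fails and leaves the node in place the loop restarts on the same key indefinitely while holding the keyring write lock and the exclusive task; check the result and return it rather than looping. Matching with `strcmp(namestr, target)` on the formatted name means the rndc argument must match the canonical spelling exactly (DNS names are case-insensitive and the formatted form has no trailing dot); converting `target` with dns_name_fromtext and comparing with dns_name_equal would be more robust. The `"%d tsig keys deleted.\n"` format should be `%u`, since foundkeys is unsigned.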
diff --git a/contrib/bind9/bin/named/sortlist.c b/contrib/bind9/bin/named/sortlist.c
index 28f0360..daefa07 100644
--- a/contrib/bind9/bin/named/sortlist.c
+++ b/contrib/bind9/bin/named/sortlist.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sortlist.c,v 1.9.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: sortlist.c,v 1.17 2007/09/14 01:46:05 marka Exp $ */
/*! \file */
@@ -51,15 +51,19 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
const dns_aclelement_t *matched_elt = NULL;
if (e->type == dns_aclelementtype_nestedacl) {
- dns_acl_t *inner = e->u.nestedacl;
+ dns_acl_t *inner = e->nestedacl;
- if (inner->length < 1 || inner->length > 2)
+ if (inner->length == 0)
+ try_elt = e;
+ else if (inner->length > 2)
goto dont_sort;
- if (inner->elements[0].negative)
+ else if (inner->elements[0].negative)
goto dont_sort;
- try_elt = &inner->elements[0];
- if (inner->length == 2)
- order_elt = &inner->elements[1];
+ else {
+ try_elt = &inner->elements[0];
+ if (inner->length == 2)
+ order_elt = &inner->elements[1];
+ }
} else {
/*
* BIND 8 allows bare elements at the top level
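Review bot: The new `if (inner->length == 0) try_elt = e;` branch is the only place this function handles a nested ACL with no elements, and it gives no reason; from add_listenelt in this same commit (`dns_acl_create(mctx, 0, ...)` followed by `dns_iptable_addprefix(src_acl->iptable, ...)`) it appears address prefixes now live in the ACL's iptable rather than in `elements`, so an element-less nested ACL can still match. Add that above the branch, e.g. `/* A nested ACL with no elements may still hold prefixes in its iptable, so try the element itself; it cannot carry an order element. */`, after confirming against dns_acl. ns_sortlist_setup begins and ends outside this hunk.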
@@ -74,7 +78,7 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
if (order_elt != NULL) {
if (order_elt->type ==
dns_aclelementtype_nestedacl) {
- *argp = order_elt->u.nestedacl;
+ *argp = order_elt->nestedacl;
return (NS_SORTLISTTYPE_2ELEMENT);
} else if (order_elt->type ==
dns_aclelementtype_localhost &&
diff --git a/contrib/bind9/bin/named/statschannel.c b/contrib/bind9/bin/named/statschannel.c
new file mode 100644
index 0000000..81f40bb
--- /dev/null
+++ b/contrib/bind9/bin/named/statschannel.c
@@ -0,0 +1,1355 @@
+/*
+ * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: statschannel.c,v 1.14.64.6 2009/02/17 03:43:07 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/httpd.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/task.h>
+
+#include <dns/db.h>
+#include <dns/opcode.h>
+#include <dns/resolver.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/stats.h>
+#include <dns/view.h>
+#include <dns/zt.h>
+
+#include <named/log.h>
+#include <named/server.h>
+#include <named/statschannel.h>
+
+#include "bind9.xsl.h"
+
+struct ns_statschannel {
+ /* Unlocked */
+ isc_httpdmgr_t *httpdmgr;
+ isc_sockaddr_t address;
+ isc_mem_t *mctx;
+
+ /*
+ * Locked by channel lock: can be referenced and modified by both
+ * the server task and the channel task.
+ */
+ isc_mutex_t lock;
+ dns_acl_t *acl;
+
+ /* Locked by server task */
+ ISC_LINK(struct ns_statschannel) link;
+};
+
+typedef enum { statsformat_file, statsformat_xml } statsformat_t;
+
+typedef struct
+stats_dumparg {
+ statsformat_t type;
+ void *arg; /* type dependent argument */
+ int ncounters; /* used for general statistics */
+ int *counterindices; /* used for general statistics */
+ isc_uint64_t *countervalues; /* used for general statistics */
+} stats_dumparg_t;
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+/*%
+ * Statistics descriptions. These could be statistically initialized at
+ * compile time, but we configure them run time in the init_desc() function
+ * below so that they'll be less susceptible to counter name changes.
+ */
+static const char *nsstats_desc[dns_nsstatscounter_max];
+static const char *resstats_desc[dns_resstatscounter_max];
+static const char *zonestats_desc[dns_zonestatscounter_max];
+static const char *sockstats_desc[isc_sockstatscounter_max];
+#ifdef HAVE_LIBXML2
+static const char *nsstats_xmldesc[dns_nsstatscounter_max];
+static const char *resstats_xmldesc[dns_resstatscounter_max];
+static const char *zonestats_xmldesc[dns_zonestatscounter_max];
+static const char *sockstats_xmldesc[isc_sockstatscounter_max];
+#else
+#define nsstats_xmldesc NULL
+#define resstats_xmldesc NULL
+#define zonestats_xmldesc NULL
+#define sockstats_xmldesc NULL
+#endif /* HAVE_LIBXML2 */
+
+/*%
+ * Mapping arrays to represent statistics counters in the order of our
+ * preference, regardless of the order of counter indices. For example,
+ * nsstats_desc[nsstats_index[0]] will be the description that is shown first.
+ */
+static int nsstats_index[dns_nsstatscounter_max];
+static int resstats_index[dns_resstatscounter_max];
+static int zonestats_index[dns_zonestatscounter_max];
+static int sockstats_index[isc_sockstatscounter_max];
+
+static inline void
+set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs,
+ const char *xdesc, const char **xdescs)
+{
+ REQUIRE(counter < maxcounter);
+ REQUIRE(fdescs[counter] == NULL);
+#ifdef HAVE_LIBXML2
+ REQUIRE(xdescs[counter] == NULL);
+#endif
+
+ fdescs[counter] = fdesc;
+#ifdef HAVE_LIBXML2
+ xdescs[counter] = xdesc;
+#else
+ UNUSED(xdesc);
+ UNUSED(xdescs);
+#endif
+}
+
+static void
+init_desc(void) {
+ int i;
+
+ /* Initialize name server statistics */
+ memset((void *)nsstats_desc, 0,
+ dns_nsstatscounter_max * sizeof(nsstats_desc[0]));
+#ifdef HAVE_LIBXML2
+ memset((void *)nsstats_xmldesc, 0,
+ dns_nsstatscounter_max * sizeof(nsstats_xmldesc[0]));
+#endif
+
+#define SET_NSSTATDESC(counterid, desc, xmldesc) \
+ do { \
+ set_desc(dns_nsstatscounter_ ## counterid, \
+ dns_nsstatscounter_max, \
+ desc, nsstats_desc, xmldesc, nsstats_xmldesc); \
+ nsstats_index[i++] = dns_nsstatscounter_ ## counterid; \
+ } while (0)
+
+ i = 0;
+ SET_NSSTATDESC(requestv4, "IPv4 requests received", "Requestv4");
+ SET_NSSTATDESC(requestv6, "IPv6 requests received", "Requestv6");
+ SET_NSSTATDESC(edns0in, "requests with EDNS(0) received", "ReqEdns0");
+ SET_NSSTATDESC(badednsver,
+ "requests with unsupported EDNS version received",
+ "ReqBadEDNSVer");
+ SET_NSSTATDESC(tsigin, "requests with TSIG received", "ReqTSIG");
+ SET_NSSTATDESC(sig0in, "requests with SIG(0) received", "ReqSIG0");
+ SET_NSSTATDESC(invalidsig, "requests with invalid signature",
+ "ReqBadSIG");
+ SET_NSSTATDESC(tcp, "TCP requests received", "ReqTCP");
+ SET_NSSTATDESC(authrej, "auth queries rejected", "AuthQryRej");
+ SET_NSSTATDESC(recurserej, "recursive queries rejected", "RecQryRej");
+ SET_NSSTATDESC(xfrrej, "transfer requests rejected", "XfrRej");
+ SET_NSSTATDESC(updaterej, "update requests rejected", "UpdateRej");
+ SET_NSSTATDESC(response, "responses sent", "Response");
+ SET_NSSTATDESC(truncatedresp, "truncated responses sent",
+ "TruncatedResp");
+ SET_NSSTATDESC(edns0out, "responses with EDNS(0) sent", "RespEDNS0");
+ SET_NSSTATDESC(tsigout, "responses with TSIG sent", "RespTSIG");
+ SET_NSSTATDESC(sig0out, "responses with SIG(0) sent", "RespSIG0");
+ SET_NSSTATDESC(success, "queries resulted in successful answer",
+ "QrySuccess");
+ SET_NSSTATDESC(authans, "queries resulted in authoritative answer",
+ "QryAuthAns");
+ SET_NSSTATDESC(nonauthans,
+ "queries resulted in non authoritative answer",
+ "QryNoauthAns");
+ SET_NSSTATDESC(referral, "queries resulted in referral answer",
+ "QryReferral");
+ SET_NSSTATDESC(nxrrset, "queries resulted in nxrrset", "QryNxrrset");
+ SET_NSSTATDESC(servfail, "queries resulted in SERVFAIL", "QrySERVFAIL");
+ SET_NSSTATDESC(formerr, "queries resulted in FORMERR", "QryFORMERR");
+ SET_NSSTATDESC(nxdomain, "queries resulted in NXDOMAIN", "QryNXDOMAIN");
+ SET_NSSTATDESC(recursion, "queries caused recursion","QryRecursion");
+ SET_NSSTATDESC(duplicate, "duplicate queries received", "QryDuplicate");
+ SET_NSSTATDESC(dropped, "queries dropped", "QryDropped");
+ SET_NSSTATDESC(failure, "other query failures", "QryFailure");
+ SET_NSSTATDESC(xfrdone, "requested transfers completed", "XfrReqDone");
+ SET_NSSTATDESC(updatereqfwd, "update requests forwarded",
+ "UpdateReqFwd");
+ SET_NSSTATDESC(updaterespfwd, "update responses forwarded",
+ "UpdateRespFwd");
+ SET_NSSTATDESC(updatefwdfail, "update forward failed", "UpdateFwdFail");
+ SET_NSSTATDESC(updatedone, "updates completed", "UpdateDone");
+ SET_NSSTATDESC(updatefail, "updates failed", "UpdateFail");
+ SET_NSSTATDESC(updatebadprereq,
+ "updates rejected due to prerequisite failure",
+ "UpdateBadPrereq");
+ INSIST(i == dns_nsstatscounter_max);
+
+ /* Initialize resolver statistics */
+ memset((void *)resstats_desc, 0,
+ dns_resstatscounter_max * sizeof(resstats_desc[0]));
+#ifdef HAVE_LIBXML2
+ memset((void *)resstats_xmldesc, 0,
+ dns_resstatscounter_max * sizeof(resstats_xmldesc[0]));
+#endif
+
+#define SET_RESSTATDESC(counterid, desc, xmldesc) \
+ do { \
+ set_desc(dns_resstatscounter_ ## counterid, \
+ dns_resstatscounter_max, \
+ desc, resstats_desc, xmldesc, resstats_xmldesc); \
+ resstats_index[i++] = dns_resstatscounter_ ## counterid; \
+ } while (0)
+
+ i = 0;
+ SET_RESSTATDESC(queryv4, "IPv4 queries sent", "Queryv4");
+ SET_RESSTATDESC(queryv6, "IPv6 queries sent", "Queryv6");
+ SET_RESSTATDESC(responsev4, "IPv4 responses received", "Responsev4");
+ SET_RESSTATDESC(responsev6, "IPv6 responses received", "Responsev6");
+ SET_RESSTATDESC(nxdomain, "NXDOMAIN received", "NXDOMAIN");
+ SET_RESSTATDESC(servfail, "SERVFAIL received", "SERVFAIL");
+ SET_RESSTATDESC(formerr, "FORMERR received", "FORMERR");
+ SET_RESSTATDESC(othererror, "other errors received", "OtherError");
+ SET_RESSTATDESC(edns0fail, "EDNS(0) query failures", "EDNS0Fail");
+ SET_RESSTATDESC(mismatch, "mismatch responses received", "Mismatch");
+ SET_RESSTATDESC(truncated, "truncated responses received", "Truncated");
+ SET_RESSTATDESC(lame, "lame delegations received", "Lame");
+ SET_RESSTATDESC(retry, "query retries", "Retry");
+ SET_RESSTATDESC(dispabort, "queries aborted due to quota",
+ "QueryAbort");
+ SET_RESSTATDESC(dispsockfail, "failures in opening query sockets",
+ "QuerySockFail");
+ SET_RESSTATDESC(querytimeout, "query timeouts", "QueryTimeout");
+ SET_RESSTATDESC(gluefetchv4, "IPv4 NS address fetches", "GlueFetchv4");
+ SET_RESSTATDESC(gluefetchv6, "IPv6 NS address fetches", "GlueFetchv6");
+ SET_RESSTATDESC(gluefetchv4fail, "IPv4 NS address fetch failed",
+ "GlueFetchv4Fail");
+ SET_RESSTATDESC(gluefetchv6fail, "IPv6 NS address fetch failed",
+ "GlueFetchv6Fail");
+ SET_RESSTATDESC(val, "DNSSEC validation attempted", "ValAttempt");
+ SET_RESSTATDESC(valsuccess, "DNSSEC validation succeeded", "ValOk");
+ SET_RESSTATDESC(valnegsuccess, "DNSSEC NX validation succeeded",
+ "ValNegOk");
+ SET_RESSTATDESC(valfail, "DNSSEC validation failed", "ValFail");
+ SET_RESSTATDESC(queryrtt0, "queries with RTT < "
+ DNS_RESOLVER_QRYRTTCLASS0STR "ms",
+ "QryRTT" DNS_RESOLVER_QRYRTTCLASS0STR);
+ SET_RESSTATDESC(queryrtt1, "queries with RTT "
+ DNS_RESOLVER_QRYRTTCLASS0STR "-"
+ DNS_RESOLVER_QRYRTTCLASS1STR "ms",
+ "QryRTT" DNS_RESOLVER_QRYRTTCLASS1STR);
+ SET_RESSTATDESC(queryrtt2, "queries with RTT "
+ DNS_RESOLVER_QRYRTTCLASS1STR "-"
+ DNS_RESOLVER_QRYRTTCLASS2STR "ms",
+ "QryRTT" DNS_RESOLVER_QRYRTTCLASS2STR);
+ SET_RESSTATDESC(queryrtt3, "queries with RTT "
+ DNS_RESOLVER_QRYRTTCLASS2STR "-"
+ DNS_RESOLVER_QRYRTTCLASS3STR "ms",
+ "QryRTT" DNS_RESOLVER_QRYRTTCLASS3STR);
+ SET_RESSTATDESC(queryrtt4, "queries with RTT "
+ DNS_RESOLVER_QRYRTTCLASS3STR "-"
+ DNS_RESOLVER_QRYRTTCLASS4STR "ms",
+ "QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR);
+ SET_RESSTATDESC(queryrtt5, "queries with RTT > "
+ DNS_RESOLVER_QRYRTTCLASS4STR "ms",
+ "QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR "+");
+ INSIST(i == dns_resstatscounter_max);
+
+ /* Initialize zone statistics */
+ memset((void *)zonestats_desc, 0,
+ dns_zonestatscounter_max * sizeof(zonestats_desc[0]));
+#ifdef HAVE_LIBXML2
+ memset((void *)zonestats_xmldesc, 0,
+ dns_zonestatscounter_max * sizeof(zonestats_xmldesc[0]));
+#endif
+
+#define SET_ZONESTATDESC(counterid, desc, xmldesc) \
+ do { \
+ set_desc(dns_zonestatscounter_ ## counterid, \
+ dns_zonestatscounter_max, \
+ desc, zonestats_desc, xmldesc, zonestats_xmldesc); \
+ zonestats_index[i++] = dns_zonestatscounter_ ## counterid; \
+ } while (0)
+
+ i = 0;
+ SET_ZONESTATDESC(notifyoutv4, "IPv4 notifies sent", "NotifyOutv4");
+ SET_ZONESTATDESC(notifyoutv6, "IPv6 notifies sent", "NotifyOutv6");
+ SET_ZONESTATDESC(notifyinv4, "IPv4 notifies received", "NotifyInv4");
+ SET_ZONESTATDESC(notifyinv6, "IPv6 notifies received", "NotifyInv6");
+ SET_ZONESTATDESC(notifyrej, "notifies rejected", "NotifyRej");
+ SET_ZONESTATDESC(soaoutv4, "IPv4 SOA queries sent", "SOAOutv4");
+ SET_ZONESTATDESC(soaoutv6, "IPv6 SOA queries sent", "SOAOutv6");
+ SET_ZONESTATDESC(axfrreqv4, "IPv4 AXFR requested", "AXFRReqv4");
+ SET_ZONESTATDESC(axfrreqv6, "IPv6 AXFR requested", "AXFRReqv6");
+ SET_ZONESTATDESC(ixfrreqv4, "IPv4 IXFR requested", "IXFRReqv4");
+ SET_ZONESTATDESC(ixfrreqv6, "IPv6 IXFR requested", "IXFRReqv6");
+ SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded","XfrSuccess");
+ SET_ZONESTATDESC(xfrfail, "transfer requests failed", "XfrFail");
+ INSIST(i == dns_zonestatscounter_max);
+
+ /* Initialize socket statistics */
+ memset((void *)sockstats_desc, 0,
+ isc_sockstatscounter_max * sizeof(sockstats_desc[0]));
+#ifdef HAVE_LIBXML2
+ memset((void *)sockstats_xmldesc, 0,
+ isc_sockstatscounter_max * sizeof(sockstats_xmldesc[0]));
+#endif
+
+#define SET_SOCKSTATDESC(counterid, desc, xmldesc) \
+ do { \
+ set_desc(isc_sockstatscounter_ ## counterid, \
+ isc_sockstatscounter_max, \
+ desc, sockstats_desc, xmldesc, sockstats_xmldesc); \
+ sockstats_index[i++] = isc_sockstatscounter_ ## counterid; \
+ } while (0)
+
+ i = 0;
+ SET_SOCKSTATDESC(udp4open, "UDP/IPv4 sockets opened", "UDP4Open");
+ SET_SOCKSTATDESC(udp6open, "UDP/IPv6 sockets opened", "UDP6Open");
+ SET_SOCKSTATDESC(tcp4open, "TCP/IPv4 sockets opened", "TCP4Open");
+ SET_SOCKSTATDESC(tcp6open, "TCP/IPv6 sockets opened", "TCP6Open");
+ SET_SOCKSTATDESC(unixopen, "Unix domain sockets opened", "UnixOpen");
+ SET_SOCKSTATDESC(udp4openfail, "UDP/IPv4 socket open failures",
+ "UDP4OpenFail");
+ SET_SOCKSTATDESC(udp6openfail, "UDP/IPv6 socket open failures",
+ "UDP6OpenFail");
+ SET_SOCKSTATDESC(tcp4openfail, "TCP/IPv4 socket open failures",
+ "TCP4OpenFail");
+ SET_SOCKSTATDESC(tcp6openfail, "TCP/IPv6 socket open failures",
+ "TCP6OpenFail");
+ SET_SOCKSTATDESC(unixopenfail, "Unix domain socket open failures",
+ "UnixOpenFail");
+ SET_SOCKSTATDESC(udp4close, "UDP/IPv4 sockets closed", "UDP4Close");
+ SET_SOCKSTATDESC(udp6close, "UDP/IPv6 sockets closed", "UDP6Close");
+ SET_SOCKSTATDESC(tcp4close, "TCP/IPv4 sockets closed", "TCP4Close");
+ SET_SOCKSTATDESC(tcp6close, "TCP/IPv6 sockets closed", "TCP6Close");
+ SET_SOCKSTATDESC(unixclose, "Unix domain sockets closed", "UnixClose");
+ SET_SOCKSTATDESC(fdwatchclose, "FDwatch sockets closed",
+ "FDWatchClose");
+ SET_SOCKSTATDESC(udp4bindfail, "UDP/IPv4 socket bind failures",
+ "UDP4BindFail");
+ SET_SOCKSTATDESC(udp6bindfail, "UDP/IPv6 socket bind failures",
+ "UDP6BindFail");
+ SET_SOCKSTATDESC(tcp4bindfail, "TCP/IPv4 socket bind failures",
+ "TCP4BindFail");
+ SET_SOCKSTATDESC(tcp6bindfail, "TCP/IPv6 socket bind failures",
+ "TCP6BindFail");
+ SET_SOCKSTATDESC(unixbindfail, "Unix domain socket bind failures",
+ "UnixBindFail");
+ SET_SOCKSTATDESC(fdwatchbindfail, "FDwatch socket bind failures",
+ "FdwatchBindFail");
+ SET_SOCKSTATDESC(udp4connectfail, "UDP/IPv4 socket connect failures",
+ "UDP4ConnFail");
+ SET_SOCKSTATDESC(udp6connectfail, "UDP/IPv6 socket connect failures",
+ "UDP6ConnFail");
+ SET_SOCKSTATDESC(tcp4connectfail, "TCP/IPv4 socket connect failures",
+ "TCP4ConnFail");
+ SET_SOCKSTATDESC(tcp6connectfail, "TCP/IPv6 socket connect failures",
+ "TCP6ConnFail");
+ SET_SOCKSTATDESC(unixconnectfail, "Unix domain socket connect failures",
+ "UnixConnFail");
+ SET_SOCKSTATDESC(fdwatchconnectfail, "FDwatch socket connect failures",
+ "FDwatchConnFail");
+ SET_SOCKSTATDESC(udp4connect, "UDP/IPv4 connections established",
+ "UDP4Conn");
+ SET_SOCKSTATDESC(udp6connect, "UDP/IPv6 connections established",
+ "UDP6Conn");
+ SET_SOCKSTATDESC(tcp4connect, "TCP/IPv4 connections established",
+ "TCP4Conn");
+ SET_SOCKSTATDESC(tcp6connect, "TCP/IPv6 connections established",
+ "TCP6Conn");
+ SET_SOCKSTATDESC(unixconnect, "Unix domain connections established",
+ "UnixConn");
+ SET_SOCKSTATDESC(fdwatchconnect,
+ "FDwatch domain connections established",
+ "FDwatchConn");
+ SET_SOCKSTATDESC(tcp4acceptfail, "TCP/IPv4 connection accept failures",
+ "TCP4AcceptFail");
+ SET_SOCKSTATDESC(tcp6acceptfail, "TCP/IPv6 connection accept failures",
+ "TCP6AcceptFail");
+ SET_SOCKSTATDESC(unixacceptfail,
+ "Unix domain connection accept failures",
+ "UnixAcceptFail");
+ SET_SOCKSTATDESC(tcp4accept, "TCP/IPv4 connections accepted",
+ "TCP4Accept");
+ SET_SOCKSTATDESC(tcp6accept, "TCP/IPv6 connections accepted",
+ "TCP6Accept");
+ SET_SOCKSTATDESC(unixaccept, "Unix domain connections accepted",
+ "UnixAccept");
+ SET_SOCKSTATDESC(udp4sendfail, "UDP/IPv4 send errors", "UDP4SendErr");
+ SET_SOCKSTATDESC(udp6sendfail, "UDP/IPv6 send errors", "UDP6SendErr");
+ SET_SOCKSTATDESC(tcp4sendfail, "TCP/IPv4 send errors", "TCP4SendErr");
+ SET_SOCKSTATDESC(tcp6sendfail, "TCP/IPv6 send errors", "TCP6SendErr");
+ SET_SOCKSTATDESC(unixsendfail, "Unix domain send errors",
+ "UnixSendErr");
+ SET_SOCKSTATDESC(fdwatchsendfail, "FDwatch send errors",
+ "FDwatchSendErr");
+ SET_SOCKSTATDESC(udp4recvfail, "UDP/IPv4 recv errors", "UDP4RecvErr");
+ SET_SOCKSTATDESC(udp6recvfail, "UDP/IPv6 recv errors", "UDP6RecvErr");
+ SET_SOCKSTATDESC(tcp4recvfail, "TCP/IPv4 recv errors", "TCP4RecvErr");
+ SET_SOCKSTATDESC(tcp6recvfail, "TCP/IPv6 recv errors", "TCP6RecvErr");
+ SET_SOCKSTATDESC(unixrecvfail, "Unix domain recv errors",
+ "UnixRecvErr");
+ SET_SOCKSTATDESC(fdwatchrecvfail, "FDwatch recv errors",
+ "FDwatchRecvErr");
+ INSIST(i == isc_sockstatscounter_max);
+
+ /* Sanity check */
+ for (i = 0; i < dns_nsstatscounter_max; i++)
+ INSIST(nsstats_desc[i] != NULL);
+ for (i = 0; i < dns_resstatscounter_max; i++)
+ INSIST(resstats_desc[i] != NULL);
+ for (i = 0; i < dns_zonestatscounter_max; i++)
+ INSIST(zonestats_desc[i] != NULL);
+ for (i = 0; i < isc_sockstatscounter_max; i++)
+ INSIST(sockstats_desc[i] != NULL);
+#ifdef HAVE_LIBXML2
+ for (i = 0; i < dns_nsstatscounter_max; i++)
+ INSIST(nsstats_xmldesc[i] != NULL);
+ for (i = 0; i < dns_resstatscounter_max; i++)
+ INSIST(resstats_xmldesc[i] != NULL);
+ for (i = 0; i < dns_zonestatscounter_max; i++)
+ INSIST(zonestats_xmldesc[i] != NULL);
+ for (i = 0; i < isc_sockstatscounter_max; i++)
+ INSIST(sockstats_xmldesc[i] != NULL);
+#endif
+}
+
+/*%
+ * Dump callback functions.
+ */
+static void
+generalstat_dump(isc_statscounter_t counter, isc_uint64_t val, void *arg) {
+ stats_dumparg_t *dumparg = arg;
+
+ REQUIRE(counter < dumparg->ncounters);
+ dumparg->countervalues[counter] = val;
+}
+
+static void
+dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
+ const char *category, const char **desc, int ncounters,
+ int *indices, isc_uint64_t *values, int options)
+{
+ int i, index;
+ isc_uint64_t value;
+ stats_dumparg_t dumparg;
+ FILE *fp;
+#ifdef HAVE_LIBXML2
+ xmlTextWriterPtr writer;
+#endif
+
+#ifndef HAVE_LIBXML2
+ UNUSED(category);
+#endif
+
+ dumparg.type = type;
+ dumparg.ncounters = ncounters;
+ dumparg.counterindices = indices;
+ dumparg.countervalues = values;
+
+ memset(values, 0, sizeof(values[0]) * ncounters);
+ isc_stats_dump(stats, generalstat_dump, &dumparg, options);
+
+ for (i = 0; i < ncounters; i++) {
+ index = indices[i];
+ value = values[index];
+
+ if (value == 0 && (options & ISC_STATSDUMP_VERBOSE) == 0)
+ continue;
+
+ switch (dumparg.type) {
+ case statsformat_file:
+ fp = arg;
+ fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n",
+ value, desc[index]);
+ break;
+ case statsformat_xml:
+#ifdef HAVE_LIBXML2
+ writer = arg;
+
+ if (category != NULL) {
+ xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR
+ category);
+ xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR "name");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR
+ desc[index]);
+ xmlTextWriterEndElement(writer); /* name */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR
+ "counter");
+ } else {
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR
+ desc[index]);
+ }
+ xmlTextWriterWriteFormatString(writer,
+ "%" ISC_PRINT_QUADFORMAT
+ "u", value);
+ xmlTextWriterEndElement(writer); /* counter */
+ if (category != NULL)
+ xmlTextWriterEndElement(writer); /* category */
+#endif
+ break;
+ }
+ }
+}
+
+static void
+rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
+ char typebuf[64];
+ const char *typestr;
+ stats_dumparg_t *dumparg = arg;
+ FILE *fp;
+#ifdef HAVE_LIBXML2
+ xmlTextWriterPtr writer;
+#endif
+
+ if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE)
+ == 0) {
+ dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+ sizeof(typebuf));
+ typestr = typebuf;
+ } else
+ typestr = "Others";
+
+ switch (dumparg->type) {
+ case statsformat_file:
+ fp = dumparg->arg;
+ fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, typestr);
+ break;
+ case statsformat_xml:
+#ifdef HAVE_LIBXML2
+ writer = dumparg->arg;
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdtype");
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR typestr);
+ xmlTextWriterEndElement(writer); /* name */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
+ xmlTextWriterWriteFormatString(writer,
+ "%" ISC_PRINT_QUADFORMAT "u",
+ val);
+ xmlTextWriterEndElement(writer); /* counter */
+
+ xmlTextWriterEndElement(writer); /* rdtype */
+#endif
+ break;
+ }
+}
+
+static void
+rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
+ stats_dumparg_t *dumparg = arg;
+ FILE *fp;
+ char typebuf[64];
+ const char *typestr;
+ isc_boolean_t nxrrset = ISC_FALSE;
+#ifdef HAVE_LIBXML2
+ xmlTextWriterPtr writer;
+#endif
+
+ if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXDOMAIN)
+ != 0) {
+ typestr = "NXDOMAIN";
+ } else if ((DNS_RDATASTATSTYPE_ATTR(type) &
+ DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) != 0) {
+ typestr = "Others";
+ } else {
+ dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+ sizeof(typebuf));
+ typestr = typebuf;
+ }
+
+ if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXRRSET)
+ != 0)
+ nxrrset = ISC_TRUE;
+
+ switch (dumparg->type) {
+ case statsformat_file:
+ fp = dumparg->arg;
+ fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s%s\n", val,
+ nxrrset ? "!" : "", typestr);
+ break;
+ case statsformat_xml:
+#ifdef HAVE_LIBXML2
+ writer = dumparg->arg;
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset");
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+ xmlTextWriterWriteFormatString(writer, "%s%s",
+ nxrrset ? "!" : "", typestr);
+ xmlTextWriterEndElement(writer); /* name */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
+ xmlTextWriterWriteFormatString(writer,
+ "%" ISC_PRINT_QUADFORMAT "u",
+ val);
+ xmlTextWriterEndElement(writer); /* counter */
+
+ xmlTextWriterEndElement(writer); /* rrset */
+#endif
+ break;
+ }
+}
+
+static void
+opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
+ FILE *fp = arg;
+ isc_buffer_t b;
+ char codebuf[64];
+ stats_dumparg_t *dumparg = arg;
+#ifdef HAVE_LIBXML2
+ xmlTextWriterPtr writer;
+#endif
+
+ isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
+ dns_opcode_totext(code, &b);
+ codebuf[isc_buffer_usedlength(&b)] = '\0';
+
+ switch (dumparg->type) {
+ case statsformat_file:
+ fp = dumparg->arg;
+ fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, codebuf);
+ break;
+ case statsformat_xml:
+#ifdef HAVE_LIBXML2
+ writer = dumparg->arg;
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "opcode");
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR codebuf);
+ xmlTextWriterEndElement(writer); /* name */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
+ xmlTextWriterWriteFormatString(writer,
+ "%" ISC_PRINT_QUADFORMAT "u",
+ val);
+ xmlTextWriterEndElement(writer); /* counter */
+
+ xmlTextWriterEndElement(writer); /* opcode */
+#endif
+ break;
+ }
+}
+
+#ifdef HAVE_LIBXML2
+
+/* XXXMLG below here sucks. */
+
+#define TRY(a) do { result = (a); INSIST(result == ISC_R_SUCCESS); } while(0);
+#define TRY0(a) do { xmlrc = (a); INSIST(xmlrc >= 0); } while(0);
+
+static isc_result_t
+zone_xmlrender(dns_zone_t *zone, void *arg) {
+ char buf[1024 + 32]; /* sufficiently large for zone name and class */
+ dns_rdataclass_t rdclass;
+ isc_uint32_t serial;
+ xmlTextWriterPtr writer = arg;
+ isc_stats_t *zonestats;
+ isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone");
+
+ dns_zone_name(zone, buf, sizeof(buf));
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR buf);
+ xmlTextWriterEndElement(writer);
+
+ rdclass = dns_zone_getclass(zone);
+ dns_rdataclass_format(rdclass, buf, sizeof(buf));
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdataclass");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR buf);
+ xmlTextWriterEndElement(writer);
+
+ serial = dns_zone_getserial(zone);
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial");
+ xmlTextWriterWriteFormatString(writer, "%u", serial);
+ xmlTextWriterEndElement(writer);
+
+ zonestats = dns_zone_getrequeststats(zone);
+ if (zonestats != NULL) {
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters");
+ dump_counters(zonestats, statsformat_xml, writer, NULL,
+ nsstats_xmldesc, dns_nsstatscounter_max,
+ nsstats_index, nsstat_values,
+ ISC_STATSDUMP_VERBOSE);
+ xmlTextWriterEndElement(writer); /* counters */
+ }
+
+ xmlTextWriterEndElement(writer); /* zone */
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
+ char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+ char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+ isc_time_t now;
+ xmlTextWriterPtr writer;
+ xmlDocPtr doc;
+ int xmlrc;
+ dns_view_t *view;
+ stats_dumparg_t dumparg;
+ dns_stats_t *cachestats;
+ isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+ isc_uint64_t resstat_values[dns_resstatscounter_max];
+ isc_uint64_t zonestat_values[dns_zonestatscounter_max];
+ isc_uint64_t sockstat_values[isc_sockstatscounter_max];
+
+ isc_time_now(&now);
+ isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
+ isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
+
+ writer = xmlNewTextWriterDoc(&doc, 0);
+ TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
+ TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
+ ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "isc"));
+ TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+ ISC_XMLCHAR "1.0"));
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "bind"));
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+ TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+ ISC_XMLCHAR "2.0"));
+
+ /* Set common fields for statistics dump */
+ dumparg.type = statsformat_xml;
+ dumparg.arg = writer;
+
+ /*
+ * Start by rendering the views we know of here. For each view we
+ * know of, call its rendering function.
+ */
+ view = ISC_LIST_HEAD(server->viewlist);
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
+ while (view != NULL) {
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "view");
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name);
+ xmlTextWriterEndElement(writer);
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones");
+ dns_zt_apply(view->zonetable, ISC_FALSE, zone_xmlrender,
+ writer);
+ xmlTextWriterEndElement(writer);
+
+ if (view->resquerystats != NULL) {
+ dns_rdatatypestats_dump(view->resquerystats,
+ rdtypestat_dump, &dumparg, 0);
+ }
+
+ if (view->resstats != NULL) {
+ dump_counters(view->resstats, statsformat_xml, writer,
+ "resstat", resstats_xmldesc,
+ dns_resstatscounter_max, resstats_index,
+ resstat_values, ISC_STATSDUMP_VERBOSE);
+ }
+
+ cachestats = dns_db_getrrsetstats(view->cachedb);
+ if (cachestats != NULL) {
+ xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR "cache");
+ dns_rdatasetstats_dump(cachestats, rdatasetstats_dump,
+ &dumparg, 0);
+ xmlTextWriterEndElement(writer); /* cache */
+ }
+
+ xmlTextWriterEndElement(writer); /* view */
+
+ view = ISC_LIST_NEXT(view, link);
+ }
+ TRY0(xmlTextWriterEndElement(writer)); /* views */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
+ isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+ TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
+ isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+ TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime);
+ xmlTextWriterEndElement(writer);
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr);
+ xmlTextWriterEndElement(writer);
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "requests"));
+ dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
+ 0);
+ xmlTextWriterEndElement(writer); /* requests */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "queries-in"));
+ dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
+ &dumparg, 0);
+ xmlTextWriterEndElement(writer); /* queries-in */
+
+ dump_counters(server->nsstats, statsformat_xml, writer,
+ "nsstat", nsstats_xmldesc, dns_nsstatscounter_max,
+ nsstats_index, nsstat_values, ISC_STATSDUMP_VERBOSE);
+
+ dump_counters(server->zonestats, statsformat_xml, writer, "zonestat",
+ zonestats_xmldesc, dns_zonestatscounter_max,
+ zonestats_index, zonestat_values, ISC_STATSDUMP_VERBOSE);
+
+ /*
+ * Most of the common resolver statistics entries are 0, so we don't
+ * use the verbose dump here.
+ */
+ dump_counters(server->resolverstats, statsformat_xml, writer, "resstat",
+ resstats_xmldesc, dns_resstatscounter_max, resstats_index,
+ resstat_values, 0);
+
+ dump_counters(server->sockstats, statsformat_xml, writer, "sockstat",
+ sockstats_xmldesc, isc_sockstatscounter_max,
+ sockstats_index, sockstat_values, ISC_STATSDUMP_VERBOSE);
+
+ xmlTextWriterEndElement(writer); /* server */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
+ isc_mem_renderxml(writer);
+ TRY0(xmlTextWriterEndElement(writer)); /* memory */
+
+ TRY0(xmlTextWriterEndElement(writer)); /* statistics */
+ TRY0(xmlTextWriterEndElement(writer)); /* bind */
+ TRY0(xmlTextWriterEndElement(writer)); /* isc */
+
+ TRY0(xmlTextWriterEndDocument(writer));
+
+ xmlFreeTextWriter(writer);
+
+ xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 1);
+ xmlFreeDoc(doc);
+}
+
+static void
+wrap_xmlfree(isc_buffer_t *buffer, void *arg) {
+ UNUSED(arg);
+
+ xmlFree(isc_buffer_base(buffer));
+}
+
+static isc_result_t
+render_index(const char *url, const char *querystring, void *arg,
+ unsigned int *retcode, const char **retmsg, const char **mimetype,
+ isc_buffer_t *b, isc_httpdfree_t **freecb,
+ void **freecb_args)
+{
+ unsigned char *msg;
+ int msglen;
+ ns_server_t *server = arg;
+
+ UNUSED(url);
+ UNUSED(querystring);
+
+ generatexml(server, &msglen, &msg);
+
+ *retcode = 200;
+ *retmsg = "OK";
+ *mimetype = "text/xml";
+ isc_buffer_reinit(b, msg, msglen);
+ isc_buffer_add(b, msglen);
+ *freecb = wrap_xmlfree;
+ *freecb_args = NULL;
+
+ return (ISC_R_SUCCESS);
+}
+
+#endif /* HAVE_LIBXML2 */
+
+static isc_result_t
+render_xsl(const char *url, const char *querystring, void *args,
+ unsigned int *retcode, const char **retmsg, const char **mimetype,
+ isc_buffer_t *b, isc_httpdfree_t **freecb,
+ void **freecb_args)
+{
+ UNUSED(url);
+ UNUSED(querystring);
+ UNUSED(args);
+
+ *retcode = 200;
+ *retmsg = "OK";
+ *mimetype = "text/xslt+xml";
+ isc_buffer_reinit(b, xslmsg, strlen(xslmsg));
+ isc_buffer_add(b, strlen(xslmsg));
+ *freecb = NULL;
+ *freecb_args = NULL;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+shutdown_listener(ns_statschannel_t *listener) {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_format(&listener->address, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,NS_LOGMODULE_SERVER,
+ ISC_LOG_NOTICE, "stopping statistics channel on %s",
+ socktext);
+
+ isc_httpdmgr_shutdown(&listener->httpdmgr);
+}
+
+static isc_boolean_t
+client_ok(const isc_sockaddr_t *fromaddr, void *arg) {
+ ns_statschannel_t *listener = arg;
+ isc_netaddr_t netaddr;
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ int match;
+
+ REQUIRE(listener != NULL);
+
+ isc_netaddr_fromsockaddr(&netaddr, fromaddr);
+
+ LOCK(&listener->lock);
+ if (dns_acl_match(&netaddr, NULL, listener->acl, &ns_g_server->aclenv,
+ &match, NULL) == ISC_R_SUCCESS && match > 0) {
+ UNLOCK(&listener->lock);
+ return (ISC_TRUE);
+ }
+ UNLOCK(&listener->lock);
+
+ isc_sockaddr_format(fromaddr, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "rejected statistics connection from %s", socktext);
+
+ return (ISC_FALSE);
+}
+
+static void
+destroy_listener(void *arg) {
+ ns_statschannel_t *listener = arg;
+
+ REQUIRE(listener != NULL);
+ REQUIRE(!ISC_LINK_LINKED(listener, link));
+
+ /* We don't have to acquire the lock here since it's already unlinked */
+ dns_acl_detach(&listener->acl);
+
+ DESTROYLOCK(&listener->lock);
+ isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
+}
+
+static isc_result_t
+add_listener(ns_server_t *server, ns_statschannel_t **listenerp,
+ const cfg_obj_t *listen_params, const cfg_obj_t *config,
+ isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+ const char *socktext)
+{
+ isc_result_t result;
+ ns_statschannel_t *listener;
+ isc_task_t *task = NULL;
+ isc_socket_t *sock = NULL;
+ const cfg_obj_t *allow;
+ dns_acl_t *new_acl = NULL;
+
+ listener = isc_mem_get(server->mctx, sizeof(*listener));
+ if (listener == NULL)
+ return (ISC_R_NOMEMORY);
+
+ listener->httpdmgr = NULL;
+ listener->address = *addr;
+ listener->acl = NULL;
+ listener->mctx = NULL;
+ ISC_LINK_INIT(listener, link);
+
+ result = isc_mutex_init(&listener->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(server->mctx, listener, sizeof(*listener));
+ return (ISC_R_FAILURE);
+ }
+
+ isc_mem_attach(server->mctx, &listener->mctx);
+
+ allow = cfg_tuple_get(listen_params, "allow");
+ if (allow != NULL && cfg_obj_islist(allow)) {
+ result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+ aclconfctx, listener->mctx, 0,
+ &new_acl);
+ } else
+ result = dns_acl_any(listener->mctx, &new_acl);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_acl_attach(new_acl, &listener->acl);
+ dns_acl_detach(&new_acl);
+
+ result = isc_task_create(ns_g_taskmgr, 0, &task);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isc_task_setname(task, "statchannel", NULL);
+
+ result = isc_socket_create(ns_g_socketmgr, isc_sockaddr_pf(addr),
+ isc_sockettype_tcp, &sock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isc_socket_setname(sock, "statchannel", NULL);
+
+#ifndef ISC_ALLOW_MAPPED
+ isc_socket_ipv6only(sock, ISC_TRUE);
+#endif
+
+ result = isc_socket_bind(sock, addr, ISC_SOCKET_REUSEADDRESS);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = isc_httpdmgr_create(server->mctx, sock, task, client_ok,
+ destroy_listener, listener, ns_g_timermgr,
+ &listener->httpdmgr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+#ifdef HAVE_LIBXML2
+ isc_httpdmgr_addurl(listener->httpdmgr, "/", render_index, server);
+#endif
+ isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.xsl", render_xsl,
+ server);
+
+ *listenerp = listener;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+ "statistics channel listening on %s", socktext);
+
+cleanup:
+ if (result != ISC_R_SUCCESS) {
+ if (listener->acl != NULL)
+ dns_acl_detach(&listener->acl);
+ DESTROYLOCK(&listener->lock);
+ isc_mem_putanddetach(&listener->mctx, listener,
+ sizeof(*listener));
+ }
+ if (task != NULL)
+ isc_task_detach(&task);
+ if (sock != NULL)
+ isc_socket_detach(&sock);
+
+ return (result);
+}
+
+static void
+update_listener(ns_server_t *server, ns_statschannel_t **listenerp,
+ const cfg_obj_t *listen_params, const cfg_obj_t *config,
+ isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+ const char *socktext)
+{
+ ns_statschannel_t *listener;
+ const cfg_obj_t *allow = NULL;
+ dns_acl_t *new_acl = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ for (listener = ISC_LIST_HEAD(server->statschannels);
+ listener != NULL;
+ listener = ISC_LIST_NEXT(listener, link))
+ if (isc_sockaddr_equal(addr, &listener->address))
+ break;
+
+ if (listener == NULL) {
+ *listenerp = NULL;
+ return;
+ }
+
+ /*
+ * Now, keep the old access list unless a new one can be made.
+ */
+ allow = cfg_tuple_get(listen_params, "allow");
+ if (allow != NULL && cfg_obj_islist(allow)) {
+ result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+ aclconfctx, listener->mctx, 0,
+ &new_acl);
+ } else
+ result = dns_acl_any(listener->mctx, &new_acl);
+
+ if (result == ISC_R_SUCCESS) {
+ LOCK(&listener->lock);
+
+ dns_acl_detach(&listener->acl);
+ dns_acl_attach(new_acl, &listener->acl);
+ dns_acl_detach(&new_acl);
+
+ UNLOCK(&listener->lock);
+ } else {
+ cfg_obj_log(listen_params, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't install new acl for "
+ "statistics channel %s: %s",
+ socktext, isc_result_totext(result));
+ }
+
+ *listenerp = listener;
+}
+
+isc_result_t
+ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
+ cfg_aclconfctx_t *aclconfctx)
+{
+ ns_statschannel_t *listener, *listener_next;
+ ns_statschannellist_t new_listeners;
+ const cfg_obj_t *statschannellist = NULL;
+ const cfg_listelt_t *element, *element2;
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+ RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
+
+ ISC_LIST_INIT(new_listeners);
+
+ /*
+ * Get the list of named.conf 'statistics-channels' statements.
+ */
+ (void)cfg_map_get(config, "statistics-channels", &statschannellist);
+
+ /*
+ * Run through the new address/port list, noting sockets that are
+ * already being listened on and moving them to the new list.
+ *
+ * Identifying duplicate addr/port combinations is left to either
+ * the underlying config code, or to the bind attempt getting an
+ * address-in-use error.
+ */
+ if (statschannellist != NULL) {
+#ifndef HAVE_LIBXML2
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "statistics-channels specified but not effective "
+ "due to missing XML library");
+#endif
+
+ for (element = cfg_list_first(statschannellist);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ const cfg_obj_t *statschannel;
+ const cfg_obj_t *listenercfg = NULL;
+
+ statschannel = cfg_listelt_value(element);
+ (void)cfg_map_get(statschannel, "inet",
+ &listenercfg);
+ if (listenercfg == NULL)
+ continue;
+
+ for (element2 = cfg_list_first(listenercfg);
+ element2 != NULL;
+ element2 = cfg_list_next(element2)) {
+ const cfg_obj_t *listen_params;
+ const cfg_obj_t *obj;
+ isc_sockaddr_t addr;
+
+ listen_params = cfg_listelt_value(element2);
+
+ obj = cfg_tuple_get(listen_params, "address");
+ addr = *cfg_obj_assockaddr(obj);
+ if (isc_sockaddr_getport(&addr) == 0)
+ isc_sockaddr_setport(&addr, NS_STATSCHANNEL_HTTPPORT);
+
+ isc_sockaddr_format(&addr, socktext,
+ sizeof(socktext));
+
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER,
+ ISC_LOG_DEBUG(9),
+ "processing statistics "
+ "channel %s",
+ socktext);
+
+ update_listener(server, &listener,
+ listen_params, config, &addr,
+ aclconfctx, socktext);
+
+ if (listener != NULL) {
+ /*
+ * Remove the listener from the old
+ * list, so it won't be shut down.
+ */
+ ISC_LIST_UNLINK(server->statschannels,
+ listener, link);
+ } else {
+ /*
+ * This is a new listener.
+ */
+ isc_result_t r;
+
+ r = add_listener(server, &listener,
+ listen_params, config,
+ &addr, aclconfctx,
+ socktext);
+ if (r != ISC_R_SUCCESS) {
+ cfg_obj_log(listen_params,
+ ns_g_lctx,
+ ISC_LOG_WARNING,
+ "couldn't allocate "
+ "statistics channel"
+ " %s: %s",
+ socktext,
+ isc_result_totext(r));
+ }
+ }
+
+ if (listener != NULL)
+ ISC_LIST_APPEND(new_listeners, listener,
+ link);
+ }
+ }
+ }
+
+ for (listener = ISC_LIST_HEAD(server->statschannels);
+ listener != NULL;
+ listener = listener_next) {
+ listener_next = ISC_LIST_NEXT(listener, link);
+ ISC_LIST_UNLINK(server->statschannels, listener, link);
+ shutdown_listener(listener);
+ }
+
+ ISC_LIST_APPENDLIST(server->statschannels, new_listeners, link);
+ return (ISC_R_SUCCESS);
+}
+
+void
+ns_statschannels_shutdown(ns_server_t *server) {
+ ns_statschannel_t *listener;
+
+ while ((listener = ISC_LIST_HEAD(server->statschannels)) != NULL) {
+ ISC_LIST_UNLINK(server->statschannels, listener, link);
+ shutdown_listener(listener);
+ }
+}
+
+isc_result_t
+ns_stats_dump(ns_server_t *server, FILE *fp) {
+ isc_stdtime_t now;
+ isc_result_t result;
+ dns_view_t *view;
+ dns_zone_t *zone, *next;
+ stats_dumparg_t dumparg;
+ isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+ isc_uint64_t resstat_values[dns_resstatscounter_max];
+ isc_uint64_t zonestat_values[dns_zonestatscounter_max];
+ isc_uint64_t sockstat_values[isc_sockstatscounter_max];
+
+ RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
+
+ /* Set common fields */
+ dumparg.type = statsformat_file;
+ dumparg.arg = fp;
+
+ isc_stdtime_get(&now);
+ fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
+
+ fprintf(fp, "++ Incoming Requests ++\n");
+ dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg, 0);
+
+ fprintf(fp, "++ Incoming Queries ++\n");
+ dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
+ &dumparg, 0);
+
+ fprintf(fp, "++ Outgoing Queries ++\n");
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ if (view->resquerystats == NULL)
+ continue;
+ if (strcmp(view->name, "_default") == 0)
+ fprintf(fp, "[View: default]\n");
+ else
+ fprintf(fp, "[View: %s]\n", view->name);
+ dns_rdatatypestats_dump(view->resquerystats, rdtypestat_dump,
+ &dumparg, 0);
+ }
+
+ fprintf(fp, "++ Name Server Statistics ++\n");
+ dump_counters(server->nsstats, statsformat_file, fp, NULL,
+ nsstats_desc, dns_nsstatscounter_max, nsstats_index,
+ nsstat_values, 0);
+
+ fprintf(fp, "++ Zone Maintenance Statistics ++\n");
+ dump_counters(server->zonestats, statsformat_file, fp, NULL,
+ zonestats_desc, dns_zonestatscounter_max,
+ zonestats_index, zonestat_values, 0);
+
+ fprintf(fp, "++ Resolver Statistics ++\n");
+ fprintf(fp, "[Common]\n");
+ dump_counters(server->resolverstats, statsformat_file, fp, NULL,
+ resstats_desc, dns_resstatscounter_max, resstats_index,
+ resstat_values, 0);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ if (view->resstats == NULL)
+ continue;
+ if (strcmp(view->name, "_default") == 0)
+ fprintf(fp, "[View: default]\n");
+ else
+ fprintf(fp, "[View: %s]\n", view->name);
+ dump_counters(view->resstats, statsformat_file, fp, NULL,
+ resstats_desc, dns_resstatscounter_max,
+ resstats_index, resstat_values, 0);
+ }
+
+ fprintf(fp, "++ Cache DB RRsets ++\n");
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ dns_stats_t *cachestats;
+
+ cachestats = dns_db_getrrsetstats(view->cachedb);
+ if (cachestats == NULL)
+ continue;
+ if (strcmp(view->name, "_default") == 0)
+ fprintf(fp, "[View: default]\n");
+ else
+ fprintf(fp, "[View: %s]\n", view->name);
+ dns_rdatasetstats_dump(cachestats, rdatasetstats_dump, &dumparg,
+ 0);
+ }
+
+ fprintf(fp, "++ Socket I/O Statistics ++\n");
+ dump_counters(server->sockstats, statsformat_file, fp, NULL,
+ sockstats_desc, isc_sockstatscounter_max, sockstats_index,
+ sockstat_values, 0);
+
+ fprintf(fp, "++ Per Zone Query Statistics ++\n");
+ zone = NULL;
+ for (result = dns_zone_first(server->zonemgr, &zone);
+ result == ISC_R_SUCCESS;
+ next = NULL, result = dns_zone_next(zone, &next), zone = next)
+ {
+ isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+ if (zonestats != NULL) {
+ char zonename[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(dns_zone_getorigin(zone),
+ zonename, sizeof(zonename));
+ view = dns_zone_getview(zone);
+
+ fprintf(fp, "[%s", zonename);
+ if (strcmp(view->name, "_default") != 0)
+ fprintf(fp, " (view: %s)", view->name);
+ fprintf(fp, "]\n");
+
+ dump_counters(zonestats, statsformat_file, fp, NULL,
+ nsstats_desc, dns_nsstatscounter_max,
+ nsstats_index, nsstat_values, 0);
+ }
+ }
+
+ fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
+
+ return (ISC_R_SUCCESS); /* this function currently always succeeds */
+}
diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c
index 3c843ac..82cf573 100644
--- a/contrib/bind9/bin/named/tkeyconf.c
+++ b/contrib/bind9/bin/named/tkeyconf.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkeyconf.c,v 1.20.18.6 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.29 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
@@ -42,6 +42,13 @@
goto failure; \
} while (0)
+#include<named/log.h>
+#define LOG(msg) \
+ isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_GENERAL, \
+ NS_LOGMODULE_SERVER, \
+ ISC_LOG_ERROR, \
+ "%s", msg)
isc_result_t
ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
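Review bot: `#include<named/log.h>` and the `LOG()` macro are added in the middle of tkeyconf.c, after the CHECK-style macro instead of with the file's include block, and nothing in the visible hunks of this file uses `LOG`; if its call site was dropped before release, the macro and the include should go too, otherwise the include belongs at the top with the others. A name as generic as `LOG` is also easy to collide with in a file that pulls in several named/ headers; something like `TKEY_LOG` would be safer. The hunk ends inside the ns_tkeyctx_fromconfig() prototype, so I cannot see whether the macro is used further down.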
@@ -100,6 +107,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
if (result == ISC_R_SUCCESS) {
s = cfg_obj_asstring(obj);
+
isc_buffer_init(&b, s, strlen(s));
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c
index 7fa7fe5..b3c6e02 100644
--- a/contrib/bind9/bin/named/tsigconf.c
+++ b/contrib/bind9/bin/named/tsigconf.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.c,v 1.22.18.6 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: tsigconf.c,v 1.30 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in
index a18351a..5092834 100644
--- a/contrib/bind9/bin/named/unix/Makefile.in
+++ b/contrib/bind9/bin/named/unix/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1999-2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.8 2004/03/05 04:58:01 marka Exp $
+# $Id: Makefile.in,v 1.10 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h
index 6c603dc..d03bf75 100644
--- a/contrib/bind9/bin/named/unix/include/named/os.h
+++ b/contrib/bind9/bin/named/unix/include/named/os.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.22.18.5 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: os.h,v 1.29 2008/10/24 01:44:48 tbox Exp $ */
#ifndef NS_OS_H
#define NS_OS_H 1
diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c
index ad26a8e..5e6b98f 100644
--- a/contrib/bind9/bin/named/unix/os.c
+++ b/contrib/bind9/bin/named/unix/os.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.66.18.17 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: os.c,v 1.89.12.5 2009/03/02 03:03:54 marka Exp $ */
/*! \file */
@@ -70,7 +70,7 @@ static int devnullfd = -1;
/*
* Linux defines:
* (T) HAVE_LINUXTHREADS
- * (C) HAVE_LINUX_CAPABILITY_H
+ * (C) HAVE_SYS_CAPABILITY_H (or HAVE_LINUX_CAPABILITY_H)
* (P) HAVE_SYS_PRCTL_H
* The possible cases are:
* none: setuid() normally
@@ -117,16 +117,9 @@ static int dfd[2] = { -1, -1 };
static isc_boolean_t non_root = ISC_FALSE;
static isc_boolean_t non_root_caps = ISC_FALSE;
-#if defined(HAVE_CAPSET)
-#undef _POSIX_SOURCE
#ifdef HAVE_SYS_CAPABILITY_H
#include <sys/capability.h>
#else
-#include <linux/capability.h>
-int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
-#endif
-#include <sys/prctl.h>
-#else
/*%
* We define _LINUX_FS_H to prevent it from being included. We don't need
* anything from it, and the files it includes cause warnings with 2.2
@@ -134,9 +127,15 @@ int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
* and <string.h>) on 2.3 kernels.
*/
#define _LINUX_FS_H
-
-#include <sys/syscall.h> /* Required for syscall(). */
-#include <linux/capability.h> /* Required for _LINUX_CAPABILITY_VERSION. */
+#include <linux/capability.h>
+#include <syscall.h>
+#ifndef SYS_capset
+#ifndef __NR_capset
+#include <asm/unistd.h> /* Slackware 4.0 needs this. */
+#endif /* __NR_capset */
+#define SYS_capset __NR_capset
+#endif /* SYS_capset */
+#endif /* HAVE_SYS_CAPABILITY_H */
#ifdef HAVE_SYS_PRCTL_H
#include <sys/prctl.h> /* Required for prctl(). */
@@ -153,23 +152,24 @@ int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
#endif /* HAVE_SYS_PRCTL_H */
-#ifndef SYS_capset
-#ifndef __NR_capset
-#include <asm/unistd.h> /* Slackware 4.0 needs this. */
-#endif
-#define SYS_capset __NR_capset
-#endif
-#endif
+#ifdef HAVE_LIBCAP
+#define SETCAPS_FUNC "cap_set_proc "
+#else
+typedef unsigned int cap_t;
+#define SETCAPS_FUNC "syscall(capset) "
+#endif /* HAVE_LIBCAP */
static void
-linux_setcaps(unsigned int caps) {
+linux_setcaps(cap_t caps) {
+#ifndef HAVE_LIBCAP
struct __user_cap_header_struct caphead;
struct __user_cap_data_struct cap;
+#endif
char strbuf[ISC_STRERRORSIZE];
if ((getuid() != 0 && !non_root_caps) || non_root)
return;
-
+#ifndef HAVE_LIBCAP
memset(&caphead, 0, sizeof(caphead));
caphead.version = _LINUX_CAPABILITY_VERSION;
caphead.pid = 0;
@@ -177,46 +177,89 @@ linux_setcaps(unsigned int caps) {
cap.effective = caps;
cap.permitted = caps;
cap.inheritable = 0;
-#ifdef HAVE_CAPSET
- if (capset(&caphead, &cap) < 0 ) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("capset failed: %s:"
- " please ensure that the capset kernel"
- " module is loaded. see insmod(8)",
- strbuf);
- }
+#endif
+#ifdef HAVE_LIBCAP
+ if (cap_set_proc(caps) < 0) {
#else
if (syscall(SYS_capset, &caphead, &cap) < 0) {
+#endif
isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("syscall(capset) failed: %s:"
+ ns_main_earlyfatal(SETCAPS_FUNC "failed: %s:"
" please ensure that the capset kernel"
" module is loaded. see insmod(8)",
strbuf);
}
-#endif
}
+#ifdef HAVE_LIBCAP
+#define SET_CAP(flag) \
+ do { \
+ capval = (flag); \
+ cap_flag_value_t curval; \
+ err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \
+ if (err != -1 && curval) { \
+ err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
+ if (err == -1) { \
+ isc__strerror(errno, strbuf, sizeof(strbuf)); \
+ ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
+ } \
+ \
+ err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \
+ if (err == -1) { \
+ isc__strerror(errno, strbuf, sizeof(strbuf)); \
+ ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
+ } \
+ } \
+ } while (0)
+#define INIT_CAP \
+ do { \
+ caps = cap_init(); \
+ if (caps == NULL) { \
+ isc__strerror(errno, strbuf, sizeof(strbuf)); \
+ ns_main_earlyfatal("cap_init failed: %s", strbuf); \
+ } \
+ curcaps = cap_get_proc(); \
+ if (curcaps == NULL) { \
+ isc__strerror(errno, strbuf, sizeof(strbuf)); \
+ ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \
+ } \
+ } while (0)
+#define FREE_CAP \
+ { \
+ cap_free(caps); \
+ cap_free(curcaps); \
+ } while (0)
+#else
+#define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0)
+#define INIT_CAP do { caps = 0; } while (0)
+#endif /* HAVE_LIBCAP */
+
static void
linux_initialprivs(void) {
- unsigned int caps;
+ cap_t caps;
+#ifdef HAVE_LIBCAP
+ cap_t curcaps;
+ cap_value_t capval;
+ char strbuf[ISC_STRERRORSIZE];
+ int err;
+#endif
/*%
* We don't need most privileges, so we drop them right away.
* Later on linux_minprivs() will be called, which will drop our
* capabilities to the minimum needed to run the server.
*/
-
- caps = 0;
+ INIT_CAP;
/*
* We need to be able to bind() to privileged ports, notably port 53!
*/
- caps |= (1 << CAP_NET_BIND_SERVICE);
+ SET_CAP(CAP_NET_BIND_SERVICE);
/*
* We need chroot() initially too.
*/
- caps |= (1 << CAP_SYS_CHROOT);
+ SET_CAP(CAP_SYS_CHROOT);
#if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS)
/*
@@ -225,19 +268,19 @@ linux_initialprivs(void) {
* tried) or we're not using threads. If either of these is
* true, we want the setuid capability.
*/
- caps |= (1 << CAP_SETUID);
+ SET_CAP(CAP_SETUID);
#endif
/*
* Since we call initgroups, we need this.
*/
- caps |= (1 << CAP_SETGID);
+ SET_CAP(CAP_SETGID);
/*
* Without this, we run into problems reading a configuration file
* owned by a non-root user and non-world-readable on startup.
*/
- caps |= (1 << CAP_DAC_READ_SEARCH);
+ SET_CAP(CAP_DAC_READ_SEARCH);
/*
* XXX We might want to add CAP_SYS_RESOURCE, though it's not
@@ -246,15 +289,26 @@ linux_initialprivs(void) {
* of files, the stack size, data size, and core dump size to
* support named.conf options, this is now being added to test.
*/
- caps |= (1 << CAP_SYS_RESOURCE);
+ SET_CAP(CAP_SYS_RESOURCE);
linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+ FREE_CAP;
+#endif
}
static void
linux_minprivs(void) {
- unsigned int caps;
+ cap_t caps;
+#ifdef HAVE_LIBCAP
+ cap_t curcaps;
+ cap_value_t capval;
+ char strbuf[ISC_STRERRORSIZE];
+ int err;
+#endif
+ INIT_CAP;
/*%
* Drop all privileges except the ability to bind() to privileged
* ports.
@@ -263,8 +317,7 @@ linux_minprivs(void) {
* chroot() could be used to escape from the chrooted area.
*/
- caps = 0;
- caps |= (1 << CAP_NET_BIND_SERVICE);
+ SET_CAP(CAP_NET_BIND_SERVICE);
/*
* XXX We might want to add CAP_SYS_RESOURCE, though it's not
@@ -273,9 +326,13 @@ linux_minprivs(void) {
* of files, the stack size, data size, and core dump size to
* support named.conf options, this is now being added to test.
*/
- caps |= (1 << CAP_SYS_RESOURCE);
+ SET_CAP(CAP_SYS_RESOURCE);
linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+ FREE_CAP;
+#endif
}
#ifdef HAVE_SYS_PRCTL_H
@@ -405,10 +462,12 @@ ns_os_started(void) {
char buf = 0;
/*
- * Signal to the parent that we stated successfully.
+ * Signal to the parent that we started successfully.
*/
if (dfd[0] != -1 && dfd[1] != -1) {
- write(dfd[1], &buf, 1);
+ if (write(dfd[1], &buf, 1) != 1)
+ ns_main_earlyfatal("unable to signal parent that we "
+ "otherwise started successfully.");
close(dfd[1]);
dfd[0] = dfd[1] = -1;
}
@@ -448,10 +507,14 @@ ns_os_chroot(const char *root) {
ns_smf_chroot = 0;
#endif
if (root != NULL) {
+#ifdef HAVE_CHROOT
if (chroot(root) < 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
ns_main_earlyfatal("chroot(): %s", strbuf);
}
+#else
+ ns_main_earlyfatal("chroot(): disabled");
+#endif
if (chdir("/") < 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
ns_main_earlyfatal("chdir(/): %s", strbuf);
@@ -584,7 +647,8 @@ safe_open(const char *filename, isc_boolean_t append) {
fd = open(filename, O_WRONLY|O_CREAT|O_APPEND,
S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
else {
- (void)unlink(filename);
+ if (unlink(filename) < 0 && errno != ENOENT)
+ return (-1);
fd = open(filename, O_WRONLY|O_CREAT|O_EXCL,
S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
}
@@ -593,13 +657,54 @@ safe_open(const char *filename, isc_boolean_t append) {
static void
cleanup_pidfile(void) {
+ int n;
if (pidfile != NULL) {
- (void)unlink(pidfile);
+ n = unlink(pidfile);
+ if (n == -1 && errno != ENOENT)
+ ns_main_earlywarning("unlink '%s': failed", pidfile);
free(pidfile);
}
pidfile = NULL;
}
+static int
+mkdirpath(char *filename, void (*report)(const char *, ...)) {
+ char *slash = strrchr(filename, '/');
+ char strbuf[ISC_STRERRORSIZE];
+ unsigned int mode;
+
+ if (slash != NULL && slash != filename) {
+ struct stat sb;
+ *slash = '\0';
+
+ if (stat(filename, &sb) == -1) {
+ if (errno != ENOENT) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ (*report)("couldn't stat '%s': %s", filename,
+ strbuf);
+ goto error;
+ }
+ if (mkdirpath(filename, report) == -1)
+ goto error;
+ mode = S_IRUSR | S_IWUSR | S_IXUSR; /* u=rwx */
+ mode |= S_IRGRP | S_IXGRP; /* g=rx */
+ mode |= S_IROTH | S_IXOTH; /* o=rx */
+ if (mkdir(filename, mode) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ (*report)("couldn't mkdir '%s': %s", filename,
+ strbuf);
+ goto error;
+ }
+ }
+ *slash = '/';
+ }
+ return (0);
+
+ error:
+ *slash = '/';
+ return (-1);
+}
+
void
ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
int fd;
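Review bot: mkdirpath() treats every mkdir() failure as fatal, including EEXIST from another process winning the stat()/mkdir() race, and it never confirms that an already-existing path component is a directory, so a regular file or symlink-to-file in the way is only diagnosed later by safe_open() with a less specific error. I would tolerate the race and check the type: `if (mkdir(filename, mode) == -1 && errno != EEXIST) {` for the create path, and on the stat() success path `if (!S_ISDIR(sb.st_mode)) { (*report)("'%s' is not a directory", filename); goto error; }`. Because stat() follows symlinks, directories are created inside whatever a symlinked parent points at, with the uid named has at that moment; the ordering of this call relative to the -u user switch is outside this hunk, so I have not verified whether the new directory ends up owned by root or by the named user, which decides whether cleanup_pidfile()'s unlink can later succeed. Separately, the new warning in cleanup_pidfile() drops the errno text; `isc__strerror()` as used elsewhere in this file would make `unlink '%s': failed` actionable.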
@@ -627,9 +732,19 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
(*report)("couldn't malloc '%s': %s", filename, strbuf);
return;
}
+
/* This is safe. */
strcpy(pidfile, filename);
+ /*
+ * Make the containing directory if it doesn't exist.
+ */
+ if (mkdirpath(pidfile, report) == -1) {
+ free(pidfile);
+ pidfile = NULL;
+ return;
+ }
+
fd = safe_open(filename, ISC_FALSE);
if (fd < 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c
index fb6dec2..ff07311 100644
--- a/contrib/bind9/bin/named/update.c
+++ b/contrib/bind9/bin/named/update.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,11 +15,14 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.109.18.27 2008/02/07 03:16:08 marka Exp $ */
+/* $Id: update.c,v 1.151.12.5 2009/04/30 07:03:37 marka Exp $ */
#include <config.h>
+#include <isc/netaddr.h>
#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
#include <isc/string.h>
#include <isc/taskpool.h>
#include <isc/util.h>
@@ -34,6 +37,7 @@
#include <dns/keyvalues.h>
#include <dns/message.h>
#include <dns/nsec.h>
+#include <dns/nsec3.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
@@ -47,6 +51,7 @@
#include <named/client.h>
#include <named/log.h>
+#include <named/server.h>
#include <named/update.h>
/*! \file
@@ -55,9 +60,9 @@
*/
/*
- XXX TODO:
- - document strict minimality
-*/
+ * XXX TODO:
+ * - document strict minimality
+ */
/**************************************************************************/
@@ -69,7 +74,7 @@
/*%
* Log level for low-level debug tracing.
*/
-#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
+#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
/*%
* Check an operation for failure. These macros all assume that
@@ -77,8 +82,8 @@
* label.
*/
#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
/*%
@@ -112,11 +117,16 @@
case DNS_R_NXRRSET: \
_what = "unsuccessful"; \
} \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s (%s)", _what, \
- msg, isc_result_totext(result)); \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ "update %s: %s (%s)", _what, \
+ msg, isc_result_totext(result)); \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
+#define PREREQFAILC(code, msg) \
+ do { \
+ inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
+ FAILC(code, msg); \
+ } while (0)
#define FAILN(code, name, msg) \
do { \
@@ -132,12 +142,17 @@
if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
char _nbuf[DNS_NAME_FORMATSIZE]; \
dns_name_format(name, _nbuf, sizeof(_nbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
"update %s: %s: %s (%s)", _what, _nbuf, \
msg, isc_result_totext(result)); \
} \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
+#define PREREQFAILN(code, name, msg) \
+ do { \
+ inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
+ FAILN(code, name, msg); \
+ } while (0)
#define FAILNT(code, name, type, msg) \
do { \
@@ -155,13 +170,19 @@
char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
dns_name_format(name, _nbuf, sizeof(_nbuf)); \
dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
"update %s: %s/%s: %s (%s)", \
_what, _nbuf, _tbuf, msg, \
isc_result_totext(result)); \
} \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
+#define PREREQFAILNT(code, name, type, msg) \
+ do { \
+ inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
+ FAILNT(code, name, type, msg); \
+ } while (0)
+
/*%
* Fail unconditionally and log as a server error.
* The test against ISC_R_SUCCESS is there to keep the Solaris compiler
@@ -171,26 +192,31 @@
do { \
result = (code); \
update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "error: %s: %s", \
- msg, isc_result_totext(result)); \
+ "error: %s: %s", \
+ msg, isc_result_totext(result)); \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
+/*
+ * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
+ */
+#define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0)
+
/**************************************************************************/
typedef struct rr rr_t;
struct rr {
/* dns_name_t name; */
- isc_uint32_t ttl;
- dns_rdata_t rdata;
+ isc_uint32_t ttl;
+ dns_rdata_t rdata;
};
typedef struct update_event update_event_t;
struct update_event {
ISC_EVENT_COMMON(update_event_t);
- dns_zone_t *zone;
+ dns_zone_t *zone;
isc_result_t result;
dns_message_t *answer;
};
@@ -240,9 +266,38 @@ update_log(ns_client_t *client, dns_zone_t *zone,
namebuf, classbuf, message);
}
+/*%
+ * Increment updated-related statistics counters.
+ */
+static inline void
+inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
+ isc_stats_increment(ns_g_server->nsstats, counter);
+
+ if (zone != NULL) {
+ isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+ if (zonestats != NULL)
+ isc_stats_increment(zonestats, counter);
+ }
+}
+
+/*%
+ * Override the default acl logging when checking whether a client
+ * can update the zone or whether we can forward the request to the
+ * master based on IP address.
+ *
+ * 'message' contains the type of operation that is being attempted.
+ * 'slave' indicates if this is a slave zone. If 'acl' is NULL then
+ * log at debug=3.
+ * If the zone has no access controls configured ('acl' == NULL &&
+ * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
+ * at error.
+ *
+ * If the request was signed log that we received it.
+ */
static isc_result_t
checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
- dns_name_t *zonename, isc_boolean_t slave)
+ dns_name_t *zonename, isc_boolean_t slave,
+ isc_boolean_t has_ssutable)
{
char namebuf[DNS_NAME_FORMATSIZE];
char classbuf[DNS_RDATACLASS_FORMATSIZE];
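Review bot: The new header comment on checkupdateacl has two typos and one statement that is hard to reconcile with the code: `'has_ssutable == ISC_FALS)` should read `'has_ssutable' == ISC_FALSE)`, and `Increment updated-related statistics counters` above inc_stats should be `update-related`. The comment first says a NULL 'acl' logs at debug=3 and then says a NULL 'acl' without an ssutable logs at info; the condition that selects the debug=3 path is outside this hunk, so the two sentences should name the distinguishing condition (presumably the 'slave' flag) rather than both keying on 'acl' == NULL. checkupdateacl's body continues in the following hunks.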
@@ -254,12 +309,21 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
result = DNS_R_NOTIMP;
level = ISC_LOG_DEBUG(3);
msg = "disabled";
- } else
- result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
+ } else {
+ result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
+ if (result == ISC_R_SUCCESS) {
+ level = ISC_LOG_DEBUG(3);
+ msg = "approved";
+ } else if (acl == NULL && !has_ssutable) {
+ level = ISC_LOG_INFO;
+ }
+ }
- if (result == ISC_R_SUCCESS) {
- level = ISC_LOG_DEBUG(3);
- msg = "approved";
+ if (client->signer != NULL) {
+ dns_name_format(client->signer, namebuf, sizeof(namebuf));
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+ "signer \"%s\" %s", namebuf, msg);
}
dns_name_format(zonename, namebuf, sizeof(namebuf));
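Review bot: The `else` branch passes a possibly-NULL `acl` to ns_client_checkaclsilent, and the surrounding comment implies that a NULL ACL is expected to come back denied so that the `acl == NULL && !has_ssutable` case logs at info; nothing in the hunk states that expectation, and a reader could take a NULL ACL for "no restriction". A short comment before the call would pin it down: `/* acl == NULL means no allow-update clause; ns_client_checkaclsilent() is expected to deny in that case. */` (verify against ns_client_checkaclsilent's handling of a NULL acl). Note also that the new signer log line reports `msg` at INFO for both approved and denied requests, with `msg` for the denied case set before this hunk. The function's start and its return are outside this hunk.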
@@ -267,8 +331,8 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
sizeof(classbuf));
ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
- NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
- message, namebuf, classbuf, msg);
+ NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
+ message, namebuf, classbuf, msg);
return (result);
}
@@ -277,12 +341,11 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
* update in 'diff'.
*
* Ensures:
- * \li '*tuple' == NULL. Either the tuple is freed, or its
- * ownership has been transferred to the diff.
+ * \li '*tuple' == NULL. Either the tuple is freed, or its
+ * ownership has been transferred to the diff.
*/
static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple,
- dns_db_t *db, dns_dbversion_t *ver,
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
dns_diff_t *diff)
{
dns_diff_t temp_diff;
@@ -292,6 +355,7 @@ do_one_tuple(dns_difftuple_t **tuple,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
+ temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
@@ -320,7 +384,7 @@ do_one_tuple(dns_difftuple_t **tuple,
* update in 'diff'.
*
* Ensures:
- * \li 'updates' is empty.
+ * \li 'updates' is empty.
*/
static isc_result_t
do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
@@ -341,8 +405,8 @@ do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
static isc_result_t
update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
- dns_diffop_t op, dns_name_t *name,
- dns_ttl_t ttl, dns_rdata_t *rdata)
+ dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata)
{
dns_difftuple_t *tuple = NULL;
isc_result_t result;
@@ -423,11 +487,8 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
-foreach_rrset(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- rrset_func *action,
- void *action_data)
+foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ rrset_func *action, void *action_data)
{
isc_result_t result;
dns_dbnode_t *node;
@@ -482,11 +543,8 @@ foreach_rrset(dns_db_t *db,
* and return the error.
*/
static isc_result_t
-foreach_node_rr(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- rr_func *rr_action,
- void *rr_action_data)
+foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ rr_func *rr_action, void *rr_action_data)
{
foreach_node_rr_ctx_t ctx;
ctx.rr_action = rr_action;
@@ -506,12 +564,8 @@ foreach_node_rr(dns_db_t *db,
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
-foreach_rr(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- rr_func *rr_action,
+foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
void *rr_action_data)
{
@@ -524,7 +578,11 @@ foreach_rr(dns_db_t *db,
rr_action, rr_action_data));
node = NULL;
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (type == dns_rdatatype_nsec3 ||
+ (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
+ result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
+ else
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
@@ -597,9 +655,9 @@ rrset_exists_action(void *data, rr_t *rr) {
* This would be more readable as "do { if ... } while(0)",
* but that form generates tons of warnings on Solaris 2.6.
*/
-#define RETURN_EXISTENCE_FLAG \
- return ((result == ISC_R_EXISTS) ? \
- (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
+#define RETURN_EXISTENCE_FLAG \
+ return ((result == ISC_R_EXISTS) ? \
+ (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
((result == ISC_R_SUCCESS) ? \
(*exists = ISC_FALSE, ISC_R_SUCCESS) : \
result))
@@ -609,8 +667,8 @@ rrset_exists_action(void *data, rr_t *rr) {
* to false otherwise.
*/
static isc_result_t
-rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
- dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
isc_boolean_t *exists)
{
isc_result_t result;
@@ -620,6 +678,45 @@ rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
}
/*%
+ * Set '*visible' to true if the RRset exists and is part of the
+ * visible zone. Otherwise '*visible' is set to false unless a
+ * error occurs.
+ */
+static isc_result_t
+rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_rdatatype_t type, isc_boolean_t *visible)
+{
+ isc_result_t result;
+ dns_fixedname_t fixed;
+
+ dns_fixedname_init(&fixed);
+ result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
+ (isc_stdtime_t) 0, NULL,
+ dns_fixedname_name(&fixed), NULL, NULL);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ *visible = ISC_TRUE;
+ break;
+ /*
+ * Glue, obscured, deleted or replaced records.
+ */
+ case DNS_R_DELEGATION:
+ case DNS_R_DNAME:
+ case DNS_R_CNAME:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NXRRSET:
+ case DNS_R_EMPTYNAME:
+ case DNS_R_COVERINGNSEC:
+ *visible = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ break;
+ default:
+ break;
+ }
+ return (result);
+}
+
+/*%
* Helper function for cname_incompatible_rrset_exists.
*/
static isc_result_t
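Review bot: rrset_visible's `default:` branch returns the raw dns_db_find result without touching `*visible`, so on an error the caller must not read the flag; the header comment says "unless a error occurs" but does not say what the flag holds in that case. I would write the header as `Otherwise '*visible' is set to false, unless an error occurs, in which case '*visible' is left unchanged and the error is returned.` and mark the branch with `/* Any other result is a real error; leave '*visible' untouched. */`. The grammar fix ("an error") belongs in the same comment.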
@@ -695,8 +792,22 @@ name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
RETURN_EXISTENCE_FLAG;
}
+/*
+ * 'ssu_check_t' is used to pass the arguments to
+ * dns_ssutable_checkrules() to the callback function
+ * ssu_checkrule().
+ */
typedef struct {
- dns_name_t *name, *signer;
+ /* The ownername of the record to be updated. */
+ dns_name_t *name;
+
+ /* The signature's name if the request was signed. */
+ dns_name_t *signer;
+
+ /* The address of the client if the request was received via TCP. */
+ isc_netaddr_t *tcpaddr;
+
+ /* The ssu table to check against. */
dns_ssutable_t *table;
} ssu_check_t;
@@ -713,13 +824,15 @@ ssu_checkrule(void *data, dns_rdataset_t *rrset) {
rrset->type == dns_rdatatype_nsec)
return (ISC_R_SUCCESS);
result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
- ssuinfo->name, rrset->type);
+ ssuinfo->name, ssuinfo->tcpaddr,
+ rrset->type);
return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
}
static isc_boolean_t
ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_ssutable_t *ssutable, dns_name_t *signer)
+ dns_ssutable_t *ssutable, dns_name_t *signer,
+ isc_netaddr_t *tcpaddr)
{
isc_result_t result;
ssu_check_t ssuinfo;
@@ -727,6 +840,7 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
ssuinfo.name = name;
ssuinfo.table = ssutable;
ssuinfo.signer = signer;
+ ssuinfo.tcpaddr = tcpaddr;
result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
return (ISC_TF(result == ISC_R_SUCCESS));
}
@@ -738,8 +852,8 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
* In the RFC2136 section 3.2.5, this is the pseudocode involving
* a variable called "temp", a mapping of <name, type> tuples to rrsets.
*
- * Here, we represent the "temp" data structure as (non-minimial) "dns_diff_t"
- * where each typle has op==DNS_DIFFOP_EXISTS.
+ * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
+ * where each tuple has op==DNS_DIFFOP_EXISTS.
*/
@@ -754,7 +868,7 @@ temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
REQUIRE(DNS_DIFF_VALID(diff));
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
- name, 0, rdata, &tuple));
+ name, 0, rdata, &tuple));
ISC_LIST_APPEND(diff->tuples, tuple, link);
failure:
return (result);
@@ -974,13 +1088,14 @@ typedef struct {
/*%
* Return true iff 'db_rr' is neither a SOA nor an NS RR nor
- * an RRSIG nor a NSEC.
+ * an RRSIG nor an NSEC3PARAM nor a NSEC.
*/
static isc_boolean_t
type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
UNUSED(update_rr);
return ((db_rr->type != dns_rdatatype_soa &&
db_rr->type != dns_rdatatype_ns &&
+ db_rr->type != dns_rdatatype_nsec3param &&
db_rr->type != dns_rdatatype_rrsig &&
db_rr->type != dns_rdatatype_nsec) ?
ISC_TRUE : ISC_FALSE);
@@ -1008,6 +1123,16 @@ true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
}
/*%
+ * Return true if the record is a RRSIG.
+ */
+static isc_boolean_t
+rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+ UNUSED(update_rr);
+ return ((db_rr->type == dns_rdatatype_rrsig) ?
+ ISC_TRUE : ISC_FALSE);
+}
+
+/*%
* Return true iff the two RRs have identical rdata.
*/
static isc_boolean_t
@@ -1027,9 +1152,17 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
*
* RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
* make little sense, so we replace those, too.
+ *
+ * Additionally replace RRSIG that have been generated by the same key
+ * for the same type. This simplifies refreshing a offline KSK by not
+ * requiring that the old RRSIG be deleted. It also simplifies key
+ * rollover by only requiring that the new RRSIG be added.
*/
static isc_boolean_t
replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+ dns_rdata_rrsig_t updatesig, dbsig;
+ isc_result_t result;
+
if (db_rr->type != update_rr->type)
return (ISC_FALSE);
if (db_rr->type == dns_rdatatype_cname)
@@ -1040,18 +1173,46 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
return (ISC_TRUE);
if (db_rr->type == dns_rdatatype_nsec)
return (ISC_TRUE);
+ if (db_rr->type == dns_rdatatype_rrsig) {
+ /*
+ * Replace existing RRSIG with the same keyid,
+ * covered and algorithm.
+ */
+ result = dns_rdata_tostruct(db_rr, &dbsig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ result = dns_rdata_tostruct(update_rr, &updatesig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ if (dbsig.keyid == updatesig.keyid &&
+ dbsig.covered == updatesig.covered &&
+ dbsig.algorithm == updatesig.algorithm)
+ return (ISC_TRUE);
+ }
if (db_rr->type == dns_rdatatype_wks) {
/*
* Compare the address and protocol fields only. These
* form the first five bytes of the RR data. Do a
* raw binary comparison; unpacking the WKS RRs using
- * dns_rdata_tostruct() might be cleaner in some ways,
- * but it would require us to pass around an mctx.
+ * dns_rdata_tostruct() might be cleaner in some ways.
*/
INSIST(db_rr->length >= 5 && update_rr->length >= 5);
return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
ISC_TRUE : ISC_FALSE);
}
+
+ if (db_rr->type == dns_rdatatype_nsec3param) {
+ if (db_rr->length != update_rr->length)
+ return (ISC_FALSE);
+ INSIST(db_rr->length >= 4 && update_rr->length >= 4);
+ /*
+ * Replace records added in this UPDATE request.
+ */
+ if (db_rr->data[0] == update_rr->data[0] &&
+ db_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
+ update_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
+ memcmp(db_rr->data+2, update_rr->data+2,
+ update_rr->length - 2) == 0)
+ return (ISC_TRUE);
+ }
return (ISC_FALSE);
}
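Review bot: The NSEC3PARAM comparison mixes `&` and `&&` without parentheses on the two flag tests, which is correct under C precedence but reads as ambiguous and trips -Wparentheses on some compilers; I would write `(db_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&` and `(update_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&`. The preceding length-equality check is what makes the `memcmp` over `update_rr->length - 2` bytes safe; a one-line comment saying so (`/* lengths are equal, so the memcmp bound covers both records */`) would keep a later edit from reordering the two. The RRSIG branch's RUNTIME_CHECK on dns_rdata_tostruct for `update_rr` aborts the process if an rdata that already passed wire-format parsing fails to unpack, which looks like an invariant rather than a client-triggerable path, but worth confirming. replaces_p starts before this hunk.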
@@ -1080,14 +1241,9 @@ delete_if_action(void *data, rr_t *rr) {
* deletions in 'diff'.
*/
static isc_result_t
-delete_if(rr_predicate *predicate,
- dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- dns_rdata_t *update_rr,
- dns_diff_t *diff)
+delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
+ dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+ dns_rdata_t *update_rr, dns_diff_t *diff)
{
conditional_delete_ctx_t ctx;
ctx.predicate = predicate;
@@ -1144,10 +1300,8 @@ add_rr_prepare_action(void *data, rr_t *rr) {
* be deleted before the update RR is added.
*/
if (replaces_p(ctx->update_rr, &rr->rdata)) {
- CHECK(dns_difftuple_create(ctx->del_diff.mctx,
- DNS_DIFFOP_DEL, ctx->name,
- rr->ttl,
- &rr->rdata,
+ CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+ ctx->name, rr->ttl, &rr->rdata,
&tuple));
dns_diff_append(&ctx->del_diff, &tuple);
return (ISC_R_SUCCESS);
@@ -1158,18 +1312,15 @@ add_rr_prepare_action(void *data, rr_t *rr) {
* its TTL must be adjusted.
*/
if (rr->ttl != ctx->update_rr_ttl) {
- CHECK(dns_difftuple_create(ctx->del_diff.mctx,
- DNS_DIFFOP_DEL, ctx->name,
- rr->ttl,
- &rr->rdata,
+ CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+ ctx->name, rr->ttl, &rr->rdata,
&tuple));
dns_diff_append(&ctx->del_diff, &tuple);
if (!equal) {
CHECK(dns_difftuple_create(ctx->add_diff.mctx,
DNS_DIFFOP_ADD, ctx->name,
ctx->update_rr_ttl,
- &rr->rdata,
- &tuple));
+ &rr->rdata, &tuple));
dns_diff_append(&ctx->add_diff, &tuple);
}
}
@@ -1191,10 +1342,9 @@ add_rr_prepare_action(void *data, rr_t *rr) {
*/
static void
get_current_rr(dns_message_t *msg, dns_section_t section,
- dns_rdataclass_t zoneclass,
- dns_name_t **name, dns_rdata_t *rdata, dns_rdatatype_t *covers,
- dns_ttl_t *ttl,
- dns_rdataclass_t *update_class)
+ dns_rdataclass_t zoneclass, dns_name_t **name,
+ dns_rdata_t *rdata, dns_rdatatype_t *covers,
+ dns_ttl_t *ttl, dns_rdataclass_t *update_class)
{
dns_rdataset_t *rdataset;
isc_result_t result;
@@ -1279,8 +1429,7 @@ increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
*/
static isc_result_t
check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
- dns_rdata_t *update_rdata,
- isc_boolean_t *ok)
+ dns_rdata_t *update_rdata, isc_boolean_t *ok)
{
isc_uint32_t db_serial;
isc_uint32_t update_serial;
@@ -1337,7 +1486,7 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
dns_fixedname_init(&fixedname);
child = dns_fixedname_name(&fixedname);
- CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
+ CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
for (result = dns_dbiterator_seek(dbit, name);
result == ISC_R_SUCCESS;
@@ -1367,8 +1516,10 @@ static isc_result_t
is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
UNUSED(data);
if (!(rrset->type == dns_rdatatype_nsec ||
+ rrset->type == dns_rdatatype_nsec3 ||
(rrset->type == dns_rdatatype_rrsig &&
- rrset->covers == dns_rdatatype_nsec)))
+ (rrset->covers == dns_rdatatype_nsec ||
+ rrset->covers == dns_rdatatype_nsec3))))
return (ISC_R_EXISTS);
return (ISC_R_SUCCESS);
}
@@ -1386,8 +1537,7 @@ non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *name, isc_boolean_t *exists)
{
isc_result_t result;
- result = foreach_rrset(db, ver, name,
- is_non_nsec_action, NULL);
+ result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
RETURN_EXISTENCE_FLAG;
}
@@ -1425,10 +1575,9 @@ uniqify_name_list(dns_diff_t *list) {
return (result);
}
-
static isc_result_t
-is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- isc_boolean_t *flag)
+is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure)
{
isc_result_t result;
dns_fixedname_t foundname;
@@ -1438,20 +1587,44 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
(isc_stdtime_t) 0, NULL,
dns_fixedname_name(&foundname),
NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- *flag = ISC_FALSE;
+ if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
+ *flag = ISC_TRUE;
+ *cut = ISC_FALSE;
+ if (unsecure != NULL)
+ *unsecure = ISC_FALSE;
return (ISC_R_SUCCESS);
} else if (result == DNS_R_ZONECUT) {
- /*
- * We are at the zonecut. The name will have an NSEC, but
- * non-delegation will be omitted from the type bit map.
- */
- *flag = ISC_FALSE;
- return (ISC_R_SUCCESS);
- } else if (result == DNS_R_GLUE || result == DNS_R_DNAME) {
*flag = ISC_TRUE;
+ *cut = ISC_TRUE;
+ if (unsecure != NULL) {
+ /*
+ * We are at the zonecut. Check to see if there
+ * is a DS RRset.
+ */
+ if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
+ (isc_stdtime_t) 0, NULL,
+ dns_fixedname_name(&foundname),
+ NULL, NULL) == DNS_R_NXRRSET)
+ *unsecure = ISC_TRUE;
+ else
+ *unsecure = ISC_FALSE;
+ }
+ return (ISC_R_SUCCESS);
+ } else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+ result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
+ *flag = ISC_FALSE;
+ *cut = ISC_FALSE;
+ if (unsecure != NULL)
+ *unsecure = ISC_FALSE;
return (ISC_R_SUCCESS);
} else {
+ /*
+ * Silence compiler.
+ */
+ *flag = ISC_FALSE;
+ *cut = ISC_FALSE;
+ if (unsecure != NULL)
+ *unsecure = ISC_FALSE;
return (result);
}
}
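Review bot: Every branch of is_active resets `*flag`, `*cut` and, when non-NULL, `*unsecure`, which is why the final `else` needs a "Silence compiler" block; initialising the three outputs once before the `dns_db_find` call and letting only the TRUE cases override would remove the duplication and the silencing block. Concretely, at the top of the function: `*flag = ISC_FALSE;`, `*cut = ISC_FALSE;`, `if (unsecure != NULL) *unsecure = ISC_FALSE;`. Separately, the DS lookup only treats DNS_R_NXRRSET as "unsecure", so any other result, including a lookup error, leaves the cut marked secure; if that is intended it deserves a comment, otherwise the error should propagate. The function's opening lines are outside this hunk.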
@@ -1471,8 +1644,9 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbiterator_t *dbit = NULL;
isc_boolean_t has_nsec;
unsigned int wraps = 0;
+ isc_boolean_t secure = dns_db_issecure(db);
- CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
+ CHECK(dns_db_createiterator(db, 0, &dbit));
CHECK(dns_dbiterator_seek(dbit, oldname));
do {
@@ -1508,9 +1682,29 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* we must pause the iterator first.
*/
CHECK(dns_dbiterator_pause(dbit));
- CHECK(rrset_exists(db, ver, newname,
- dns_rdatatype_nsec, 0, &has_nsec));
-
+ if (secure) {
+ CHECK(rrset_exists(db, ver, newname,
+ dns_rdatatype_nsec, 0, &has_nsec));
+ } else {
+ dns_fixedname_t ffound;
+ dns_name_t *found;
+ dns_fixedname_init(&ffound);
+ found = dns_fixedname_name(&ffound);
+ result = dns_db_find(db, newname, ver,
+ dns_rdatatype_soa,
+ DNS_DBFIND_NOWILD, 0, NULL, found,
+ NULL, NULL);
+ if (result == ISC_R_SUCCESS ||
+ result == DNS_R_EMPTYNAME ||
+ result == DNS_R_NXRRSET ||
+ result == DNS_R_CNAME ||
+ (result == DNS_R_DELEGATION &&
+ dns_name_equal(newname, found))) {
+ has_nsec = ISC_TRUE;
+ result = ISC_R_SUCCESS;
+ } else if (result != DNS_R_NXDOMAIN)
+ break;
+ }
} while (! has_nsec);
failure:
if (dbit != NULL)
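Review bot: In the unsigned-zone branch, when dns_db_find returns DNS_R_NXDOMAIN neither the `if` nor the `else if` assigns `has_nsec`, yet the loop condition `while (! has_nsec)` reads it; `has_nsec` is declared without an initialiser earlier in the function, so on the first pass that read is of an indeterminate value, and on any pass the loop may exit with `result` still DNS_R_NXDOMAIN. Setting the flag at the start of the branch fixes both: `has_nsec = ISC_FALSE;` before the `dns_db_find` call (or initialising it at declaration). The variable is also being used to mean "name is active" in this branch, which a comment such as `/* Unsigned zone: treat any existing, non-delegated name as active. */` would make explicit. next_active starts before this hunk and its failure path continues after it.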
@@ -1519,6 +1713,35 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
return (result);
}
+static isc_boolean_t
+has_opt_bit(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset;
+ isc_boolean_t has_bit = ISC_FALSE;
+
+ dns_rdataset_init(&rdataset);
+ CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
+ dns_rdatatype_none, 0, &rdataset, NULL));
+ CHECK(dns_rdataset_first(&rdataset));
+ dns_rdataset_current(&rdataset, &rdata);
+ has_bit = dns_nsec_typepresent(&rdata, dns_rdatatype_opt);
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ return (has_bit);
+}
+
+static void
+set_bit(unsigned char *array, unsigned int index) {
+ unsigned int shift, bit;
+
+ shift = 7 - (index % 8);
+ bit = 1 << shift;
+
+ array[index / 8] |= bit;
+}
+
/*%
* Add a NSEC record for "name", recording the change in "diff".
* The existing NSEC is removed.
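Review bot: set_bit writes `array[index / 8]` without any bound, so its contract rests entirely on the caller having sized the bitmap; it should say so, e.g. `/* Set bit 'index' in a big-endian bitmap; the caller guarantees 'array' has at least index / 8 + 1 bytes. */`. has_opt_bit maps every failure of the rdataset lookup (including errors other than "no NSEC") to a FALSE return, which is fine for its one use but should be stated in a header comment: `/* Return TRUE if the NSEC at 'node' has the OPT type bit set; any lookup failure is reported as FALSE. */`. Both functions lack the `/*%` header the rest of the file uses.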
@@ -1550,6 +1773,24 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
dns_rdata_init(&rdata);
CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
+ /*
+ * Preserve the status of the OPT bit in the origin's NSEC record.
+ */
+ if (dns_name_equal(dns_db_origin(db), name) &&
+ has_opt_bit(db, ver, node))
+ {
+ isc_region_t region;
+ dns_name_t next;
+
+ dns_name_init(&next, NULL);
+ dns_rdata_toregion(&rdata, &region);
+ dns_name_fromregion(&next, &region);
+ isc_region_consume(&region, next.length);
+ INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
+ region.base[0] == 0 &&
+ region.base[1] > dns_rdatatype_opt / 8);
+ set_bit(region.base + 2, dns_rdatatype_opt);
+ }
dns_db_detachnode(db, &node);
/*
@@ -1576,7 +1817,8 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
*/
static isc_result_t
add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_diff_t *diff) {
+ dns_diff_t *diff)
+{
isc_result_t result;
dns_difftuple_t *tuple = NULL;
isc_region_t r;
@@ -1655,7 +1897,7 @@ static isc_result_t
add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
- isc_mem_t *mctx, isc_stdtime_t inception, isc_stdtime_t expire,
+ isc_stdtime_t inception, isc_stdtime_t expire,
isc_boolean_t check_ksk)
{
isc_result_t result;
@@ -1666,15 +1908,18 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
unsigned char data[1024]; /* XXX */
unsigned int i;
isc_boolean_t added_sig = ISC_FALSE;
+ isc_mem_t *mctx = client->mctx;
dns_rdataset_init(&rdataset);
isc_buffer_init(&buffer, data, sizeof(data));
/* Get the rdataset to sign. */
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+ if (type == dns_rdatatype_nsec3)
+ CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
+ else
+ CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
CHECK(dns_db_findrdataset(db, node, ver, type, 0,
- (isc_stdtime_t) 0,
- &rdataset, NULL));
+ (isc_stdtime_t) 0, &rdataset, NULL));
dns_db_detachnode(db, &node);
for (i = 0; i < nkeys; i++) {
@@ -1693,7 +1938,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
/* Update the database and journal with the RRSIG. */
/* XXX inefficient - will cause dataset merging */
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name,
+ CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
rdataset.ttl, &sig_rdata));
dns_rdata_reset(&sig_rdata);
added_sig = ISC_TRUE;
@@ -1713,13 +1958,156 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
return (result);
}
+/*
+ * Delete expired RRsigs and any RRsigs we are about to re-sign.
+ * See also zone.c:del_sigs().
+ */
+static isc_result_t
+del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned int i;
+ dns_rdata_rrsig_t rrsig;
+ isc_boolean_t found;
+
+ dns_rdataset_init(&rdataset);
+
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result == ISC_R_NOTFOUND)
+ return (ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
+ dns_rdatatype_dnskey, (isc_stdtime_t) 0,
+ &rdataset, NULL);
+ dns_db_detachnode(db, &node);
+
+ if (result == ISC_R_NOTFOUND)
+ return (ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ found = ISC_FALSE;
+ for (i = 0; i < nkeys; i++) {
+ if (rrsig.keyid == dst_key_id(keys[i])) {
+ found = ISC_TRUE;
+ if (!dst_key_isprivate(keys[i])) {
+ /*
+ * The re-signing code in zone.c
+ * will mark this as offline.
+ * Just skip the record for now.
+ */
+ break;
+ }
+ result = update_one_rr(db, ver, diff,
+ DNS_DIFFOP_DEL, name,
+ rdataset.ttl, &rdata);
+ break;
+ }
+ }
+ /*
+ * If there is not a matching DNSKEY then delete the RRSIG.
+ */
+ if (!found)
+ result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+ name, rdataset.ttl, &rdata);
+ dns_rdata_reset(&rdata);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+static isc_result_t
+add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
+ dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
+ isc_stdtime_t inception, isc_stdtime_t expire,
+ isc_boolean_t check_ksk)
+{
+ isc_result_t result;
+ dns_dbnode_t *node;
+ dns_rdatasetiter_t *iter;
+
+ node = NULL;
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result == ISC_R_NOTFOUND)
+ return (ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ iter = NULL;
+ result = dns_db_allrdatasets(db, node, ver,
+ (isc_stdtime_t) 0, &iter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_node;
+
+ for (result = dns_rdatasetiter_first(iter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(iter))
+ {
+ dns_rdataset_t rdataset;
+ dns_rdatatype_t type;
+ isc_boolean_t flag;
+
+ dns_rdataset_init(&rdataset);
+ dns_rdatasetiter_current(iter, &rdataset);
+ type = rdataset.type;
+ dns_rdataset_disassociate(&rdataset);
+
+ /*
+ * We don't need to sign unsigned NSEC records at the cut
+ * as they are handled elsewhere.
+ */
+ if ((type == dns_rdatatype_rrsig) ||
+ (cut && type != dns_rdatatype_ds))
+ continue;
+ result = rrset_exists(db, ver, name, dns_rdatatype_rrsig,
+ type, &flag);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_iterator;
+ if (flag)
+ continue;;
+ result = add_sigs(client, zone, db, ver, name, type, diff,
+ keys, nkeys, inception, expire, check_ksk);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_iterator;
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ cleanup_iterator:
+ dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+ dns_db_detachnode(db, &node);
+
+ return (result);
+}
+
/*%
- * Update RRSIG and NSEC records affected by an update. The original
- * update, including the SOA serial update but exluding the RRSIG & NSEC
+ * Update RRSIG, NSEC and NSEC3 records affected by an update. The original
+ * update, including the SOA serial update but excluding the RRSIG & NSEC
* changes, is in "diff" and has already been applied to "newver" of "db".
* The database version prior to the update is "oldver".
*
- * The necessary RRSIG and NSEC changes will be applied to "newver"
+ * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
* and added (as a minimal diff) to "diff".
*
* The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
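Review bot: add_exposed_sigs has no header comment while its sibling del_keysigs does; the hunk shows it signs every RRset at 'name' that lacks an RRSIG (only DS when 'cut' is set), so a `/*% Add RRSIGs for RRsets at 'name' that have become visible and are not yet signed; at a zone cut only the DS RRset is signed. */` header would match the file's style. In the same function, `continue;;` at the `if (flag)` line has a stray second semicolon, and the `cleanup_iterator:`/`cleanup_node:` labels are indented one level where the rest of the file puts labels at column zero. In del_keysigs, the comment "Just skip the record for now" could also note that `result` keeps its success value on that path so the loop's error check is not tripped.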
@@ -1727,7 +2115,8 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
static isc_result_t
update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *oldver, dns_dbversion_t *newver,
- dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
+ dns_diff_t *diff, isc_uint32_t sigvalidityinterval,
+ isc_boolean_t *deleted_zsk)
{
isc_result_t result;
dns_difftuple_t *t;
@@ -1747,11 +2136,14 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdataset_t rdataset;
dns_dbnode_t *node = NULL;
isc_boolean_t check_ksk;
+ isc_boolean_t unsecure;
+ isc_boolean_t cut;
dns_diff_init(client->mctx, &diffnames);
dns_diff_init(client->mctx, &affected);
dns_diff_init(client->mctx, &sig_diff);
+ sig_diff.resign = dns_zone_getsigresigninginterval(zone);
dns_diff_init(client->mctx, &nsec_diff);
dns_diff_init(client->mctx, &nsec_mindiff);
@@ -1770,16 +2162,35 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
/*
* Do we look at the KSK flag on the DNSKEY to determining which
* keys sign which RRsets? First check the zone option then
- * check the keys flags to make sure atleast one has a ksk set
+ * check the keys flags to make sure at least one has a ksk set
* and one doesn't.
*/
check_ksk = ISC_TF((dns_zone_getoptions(zone) &
DNS_ZONEOPT_UPDATECHECKKSK) != 0);
- if (check_ksk)
+ /*
+ * If we are not checking the ZSK flag then all DNSKEY's are
+ * already signing all RRsets so we don't need to trigger special
+ * changes.
+ */
+ if (*deleted_zsk && (!check_ksk || !ksk_sanity(db, oldver)))
+ *deleted_zsk = ISC_FALSE;
+
+ if (check_ksk) {
check_ksk = ksk_sanity(db, newver);
+ if (!check_ksk && ksk_sanity(db, oldver))
+ update_log(client, zone, ISC_LOG_WARNING,
+ "disabling update-check-ksk");
+ }
/*
- * Get the NSEC's TTL from the SOA MINIMUM field.
+ * If we have deleted a ZSK and we we still have some ZSK's
+ * we don't need to convert the KSK's to a ZSK's.
+ */
+ if (*deleted_zsk && check_ksk)
+ *deleted_zsk = ISC_FALSE;
+
+ /*
+ * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
*/
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
dns_rdataset_init(&rdataset);
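Review bot: `*deleted_zsk` is dereferenced twice in this hunk without a NULL check, so the new out-parameter is a hard requirement of update_signatures; the function's header comment (outside this hunk) should state `'deleted_zsk' must be non-NULL; it is cleared when the deletion does not require converting KSKs to ZSKs`. The first of the two new comments says "If we are not checking the ZSK flag" while the code tests `check_ksk`, and the second contains "we we still have some ZSK's"; I would write `If we are not checking the KSK flag then all DNSKEYs are already signing all RRsets` and `If we have deleted a ZSK and still have other ZSKs we don't need to convert the KSKs to ZSKs.` The function continues outside this hunk.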
@@ -1823,21 +2234,27 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* Delete all old RRSIGs covering this type, since they
* are all invalid when the signed RRset has changed.
* We may not be able to recreate all of them - tough.
+ * Special case changes to the zone's DNSKEY records
+ * to support offline KSKs.
*/
- CHECK(delete_if(true_p, db, newver, name,
- dns_rdatatype_rrsig, type,
- NULL, &sig_diff));
+ if (type == dns_rdatatype_dnskey)
+ del_keysigs(db, newver, name, &sig_diff,
+ zone_keys, nkeys);
+ else
+ CHECK(delete_if(true_p, db, newver, name,
+ dns_rdatatype_rrsig, type,
+ NULL, &sig_diff));
/*
- * If this RRset still exists after the update,
+ * If this RRset is still visible after the update,
* add a new signature for it.
*/
- CHECK(rrset_exists(db, newver, name, type, 0, &flag));
+ CHECK(rrset_visible(db, newver, name, type, &flag));
if (flag) {
CHECK(add_sigs(client, zone, db, newver, name,
type, &sig_diff, zone_keys,
- nkeys, client->mctx, inception,
- expire, check_ksk));
+ nkeys, inception, expire,
+ check_ksk));
}
skip:
/* Skip any other updates to the same RRset. */
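Review bot: The new `del_keysigs(db, newver, name, &sig_diff, zone_keys, nkeys);` call discards its isc_result_t while the `delete_if` call in the sibling branch is wrapped in CHECK; del_keysigs returns errors from dns_db_findrdataset and update_one_rr, so an allocation or database failure here would leave stale DNSKEY RRSIGs in place and the update would still be committed. Wrapping it the same way, `CHECK(del_keysigs(db, newver, name, &sig_diff, zone_keys, nkeys));`, makes the two branches consistent. The enclosing loop starts and ends outside this hunk.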
@@ -1849,6 +2266,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
}
}
}
+ update_log(client, zone, ISC_LOG_DEBUG(3), "updated data signatures");
/* Remove orphaned NSECs and RRSIG NSECs. */
for (t = ISC_LIST_HEAD(diffnames.tuples);
@@ -1862,6 +2280,19 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
NULL, &sig_diff));
}
}
+ update_log(client, zone, ISC_LOG_DEBUG(3),
+ "removed any orphaned NSEC records");
+
+ /*
+ * If we don't have a NSEC record at the origin then we need to
+ * update the NSEC3 records.
+ */
+ CHECK(rrset_exists(db, newver, dns_db_origin(db), dns_rdatatype_nsec,
+ 0, &flag));
+ if (!flag)
+ goto update_nsec3;
+
+ update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
/*
* When a name is created or deleted, its predecessor needs to
@@ -1944,27 +2375,34 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
t = ISC_LIST_NEXT(t, link))
{
isc_boolean_t exists;
- CHECK(name_exists(db, newver, &t->name, &exists));
+ dns_name_t *name = &t->name;
+
+ CHECK(name_exists(db, newver, name, &exists));
if (! exists)
continue;
- CHECK(is_glue(db, newver, &t->name, &flag));
- if (flag) {
+ CHECK(is_active(db, newver, name, &flag, &cut, NULL));
+ if (!flag) {
/*
* This name is obscured. Delete any
* existing NSEC record.
*/
- CHECK(delete_if(true_p, db, newver, &t->name,
+ CHECK(delete_if(true_p, db, newver, name,
dns_rdatatype_nsec, 0,
NULL, &nsec_diff));
+ CHECK(delete_if(rrsig_p, db, newver, name,
+ dns_rdatatype_any, 0, NULL, diff));
} else {
/*
* This name is not obscured. It should have a NSEC.
*/
- CHECK(rrset_exists(db, newver, &t->name,
+ CHECK(rrset_exists(db, newver, name,
dns_rdatatype_nsec, 0, &flag));
if (! flag)
- CHECK(add_placeholder_nsec(db, newver, &t->name,
- diff));
+ CHECK(add_placeholder_nsec(db, newver, name,
+ diff));
+ CHECK(add_exposed_sigs(client, zone, db, newver, name,
+ cut, diff, zone_keys, nkeys,
+ inception, expire, check_ksk));
}
}
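Review bot: For an obscured name the NSEC deletion is appended to `nsec_diff` but the new `delete_if(rrsig_p, ...)` appends the RRSIG deletions directly to `diff`, while every other signature change in this function goes through `sig_diff`; if that is deliberate (these deletions must not be minimised against later additions, presumably) a one-line comment would save the next reader from "fixing" it, e.g. `/* RRSIGs at an obscured name go straight into 'diff'; they are not re-signed below. */`. The `is_active` call passes NULL for 'unsecure', so the DS check is skipped on this path, which also deserves a short note. The enclosing loop continues outside this hunk.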
@@ -2010,6 +2448,9 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_appendminimal(&nsec_mindiff, &t);
}
+ update_log(client, zone, ISC_LOG_DEBUG(3),
+ "signing rebuilt NSEC chain");
+
/* Update RRSIG NSECs. */
for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
t != NULL;
@@ -2022,7 +2463,139 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
} else if (t->op == DNS_DIFFOP_ADD) {
CHECK(add_sigs(client, zone, db, newver, &t->name,
dns_rdatatype_nsec, &sig_diff,
- zone_keys, nkeys, client->mctx,
+ zone_keys, nkeys, inception, expire,
+ check_ksk));
+ } else {
+ INSIST(0);
+ }
+ }
+
+ update_nsec3:
+
+ /* Record our changes for the journal. */
+ while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
+ ISC_LIST_UNLINK(sig_diff.tuples, t, link);
+ dns_diff_appendminimal(diff, &t);
+ }
+ while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
+ ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
+ dns_diff_appendminimal(diff, &t);
+ }
+
+ INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
+ INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
+ INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
+
+ /*
+ * Check if we have any active NSEC3 chains by looking for a
+ * NSEC3PARAM RRset.
+ */
+ CHECK(rrset_exists(db, newver, dns_db_origin(db),
+ dns_rdatatype_nsec3param, 0, &flag));
+ if (!flag) {
+ update_log(client, zone, ISC_LOG_DEBUG(3),
+ "no NSEC3 chains to rebuild");
+ goto failure;
+ }
+
+ update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC3 chains");
+
+ dns_diff_clear(&diffnames);
+ dns_diff_clear(&affected);
+
+ CHECK(dns_diff_sort(diff, temp_order));
+
+ /*
+ * Find names potentially affected by delegation changes
+ * (obscured by adding an NS or DNAME, or unobscured by
+ * removing one).
+ */
+ t = ISC_LIST_HEAD(diff->tuples);
+ while (t != NULL) {
+ dns_name_t *name = &t->name;
+
+ isc_boolean_t ns_existed, dname_existed;
+ isc_boolean_t ns_exists, dname_exists;
+
+ if (t->rdata.type == dns_rdatatype_nsec ||
+ t->rdata.type == dns_rdatatype_rrsig) {
+ t = ISC_LIST_NEXT(t, link);
+ continue;
+ }
+
+ CHECK(namelist_append_name(&affected, name));
+
+ CHECK(rrset_exists(db, oldver, name, dns_rdatatype_ns, 0,
+ &ns_existed));
+ CHECK(rrset_exists(db, oldver, name, dns_rdatatype_dname, 0,
+ &dname_existed));
+ CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns, 0,
+ &ns_exists));
+ CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
+ &dname_exists));
+
+ if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
+ goto nextname;
+ /*
+ * There was a delegation change. Mark all subdomains
+ * of t->name as potentially needing a NSEC3 update.
+ */
+ CHECK(namelist_append_subdomain(db, name, &affected));
+
+ nextname:
+ while (t != NULL && dns_name_equal(&t->name, name))
+ t = ISC_LIST_NEXT(t, link);
+ }
+
+ for (t = ISC_LIST_HEAD(affected.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link)) {
+ dns_name_t *name = &t->name;
+
+ unsecure = ISC_FALSE; /* Silence compiler warning. */
+ CHECK(is_active(db, newver, name, &flag, &cut, &unsecure));
+
+ if (!flag) {
+ CHECK(delete_if(rrsig_p, db, newver, name,
+ dns_rdatatype_any, 0, NULL, diff));
+ CHECK(dns_nsec3_delnsec3s(db, newver, name,
+ &nsec_diff));
+ } else {
+ CHECK(add_exposed_sigs(client, zone, db, newver, name,
+ cut, diff, zone_keys, nkeys,
+ inception, expire, check_ksk));
+ CHECK(dns_nsec3_addnsec3s(db, newver, name, nsecttl,
+ unsecure, &nsec_diff));
+ }
+ }
+
+ /*
+ * Minimize the set of NSEC3 updates so that we don't
+ * have to regenerate the RRSIG NSEC3s for NSEC3s that were
+ * replaced with identical ones.
+ */
+ while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
+ ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
+ dns_diff_appendminimal(&nsec_mindiff, &t);
+ }
+
+ update_log(client, zone, ISC_LOG_DEBUG(3),
+ "signing rebuilt NSEC3 chain");
+
+ /* Update RRSIG NSEC3s. */
+ for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ if (t->op == DNS_DIFFOP_DEL) {
+ CHECK(delete_if(true_p, db, newver, &t->name,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_nsec3,
+ NULL, &sig_diff));
+ } else if (t->op == DNS_DIFFOP_ADD) {
+ CHECK(add_sigs(client, zone, db, newver, &t->name,
+ dns_rdatatype_nsec3,
+ &sig_diff, zone_keys, nkeys,
inception, expire, check_ksk));
} else {
INSIST(0);
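Review bot: The "no NSEC3 chains to rebuild" path exits through `goto failure` and returns success only because `result` still holds ISC_R_SUCCESS from the `rrset_exists` CHECK immediately before it; the label name and the implicit reuse make that easy to break if a statement is later inserted between the two. An explicit `result = ISC_R_SUCCESS;` before the goto, or a dedicated `success:` label as `get_iterations` in this same commit uses, would make the intent robust. `nsecttl`, `diffnames`, `affected`, `cut` and the `failure:` label are all declared outside the hunk, and update_signatures continues past it.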
@@ -2127,8 +2700,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
*/
result = dns_message_firstname(request, DNS_SECTION_ZONE);
if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_FORMERR,
- "update zone section empty");
+ FAILC(DNS_R_FORMERR, "update zone section empty");
/*
* The zone section must contain exactly one "question", and
@@ -2153,8 +2725,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
&zone);
if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
+ FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
@@ -2168,16 +2739,20 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
break;
case dns_zone_slave:
CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
- "update forwarding", zonename, ISC_TRUE));
+ "update forwarding", zonename, ISC_TRUE,
+ ISC_FALSE));
CHECK(send_forward_event(client, zone));
break;
default:
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
+ FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
}
return;
failure:
+ if (result == DNS_R_REFUSED) {
+ INSIST(dns_zone_gettype(zone) == dns_zone_slave);
+ inc_stats(zone, dns_nsstatscounter_updaterej);
+ }
/*
* We failed without having sent an update event to the zone.
* We are still in the client task context, so we can
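Review bot: The new `failure:` block dereferences `zone` in `INSIST(dns_zone_gettype(zone) == dns_zone_slave)` whenever `result == DNS_R_REFUSED`, so it relies on no earlier `FAILC`/`CHECK` in ns_update_start producing DNS_R_REFUSED before `zone` has been attached; the visible paths use DNS_R_FORMERR and DNS_R_NOTAUTH, but the start of the function is outside the hunk, so this is worth confirming. A comment recording the assumption the INSIST encodes, e.g. `/* Only the slave forwarding ACL can refuse at this point. */`, would help, and if master-side rejections are counted elsewhere it should say where.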
@@ -2190,36 +2765,44 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
/*%
* DS records are not allowed to exist without corresponding NS records,
- * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change,
+ * RFC 3658, 2.2 Protocol Change,
* "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
*/
static isc_result_t
remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
isc_result_t result;
- isc_boolean_t ns_exists, ds_exists;
- dns_difftuple_t *t;
+ isc_boolean_t ns_exists;
+ dns_difftuple_t *tupple;
+ dns_diff_t temp_diff;
- for (t = ISC_LIST_HEAD(diff->tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link)) {
- if (t->op != DNS_DIFFOP_ADD ||
- t->rdata.type != dns_rdatatype_ns)
- continue;
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
- &ns_exists));
- if (ns_exists)
+ dns_diff_init(diff->mctx, &temp_diff);
+
+ for (tupple = ISC_LIST_HEAD(diff->tuples);
+ tupple != NULL;
+ tupple = ISC_LIST_NEXT(tupple, link)) {
+ if (!((tupple->op == DNS_DIFFOP_DEL &&
+ tupple->rdata.type == dns_rdatatype_ns) ||
+ (tupple->op == DNS_DIFFOP_ADD &&
+ tupple->rdata.type == dns_rdatatype_ds)))
continue;
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0,
- &ds_exists));
- if (!ds_exists)
+ CHECK(rrset_exists(db, newver, &tupple->name,
+ dns_rdatatype_ns, 0, &ns_exists));
+ if (ns_exists &&
+ !dns_name_equal(&tupple->name, dns_db_origin(db)))
continue;
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_ds, 0, NULL, diff));
+ CHECK(delete_if(true_p, db, newver, &tupple->name,
+ dns_rdatatype_ds, 0, NULL, &temp_diff));
}
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
failure:
+ for (tupple = ISC_LIST_HEAD(temp_diff.tuples);
+ tupple != NULL;
+ tupple = ISC_LIST_HEAD(temp_diff.tuples)) {
+ ISC_LIST_UNLINK(temp_diff.tuples, tupple, link);
+ dns_diff_appendminimal(diff, &tupple);
+ }
return (result);
}
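Review bot: The loop variable is spelled `tupple` throughout the rewritten remove_orphaned_ds while every other function in this commit uses `tuple`; renaming it keeps the file consistent. The merge at `failure:` runs on both the success and the error path, so DS deletions already applied through `delete_if` are recorded in `diff` even when a later CHECK fails; that is right for journal consistency but deserves a comment, e.g. `/* Always fold temp_diff into diff: the deletions were already applied to newver. */`. The header comment could also mention that DS RRsets added at the apex (the `dns_name_equal(&tupple->name, dns_db_origin(db))` case) are now removed as well, which the old loop did not do.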
@@ -2329,6 +2912,463 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
}
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ const dns_rdata_t *rdata, isc_boolean_t *flag)
+{
+ dns_rdataset_t rdataset;
+ dns_dbnode_t *node = NULL;
+ isc_result_t result;
+
+ dns_rdataset_init(&rdataset);
+ if (rdata->type == dns_rdatatype_nsec3)
+ CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
+ else
+ CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+ result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+ (isc_stdtime_t) 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ *flag = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ goto failure;
+ }
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t myrdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &myrdata);
+ if (!dns_rdata_compare(&myrdata, rdata))
+ break;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result == ISC_R_SUCCESS) {
+ *flag = ISC_TRUE;
+ } else if (result == ISC_R_NOMORE) {
+ *flag = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ }
+
+ failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+static isc_result_t
+get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
+ dns_dbnode_t *node = NULL;
+ dns_rdata_nsec3param_t nsec3param;
+ dns_rdataset_t rdataset;
+ isc_result_t result;
+ unsigned int iterations = 0;
+
+ dns_rdataset_init(&rdataset);
+
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+ 0, (isc_stdtime_t) 0, &rdataset, NULL);
+ dns_db_detachnode(db, &node);
+ if (result == ISC_R_NOTFOUND)
+ goto success;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &rdata);
+ CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+ if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+ continue;
+ if (nsec3param.iterations > iterations)
+ iterations = nsec3param.iterations;
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+
+ success:
+ *iterationsp = iterations;
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ return (result);
+}
+
+/*
+ * Prevent the zone entering a inconsistent state where
+ * NSEC only DNSKEYs are present with NSEC3 chains.
+ */
+static isc_result_t
+check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t *ver, dns_diff_t *diff)
+{
+ dns_diff_t temp_diff;
+ dns_diffop_t op;
+ dns_difftuple_t *tuple, *newtuple = NULL, *next;
+ isc_boolean_t flag;
+ isc_result_t result;
+ unsigned int iterations = 0, max;
+
+ dns_diff_init(diff->mctx, &temp_diff);
+
+ CHECK(dns_nsec_nseconly(db, ver, &flag));
+
+ if (flag)
+ CHECK(dns_nsec3_active(db, ver, ISC_FALSE, &flag));
+ if (flag) {
+ update_log(client, zone, ISC_LOG_WARNING,
+ "NSEC only DNSKEYs and NSEC3 chains not allowed");
+ } else {
+ CHECK(get_iterations(db, ver, &iterations));
+ CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
+ if (iterations > max) {
+ flag = ISC_TRUE;
+ update_log(client, zone, ISC_LOG_WARNING,
+ "too many NSEC3 iterations (%u) for "
+ "weakest DNSKEY (%u)", iterations, max);
+ }
+ }
+ if (flag) {
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = next) {
+ next = ISC_LIST_NEXT(tuple, link);
+ if (tuple->rdata.type != dns_rdatatype_dnskey &&
+ tuple->rdata.type != dns_rdatatype_nsec3param)
+ continue;
+ op = (tuple->op == DNS_DIFFOP_DEL) ?
+ DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+ CHECK(dns_difftuple_create(temp_diff.mctx, op,
+ &tuple->name, tuple->ttl,
+ &tuple->rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
+ INSIST(newtuple == NULL);
+ }
+ for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
+ ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+ dns_diff_appendminimal(diff, &tuple);
+ }
+ }
+
+
+ failure:
+ dns_diff_clear(&temp_diff);
+ return (result);
+}
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+/*
+ * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
+ */
+static isc_result_t
+add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+ dns_name_t *name, dns_dbversion_t *ver, dns_diff_t *diff)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_difftuple_t *tuple, *newtuple = NULL, *next;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_diff_t temp_diff;
+ dns_diffop_t op;
+ isc_boolean_t flag;
+
+ update_log(client, zone, ISC_LOG_DEBUG(3),
+ "checking for NSEC3PARAM changes");
+
+ dns_diff_init(diff->mctx, &temp_diff);
+
+ /*
+ * Extract NSEC3PARAM tuples from list.
+ */
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = next) {
+
+ next = ISC_LIST_NEXT(tuple, link);
+
+ if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+ !dns_name_equal(name, &tuple->name))
+ continue;
+ ISC_LIST_UNLINK(diff->tuples, tuple, link);
+ ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
+ }
+
+ for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+ tuple != NULL; tuple = next) {
+
+ if (tuple->op == DNS_DIFFOP_ADD) {
+ next = ISC_LIST_NEXT(tuple, link);
+ while (next != NULL) {
+ unsigned char *next_data = next->rdata.data;
+ unsigned char *tuple_data = tuple->rdata.data;
+ if (next_data[0] != tuple_data[0] ||
+ /* Ignore flags. */
+ next_data[2] != tuple_data[2] ||
+ next_data[3] != tuple_data[3] ||
+ next_data[4] != tuple_data[4] ||
+ !memcmp(&next_data[5], &tuple_data[5],
+ tuple_data[4])) {
+ next = ISC_LIST_NEXT(next, link);
+ continue;
+ }
+ op = (next->op == DNS_DIFFOP_DEL) ?
+ DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+ CHECK(dns_difftuple_create(diff->mctx, op,
+ name, next->ttl,
+ &next->rdata,
+ &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ ISC_LIST_UNLINK(temp_diff.tuples, next, link);
+ dns_diff_appendminimal(diff, &next);
+ next = ISC_LIST_NEXT(tuple, link);
+ }
+
+ INSIST(tuple->rdata.data[1] & DNS_NSEC3FLAG_UPDATE);
+
+ /*
+ * See if we already have a CREATE request in progress.
+ */
+ dns_rdata_clone(&tuple->rdata, &rdata);
+ INSIST(rdata.length <= sizeof(buf));
+ memcpy(buf, rdata.data, rdata.length);
+ buf[1] |= DNS_NSEC3FLAG_CREATE;
+ buf[1] &= ~DNS_NSEC3FLAG_UPDATE;
+ rdata.data = buf;
+
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+
+ if (!flag) {
+ CHECK(dns_difftuple_create(diff->mctx,
+ DNS_DIFFOP_ADD,
+ name, tuple->ttl,
+ &rdata,
+ &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ }
+ /*
+ * Remove the temporary add record.
+ */
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+ name, tuple->ttl,
+ &tuple->rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ next = ISC_LIST_NEXT(tuple, link);
+ ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+ dns_diff_appendminimal(diff, &tuple);
+ dns_rdata_reset(&rdata);
+ } else
+ next = ISC_LIST_NEXT(tuple, link);
+ }
+
+ /*
+ * Reverse any pending changes.
+ */
+ for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+ tuple != NULL; tuple = next) {
+ next = ISC_LIST_NEXT(tuple, link);
+ if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
+ op = (tuple->op == DNS_DIFFOP_DEL) ?
+ DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+ CHECK(dns_difftuple_create(diff->mctx, op, name,
+ tuple->ttl, &tuple->rdata,
+ &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+ dns_diff_appendminimal(diff, &tuple);
+ }
+ }
+
+ /*
+ * Convert deletions into delayed deletions.
+ */
+ for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+ tuple != NULL; tuple = next) {
+ next = ISC_LIST_NEXT(tuple, link);
+ /*
+ * See if we already have a REMOVE request in progress.
+ */
+ dns_rdata_clone(&tuple->rdata, &rdata);
+ INSIST(rdata.length <= sizeof(buf));
+ memcpy(buf, rdata.data, rdata.length);
+ buf[1] |= DNS_NSEC3FLAG_REMOVE;
+ rdata.data = buf;
+
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+
+ if (!flag) {
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+ name, tuple->ttl, &rdata,
+ &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ }
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
+ tuple->ttl, &tuple->rdata,
+ &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+ dns_diff_appendminimal(diff, &tuple);
+ dns_rdata_reset(&rdata);
+ }
+
+ result = ISC_R_SUCCESS;
+ failure:
+ dns_diff_clear(&temp_diff);
+ return (result);
+}
+#endif
+
+/*
+ * Add records to cause the delayed signing of the zone by added DNSKEY
+ * to remove the RRSIG records generated by a deleted DNSKEY.
+ */
+static isc_result_t
+add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
+ dns_rdatatype_t privatetype, dns_diff_t *diff)
+{
+ dns_difftuple_t *tuple, *newtuple = NULL;
+ dns_rdata_dnskey_t dnskey;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t flag;
+ isc_region_t r;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_uint16_t keyid;
+ unsigned char buf[5];
+
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ if (tuple->rdata.type != dns_rdatatype_dnskey)
+ continue;
+
+ dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+ if ((dnskey.flags &
+ (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+ != DNS_KEYOWNER_ZONE)
+ continue;
+
+ dns_rdata_toregion(&tuple->rdata, &r);
+ keyid = dst_region_computeid(&r, dnskey.algorithm);
+
+ buf[0] = dnskey.algorithm;
+ buf[1] = (keyid & 0xff00) >> 8;
+ buf[2] = (keyid & 0xff);
+ buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
+ buf[4] = 0;
+ rdata.data = buf;
+ rdata.length = sizeof(buf);
+ rdata.type = privatetype;
+ rdata.rdclass = tuple->rdata.rdclass;
+
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+ if (flag)
+ continue;
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+ name, 0, &rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ INSIST(newtuple == NULL);
+ /*
+ * Remove any record which says this operation has already
+ * completed.
+ */
+ buf[4] = 1;
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+ if (flag) {
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+ name, 0, &rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ INSIST(newtuple == NULL);
+ }
+ }
+ failure:
+ return (result);
+}
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+/*
+ * Mark all NSEC3 chains for deletion without creating a NSEC chain as
+ * a side effect of deleting the last chain.
+ */
+static isc_result_t
+delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+ dns_diff_t *diff)
+{
+ dns_dbnode_t *node = NULL;
+ dns_difftuple_t *tuple = NULL;
+ dns_name_t next;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset;
+ isc_boolean_t flag;
+ isc_result_t result = ISC_R_SUCCESS;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+ dns_name_init(&next, NULL);
+ dns_rdataset_init(&rdataset);
+
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Cause all NSEC3 chains to be deleted.
+ */
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+ 0, (isc_stdtime_t) 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ goto success;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdataset_current(&rdataset, &rdata);
+ INSIST(rdata.length <= sizeof(buf));
+ memcpy(buf, rdata.data, rdata.length);
+
+ if (buf[1] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
+ dns_rdata_reset(&rdata);
+ continue;
+ }
+
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+ origin, 0, &rdata, &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ INSIST(tuple == NULL);
+
+ buf[1] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
+ rdata.data = buf;
+
+ CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+
+ if (!flag) {
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+ origin, 0, &rdata, &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ INSIST(tuple == NULL);
+ }
+ dns_rdata_reset(&rdata);
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+ success:
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+#endif
+
static void
update_action(isc_task_t *task, isc_event_t *event) {
update_event_t *uev = (update_event_t *) event;
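Review bot: In `rr_exists`, only ISC_R_NOTFOUND from `dns_db_findrdataset` is handled; any other failure falls through to `dns_rdataset_first` and `dns_rdataset_disassociate` on an rdataset that was never associated, so add `else if (result != ISC_R_SUCCESS) goto failure;` after the NOTFOUND branch. In `add_nsec3param_records`, the inner skip condition compares hash, iterations and salt length with `!=` but the salt itself with `!memcmp(...)`, which is true when the salts are equal, so identical parameters (including the zero-length-salt case) are skipped rather than matched; unless that is intended it should read `memcmp(&next_data[5], &tuple_data[5], tuple_data[4]) != 0`. `add_signing_records` discards the return value of `dns_rdata_tostruct`, whereas `get_iterations` wraps the same call in CHECK. The five-byte private-type record it builds would also benefit from a comment naming each byte (algorithm, key id high/low, remove flag, complete flag), since the `0`/`1` literals at indexes 3 and 4 carry the meaning.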
@@ -2339,8 +3379,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_db_t *db = NULL;
dns_dbversion_t *oldver = NULL;
dns_dbversion_t *ver = NULL;
- dns_diff_t diff; /* Pending updates. */
- dns_diff_t temp; /* Pending RR existence assertions. */
+ dns_diff_t diff; /* Pending updates. */
+ dns_diff_t temp; /* Pending RR existence assertions. */
isc_boolean_t soa_serial_changed = ISC_FALSE;
isc_mem_t *mctx = client->mctx;
dns_rdatatype_t covers;
@@ -2351,6 +3391,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_fixedname_t tmpnamefixed;
dns_name_t *tmpname = NULL;
unsigned int options;
+ isc_boolean_t deleted_zsk;
+ dns_difftuple_t *tuple;
+ dns_rdata_dnskey_t dnskey;
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+#endif
+#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
+ isc_boolean_t had_dnskey;
+#endif
INSIST(event->ev_type == DNS_EVENT_UPDATE);
@@ -2382,54 +3431,59 @@ update_action(isc_task_t *task, isc_event_t *event) {
&name, &rdata, &covers, &ttl, &update_class);
if (ttl != 0)
- FAILC(DNS_R_FORMERR, "prerequisite TTL is not zero");
+ PREREQFAILC(DNS_R_FORMERR,
+ "prerequisite TTL is not zero");
if (! dns_name_issubdomain(name, zonename))
- FAILN(DNS_R_NOTZONE, name,
- "prerequisite name is out of zone");
+ PREREQFAILN(DNS_R_NOTZONE, name,
+ "prerequisite name is out of zone");
if (update_class == dns_rdataclass_any) {
if (rdata.length != 0)
- FAILC(DNS_R_FORMERR,
+ PREREQFAILC(DNS_R_FORMERR,
"class ANY prerequisite "
"RDATA is not empty");
if (rdata.type == dns_rdatatype_any) {
CHECK(name_exists(db, ver, name, &flag));
if (! flag) {
- FAILN(DNS_R_NXDOMAIN, name,
- "'name in use' prerequisite "
- "not satisfied");
+ PREREQFAILN(DNS_R_NXDOMAIN, name,
+ "'name in use' "
+ "prerequisite not "
+ "satisfied");
}
} else {
CHECK(rrset_exists(db, ver, name,
rdata.type, covers, &flag));
if (! flag) {
/* RRset does not exist. */
- FAILNT(DNS_R_NXRRSET, name, rdata.type,
+ PREREQFAILNT(DNS_R_NXRRSET, name, rdata.type,
"'rrset exists (value independent)' "
"prerequisite not satisfied");
}
}
} else if (update_class == dns_rdataclass_none) {
if (rdata.length != 0)
- FAILC(DNS_R_FORMERR,
- "class NONE prerequisite "
- "RDATA is not empty");
+ PREREQFAILC(DNS_R_FORMERR,
+ "class NONE prerequisite "
+ "RDATA is not empty");
if (rdata.type == dns_rdatatype_any) {
CHECK(name_exists(db, ver, name, &flag));
if (flag) {
- FAILN(DNS_R_YXDOMAIN, name,
- "'name not in use' prerequisite "
- "not satisfied");
+ PREREQFAILN(DNS_R_YXDOMAIN, name,
+ "'name not in use' "
+ "prerequisite not "
+ "satisfied");
}
} else {
CHECK(rrset_exists(db, ver, name,
rdata.type, covers, &flag));
if (flag) {
/* RRset exists. */
- FAILNT(DNS_R_YXRRSET, name, rdata.type,
- "'rrset does not exist' "
- "prerequisite not satisfied");
+ PREREQFAILNT(DNS_R_YXRRSET, name,
+ rdata.type,
+ "'rrset does not exist' "
+ "prerequisite not "
+ "satisfied");
}
}
} else if (update_class == zoneclass) {
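Review bot: The prerequisite checks now fail through `PREREQFAILC`/`PREREQFAILN`/`PREREQFAILNT` instead of `FAILC`/`FAILN`/`FAILNT`, but the macros are defined outside this hunk and nothing at the first use says how they differ from the plain FAIL variants (presumably logging or a separate rejection counter). A short comment at the first `PREREQFAILC`, stating the intended difference and pointing at the macro definitions, would make the distinction explicit; the single `PREREQFAILC` in the following hunk is covered by the same remark. The enclosing update_action body starts and ends outside this hunk.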
@@ -2442,7 +3496,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
FAIL(ISC_R_UNEXPECTED);
}
} else {
- FAILC(DNS_R_FORMERR, "malformed prerequisite");
+ PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite");
}
}
if (result != ISC_R_NOMORE)
@@ -2484,13 +3538,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
result = ISC_R_SUCCESS;
if (ssutable == NULL)
CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
- "update", zonename, ISC_FALSE));
- else if (client->signer == NULL)
+ "update", zonename, ISC_FALSE, ISC_FALSE));
+ else if (client->signer == NULL && !TCPCLIENT(client))
CHECK(checkupdateacl(client, NULL, "update", zonename,
- ISC_FALSE));
+ ISC_FALSE, ISC_TRUE));
if (dns_zone_getupdatedisabled(zone))
- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled");
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
+ "because the zone is frozen. Use "
+ "'rndc thaw' to re-enable updates.");
/*
* Perform the Update Section Prescan.
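Review bot: The condition `client->signer == NULL && !TCPCLIENT(client)` means an unsigned update arriving over TCP no longer hits the immediate `checkupdateacl(client, NULL, "update", ...)` rejection and instead continues to the per-record `dns_ssutable_checkrules`/`ssu_checkall` calls, where presumably only a tcp-self or 6to4-self rule can admit it. That is the hook for the new address-based policies, but it is a security-relevant relaxation that deserves a comment here rather than only at the later SSU check, e.g. `/* Unsigned TCP updates are deferred to the SSU rules (tcp-self/6to4-self); any other unsigned update is rejected now. */`. It also assumes the SSU code rejects a NULL signer when no such rule matches; that path is in a later hunk of this file.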
@@ -2546,29 +3602,47 @@ update_action(isc_task_t *task, isc_event_t *event) {
* is forbidden from updating NSEC records."
*/
if (dns_db_issecure(db)) {
- if (rdata.type == dns_rdatatype_nsec) {
+ if (rdata.type == dns_rdatatype_nsec3) {
+ FAILC(DNS_R_REFUSED,
+ "explicit NSEC3 updates are not allowed "
+ "in secure zones");
+ } else if (rdata.type == dns_rdatatype_nsec) {
FAILC(DNS_R_REFUSED,
"explicit NSEC updates are not allowed "
"in secure zones");
- }
- else if (rdata.type == dns_rdatatype_rrsig) {
+ } else if (rdata.type == dns_rdatatype_rrsig &&
+ !dns_name_equal(name, zonename)) {
FAILC(DNS_R_REFUSED,
- "explicit RRSIG updates are currently not "
- "supported in secure zones");
+ "explicit RRSIG updates are currently "
+ "not supported in secure zones except "
+ "at the apex");
}
}
- if (ssutable != NULL && client->signer != NULL) {
+ if (ssutable != NULL) {
+ isc_netaddr_t *tcpaddr, netaddr;
+ /*
+ * If this is a TCP connection then pass the
+ * address of the client through for tcp-self
+ * and 6to4-self otherwise pass NULL. This
+ * provides weak address based authentication.
+ */
+ if (TCPCLIENT(client)) {
+ isc_netaddr_fromsockaddr(&netaddr,
+ &client->peeraddr);
+ tcpaddr = &netaddr;
+ } else
+ tcpaddr = NULL;
if (rdata.type != dns_rdatatype_any) {
if (!dns_ssutable_checkrules(ssutable,
client->signer,
- name, rdata.type))
+ name, tcpaddr,
+ rdata.type))
FAILC(DNS_R_REFUSED,
"rejected by secure update");
- }
- else {
+ } else {
if (!ssu_checkall(db, ver, name, ssutable,
- client->signer))
+ client->signer, tcpaddr))
FAILC(DNS_R_REFUSED,
"rejected by secure update");
}
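Review bot: The new exception that lets explicit RRSIG updates through at the apex (`rdata.type == dns_rdatatype_rrsig && !dns_name_equal(name, zonename)`) is not explained in the code; the refusal message states the rule but not the reason. A comment giving the rationale, e.g. `/* Apex RRSIGs (DNSKEY signatures) may be supplied by the client; all other RRSIGs are generated here. */` or whatever the actual motivation is, matters because apex RRSIGs are exactly the signatures validators check first. With the ssutable branch now also entered when `client->signer == NULL`, `dns_ssutable_checkrules` and `ssu_checkall` receive a NULL signer; that they handle it correctly cannot be seen here, so a note at the call would help. update_action continues outside the hunk.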
@@ -2613,12 +3687,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
typebuf);
continue;
}
- if (rdata.type == dns_rdatatype_ns &&
+ if ((rdata.type == dns_rdatatype_ns ||
+ rdata.type == dns_rdatatype_dname) &&
dns_name_iswildcard(name)) {
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_rdatatype_format(rdata.type, typebuf,
+ sizeof(typebuf));
update_log(client, zone,
LOGLEVEL_PROTOCOL,
- "attempt to add wildcard NS record"
- "ignored");
+ "attempt to add wildcard %s record "
+ "ignored", typebuf);
continue;
}
if (rdata.type == dns_rdatatype_cname) {
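Review bot: The block added for wildcard NS/DNAME declares a new `char typebuf[DNS_RDATATYPE_FORMATSIZE]` while a `typebuf` is already in use at the top of the hunk (`update_log(..., typebuf)`); if that outer buffer lives in an enclosing scope, the new declaration shadows it and trips `-Wshadow`. Reusing the outer buffer with `dns_rdatatype_format(rdata.type, typebuf, sizeof(typebuf));` and no new declaration avoids the duplicate; if the outer one is block-local to the preceding if, the declaration is legal but a different name would still read better.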
@@ -2671,6 +3750,43 @@ update_action(isc_task_t *task, isc_event_t *event) {
}
soa_serial_changed = ISC_TRUE;
}
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+ if (rdata.type == dns_rdatatype_nsec3param) {
+ /*
+ * Ignore attempts to add NSEC3PARAM records
+ * with any flags other than OPTOUT.
+ */
+ if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to add NSEC3PARAM "
+ "record with non OPTOUT "
+ "flag");
+ continue;
+ }
+
+ /*
+ * Set the NSEC3CHAIN creation flag.
+ */
+ INSIST(rdata.length <= sizeof(buf));
+ memcpy(buf, rdata.data, rdata.length);
+ buf[1] |= DNS_NSEC3FLAG_UPDATE;
+ rdata.data = buf;
+ /*
+ * Force the TTL to zero for NSEC3PARAM records.
+ */
+ ttl = 0;
+ }
+#else
+ if (rdata.type == dns_rdatatype_nsec3param) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "attempt to add NSEC3PARAM "
+ "record ignored");
+ continue;
+ };
+#endif
+
if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
dns_name_internalwildcard(name)) {
char namestr[DNS_NAME_FORMATSIZE];
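Review bot: In the `#else` branch the `};` closing the NSEC3PARAM rejection block leaves a stray empty statement; drop the semicolon. In the `#ifdef` branch, `rdata.data[1]` is read before any length check, relying on the NSEC3PARAM wire parser having guaranteed the fixed 5-byte header; `INSIST(rdata.length <= sizeof(buf))` bounds the copy but not that read, so a comment such as `/* rdata came through fromwire: length >= 5 is guaranteed */` would record the assumption. `rdata.data = buf` also points the record at the function-scope buffer declared earlier in update_action, which appears safe only because the rdata is consumed within the same loop iteration; that use is in a later hunk.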
@@ -2688,8 +3804,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
sizeof(namestr));
dns_rdatatype_format(rdata.type, typestr,
sizeof(typestr));
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
"adding an RR at '%s' %s",
namestr, typestr);
}
@@ -2714,8 +3829,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_diff_clear(&ctx.del_diff);
dns_diff_clear(&ctx.add_diff);
} else {
- CHECK(do_diff(&ctx.del_diff, db, ver, &diff));
- CHECK(do_diff(&ctx.add_diff, db, ver, &diff));
+ CHECK(do_diff(&ctx.del_diff, db, ver,
+ &diff));
+ CHECK(do_diff(&ctx.add_diff, db, ver,
+ &diff));
CHECK(update_one_rr(db, ver, &diff,
DNS_DIFFOP_ADD,
name, ttl, &rdata));
@@ -2745,11 +3862,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_rdatatype_any, 0,
&rdata, &diff));
}
+#ifndef ALLOW_NSEC3PARAM_UPDATE
+ } else if (rdata.type == dns_rdatatype_nsec3param) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "attempt to delete a NSEC3PARAM "
+ "records ignored");
+ continue;
+#endif
} else if (dns_name_equal(name, zonename) &&
(rdata.type == dns_rdatatype_soa ||
rdata.type == dns_rdatatype_ns)) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
"attempt to delete all SOA "
"or NS records ignored");
continue;
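Review bot: The new log text `"attempt to delete a NSEC3PARAM records ignored"` mixes singular and plural; `"attempt to delete NSEC3PARAM records ignored"` matches the neighbouring "attempt to delete all SOA or NS records ignored". The `#ifndef ALLOW_NSEC3PARAM_UPDATE` block inserts an `else if` arm into the chain under a preprocessor conditional; a brief comment that the ALLOW_NSEC3PARAM_UPDATE build instead converts deletions into delayed deletions in add_nsec3param_records would explain why the arm disappears in that configuration.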
@@ -2812,6 +3935,14 @@ update_action(isc_task_t *task, isc_event_t *event) {
FAIL(result);
/*
+ * Check that any changes to DNSKEY/NSEC3PARAM records make sense.
+ * If they don't then back out all changes to DNSKEY/NSEC3PARAM
+ * records.
+ */
+ if (! ISC_LIST_EMPTY(diff.tuples))
+ CHECK(check_dnssec(client, zone, db, ver, &diff));
+
+ /*
* If any changes were made, increment the SOA serial number,
* update RRSIGs and NSECs (if zone is secure), and write the update
* to the journal.
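Review bot: The comment says inconsistent DNSKEY/NSEC3PARAM changes are backed out, but check_dnssec only logs a warning and reverses those tuples; the requester still gets a successful response with the rest of the update applied and no indication that part of it was dropped. Either say so here, e.g. `/* Reverted DNSKEY/NSEC3PARAM changes are silently dropped; the client still receives NOERROR. */`, or consider failing the update with DNS_R_REFUSED so the operator notices. The preceding `FAIL(result)` and the rest of update_action lie outside the hunk.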
@@ -2819,6 +3950,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (! ISC_LIST_EMPTY(diff.tuples)) {
char *journalfile;
dns_journal_t *journal;
+ isc_boolean_t has_dnskey;
/*
* Increment the SOA serial, but only if it was not
@@ -2832,14 +3964,61 @@ update_action(isc_task_t *task, isc_event_t *event) {
CHECK(remove_orphaned_ds(db, ver, &diff));
- if (dns_db_issecure(db)) {
+ CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
+ 0, &has_dnskey));
+
+#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
+ CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
+ 0, &had_dnskey));
+
+#ifndef ALLOW_SECURE_TO_INSECURE
+ if (had_dnskey && !has_dnskey) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "update rejected: all DNSKEY records "
+ "removed");
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
+#endif
+#ifndef ALLOW_INSECURE_TO_SECURE
+ if (!had_dnskey && has_dnskey) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "update rejected: DNSKEY record added");
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
+#endif
+#endif
+
+ CHECK(add_signing_records(db, zonename, ver,
+ dns_zone_getprivatetype(zone),
+ &diff));
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+ CHECK(add_nsec3param_records(client, zone, db, zonename,
+ ver, &diff));
+#endif
+
+ if (!has_dnskey) {
+ /*
+ * We are transitioning from secure to insecure.
+ * Cause all NSEC3 chains to be deleted. When the
+ * the last signature for the DNSKEY records are
+ * remove any NSEC chain present will also be removed.
+ */
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+ CHECK(delete_chains(db, ver, zonename, &diff));
+#endif
+ } else if (has_dnskey && dns_db_isdnssec(db)) {
+ isc_uint32_t interval;
+ interval = dns_zone_getsigvalidityinterval(zone);
result = update_signatures(client, zone, db, oldver,
- ver, &diff,
- dns_zone_getsigvalidityinterval(zone));
+ ver, &diff, interval,
+ &deleted_zsk);
if (result != ISC_R_SUCCESS) {
update_log(client, zone,
ISC_LOG_ERROR,
- "RRSIG/NSEC update failed: %s",
+ "RRSIG/NSEC/NSEC3 update failed: %s",
isc_result_totext(result));
goto failure;
}
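Review bot: `else if (has_dnskey && dns_db_isdnssec(db))` repeats a test the preceding `if (!has_dnskey)` already decided; `else if (dns_db_isdnssec(db))` says the same thing. The comment in the `!has_dnskey` branch is garbled ("When the the last signature for the DNSKEY records are remove any NSEC chain present will also be removed"); suggested wording: "Once the last RRSIG over the DNSKEY RRset is removed, any NSEC chain present is removed as well." `deleted_zsk` is filled in by `update_signatures` but is not read in any visible hunk; if nothing consumes it, the out-parameter should be dropped or the follow-up action added. The `failure:` label and the remainder of update_action are outside the hunk.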
@@ -2872,6 +4051,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
*/
update_log(client, zone, LOGLEVEL_DEBUG,
"committing update transaction");
+
dns_db_closeversion(db, &ver, ISC_TRUE);
/*
@@ -2883,6 +4063,71 @@ update_action(isc_task_t *task, isc_event_t *event) {
* Notify slaves of the change we just made.
*/
dns_zone_notify(zone);
+
+ /*
+ * Cause the zone to be signed with the key that we
+ * have just added or have the corresponding signatures
+ * deleted.
+ *
+ * Note: we are already committed to this course of action.
+ */
+ for (tuple = ISC_LIST_HEAD(diff.tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ isc_region_t r;
+ dns_secalg_t algorithm;
+ isc_uint16_t keyid;
+
+ if (tuple->rdata.type != dns_rdatatype_dnskey)
+ continue;
+
+ dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+ if ((dnskey.flags &
+ (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+ != DNS_KEYOWNER_ZONE)
+ continue;
+
+ dns_rdata_toregion(&tuple->rdata, &r);
+ algorithm = dnskey.algorithm;
+ keyid = dst_region_computeid(&r, algorithm);
+
+ result = dns_zone_signwithkey(zone, algorithm, keyid,
+ ISC_TF(tuple->op == DNS_DIFFOP_DEL));
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "dns_zone_signwithkey failed: %s",
+ dns_result_totext(result));
+ }
+ }
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+ /*
+ * Cause the zone to add/delete NSEC3 chains for the
+ * deferred NSEC3PARAM changes.
+ *
+ * Note: we are already committed to this course of action.
+ */
+ for (tuple = ISC_LIST_HEAD(diff.tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ dns_rdata_nsec3param_t nsec3param;
+
+ if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+ tuple->op != DNS_DIFFOP_ADD)
+ continue;
+
+ dns_rdata_tostruct(&tuple->rdata, &nsec3param, NULL);
+ if (nsec3param.flags == 0)
+ continue;
+
+ result = dns_zone_addnsec3chain(zone, &nsec3param);
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "dns_zone_addnsec3chain failed: %s",
+ dns_result_totext(result));
+ }
+ }
+#endif
} else {
update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
dns_db_closeversion(db, &ver, ISC_TRUE);
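Review bot: The return value of `dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL)` is discarded, so a conversion failure could leave `dnskey` partly uninitialised before its `flags` and `algorithm` fields are read; the same applies to the NSEC3PARAM loop below. Both loops run after the version has been committed, so an assertion would be a poor response; skipping the tuple is safer: `if (dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL) != ISC_R_SUCCESS) continue;`, and likewise for `nsec3param`. The `dnskey` variable and the rest of update_action are declared outside this hunk.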
@@ -2891,6 +4136,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
goto common;
failure:
+ if (result == DNS_R_REFUSED)
+ inc_stats(zone, dns_nsstatscounter_updaterej);
+
/*
* The reason for failure should have been logged at this point.
*/
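Review bot: A refused update appears to be counted twice: `inc_stats(zone, dns_nsstatscounter_updaterej)` is incremented here under `failure:`, and the updatedone_action hunk below also increments `dns_nsstatscounter_updaterej` when `uev->result == DNS_R_REFUSED`, which is the same value this function forwards via `uev->result = result`. Unless one of these paths can be reached without the other (not visible here), the increment here is redundant and the three-line `if (result == DNS_R_REFUSED)` block can be dropped, leaving updatedone_action as the single accounting point. update_action continues outside this hunk.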
@@ -2913,11 +4161,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (ssutable != NULL)
dns_ssutable_detach(&ssutable);
- if (zone != NULL)
- dns_zone_detach(&zone);
-
isc_task_detach(&task);
uev->result = result;
+ if (zone != NULL)
+ INSIST(uev->zone == zone); /* we use this later */
uev->ev_type = DNS_EVENT_UPDATEDONE;
uev->ev_action = updatedone_action;
isc_task_send(client->task, &event);
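Review bot: The comment `/* we use this later */` on the new INSIST does not say what changed: the `dns_zone_detach(&zone)` that used to sit here has been removed, so the reference now travels in `uev->zone` and is released in updatedone_action. Suggest `/* the zone reference is carried in uev->zone and released by updatedone_action() */` so the ownership transfer is explicit at the point where the old detach was.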
@@ -2935,6 +4182,19 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
INSIST(task == client->task);
INSIST(client->nupdates > 0);
+ switch (uev->result) {
+ case ISC_R_SUCCESS:
+ inc_stats(uev->zone, dns_nsstatscounter_updatedone);
+ break;
+ case DNS_R_REFUSED:
+ inc_stats(uev->zone, dns_nsstatscounter_updaterej);
+ break;
+ default:
+ inc_stats(uev->zone, dns_nsstatscounter_updatefail);
+ break;
+ }
+ if (uev->zone != NULL)
+ dns_zone_detach(&uev->zone);
client->nupdates--;
respond(client, uev->result);
isc_event_free(&event);
@@ -2963,17 +4223,21 @@ static void
forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
update_event_t *uev = arg;
ns_client_t *client = uev->ev_arg;
+ dns_zone_t *zone = uev->zone;
if (result != ISC_R_SUCCESS) {
INSIST(answer == NULL);
uev->ev_type = DNS_EVENT_UPDATEDONE;
uev->ev_action = forward_fail;
+ inc_stats(zone, dns_nsstatscounter_updatefwdfail);
} else {
uev->ev_type = DNS_EVENT_UPDATEDONE;
uev->ev_action = forward_done;
uev->answer = answer;
+ inc_stats(zone, dns_nsstatscounter_updaterespfwd);
}
isc_task_send(client->task, ISC_EVENT_PTR(&uev));
+ dns_zone_detach(&zone);
}
static void
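Review bot: `dns_zone_detach(&zone)` releases the reference through a local copy, so `uev->zone` still holds the released pointer when the event is delivered to forward_fail/forward_done. Even if those handlers do not read it today, detaching through the event field, `dns_zone_detach(&uev->zone);`, leaves it NULL and removes the stale pointer. If `uev->zone` can be NULL here, the call also needs the `if (uev->zone != NULL)` guard that updatedone_action uses.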
@@ -3004,8 +4268,10 @@ forward_action(isc_task_t *task, isc_event_t *event) {
uev->ev_type = DNS_EVENT_UPDATEDONE;
uev->ev_action = forward_fail;
isc_task_send(client->task, &event);
- }
- dns_zone_detach(&zone);
+ inc_stats(zone, dns_nsstatscounter_updatefwdfail);
+ dns_zone_detach(&zone);
+ } else
+ inc_stats(zone, dns_nsstatscounter_updatereqfwd);
isc_task_detach(&task);
}
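Review bot: The `else` at the end of forward_action is a brace-less single statement while the matching `if` block is braced, and it is also where the zone reference silently changes hands: the failure path detaches `zone`, the success path keeps it, presumably for forward_callback to release. Suggest bracing the branch and adding `/* zone reference stays attached; forward_callback() releases it */` above the `inc_stats` call. The start of forward_action is outside this hunk.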
diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c
index 9fe90a2..0aa6f79 100644
--- a/contrib/bind9/bin/named/xfrout.c
+++ b/contrib/bind9/bin/named/xfrout.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrout.c,v 1.115.18.8 2006/03/05 23:58:51 marka Exp $ */
+/* $Id: xfrout.c,v 1.131.26.4 2009/01/29 22:40:34 jinmei Exp $ */
#include <config.h>
@@ -23,6 +23,7 @@
#include <isc/mem.h>
#include <isc/timer.h>
#include <isc/print.h>
+#include <isc/stats.h>
#include <isc/util.h>
#include <dns/db.h>
@@ -40,6 +41,7 @@
#include <dns/rdatasetiter.h>
#include <dns/result.h>
#include <dns/soa.h>
+#include <dns/stats.h>
#include <dns/timer.h>
#include <dns/tsig.h>
#include <dns/view.h>
@@ -51,7 +53,7 @@
#include <named/server.h>
#include <named/xfrout.h>
-/*! \file
+/*! \file
* \brief
* Outgoing AXFR and IXFR.
*/
@@ -86,7 +88,7 @@
ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
"bad zone transfer request: %s (%s)", \
- msg, isc_result_totext(code)); \
+ msg, isc_result_totext(code)); \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
@@ -100,12 +102,12 @@
ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
"bad zone transfer request: '%s/%s': %s (%s)", \
- _buf1, _buf2, msg, isc_result_totext(code)); \
+ _buf1, _buf2, msg, isc_result_totext(code)); \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
#define CHECK(op) \
- do { result = (op); \
+ do { result = (op); \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
@@ -121,12 +123,12 @@ typedef struct db_rr_iterator db_rr_iterator_t;
struct db_rr_iterator {
isc_result_t result;
dns_db_t *db;
- dns_dbiterator_t *dbit;
+ dns_dbiterator_t *dbit;
dns_dbversion_t *ver;
isc_stdtime_t now;
dns_dbnode_t *node;
dns_fixedname_t fixedname;
- dns_rdatasetiter_t *rdatasetit;
+ dns_rdatasetiter_t *rdatasetit;
dns_rdataset_t rdataset;
dns_rdata_t rdata;
};
@@ -148,6 +150,16 @@ db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
static void
db_rr_iterator_destroy(db_rr_iterator_t *it);
+static inline void
+inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
+ isc_stats_increment(ns_g_server->nsstats, counter);
+ if (zone != NULL) {
+ isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+ if (zonestats != NULL)
+ isc_stats_increment(zonestats, counter);
+ }
+}
+
static isc_result_t
db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
isc_stdtime_t now)
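Review bot: The new `inc_stats` helper has no comment, and a helper of the same name is called from update.c in this commit, which suggests the body is duplicated per file. Suggest `/* Bump a counter in the server-wide stats and, when the zone keeps request stats, in the zone's too. */` above it, and, if the update.c copy is identical, hoisting one definition into a shared named/ header.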
@@ -158,7 +170,7 @@ db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
it->ver = ver;
it->now = now;
it->node = NULL;
- result = dns_db_createiterator(it->db, ISC_FALSE, &it->dbit);
+ result = dns_db_createiterator(it->db, 0, &it->dbit);
if (result != ISC_R_SUCCESS)
return (result);
it->rdatasetit = NULL;
@@ -303,6 +315,11 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
rdl.type = rdata->type;
rdl.rdclass = rdata->rdclass;
rdl.ttl = ttl;
+ if (rdata->type == dns_rdatatype_sig ||
+ rdata->type == dns_rdatatype_rrsig)
+ rdl.covers = dns_rdata_covers(rdata);
+ else
+ rdl.covers = dns_rdatatype_none;
ISC_LIST_INIT(rdl.rdata);
ISC_LINK_INIT(&rdl, link);
dns_rdataset_init(&rds);
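Review bot: The SIG/RRSIG `covers` computation added to log_rr is repeated verbatim in sendstream (the hunk setting `msgrdl->covers`). A small static inline helper, e.g. `rdata_covers(const dns_rdata_t *rdata)` returning `dns_rdata_covers(rdata)` for `dns_rdatatype_sig`/`dns_rdatatype_rrsig` and `dns_rdatatype_none` otherwise, would keep the two call sites in step. log_rr begins outside this hunk.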
@@ -326,7 +343,7 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
INSIST(buf.used >= 1 &&
((char *) buf.base)[buf.used - 1] == '\n');
buf.used--;
-
+
isc_log_write(XFROUT_RR_LOGARGS, "%.*s",
(int)isc_buffer_usedlength(&buf),
(char *)isc_buffer_base(&buf));
@@ -818,6 +835,7 @@ typedef struct {
dns_name_t *qname; /* Question name of request */
dns_rdatatype_t qtype; /* dns_rdatatype_{a,i}xfr */
dns_rdataclass_t qclass;
+ dns_zone_t *zone; /* (necessary for stats) */
dns_db_t *db;
dns_dbversion_t *ver;
isc_quota_t *quota;
@@ -841,7 +859,7 @@ typedef struct {
static isc_result_t
xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client,
unsigned int id, dns_name_t *qname, dns_rdatatype_t qtype,
- dns_rdataclass_t qclass,
+ dns_rdataclass_t qclass, dns_zone_t *zone,
dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
rrstream_t *stream, dns_tsigkey_t *tsigkey,
isc_buffer_t *lasttsig,
@@ -969,7 +987,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
/*
* Normal zone table does not have a match. Try the DLZ database
*/
- if (client->view->dlzdatabase != NULL) {
+ if (client->view->dlzdatabase != NULL) {
result = dns_dlzallowzonexfr(client->view,
question_name, &client->peeraddr,
&db);
@@ -1006,7 +1024,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
} else {
/*
- * not DLZ and not in normal zone table, we are
+ * not DLZ and not in normal zone table, we are
* not authoritative
*/
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
@@ -1090,9 +1108,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
#endif
ns_client_aclmsg("zone transfer", question_name, reqtype,
client->view->rdclass, msg, sizeof(msg));
- CHECK(ns_client_checkacl(client, msg,
- dns_zone_getxfracl(zone), ISC_TRUE,
- ISC_LOG_ERROR));
+ CHECK(ns_client_checkacl(client, NULL, msg,
+ dns_zone_getxfracl(zone),
+ ISC_TRUE, ISC_LOG_ERROR));
#ifdef DLZ
}
#endif
@@ -1191,7 +1209,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
}
/*
- * Bracket the the data stream with SOAs.
+ * Bracket the data stream with SOAs.
*/
CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
@@ -1210,26 +1228,28 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
#ifdef DLZ
if (is_dlz)
- CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
- reqtype, question_class, db, ver, quota,
- stream, dns_message_gettsigkey(request),
- tsigbuf,
- 3600,
- 3600,
- (format == dns_many_answers) ?
- ISC_TRUE : ISC_FALSE,
- &xfr));
- else
+ CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
+ reqtype, question_class, zone, db, ver,
+ quota, stream,
+ dns_message_gettsigkey(request),
+ tsigbuf,
+ 3600,
+ 3600,
+ (format == dns_many_answers) ?
+ ISC_TRUE : ISC_FALSE,
+ &xfr));
+ else
#endif
- CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
- reqtype, question_class, db, ver, quota,
- stream, dns_message_gettsigkey(request),
- tsigbuf,
- dns_zone_getmaxxfrout(zone),
- dns_zone_getidleout(zone),
- (format == dns_many_answers) ?
- ISC_TRUE : ISC_FALSE,
- &xfr));
+ CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
+ reqtype, question_class, zone, db, ver,
+ quota, stream,
+ dns_message_gettsigkey(request),
+ tsigbuf,
+ dns_zone_getmaxxfrout(zone),
+ dns_zone_getidleout(zone),
+ (format == dns_many_answers) ?
+ ISC_TRUE : ISC_FALSE,
+ &xfr));
xfr->mnemonic = mnemonic;
stream = NULL;
@@ -1261,6 +1281,8 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
result = ISC_R_SUCCESS;
failure:
+ if (result == DNS_R_REFUSED)
+ inc_stats(zone, dns_nsstatscounter_xfrrej);
if (quota != NULL)
isc_quota_detach(&quota);
if (current_soa_tuple != NULL)
@@ -1291,7 +1313,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
static isc_result_t
xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
dns_name_t *qname, dns_rdatatype_t qtype,
- dns_rdataclass_t qclass,
+ dns_rdataclass_t qclass, dns_zone_t *zone,
dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
rrstream_t *stream, dns_tsigkey_t *tsigkey,
isc_buffer_t *lasttsig, unsigned int maxtime,
@@ -1314,8 +1336,11 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
xfr->qname = qname;
xfr->qtype = qtype;
xfr->qclass = qclass;
+ xfr->zone = NULL;
xfr->db = NULL;
xfr->ver = NULL;
+ if (zone != NULL) /* zone will be NULL if it's DLZ */
+ dns_zone_attach(zone, &xfr->zone);
dns_db_attach(db, &xfr->db);
dns_db_attachversion(db, ver, &xfr->ver);
xfr->end_of_stream = ISC_FALSE;
@@ -1399,7 +1424,7 @@ failure:
*
* Requires:
* The stream iterator is initialized and points at an RR,
- * or possiby at the end of the stream (that is, the
+ * or possibly at the end of the stream (that is, the
* _first method of the iterator has been called).
*/
static void
@@ -1573,6 +1598,11 @@ sendstream(xfrout_ctx_t *xfr) {
msgrdl->type = rdata->type;
msgrdl->rdclass = rdata->rdclass;
msgrdl->ttl = ttl;
+ if (rdata->type == dns_rdatatype_sig ||
+ rdata->type == dns_rdatatype_rrsig)
+ msgrdl->covers = dns_rdata_covers(rdata);
+ else
+ msgrdl->covers = dns_rdatatype_none;
ISC_LINK_INIT(msgrdl, link);
ISC_LIST_INIT(msgrdl->rdata);
ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
@@ -1663,7 +1693,7 @@ sendstream(xfrout_ctx_t *xfr) {
* iterators before returning from the event handler.
*/
xfr->stream->methods->pause(xfr->stream);
-
+
if (result == ISC_R_SUCCESS)
return;
@@ -1691,6 +1721,8 @@ xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
isc_quota_detach(&xfr->quota);
if (xfr->ver != NULL)
dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
+ if (xfr->zone != NULL)
+ dns_zone_detach(&xfr->zone);
if (xfr->db != NULL)
dns_db_detach(&xfr->db);
@@ -1724,6 +1756,7 @@ xfrout_senddone(isc_task_t *task, isc_event_t *event) {
sendstream(xfr);
} else {
/* End of zone transfer stream. */
+ inc_stats(xfr->zone, dns_nsstatscounter_xfrdone);
xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic);
ns_client_next(xfr->client, ISC_R_SUCCESS);
xfrout_ctx_destroy(&xfr);
diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c
index a0c1bab..641831d 100644
--- a/contrib/bind9/bin/named/zoneconf.c
+++ b/contrib/bind9/bin/named/zoneconf.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.c,v 1.110.18.23 2006/05/16 03:39:57 marka Exp $ */
+/* $Id: zoneconf.c,v 1.147.50.2 2009/01/29 23:47:44 tbox Exp $ */
/*% */
@@ -25,6 +25,7 @@
#include <isc/file.h>
#include <isc/mem.h>
#include <isc/print.h>
+#include <isc/stats.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <isc/util.h>
@@ -34,6 +35,7 @@
#include <dns/name.h>
#include <dns/rdatatype.h>
#include <dns/ssu.h>
+#include <dns/stats.h>
#include <dns/view.h>
#include <dns/zone.h>
@@ -44,6 +46,15 @@
#include <named/server.h>
#include <named/zoneconf.h>
+/* ACLs associated with zone */
+typedef enum {
+ allow_notify,
+ allow_query,
+ allow_transfer,
+ allow_update,
+ allow_update_forwarding
+} acl_type_t;
+
/*%
* These are BIND9 server defaults, not necessarily identical to the
* library defaults defined in zone.c.
@@ -59,19 +70,69 @@
*/
static isc_result_t
configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
- const cfg_obj_t *config, const char *aclname,
- cfg_aclconfctx_t *actx, dns_zone_t *zone,
+ const cfg_obj_t *config, acl_type_t acltype,
+ cfg_aclconfctx_t *actx, dns_zone_t *zone,
void (*setzacl)(dns_zone_t *, dns_acl_t *),
void (*clearzacl)(dns_zone_t *))
{
isc_result_t result;
- const cfg_obj_t *maps[5];
+ const cfg_obj_t *maps[5] = {NULL, NULL, NULL, NULL, NULL};
const cfg_obj_t *aclobj = NULL;
int i = 0;
- dns_acl_t *dacl = NULL;
+ dns_acl_t **aclp = NULL, *acl = NULL;
+ const char *aclname;
+ dns_view_t *view;
+
+ view = dns_zone_getview(zone);
+
+ switch (acltype) {
+ case allow_notify:
+ if (view != NULL)
+ aclp = &view->notifyacl;
+ aclname = "allow-notify";
+ break;
+ case allow_query:
+ if (view != NULL)
+ aclp = &view->queryacl;
+ aclname = "allow-query";
+ break;
+ case allow_transfer:
+ if (view != NULL)
+ aclp = &view->transferacl;
+ aclname = "allow-transfer";
+ break;
+ case allow_update:
+ if (view != NULL)
+ aclp = &view->updateacl;
+ aclname = "allow-update";
+ break;
+ case allow_update_forwarding:
+ if (view != NULL)
+ aclp = &view->upfwdacl;
+ aclname = "allow-update-forwarding";
+ break;
+ default:
+ INSIST(0);
+ return (ISC_R_FAILURE);
+ }
- if (zconfig != NULL)
- maps[i++] = cfg_tuple_get(zconfig, "options");
+ /* First check to see if ACL is defined within the zone */
+ if (zconfig != NULL) {
+ maps[0] = cfg_tuple_get(zconfig, "options");
+ ns_config_get(maps, aclname, &aclobj);
+ if (aclobj != NULL) {
+ aclp = NULL;
+ goto parse_acl;
+ }
+ }
+
+ /* Failing that, see if there's a default ACL already in the view */
+ if (aclp != NULL && *aclp != NULL) {
+ (*setzacl)(zone, *aclp);
+ return (ISC_R_SUCCESS);
+ }
+
+ /* Check for default ACLs that haven't been parsed yet */
if (vconfig != NULL)
maps[i++] = cfg_tuple_get(vconfig, "options");
if (config != NULL) {
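Review bot: The interplay of `maps[0]` and `i` is easy to misread: the zone's options are stored at `maps[0]` with `i` left at 0, so when the zone-level lookup finds nothing, the following `maps[i++] = cfg_tuple_get(vconfig, "options")` deliberately overwrites slot 0. A comment such as `/* zone-level lookup failed: reuse maps[0] for the view/global search */` at that point would make the intent clear. It is also worth stating above the `aclp` check that a zone-specific ACL sets `aclp = NULL` precisely so it is never cached as the view default, since that cache is what every later zone in the view inherits. configure_zone_acl continues outside this hunk.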
@@ -89,12 +150,18 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
return (ISC_R_SUCCESS);
}
+parse_acl:
result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
- dns_zone_getmctx(zone), &dacl);
+ dns_zone_getmctx(zone), 0, &acl);
if (result != ISC_R_SUCCESS)
return (result);
- (*setzacl)(zone, dacl);
- dns_acl_detach(&dacl);
+ (*setzacl)(zone, acl);
+
+ /* Set the view default now */
+ if (aclp != NULL)
+ dns_acl_attach(acl, aclp);
+
+ dns_acl_detach(&acl);
return (ISC_R_SUCCESS);
}
@@ -158,6 +225,18 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
mtype = DNS_SSUMATCHTYPE_SELFSUB;
else if (strcasecmp(str, "selfwild") == 0)
mtype = DNS_SSUMATCHTYPE_SELFWILD;
+ else if (strcasecmp(str, "ms-self") == 0)
+ mtype = DNS_SSUMATCHTYPE_SELFMS;
+ else if (strcasecmp(str, "krb5-self") == 0)
+ mtype = DNS_SSUMATCHTYPE_SELFKRB5;
+ else if (strcasecmp(str, "ms-subdomain") == 0)
+ mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS;
+ else if (strcasecmp(str, "krb5-subdomain") == 0)
+ mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5;
+ else if (strcasecmp(str, "tcp-self") == 0)
+ mtype = DNS_SSUMATCHTYPE_TCPSELF;
+ else if (strcasecmp(str, "6to4-self") == 0)
+ mtype = DNS_SSUMATCHTYPE_6TO4SELF;
else
INSIST(0);
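Review bot: The six new update-policy match types are mapped without a comment, and nothing here says how `tcp-self` and `6to4-self` (introduced as new methods in the commit description) differ from the existing `self`/`selfsub` kinds. A one-line comment pointing at where each DNS_SSUMATCHTYPE_* is enforced would help reviewers checking the authorization logic. configure_zone_ssutable begins and ends outside this hunk.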
@@ -264,11 +343,11 @@ strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
char ***argvp, unsigned int n)
{
isc_result_t result;
-
+
/* Discard leading whitespace. */
while (*s == ' ' || *s == '\t')
s++;
-
+
if (*s == '\0') {
/* We have reached the end of the string. */
*argcp = n;
@@ -353,6 +432,9 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
isc_boolean_t ixfrdiff;
dns_masterformat_t masterformat;
+ isc_stats_t *zoneqrystats;
+ isc_boolean_t zonestats_on;
+ int seconds;
i = 0;
if (zconfig != NULL) {
@@ -443,14 +525,14 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (ztype == dns_zone_slave)
RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-notify", ac, zone,
+ allow_notify, ac, zone,
dns_zone_setnotifyacl,
dns_zone_clearnotifyacl));
/*
* XXXAG This probably does not make sense for stubs.
*/
RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-query", ac, zone,
+ allow_query, ac, zone,
dns_zone_setqueryacl,
dns_zone_clearqueryacl));
@@ -480,7 +562,15 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "zone-statistics", &obj);
INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setstatistics(zone, cfg_obj_asboolean(obj)));
+ zonestats_on = cfg_obj_asboolean(obj);
+ zoneqrystats = NULL;
+ if (zonestats_on) {
+ RETERR(isc_stats_create(mctx, &zoneqrystats,
+ dns_nsstatscounter_max));
+ }
+ dns_zone_setrequeststats(zone, zoneqrystats);
+ if (zoneqrystats != NULL)
+ isc_stats_detach(&zoneqrystats);
/*
* Configure master functionality. This applies
@@ -536,10 +626,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
+ obj = NULL;
+ result = ns_config_get(maps, "notify-to-soa", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setoption(zone, DNS_ZONEOPT_NOTIFYTOSOA,
+ cfg_obj_asboolean(obj));
+
dns_zone_setisself(zone, ns_client_isself, NULL);
RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-transfer", ac, zone,
+ allow_transfer, ac, zone,
dns_zone_setxfracl,
dns_zone_clearxfracl));
@@ -614,13 +710,19 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "check-sibling", &obj);
INSIST(result == ISC_R_SUCCESS);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
cfg_obj_asboolean(obj));
obj = NULL;
result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "nsec3-test-zone", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
+ cfg_obj_asboolean(obj));
}
/*
@@ -630,10 +732,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (ztype == dns_zone_master) {
dns_acl_t *updateacl;
RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-update", ac, zone,
+ allow_update, ac, zone,
dns_zone_setupdateacl,
dns_zone_clearupdateacl));
-
+
updateacl = dns_zone_getupdateacl(zone);
if (updateacl != NULL && dns_acl_isinsecure(updateacl))
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -641,14 +743,32 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"zone '%s' allows updates by IP "
"address, which is insecure",
zname);
-
+
RETERR(configure_zone_ssutable(zoptions, zone));
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
- dns_zone_setsigvalidityinterval(zone,
- cfg_obj_asuint32(obj) * 86400);
+ {
+ const cfg_obj_t *validity, *resign;
+
+ validity = cfg_tuple_get(obj, "validity");
+ seconds = cfg_obj_asuint32(validity) * 86400;
+ dns_zone_setsigvalidityinterval(zone, seconds);
+
+ resign = cfg_tuple_get(obj, "re-sign");
+ if (cfg_obj_isvoid(resign)) {
+ seconds /= 4;
+ } else {
+ if (seconds > 7 * 86400)
+ seconds = cfg_obj_asuint32(resign) *
+ 86400;
+ else
+ seconds = cfg_obj_asuint32(resign) *
+ 3600;
+ }
+ dns_zone_setsigresigninginterval(zone, seconds);
+ }
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
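Review bot: `seconds` is an `int` (declared as `int seconds;` earlier in this file's diff) but receives `cfg_obj_asuint32(validity) * 86400`, so a large `sig-validity-interval` wraps or overflows before it reaches `dns_zone_setsigvalidityinterval` and the `seconds > 7 * 86400` comparison; unless the value is bounded during config checking, declaring it `isc_uint32_t seconds` and bounding the product would avoid that. The unit switch is also undocumented: `re-sign` is read in days when the validity interval exceeds a week and in hours otherwise, so suggest `/* re-sign is in days when the validity interval is more than 7 days, hours otherwise */` above the `if (seconds > 7 * 86400)`. ns_zone_configure continues outside this hunk.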
@@ -664,6 +784,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
}
obj = NULL;
+ result = ns_config_get(maps, "sig-signing-signatures", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "sig-signing-nodes", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "sig-signing-type", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "update-check-ksk", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
+ cfg_obj_asboolean(obj));
+
+ } else if (ztype == dns_zone_slave) {
+ RETERR(configure_zone_acl(zconfig, vconfig, config,
+ allow_update_forwarding, ac, zone,
+ dns_zone_setforwardacl,
+ dns_zone_clearforwardacl));
+ }
+
+
+ /*%
+ * Primary master functionality.
+ */
+ if (ztype == dns_zone_master) {
+ obj = NULL;
result = ns_config_get(maps, "check-wildcard", &obj);
if (result == ISC_R_SUCCESS)
check = cfg_obj_asboolean(obj);
@@ -689,7 +842,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "check-integrity", &obj);
INSIST(obj != NULL);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY,
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY,
cfg_obj_asboolean(obj));
obj = NULL;
@@ -721,59 +874,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
-
- obj = NULL;
- result = ns_config_get(maps, "update-check-ksk", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
- cfg_obj_asboolean(obj));
- }
-
- /*
- * Configure update-related options. These apply to
- * primary masters only.
- */
- if (ztype == dns_zone_master) {
- dns_acl_t *updateacl;
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-update", ac, zone,
- dns_zone_setupdateacl,
- dns_zone_clearupdateacl));
-
- updateacl = dns_zone_getupdateacl(zone);
- if (updateacl != NULL && dns_acl_isinsecure(updateacl))
- isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "zone '%s' allows updates by IP "
- "address, which is insecure",
- zname);
-
- RETERR(configure_zone_ssutable(zoptions, zone));
-
- obj = NULL;
- result = ns_config_get(maps, "sig-validity-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setsigvalidityinterval(zone,
- cfg_obj_asuint32(obj) * 86400);
-
- obj = NULL;
- result = ns_config_get(maps, "key-directory", &obj);
- if (result == ISC_R_SUCCESS) {
- filename = cfg_obj_asstring(obj);
- if (!isc_file_isabsolute(filename)) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "key-directory '%s' "
- "is not absolute", filename);
- return (ISC_R_FAILURE);
- }
- RETERR(dns_zone_setkeydirectory(zone, filename));
- }
-
- } else if (ztype == dns_zone_slave) {
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-update-forwarding", ac, zone,
- dns_zone_setforwardacl,
- dns_zone_clearforwardacl));
}
/*
@@ -876,6 +976,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
alt = cfg_obj_asboolean(obj);
dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
+ obj = NULL;
+ (void)ns_config_get(maps, "try-tcp-refresh", &obj);
+ dns_zone_setoption(zone, DNS_ZONEOPT_TRYTCPREFRESH,
+ cfg_obj_asboolean(obj));
break;
default:
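Review bot: `(void)ns_config_get(maps, "try-tcp-refresh", &obj)` discards the lookup result, yet `cfg_obj_asboolean(obj)` is called on the next line, so if no default for the option is present `obj` is still NULL when it is used; every neighbouring option in this function follows the lookup with `INSIST(result == ISC_R_SUCCESS)`. Suggest `result = ns_config_get(maps, "try-tcp-refresh", &obj); INSIST(result == ISC_R_SUCCESS);` for consistency. ns_zone_configure continues outside this hunk.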
diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in
index 713ec30..6d65697 100644
--- a/contrib/bind9/bin/nsupdate/Makefile.in
+++ b/contrib/bind9/bin/nsupdate/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2008 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.22.18.3 2008/08/29 23:46:16 tbox Exp $
+# $Id: Makefile.in,v 1.29 2008/08/29 23:47:22 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -24,9 +24,9 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES}
+ ${ISC_INCLUDES} @DST_GSSAPI_INC@
-CDEFINES =
+CDEFINES = @USE_GSSAPI@
CWARNINGS =
LWRESLIBS = ../../lib/lwres/liblwres.@A@
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.1 b/contrib/bind9/bin/nsupdate/nsupdate.1
index 454f505..b0688a3 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.1
+++ b/contrib/bind9/bin/nsupdate/nsupdate.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nsupdate.1,v 1.1.4.2 2008/09/01 02:29:00 tbox Exp $
+.\" $Id: nsupdate.1,v 1.3.48.2 2009/03/10 01:54:11 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,7 +33,7 @@
nsupdate \- Dynamic DNS update utility
.SH "SYNOPSIS"
.HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
.SH "DESCRIPTION"
.PP
\fBnsupdate\fR
@@ -53,7 +53,14 @@ option makes
\fBnsupdate\fR
operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to
+The
+\fB\-D\fR
+option makes
+\fBnsupdate\fR
+report additional debugging information to
+\fB\-d\fR.
+.PP
+Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
\fBnsupdate\fR
and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
\fBkey\fR
@@ -64,7 +71,7 @@ statements would be added to
so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
\fBnsupdate\fR
does not read
-\fI/etc/named.conf\fR.
+\fI/etc/named.conf\fR. GSS\-TSIG uses Kerberos credentials.
.PP
\fBnsupdate\fR
uses the
@@ -96,7 +103,15 @@ The
\fB\-k\fR
may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
.PP
-By default
+The
+\fB\-g\fR
+and
+\fB\-o\fR
+specify that GSS\-TSIG is to be used. The
+\fB\-o\fR
+should only be used with old Microsoft Windows 2000 servers.
+.PP
+By default,
\fBnsupdate\fR
uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
\fB\-v\fR
@@ -115,6 +130,16 @@ option sets the UDP retry interval. The default is 3 seconds. If zero, the inter
The
\fB\-r\fR
option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
+.PP
+The
+\fB\-R \fR\fB\fIrandomdev\fR\fR
+option specifies a source of randomness. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used. This option may be specified multiple times.
.SH "INPUT FORMAT"
.PP
\fBnsupdate\fR
@@ -168,6 +193,13 @@ is specified, the default class is
\fIIN\fR.
.RE
.PP
+\fBttl\fR {seconds}
+.RS 4
+Specify the default time to live for records to be added. The value
+\fInone\fR
+will clear the default ttl.
+.RE
+.PP
\fBkey\fR {name} {secret}
.RS 4
Specifies that all updates are to be TSIG\-signed using the
@@ -271,6 +303,11 @@ Sends the current message. This is equivalent to entering a blank line.
Displays the answer.
.RE
.PP
+\fBdebug\fR
+.RS 4
+Turn on debugging.
+.RE
+.PP
Lines beginning with a semicolon are comments and are ignored.
.SH "EXAMPLES"
.PP
@@ -342,7 +379,7 @@ base\-64 encoding of HMAC\-MD5 key created by
.PP
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c
index 88749e6..6cf4cf4 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.c
+++ b/contrib/bind9/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsupdate.c,v 1.130.18.22 2008/01/17 23:45:58 tbox Exp $ */
+/* $Id: nsupdate.c,v 1.163.48.3 2009/04/30 07:12:49 marka Exp $ */
/*! \file */
@@ -35,8 +35,10 @@
#include <isc/event.h>
#include <isc/hash.h>
#include <isc/lex.h>
+#include <isc/log.h>
#include <isc/mem.h>
#include <isc/parseint.h>
+#include <isc/random.h>
#include <isc/region.h>
#include <isc/sockaddr.h>
#include <isc/socket.h>
@@ -52,6 +54,7 @@
#include <dns/dnssec.h>
#include <dns/events.h>
#include <dns/fixedname.h>
+#include <dns/log.h>
#include <dns/masterdump.h>
#include <dns/message.h>
#include <dns/name.h>
@@ -64,6 +67,7 @@
#include <dns/rdatatype.h>
#include <dns/request.h>
#include <dns/result.h>
+#include <dns/tkey.h>
#include <dns/tsig.h>
#include <dst/dst.h>
@@ -71,8 +75,12 @@
#include <lwres/lwres.h>
#include <lwres/net.h>
+#ifdef GSSAPI
+#include <dst/gssapi.h>
+#endif
#include <bind9/getaddresses.h>
+
#ifdef HAVE_ADDRINFO
#ifdef HAVE_GETADDRINFO
#ifdef HAVE_GAISTRERROR
@@ -107,9 +115,13 @@ static isc_boolean_t have_ipv4 = ISC_FALSE;
static isc_boolean_t have_ipv6 = ISC_FALSE;
static isc_boolean_t is_dst_up = ISC_FALSE;
static isc_boolean_t usevc = ISC_FALSE;
+static isc_boolean_t usegsstsig = ISC_FALSE;
+static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
+static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
static isc_taskmgr_t *taskmgr = NULL;
static isc_task_t *global_task = NULL;
static isc_event_t *global_event = NULL;
+static isc_log_t *lctx = NULL;
static isc_mem_t *mctx = NULL;
static dns_dispatchmgr_t *dispatchmgr = NULL;
static dns_requestmgr_t *requestmgr = NULL;
@@ -120,6 +132,10 @@ static dns_dispatch_t *dispatchv6 = NULL;
static dns_message_t *updatemsg = NULL;
static dns_fixedname_t fuserzone;
static dns_name_t *userzone = NULL;
+static dns_name_t *zonename = NULL;
+static dns_name_t tmpzonename;
+static dns_name_t restart_master;
+static dns_tsig_keyring_t *gssring = NULL;
static dns_tsigkey_t *tsigkey = NULL;
static dst_key_t *sig0key;
static lwres_context_t *lwctx = NULL;
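Review bot: The new file-scope `zonename` has the same name as the `zonename` parameter of `setzone` (hunk `@@ -1469,7 +1683,7 @@`) and of `send_update` (hunk `@@ -1726,6 +1984,7 @@`), so inside those functions the parameter shadows the static and `-Wshadow` will flag both; the same applies to `serveraddr`/`tempaddr` in the next hunk, which were locals of recvsoa before. Since these were presumably promoted so that the GSS path can reach values recvsoa computes, a distinct name such as `gss_zonename`, or at least a comment on the declaration naming the setter (recvsoa) and the consumers, would keep the two `zonename`s from being confused during maintenance.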
@@ -129,20 +145,25 @@ static int ns_inuse = 0;
static int ns_total = 0;
static isc_sockaddr_t *userserver = NULL;
static isc_sockaddr_t *localaddr = NULL;
+static isc_sockaddr_t *serveraddr = NULL;
+static isc_sockaddr_t tempaddr;
static char *keystr = NULL, *keyfile = NULL;
-static isc_entropy_t *entp = NULL;
+static isc_entropy_t *entropy = NULL;
static isc_boolean_t shuttingdown = ISC_FALSE;
static FILE *input;
static isc_boolean_t interactive = ISC_TRUE;
static isc_boolean_t seenerror = ISC_FALSE;
static const dns_master_style_t *style;
static int requests = 0;
+static unsigned int logdebuglevel = 0;
static unsigned int timeout = 300;
static unsigned int udp_timeout = 3;
static unsigned int udp_retries = 3;
static dns_rdataclass_t defaultclass = dns_rdataclass_in;
static dns_rdataclass_t zoneclass = dns_rdataclass_none;
static dns_message_t *answer = NULL;
+static isc_uint32_t default_ttl = 0;
+static isc_boolean_t default_ttl_set = ISC_FALSE;
typedef struct nsu_requestinfo {
dns_message_t *msg;
@@ -161,6 +182,27 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
static void
ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+#ifdef GSSAPI
+static dns_fixedname_t fkname;
+static isc_sockaddr_t *kserver = NULL;
+static char servicename[DNS_NAME_FORMATSIZE];
+static dns_name_t *keyname;
+typedef struct nsu_gssinfo {
+ dns_message_t *msg;
+ isc_sockaddr_t *addr;
+ gss_ctx_id_t context;
+} nsu_gssinfo_t;
+
+static void
+start_gssrequest(dns_name_t *master);
+static void
+send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_message_t *msg, dns_request_t **request,
+ gss_ctx_id_t context);
+static void
+recvgss(isc_task_t *task, isc_event_t *event);
+#endif /* GSSAPI */
+
static void
error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@@ -169,6 +211,69 @@ error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
#define STATUS_QUIT (isc_uint16_t)2
#define STATUS_SYNTAX (isc_uint16_t)3
+typedef struct entropysource entropysource_t;
+
+struct entropysource {
+ isc_entropysource_t *source;
+ isc_mem_t *mctx;
+ ISC_LINK(entropysource_t) link;
+};
+
+static ISC_LIST(entropysource_t) sources;
+
+static void
+setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx)
+{
+ isc_result_t result;
+ isc_entropysource_t *source = NULL;
+ entropysource_t *elt;
+ int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+
+ REQUIRE(ectx != NULL);
+
+ if (*ectx == NULL) {
+ result = isc_entropy_create(mctx, ectx);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not create entropy object");
+ ISC_LIST_INIT(sources);
+ }
+
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ usekeyboard = ISC_ENTROPY_KEYBOARDYES;
+ randomfile = NULL;
+ }
+
+ result = isc_entropy_usebestsource(*ectx, &source, randomfile,
+ usekeyboard);
+
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize entropy source: %s",
+ isc_result_totext(result));
+
+ if (source != NULL) {
+ elt = isc_mem_get(mctx, sizeof(*elt));
+ if (elt == NULL)
+ fatal("out of memory");
+ elt->source = source;
+ elt->mctx = mctx;
+ ISC_LINK_INIT(elt, link);
+ ISC_LIST_APPEND(sources, elt, link);
+ }
+}
+
+static void
+cleanup_entropy(isc_entropy_t **ectx) {
+ entropysource_t *source;
+ while (!ISC_LIST_EMPTY(sources)) {
+ source = ISC_LIST_HEAD(sources);
+ ISC_LIST_UNLINK(sources, source, link);
+ isc_entropy_destroysource(&source->source);
+ isc_mem_put(source->mctx, source, sizeof(*source));
+ }
+ isc_entropy_detach(ectx);
+}
+
+
static dns_rdataclass_t
getzoneclass(void) {
if (zoneclass == dns_rdataclass_none)
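Review bot: The `mctx` parameter of setup_entropy shadows the file-scope `static isc_mem_t *mctx` declared earlier in this file (parse_args in hunk `@@ -707,14 +825,47 @@` gains the same shadowing parameter), which `-Wshadow` flags and which makes it easy to pass the wrong context; `memctx` or `mc` would avoid it. cleanup_entropy also calls `isc_entropy_detach(ectx)` unconditionally, whereas the doshutdown code it replaces in hunk `@@ -518,10 +630,7 @@` guarded on `entp != NULL`; I cannot tell from here whether doshutdown can run before setup_system has created the context, but if it can, the missing guard turns that into an assertion failure, and `if (*ectx != NULL) isc_entropy_detach(ectx);` restores the old behaviour at no cost.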
@@ -295,6 +400,13 @@ reset_system(void) {
check_result(result, "dns_message_create");
}
updatemsg->opcode = dns_opcode_update;
+ if (usegsstsig) {
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
+ if (gssring != NULL)
+ dns_tsigkeyring_destroy(&gssring);
+ tried_other_gsstsig = ISC_FALSE;
+ }
}
static isc_uint16_t
@@ -518,10 +630,7 @@ doshutdown(void) {
is_dst_up = ISC_FALSE;
}
- if (entp != NULL) {
- ddebug("Detach from entropy");
- isc_entropy_detach(&entp);
- }
+ cleanup_entropy(&entropy);
lwres_conf_clear(lwctx);
lwres_context_destroy(&lwctx);
@@ -572,6 +681,7 @@ setup_system(void) {
lwres_result_t lwresult;
unsigned int attrs, attrmask;
int i;
+ isc_logconfig_t *logconfig = NULL;
ddebug("setup_system()");
@@ -588,8 +698,17 @@ setup_system(void) {
if (!have_ipv4 && !have_ipv6)
fatal("could not find either IPv4 or IPv6");
- result = isc_mem_create(0, 0, &mctx);
- check_result(result, "isc_mem_create");
+ result = isc_log_create(mctx, &lctx, &logconfig);
+ check_result(result, "isc_log_create");
+
+ isc_log_setcontext(lctx);
+ dns_log_init(lctx);
+ dns_log_setcontext(lctx);
+
+ result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+ check_result(result, "isc_log_usechannel");
+
+ isc_log_setdebuglevel(lctx, logdebuglevel);
lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
if (lwresult != LWRES_R_SUCCESS)
@@ -626,14 +745,13 @@ setup_system(void) {
}
}
- result = isc_entropy_create(mctx, &entp);
- check_result(result, "isc_entropy_create");
+ setup_entropy(mctx, NULL, &entropy);
- result = isc_hash_create(mctx, entp, DNS_NAME_MAXWIRE);
+ result = isc_hash_create(mctx, entropy, DNS_NAME_MAXWIRE);
check_result(result, "isc_hash_create");
isc_hash_init();
- result = dns_dispatchmgr_create(mctx, entp, &dispatchmgr);
+ result = dns_dispatchmgr_create(mctx, entropy, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
result = isc_socketmgr_create(mctx, &socketmgr);
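Review bot: `setup_entropy(mctx, NULL, &entropy)` runs unconditionally here, but main now calls parse_args before setup_system, and a `-R randomdev` option has by then already created the entropy context and attached the user's source; since setup_entropy attaches a further source on every call, this line adds the default best source on top of the user's choice rather than honouring it as the replacement the man page text in this commit describes, and on a host without /dev/random the keyboard fallback can still be consulted. Guarding it as `if (entropy == NULL) setup_entropy(mctx, NULL, &entropy);` keeps the default only when no `-R` was given.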
@@ -651,7 +769,7 @@ setup_system(void) {
result = isc_task_onshutdown(global_task, shutdown_program, NULL);
check_result(result, "isc_task_onshutdown");
- result = dst_lib_init(mctx, entp, 0);
+ result = dst_lib_init(mctx, entropy, 0);
check_result(result, "dst_lib_init");
is_dst_up = ISC_TRUE;
@@ -707,14 +825,47 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
INSIST(count == 1);
}
+#define PARSE_ARGS_FMT "dDMl:y:govk:rR::t:u:"
+
+static void
+pre_parse_args(int argc, char **argv) {
+ int ch;
+
+ while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
+ switch (ch) {
+ case 'M': /* was -dm */
+ debugging = ISC_TRUE;
+ ddebugging = ISC_TRUE;
+ memdebugging = ISC_TRUE;
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+ ISC_MEM_DEBUGRECORD;
+ break;
+
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ argv[0], isc_commandline_option);
+ fprintf(stderr, "usage: nsupdate [-d] "
+ "[-g | -o | -y keyname:secret | -k keyfile] "
+ "[-v] [filename]\n");
+ exit(1);
+
+ default:
+ break;
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
+ isc_commandline_index = 1;
+}
+
static void
-parse_args(int argc, char **argv) {
+parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
int ch;
+ isc_uint32_t i;
isc_result_t result;
debug("parse_args");
- while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1)
- {
+ while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
switch (ch) {
case 'd':
debugging = ISC_TRUE;
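Review bot: `PARSE_ARGS_FMT` drops the colon after `r` — the format string this hunk removes had `r:` for the UDP-retries option, and the man page in this same commit still documents `-r` as taking a count — so isc_commandline_parse will no longer consume an argument for `-r`, and unless the `case 'r'` handler (outside this hunk) was changed as well, it will read a stale or NULL `isc_commandline_argument`. The string should read `"dDMl:y:govk:r:R::t:u:"`. It is also worth confirming that isc_commandline_parse implements the `::` optional-argument form used for `R`; the man page describes `-R randomdev` as mandatory, which plain `R:` would express.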
@@ -723,12 +874,17 @@ parse_args(int argc, char **argv) {
debugging = ISC_TRUE;
ddebugging = ISC_TRUE;
break;
- case 'M': /* was -dm */
- debugging = ISC_TRUE;
- ddebugging = ISC_TRUE;
- memdebugging = ISC_TRUE;
- isc_mem_debugging = ISC_MEM_DEBUGTRACE |
- ISC_MEM_DEBUGRECORD;
+ case 'M':
+ break;
+ case 'l':
+ result = isc_parse_uint32(&i, isc_commandline_argument,
+ 10);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "bad library debug value "
+ "'%s'\n", isc_commandline_argument);
+ exit(1);
+ }
+ logdebuglevel = i;
break;
case 'y':
keystr = isc_commandline_argument;
@@ -739,6 +895,14 @@ parse_args(int argc, char **argv) {
case 'k':
keyfile = isc_commandline_argument;
break;
+ case 'g':
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_FALSE;
+ break;
+ case 'o':
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_TRUE;
+ break;
case 't':
result = isc_parse_uint32(&timeout,
isc_commandline_argument, 10);
@@ -767,12 +931,14 @@ parse_args(int argc, char **argv) {
exit(1);
}
break;
+
+ case 'R':
+ setup_entropy(mctx, isc_commandline_argument, ectx);
+ break;
+
default:
- fprintf(stderr, "%s: invalid argument -%c\n",
- argv[0], ch);
- fprintf(stderr, "usage: nsupdate [-d] "
- "[-y keyname:secret | -k keyfile] [-v] "
- "[filename]\n");
+ fprintf(stderr, "%s: unhandled option: %c\n",
+ argv[0], isc_commandline_option);
exit(1);
}
}
@@ -782,6 +948,21 @@ parse_args(int argc, char **argv) {
exit(1);
}
+#ifdef GSSAPI
+ if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
+ fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
+ argv[0]);
+ exit(1);
+ }
+#else
+ if (usegsstsig) {
+ fprintf(stderr, "%s: cannot specify -g or -o, " \
+ "program not linked with GSS API Library\n",
+ argv[0]);
+ exit(1);
+ }
+#endif
+
if (argv[isc_commandline_index] != NULL) {
if (strcmp(argv[isc_commandline_index], "-") == 0) {
input = stdin;
@@ -853,7 +1034,7 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
check_result(result, "isc_lex_openbuffer");
result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
check_result(result, "isc_buffer_allocate");
- result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
+ result = dns_rdata_fromtext(NULL, rdataclass, rdatatype, lex,
dns_rootname, 0, mctx, buf,
&callbacks);
isc_lex_destroy(&lex);
@@ -947,8 +1128,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata");
- rdata->data = NULL;
- rdata->length = 0;
+ dns_rdata_init(rdata);
if (isrrset && ispositive) {
retval = parse_rdata(&cmdline, rdataclass, rdatatype,
@@ -1209,6 +1389,39 @@ evaluate_zone(char *cmdline) {
}
static isc_uint16_t
+evaluate_ttl(char *cmdline) {
+ char *word;
+ isc_result_t result;
+ isc_uint32_t ttl;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not ttl\n");
+ return (STATUS_SYNTAX);
+ }
+
+ if (!strcasecmp(word, "none")) {
+ default_ttl = 0;
+ default_ttl_set = ISC_FALSE;
+ return (STATUS_MORE);
+ }
+
+ result = isc_parse_uint32(&ttl, word, 10);
+ if (result != ISC_R_SUCCESS)
+ return (STATUS_SYNTAX);
+
+ if (ttl > TTL_MAX) {
+ fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
+ word, TTL_MAX);
+ return (STATUS_SYNTAX);
+ }
+ default_ttl = ttl;
+ default_ttl_set = ISC_TRUE;
+
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
evaluate_class(char *cmdline) {
char *word;
isc_textregion_t r;
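Review bot: The first error message in evaluate_ttl is missing a word (`"could not ttl\n"`), and the isc_parse_uint32 failure path returns STATUS_SYNTAX silently, unlike the range check immediately after it and unlike the ttl error reported in update_addordelete, so a user who types `ttl abc` gets no explanation. Suggest `fprintf(stderr, "could not read ttl\n");` for the first, and before the silent return `fprintf(stderr, "ttl '%s': %s\n", word, isc_result_totext(result));`. The rest of this file also writes comparisons as `strcasecmp(...) == 0`; `!strcasecmp(word, "none")` is the one exception.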
@@ -1267,10 +1480,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata");
- rdata->rdclass = 0;
- rdata->type = 0;
- rdata->data = NULL;
- rdata->length = 0;
+ dns_rdata_init(rdata);
/*
* If this is an add, read the TTL and verify that it's in range.
@@ -1295,6 +1505,9 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
if (isdelete) {
ttl = 0;
goto parseclass;
+ } else if (default_ttl_set) {
+ ttl = default_ttl;
+ goto parseclass;
} else {
fprintf(stderr, "ttl '%s': %s\n", word,
isc_result_totext(result));
@@ -1328,8 +1541,9 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
}
region.base = word;
region.length = strlen(word);
+ rdataclass = dns_rdataclass_any;
result = dns_rdataclass_fromtext(&rdataclass, &region);
- if (result == ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS && rdataclass != dns_rdataclass_any) {
if (!setzoneclass(rdataclass)) {
fprintf(stderr, "class mismatch: %s\n", word);
goto failure;
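Review bot: Seeding `rdataclass` with `dns_rdataclass_any` and then testing `rdataclass != dns_rdataclass_any` deserves a comment, because it silently changes how a literal `ANY` token after the TTL is handled: dns_rdataclass_fromtext accepts it as a class, but the new condition makes it fall through to the parsing that follows (outside this hunk), presumably so it is taken as type ANY for deletions. A one-liner such as `/* Seed with ANY so a literal "ANY" token is not consumed as a class. */` above the assignment would record that intent for the next reader.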
@@ -1469,7 +1683,7 @@ setzone(dns_name_t *zonename) {
}
static void
-show_message(dns_message_t *msg) {
+show_message(FILE *stream, dns_message_t *msg, const char *description) {
isc_result_t result;
isc_buffer_t *buf = NULL;
int bufsz;
@@ -1497,9 +1711,8 @@ show_message(dns_message_t *msg) {
isc_buffer_free(&buf);
return;
}
- printf("Outgoing update query:\n%.*s",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
+ fprintf(stream, "%s\n%.*s", description,
+ (int)isc_buffer_usedlength(buf), (char*)isc_buffer_base(buf));
isc_buffer_free(&buf);
}
@@ -1544,17 +1757,68 @@ get_next_command(void) {
return (evaluate_class(cmdline));
if (strcasecmp(word, "send") == 0)
return (STATUS_SEND);
+ if (strcasecmp(word, "debug") == 0) {
+ if (debugging)
+ ddebugging = ISC_TRUE;
+ else
+ debugging = ISC_TRUE;
+ return (STATUS_MORE);
+ }
+ if (strcasecmp(word, "ttl") == 0)
+ return (evaluate_ttl(cmdline));
if (strcasecmp(word, "show") == 0) {
- show_message(updatemsg);
+ show_message(stdout, updatemsg, "Outgoing update query:");
return (STATUS_MORE);
}
if (strcasecmp(word, "answer") == 0) {
if (answer != NULL)
- show_message(answer);
+ show_message(stdout, answer, "Answer:");
return (STATUS_MORE);
}
- if (strcasecmp(word, "key") == 0)
+ if (strcasecmp(word, "key") == 0) {
+ usegsstsig = ISC_FALSE;
return (evaluate_key(cmdline));
+ }
+ if (strcasecmp(word, "gsstsig") == 0) {
+#ifdef GSSAPI
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_FALSE;
+#else
+ fprintf(stderr, "gsstsig not supported\n");
+#endif
+ return (STATUS_MORE);
+ }
+ if (strcasecmp(word, "oldgsstsig") == 0) {
+#ifdef GSSAPI
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_TRUE;
+#else
+ fprintf(stderr, "gsstsig not supported\n");
+#endif
+ return (STATUS_MORE);
+ }
+ if (strcasecmp(word, "help") == 0) {
+ fprintf(stdout,
+"local address [port] (set local resolver)\n"
+"server address [port] (set master server for zone)\n"
+"send (send the update request)\n"
+"show (show the update request)\n"
+"answer (show the answer to the last request)\n"
+"quit (quit, any pending update is not sent\n"
+"help (display this message_\n"
+"key [hmac:]keyname secret (use TSIG to sign the request)\n"
+"gsstsig (use GSS_TSIG to sign the request)\n"
+"oldgsstsig (use Microsoft's GSS_TSIG to sign the request)\n"
+"zone name (set the zone to be updated)\n"
+"class CLASS (set the zone's DNS class, e.g. IN (default), CH)\n"
+"prereq nxdomain name (does this name not exist)\n"
+"prereq yxdomain name (does this name exist)\n"
+"prereq nxrrset .... (does this RRset exist)\n"
+"prereq yxrrset .... (does this RRset not exist)\n"
+"update add .... (add the given record to the zone)\n"
+"update delete .... (remove the given record(s) from the zone)\n");
+ return (STATUS_MORE);
+ }
fprintf(stderr, "incorrect section name: %s\n", word);
return (STATUS_SYNTAX);
}
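Review bot: The `help` text has two swapped descriptions — `"prereq nxrrset .... (does this RRset exist)\n"` should say "does this RRset not exist", and the `yxrrset` line the reverse — plus two broken parentheses: `"quit (quit, any pending update is not sent\n"` lacks its closing `)` and `"help (display this message_\n"` has `_` where `)` belongs. It also omits the `ttl` and `debug` commands that this same hunk adds to the parser; a `"ttl seconds|none (set the default ttl for added records)\n"` line would keep the help in step with what get_next_command accepts.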
@@ -1641,12 +1905,23 @@ update_completed(isc_task_t *task, isc_event_t *event) {
DNS_MESSAGEPARSE_PRESERVEORDER);
switch (result) {
case ISC_R_SUCCESS:
+ if (answer->verify_attempted)
+ ddebug("tsig verification successful");
break;
case DNS_R_CLOCKSKEW:
case DNS_R_EXPECTEDTSIG:
case DNS_R_TSIGERRORSET:
case DNS_R_TSIGVERIFYFAILURE:
case DNS_R_UNEXPECTEDTSIG:
+ case ISC_R_FAILURE:
+#if 0
+ if (usegsstsig && answer->rcode == dns_rcode_noerror) {
+ /*
+ * For MS DNS that violates RFC 2845, section 4.2
+ */
+ break;
+ }
+#endif
fprintf(stderr, "; TSIG error with server: %s\n",
isc_result_totext(result));
seenerror = ISC_TRUE;
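Review bot: Adding `case ISC_R_FAILURE:` to the TSIG-error group reports every generic failure from dns_message_parse as "TSIG error with server", which can mislead a user whose problem is not a signature at all, and the `#if 0` block beneath it is dead code whose comment is the only hint why the case was added. If the intent is the GSS-TSIG interoperability case the comment describes, either implement it or remove the block and leave a one-line note in its place, e.g. `/* ISC_R_FAILURE is grouped here for servers that return an unverifiable TSIG on GSS-TSIG updates; see RFC 2845 section 4.2. */`, so the grouping is not silently widened for everyone.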
@@ -1672,32 +1947,15 @@ update_completed(isc_task_t *task, isc_event_t *event) {
(int)isc_buffer_usedlength(&b), buf);
}
}
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
-
- bufsz = INITTEXT;
- do {
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate large "
- "enough buffer to display message\n");
- exit(1);
- }
- if (buf != NULL)
- isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(answer, style, 0, buf);
- bufsz *= 2;
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "\nReply from update query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
+ if (debugging)
+ show_message(stderr, answer, "\nReply from update query:");
+
done:
dns_request_destroy(&request);
+ if (usegsstsig) {
+ dns_name_free(&tmpzonename, mctx);
+ dns_name_free(&restart_master, mctx);
+ }
isc_event_free(&event);
done_update();
}
@@ -1726,6 +1984,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
fprintf(stderr, "Sending update to %s\n", addrbuf);
}
+
result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
master, options, tsigkey, timeout,
udp_timeout, udp_retries, global_task,
@@ -1733,7 +1992,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
check_result(result, "dns_request_createvia3");
if (debugging)
- show_message(updatemsg);
+ show_message(stdout, updatemsg, "Outgoing update query:");
requests++;
}
@@ -1751,8 +2010,6 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_rdata_t soarr = DNS_RDATA_INIT;
int pass = 0;
dns_name_t master;
- isc_sockaddr_t *serveraddr, tempaddr;
- dns_name_t *zonename;
nsu_requestinfo_t *reqinfo;
dns_message_t *soaquery = NULL;
isc_sockaddr_t *addr;
@@ -1788,7 +2045,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
fprintf(stderr, "; Communication with %s failed: %s\n",
- addrbuf, isc_result_totext(eresult));
+ addrbuf, isc_result_totext(eresult));
if (userserver != NULL)
fatal("could not talk to specified name server");
else if (++ns_inuse >= lwconf->nsnext)
@@ -1837,28 +2094,8 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
}
check_result(result, "dns_request_getresponse");
section = DNS_SECTION_ANSWER;
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
- bufsz = INITTEXT;
- do {
- if (buf != NULL)
- isc_buffer_free(&buf);
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate enough "
- "space for debugging message\n");
- exit(1);
- }
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(rcvmsg, style, 0, buf);
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "Reply from SOA query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
+ if (debugging)
+ show_message(stderr, rcvmsg, "Reply from SOA query:");
if (rcvmsg->rcode != dns_rcode_noerror &&
rcvmsg->rcode != dns_rcode_nxdomain)
@@ -1901,12 +2138,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
if (section == DNS_SECTION_ANSWER) {
dns_rdataset_t *tset = NULL;
if (dns_message_findtype(name, dns_rdatatype_cname, 0,
- &tset) == ISC_R_SUCCESS
- ||
+ &tset) == ISC_R_SUCCESS ||
dns_message_findtype(name, dns_rdatatype_dname, 0,
- &tset) == ISC_R_SUCCESS
- )
- {
+ &tset) == ISC_R_SUCCESS ) {
seencname = ISC_TRUE;
break;
}
@@ -1966,8 +2200,21 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
}
dns_rdata_freestruct(&soa);
+#ifdef GSSAPI
+ if (usegsstsig) {
+ dns_name_init(&tmpzonename, NULL);
+ dns_name_dup(zonename, mctx, &tmpzonename);
+ dns_name_init(&restart_master, NULL);
+ dns_name_dup(&master, mctx, &restart_master);
+ start_gssrequest(&master);
+ } else {
+ send_update(zonename, serveraddr, localaddr);
+ setzoneclass(dns_rdataclass_none);
+ }
+#else
send_update(zonename, serveraddr, localaddr);
setzoneclass(dns_rdataclass_none);
+#endif
dns_message_destroy(&soaquery);
dns_request_destroy(&request);
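Review bot: The two `dns_name_dup` calls allocate from mctx and return an isc_result_t that is discarded, so an allocation failure leaves `tmpzonename`/`restart_master` partially initialised and update_completed later frees them; check them the way the rest of recvsoa does: `result = dns_name_dup(zonename, mctx, &tmpzonename); check_result(result, "dns_name_dup");` and likewise for `restart_master`. The `send_update`/`setzoneclass` pair is also repeated in both the `#ifdef GSSAPI` and `#else` arms; wrapping only the `if (usegsstsig) { ... } else` head in the `#ifdef` would leave a single copy.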
@@ -1994,8 +2241,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
if (userserver != NULL)
sendrequest(localaddr, userserver, soaquery, &request);
else
- sendrequest(localaddr, &servers[ns_inuse], soaquery,
- &request);
+ sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
goto out;
}
@@ -2019,6 +2265,286 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
requests++;
}
+#ifdef GSSAPI
+static void
+start_gssrequest(dns_name_t *master)
+{
+ gss_ctx_id_t context;
+ isc_buffer_t buf;
+ isc_result_t result;
+ isc_uint32_t val = 0;
+ dns_message_t *rmsg;
+ dns_request_t *request = NULL;
+ dns_name_t *servname;
+ dns_fixedname_t fname;
+ char namestr[DNS_NAME_FORMATSIZE];
+ char keystr[DNS_NAME_FORMATSIZE];
+
+ debug("start_gssrequest");
+ usevc = ISC_TRUE;
+
+ if (gssring != NULL)
+ dns_tsigkeyring_destroy(&gssring);
+ gssring = NULL;
+ result = dns_tsigkeyring_create(mctx, &gssring);
+
+ if (result != ISC_R_SUCCESS)
+ fatal("dns_tsigkeyring_create failed: %s",
+ isc_result_totext(result));
+
+ dns_name_format(master, namestr, sizeof(namestr));
+ if (kserver == NULL) {
+ kserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+ if (kserver == NULL)
+ fatal("out of memory");
+ }
+ if (userserver == NULL)
+ get_address(namestr, DNSDEFAULTPORT, kserver);
+ else
+ (void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
+
+ dns_fixedname_init(&fname);
+ servname = dns_fixedname_name(&fname);
+
+ result = isc_string_printf(servicename, sizeof(servicename),
+ "DNS/%s", namestr);
+ if (result != ISC_R_SUCCESS)
+ fatal("isc_string_printf(servicename) failed: %s",
+ isc_result_totext(result));
+ isc_buffer_init(&buf, servicename, strlen(servicename));
+ isc_buffer_add(&buf, strlen(servicename));
+ result = dns_name_fromtext(servname, &buf, dns_rootname,
+ ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("dns_name_fromtext(servname) failed: %s",
+ isc_result_totext(result));
+
+ dns_fixedname_init(&fkname);
+ keyname = dns_fixedname_name(&fkname);
+
+ isc_random_get(&val);
+ result = isc_string_printf(keystr, sizeof(keystr), "%u.sig-%s",
+ val, namestr);
+ if (result != ISC_R_SUCCESS)
+ fatal("isc_string_printf(keystr) failed: %s",
+ isc_result_totext(result));
+ isc_buffer_init(&buf, keystr, strlen(keystr));
+ isc_buffer_add(&buf, strlen(keystr));
+
+ result = dns_name_fromtext(keyname, &buf, dns_rootname,
+ ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("dns_name_fromtext(keyname) failed: %s",
+ isc_result_totext(result));
+
+ /* Windows doesn't recognize name compression in the key name. */
+ keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
+ rmsg = NULL;
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
+ if (result != ISC_R_SUCCESS)
+ fatal("dns_message_create failed: %s",
+ isc_result_totext(result));
+
+ /* Build first request. */
+
+ context = GSS_C_NO_CONTEXT;
+ result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
+ &context, use_win2k_gsstsig);
+ if (result == ISC_R_FAILURE)
+ fatal("Check your Kerberos ticket, it may have expired.");
+ if (result != ISC_R_SUCCESS)
+ fatal("dns_tkey_buildgssquery failed: %s",
+ isc_result_totext(result));
+
+ send_gssrequest(localaddr, kserver, rmsg, &request, context);
+}
+
+static void
+send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_message_t *msg, dns_request_t **request,
+ gss_ctx_id_t context)
+{
+ isc_result_t result;
+ nsu_gssinfo_t *reqinfo;
+ unsigned int options = 0;
+
+ debug("send_gssrequest");
+ reqinfo = isc_mem_get(mctx, sizeof(nsu_gssinfo_t));
+ if (reqinfo == NULL)
+ fatal("out of memory");
+ reqinfo->msg = msg;
+ reqinfo->addr = destaddr;
+ reqinfo->context = context;
+
+ options |= DNS_REQUESTOPT_TCP;
+ result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr,
+ options, tsigkey, FIND_TIMEOUT * 20,
+ FIND_TIMEOUT, 3, global_task, recvgss,
+ reqinfo, request);
+ check_result(result, "dns_request_createvia3");
+ if (debugging)
+ show_message(stdout, msg, "Outgoing update query:");
+ requests++;
+}
+
+static void
+recvgss(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = NULL;
+ dns_request_t *request = NULL;
+ isc_result_t result, eresult;
+ dns_message_t *rcvmsg = NULL;
+ nsu_gssinfo_t *reqinfo;
+ dns_message_t *tsigquery = NULL;
+ isc_sockaddr_t *addr;
+ gss_ctx_id_t context;
+ isc_buffer_t buf;
+ dns_name_t *servname;
+ dns_fixedname_t fname;
+
+ UNUSED(task);
+
+ ddebug("recvgss()");
+
+ requests--;
+
+ REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+ reqev = (dns_requestevent_t *)event;
+ request = reqev->request;
+ eresult = reqev->result;
+ reqinfo = reqev->ev_arg;
+ tsigquery = reqinfo->msg;
+ context = reqinfo->context;
+ addr = reqinfo->addr;
+
+ if (shuttingdown) {
+ dns_request_destroy(&request);
+ dns_message_destroy(&tsigquery);
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+ isc_event_free(&event);
+ maybeshutdown();
+ return;
+ }
+
+ if (eresult != ISC_R_SUCCESS) {
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+ fprintf(stderr, "; Communication with %s failed: %s\n",
+ addrbuf, isc_result_totext(eresult));
+ if (userserver != NULL)
+ fatal("could not talk to specified name server");
+ else if (++ns_inuse >= lwconf->nsnext)
+ fatal("could not talk to any default name server");
+ ddebug("Destroying request [%p]", request);
+ dns_request_destroy(&request);
+ dns_message_renderreset(tsigquery);
+ sendrequest(localaddr, &servers[ns_inuse], tsigquery,
+ &request);
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+ isc_event_free(&event);
+ return;
+ }
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+
+ isc_event_free(&event);
+ reqev = NULL;
+
+ ddebug("recvgss creating rcvmsg");
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+ check_result(result, "dns_message_create");
+
+ result = dns_request_getresponse(request, rcvmsg,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ check_result(result, "dns_request_getresponse");
+
+ if (debugging)
+ show_message(stderr, rcvmsg,
+ "recvmsg reply from GSS-TSIG query");
+
+ if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) {
+ ddebug("recvgss trying %s GSS-TSIG",
+ use_win2k_gsstsig ? "Standard" : "Win2k");
+ if (use_win2k_gsstsig)
+ use_win2k_gsstsig = ISC_FALSE;
+ else
+ use_win2k_gsstsig = ISC_TRUE;
+ tried_other_gsstsig = ISC_TRUE;
+ start_gssrequest(&restart_master);
+ goto done;
+ }
+
+ if (rcvmsg->rcode != dns_rcode_noerror &&
+ rcvmsg->rcode != dns_rcode_nxdomain)
+ fatal("response to GSS-TSIG query was unsuccessful");
+
+
+ dns_fixedname_init(&fname);
+ servname = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, servicename, strlen(servicename));
+ isc_buffer_add(&buf, strlen(servicename));
+ result = dns_name_fromtext(servname, &buf, dns_rootname,
+ ISC_FALSE, NULL);
+ check_result(result, "dns_name_fromtext");
+
+ tsigkey = NULL;
+ result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname,
+ &context, &tsigkey, gssring,
+ use_win2k_gsstsig);
+ switch (result) {
+
+ case DNS_R_CONTINUE:
+ send_gssrequest(localaddr, kserver, tsigquery, &request,
+ context);
+ break;
+
+ case ISC_R_SUCCESS:
+ /*
+ * XXXSRA Waaay too much fun here. There's no good
+ * reason why we need a TSIG here (the people who put
+ * it into the spec admitted at the time that it was
+ * not a security issue), and Windows clients don't
+ * seem to work if named complies with the spec and
+ * includes the gratuitous TSIG. So we're in the
+ * bizarre situation of having to choose between
+ * complying with a useless requirement in the spec
+ * and interoperating. This is nuts. If we can
+ * confirm this behavior, we should ask the WG to
+ * consider removing the requirement for the
+ * gratuitous TSIG here. For the moment, we ignore
+ * the TSIG -- this too is a spec violation, but it's
+ * the least insane thing to do.
+ */
+#if 0
+ /*
+ * Verify the signature.
+ */
+ rcvmsg->state = DNS_SECTION_ANY;
+ dns_message_setquerytsig(rcvmsg, NULL);
+ result = dns_message_settsigkey(rcvmsg, tsigkey);
+ check_result(result, "dns_message_settsigkey");
+ result = dns_message_checksig(rcvmsg, NULL);
+ ddebug("tsig verification: %s", dns_result_totext(result));
+ check_result(result, "dns_message_checksig");
+#endif /* 0 */
+
+ send_update(&tmpzonename, serveraddr, localaddr);
+ setzoneclass(dns_rdataclass_none);
+ break;
+
+ default:
+ fatal("dns_tkey_negotiategss: %s", isc_result_totext(result));
+ }
+
+ done:
+ dns_request_destroy(&request);
+ dns_message_destroy(&tsigquery);
+
+ dns_message_destroy(&rcvmsg);
+ ddebug("Out of recvgss");
+}
+#endif
+
static void
start_update(void) {
isc_result_t result;
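Review bot: The `DNS_R_CONTINUE` branch of recvgss passes `&request` — still holding the request that just completed — to send_gssrequest, whose dns_request_createvia3 call takes that pointer as an output parameter and, as far as I know, requires it to be NULL on entry, and then falls through to `done:` where the request and `tsigquery` are destroyed even though the newly created request and its `nsu_gssinfo_t` still reference that message; a multi-round negotiation therefore either trips the request manager's precondition or frees the query that is in flight. The old request should be destroyed before the resend and the branch should return without reaching `done:`, as below. On the communication-failure path the retry goes through `sendrequest` rather than send_gssrequest, so the GSS `context` is dropped and, if sendrequest registers recvsoa as its callback (its body is outside the hunk), the TKEY reply will be parsed as an SOA answer. Separately, the local `char keystr[DNS_NAME_FORMATSIZE]` in start_gssrequest shadows the file-scope `keystr` that holds the `-y` argument.
```c
	case DNS_R_CONTINUE:
		/*
		 * Release the round that just completed before issuing the
		 * next one; the new request keeps using tsigquery, so it must
		 * not be destroyed here.
		 */
		dns_request_destroy(&request);
		send_gssrequest(localaddr, kserver, tsigquery, &request,
				context);
		dns_message_destroy(&rcvmsg);
		ddebug("Out of recvgss");
		return;
	/* … unchanged: ISC_R_SUCCESS and default cases, done: label … */
```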
@@ -2034,7 +2560,7 @@ start_update(void) {
if (answer != NULL)
dns_message_destroy(&answer);
- if (userzone != NULL && userserver != NULL) {
+ if (userzone != NULL && userserver != NULL && ! usegsstsig) {
send_update(userzone, userserver, localaddr);
setzoneclass(dns_rdataclass_none);
return;
@@ -2096,6 +2622,22 @@ cleanup(void) {
if (answer != NULL)
dns_message_destroy(&answer);
+
+#ifdef GSSAPI
+ if (tsigkey != NULL) {
+ ddebug("detach tsigkey x%p", tsigkey);
+ dns_tsigkey_detach(&tsigkey);
+ }
+ if (gssring != NULL) {
+ ddebug("Destroying GSS-TSIG keyring");
+ dns_tsigkeyring_destroy(&gssring);
+ }
+ if (kserver != NULL) {
+ isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
+ kserver = NULL;
+ }
+#endif
+
ddebug("Shutting down task manager");
isc_taskmgr_destroy(&taskmgr);
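Review bot: The `isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t))` in the new GSSAPI block names the type rather than the object, so the size can silently diverge from the matching isc_mem_get() if kserver's type ever changes; `isc_mem_put(mctx, kserver, sizeof(*kserver));` keeps the get/put sizes tied to the pointer. The teardown order (detach tsigkey, then destroy gssring) looks right on the assumption that the key is owned by the ring, but that ownership cannot be confirmed from this hunk and a short comment stating it would help the next reader. cleanup() begins before this hunk and continues past it.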
@@ -2114,6 +2656,9 @@ cleanup(void) {
ddebug("Destroying name state");
dns_name_destroy();
+ ddebug("Removing log context");
+ isc_log_destroy(&lctx);
+
ddebug("Destroying memory context");
if (memdebugging)
isc_mem_stats(mctx, stderr);
@@ -2155,7 +2700,12 @@ main(int argc, char **argv) {
isc_app_start();
- parse_args(argc, argv);
+ pre_parse_args(argc, argv);
+
+ result = isc_mem_create(0, 0, &mctx);
+ check_result(result, "isc_mem_create");
+
+ parse_args(argc, argv, mctx, &entropy);
setup_system();
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.docbook b/contrib/bind9/bin/nsupdate/nsupdate.docbook
index 43fe69a..c42a053 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.docbook
+++ b/contrib/bind9/bin/nsupdate/nsupdate.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,18 +18,18 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.18.18.12 2008/08/29 23:46:16 tbox Exp $ -->
-<refentry>
+<!-- $Id: nsupdate.docbook,v 1.34.48.3 2009/03/09 04:21:56 marka Exp $ -->
+<refentry id="man.nsupdate">
<refentryinfo>
<date>Jun 30, 2000</date>
</refentryinfo>
<refmeta>
- <refentrytitle>nsupdate</refentrytitle>
+ <refentrytitle><application>nsupdate</application></refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
- <refname>nsupdate</refname>
+ <refname><application>nsupdate</application></refname>
<refpurpose>Dynamic DNS update utility</refpurpose>
</refnamediv>
@@ -40,6 +40,7 @@
<year>2006</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -55,13 +56,17 @@
<cmdsynopsis>
<command>nsupdate</command>
<arg><option>-d</option></arg>
+ <arg><option>-D</option></arg>
<group>
+ <arg><option>-g</option></arg>
+ <arg><option>-o</option></arg>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
</group>
<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
+ <arg><option>-R <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-v</option></arg>
<arg>filename</arg>
</cmdsynopsis>
@@ -102,31 +107,31 @@
made and the replies received from the name server.
</para>
<para>
- Transaction signatures can be used to authenticate the Dynamic DNS
- updates.
- These use the TSIG resource record type described in RFC2845 or the
- SIG(0) record described in RFC3535 and RFC2931.
- TSIG relies on a shared secret that should only be known to
- <command>nsupdate</command> and the name server.
- Currently, the only supported encryption algorithm for TSIG is
- HMAC-MD5, which is defined in RFC 2104.
- Once other algorithms are defined for TSIG, applications will need to
- ensure they select the appropriate algorithm as well as the key when
- authenticating each other.
- For instance, suitable
- <type>key</type>
- and
- <type>server</type>
- statements would be added to
- <filename>/etc/named.conf</filename>
- so that the name server can associate the appropriate secret key
- and algorithm with the IP address of the
- client application that will be using TSIG authentication.
- SIG(0) uses public key cryptography. To use a SIG(0) key, the public
- key must be stored in a KEY record in a zone served by the name server.
- <command>nsupdate</command>
- does not read
+ The <option>-D</option> option makes <command>nsupdate</command>
+ report additional debugging information to <option>-d</option>.
+ </para>
+ <para>
+ Transaction signatures can be used to authenticate the Dynamic
+ DNS updates. These use the TSIG resource record type described
+ in RFC2845 or the SIG(0) record described in RFC3535 and
+ RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ a shared secret that should only be known to
+ <command>nsupdate</command> and the name server. Currently,
+ the only supported encryption algorithm for TSIG is HMAC-MD5,
+ which is defined in RFC 2104. Once other algorithms are
+ defined for TSIG, applications will need to ensure they select
+ the appropriate algorithm as well as the key when authenticating
+ each other. For instance, suitable <type>key</type> and
+ <type>server</type> statements would be added to
+ <filename>/etc/named.conf</filename> so that the name server
+ can associate the appropriate secret key and algorithm with
+ the IP address of the client application that will be using
+ TSIG authentication. SIG(0) uses public key cryptography.
+ To use a SIG(0) key, the public key must be stored in a KEY
+ record in a zone served by the name server.
+ <command>nsupdate</command> does not read
<filename>/etc/named.conf</filename>.
+ GSS-TSIG uses Kerberos credentials.
</para>
<para><command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> option
@@ -159,7 +164,12 @@
specified is not an HMAC-MD5 key.
</para>
<para>
- By default
+ The <option>-g</option> and <option>-o</option> specify that
+ GSS-TSIG is to be used. The <option>-o</option> should only
+ be used with old Microsoft Windows 2000 servers.
+ </para>
+ <para>
+ By default,
<command>nsupdate</command>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
@@ -189,6 +199,18 @@
default is
3. If zero, only one update request will be made.
</para>
+ <para>
+ The <option>-R <replaceable
+ class="parameter">randomdev</replaceable></option> option
+ specifies a source of randomness. If the operating system
+ does not provide a <filename>/dev/random</filename> or
+ equivalent device, the default source of randomness is keyboard
+ input. <filename>randomdev</filename> specifies the name of
+ a character device or file containing random data to be used
+ instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard input
+ should be used. This option may be specified multiple times.
+ </para>
</refsect1>
<refsect1>
@@ -307,6 +329,20 @@
<varlistentry>
<term>
+ <command>ttl</command>
+ <arg choice="req">seconds</arg>
+ </term>
+ <listitem>
+ <para>
+ Specify the default time to live for records to be added.
+ The value <parameter>none</parameter> will clear the default
+ ttl.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<command>key</command>
<arg choice="req">name</arg>
<arg choice="req">secret</arg>
@@ -510,6 +546,17 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <command>debug</command>
+ </term>
+ <listitem>
+ <para>
+ Turn on debugging.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.html b/contrib/bind9/bin/nsupdate/nsupdate.html
index 1fe0f9c..dab7f90 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.html
+++ b/contrib/bind9/bin/nsupdate/nsupdate.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.html,v 1.14.18.23 2008/09/01 02:29:00 tbox Exp $ -->
+<!-- $Id: nsupdate.html,v 1.40.48.2 2009/03/10 01:54:11 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,17 +22,17 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
+<a name="man.nsupdate"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
-<p>nsupdate &#8212; Dynamic DNS update utility</p>
+<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543420"></a><h2>DESCRIPTION</h2>
+<a name="id2543449"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC2136
to a name server.
@@ -66,31 +66,31 @@
made and the replies received from the name server.
</p>
<p>
- Transaction signatures can be used to authenticate the Dynamic DNS
- updates.
- These use the TSIG resource record type described in RFC2845 or the
- SIG(0) record described in RFC3535 and RFC2931.
- TSIG relies on a shared secret that should only be known to
- <span><strong class="command">nsupdate</strong></span> and the name server.
- Currently, the only supported encryption algorithm for TSIG is
- HMAC-MD5, which is defined in RFC 2104.
- Once other algorithms are defined for TSIG, applications will need to
- ensure they select the appropriate algorithm as well as the key when
- authenticating each other.
- For instance, suitable
- <span class="type">key</span>
- and
- <span class="type">server</span>
- statements would be added to
- <code class="filename">/etc/named.conf</code>
- so that the name server can associate the appropriate secret key
- and algorithm with the IP address of the
- client application that will be using TSIG authentication.
- SIG(0) uses public key cryptography. To use a SIG(0) key, the public
- key must be stored in a KEY record in a zone served by the name server.
- <span><strong class="command">nsupdate</strong></span>
- does not read
+ The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
+ report additional debugging information to <code class="option">-d</code>.
+ </p>
+<p>
+ Transaction signatures can be used to authenticate the Dynamic
+ DNS updates. These use the TSIG resource record type described
+ in RFC2845 or the SIG(0) record described in RFC3535 and
+ RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ a shared secret that should only be known to
+ <span><strong class="command">nsupdate</strong></span> and the name server. Currently,
+ the only supported encryption algorithm for TSIG is HMAC-MD5,
+ which is defined in RFC 2104. Once other algorithms are
+ defined for TSIG, applications will need to ensure they select
+ the appropriate algorithm as well as the key when authenticating
+ each other. For instance, suitable <span class="type">key</span> and
+ <span class="type">server</span> statements would be added to
+ <code class="filename">/etc/named.conf</code> so that the name server
+ can associate the appropriate secret key and algorithm with
+ the IP address of the client application that will be using
+ TSIG authentication. SIG(0) uses public key cryptography.
+ To use a SIG(0) key, the public key must be stored in a KEY
+ record in a zone served by the name server.
+ <span><strong class="command">nsupdate</strong></span> does not read
<code class="filename">/etc/named.conf</code>.
+ GSS-TSIG uses Kerberos credentials.
</p>
<p><span><strong class="command">nsupdate</strong></span>
uses the <code class="option">-y</code> or <code class="option">-k</code> option
@@ -121,7 +121,12 @@
specified is not an HMAC-MD5 key.
</p>
<p>
- By default
+ The <code class="option">-g</code> and <code class="option">-o</code> specify that
+ GSS-TSIG is to be used. The <code class="option">-o</code> should only
+ be used with old Microsoft Windows 2000 servers.
+ </p>
+<p>
+ By default,
<span><strong class="command">nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
@@ -151,9 +156,20 @@
default is
3. If zero, only one update request will be made.
</p>
+<p>
+ The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
+ specifies a source of randomness. If the operating system
+ does not provide a <code class="filename">/dev/random</code> or
+ equivalent device, the default source of randomness is keyboard
+ input. <code class="filename">randomdev</code> specifies the name of
+ a character device or file containing random data to be used
+ instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard input
+ should be used. This option may be specified multiple times.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543649"></a><h2>INPUT FORMAT</h2>
+<a name="id2543726"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@@ -247,6 +263,15 @@
<em class="parameter"><code>IN</code></em>.
</p></dd>
<dt><span class="term">
+ <span><strong class="command">ttl</strong></span>
+ {seconds}
+ </span></dt>
+<dd><p>
+ Specify the default time to live for records to be added.
+ The value <em class="parameter"><code>none</code></em> will clear the default
+ ttl.
+ </p></dd>
+<dt><span class="term">
<span><strong class="command">key</strong></span>
{name}
{secret}
@@ -394,6 +419,12 @@
<dd><p>
Displays the answer.
</p></dd>
+<dt><span class="term">
+ <span><strong class="command">debug</strong></span>
+ </span></dt>
+<dd><p>
+ Turn on debugging.
+ </p></dd>
</dl></div>
<p>
</p>
@@ -402,7 +433,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544446"></a><h2>EXAMPLES</h2>
+<a name="id2544567"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@@ -456,7 +487,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544490"></a><h2>FILES</h2>
+<a name="id2544611"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
@@ -475,7 +506,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544560"></a><h2>SEE ALSO</h2>
+<a name="id2544680"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
@@ -488,7 +519,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2542172"></a><h2>BUGS</h2>
+<a name="id2542156"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in
index 3bc72b1..9b0e20d 100644
--- a/contrib/bind9/bin/rndc/Makefile.in
+++ b/contrib/bind9/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.40.18.4 2007/08/28 07:20:01 tbox Exp $
+# $Id: Makefile.in,v 1.44 2007/06/18 23:47:22 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/bin/rndc/include/rndc/os.h b/contrib/bind9/bin/rndc/include/rndc/os.h
index b5c1d24..253dcba 100644
--- a/contrib/bind9/bin/rndc/include/rndc/os.h
+++ b/contrib/bind9/bin/rndc/include/rndc/os.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.5.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: os.h,v 1.9.332.2 2009/01/18 23:47:35 tbox Exp $ */
/*! \file */
@@ -35,7 +35,7 @@ FILE *safe_create(const char *filename);
int set_user(FILE *fd, const char *user);
/*%<
- * Set the owner of the file refernced by 'fd' to 'user'.
+ * Set the owner of the file referenced by 'fd' to 'user'.
* Returns:
* 0 success
* -1 insufficient permissions, or 'user' does not exist.
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.8 b/contrib/bind9/bin/rndc/rndc-confgen.8
index fe25a7b..440870a 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.8
+++ b/contrib/bind9/bin/rndc/rndc-confgen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc-confgen.8,v 1.9.18.11 2007/01/30 00:23:44 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.20 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.c b/contrib/bind9/bin/rndc/rndc-confgen.c
index bb7ba81..221135e 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.c
+++ b/contrib/bind9/bin/rndc/rndc-confgen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc-confgen.c,v 1.18.18.5 2008/10/15 23:46:06 tbox Exp $ */
+/* $Id: rndc-confgen.c,v 1.26 2008/10/15 23:47:31 tbox Exp $ */
/*! \file */
@@ -160,6 +160,8 @@ main(int argc, char **argv) {
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
+ isc_commandline_errprint = ISC_FALSE;
+
while ((ch = isc_commandline_parse(argc, argv,
"ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
switch (ch) {
@@ -214,12 +216,17 @@ main(int argc, char **argv) {
verbose = ISC_TRUE;
break;
case '?':
- usage(1);
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ } else
+ usage(0);
break;
default:
- fatal("unexpected error parsing command arguments: "
- "got %c\n", ch);
- break;
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
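Review bot: The `case '?':` branch mixes a braced `if` with an unbraced `else usage(0);`, and the `break` after it is reachable only if `usage()` returns, which the hunk does not show; bracing both arms, `} else {` / `usage(0);` / `}`, keeps the style uniform and the control flow unambiguous. The new `default:` branch prints `isc_commandline_option` while the switch dispatched on `ch`; if the two can ever differ the message names the wrong character, and printing `ch` ties the diagnostic to the value actually switched on. main() begins before this hunk and continues past it.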
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.docbook b/contrib/bind9/bin/rndc/rndc-confgen.docbook
index c694f4b..4c51da5 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.docbook
+++ b/contrib/bind9/bin/rndc/rndc-confgen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.docbook,v 1.6.18.7 2007/08/28 07:20:01 tbox Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.13 2007/06/18 23:47:25 tbox Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.html b/contrib/bind9/bin/rndc/rndc-confgen.html
index fd40a81..4be87af 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.html
+++ b/contrib/bind9/bin/rndc/rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.html,v 1.8.18.17 2007/01/30 00:23:44 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/contrib/bind9/bin/rndc/rndc.8 b/contrib/bind9/bin/rndc/rndc.8
index 6858ed7..7f0dea1 100644
--- a/contrib/bind9/bin/rndc/rndc.8
+++ b/contrib/bind9/bin/rndc/rndc.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.8,v 1.26.18.16 2007/12/14 22:37:16 marka Exp $
+.\" $Id: rndc.8,v 1.42 2007/12/14 22:37:22 marka Exp $
.\"
.hy 0
.ad l
diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c
index 772cc29..c3d4cb7 100644
--- a/contrib/bind9/bin/rndc/rndc.c
+++ b/contrib/bind9/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.96.18.21 2008/10/15 03:07:19 marka Exp $ */
+/* $Id: rndc.c,v 1.122.44.2 2009/01/18 23:47:35 tbox Exp $ */
/*! \file */
@@ -200,7 +200,7 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
"* the remote server is using an older version of"
" the command protocol,\n"
"* this host is not authorized to connect,\n"
- "* the clocks are not syncronized, or\n"
+ "* the clocks are not synchronized, or\n"
"* the key is invalid.");
if (ccmsg.result != ISC_R_SUCCESS)
@@ -263,7 +263,7 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
"* the remote server is using an older version of"
" the command protocol,\n"
"* this host is not authorized to connect,\n"
- "* the clocks are not syncronized, or\n"
+ "* the clocks are not synchronized, or\n"
"* the key is invalid.");
if (ccmsg.result != ISC_R_SUCCESS)
@@ -369,7 +369,7 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
r.base = databuf;
isccc_ccmsg_init(mctx, sock, &ccmsg);
- isccc_ccmsg_setmaxsize(&ccmsg, 1024);
+ isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
rndc_recvnonce, NULL));
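Review bot: `isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024)` is an unexplained magic number: it is the upper bound on how large a control-channel reply rndc will accept from the server, and the thousandfold increase over the previous 1024 deserves a comment and a named constant stating why. A proposed `#define RNDC_MAXMSGSIZE (1024 * 1024) /* upper bound on a control-channel reply */` near the top of the file, with `isccc_ccmsg_setmaxsize(&ccmsg, RNDC_MAXMSGSIZE);` here, would document the intent. Whether isccc_ccmsg_readmessage() allocates the full bound up front or grows the buffer to it is not visible in this hunk, so the per-connection memory cost of the larger limit should be confirmed against that routine. rndc_connected() begins before this hunk and continues past it.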
@@ -690,7 +690,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("isc_app_start() failed: %s", isc_result_totext(result));
- while ((ch = isc_commandline_parse(argc, argv, "b:c:k:Mmp:s:Vy:"))
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv, "b:c:hk:Mmp:s:Vy:"))
!= -1) {
switch (ch) {
case 'b':
@@ -741,13 +743,18 @@ main(int argc, char **argv) {
break;
case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ }
+ case 'h':
usage(0);
break;
-
default:
- fatal("unexpected error parsing command arguments: "
- "got %c\n", ch);
- break;
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
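Review bot: The new `case '?':` branch falls through into `case 'h':` without a marker, so a reader cannot tell whether reaching `usage(0)` after the `if` is intended or an omitted `break`; it also works only because `usage(1)` presumably never returns, which this hunk does not show. Add `/* FALLTHROUGH */` after the closing brace of the `if`, or restructure it as `} else` / `usage(0);` / `break;` the way rndc-confgen.c does in this same commit, so the intent is explicit. main() begins before this hunk and continues past it.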
diff --git a/contrib/bind9/bin/rndc/rndc.conf b/contrib/bind9/bin/rndc/rndc.conf
index e303535..67542b9 100644
--- a/contrib/bind9/bin/rndc/rndc.conf
+++ b/contrib/bind9/bin/rndc/rndc.conf
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.conf,v 1.8.18.1 2004/06/18 04:39:39 marka Exp $ */
+/* $Id: rndc.conf,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
/*
* Sample rndc configuration file.
diff --git a/contrib/bind9/bin/rndc/rndc.conf.5 b/contrib/bind9/bin/rndc/rndc.conf.5
index dbeb707..9e9bad4 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.5
+++ b/contrib/bind9/bin/rndc/rndc.conf.5
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.conf.5,v 1.23.18.15 2007/05/09 13:35:47 marka Exp $
+.\" $Id: rndc.conf.5,v 1.38 2007/05/09 13:35:57 marka Exp $
.\"
.hy 0
.ad l
diff --git a/contrib/bind9/bin/rndc/rndc.conf.docbook b/contrib/bind9/bin/rndc/rndc.conf.docbook
index ebea7af..9de19954 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.docbook
+++ b/contrib/bind9/bin/rndc/rndc.conf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.docbook,v 1.5.18.12 2007/08/28 07:20:01 tbox Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.17 2007/06/18 23:47:25 tbox Exp $ -->
<refentry id="man.rndc.conf">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/contrib/bind9/bin/rndc/rndc.conf.html b/contrib/bind9/bin/rndc/rndc.conf.html
index d11f9df..144cd1c 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.html
+++ b/contrib/bind9/bin/rndc/rndc.conf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.html,v 1.6.18.23 2007/05/09 13:35:47 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.29 2007/05/09 13:35:57 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/contrib/bind9/bin/rndc/rndc.docbook b/contrib/bind9/bin/rndc/rndc.docbook
index f2f0a0d..d407f2b 100644
--- a/contrib/bind9/bin/rndc/rndc.docbook
+++ b/contrib/bind9/bin/rndc/rndc.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.docbook,v 1.8.18.13 2007/12/14 20:53:58 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.21 2007/12/14 20:39:14 marka Exp $ -->
<refentry id="man.rndc">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/contrib/bind9/bin/rndc/rndc.html b/contrib/bind9/bin/rndc/rndc.html
index c460225..a8d11c4 100644
--- a/contrib/bind9/bin/rndc/rndc.html
+++ b/contrib/bind9/bin/rndc/rndc.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.html,v 1.8.18.23 2007/12/14 22:37:16 marka Exp $ -->
+<!-- $Id: rndc.html,v 1.31 2007/12/14 22:37:22 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/contrib/bind9/bin/rndc/unix/Makefile.in b/contrib/bind9/bin/rndc/unix/Makefile.in
index 6696c23..31a0532 100644
--- a/contrib/bind9/bin/rndc/unix/Makefile.in
+++ b/contrib/bind9/bin/rndc/unix/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.3 2004/03/05 04:58:29 marka Exp $
+# $Id: Makefile.in,v 1.5 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/bin/rndc/unix/os.c b/contrib/bind9/bin/rndc/unix/os.c
index f5f6a91..ddf8259 100644
--- a/contrib/bind9/bin/rndc/unix/os.c
+++ b/contrib/bind9/bin/rndc/unix/os.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: os.c,v 1.10 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/rndc/util.c b/contrib/bind9/bin/rndc/util.c
index c64add72..c654462 100644
--- a/contrib/bind9/bin/rndc/util.c
+++ b/contrib/bind9/bin/rndc/util.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.c,v 1.3.18.2 2005/04/29 00:15:40 marka Exp $ */
+/* $Id: util.c,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/rndc/util.h b/contrib/bind9/bin/rndc/util.h
index 6414861..7adcaa5 100644
--- a/contrib/bind9/bin/rndc/util.h
+++ b/contrib/bind9/bin/rndc/util.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.h,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: util.h,v 1.10 2007/06/19 23:46:59 tbox Exp $ */
#ifndef RNDC_UTIL_H
#define RNDC_UTIL_H 1