authordougb <dougb@FreeBSD.org>2011-02-05 03:14:55 +0000
committerdougb <dougb@FreeBSD.org>2011-02-05 03:14:55 +0000
commit8287cb3f73a2d36684fdf69f4009f28e17dd3800 (patch)
tree601b0776df11a070020ab894b76fd90e36393936 /lib/dns
parentd2262df647cb68b7a55a79623696e646c546774e (diff)
Vendor import of BIND 9.6.3
Diffstat (limited to 'lib/dns')
-rw-r--r--lib/dns/Makefile.in22
-rw-r--r--lib/dns/adb.c2
-rw-r--r--lib/dns/api6
-rw-r--r--lib/dns/dst_api.c29
-rw-r--r--lib/dns/dst_internal.h4
-rw-r--r--lib/dns/gssapictx.c88
-rw-r--r--lib/dns/include/dns/diff.h2
-rw-r--r--lib/dns/include/dns/events.h6
-rw-r--r--lib/dns/include/dns/name.h19
-rw-r--r--lib/dns/include/dns/ncache.h2
-rw-r--r--lib/dns/include/dns/rdataset.h2
-rw-r--r--lib/dns/include/dns/resolver.h2
-rw-r--r--lib/dns/include/dns/result.h2
-rw-r--r--lib/dns/include/dns/tsig.h21
-rw-r--r--lib/dns/include/dns/types.h2
-rw-r--r--lib/dns/include/dns/validator.h2
-rw-r--r--lib/dns/include/dns/view.h2
-rw-r--r--lib/dns/include/dns/zone.h10
-rw-r--r--lib/dns/include/dst/dst.h12
-rw-r--r--lib/dns/journal.c2
-rw-r--r--lib/dns/message.c96
-rw-r--r--lib/dns/name.c32
-rw-r--r--lib/dns/ncache.c2
-rw-r--r--lib/dns/openssl_link.c8
-rw-r--r--lib/dns/rbtdb.c74
-rw-r--r--lib/dns/rdata.c9
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.c10
-rw-r--r--lib/dns/rdata/generic/nsec_47.c12
-rw-r--r--lib/dns/rdata/generic/rrsig_46.c10
-rw-r--r--lib/dns/rdatalist.c2
-rw-r--r--lib/dns/rdataset.c2
-rw-r--r--lib/dns/rdataslab.c2
-rw-r--r--lib/dns/resolver.c115
-rw-r--r--lib/dns/result.c2
-rw-r--r--lib/dns/rootns.c6
-rw-r--r--lib/dns/sdb.c9
-rw-r--r--lib/dns/sdlz.c9
-rw-r--r--lib/dns/time.c13
-rw-r--r--lib/dns/tkey.c95
-rw-r--r--lib/dns/tsig.c85
-rw-r--r--lib/dns/validator.c74
-rw-r--r--lib/dns/view.c2
-rw-r--r--lib/dns/zone.c38
43 files changed, 649 insertions, 295 deletions
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index ef5c12a..dfb8d7f 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.163 2008/09/24 02:46:22 marka Exp $
+# $Id: Makefile.in,v 1.163.50.2 2010-06-09 23:48:16 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -47,11 +47,12 @@ LIBS = @LIBS@
# Alphabetically
-DSTOBJS = @DST_EXTRA_OBJS@ \
+OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+ opensslrsa_link.@O@
+
+DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
- gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
- openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
- opensslrsa_link.@O@
+ gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
# Alphabetically
DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
@@ -73,12 +74,13 @@ DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
# Alphabetically
-DSTSRCS = @DST_EXTRA_SRCS@ \
+OPENSSLLINKSRCS = openssl_link.c openssldh_link.c \
+ openssldsa_link.c opensslrsa_link.c
+
+DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
dst_result.c gssapi_link.c gssapictx.c \
- hmac_link.c key.c \
- openssl_link.c openssldh_link.c \
- openssldsa_link.c opensslrsa_link.c
+ hmac_link.c key.c
DNSSRCS = acache.c acl.c adb.c byaddr.c \
cache.c callbacks.c compress.c \
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 28121a7..cd9cadf 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb.c,v 1.243.42.4.24.2 2010/08/12 23:46:24 tbox Exp $ */
+/* $Id: adb.c,v 1.243.42.6 2010-08-11 23:45:49 tbox Exp $ */
/*! \file
*
diff --git a/lib/dns/api b/lib/dns/api
index 82e6786..29ebff2 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 58
-LIBREVISION = 0
-LIBAGE = 0
+LIBINTERFACE = 59
+LIBREVISION = 2
+LIBAGE = 1
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index bbb0a09..97d2657 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.16.12.10 2010/01/15 19:38:53 each Exp $
+ * $Id: dst_api.c,v 1.16.12.12 2010-12-09 01:12:55 marka Exp $
*/
/*! \file */
@@ -49,6 +49,7 @@
#include <isc/mem.h>
#include <isc/once.h>
#include <isc/print.h>
+#include <isc/refcount.h>
#include <isc/random.h>
#include <isc/string.h>
#include <isc/time.h>
@@ -503,6 +504,7 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
*keyp = key;
return (ISC_R_SUCCESS);
+
out:
if (newfilename != NULL)
isc_mem_put(mctx, newfilename, newfilenamelen);
@@ -800,9 +802,21 @@ dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
}
void
+dst_key_attach(dst_key_t *source, dst_key_t **target) {
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(target != NULL && *target == NULL);
+ REQUIRE(VALID_KEY(source));
+
+ isc_refcount_increment(&source->refs, NULL);
+ *target = source;
+}
+
+void
dst_key_free(dst_key_t **keyp) {
isc_mem_t *mctx;
dst_key_t *key;
+ unsigned int refs;
REQUIRE(dst_initialized == ISC_TRUE);
REQUIRE(keyp != NULL && VALID_KEY(*keyp));
@@ -810,6 +824,11 @@ dst_key_free(dst_key_t **keyp) {
key = *keyp;
mctx = key->mctx;
+ isc_refcount_decrement(&key->refs, &refs);
+ if (refs != 0)
+ return;
+
+ isc_refcount_destroy(&key->refs);
if (key->keydata.generic != NULL) {
INSIST(key->func->destroy != NULL);
key->func->destroy(key);
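Review bot: The early `return` taken when `refs != 0` leaves the caller's `*keyp` pointing at a key it no longer holds a reference to, so a later use or a second dst_key_free() through that pointer could touch memory another holder has already released. The tail of dst_key_free() is outside this hunk, so I am assuming `*keyp` is cleared only on the destroy path; if so, clear it on both, e.g. `if (refs != 0) { *keyp = NULL; return; }`. A short comment above the decrement saying that the function now drops one reference and destroys the key only when the last one goes would also help callers.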
@@ -927,14 +946,22 @@ get_key_struct(dns_name_t *name, unsigned int alg,
memset(key, 0, sizeof(dst_key_t));
key->magic = KEY_MAGIC;
+ result = isc_refcount_init(&key->refs, 1);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, key, sizeof(dst_key_t));
+ return (NULL);
+ }
+
key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
if (key->key_name == NULL) {
+ isc_refcount_destroy(&key->refs);
isc_mem_put(mctx, key, sizeof(dst_key_t));
return (NULL);
}
dns_name_init(key->key_name, NULL);
result = dns_name_dup(name, mctx, key->key_name);
if (result != ISC_R_SUCCESS) {
+ isc_refcount_destroy(&key->refs);
isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
isc_mem_put(mctx, key, sizeof(dst_key_t));
return (NULL);
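Review bot: Both new error paths call `isc_refcount_destroy(&key->refs)` while the count is still the 1 set by `isc_refcount_init(&key->refs, 1)`. If isc_refcount_destroy() asserts that the count is zero (worth confirming in isc/refcount.h, which this diff does not show), an allocation failure in `isc_mem_get()` or `dns_name_dup()` becomes an assertion failure instead of a clean `return (NULL)`. Dropping the reference first with `isc_refcount_decrement(&key->refs, NULL);` before each destroy would keep the out-of-memory path non-fatal. get_key_struct() starts and ends outside this hunk, so later error paths may need the same treatment.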
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 1669648..01bf1f2 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.11.120.2 2010/01/15 23:47:33 tbox Exp $ */
+/* $Id: dst_internal.h,v 1.11.120.3 2010-12-09 01:12:55 marka Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@@ -41,6 +41,7 @@
#include <isc/region.h>
#include <isc/types.h>
#include <isc/md5.h>
+#include <isc/refcount.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/hmacmd5.h>
@@ -83,6 +84,7 @@ typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
/*% DST Key Structure */
struct dst_key {
unsigned int magic;
+ isc_refcount_t refs;
dns_name_t * key_name; /*%< name of the key */
unsigned int key_size; /*%< size of the key in bits */
unsigned int key_proto; /*%< protocols this key is used for */
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 11eadb9..f365a64 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gssapictx.c,v 1.12 2008/04/03 06:09:04 tbox Exp $ */
+/* $Id: gssapictx.c,v 1.12.118.5 2010-12-22 02:37:55 marka Exp $ */
#include <config.h>
@@ -29,6 +29,7 @@
#include <isc/mem.h>
#include <isc/once.h>
#include <isc/print.h>
+#include <isc/platform.h>
#include <isc/random.h>
#include <isc/string.h>
#include <isc/time.h>
@@ -66,6 +67,7 @@
* we include SPNEGO's OID.
*/
#if defined(GSSAPI)
+#include ISC_PLATFORM_KRB5HEADER
static unsigned char krb5_mech_oid_bytes[] = {
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
@@ -130,7 +132,7 @@ name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
namep = &tname;
}
- result = dns_name_totext(namep, ISC_FALSE, buffer);
+ result = dns_name_toprincipal(namep, buffer);
isc_buffer_putuint8(buffer, 0);
isc_buffer_usedregion(buffer, &r);
REGION_TO_GBUFFER(r, *gbuffer);
@@ -191,6 +193,54 @@ log_cred(const gss_cred_id_t cred) {
}
#endif
+#ifdef GSSAPI
+/*
+ * check for the most common configuration errors.
+ *
+ * The errors checked for are:
+ * - tkey-gssapi-credential doesn't start with DNS/
+ * - the default realm in /etc/krb5.conf and the
+ * tkey-gssapi-credential bind config option don't match
+ */
+static void
+dst_gssapi_check_config(const char *gss_name) {
+ const char *p;
+ krb5_context krb5_ctx;
+ char *krb5_realm = NULL;
+
+ if (strncasecmp(gss_name, "DNS/", 4) != 0) {
+ gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) "
+ "should start with 'DNS/'", gss_name);
+ return;
+ }
+
+ if (krb5_init_context(&krb5_ctx) != 0) {
+ gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
+ return;
+ }
+ if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
+ gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
+ krb5_free_context(krb5_ctx);
+ return;
+ }
+ p = strchr(gss_name, '/');
+ if (p == NULL) {
+ gss_log(ISC_LOG_ERROR, "badly formatted "
+ "tkey-gssapi-credentials (%s)", gss_name);
+ krb5_free_context(krb5_ctx);
+ return;
+ }
+ if (strcasecmp(p + 1, krb5_realm) != 0) {
+ gss_log(ISC_LOG_ERROR, "default realm from krb5.conf (%s) "
+ "does not match tkey-gssapi-credential (%s)",
+ krb5_realm, gss_name);
+ krb5_free_context(krb5_ctx);
+ return;
+ }
+ krb5_free_context(krb5_ctx);
+}
+#endif
+
isc_result_t
dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
gss_cred_id_t *cred)
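Review bot: In dst_gssapi_check_config() the realm comparison uses `p = strchr(gss_name, '/')`, so `p + 1` is everything after `DNS/`; for a credential of the usual DNS/host@REALM form that can never equal the default realm, and the mismatch error would be logged even when the configuration is correct. Because the `DNS/` prefix has already been checked, the `p == NULL` branch is also unreachable as written; `p = strchr(gss_name, '@');` looks like what was intended. Separately, the string returned by `krb5_get_default_realm()` is never released: add `krb5_free_default_realm(krb5_ctx, krb5_realm);` before each `krb5_free_context(krb5_ctx)` that follows a successful lookup.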
@@ -223,6 +273,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
gret = gss_import_name(&minor, &gnamebuf,
GSS_C_NO_OID, &gname);
if (gret != GSS_S_COMPLETE) {
+ dst_gssapi_check_config((char *)array);
+
gss_log(3, "failed gss_import_name: %s",
gss_error_tostring(gret, minor, buf,
sizeof(buf)));
@@ -254,6 +306,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
initiate ? "initiate" : "accept",
(char *)gnamebuf.value,
gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ dst_gssapi_check_config((char *)array);
return (ISC_R_FAILURE);
}
@@ -283,12 +336,15 @@ dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
char rbuf[DNS_NAME_FORMATSIZE];
char *sname;
char *rname;
+ isc_buffer_t buffer;
/*
* It is far, far easier to write the names we are looking at into
* a string, and do string operations on them.
*/
- dns_name_format(signer, sbuf, sizeof(sbuf));
+ isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+ dns_name_toprincipal(signer, &buffer);
+ isc_buffer_putuint8(&buffer, 0);
if (name != NULL)
dns_name_format(name, nbuf, sizeof(nbuf));
dns_name_format(realm, rbuf, sizeof(rbuf));
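Review bot: The return value of `dns_name_toprincipal(signer, &buffer)` is discarded before `isc_buffer_putuint8(&buffer, 0)` and the string search on `sbuf`. This function decides whether a signer identity matches a realm, so a failed or truncated conversion should fail the match rather than be compared: `if (dns_name_toprincipal(signer, &buffer) != ISC_R_SUCCESS) return (isc_boolean_false);`, plus a check that one byte remains before the terminator is written. The same pattern appears in the dst_gssapi_identitymatchesrealmms() hunk below and in name_to_gbuffer(), where `result` is assigned but not tested within the hunk. The declaration of `sbuf` is outside this hunk, so its headroom cannot be judged from here.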
@@ -298,11 +354,11 @@ dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
* does not exist, we don't have something we like, so we fail our
* compare.
*/
- rname = strstr(sbuf, "\\@");
+ rname = strchr(sbuf, '@');
if (rname == NULL)
return (isc_boolean_false);
*rname = '\0';
- rname += 2;
+ rname++;
/*
* Find the host portion of the signer's name. We do this by
@@ -352,12 +408,15 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
char *sname;
char *nname;
char *rname;
+ isc_buffer_t buffer;
/*
* It is far, far easier to write the names we are looking at into
* a string, and do string operations on them.
*/
- dns_name_format(signer, sbuf, sizeof(sbuf));
+ isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+ dns_name_toprincipal(signer, &buffer);
+ isc_buffer_putuint8(&buffer, 0);
if (name != NULL)
dns_name_format(name, nbuf, sizeof(nbuf));
dns_name_format(realm, rbuf, sizeof(rbuf));
@@ -367,17 +426,17 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
* does not exist, we don't have something we like, so we fail our
* compare.
*/
- rname = strstr(sbuf, "\\@");
+ rname = strchr(sbuf, '@');
if (rname == NULL)
return (isc_boolean_false);
- sname = strstr(sbuf, "\\$");
+ sname = strchr(sbuf, '$');
if (sname == NULL)
return (isc_boolean_false);
/*
* Verify that the $ and @ follow one another.
*/
- if (rname - sname != 2)
+ if (rname - sname != 1)
return (isc_boolean_false);
/*
@@ -389,8 +448,7 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
* machinename$@EXAMPLE.COM
* format.
*/
- *rname = '\0';
- rname += 2;
+ rname++;
*sname = '\0';
sname = sbuf;
@@ -488,8 +546,12 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
gintokenp = NULL;
}
+ /*
+ * Note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
+ * servers don't like it.
+ */
flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
+ GSS_C_INTEG_FLAG;
gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
gname, GSS_SPNEGO_MECHANISM, flags,
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
index 32886c5..f5e25ee 100644
--- a/lib/dns/include/dns/diff.h
+++ b/lib/dns/include/dns/diff.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: diff.h,v 1.15.120.2.24.2 2010/06/04 23:49:23 tbox Exp $ */
+/* $Id: diff.h,v 1.15.120.4 2010-06-04 23:48:25 tbox Exp $ */
#ifndef DNS_DIFF_H
#define DNS_DIFF_H 1
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index bb61b9d..689566b 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: events.h,v 1.49.332.2 2009/05/07 23:47:12 tbox Exp $ */
+/* $Id: events.h,v 1.49.332.4 2010-05-10 23:48:14 tbox Exp $ */
#ifndef DNS_EVENTS_H
#define DNS_EVENTS_H 1
@@ -58,7 +58,7 @@
#define DNS_EVENT_MASTERNEXTZONE (ISC_EVENTCLASS_DNS + 28)
#define DNS_EVENT_IOREADY (ISC_EVENTCLASS_DNS + 29)
#define DNS_EVENT_LOOKUPDONE (ISC_EVENTCLASS_DNS + 30)
-/* #define DNS_EVENT_unused (ISC_EVENTCLASS_DNS + 31) */
+#define DNS_EVENT_RBTDEADNODES (ISC_EVENTCLASS_DNS + 31)
#define DNS_EVENT_DISPATCHCONTROL (ISC_EVENTCLASS_DNS + 32)
#define DNS_EVENT_REQUESTCONTROL (ISC_EVENTCLASS_DNS + 33)
#define DNS_EVENT_DUMPQUANTUM (ISC_EVENTCLASS_DNS + 34)
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index dc6e525..801c9ac 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: name.h,v 1.126.332.3 2009/12/24 00:34:59 each Exp $ */
+/* $Id: name.h,v 1.126.332.5 2010-07-09 23:45:55 tbox Exp $ */
#ifndef DNS_NAME_H
#define DNS_NAME_H 1
@@ -796,9 +796,18 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
*\li #ISC_R_UNEXPECTEDEND
*/
+#define DNS_NAME_OMITFINALDOT 0x01U
+#define DNS_NAME_MASTERFILE 0x02U /* escape $ and @ */
+
+isc_result_t
+dns_name_toprincipal(dns_name_t *name, isc_buffer_t *target);
+
isc_result_t
dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
isc_buffer_t *target);
+
+isc_result_t
+dns_name_totext2(dns_name_t *name, unsigned int options, isc_buffer_t *target);
/*%<
* Convert 'name' into text format, storing the result in 'target'.
*
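Review bot: The new declarations are placed so that the existing `/*%<` block now trails `dns_name_totext2()`, leaving `dns_name_totext()` and `dns_name_toprincipal()` with no description of their own. Since the principal form is what the GSS-TSIG identity checks compare against, it deserves its own comment, e.g. `/*%< Convert 'name' to text with DNS_NAME_OMITFINALDOT only; '$' and '@' are not escaped. */`, and `DNS_NAME_OMITFINALDOT` should get a trailing comment like the one on `DNS_NAME_MASTERFILE`. The shared doc block continues outside this hunk.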
@@ -806,6 +815,12 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
*\li If 'omit_final_dot' is true, then the final '.' in absolute
* names other than the root name will be omitted.
*
+ *\li If DNS_NAME_OMITFINALDOT is set in options, then the final '.'
+ * in absolute names other than the root name will be omitted.
+ *
+ *\li If DNS_NAME_MASTERFILE is set in options, '$' and '@' will also
+ * be escaped.
+ *
*\li If dns_name_countlabels == 0, the name will be "@", representing the
* current origin as described by RFC1035.
*
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 00f22a7..0c1d950 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.h,v 1.25.48.2.10.2 2010/05/14 23:48:44 tbox Exp $ */
+/* $Id: ncache.h,v 1.25.48.4 2010-05-14 23:47:50 tbox Exp $ */
#ifndef DNS_NCACHE_H
#define DNS_NCACHE_H 1
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 8104b50..b3a0c1d 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.h,v 1.65.50.2.24.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: rdataset.h,v 1.65.50.4 2010-02-25 10:56:41 tbox Exp $ */
#ifndef DNS_RDATASET_H
#define DNS_RDATASET_H 1
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 537bf0f..c9034bf 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.h,v 1.60.56.3.24.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: resolver.h,v 1.60.56.5 2010-02-25 10:56:41 tbox Exp $ */
#ifndef DNS_RESOLVER_H
#define DNS_RESOLVER_H 1
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index fae43e3..74b84d6 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.h,v 1.116.228.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: result.h,v 1.116.48.2 2010-02-25 10:56:41 tbox Exp $ */
#ifndef DNS_RESULT_H
#define DNS_RESULT_H 1
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index e8c0e2c..5161fb3 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsig.h,v 1.51 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: tsig.h,v 1.51.332.4 2010-12-09 01:12:55 marka Exp $ */
#ifndef DNS_TSIG_H
#define DNS_TSIG_H 1
@@ -62,6 +62,13 @@ struct dns_tsig_keyring {
unsigned int writecount;
isc_rwlock_t lock;
isc_mem_t *mctx;
+ /*
+ * LRU list of generated key along with a count of the keys on the
+ * list and a maximum size.
+ */
+ unsigned int generated;
+ unsigned int maxgenerated;
+ ISC_LIST(dns_tsigkey_t) lru;
};
struct dns_tsigkey {
@@ -77,12 +84,13 @@ struct dns_tsigkey {
isc_stdtime_t expire; /*%< end of validity period */
dns_tsig_keyring_t *ring; /*%< the enclosing keyring */
isc_refcount_t refs; /*%< reference counter */
+ ISC_LINK(dns_tsigkey_t) link;
};
#define dns_tsigkey_identity(tsigkey) \
((tsigkey) == NULL ? NULL : \
- (tsigkey)->generated ? ((tsigkey)->creator) : \
- (&((tsigkey)->name)))
+ (tsigkey)->generated ? ((tsigkey)->creator) : \
+ (&((tsigkey)->name)))
ISC_LANG_BEGINDECLS
@@ -109,12 +117,15 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
* allows a transient key with an invalid algorithm to exist long enough
* to generate a BADKEY response.
*
+ * If dns_tsigkey_createfromkey is successful a new reference to 'dstkey'
+ * will have been made.
+ *
* Requires:
*\li 'name' is a valid dns_name_t
*\li 'algorithm' is a valid dns_name_t
*\li 'secret' is a valid pointer
*\li 'length' is an integer >= 0
- *\li 'key' is a valid dst key or NULL
+ *\li 'dstkey' is a valid dst key or NULL
*\li 'creator' points to a valid dns_name_t or is NULL
*\li 'mctx' is a valid memory context
*\li 'ring' is a valid TSIG keyring or NULL
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 3fe8378..4e4c195 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.130.50.5.10.2 2010/05/14 23:48:44 tbox Exp $ */
+/* $Id: types.h,v 1.130.50.7 2010-05-14 23:47:50 tbox Exp $ */
#ifndef DNS_TYPES_H
#define DNS_TYPES_H 1
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 1f9ec74..fb5b834 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.h,v 1.41.48.3.24.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: validator.h,v 1.41.48.5 2010-02-25 10:56:41 tbox Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 0b4dedc..ec96d4c 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.h,v 1.111.88.4.24.2 2010/09/29 23:46:31 tbox Exp $ */
+/* $Id: view.h,v 1.111.88.6 2010-09-24 08:30:28 tbox Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 746b43c..96cb998 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.h,v 1.160.50.6 2009/10/05 21:57:00 each Exp $ */
+/* $Id: zone.h,v 1.160.50.8 2010-12-14 23:46:09 tbox Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
@@ -1654,7 +1654,7 @@ void
dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx);
/*%<
* Set the post load integrity callback function 'checkmx'.
- * 'checkmx' will be called if the MX is not within the zone.
+ * 'checkmx' will be called if the MX TARGET is not within the zone.
*
* Require:
* 'zone' to be a valid zone.
@@ -1673,8 +1673,8 @@ dns_zone_setchecksrv(dns_zone_t *zone, dns_checkmxfunc_t checksrv);
void
dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns);
/*%<
- * Set the post load integrity callback function 'checkmx'.
- * 'checkmx' will be called if the MX is not within the zone.
+ * Set the post load integrity callback function 'checkns'.
+ * 'checkns' will be called if the NS TARGET is not within the zone.
*
* Require:
* 'zone' to be a valid zone.
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index de262bd..1a30d2b 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.12.50.2 2010/01/15 23:47:34 tbox Exp $ */
+/* $Id: dst.h,v 1.12.50.3 2010-12-09 01:12:55 marka Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
@@ -509,6 +509,16 @@ dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
*/
void
+dst_key_attach(dst_key_t *source, dst_key_t **target);
+/*
+ * Attach to a existing key increasing the reference count.
+ *
+ * Requires:
+ *\li 'source' to be a valid key.
+ *\li 'target' to be non-NULL and '*target' to be NULL.
+ */
+
+void
dst_key_free(dst_key_t **keyp);
/*%<
* Release all memory associated with the key.
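Review bot: The comment added for dst_key_attach() opens with `/*` where the neighbouring declarations use `/*%<`, so it will not be picked up as API documentation, and "a existing key" should read "an existing key". The description of dst_key_free() that follows still says "Release all memory associated with the key", which is no longer accurate now that keys are reference counted; suggest `Release a reference to the key; its memory is freed when the last reference is dropped.` The rest of that comment is outside the hunk.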
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 933576f..520083e 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: journal.c,v 1.103.48.6.10.2 2010/11/17 23:46:16 tbox Exp $ */
+/* $Id: journal.c,v 1.103.48.8 2010-11-17 23:45:45 tbox Exp $ */
#include <config.h>
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 2e34120..4a01178e 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: message.c,v 1.245.50.3 2009/11/24 03:25:53 marka Exp $ */
+/* $Id: message.c,v 1.245.50.7 2010-06-03 05:29:03 marka Exp $ */
/*! \file */
@@ -1531,6 +1531,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
} else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
msg->tsig = rdataset;
msg->tsigname = name;
+ /* Windows doesn't like TSIG names to be compressed. */
+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
rdataset = NULL;
free_rdataset = ISC_FALSE;
free_name = ISC_FALSE;
@@ -2478,7 +2480,9 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
if (msg->opcode != dns_opcode_query &&
msg->opcode != dns_opcode_notify)
want_question_section = ISC_FALSE;
- if (want_question_section) {
+ if (msg->opcode == dns_opcode_update)
+ first_section = DNS_SECTION_ADDITIONAL;
+ else if (want_question_section) {
if (!msg->question_ok)
return (DNS_R_FORMERR);
first_section = DNS_SECTION_ANSWER;
@@ -3155,7 +3159,8 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
ADD_STRING(target, ", flags:");
if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
ADD_STRING(target, " do");
- mbz = ps->ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xffff;
+ mbz = ps->ttl & 0xffff;
+ mbz &= ~DNS_MESSAGEEXTFLAG_DO; /* Known Flags. */
if (mbz != 0) {
ADD_STRING(target, "; MBZ: ");
snprintf(buf, sizeof(buf), "%.4x ", mbz);
@@ -3173,42 +3178,46 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
/* Print EDNS info, if any */
dns_rdata_init(&rdata);
dns_rdataset_current(ps, &rdata);
- if (rdata.length < 4)
- return (ISC_R_SUCCESS);
isc_buffer_init(&optbuf, rdata.data, rdata.length);
isc_buffer_add(&optbuf, rdata.length);
- optcode = isc_buffer_getuint16(&optbuf);
- optlen = isc_buffer_getuint16(&optbuf);
-
- if (optcode == DNS_OPT_NSID) {
- ADD_STRING(target, "; NSID");
- } else {
- ADD_STRING(target, "; OPT=");
- sprintf(buf, "%u", optcode);
- ADD_STRING(target, buf);
- }
-
- if (optlen != 0) {
- int i;
- ADD_STRING(target, ": ");
-
- optdata = rdata.data + 4;
- for (i = 0; i < optlen; i++) {
- sprintf(buf, "%02x ", optdata[i]);
+ while (isc_buffer_remaininglength(&optbuf) != 0) {
+ INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
+ optcode = isc_buffer_getuint16(&optbuf);
+ optlen = isc_buffer_getuint16(&optbuf);
+ INSIST(isc_buffer_remaininglength(&optbuf) >= optlen);
+
+ if (optcode == DNS_OPT_NSID) {
+ ADD_STRING(target, "; NSID");
+ } else {
+ ADD_STRING(target, "; OPT=");
+ sprintf(buf, "%u", optcode);
ADD_STRING(target, buf);
}
- for (i = 0; i < optlen; i++) {
- ADD_STRING(target, " (");
- if (isprint(optdata[i]))
- isc_buffer_putmem(target, &optdata[i],
- 1);
- else
- isc_buffer_putstr(target, ".");
- ADD_STRING(target, ")");
+
+ if (optlen != 0) {
+ int i;
+ ADD_STRING(target, ": ");
+
+ optdata = isc_buffer_current(&optbuf);
+ for (i = 0; i < optlen; i++) {
+ sprintf(buf, "%02x ", optdata[i]);
+ ADD_STRING(target, buf);
+ }
+ for (i = 0; i < optlen; i++) {
+ ADD_STRING(target, " (");
+ if (isprint(optdata[i]))
+ isc_buffer_putmem(target,
+ &optdata[i],
+ 1);
+ else
+ isc_buffer_putstr(target, ".");
+ ADD_STRING(target, ")");
+ }
+ isc_buffer_forward(&optbuf, optlen);
}
+ ADD_STRING(target, "\n");
}
- ADD_STRING(target, "\n");
return (ISC_R_SUCCESS);
case DNS_PSEUDOSECTION_TSIG:
ps = dns_message_gettsig(msg, &name);
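Review bot: The loop replaces the old `if (rdata.length < 4) return (ISC_R_SUCCESS);` with `INSIST(isc_buffer_remaininglength(&optbuf) >= 4U)` and an INSIST on `optlen`, so OPT rdata that ends inside an option header or body now aborts the process where a short rdata was previously tolerated. That is safe only if every rdataset reaching this printer was length-checked when parsed, which the hunk does not show, and a text-formatting routine is a poor place to turn malformed input into a crash. Consider ending the loop instead, e.g. `if (isc_buffer_remaininglength(&optbuf) < 4U) break;`, with the same treatment for the `optlen` check. The two `sprintf(buf, ...)` calls could also use `snprintf(buf, sizeof(buf), ...)`, as the MBZ formatting in the preceding hunk of this function does.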
@@ -3258,21 +3267,26 @@ dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
ADD_STRING(target, ", id: ");
snprintf(buf, sizeof(buf), "%6u", msg->id);
ADD_STRING(target, buf);
- ADD_STRING(target, "\n;; flags: ");
+ ADD_STRING(target, "\n;; flags:");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
- ADD_STRING(target, "qr ");
+ ADD_STRING(target, " qr");
if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
- ADD_STRING(target, "aa ");
+ ADD_STRING(target, " aa");
if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
- ADD_STRING(target, "tc ");
+ ADD_STRING(target, " tc");
if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
- ADD_STRING(target, "rd ");
+ ADD_STRING(target, " rd");
if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
- ADD_STRING(target, "ra ");
+ ADD_STRING(target, " ra");
if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
- ADD_STRING(target, "ad ");
+ ADD_STRING(target, " ad");
if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
- ADD_STRING(target, "cd ");
+ ADD_STRING(target, " cd");
+ /*
+ * The final unnamed flag must be zero.
+ */
+ if ((msg->flags & 0x0040U) != 0)
+ ADD_STRING(target, "; MBZ: 0x4");
if (msg->opcode != dns_opcode_update) {
ADD_STRING(target, "; QUESTION: ");
} else {
diff --git a/lib/dns/name.c b/lib/dns/name.c
index f4ea3e9..80864b8 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: name.c,v 1.165 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: name.c,v 1.165.120.3 2010-07-09 05:15:05 each Exp $ */
/*! \file */
@@ -901,7 +901,7 @@ dns_name_getlabelsequence(const dns_name_t *source,
REQUIRE(VALID_NAME(source));
REQUIRE(VALID_NAME(target));
REQUIRE(first <= source->labels);
- REQUIRE(first + n <= source->labels);
+ REQUIRE(n <= source->labels - first); /* note first+n could overflow */
REQUIRE(BINDABLE(target));
SETUP_OFFSETS(source, offsets, odata);
@@ -1324,6 +1324,21 @@ isc_result_t
dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
isc_buffer_t *target)
{
+ unsigned int options = DNS_NAME_MASTERFILE;
+
+ if (omit_final_dot)
+ options |= DNS_NAME_OMITFINALDOT;
+ return (dns_name_totext2(name, options, target));
+}
+
+isc_result_t
+dns_name_toprincipal(dns_name_t *name, isc_buffer_t *target) {
+ return (dns_name_totext2(name, DNS_NAME_OMITFINALDOT, target));
+}
+
+isc_result_t
+dns_name_totext2(dns_name_t *name, unsigned int options, isc_buffer_t *target)
+{
unsigned char *ndata;
char *tdata;
unsigned int nlen, tlen;
@@ -1337,6 +1352,8 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
dns_name_totextfilter_t totext_filter_proc = NULL;
isc_result_t result;
#endif
+ isc_boolean_t omit_final_dot =
+ ISC_TF(options & DNS_NAME_OMITFINALDOT);
/*
* This function assumes the name is in proper uncompressed
@@ -1412,15 +1429,17 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
while (count > 0) {
c = *ndata;
switch (c) {
+ /* Special modifiers in zone files. */
+ case 0x40: /* '@' */
+ case 0x24: /* '$' */
+ if ((options & DNS_NAME_MASTERFILE) == 0)
+ goto no_escape;
case 0x22: /* '"' */
case 0x28: /* '(' */
case 0x29: /* ')' */
case 0x2E: /* '.' */
case 0x3B: /* ';' */
case 0x5C: /* '\\' */
- /* Special modifiers in zone files. */
- case 0x40: /* '@' */
- case 0x24: /* '$' */
if (trem < 2)
return (ISC_R_NOSPACE);
*tdata++ = '\\';
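Review bot: The `'@'` and `'$'` cases now fall through into the escaping cases when DNS_NAME_MASTERFILE is set and otherwise jump to the `no_escape:` label that the next hunk places in front of `default:`, and neither path is marked. Because this switch decides which characters are escaped in names later compared as principals, the intent should be explicit: add `/* FALLTHROUGH */` after the `goto no_escape;` line and a one-line comment at the label, such as `/* '@' and '$' are emitted literally outside master-file mode */`. The switch begins and ends outside this hunk.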
@@ -1430,6 +1449,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
trem -= 2;
nlen--;
break;
+ no_escape:
default:
if (c > 0x20 && c < 0x7f) {
if (trem == 0)
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index a194084..5f24683 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.c,v 1.43.336.5 2010/05/19 09:56:44 marka Exp $ */
+/* $Id: ncache.c,v 1.43.48.7 2010-05-19 09:53:46 marka Exp $ */
/*! \file */
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 2dc7d7e..081e3c6 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.22.112.3 2009/02/11 03:07:01 jinmei Exp $
+ * $Id: openssl_link.c,v 1.22.112.5 2010-09-15 12:37:35 tbox Exp $
*/
#ifdef OPENSSL
@@ -91,7 +91,7 @@ entropy_get(unsigned char *buf, int num) {
if (num < 0)
return (-1);
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
- return (result == ISC_R_SUCCESS ? num : -1);
+ return (result == ISC_R_SUCCESS ? 1 : -1);
}
static int
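Review bot: The success value changes from `num` to `1` here and in entropy_getpseudo() in the next hunk, but nothing in the code records why, so a later cleanup could easily change it back. If these are the callbacks registered with OpenSSL's RAND_METHOD, as the file name suggests, a comment above the return such as `/* OpenSSL expects 1 on success, not the number of bytes. */` would pin the contract. It is also worth confirming that `-1` is a failure value every OpenSSL caller of these callbacks treats as failure, since a caller that tests only for `0` would accept an unfilled buffer as random data. Both function bodies start outside their hunks.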
@@ -105,7 +105,7 @@ entropy_getpseudo(unsigned char *buf, int num) {
if (num < 0)
return (-1);
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
- return (result == ISC_R_SUCCESS ? num : -1);
+ return (result == ISC_R_SUCCESS ? 1 : -1);
}
static void
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index f61b83b..8932a17 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.c,v 1.270.12.16.10.6 2010/11/16 07:46:23 marka Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.26 2010-12-02 05:09:58 marka Exp $ */
/*! \file */
@@ -2090,6 +2090,34 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
}
static void
+cleanup_dead_nodes_callback(isc_task_t *task, isc_event_t *event) {
+ dns_rbtdb_t *rbtdb = event->ev_arg;
+ isc_boolean_t again = ISC_FALSE;
+ unsigned int locknum;
+ unsigned int refs;
+
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ for (locknum = 0; locknum < rbtdb->node_lock_count; locknum++) {
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ cleanup_dead_nodes(rbtdb, locknum);
+ if (ISC_LIST_HEAD(rbtdb->deadnodes[locknum]) != NULL)
+ again = ISC_TRUE;
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ if (again)
+ isc_task_send(task, &event);
+ else {
+ isc_event_free(&event);
+ isc_refcount_decrement(&rbtdb->references, &refs);
+ if (refs == 0)
+ maybe_free_rbtdb(rbtdb);
+ }
+}
+
+static void
closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
rbtdb_version_t *version, *cleanup_version, *least_greater;
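Review bot: cleanup_dead_nodes_callback() has no comment describing the reference it owns. The `isc_refcount_decrement()` in its `else` branch releases the reference closeversion() takes with `isc_refcount_increment()` just before `isc_task_send()` in a later hunk, and that reference stays held across every re-send while `again` is true. A header comment saying so would help, for example `/* Runs in rbtdb->task; owns one rbtdb reference, dropped when no dead nodes remain. */`, along with a note that the tree write lock is held while all `node_lock_count` buckets are walked. It is also worth confirming that cleanup_dead_nodes() cannot leave entries on a `deadnodes` list indefinitely, because in that case the `again` path would re-post the event without end.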
@@ -2289,15 +2317,28 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
}
if (!EMPTY(cleanup_list)) {
- /*
- * We acquire a tree write lock here in order to make sure
- * that stale nodes will be removed in decrement_reference().
- * If we didn't have the lock, those nodes could miss the
- * chance to be removed until the server stops. The write lock
- * is expensive, but this event should be rare enough to justify
- * the cost.
- */
- RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ isc_event_t *event = NULL;
+ isc_rwlocktype_t tlock = isc_rwlocktype_none;
+
+ if (rbtdb->task != NULL)
+ event = isc_event_allocate(rbtdb->common.mctx, NULL,
+ DNS_EVENT_RBTDEADNODES,
+ cleanup_dead_nodes_callback,
+ rbtdb, sizeof(isc_event_t));
+ if (event == NULL) {
+ /*
+ * We acquire a tree write lock here in order to make
+ * sure that stale nodes will be removed in
+ * decrement_reference(). If we didn't have the lock,
+ * those nodes could miss the chance to be removed
+ * until the server stops. The write lock is
+ * expensive, but this event should be rare enough
+ * to justify the cost.
+ */
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ tlock = isc_rwlocktype_write;
+ }
+
for (changed = HEAD(cleanup_list);
changed != NULL;
changed = next_changed) {
@@ -2312,20 +2353,25 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
* This is a good opportunity to purge any dead nodes,
* so use it.
*/
- cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+ if (event == NULL)
+ cleanup_dead_nodes(rbtdb, rbtnode->locknum);
if (rollback)
rollback_node(rbtnode, serial);
decrement_reference(rbtdb, rbtnode, least_serial,
- isc_rwlocktype_write,
- isc_rwlocktype_write, ISC_FALSE);
+ isc_rwlocktype_write, tlock,
+ ISC_FALSE);
NODE_UNLOCK(lock, isc_rwlocktype_write);
isc_mem_put(rbtdb->common.mctx, changed,
sizeof(*changed));
}
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ if (event != NULL) {
+ isc_refcount_increment(&rbtdb->references, NULL);
+ isc_task_send(rbtdb->task, &event);
+ } else
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
}
end:
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index ab9df8b..daaa83a 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdata.c,v 1.199.50.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: rdata.c,v 1.199.50.4 2011-01-13 04:48:21 tbox Exp $ */
/*! \file */
@@ -1135,6 +1135,11 @@ name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target) {
if (l1 == l2)
goto return_false;
+ /* Master files should be case preserving. */
+ dns_name_getlabelsequence(name, l1 - l2, l2, target);
+ if (!dns_name_caseequal(origin, target))
+ goto return_false;
+
dns_name_getlabelsequence(name, 0, l1 - l2, target);
return (ISC_TRUE);
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
index 6a58bc9..f971d49 100644
--- a/lib/dns/rdata/generic/ipseckey_45.c
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ipseckey_45.c,v 1.4.332.3 2009/09/18 21:55:48 jinmei Exp $ */
+/* $Id: ipseckey_45.c,v 1.4.332.5 2011-01-13 04:48:23 tbox Exp $ */
#ifndef RDATA_GENERIC_IPSECKEY_45_C
#define RDATA_GENERIC_IPSECKEY_45_C
@@ -120,8 +120,6 @@ static inline isc_result_t
totext_ipseckey(ARGS_TOTEXT) {
isc_region_t region;
dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
char buf[sizeof("255 ")];
unsigned short num;
unsigned short gateway;
@@ -130,7 +128,6 @@ totext_ipseckey(ARGS_TOTEXT) {
REQUIRE(rdata->length >= 3);
dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
if (rdata->data[1] > 3U)
return (ISC_R_NOTIMPLEMENTED);
@@ -183,8 +180,7 @@ totext_ipseckey(ARGS_TOTEXT) {
case 3:
dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
+ RETERR(dns_name_totext(&name, ISC_FALSE, target));
isc_region_consume(&region, name_length(&name));
break;
}
diff --git a/lib/dns/rdata/generic/nsec_47.c b/lib/dns/rdata/generic/nsec_47.c
index 7e443d9..ace1035 100644
--- a/lib/dns/rdata/generic/nsec_47.c
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec_47.c,v 1.11 2008/07/15 23:47:21 tbox Exp $ */
+/* $Id: nsec_47.c,v 1.11.82.2 2011-01-13 04:48:23 tbox Exp $ */
/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
@@ -88,20 +88,18 @@ totext_nsec(ARGS_TOTEXT) {
isc_region_t sr;
unsigned int i, j, k;
dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
unsigned int window, len;
REQUIRE(rdata->type == 47);
REQUIRE(rdata->length != 0);
+ UNUSED(tctx);
+
dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
dns_rdata_toregion(rdata, &sr);
dns_name_fromregion(&name, &sr);
isc_region_consume(&sr, name_length(&name));
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
+ RETERR(dns_name_totext(&name, ISC_FALSE, target));
for (i = 0; i < sr.length; i += len) {
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
index a9af4bd..bcbb05b 100644
--- a/lib/dns/rdata/generic/rrsig_46.c
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rrsig_46.c,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: rrsig_46.c,v 1.10.332.2 2011-01-13 04:48:23 tbox Exp $ */
/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
@@ -134,8 +134,6 @@ totext_rrsig(ARGS_TOTEXT) {
unsigned long exp;
unsigned long foot;
dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
REQUIRE(rdata->type == 46);
REQUIRE(rdata->length != 0);
@@ -217,11 +215,9 @@ totext_rrsig(ARGS_TOTEXT) {
* Signer.
*/
dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
dns_name_fromregion(&name, &sr);
isc_region_consume(&sr, name_length(&name));
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
+ RETERR(dns_name_totext(&name, ISC_FALSE, target));
/*
* Sig.
diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c
index 97cef94..e8178a7 100644
--- a/lib/dns/rdatalist.c
+++ b/lib/dns/rdatalist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatalist.c,v 1.36.338.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: rdatalist.c,v 1.36.50.2 2010-02-25 10:56:41 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 4361913..c0fcde5 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.c,v 1.82.50.2.24.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: rdataset.c,v 1.82.50.4 2010-02-25 10:56:41 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 8d12eb8..d1a02a0 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataslab.c,v 1.48.50.2.24.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: rdataslab.c,v 1.48.50.4 2010-02-25 10:56:41 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 8803a05..290bb0f 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.384.14.20.10.3 2010/06/23 23:46:25 tbox Exp $ */
+/* $Id: resolver.c,v 1.384.14.30 2011-01-27 23:45:47 tbox Exp $ */
/*! \file */
@@ -203,6 +203,7 @@ struct fetchctx {
isc_sockaddrlist_t bad;
isc_sockaddrlist_t edns;
isc_sockaddrlist_t edns512;
+ isc_sockaddrlist_t bad_edns;
dns_validator_t *validator;
ISC_LIST(dns_validator_t) validators;
dns_db_t * cache;
@@ -482,7 +483,7 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
inc_stats(fctx->res, dns_resstatscounter_val);
if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
INSIST(fctx->validator == NULL);
- fctx->validator = validator;
+ fctx->validator = validator;
}
ISC_LIST_APPEND(fctx->validators, validator, link);
} else
@@ -1559,6 +1560,36 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
}
static isc_boolean_t
+bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+ isc_sockaddr_t *sa;
+
+ for (sa = ISC_LIST_HEAD(fctx->bad_edns);
+ sa != NULL;
+ sa = ISC_LIST_NEXT(sa, link)) {
+ if (isc_sockaddr_equal(sa, address))
+ return (ISC_TRUE);
+ }
+
+ return (ISC_FALSE);
+}
+
+static void
+add_bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+ isc_sockaddr_t *sa;
+
+ if (bad_edns(fctx, address))
+ return;
+
+ sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx,
+ sizeof(*sa));
+ if (sa == NULL)
+ return;
+
+ *sa = *address;
+ ISC_LIST_INITANDAPPEND(fctx->bad_edns, sa, link);
+}
+
+static isc_boolean_t
triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
isc_sockaddr_t *sa;
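Review bot: The new static function `bad_edns()` has the same name as the new `fctx->bad_edns` list member, so `bad_edns(fctx, ...)` and `fctx->bad_edns` appear side by side in the same functions. That is legal C but easy to misread, and a predicate name such as `is_bad_edns()` would keep the two apart. add_bad_edns() also returns silently when `isc_mem_get()` fails; a comment such as `/* Best effort: on allocation failure the server is simply not remembered. */` would show that this is deliberate. Neither helper has a header comment saying the list is per-fetch and freed in fctx_destroy().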
@@ -3131,6 +3162,14 @@ fctx_destroy(fetchctx_t *fctx) {
isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
}
+ for (sa = ISC_LIST_HEAD(fctx->bad_edns);
+ sa != NULL;
+ sa = next_sa) {
+ next_sa = ISC_LIST_NEXT(sa, link);
+ ISC_LIST_UNLINK(fctx->bad_edns, sa, link);
+ isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
+ }
+
isc_timer_detach(&fctx->timer);
dns_message_destroy(&fctx->rmessage);
dns_message_destroy(&fctx->qmessage);
@@ -3501,6 +3540,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
ISC_LIST_INIT(fctx->bad);
ISC_LIST_INIT(fctx->edns);
ISC_LIST_INIT(fctx->edns512);
+ ISC_LIST_INIT(fctx->bad_edns);
ISC_LIST_INIT(fctx->validators);
fctx->validator = NULL;
fctx->find = NULL;
@@ -3870,14 +3910,6 @@ maybe_destroy(fetchctx_t *fctx) {
validator != NULL; validator = next_validator) {
next_validator = ISC_LIST_NEXT(validator, link);
dns_validator_cancel(validator);
- /*
- * If this is a active validator wait for the cancel
- * to complete before calling dns_validator_destroy().
- */
- if (validator == fctx->validator)
- continue;
- ISC_LIST_UNLINK(fctx->validators, validator, link);
- dns_validator_destroy(&validator);
}
bucketnum = fctx->bucketnum;
@@ -6115,6 +6147,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
unsigned int findoptions;
isc_result_t broken_server;
badnstype_t broken_type = badns_response;
+ isc_boolean_t no_response;
REQUIRE(VALID_QUERY(query));
fctx = query->fctx;
@@ -6137,6 +6170,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
resend = ISC_FALSE;
truncated = ISC_FALSE;
finish = NULL;
+ no_response = ISC_FALSE;
if (fctx->res->exiting) {
result = ISC_R_SHUTTINGDOWN;
@@ -6184,7 +6218,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
/*
* If this is a network error on an exclusive query
* socket, mark the server as bad so that we won't try
- * it for this fetch again.
+ * it for this fetch again. Also adjust finish and
+ * no_response so that we penalize this address in SRTT
+ * adjustment later.
*/
if (query->exclusivesocket &&
(devent->result == ISC_R_HOSTUNREACH ||
@@ -6193,6 +6229,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
devent->result == ISC_R_CANCELED)) {
broken_server = devent->result;
broken_type = badns_unreachable;
+ finish = NULL;
+ no_response = ISC_TRUE;
}
}
goto done;
@@ -6324,6 +6362,25 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
* ensured by the dispatch code).
*/
+ /*
+ * We have an affirmative response to the query and we have
+ * previously got a response from this server which indicated
+ * EDNS may not be supported so we can now cache the lack of
+ * EDNS support.
+ */
+ if (opt == NULL &&
+ (message->rcode == dns_rcode_noerror ||
+ message->rcode == dns_rcode_nxdomain ||
+ message->rcode == dns_rcode_refused ||
+ message->rcode == dns_rcode_yxdomain) &&
+ bad_edns(fctx, &query->addrinfo->sockaddr)) {
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+ sizeof(addrbuf));
+ dns_adb_changeflags(fctx->adb, query->addrinfo,
+ DNS_FETCHOPT_NOEDNS0,
+ DNS_FETCHOPT_NOEDNS0);
+ }
/*
* Deal with truncated responses by retrying using TCP.
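Review bot: `addrbuf` is declared and filled by `isc_sockaddr_format()` in the added block, but nothing in the visible lines reads it, so the formatting is dead work on every matching response. Either drop those two statements or pass the buffer to the log call it was presumably written for. The comment calls this an "affirmative response", yet the rcode list also accepts `dns_rcode_refused` and `dns_rcode_yxdomain`. Since this is where a per-fetch suspicion becomes a lasting `DNS_FETCHOPT_NOEDNS0` flag in the ADB, and queries sent without EDNS cannot request DNSSEC records, the comment should say why those rcodes are enough evidence. resquery_response() starts and ends outside this hunk.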
@@ -6379,9 +6436,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
if (message->rcode != dns_rcode_noerror &&
message->rcode != dns_rcode_nxdomain) {
if (((message->rcode == dns_rcode_formerr ||
- message->rcode == dns_rcode_notimp) ||
- (message->rcode == dns_rcode_servfail &&
- dns_message_getopt(message) == NULL)) &&
+ message->rcode == dns_rcode_notimp) ||
+ (message->rcode == dns_rcode_servfail &&
+ dns_message_getopt(message) == NULL)) &&
(query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
/*
* It's very likely they don't like EDNS0.
@@ -6397,12 +6454,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
options |= DNS_FETCHOPT_NOEDNS0;
resend = ISC_TRUE;
/*
- * Remember that they don't like EDNS0.
+ * Remember that they may not like EDNS0.
*/
- if (message->rcode != dns_rcode_servfail)
- dns_adb_changeflags(fctx->adb, query->addrinfo,
- DNS_FETCHOPT_NOEDNS0,
- DNS_FETCHOPT_NOEDNS0);
+ add_bad_edns(fctx, &query->addrinfo->sockaddr);
inc_stats(fctx->res, dns_resstatscounter_edns0fail);
} else if (message->rcode == dns_rcode_formerr) {
if (ISFORWARDER(query->addrinfo)) {
@@ -6666,7 +6720,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
*
* XXXRTH Don't cancel the query if waiting for validation?
*/
- fctx_cancelquery(&query, &devent, finish, ISC_FALSE);
+ fctx_cancelquery(&query, &devent, finish, no_response);
if (keep_trying) {
if (result == DNS_R_FORMERR)
@@ -7389,6 +7443,13 @@ static inline isc_boolean_t
fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
unsigned int options)
{
+ /*
+ * Don't match fetch contexts that are shutting down.
+ */
+ if (fctx->cloned || fctx->state == fetchstate_done ||
+ ISC_LIST_EMPTY(fctx->events))
+ return (ISC_FALSE);
+
if (fctx->type != type || fctx->options != options)
return (ISC_FALSE);
return (dns_name_equal(&fctx->name, name));
@@ -7523,17 +7584,7 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
}
}
- /*
- * If we didn't have a fetch, would attach to a done fetch, this
- * fetch has already cloned its results, or if the fetch has gone
- * "idle" (no one was interested in it), we need to start a new
- * fetch instead of joining with the existing one.
- */
- if (fctx == NULL ||
- fctx->state == fetchstate_done ||
- fctx->cloned ||
- ISC_LIST_EMPTY(fctx->events)) {
- fctx = NULL;
+ if (fctx == NULL) {
result = fctx_create(res, name, type, domain, nameservers,
options, bucketnum, &fctx);
if (result != ISC_R_SUCCESS)
diff --git a/lib/dns/result.c b/lib/dns/result.c
index f241ded..2b0457c 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.c,v 1.125.124.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: result.c,v 1.125.48.2 2010-02-25 10:56:41 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
index 3c50a18..d51a0d6 100644
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rootns.c,v 1.36 2008/09/24 02:46:22 marka Exp $ */
+/* $Id: rootns.c,v 1.36.50.4 2010-06-18 05:37:50 marka Exp $ */
/*! \file */
@@ -71,11 +71,13 @@ static char root_ns[] =
"H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53\n"
"H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::803F:235\n"
"I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17\n"
+"I.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7fe::53\n"
"J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30\n"
"J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:C27::2:30\n"
"K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129\n"
"K.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7FD::1\n"
"L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42\n"
+"L.ROOT-SERVERS.NET. 604800 IN AAAA 2001:500:3::42\n"
"M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33\n"
"M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:DC3::35\n";
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 6ec6209..49c6430 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdb.c,v 1.66.48.3.10.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: sdb.c,v 1.66.48.6 2010-08-16 05:21:42 marka Exp $ */
/*! \file */
@@ -837,13 +837,6 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
for (i = olabels; i <= nlabels; i++) {
/*
- * Unless this is an explicit lookup at the origin, don't
- * look at the origin.
- */
- if (i == olabels && i != nlabels)
- continue;
-
- /*
* Look up the next label.
*/
dns_name_getlabelsequence(name, nlabels - i, i, xname);
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index f2f7786..6be315a 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -50,7 +50,7 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdlz.c,v 1.18.50.3.10.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: sdlz.c,v 1.18.50.6 2010-08-16 05:21:42 marka Exp $ */
/*! \file */
@@ -801,13 +801,6 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
for (i = olabels; i <= nlabels; i++) {
/*
- * Unless this is an explicit lookup at the origin, don't
- * look at the origin.
- */
- if (i == olabels && i != nlabels)
- continue;
-
- /*
* Look up the next label.
*/
dns_name_getlabelsequence(name, nlabels - i, i, xname);
diff --git a/lib/dns/time.c b/lib/dns/time.c
index 62414dd..bd8cdc3 100644
--- a/lib/dns/time.c
+++ b/lib/dns/time.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: time.c,v 1.31.332.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: time.c,v 1.31.332.4 2010-04-21 23:48:05 tbox Exp $ */
/*! \file */
@@ -24,6 +24,7 @@
#include <stdio.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <time.h>
+#include <ctype.h>
#include <isc/print.h>
#include <isc/region.h>
@@ -132,6 +133,14 @@ dns_time64_fromtext(const char *source, isc_int64_t *target) {
if (strlen(source) != 14U)
return (DNS_R_SYNTAX);
+ /*
+ * Confirm the source only consists digits. sscanf() allows some
+ * minor exceptions.
+ */
+ for (i = 0; i < 14; i++) {
+ if (!isdigit((unsigned char)source[i]))
+ return (DNS_R_SYNTAX);
+ }
if (sscanf(source, "%4d%2d%2d%2d%2d%2d",
&year, &month, &day, &hour, &minute, &second) != 6)
return (DNS_R_SYNTAX);
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 9e59dfa..7107dd5 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $Id: tkey.c,v 1.90 2008/04/03 00:45:23 marka Exp $
+ * $Id: tkey.c,v 1.90.118.4 2010-12-09 01:12:55 marka Exp $
*/
/*! \file */
#include <config.h>
@@ -417,10 +417,9 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
}
static isc_result_t
-process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
- dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
- dns_rdata_tkey_t *tkeyout,
- dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
+process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
+ dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
+ dns_tsig_keyring_t *ring)
{
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *dstkey = NULL;
@@ -431,9 +430,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
isc_buffer_t *outtoken = NULL;
gss_ctx_id_t gss_ctx = NULL;
- UNUSED(namelist);
- UNUSED(signer);
-
if (tctx->gsscred == NULL)
return (ISC_R_NOPERM);
@@ -456,18 +452,15 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
if (result == ISC_R_SUCCESS)
gss_ctx = dst_key_getgssctx(tsigkey->key);
-
dns_fixedname_init(&principal);
result = dst_gssapi_acceptctx(tctx->gsscred, &intoken,
&outtoken, &gss_ctx,
dns_fixedname_name(&principal),
tctx->mctx);
-
- if (tsigkey != NULL)
- dns_tsigkey_detach(&tsigkey);
-
if (result == DNS_R_INVALIDTKEY) {
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
tkeyout->error = dns_tsigerror_badkey;
tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA */
return (ISC_R_SUCCESS);
@@ -478,20 +471,39 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
* XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
*/
+ isc_stdtime_get(&now);
+
if (tsigkey == NULL) {
- RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey));
+#ifdef GSSAPI
+ OM_uint32 gret, minor, lifetime;
+#endif
+ isc_uint32_t expire;
+
+ RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx, &dstkey));
+ /*
+ * Limit keys to 1 hour or the context's lifetime whichever
+ * is smaller.
+ */
+ expire = now + 3600;
+#ifdef GSSAPI
+ gret = gss_context_time(&minor, gss_ctx, &lifetime);
+ if (gret == GSS_S_COMPLETE && now + lifetime < expire)
+ expire = now + lifetime;
+#endif
RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
dstkey, ISC_TRUE,
dns_fixedname_name(&principal),
- tkeyin->inception,
- tkeyin->expire,
- ring->mctx, ring, NULL));
+ now, expire, ring->mctx, ring,
+ NULL));
+ dst_key_free(&dstkey);
+ tkeyout->inception = now;
+ tkeyout->expire = expire;
+ } else {
+ tkeyout->inception = tsigkey->inception;
+ tkeyout->expire = tkeyout->expire;
+ dns_tsigkey_detach(&tsigkey);
}
- isc_stdtime_get(&now);
- tkeyout->inception = tkeyin->inception;
- tkeyout->expire = tkeyin->expire;
-
if (outtoken) {
tkeyout->key = isc_mem_get(tkeyout->mctx,
isc_buffer_usedlength(outtoken));
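Review bot: In the new `else` branch, `tkeyout->expire = tkeyout->expire;` assigns the field to itself, so the expiry returned for an existing key is whatever `tkeyout` already held. The line above copies `tsigkey->inception`, so this was almost certainly meant to be `tkeyout->expire = tsigkey->expire;`. Separately, `now + lifetime < expire` can wrap if `now` is a 32-bit unsigned value like `expire` and gss_context_time() reports a very large lifetime such as GSS_C_INDEFINITE, which would set `expire` to a time already in the past. Comparing the lifetime alone avoids the addition: `if (gret == GSS_S_COMPLETE && lifetime < 3600) expire = now + lifetime;`. The declaration of `now` is outside this hunk, so its width should be confirmed.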
@@ -520,6 +532,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
return (ISC_R_SUCCESS);
failure:
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
+
if (dstkey != NULL)
dst_key_free(&dstkey);
@@ -533,19 +548,14 @@ failure:
}
static isc_result_t
-process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
- dns_rdata_tkey_t *tkeyin,
- dns_rdata_tkey_t *tkeyout,
- dns_tsig_keyring_t *ring,
- dns_namelist_t *namelist)
+process_deletetkey(dns_name_t *signer, dns_name_t *name,
+ dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
+ dns_tsig_keyring_t *ring)
{
isc_result_t result;
dns_tsigkey_t *tsigkey = NULL;
dns_name_t *identity;
- UNUSED(msg);
- UNUSED(namelist);
-
result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
if (result != ISC_R_SUCCESS) {
tkeyout->error = dns_tsigerror_badname;
@@ -763,16 +773,13 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
break;
case DNS_TKEYMODE_GSSAPI:
tkeyout.error = dns_rcode_noerror;
- RETERR(process_gsstkey(msg, signer, keyname, &tkeyin,
- tctx, &tkeyout, ring,
- &namelist));
-
+ RETERR(process_gsstkey(keyname, &tkeyin, tctx,
+ &tkeyout, ring));
break;
case DNS_TKEYMODE_DELETE:
tkeyout.error = dns_rcode_noerror;
- RETERR(process_deletetkey(msg, signer, keyname,
- &tkeyin, &tkeyout,
- ring, &namelist));
+ RETERR(process_deletetkey(signer, keyname, &tkeyin,
+ &tkeyout, ring));
break;
case DNS_TKEYMODE_SERVERASSIGNED:
case DNS_TKEYMODE_RESOLVERASSIGNED:
@@ -1263,7 +1270,6 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context));
- dstkey = NULL;
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
&dstkey));
@@ -1271,7 +1277,7 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dstkey, ISC_FALSE, NULL,
rtkey.inception, rtkey.expire,
ring->mctx, ring, outkey));
-
+ dst_key_free(&dstkey);
dns_rdata_freestruct(&rtkey);
return (result);
@@ -1279,6 +1285,8 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
/*
* XXXSRA This probably leaks memory from rtkey and qtkey.
*/
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
return (result);
}
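Review bot: The added `if (dstkey != NULL) dst_key_free(&dstkey);` on this failure path can be reached by RETERR jumps that happen before dst_key_fromgssapi() has run. An earlier hunk of the same function removes the `dstkey = NULL;` assignment, so the test is safe only if the declaration, which is outside the visible hunks, initialises the pointer: `dst_key_t *dstkey = NULL;`. The same pairing appears in dns_tkey_gssnegotiate() in the last two tkey.c hunks and needs the same confirmation. If either declaration is uninitialised, the failure path would free an indeterminate pointer.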
@@ -1365,10 +1373,10 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
if (win2k == ISC_TRUE)
RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ANSWER));
+ DNS_SECTION_ANSWER));
else
RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ADDITIONAL));
+ DNS_SECTION_ADDITIONAL));
RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
@@ -1389,7 +1397,6 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result);
- dstkey = NULL;
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
&dstkey));
@@ -1406,7 +1413,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
dstkey, ISC_TRUE, NULL,
rtkey.inception, rtkey.expire,
ring->mctx, ring, outkey));
-
+ dst_key_free(&dstkey);
dns_rdata_freestruct(&rtkey);
return (result);
@@ -1415,5 +1422,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
* XXXSRA This probably leaks memory from qtkey.
*/
dns_rdata_freestruct(&rtkey);
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
return (result);
}
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 74a7af3..65d32dc 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $Id: tsig.c,v 1.136 2008/11/04 21:23:14 marka Exp $
+ * $Id: tsig.c,v 1.136.18.5 2010-12-09 01:12:55 marka Exp $
*/
/*! \file */
#include <config.h>
@@ -26,6 +26,7 @@
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/refcount.h>
+#include <isc/serial.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <isc/util.h>
#include <isc/time.h>
@@ -47,6 +48,10 @@
#define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
#define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
+#ifndef DNS_TSIG_MAXGENERATEDKEYS
+#define DNS_TSIG_MAXGENERATEDKEYS 4096
+#endif
+
#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
#define algname_is_allocated(algname) \
((algname) != dns_tsig_hmacmd5_name && \
@@ -86,6 +91,31 @@ static dns_name_t gsstsig = {
};
LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
+static void
+remove_fromring(dns_tsigkey_t *tkey) {
+ if (tkey->generated) {
+ ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+ tkey->ring->generated--;
+ }
+ (void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, ISC_FALSE);
+}
+
+static void
+adjust_lru(dns_tsigkey_t *tkey) {
+ if (tkey->generated) {
+ RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+ /*
+ * We may have been removed from the LRU list between
+ * removing the read lock and aquiring the write lock.
+ */
+ if (ISC_LINK_LINKED(tkey, link)) {
+ ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+ ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
+ }
+ RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+ }
+}
+
/*
* Since Microsoft doesn't follow its own standard, we will use this
* alternate name as a second guess.
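Review bot: remove_fromring() modifies `ring->lru` and `ring->generated` without taking `ring->lock`, while adjust_lru() takes the write lock itself, and neither function states this. Each should carry a one-line contract, for example `/* Caller must hold tkey->ring->lock for writing. */` above remove_fromring() and `/* Takes ring->lock for writing; call with it released. */` above adjust_lru(). The call added in dns_tsigkey_createfromkey() is visibly made under the write lock, but the lock state at the cleanup_ring() call site is not visible in these hunks and should be checked against that contract. remove_fromring() also decrements `generated` before the discarded dns_rbt_deletename() result is known, so a failed delete would leave the counter out of step with the tree.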
@@ -327,7 +357,9 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
} else
tkey->creator = NULL;
- tkey->key = dstkey;
+ tkey->key = NULL;
+ if (dstkey != NULL)
+ dst_key_attach(dstkey, &tkey->key);
tkey->ring = ring;
if (key != NULL)
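Review bot: The ownership contract for `dstkey` changes at this assignment and is not documented there: `dns_tsigkey_createfromkey` now takes its own reference with `dst_key_attach` instead of adopting the caller's pointer. A caller that still hands the key over without releasing its own reference would leak it; the `dns_tsigkey_create` hunk further down frees its reference unconditionally for this reason. A comment above the assignment, e.g. `/* Take our own reference; the caller keeps and must release its own. */`, would make the rule explicit, and the function's header documentation (not visible here) should state the same. The enclosing function starts and ends outside the hunk.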
@@ -358,11 +390,24 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
cleanup_ring(ring);
ring->writecount = 0;
}
+
ret = dns_rbt_addname(ring->keys, name, tkey);
if (ret != ISC_R_SUCCESS) {
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
goto cleanup_refs;
}
+
+ if (tkey->generated) {
+ /*
+ * Add the new key to the LRU list and remove the
+ * least recently used key if there are too many
+ * keys on the list.
+ */
+ ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
+ if (ring->generated++ > ring->maxgenerated)
+ remove_fromring(ISC_LIST_HEAD(ring->lru));
+ }
+
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
}
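Review bot: The cap on generated keys is off by one: `ring->generated++ > ring->maxgenerated` compares the count from before the new key was added, so the ring settles at `maxgenerated + 1` generated keys rather than `maxgenerated`. Because this limit bounds how many negotiated keys a ring keeps in memory, it should mean what its name says; `if (++ring->generated > ring->maxgenerated)` evicts as soon as the limit is exceeded. The enclosing function begins and ends outside the hunk, so any later failure path that would need to undo the LRU insertion cannot be checked from here.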
@@ -390,6 +435,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
isc_refcount_decrement(&tkey->refs, NULL);
isc_refcount_destroy(&tkey->refs);
cleanup_creator:
+ if (tkey->key != NULL)
+ dst_key_free(&tkey->key);
if (tkey->creator != NULL) {
dns_name_free(tkey->creator, mctx);
isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
@@ -452,9 +499,7 @@ cleanup_ring(dns_tsig_keyring_t *ring)
tsig_log(tkey, 2, "tsig expire: deleting");
/* delete the key */
dns_rbtnodechain_invalidate(&chain);
- (void)dns_rbt_deletename(ring->keys,
- &tkey->name,
- ISC_FALSE);
+ remove_fromring(tkey);
goto again;
}
}
@@ -464,7 +509,6 @@ cleanup_ring(dns_tsig_keyring_t *ring)
dns_rbtnodechain_invalidate(&chain);
return;
}
-
}
}
@@ -572,7 +616,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
generated, creator,
inception, expire, mctx, ring, key);
- if (result != ISC_R_SUCCESS && dstkey != NULL)
+ if (dstkey != NULL)
dst_key_free(&dstkey);
return (result);
}
@@ -629,7 +673,7 @@ dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
REQUIRE(key->ring != NULL);
RWLOCK(&key->ring->lock, isc_rwlocktype_write);
- (void)dns_rbt_deletename(key->ring->keys, &key->name, ISC_FALSE);
+ remove_fromring(key);
RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
}
@@ -889,6 +933,9 @@ dns_tsig_sign(dns_message_t *msg) {
msg->tsig = dataset;
msg->tsigname = owner;
+ /* Windows does not like the tsig name being compressed. */
+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
return (ISC_R_SUCCESS);
cleanup_rdatalist:
@@ -1469,19 +1516,30 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
return (ISC_R_NOTFOUND);
}
- if (key->inception != key->expire && key->expire < now) {
+ if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
/*
* The key has expired.
*/
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
RWLOCK(&ring->lock, isc_rwlocktype_write);
- (void)dns_rbt_deletename(ring->keys, name, ISC_FALSE);
+ remove_fromring(key);
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
return (ISC_R_NOTFOUND);
}
-
+#if 0
+ /*
+ * MPAXXX We really should look at the inception time.
+ */
+ if (key->inception != key->expire &&
+ isc_serial_lt(key->inception, now)) {
+ RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+ adjust_lru(key);
+ return (ISC_R_NOTFOUND);
+ }
+#endif
isc_refcount_increment(&key->refs, NULL);
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+ adjust_lru(key);
*tsigkey = key;
return (ISC_R_SUCCESS);
}
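Review bot: On the expired-key path, `key` is dereferenced after the read lock has been dropped and before any reference is taken: `remove_fromring(key)` reads `key->generated`, `key->ring` and `key->name`, whereas the removed line only used the caller's `name`. Another thread can remove the same key in the gap between `RWUNLOCK(..., isc_rwlocktype_read)` and `RWLOCK(..., isc_rwlocktype_write)`, which is the race the comment in `adjust_lru` describes. If the ring's delete callback releases the last reference, this becomes a use after free, and otherwise a second unlink. Taking a reference with `isc_refcount_increment(&key->refs, NULL);` before dropping the read lock, and confirming under the write lock that the key is still in the ring before removing it, would close the window. Separately, the disabled `#if 0` block tests `isc_serial_lt(key->inception, now)`, which would reject every key whose inception is already in the past if it were enabled; the operands look reversed.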
@@ -1527,6 +1585,9 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
ring->writecount = 0;
ring->mctx = NULL;
+ ring->generated = 0;
+ ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
+ ISC_LIST_INIT(ring->lru);
isc_mem_attach(mctx, &ring->mctx);
*ringp = ring;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index fc6f454..054c5a6 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.164.12.11.10.7 2010/11/16 01:48:32 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.23 2010-11-16 02:23:44 marka Exp $ */
#include <config.h>
@@ -2135,7 +2135,7 @@ dlv_validatezonekey(dns_validator_t *val) {
&sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dlv.key_tag != sig.keyid &&
+ if (dlv.key_tag != sig.keyid ||
dlv.algorithm != sig.algorithm)
continue;
dstkey = NULL;
@@ -2218,6 +2218,17 @@ validatezonekey(dns_validator_t *val) {
return (dlv_validatezonekey(val));
if (val->dsset == NULL) {
+
+ /*
+ * We have a dlv sep. Skip looking up the SEP from
+ * {trusted,managed}-keys. If the dlv sep is for the
+ * root then it will have been handled above so we don't
+ * need to check whether val->event->name is "." prior to
+ * looking up the DS.
+ */
+ if (val->havedlvsep)
+ goto find_ds;
+
/*
* First, see if this key was signed by a trusted key.
*/
@@ -2250,13 +2261,13 @@ validatezonekey(dns_validator_t *val) {
val->event->name, found) != ISC_R_SUCCESS) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "not beneath secure root");
+ "must be secure failure, "
+ "not beneath secure root");
return (DNS_R_MUSTBESECURE);
} else
validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
- if (val->view->dlv == NULL || DLVTRIED(val)) {
+ "not beneath secure root");
+ if (val->view->dlv == NULL) {
markanswer(val, "validatezonekey (1)");
return (ISC_R_SUCCESS);
}
@@ -2292,17 +2303,6 @@ validatezonekey(dns_validator_t *val) {
}
}
- /*
- * If this is the root name and there was no trusted key,
- * give up, since there's no DS at the root.
- */
- if (dns_name_equal(event->name, dns_rootname)) {
- if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
- return (DNS_R_NOVALIDSIG);
- else
- return (DNS_R_NOVALIDDS);
- }
-
if (atsep) {
/*
* We have not found a key to verify this DNSKEY
@@ -2323,6 +2323,22 @@ validatezonekey(dns_validator_t *val) {
}
/*
+ * If this is the root name and there was no trusted key,
+ * give up, since there's no DS at the root.
+ */
+ if (dns_name_equal(event->name, dns_rootname)) {
+ if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "root key failed to validate");
+ return (DNS_R_NOVALIDSIG);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no trusted root key");
+ return (DNS_R_NOVALIDDS);
+ }
+ }
+ find_ds:
+ /*
* Otherwise, try to find the DS record.
*/
result = view_find(val, val->event->name, dns_rdatatype_ds);
@@ -4038,19 +4054,19 @@ dns_validator_cancel(dns_validator_t *validator) {
validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
- if (validator->event != NULL) {
- if (validator->fetch != NULL)
- dns_resolver_cancelfetch(validator->fetch);
-
- if (validator->subvalidator != NULL)
- dns_validator_cancel(validator->subvalidator);
- if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
- isc_task_t *task = validator->event->ev_sender;
- validator->options &= ~DNS_VALIDATOR_DEFER;
- isc_event_free((isc_event_t **)&validator->event);
- isc_task_detach(&task);
- }
+ if ((validator->attributes & VALATTR_CANCELED) == 0) {
validator->attributes |= VALATTR_CANCELED;
+ if (validator->event != NULL) {
+ if (validator->fetch != NULL)
+ dns_resolver_cancelfetch(validator->fetch);
+
+ if (validator->subvalidator != NULL)
+ dns_validator_cancel(validator->subvalidator);
+ if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ validator_done(validator, ISC_R_CANCELED);
+ }
+ }
}
UNLOCK(&validator->lock);
}
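Review bot: `validator_done(validator, ISC_R_CANCELED)` is now called with `validator->lock` still held (the `UNLOCK` is the last statement of the function), where the old code only freed the event and detached the task. Its body is not visible here; if it sends the completion event or touches state guarded by the same lock, a comment should state why that is safe under the lock. The new outer test would also benefit from a comment such as `/* Only the first cancel does any work; later calls are no-ops. */`, because `VALATTR_CANCELED` is now set even when `validator->event` is NULL. The function starts outside the hunk.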
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 54f0d26..809cc15 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.c,v 1.150.84.3.10.2 2010/09/29 00:03:32 marka Exp $ */
+/* $Id: view.c,v 1.150.84.6 2010-09-24 08:09:08 marka Exp $ */
/*! \file */
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c21b1f0..108aefb 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.483.36.17 2009/12/21 04:32:42 marka Exp $ */
+/* $Id: zone.c,v 1.483.36.23 2010-12-14 00:48:22 marka Exp $ */
/*! \file */
@@ -1702,6 +1702,12 @@ zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
int level;
/*
+ * "." means the services does not exist.
+ */
+ if (dns_name_equal(name, dns_rootname))
+ return (ISC_TRUE);
+
+ /*
* Outside of zone.
*/
if (!dns_name_issubdomain(name, &zone->origin)) {
@@ -3656,6 +3662,7 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_result_t result;
dns_dbnode_t *node = NULL;
const char *directory = dns_zone_getkeydirectory(zone);
+
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
directory, mctx, maxkeys, keys,
@@ -3759,7 +3766,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
if (type != dns_rdatatype_dnskey) {
result = update_one_rr(db, ver, diff,
- DNS_DIFFOP_DEL, name,
+ DNS_DIFFOP_DELRESIGN, name,
rdataset.ttl, &rdata);
dns_rdata_reset(&rdata);
if (result != ISC_R_SUCCESS)
@@ -3801,7 +3808,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
break;
}
result = update_one_rr(db, ver, diff,
- DNS_DIFFOP_DEL,
+ DNS_DIFFOP_DELRESIGN,
name, rdataset.ttl,
&rdata);
break;
@@ -3812,8 +3819,9 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
* delete the RRSIG.
*/
if (!found)
- result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
- name, rdataset.ttl, &rdata);
+ result = update_one_rr(db, ver, diff,
+ DNS_DIFFOP_DELRESIGN, name,
+ rdataset.ttl, &rdata);
dns_rdata_reset(&rdata);
if (result != ISC_R_SUCCESS)
break;
@@ -3877,6 +3885,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
name, rdataset.ttl, &sig_rdata));
dns_rdata_reset(&sig_rdata);
+ isc_buffer_init(&buffer, data, sizeof(data));
}
failure:
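Review bot: The buffer reset sits at the bottom of the loop body, after the signature has already been consumed, so its purpose is not obvious from the code. Any earlier `continue` in the loop would also skip it, though the loop body starts outside this hunk and cannot be checked here. A one-line comment such as `/* Reset the scratch buffer so the next signature is written from the start of data[]. */` would document why it is needed. Placing the `isc_buffer_init(&buffer, data, sizeof(data));` immediately before the call that fills the buffer would make the reset independent of the path taken through the loop.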
@@ -5475,7 +5484,7 @@ del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
rrsig.keyid != keyid)
continue;
CHECK(update_one_rr(db, version, diff,
- DNS_DIFFOP_DEL, name,
+ DNS_DIFFOP_DELRESIGN, name,
rdataset.ttl, &rdata));
}
dns_rdataset_disassociate(&rdataset);
@@ -10091,6 +10100,7 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
isc_sockaddr_t sourceaddr;
isc_sockaddr_t masteraddr;
isc_time_t now;
+ const char *soa_before = "";
UNUSED(task);
@@ -10118,6 +10128,8 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
+ soa_before = "SOA before ";
/*
* Decide whether we should request IXFR or AXFR.
*/
@@ -10128,8 +10140,12 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
xfrtype = dns_rdatatype_axfr;
} else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
dns_zone_log(zone, ISC_LOG_DEBUG(1), "ixfr-from-differences "
- "set, requesting AXFR from %s", master);
- xfrtype = dns_rdatatype_axfr;
+ "set, requesting %sAXFR from %s", soa_before,
+ master);
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
+ xfrtype = dns_rdatatype_soa;
+ else
+ xfrtype = dns_rdatatype_axfr;
} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"forced reload, requesting AXFR of "
@@ -10154,8 +10170,8 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
}
if (use_ixfr == ISC_FALSE) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "IXFR disabled, requesting AXFR from %s",
- master);
+ "IXFR disabled, requesting %sAXFR from %s",
+ soa_before, master);
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
xfrtype = dns_rdatatype_soa;
else