Diffstat (limited to 'bin')
30 files changed, 457 insertions, 218 deletions
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c index 396f105..ed9224b 100644 --- a/bin/check/check-tool.c +++ b/bin/check/check-tool.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.35.36.3.24.2 2010/09/07 23:46:25 tbox Exp $ */ +/* $Id: check-tool.c,v 1.35.36.5 2010-09-07 23:46:05 tbox Exp $ */ /*! \file */ diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h index 0128926..f9273ff 100644 --- a/bin/check/check-tool.h +++ b/bin/check/check-tool.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.h,v 1.14.628.2 2010/09/07 23:46:26 tbox Exp $ */ +/* $Id: check-tool.h,v 1.14.334.2 2010-09-07 23:46:05 tbox Exp $ */ #ifndef CHECK_TOOL_H #define CHECK_TOOL_H diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index 7ed1043..20983b5 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.46.222.2.24.2 2010/09/07 23:46:26 tbox Exp $ */ +/* $Id: named-checkconf.c,v 1.46.222.4 2010-09-07 23:46:05 tbox Exp $ */ /*! \file */ diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c index 1fa015a..3b86e57 100644 --- a/bin/check/named-checkzone.c +++ b/bin/check/named-checkzone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.51.34.4.10.2 2010/09/07 23:46:26 tbox Exp $ */ +/* $Id: named-checkzone.c,v 1.51.34.6 2010-09-07 23:46:06 tbox Exp $ */ /*! \file */ diff --git a/bin/dig/dig.c b/bin/dig/dig.c index f740a1d..7de934b 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */ +/* $Id: dig.c,v 1.225.26.7 2010-05-13 00:43:37 marka Exp $ */ /*! \file */ @@ -306,6 +306,8 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) { ADD_STRING(buf, " "); } result = dns_rdata_totext(rdata, NULL, buf); + if (result == ISC_R_NOSPACE) + return (result); check_result(result, "dns_rdata_totext"); if (query->lookup->identify) { TIME_NOW(&now); @@ -328,10 +330,8 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags, { dns_name_t *name; dns_rdataset_t *rdataset; - isc_buffer_t target; isc_result_t result, loopresult; dns_name_t empty_name; - char t[4096]; dns_rdata_t rdata = DNS_RDATA_INIT; UNUSED(flags); @@ -347,8 +347,6 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags, name = NULL; dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); - isc_buffer_init(&target, t, sizeof(t)); - for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { @@ -357,6 +355,8 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags, dns_rdataset_current(rdataset, &rdata); result = say_message(&rdata, query, buf); + if (result == ISC_R_NOSPACE) + return (result); check_result(result, "say_message"); loopresult = dns_rdataset_next(rdataset); dns_rdata_reset(&rdata); @@ -505,6 +505,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { printf(" ad"); if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) printf(" cd"); + if ((msg->flags & 0x0040U) != 0) + printf("; MBZ: 0x4"); printf("; QUERY: %u, ANSWER: %u, " "AUTHORITY: %u, ADDITIONAL: %u\n", diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index d730c0e..df5a0c0 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c 
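Review bot: The new `ISC_R_NOSPACE` early return in say_message (hunk at new line 306) leaves whatever was already appended to `buf` in place, and the matching return inside short_answer's loop (hunk at new line 355) does the same after earlier rdatas may have been written. The caller that reacts to the result is outside both hunks, so it is not visible whether it discards the partial text before trying again; if it does not, a retry could print truncated or duplicated answers. A comment at the return would record the contract, for example `/* buf may hold partial output here; the caller must discard it before retrying */`. Both function bodies continue outside their hunks.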
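Review bot: The mask `0x0040U` in the printmessage hunk is a bare literal sitting next to the named `DNS_MESSAGEFLAG_CD` test, and the text it prints says `0x4` rather than `0x40`, which reads like a mismatch to anyone comparing the two. If `0x4` is meant as the bit's value within the reserved must-be-zero field rather than within the whole flags word, a comment should say so, for example `/* reserved header bit; reported as its value within the MBZ field */`. A named constant for the mask would also keep this test consistent with the flag tests around it. printmessage's body starts and ends outside the hunk.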
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.311.70.11 2009/11/10 17:27:13 each Exp $ */ +/* $Id: dighost.c,v 1.311.70.17 2010-12-09 01:12:54 marka Exp $ */ /*! \file * \note @@ -246,7 +246,7 @@ isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp); isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); void clean_trustedkey(void); -void insert_trustedkey(dst_key_t * key); +void insert_trustedkey(dst_key_t **key); #if DIG_SIGCHASE_BU isc_result_t getneededrr(dns_message_t *msg); void sigchase_bottom_up(dns_message_t *msg); @@ -970,7 +970,6 @@ setup_file_key(void) { keynametext, isc_result_totext(result)); goto failure; } - dstkey = NULL; failure: if (dstkey != NULL) dst_key_free(&dstkey); @@ -990,12 +989,21 @@ make_searchlist_entry(char *domain) { } static void +clear_searchlist(void) { + dig_searchlist_t *search; + while ((search = ISC_LIST_HEAD(search_list)) != NULL) { + ISC_LIST_UNLINK(search_list, search, link); + isc_mem_free(mctx, search); + } +} + +static void create_search_list(lwres_conf_t *confdata) { int i; dig_searchlist_t *search; debug("create_search_list()"); - ISC_LIST_INIT(search_list); + clear_searchlist(); for (i = 0; i < confdata->searchnxt; i++) { search = make_searchlist_entry(confdata->search[i]); @@ -1038,7 +1046,7 @@ setup_system(void) { else { /* No search list. Use the domain name if any */ if (lwconf->domainname != NULL) { domain = make_searchlist_entry(lwconf->domainname); - ISC_LIST_INITANDAPPEND(search_list, domain, link); + ISC_LIST_APPEND(search_list, domain, link); domain = NULL; } } 
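Review bot: create_search_list no longer initialises `search_list`: `clear_searchlist()` reads it with `ISC_LIST_HEAD` on entry, and the setup_system hunk (new line 1046) likewise swaps `ISC_LIST_INITANDAPPEND` for `ISC_LIST_APPEND`. Both now depend on the list having been initialised before the first call, which is not visible here; presumably `search_list` is a file-scope object that starts out zeroed, but that should be confirmed or made explicit with an `ISC_LIST_INIT` at startup. The setup_system branch also appends without clearing first, so as far as the hunk shows a second pass through it would accumulate entries. A comment above clear_searchlist such as `/* Free every entry; search_list must already be initialised. */` would document the dependency.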
@@ -1093,15 +1101,6 @@ setup_system(void) { } -static void -clear_searchlist(void) { - dig_searchlist_t *search; - while ((search = ISC_LIST_HEAD(search_list)) != NULL) { - ISC_LIST_UNLINK(search_list, search, link); - isc_mem_free(mctx, search); - } -} - /*% * Override the search list derived from resolv.conf by 'domain'. */ @@ -1201,14 +1200,15 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns, if (dnssec) rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO; if (nsid) { - unsigned char data[4]; - isc_buffer_t buf; - - isc_buffer_init(&buf, data, sizeof(data)); - isc_buffer_putuint16(&buf, DNS_OPT_NSID); - isc_buffer_putuint16(&buf, 0); - rdata->data = data; - rdata->length = sizeof(data); + isc_buffer_t *b = NULL; + + result = isc_buffer_allocate(mctx, &b, 4); + check_result(result, "isc_buffer_allocate"); + isc_buffer_putuint16(b, DNS_OPT_NSID); + isc_buffer_putuint16(b, 0); + rdata->data = isc_buffer_base(b); + rdata->length = isc_buffer_usedlength(b); + dns_message_takebuffer(msg, &b); } else { rdata->data = NULL; rdata->length = 0; @@ -2218,6 +2218,15 @@ force_timeout(dig_lookup_t *l, dig_query_t *query) { isc_result_totext(ISC_R_NOMEMORY)); } isc_task_send(global_task, &event); + + /* + * The timer may have expired if, for example, get_address() takes + * long time and the timer was running on a different thread. + * We need to cancel the possible timeout event not to confuse + * ourselves due to the duplicate events. + */ + if (l->timer != NULL) + isc_timer_detach(&l->timer); } @@ -2241,7 +2250,7 @@ send_tcp_connect(dig_query_t *query) { query->waiting_connect = ISC_TRUE; query->lookup->current_query = query; result = get_address(query->servname, port, &query->sockaddr); - if (result == ISC_R_NOTFOUND) { + if (result != ISC_R_SUCCESS) { /* * This servname doesn't have an address. Try the next server * by triggering an immediate 'timeout' (we lie, but the effect 
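Review bot: The nsid branch of add_opt (hunk at new line 1200) needs a comment saying why the option bytes are now heap-allocated: the removed `data[4]` array was declared inside the `if (nsid)` block while `rdata->data` kept pointing at it after the block ended. Something like `/* rdata->data must stay valid after this block, so the buffer is handed over to msg */` above `isc_buffer_allocate` would keep a later cleanup from reintroducing the stack array. The literal `4` also has to stay in step with the two `isc_buffer_putuint16` calls, which is worth a short remark in the same comment. add_opt's body starts and ends outside the hunk.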
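Review bot: In force_timeout (hunk at new line 2218) the timer is detached only after `isc_task_send(global_task, &event)` has queued the timeout event, and the new comment itself says the timer may be running on a different thread. Whether the caller holds a lock that keeps the queued handler from running and touching `l` or `l->timer` before the detach is not visible in the hunk; if it does not, moving `if (l->timer != NULL) isc_timer_detach(&l->timer);` above the `isc_task_send` call would close that window. Either way the comment should name the lock or ordering it relies on. Minor wording: "takes long time" should read "takes a long time".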
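Review bot: With the test widened to `result != ISC_R_SUCCESS`, send_tcp_connect (hunk at new line 2250) treats every get_address() failure as a missing address and drops the result code; the send_udp hunk at new line 2332 does the same. The retained comments still say "This servname doesn't have an address", which is no longer the only case that reaches this branch. Logging the reason before forcing the timeout, for example `debug("get_address: %s", isc_result_totext(result));`, would let a user tell a resolver failure apart from a name with no address. Both function bodies extend beyond their hunks.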
@@ -2323,7 +2332,7 @@ send_udp(dig_query_t *query) { /* XXX Check the sense of this, need assertion? */ query->waiting_connect = ISC_FALSE; result = get_address(query->servname, port, &query->sockaddr); - if (result == ISC_R_NOTFOUND) { + if (result != ISC_R_SUCCESS) { /* This servname doesn't have an address. */ force_timeout(l, query); return; @@ -3858,14 +3867,15 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, } void -insert_trustedkey(dst_key_t * key) +insert_trustedkey(dst_key_t **keyp) { - if (key == NULL) + if (*keyp == NULL) return; if (tk_list.nb_tk >= MAX_TRUSTED_KEY) return; - tk_list.key[tk_list.nb_tk++] = key; + tk_list.key[tk_list.nb_tk++] = *keyp; + *keyp = NULL; return; } @@ -4039,11 +4049,12 @@ get_trusted_key(isc_mem_t *mctx) fclose(fp); return (ISC_R_FAILURE); } - insert_trustedkey(key); #if 0 dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp"); #endif - key = NULL; + insert_trustedkey(&key); + if (key != NULL) + dst_key_free(&key); } return (ISC_R_SUCCESS); } diff --git a/bin/dig/host.c b/bin/dig/host.c index 1a7d174..ab0be99 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.116.216.3.10.2 2010/10/19 23:46:25 tbox Exp $ */ +/* $Id: host.c,v 1.116.216.5 2010-10-19 23:45:58 tbox Exp $ */ /*! \file */ diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1 index 68b419a..a8331f9 100644 --- a/bin/dig/nslookup.1 +++ b/bin/dig/nslookup.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
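Review bot: insert_trustedkey (hunk at new line 3867) now takes ownership through `keyp`, but nothing in the code states that, and the full-table case `tk_list.nb_tk >= MAX_TRUSTED_KEY` still returns silently. In the get_trusted_key hunk (new line 4049) the caller then frees the key, so a key beyond the limit is dropped without any message and later checks presumably run against an incomplete key set. A header comment saying that on success `*keyp` is stored and set to NULL, and that otherwise the caller keeps ownership and must free it, would document the contract; reporting the dropped key would be better still. The prototype changed in the hunk at new line 246 names the parameter `key` while the definition uses `keyp`, and the two should match.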
@@ -12,7 +12,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nslookup.1,v 1.14.354.1 2009/07/11 01:55:20 tbox Exp $ +.\" $Id: nslookup.1,v 1.14.354.2 2010-02-23 01:56:02 tbox Exp $ .\" .hy 0 .ad l @@ -54,7 +54,13 @@ when the first argument is a hyphen (\-) and the second argument is the host nam Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. .PP Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: -.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE +.sp +.RS 4 +.nf +nslookup \-query=hinfo \-timeout=10 +.fi +.RE +.sp .SH "INTERACTIVE COMMANDS" .PP \fBhost\fR [server] @@ -248,5 +254,5 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no .PP Andrew Cherenson .SH "COPYRIGHT" -Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007, 2010 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook index 6c94809..fb6e706 100644 --- a/bin/dig/nslookup.docbook +++ b/bin/dig/nslookup.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above 
@@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nslookup.docbook,v 1.16 2007/06/18 23:47:17 tbox Exp $ --> +<!-- $Id: nslookup.docbook,v 1.16.334.2 2010-02-22 23:47:53 tbox Exp $ --> <!-- - Copyright (c) 1985, 1989 - The Regents of the University of California. All rights reserved. @@ -73,6 +73,7 @@ <year>2005</year> <year>2006</year> <year>2007</year> + <year>2010</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -129,11 +130,11 @@ arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: - <informalexample> + <!-- <informalexample> produces bad nroff. --> <programlisting> nslookup -query=hinfo -timeout=10 </programlisting> - </informalexample> + <!-- </informalexample> --> </para> </refsect1> diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html index 3984a16..bff3528 100644 --- a/bin/dig/nslookup.html +++ b/bin/dig/nslookup.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -13,7 +13,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nslookup.html,v 1.21.354.1 2009/07/11 01:55:20 tbox Exp $ --> +<!-- $Id: nslookup.html,v 1.21.354.2 2010-02-23 01:56:02 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -31,7 +31,7 @@ <div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543355"></a><h2>DESCRIPTION</h2> +<a name="id2543358"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">Nslookup</strong></span> is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span> has two modes: interactive and non-interactive. Interactive mode allows @@ -43,7 +43,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543371"></a><h2>ARGUMENTS</h2> +<a name="id2543374"></a><h2>ARGUMENTS</h2> <p> Interactive mode is entered in the following cases: </p> @@ -68,15 +68,17 @@ arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: - </p> -<div class="informalexample"><pre class="programlisting"> + + </p> +<pre class="programlisting"> nslookup -query=hinfo -timeout=10 -</pre></div> +</pre> <p> + </p> </div> <div class="refsect1" lang="en"> -<a name="id2543413"></a><h2>INTERACTIVE COMMANDS</h2> +<a name="id2543418"></a><h2>INTERACTIVE COMMANDS</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt> <dd> 
@@ -286,19 +288,19 @@ nslookup -query=hinfo -timeout=10 </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2546279"></a><h2>FILES</h2> +<a name="id2546284"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2546291"></a><h2>SEE ALSO</h2> +<a name="id2546296"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2546325"></a><h2>Author</h2> +<a name="id2546330"></a><h2>Author</h2> <p> Andrew Cherenson </p> diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8 index 4d4cbc9..c49ccdc 100644 --- a/bin/dnssec/dnssec-dsfromkey.8 +++ b/bin/dnssec/dnssec-dsfromkey.8 
@@ -1,18 +1,18 @@ -.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") -.\" +.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +.\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-dsfromkey.8,v 1.5 2008/11/08 01:11:47 tbox Exp $ +.\" $Id: dnssec-dsfromkey.8,v 1.5.14.1 2010-05-19 02:06:11 tbox Exp $ .\" .hy 0 .ad l diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html index bc0273d..6186481 100644 --- a/bin/dnssec/dnssec-dsfromkey.html +++ b/bin/dnssec/dnssec-dsfromkey.html 
@@ -1,20 +1,19 @@ <!-- - - Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC") - - + - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: dnssec-dsfromkey.html,v 1.5.110.2 2010/03/03 23:32:17 tbox Exp $ --> +<!-- $Id: dnssec-dsfromkey.html,v 1.5.14.1 2010-05-19 02:06:11 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -33,14 +32,14 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543421"></a><h2>DESCRIPTION</h2> +<a name="id2543424"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-dsfromkey</strong></span> outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s). </p> </div> <div class="refsect1" lang="en"> -<a name="id2543433"></a><h2>OPTIONS</h2> +<a name="id2543435"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-1</span></dt> <dd><p> @@ -81,7 +80,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543561"></a><h2>EXAMPLE</h2> +<a name="id2543563"></a><h2>EXAMPLE</h2> <p> To build the SHA-256 DS RR from the <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> @@ -96,7 +95,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543591"></a><h2>FILES</h2> +<a name="id2543593"></a><h2>FILES</h2> <p> The keyfile can be designed by the key identification <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name 
@@ -110,13 +109,13 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543626"></a><h2>CAVEAT</h2> +<a name="id2543628"></a><h2>CAVEAT</h2> <p> A keyfile error can give a "file not found" even if the file exists. </p> </div> <div class="refsect1" lang="en"> -<a name="id2543636"></a><h2>SEE ALSO</h2> +<a name="id2543638"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -125,7 +124,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543672"></a><h2>AUTHOR</h2> +<a name="id2543674"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 2ef83d2..ad2a562 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -13,7 +13,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keyfromlabel.html,v 1.5.44.3.4.1 2010/03/03 22:19:19 tbox Exp $ --> +<!-- $Id: dnssec-keyfromlabel.html,v 1.5.44.3 2010-01-16 01:55:32 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -31,7 +31,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543414"></a><h2>DESCRIPTION</h2> +<a name="id2543416"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keyfromlabel</strong></span> gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -39,7 +39,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543426"></a><h2>OPTIONS</h2> +<a name="id2543428"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> @@ -120,7 +120,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543629"></a><h2>GENERATED KEY FILES</h2> +<a name="id2543632"></a><h2>GENERATED KEY FILES</h2> <p> When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes successfully, 
@@ -161,7 +161,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543702"></a><h2>SEE ALSO</h2> +<a name="id2543704"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -169,7 +169,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543735"></a><h2>AUTHOR</h2> +<a name="id2543737"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 0e9255a..7ca7d57 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keygen.html,v 1.32.44.4.4.1 2010/03/03 22:19:19 tbox Exp $ --> +<!-- $Id: dnssec-keygen.html,v 1.32.44.4 2010-01-16 01:55:32 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -32,7 +32,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543481"></a><h2>DESCRIPTION</h2> +<a name="id2543483"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -45,7 +45,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543499"></a><h2>OPTIONS</h2> +<a name="id2543501"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> @@ -155,7 +155,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543834"></a><h2>GENERATED KEYS</h2> +<a name="id2543836"></a><h2>GENERATED KEYS</h2> <p> When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, 
@@ -201,7 +201,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543916"></a><h2>EXAMPLE</h2> +<a name="id2543918"></a><h2>EXAMPLE</h2> <p> To generate a 768-bit DSA key for the domain <strong class="userinput"><code>example.com</code></strong>, the following command would be @@ -222,7 +222,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544028"></a><h2>SEE ALSO</h2> +<a name="id2544030"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2539</em>, @@ -231,7 +231,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544059"></a><h2>AUTHOR</h2> +<a name="id2544061"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index eec6110..b8f4d66 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.209.12.18 2009/11/03 23:47:45 tbox Exp $ */ +/* $Id: dnssec-signzone.c,v 1.209.12.20 2010-06-03 23:47:48 tbox Exp $ */ /*! \file */ 
@@ -1606,6 +1606,15 @@ verifyzone(void) { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); + if (!dns_name_issubdomain(name, gorigin)) { + dns_db_detachnode(gdb, &node); + result = dns_dbiterator_next(dbiter); + if (result == ISC_R_NOMORE) + done = ISC_TRUE; + else + check_result(result, "dns_dbiterator_next()"); + continue; + } if (delegation(name, node, NULL)) { zonecut = dns_fixedname_name(&fzonecut); dns_name_copy(name, zonecut, NULL); @@ -1931,6 +1940,40 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) { } } +/* + * Remove records of the given type and their signatures. + */ +static void +remove_records(dns_dbnode_t *node, dns_rdatatype_t which) { + isc_result_t result; + dns_rdatatype_t type, covers; + dns_rdatasetiter_t *rdsiter = NULL; + dns_rdataset_t rdataset; + + dns_rdataset_init(&rdataset); + + /* + * Delete any NSEC records at the apex. + */ + result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + check_result(result, "dns_db_allrdatasets()"); + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) { + dns_rdatasetiter_current(rdsiter, &rdataset); + type = rdataset.type; + covers = rdataset.covers; + dns_rdataset_disassociate(&rdataset); + if (type == which || covers == which) { + result = dns_db_deleterdataset(gdb, node, gversion, + type, covers); + check_result(result, "dns_db_deleterdataset()"); + continue; + } + } + dns_rdatasetiter_destroy(&rdsiter); +} + /*% * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records. */ 
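Review bot: The out-of-zone skip added to verifyzone (hunk at new line 1606) is repeated in nsecify (new line 2033) and twice in nsec3ify (new lines 2356 and 2491), and the copies already differ: here `dns_db_detachnode` runs before `dns_dbiterator_next`, in the other three it runs after. One static helper that detaches the node, advances the iterator and sets `done` on `ISC_R_NOMORE` would keep the four loops identical. The skipped names are also passed over without any diagnostic, so a zone file carrying out-of-zone data gives no hint at this stage that those records were neither signed nor verified; whether an earlier stage warns about them is not visible here. verifyzone's loop continues outside the hunk.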
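Review bot: The inner comment in remove_records (hunk at new line 1940), "Delete any NSEC records at the apex.", is left over from the code it was lifted from; the function deletes whatever type `which` names, at whichever node it is given. It should read along the lines of `/* Delete every rdataset of type 'which', and the signatures covering it, at this node. */`. The loop also stops on any non-success result from `dns_rdatasetiter_next` without checking that it was the normal end of iteration; adding `if (result != ISC_R_NOMORE) check_result(result, "dns_rdatasetiter_next()");` after the loop would surface an iterator error. The trailing `continue;` is redundant.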
@@ -1990,35 +2033,25 @@ nsecify(void) { result = dns_dbiterator_first(dbiter); check_result(result, "dns_dbiterator_first()"); - result = dns_dbiterator_current(dbiter, &node, name); - check_dns_dbiterator_current(result); - /* - * Delete any NSEC3PARAM records at the apex. - */ - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets()"); - for (result = dns_rdatasetiter_first(rdsiter); - result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(rdsiter)) { - dns_rdatasetiter_current(rdsiter, &rdataset); - type = rdataset.type; - covers = rdataset.covers; - dns_rdataset_disassociate(&rdataset); - if (type == dns_rdatatype_nsec3param || - covers == dns_rdatatype_nsec3param) { - result = dns_db_deleterdataset(gdb, node, gversion, - type, covers); - check_result(result, - "dns_db_deleterdataset(nsec3param/rrsig)"); - continue; - } - } - dns_rdatasetiter_destroy(&rdsiter); - dns_db_detachnode(gdb, &node); - while (!done) { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); + /* + * Skip out-of-zone records. + */ + if (!dns_name_issubdomain(name, gorigin)) { + result = dns_dbiterator_next(dbiter); + if (result == ISC_R_NOMORE) + done = ISC_TRUE; + else + check_result(result, "dns_dbiterator_next()"); + dns_db_detachnode(gdb, &node); + continue; + } + + if (dns_name_equal(name, gorigin)) + remove_records(node, dns_rdatatype_nsec3param); + if (delegation(name, node, &nsttl)) { zonecut = dns_fixedname_name(&fzonecut); dns_name_copy(name, zonecut, NULL); @@ -2299,8 +2332,6 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, dns_fixedname_t fname, fnextname, fzonecut; dns_name_t *name, *nextname, *zonecut; dns_rdataset_t rdataset; - dns_rdatasetiter_t *rdsiter = NULL; - dns_rdatatype_t type, covers; int order; isc_boolean_t active; isc_boolean_t done = ISC_FALSE; 
@@ -2325,35 +2356,25 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, result = dns_dbiterator_first(dbiter); check_result(result, "dns_dbiterator_first()"); - result = dns_dbiterator_current(dbiter, &node, name); - check_dns_dbiterator_current(result); - /* - * Delete any NSEC records at the apex. - */ - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets()"); - for (result = dns_rdatasetiter_first(rdsiter); - result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(rdsiter)) { - dns_rdatasetiter_current(rdsiter, &rdataset); - type = rdataset.type; - covers = rdataset.covers; - dns_rdataset_disassociate(&rdataset); - if (type == dns_rdatatype_nsec || - covers == dns_rdatatype_nsec) { - result = dns_db_deleterdataset(gdb, node, gversion, - type, covers); - check_result(result, - "dns_db_deleterdataset(nsec3param/rrsig)"); - continue; - } - } - dns_rdatasetiter_destroy(&rdsiter); - dns_db_detachnode(gdb, &node); - while (!done) { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); + /* + * Skip out-of-zone records. + */ + if (!dns_name_issubdomain(name, gorigin)) { + result = dns_dbiterator_next(dbiter); + if (result == ISC_R_NOMORE) + done = ISC_TRUE; + else + check_result(result, "dns_dbiterator_next()"); + dns_db_detachnode(gdb, &node); + continue; + } + + if (dns_name_equal(name, gorigin)) + remove_records(node, dns_rdatatype_nsec); + result = dns_dbiterator_next(dbiter); nextnode = NULL; while (result == ISC_R_SUCCESS) { 
@@ -2470,6 +2491,18 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, while (!done) { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); + /* + * Skip out-of-zone records. + */ + if (!dns_name_issubdomain(name, gorigin)) { + result = dns_dbiterator_next(dbiter); + if (result == ISC_R_NOMORE) + done = ISC_TRUE; + else + check_result(result, "dns_dbiterator_next()"); + dns_db_detachnode(gdb, &node); + continue; + } result = dns_dbiterator_next(dbiter); nextnode = NULL; while (result == ISC_R_SUCCESS) { diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index c37b6f5..1d4ecff 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.html,v 1.33.44.8.10.1 2010/03/03 22:19:19 tbox Exp $ --> +<!-- $Id: dnssec-signzone.html,v 1.33.44.8 2009-11-07 01:56:11 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -32,7 +32,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543556"></a><h2>DESCRIPTION</h2> +<a name="id2543558"></a><h2>DESCRIPTION</h2> <p><span><strong 
class="command">dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -43,7 +43,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543574"></a><h2>OPTIONS</h2> +<a name="id2543576"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> @@ -273,7 +273,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544433"></a><h2>EXAMPLE</h2> +<a name="id2544503"></a><h2>EXAMPLE</h2> <p> The following command signs the <strong class="userinput"><code>example.com</code></strong> zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> @@ -302,7 +302,7 @@ db.example.com.signed %</pre> </div> <div class="refsect1" lang="en"> -<a name="id2544552"></a><h2>KNOWN BUGS</h2> +<a name="id2544554"></a><h2>KNOWN BUGS</h2> <p> <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys @@ -327,14 +327,14 @@ db.example.com.signed </p> </div> <div class="refsect1" lang="en"> -<a name="id2544714"></a><h2>SEE ALSO</h2> +<a name="id2544716"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4033</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2544739"></a><h2>AUTHOR</h2> +<a name="id2544741"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/bin/named/builtin.c b/bin/named/builtin.c index 7927737..60cb634 100644 --- a/bin/named/builtin.c +++ b/bin/named/builtin.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: builtin.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */ +/* $Id: builtin.c,v 1.12.334.3 2010-08-03 23:45:47 tbox Exp $ */ /*! \file * \brief @@ -95,7 +95,7 @@ put_txt(dns_sdblookup_t *lookup, const char *text) { static isc_result_t do_version_lookup(dns_sdblookup_t *lookup) { - if (ns_g_server->version_set) { + if (ns_g_server->version_set) { if (ns_g_server->version == NULL) return (ISC_R_SUCCESS); else @@ -132,6 +132,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) { "Michael Graff", "Andreas Gustafsson", "Bob Halley", + "JINMEI Tatuya", "David Lawrence", "Danny Mayer", "Damien Neil", @@ -198,7 +199,7 @@ builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) { if (b->contact != NULL) contact = b->contact; } - + result = dns_sdb_putsoa(lookup, server, contact, 0); if (result != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -233,7 +234,7 @@ builtin_create(const char *zone, int argc, char **argv, *dbdata = &authors_builtin; else if (strcmp(argv[0], "id") == 0) *dbdata = &id_builtin; - else if (strcmp(argv[0], "empty") == 0) { + else if (strcmp(argv[0], "empty") == 0) { builtin_t *empty; char *server; char *contact; diff --git a/bin/named/client.c b/bin/named/client.c index a0e034a..6236d27 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.259.12.3.24.2 2010/09/29 23:46:31 tbox Exp $ */ +/* $Id: client.c,v 1.259.12.5 2010-09-24 08:30:27 tbox Exp $ */ #include <config.h> diff --git a/bin/named/control.c b/bin/named/control.c index ac1ec42..38115d6 100644 --- a/bin/named/control.c +++ b/bin/named/control.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.c,v 1.33.266.2 2009/07/11 23:47:17 tbox Exp $ */ +/* $Id: control.c,v 1.33.266.4 2010-12-03 23:45:46 tbox Exp $ */ /*! \file */ @@ -129,11 +129,16 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { * isc_app_shutdown below. */ #endif + /* Do not flush master files */ ns_server_flushonshutdown(ns_g_server, ISC_FALSE); ns_os_shutdownmsg(command, text); isc_app_shutdown(); result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_STOP)) { + /* + * "stop" is the same as "halt" except it does + * flush master files. + */ #ifdef HAVE_LIBSCF if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) { result = ns_smf_add_message(text); diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index c39fe5e..1d57a18 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: globals.h,v 1.80.84.2 2010/06/26 23:46:15 tbox Exp $ */ +/* $Id: globals.h,v 1.80.12.3 2010-09-15 12:16:50 marka Exp $ */ #ifndef NAMED_GLOBALS_H #define NAMED_GLOBALS_H 1 @@ -133,6 +133,7 @@ EXTERN isc_time_t ns_g_boottime; EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE); EXTERN isc_boolean_t ns_g_clienttest INIT(ISC_FALSE); EXTERN isc_boolean_t ns_g_nosoa INIT(ISC_FALSE); +EXTERN isc_boolean_t ns_g_noaa INIT(ISC_FALSE); #undef EXTERN #undef INIT diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h index 3f019a3..2f00f1e 100644 --- a/bin/named/include/named/query.h +++ b/bin/named/include/named/query.h 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.h,v 1.40.626.2 2010/09/29 23:46:31 tbox Exp $ */ +/* $Id: query.h,v 1.40.332.2 2010-09-24 08:30:28 tbox Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 diff --git a/bin/named/main.c b/bin/named/main.c index 74bace5..a1d94ff 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.166.34.3.24.3 2010/09/06 03:58:32 marka Exp $ */ +/* $Id: main.c,v 1.166.34.7 2010-09-15 12:16:49 marka Exp $ */ /*! \file */ @@ -455,6 +455,8 @@ parse_command_line(int argc, char *argv[]) { ns_g_clienttest = ISC_TRUE; else if (!strcmp(isc_commandline_argument, "nosoa")) ns_g_nosoa = ISC_TRUE; + else if (!strcmp(isc_commandline_argument, "noaa")) + ns_g_noaa = ISC_TRUE; else fprintf(stderr, "unknown -T flag '%s\n", isc_commandline_argument); diff --git a/bin/named/query.c b/bin/named/query.c index 0ba708b..fa34da6 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.313.20.16.10.3 2010/09/29 00:03:32 marka Exp $ */ +/* $Id: query.c,v 1.313.20.24 2010-09-24 08:09:07 marka Exp $ */ /*! \file */ @@ -2796,7 +2796,7 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node, static void query_addwildcardproof(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, - isc_boolean_t ispositive) + isc_boolean_t ispositive, isc_boolean_t nodata) { isc_buffer_t *dbuf, b; dns_name_t *fname; @@ -2984,7 +2984,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, goto cleanup; query_findclosestnsec3(wname, db, NULL, client, rdataset, - sigrdataset, fname, ISC_FALSE, NULL); + sigrdataset, fname, nodata, NULL); if (!dns_rdataset_isassociated(rdataset)) goto cleanup; query_addrrset(client, &fname, &rdataset, &sigrdataset, 
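Review bot: The new `nodata` argument of query_addwildcardproof() is undocumented, and it is forwarded to query_findclosestnsec3() in the @@ -2984 hunk in place of a literal `ISC_FALSE`. The call sites in the later hunks now pass two adjacent bare booleans (`ISC_FALSE, ISC_TRUE`), which are easy to transpose with `ispositive`. A header comment on the function should state what each flag selects and which combinations are valid, for example `/* ispositive: proving a wildcard match; nodata: the wildcard name exists but has no data of the query type (confirm) */`. The function body starts and ends outside these hunks.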
@@ -3087,7 +3087,7 @@ query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, /* XXX */ query_addwildcardproof(client, db, version, client->query.qname, - ISC_TRUE); + ISC_TRUE, ISC_FALSE); /* * We'll need some resources... @@ -4307,7 +4307,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) query_releasename(client, &fname); query_addwildcardproof(client, db, version, client->query.qname, - ISC_FALSE); + ISC_FALSE, ISC_TRUE); } } if (dns_rdataset_isassociated(rdataset)) { @@ -4396,7 +4396,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) &sigrdataset, NULL, DNS_SECTION_AUTHORITY); query_addwildcardproof(client, db, version, - client->query.qname, ISC_FALSE); + client->query.qname, ISC_FALSE, + ISC_FALSE); } /* @@ -4715,7 +4716,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * We didn't match any rdatasets. */ - if (qtype == dns_rdatatype_rrsig && + if ((qtype == dns_rdatatype_rrsig || + qtype == dns_rdatatype_sig) && result == ISC_R_NOMORE) { /* * XXXRTH If this is a secure zone and we @@ -4724,6 +4726,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * glue. Ugh. */ if (!is_zone) { + /* + * Note: this is dead code because + * is_zone is always true due to the + * condition above. But naive + * recursion would cause infinite + * attempts of recursion because + * the answer to (RR)SIG queries + * won't be cached. Until we figure + * out what we should do and implement + * it we intentionally keep this code + * dead. + */ authoritative = ISC_FALSE; dns_rdatasetiter_destroy(&rdsiter); if (RECURSIONOK(client)) { @@ -4822,7 +4836,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (need_wildcardproof && dns_db_issecure(db)) query_addwildcardproof(client, db, version, dns_fixedname_name(&wildcardname), - ISC_TRUE); + ISC_TRUE, ISC_FALSE); cleanup: CTRACE("query_find: cleanup"); /* 
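Review bot: In the @@ -4724 hunk the `if (!is_zone)` branch is kept as dead code, and nothing in the code enforces that it stays dead. The guarantee comes from a condition outside this hunk. Per the new comment, if that condition is ever relaxed the branch would recurse on (RR)SIG queries whose answers are never cached, which is an availability risk. The comment should name the guarding condition and say it must not be loosened, for example by adding `* Do not relax the is_zone test above without resolving this first.` Compiling the branch out until the behaviour is decided would make the intent unmistakable.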
@@ -5189,8 +5203,12 @@ ns_query_start(ns_client_t *client) { /* * Assume authoritative response until it is known to be * otherwise. + * + * If "-T noaa" has been set on the command line don't set + * AA on authoritative answers. */ - message->flags |= DNS_MESSAGEFLAG_AA; + if (!ns_g_noaa) + message->flags |= DNS_MESSAGEFLAG_AA; /* * Set AD. We must clear it if we add non-validated data to a diff --git a/bin/named/server.c b/bin/named/server.c index 5fbe043..bc7fc17 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.520.12.11.10.4 2010/11/16 22:42:03 marka Exp $ */ +/* $Id: server.c,v 1.520.12.21 2011-01-14 23:45:49 tbox Exp $ */ /*! \file */ @@ -205,11 +205,13 @@ static const struct { { "168.192.IN-ADDR.ARPA", ISC_TRUE }, #endif - /* RFC 3330 */ + /* RFC 5735 and RFC 5737 */ { "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */ { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */ { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */ { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */ + { "100.51.198.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 2 */ + { "113.0.203.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 3 */ { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */ /* Local IPv6 Unicast Addresses */ @@ -222,6 +224,9 @@ static const struct { { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + /* Example Prefix, RFC 3849. */ + { "8.B.D.0.1.0.0.2.IP6.ARPA", ISC_FALSE }, + { NULL, ISC_FALSE } }; 
@@ -5277,10 +5282,8 @@ ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) { n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "%d tsig keys deleted.\n", foundkeys); - if (n >= isc_buffer_availablelength(text)) { - isc_task_endexclusive(server->task); + if (n >= isc_buffer_availablelength(text)) return (ISC_R_NOSPACE); - } isc_buffer_add(text, n); return (ISC_R_SUCCESS); @@ -5396,10 +5399,8 @@ ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) { n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "no tsig keys found.\n"); - if (n >= isc_buffer_availablelength(text)) { - isc_task_endexclusive(server->task); + if (n >= isc_buffer_availablelength(text)) return (ISC_R_NOSPACE); - } isc_buffer_add(text, n); } diff --git a/bin/named/update.c b/bin/named/update.c index 74a192a..1504a44 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.151.12.9 2009/12/30 04:02:56 marka Exp $ */ +/* $Id: update.c,v 1.151.12.11 2010-02-26 23:48:43 tbox Exp $ */ #include <config.h> @@ -1945,6 +1945,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name, rdataset.ttl, &sig_rdata)); dns_rdata_reset(&sig_rdata); + isc_buffer_init(&buffer, data, sizeof(data)); added_sig = ISC_TRUE; } if (!added_sig) { diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c index 0aa6f79..e61dc72 100644 --- a/bin/named/xfrout.c +++ b/bin/named/xfrout.c 
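Review bot: In the update.c hunk for add_sigs(), the added `isc_buffer_init(&buffer, data, sizeof(data));` resets the signature buffer only after a signature has been stored. The first pass therefore relies on an initialisation outside this hunk, and any path that leaves the iteration before this line would carry the used length into the next key. Placing the reset immediately before the call that fills `buffer` would make every iteration start from an empty buffer regardless of how the previous one ended. The loop header and the signing call are outside the hunk, so this should be checked against the full function.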
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrout.c,v 1.131.26.4 2009/01/29 22:40:34 jinmei Exp $ */ +/* $Id: xfrout.c,v 1.131.26.6 2010-05-27 23:48:18 tbox Exp $ */ #include <config.h> @@ -985,11 +985,13 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { #ifdef DLZ { /* - * Normal zone table does not have a match. Try the DLZ database + * Normal zone table does not have a match. + * Try the DLZ database */ if (client->view->dlzdatabase != NULL) { result = dns_dlzallowzonexfr(client->view, - question_name, &client->peeraddr, + question_name, + &client->peeraddr, &db); if (result == ISC_R_NOPERM) { @@ -1228,9 +1230,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { #ifdef DLZ if (is_dlz) - CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, - reqtype, question_class, zone, db, ver, - quota, stream, + CHECK(xfrout_ctx_create(mctx, client, request->id, + question_name, reqtype, question_class, + zone, db, ver, quota, stream, dns_message_gettsigkey(request), tsigbuf, 3600, @@ -1240,9 +1242,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { &xfr)); else #endif - CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, - reqtype, question_class, zone, db, ver, - quota, stream, + CHECK(xfrout_ctx_create(mctx, client, request->id, + question_name, reqtype, question_class, + zone, db, ver, quota, stream, dns_message_gettsigkey(request), tsigbuf, dns_zone_getmaxxfrout(zone), diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1 index 83fd7d7..6c03486 100644 --- a/bin/nsupdate/nsupdate.1 +++ b/bin/nsupdate/nsupdate.1 
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and/or distribute this software for any @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nsupdate.1,v 1.3.48.3 2009/07/11 01:55:21 tbox Exp $ +.\" $Id: nsupdate.1,v 1.3.48.4 2010-07-10 02:06:17 tbox Exp $ .\" .hy 0 .ad l @@ -213,6 +213,28 @@ or \fB\-k\fR. .RE .PP +\fBgsstsig\fR +.RS 4 +Use GSS\-TSIG to sign the updated. This is equivalent to specifying +\fB\-g\fR +on the commandline. +.RE +.PP +\fBoldgsstsig\fR +.RS 4 +Use the Windows 2000 version of GSS\-TSIG to sign the updated. This is equivalent to specifying +\fB\-o\fR +on the commandline. +.RE +.PP +\fBrealm\fR {[realm_name]} +.RS 4 +When using GSS\-TSIG use +\fIrealm_name\fR +rather than the default realm in +\fIkrb5.conf\fR. If no realm is specified the saved realm is cleared. +.RE +.PP \fBprereq nxdomain\fR {domain\-name} .RS 4 Requires that no resource record of any type exists with name @@ -379,7 +401,7 @@ base\-64 encoding of HMAC\-MD5 key created by .PP The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases. .SH "COPYRIGHT" -Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2003 Internet Software Consortium. .br diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 6cf4cf4..d9ee488 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.163.48.3 2009/04/30 07:12:49 marka Exp $ */ +/* $Id: nsupdate.c,v 1.163.48.15 2010-12-09 04:30:57 tbox Exp $ */ /*! \file */ @@ -38,6 +38,7 @@ #include <isc/log.h> #include <isc/mem.h> #include <isc/parseint.h> +#include <isc/print.h> #include <isc/random.h> #include <isc/region.h> #include <isc/sockaddr.h> @@ -185,6 +186,7 @@ ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); #ifdef GSSAPI static dns_fixedname_t fkname; static isc_sockaddr_t *kserver = NULL; +static char *realm = NULL; static char servicename[DNS_NAME_FORMATSIZE]; static dns_name_t *keyname; typedef struct nsu_gssinfo { @@ -539,7 +541,8 @@ setup_keystr(void) { debug("keycreate"); result = dns_tsigkey_create(keyname, hmacname, secret, secretlen, - ISC_TRUE, NULL, 0, 0, mctx, NULL, &tsigkey); + ISC_FALSE, NULL, 0, 0, mctx, NULL, + &tsigkey); if (result != ISC_R_SUCCESS) fprintf(stderr, "could not create key from %s: %s\n", keystr, dns_result_totext(result)); @@ -550,6 +553,19 @@ setup_keystr(void) { isc_mem_free(mctx, secret); } +static int +basenamelen(const char *file) { + int len = strlen(file); + + if (len > 1 && file[len - 1] == '.') + len -= 1; + else if (len > 8 && strcmp(file + len - 8, ".private") == 0) + len -= 8; + else if (len > 4 && strcmp(file + len - 4, ".key") == 0) + len -= 4; + return (len); +} + static void setup_keyfile(void) { dst_key_t *dstkey = NULL; 
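Review bot: basenamelen() stores the result of `strlen(file)` in an `int`, which narrows a `size_t`, and it has no comment saying which suffixes it strips. The value is used as a `%.*s` precision in setup_keyfile(), where a negative precision is treated as if it were omitted, so an over-long path would only make the message print the full name. It is still cleaner to write `size_t len = strlen(file);` and `return ((int)len);`, and to add a one-line comment such as `/* Length of file without a trailing ".", ".private" or ".key" */`.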
@@ -558,12 +574,16 @@ setup_keyfile(void) { debug("Creating key..."); + if (sig0key != NULL) + dst_key_free(&sig0key); + result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey); if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not read key from %s: %s\n", - keyfile, isc_result_totext(result)); + fprintf(stderr, "could not read key from %.*s.{private,key}: " + "%s\n", basenamelen(keyfile), keyfile, + isc_result_totext(result)); return; } switch (dst_key_alg(dstkey)) { @@ -591,14 +611,14 @@ setup_keyfile(void) { hmacname, dstkey, ISC_FALSE, NULL, 0, 0, mctx, NULL, &tsigkey); + dst_key_free(&dstkey); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s: %s\n", keyfile, isc_result_totext(result)); - dst_key_free(&dstkey); return; } } else - sig0key = dstkey; + dst_key_attach(dstkey, &sig0key); } static void @@ -1349,7 +1369,7 @@ evaluate_key(char *cmdline) { if (tsigkey != NULL) dns_tsigkey_detach(&tsigkey); result = dns_tsigkey_create(keyname, hmacname, secret, secretlen, - ISC_TRUE, NULL, 0, 0, mctx, NULL, + ISC_FALSE, NULL, 0, 0, mctx, NULL, &tsigkey); isc_mem_free(mctx, secret); if (result != ISC_R_SUCCESS) { @@ -1389,6 +1409,31 @@ evaluate_zone(char *cmdline) { } static isc_uint16_t +evaluate_realm(char *cmdline) { +#ifdef GSSAPI + char *word; + char buf[1024]; + + word = nsu_strsep(&cmdline, " \t\r\n"); + if (*word == 0) { + if (realm != NULL) + isc_mem_free(mctx, realm); + realm = NULL; + return (STATUS_MORE); + } + + snprintf(buf, sizeof(buf), "@%s", word); + realm = isc_mem_strdup(mctx, buf); + if (realm == NULL) + fatal("out of memory"); + return (STATUS_MORE); +#else + UNUSED(cmdline); + return (STATUS_SYNTAX); +#endif +} + +static isc_uint16_t evaluate_ttl(char *cmdline) { char *word; isc_result_t result; 
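Review bot: In the @@ -591 hunk of setup_keyfile(), the `else` branch now calls `dst_key_attach(dstkey, &sig0key);` but never releases the local `dstkey` reference, whereas the TSIG branch gained an unconditional `dst_key_free(&dstkey);`. If dst_key_attach() takes an additional reference, as the name suggests, the later `dst_key_free(&sig0key)` will not be the last release and the private key material stays allocated until exit. Making the branch `{ dst_key_attach(dstkey, &sig0key); dst_key_free(&dstkey); }` would keep the two branches symmetric. The `switch` between the two hunks is not visible here, so its exits should be checked for the same release.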
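Review bot: evaluate_realm() overwrites `realm` without freeing the previous value when a non-empty realm is given, so each repeated `realm` command leaks the earlier string. Only the empty-argument path calls `isc_mem_free()`. Adding `if (realm != NULL) isc_mem_free(mctx, realm);` before `realm = isc_mem_strdup(mctx, buf);` fixes this. The `snprintf()` into the 1024-byte `buf` also truncates a longer realm silently, and a truncated realm would then be appended to the GSS service name. Checking the return value against `sizeof(buf)` and returning `STATUS_SYNTAX` would reject it instead.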
@@ -1779,6 +1824,8 @@ get_next_command(void) { usegsstsig = ISC_FALSE; return (evaluate_key(cmdline)); } + if (strcasecmp(word, "realm") == 0) + return (evaluate_realm(cmdline)); if (strcasecmp(word, "gsstsig") == 0) { #ifdef GSSAPI usegsstsig = ISC_TRUE; @@ -1985,6 +2032,10 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master, fprintf(stderr, "Sending update to %s\n", addrbuf); } + /* Windows doesn't like the tsig name to be compressed. */ + if (updatemsg->tsigname) + updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS; + result = dns_request_createvia3(requestmgr, updatemsg, srcaddr, master, options, tsigkey, timeout, udp_timeout, udp_retries, global_task, @@ -2307,7 +2358,7 @@ start_gssrequest(dns_name_t *master) servname = dns_fixedname_name(&fname); result = isc_string_printf(servicename, sizeof(servicename), - "DNS/%s", namestr); + "DNS/%s%s", namestr, realm ? realm : ""); if (result != ISC_R_SUCCESS) fatal("isc_string_printf(servicename) failed: %s", isc_result_totext(result)); @@ -2347,7 +2398,6 @@ start_gssrequest(dns_name_t *master) isc_result_totext(result)); /* Build first request. */ - context = GSS_C_NO_CONTEXT; result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0, &context, use_win2k_gsstsig); @@ -2585,6 +2635,7 @@ start_update(void) { dns_name_init(name, NULL); dns_name_clone(userzone, name); } else { + dns_rdataset_t *tmprdataset; result = dns_message_firstname(updatemsg, section); if (result == ISC_R_NOMORE) { section = DNS_SECTION_PREREQUISITE; 
@@ -2602,6 +2653,19 @@ start_update(void) { dns_message_currentname(updatemsg, section, &firstname); dns_name_init(name, NULL); dns_name_clone(firstname, name); + /* + * Looks to see if the first name references a DS record + * and if that name is not the root remove a label as DS + * records live in the parent zone so we need to start our + * search one label up. + */ + tmprdataset = ISC_LIST_HEAD(firstname->list); + if (section == DNS_SECTION_UPDATE && + !dns_name_equal(firstname, dns_rootname) && + tmprdataset->type == dns_rdatatype_ds) { + unsigned int labels = dns_name_countlabels(name); + dns_name_getlabelsequence(name, 1, labels - 1, name); + } } ISC_LIST_INIT(name->list); @@ -2636,6 +2700,10 @@ cleanup(void) { isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t)); kserver = NULL; } + if (realm != NULL) { + isc_mem_free(mctx, realm); + realm = NULL; + } #endif ddebug("Shutting down task manager"); diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook index c42a053..4069a2b 100644 --- a/bin/nsupdate/nsupdate.docbook +++ b/bin/nsupdate/nsupdate.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nsupdate.docbook,v 1.34.48.3 2009/03/09 04:21:56 marka Exp $ --> +<!-- $Id: nsupdate.docbook,v 1.34.48.5 2010-07-09 23:45:50 tbox Exp $ --> <refentry id="man.nsupdate"> <refentryinfo> <date>Jun 30, 2000</date> @@ -41,6 +41,7 @@ <year>2007</year> <year>2008</year> <year>2009</year> + <year>2010</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> 
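Review bot: In the start_update() hunk, `tmprdataset = ISC_LIST_HEAD(firstname->list);` is dereferenced as `tmprdataset->type` with no NULL check, so a name with an empty rdataset list would crash the client. Whether that can occur depends on how the update message is built outside this hunk, but the guard is cheap: add `tmprdataset != NULL &&` before the type comparison. Only the first rdataset of the first name is examined, so a DS record that is not first in the list does not trigger the parent-zone adjustment. If that is intended, the comment should say so.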
@@ -360,6 +361,45 @@ <varlistentry> <term> + <command>gsstsig</command> + </term> + <listitem> + <para> + Use GSS-TSIG to sign the updated. This is equivalent to + specifying <option>-g</option> on the commandline. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <command>oldgsstsig</command> + </term> + <listitem> + <para> + Use the Windows 2000 version of GSS-TSIG to sign the updated. + This is equivalent to specifying <option>-o</option> on the + commandline. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <command>realm</command> + <arg choice="req"><optional>realm_name</optional></arg> + </term> + <listitem> + <para> + When using GSS-TSIG use <parameter>realm_name</parameter> rather + than the default realm in <filename>krb5.conf</filename>. If no + realm is specified the saved realm is cleared. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> <command>prereq nxdomain</command> <arg choice="req">domain-name</arg> </term> diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html index c655c02..a383617 100644 --- a/bin/nsupdate/nsupdate.html +++ b/bin/nsupdate/nsupdate.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nsupdate.html,v 1.40.48.3.10.1 2010/03/03 22:19:19 tbox Exp $ --> +<!-- $Id: nsupdate.html,v 1.40.48.4 2010-07-10 02:06:17 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -32,7 +32,7 @@ <div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543447"></a><h2>DESCRIPTION</h2> +<a name="id2543452"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">nsupdate</strong></span> is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -169,7 +169,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543724"></a><h2>INPUT FORMAT</h2> +<a name="id2543730"></a><h2>INPUT FORMAT</h2> <p><span><strong class="command">nsupdate</strong></span> reads input from <em class="parameter"><code>filename</code></em> 
@@ -284,6 +284,30 @@ <code class="option">-y</code> or <code class="option">-k</code>. </p></dd> <dt><span class="term"> + <span><strong class="command">gsstsig</strong></span> + </span></dt> +<dd><p> + Use GSS-TSIG to sign the updated. This is equivalent to + specifying <code class="option">-g</code> on the commandline. + </p></dd> +<dt><span class="term"> + <span><strong class="command">oldgsstsig</strong></span> + </span></dt> +<dd><p> + Use the Windows 2000 version of GSS-TSIG to sign the updated. + This is equivalent to specifying <code class="option">-o</code> on the + commandline. + </p></dd> +<dt><span class="term"> + <span><strong class="command">realm</strong></span> + {[<span class="optional">realm_name</span>]} + </span></dt> +<dd><p> + When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather + than the default realm in <code class="filename">krb5.conf</code>. If no + realm is specified the saved realm is cleared. + </p></dd> +<dt><span class="term"> <span><strong class="command">prereq nxdomain</strong></span> {domain-name} </span></dt> @@ -433,7 +457,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544565"></a><h2>EXAMPLES</h2> +<a name="id2544642"></a><h2>EXAMPLES</h2> <p> The examples below show how <span><strong class="command">nsupdate</strong></span> @@ -487,7 +511,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544609"></a><h2>FILES</h2> +<a name="id2544685"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt> <dd><p> @@ -506,7 +530,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544678"></a><h2>SEE ALSO</h2> +<a name="id2544755"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>, <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>, <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>, 
@@ -519,7 +543,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2542154"></a><h2>BUGS</h2> +<a name="id2542163"></a><h2>BUGS</h2> <p> The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library |