diff options
Diffstat (limited to 'contrib/bind9/bin/named')
66 files changed, 4483 insertions, 1499 deletions
diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in index 50fb93b..a809e59c 100644 --- a/contrib/bind9/bin/named/Makefile.in +++ b/contrib/bind9/bin/named/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.74.12.11 2004/09/06 21:47:25 marka Exp $ +# $Id: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -31,12 +31,20 @@ DBDRIVER_SRCS = DBDRIVER_INCLUDES = DBDRIVER_LIBS = +DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers + +DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ +DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ +DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ +DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \ ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${DBDRIVER_INCLUDES} + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} + +CDEFINES = @USE_DLZ@ -CDEFINES = CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ @@ -57,13 +65,14 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ + ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ SUBDIRS = unix TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \ +OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ controlconf.@O@ interfacemgr.@O@ \ listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \ query.@O@ server.@O@ sortlist.@O@ \ @@ -71,11 +80,11 @@ OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \ zoneconf.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ - $(DBDRIVER_OBJS) + ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} UOBJS = unix/os.@O@ -SRCS = aclconf.c builtin.c client.c config.c control.c \ +SRCS = builtin.c client.c config.c control.c \ controlconf.c interfacemgr.c \ listenlist.c log.c logconf.c main.c notify.c \ query.c server.c sortlist.c \ @@ -83,7 +92,7 @@ SRCS = aclconf.c builtin.c client.c config.c control.c \ zoneconf.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ - $(DBDRIVER_SRCS) + ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} MANPAGES = named.8 lwresd.8 named.conf.5 @@ -133,3 +142,4 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 +@DLZ_DRIVER_RULES@ diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c index af4d7a3..06cbd4a 100644 --- a/contrib/bind9/bin/named/builtin.c +++ b/contrib/bind9/bin/named/builtin.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,10 +15,11 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: builtin.c,v 1.4.106.4 2004/03/08 04:04:18 marka Exp $ */ +/* $Id: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */ -/* - * The built-in "version", "hostname", "id" and "authors" databases. +/*! \file + * \brief + * The built-in "version", "hostname", "id", "authors" and "empty" databases. */ #include <config.h> @@ -26,12 +27,13 @@ #include <string.h> #include <stdio.h> +#include <isc/mem.h> #include <isc/print.h> #include <isc/result.h> #include <isc/util.h> -#include <dns/sdb.h> #include <dns/result.h> +#include <dns/sdb.h> #include <named/builtin.h> #include <named/globals.h> @@ -44,6 +46,7 @@ static isc_result_t do_version_lookup(dns_sdblookup_t *lookup); static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup); static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup); static isc_result_t do_id_lookup(dns_sdblookup_t *lookup); +static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup); /* * We can't use function pointers as the db_data directly @@ -53,12 +56,15 @@ static isc_result_t do_id_lookup(dns_sdblookup_t *lookup); struct builtin { isc_result_t (*do_lookup)(dns_sdblookup_t *lookup); + char *server; + char *contact; }; -static builtin_t version_builtin = { do_version_lookup }; -static builtin_t hostname_builtin = { do_hostname_lookup }; -static builtin_t authors_builtin = { do_authors_lookup }; -static builtin_t id_builtin = { do_id_lookup }; +static builtin_t version_builtin = { do_version_lookup, NULL, NULL }; +static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL }; +static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL }; +static builtin_t id_builtin = { do_id_lookup, NULL, NULL }; +static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL }; static dns_sdbimplementation_t *builtin_impl; @@ -167,16 +173,37 @@ do_id_lookup(dns_sdblookup_t *lookup) { } static isc_result_t +do_empty_lookup(dns_sdblookup_t *lookup) { + + UNUSED(lookup); + return (ISC_R_SUCCESS); +} + +static isc_result_t builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) { isc_result_t result; + const char *contact = "hostmaster"; + const char *server = "@"; + builtin_t *b = (builtin_t *) dbdata; UNUSED(zone); UNUSED(dbdata); - result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0); + if (b == &empty_builtin) { + server = "."; + contact = "."; + } else { + if (b->server != NULL) + server = b->server; + if (b->contact != NULL) + contact = b->contact; + } + + result = dns_sdb_putsoa(lookup, server, contact, 0); if (result != ISC_R_SUCCESS) return (ISC_R_FAILURE); - result = dns_sdb_putrr(lookup, "ns", 0, "@"); + + result = dns_sdb_putrr(lookup, "ns", 0, server); if (result != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -187,10 +214,17 @@ static isc_result_t builtin_create(const char *zone, int argc, char **argv, void *driverdata, void **dbdata) { + REQUIRE(argc >= 1); + UNUSED(zone); UNUSED(driverdata); - if (argc != 1) + + if (strcmp(argv[0], "empty") == 0) { + if (argc != 3) + return (DNS_R_SYNTAX); + } else if (argc != 1) return (DNS_R_SYNTAX); + if (strcmp(argv[0], "version") == 0) *dbdata = &version_builtin; else if (strcmp(argv[0], "hostname") == 0) @@ -199,17 +233,62 @@ builtin_create(const char *zone, int argc, char **argv, *dbdata = &authors_builtin; else if (strcmp(argv[0], "id") == 0) *dbdata = &id_builtin; - else + else if (strcmp(argv[0], "empty") == 0) { + builtin_t *empty; + char *server; + char *contact; + /* + * We don't want built-in zones to fail. Fallback to + * the static configuration if memory allocation fails. + */ + empty = isc_mem_get(ns_g_mctx, sizeof(*empty)); + server = isc_mem_strdup(ns_g_mctx, argv[1]); + contact = isc_mem_strdup(ns_g_mctx, argv[2]); + if (empty == NULL || server == NULL || contact == NULL) { + *dbdata = &empty_builtin; + if (server != NULL) + isc_mem_free(ns_g_mctx, server); + if (contact != NULL) + isc_mem_free(ns_g_mctx, contact); + if (empty != NULL) + isc_mem_put(ns_g_mctx, empty, sizeof (*empty)); + } else { + memcpy(empty, &empty_builtin, sizeof (empty_builtin)); + empty->server = server; + empty->contact = contact; + *dbdata = empty; + } + } else return (ISC_R_NOTIMPLEMENTED); return (ISC_R_SUCCESS); } +static void +builtin_destroy(const char *zone, void *driverdata, void **dbdata) { + builtin_t *b = (builtin_t *) *dbdata; + + UNUSED(zone); + UNUSED(driverdata); + + /* + * Don't free the static versions. + */ + if (*dbdata == &version_builtin || *dbdata == &hostname_builtin || + *dbdata == &authors_builtin || *dbdata == &id_builtin || + *dbdata == &empty_builtin) + return; + + isc_mem_free(ns_g_mctx, b->server); + isc_mem_free(ns_g_mctx, b->contact); + isc_mem_put(ns_g_mctx, b, sizeof (*b)); +} + static dns_sdbmethods_t builtin_methods = { builtin_lookup, builtin_authority, NULL, /* allnodes */ builtin_create, - NULL /* destroy */ + builtin_destroy }; isc_result_t diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c index b0ce793..d69e44b 100644 --- a/contrib/bind9/bin/named/client.c +++ b/contrib/bind9/bin/named/client.c @@ -15,13 +15,14 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.176.2.13.4.31 2006/07/22 01:09:38 marka Exp $ */ +/* $Id: client.c,v 1.219.18.20 2006/07/22 01:02:36 marka Exp $ */ #include <config.h> #include <isc/formatcheck.h> #include <isc/mutex.h> #include <isc/once.h> +#include <isc/platform.h> #include <isc/print.h> #include <isc/stdio.h> #include <isc/string.h> @@ -33,12 +34,13 @@ #include <dns/dispatch.h> #include <dns/events.h> #include <dns/message.h> +#include <dns/peer.h> #include <dns/rcode.h> -#include <dns/resolver.h> #include <dns/rdata.h> #include <dns/rdataclass.h> #include <dns/rdatalist.h> #include <dns/rdataset.h> +#include <dns/resolver.h> #include <dns/tsig.h> #include <dns/view.h> #include <dns/zone.h> @@ -53,7 +55,9 @@ *** Client ***/ -/* +/*! \file + * Client Routines + * * Important note! * * All client state changes, other than that from idle to listening, occur @@ -87,6 +91,25 @@ #define SEND_BUFFER_SIZE 4096 #define RECV_BUFFER_SIZE 4096 +#ifdef ISC_PLATFORM_USETHREADS +#define NMCTXS 100 +/*%< + * Number of 'mctx pools' for clients. (Should this be configurable?) + * When enabling threads, we use a pool of memory contexts shared by + * client objects, since concurrent access to a shared context would cause + * heavy contentions. The above constant is expected to be enough for + * completely avoiding contentions among threads for an authoritative-only + * server. + */ +#else +#define NMCTXS 0 +/*%< + * If named with built without thread, simply share manager's context. Using + * a separate context in this case would simply waste memory. + */ +#endif + +/*% nameserver client manager structure */ struct ns_clientmgr { /* Unlocked. */ unsigned int magic; @@ -96,15 +119,20 @@ struct ns_clientmgr { isc_mutex_t lock; /* Locked by lock. */ isc_boolean_t exiting; - client_list_t active; /* Active clients */ - client_list_t recursing; /* Recursing clients */ - client_list_t inactive; /* To be recycled */ + client_list_t active; /*%< Active clients */ + client_list_t recursing; /*%< Recursing clients */ + client_list_t inactive; /*%< To be recycled */ +#if NMCTXS > 0 + /*%< mctx pool for clients. */ + unsigned int nextmctx; + isc_mem_t * mctxpool[NMCTXS]; +#endif }; #define MANAGER_MAGIC ISC_MAGIC('N', 'S', 'C', 'm') #define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC) -/* +/*! * Client object states. Ordering is significant: higher-numbered * states are generally "more active", meaning that the client can * have more dynamically allocated data, outstanding events, etc. @@ -117,12 +145,12 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_FREED 0 -/* +/*%< * The client object no longer exists. */ #define NS_CLIENTSTATE_INACTIVE 1 -/* +/*%< * The client object exists and has a task and timer. * Its "query" struct and sendbuf are initialized. * It is on the client manager's list of inactive clients. @@ -130,7 +158,7 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_READY 2 -/* +/*%< * The client object is either a TCP or a UDP one, and * it is associated with a network interface. It is on the * client manager's list of active clients. @@ -143,7 +171,7 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_READING 3 -/* +/*%< * The client object is a TCP client object that has received * a connection. It has a tcpsocket, tcpmsg, TCP quota, and an * outstanding TCP read request. This state is not used for @@ -151,14 +179,14 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_WORKING 4 -/* +/*%< * The client object has received a request and is working * on it. It has a view, and it may have any of a non-reset OPT, * recursion quota, and an outstanding write request. */ #define NS_CLIENTSTATE_MAX 9 -/* +/*%< * Sentinel value used to indicate "no state". When client->newstate * has this value, we are not attempting to exit the current state. * Must be greater than any valid state. @@ -171,6 +199,8 @@ struct ns_clientmgr { #define NS_CLIENT_DROPPORT 1 #endif +unsigned int ns_client_requests; + static void client_read(ns_client_t *client); static void client_accept(ns_client_t *client); static void client_udprecv(ns_client_t *client); @@ -227,7 +257,7 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) { } } -/* +/*% * Check for a deactivation or shutdown request and take appropriate * action. Returns ISC_TRUE if either is in progress; in this case * the caller must no longer use the client object as it may have been @@ -489,7 +519,7 @@ exit_check(ns_client_t *client) { CTRACE("free"); client->magic = 0; - isc_mem_put(client->mctx, client, sizeof(*client)); + isc_mem_putanddetach(&client->mctx, client, sizeof(*client)); goto unlock; } @@ -510,7 +540,7 @@ exit_check(ns_client_t *client) { return (ISC_TRUE); } -/* +/*% * The client's task has received the client's control event * as part of the startup process. */ @@ -536,7 +566,7 @@ client_start(isc_task_t *task, isc_event_t *event) { } -/* +/*% * The client's task has received a shutdown event. */ static void @@ -591,6 +621,7 @@ ns_client_endrequest(ns_client_t *client) { client->udpsize = 512; client->extflags = 0; + client->ednsversion = -1; dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE); if (client->recursionquota != NULL) @@ -705,7 +736,7 @@ client_senddone(isc_task_t *task, isc_event_t *event) { ns_client_next(client, ISC_R_SUCCESS); } -/* +/*% * We only want to fail with ISC_R_NOSPACE when called from * ns_client_sendraw() and not when called from ns_client_send(), * tcpbuffer is NULL when called from ns_client_sendraw() and @@ -1182,6 +1213,64 @@ allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) { } /* + * Callback to see if a non-recursive query coming from 'srcaddr' to + * 'destaddr', with optional key 'mykey' for class 'rdclass' would be + * delivered to 'myview'. + * + * We run this unlocked as both the view list and the interface list + * are updated when the approprite task has exclusivity. + */ +isc_boolean_t +ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey, + isc_sockaddr_t *srcaddr, isc_sockaddr_t *dstaddr, + dns_rdataclass_t rdclass, void *arg) +{ + dns_view_t *view; + dns_tsigkey_t *key; + isc_netaddr_t netsrc; + isc_netaddr_t netdst; + + UNUSED(arg); + + if (!ns_interfacemgr_listeningon(ns_g_server->interfacemgr, dstaddr)) + return (ISC_FALSE); + + isc_netaddr_fromsockaddr(&netsrc, srcaddr); + isc_netaddr_fromsockaddr(&netdst, dstaddr); + + for (view = ISC_LIST_HEAD(ns_g_server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) { + dns_name_t *tsig = NULL; + + if (view->matchrecursiveonly) + continue; + + if (rdclass != view->rdclass) + continue; + + if (mykey != NULL) { + isc_boolean_t match; + isc_result_t result; + + tsig = &mykey->name; + result = dns_view_gettsig(view, tsig, &key); + if (result != ISC_R_SUCCESS) + continue; + match = dst_key_compare(mykey->key, key->key); + dns_tsigkey_detach(&key); + if (!match) + continue; + } + + if (allowed(&netsrc, tsig, view->matchclients) && + allowed(&netdst, tsig, view->matchdestinations)) + break; + } + return (ISC_TF(view == myview)); +} + +/* * Handle an incoming request event from the socket (UDP case) * or tcpmsg (TCP case). */ @@ -1215,6 +1304,8 @@ client_request(isc_task_t *task, isc_event_t *event) { NS_CLIENTSTATE_READING : NS_CLIENTSTATE_READY); + ns_client_requests++; + if (event->ev_type == ISC_SOCKEVENT_RECVDONE) { INSIST(!TCP_CLIENT(client)); sevent = (isc_socketevent_t *)event; @@ -1384,8 +1475,6 @@ client_request(isc_task_t *task, isc_event_t *event) { */ opt = dns_message_getopt(client->message); if (opt != NULL) { - unsigned int version; - /* * Set the client's UDP buffer size. */ @@ -1404,22 +1493,24 @@ client_request(isc_task_t *task, isc_event_t *event) { client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF); /* - * Create an OPT for our reply. + * Do we understand this version of EDNS? + * + * XXXRTH need library support for this! */ - result = client_addopt(client); - if (result != ISC_R_SUCCESS) { + client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; + if (client->ednsversion > 0) { + result = client_addopt(client); + if (result == ISC_R_SUCCESS) + result = DNS_R_BADVERS; ns_client_error(client, result); goto cleanup; } - /* - * Do we understand this version of ENDS? - * - * XXXRTH need library support for this! + * Create an OPT for our reply. */ - version = (opt->ttl & 0x00FF0000) >> 16; - if (version != 0) { - ns_client_error(client, DNS_R_BADVERS); + result = client_addopt(client); + if (result != ISC_R_SUCCESS) { + ns_client_error(client, result); goto cleanup; } } @@ -1629,6 +1720,19 @@ client_request(isc_task_t *task, isc_event_t *event) { "recursion not available"); /* + * Adjust maximum UDP response size for this client. + */ + if (client->udpsize > 512) { + dns_peer_t *peer = NULL; + isc_uint16_t udpsize = view->maxudp; + (void) dns_peerlist_peerbyaddr(view->peers, &netaddr, &peer); + if (peer != NULL) + dns_peer_getmaxudp(peer, &udpsize); + if (client->udpsize > udpsize) + client->udpsize = udpsize; + } + + /* * Dispatch the request. */ switch (client->message->opcode) { @@ -1689,9 +1793,42 @@ client_timeout(isc_task_t *task, isc_event_t *event) { } static isc_result_t +get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) { + isc_mem_t *clientmctx; +#if NMCTXS > 0 + isc_result_t result; +#endif + + /* + * Caller must be holding the manager lock. + */ +#if NMCTXS > 0 + INSIST(manager->nextmctx < NMCTXS); + clientmctx = manager->mctxpool[manager->nextmctx]; + if (clientmctx == NULL) { + result = isc_mem_create(0, 0, &clientmctx); + if (result != ISC_R_SUCCESS) + return (result); + + manager->mctxpool[manager->nextmctx] = clientmctx; + manager->nextmctx++; + if (manager->nextmctx == NMCTXS) + manager->nextmctx = 0; + } +#else + clientmctx = manager->mctx; +#endif + + isc_mem_attach(clientmctx, mctxp); + + return (ISC_R_SUCCESS); +} + +static isc_result_t client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { ns_client_t *client; isc_result_t result; + isc_mem_t *mctx = NULL; /* * Caller must be holding the manager lock. @@ -1703,9 +1840,16 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { REQUIRE(clientp != NULL && *clientp == NULL); - client = isc_mem_get(manager->mctx, sizeof(*client)); - if (client == NULL) + result = get_clientmctx(manager, &mctx); + if (result != ISC_R_SUCCESS) + return (result); + + client = isc_mem_get(mctx, sizeof(*client)); + if (client == NULL) { + isc_mem_detach(&mctx); return (ISC_R_NOMEMORY); + } + client->mctx = mctx; client->task = NULL; result = isc_task_create(manager->taskmgr, 0, &client->task); @@ -1722,7 +1866,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { client->timerset = ISC_FALSE; client->message = NULL; - result = dns_message_create(manager->mctx, DNS_MESSAGE_INTENTPARSE, + result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE, &client->message); if (result != ISC_R_SUCCESS) goto cleanup_timer; @@ -1730,7 +1874,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { /* XXXRTH Hardwired constants */ client->sendevent = (isc_socketevent_t *) - isc_event_allocate(manager->mctx, client, + isc_event_allocate(client->mctx, client, ISC_SOCKEVENT_SENDDONE, client_senddone, client, sizeof(isc_socketevent_t)); @@ -1739,14 +1883,14 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { goto cleanup_message; } - client->recvbuf = isc_mem_get(manager->mctx, RECV_BUFFER_SIZE); + client->recvbuf = isc_mem_get(client->mctx, RECV_BUFFER_SIZE); if (client->recvbuf == NULL) { result = ISC_R_NOMEMORY; goto cleanup_sendevent; } client->recvevent = (isc_socketevent_t *) - isc_event_allocate(manager->mctx, client, + isc_event_allocate(client->mctx, client, ISC_SOCKEVENT_RECVDONE, client_request, client, sizeof(isc_socketevent_t)); @@ -1756,7 +1900,6 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { } client->magic = NS_CLIENT_MAGIC; - client->mctx = manager->mctx; client->manager = NULL; client->state = NS_CLIENTSTATE_INACTIVE; client->newstate = NS_CLIENTSTATE_MAX; @@ -1778,6 +1921,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { client->opt = NULL; client->udpsize = 512; client->extflags = 0; + client->ednsversion = -1; client->next = NULL; client->shutdown = NULL; client->shutdown_arg = NULL; @@ -1826,7 +1970,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { isc_event_free((isc_event_t **)&client->recvevent); cleanup_recvbuf: - isc_mem_put(manager->mctx, client->recvbuf, RECV_BUFFER_SIZE); + isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE); cleanup_sendevent: isc_event_free((isc_event_t **)&client->sendevent); @@ -1843,7 +1987,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { isc_task_detach(&client->task); cleanup_client: - isc_mem_put(manager->mctx, client, sizeof(*client)); + isc_mem_putanddetach(&client->mctx, client, sizeof(*client)); return (result); } @@ -2096,12 +2240,23 @@ ns_client_replace(ns_client_t *client) { static void clientmgr_destroy(ns_clientmgr_t *manager) { +#if NMCTXS > 0 + int i; +#endif + REQUIRE(ISC_LIST_EMPTY(manager->active)); REQUIRE(ISC_LIST_EMPTY(manager->inactive)); REQUIRE(ISC_LIST_EMPTY(manager->recursing)); MTRACE("clientmgr_destroy"); +#if NMCTXS > 0 + for (i = 0; i < NMCTXS; i++) { + if (manager->mctxpool[i] != NULL) + isc_mem_detach(&manager->mctxpool[i]); + } +#endif + DESTROYLOCK(&manager->lock); manager->magic = 0; isc_mem_put(manager->mctx, manager, sizeof(*manager)); @@ -2113,6 +2268,9 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, { ns_clientmgr_t *manager; isc_result_t result; +#if NMCTXS > 0 + int i; +#endif manager = isc_mem_get(mctx, sizeof(*manager)); if (manager == NULL) @@ -2129,6 +2287,11 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, ISC_LIST_INIT(manager->active); ISC_LIST_INIT(manager->inactive); ISC_LIST_INIT(manager->recursing); +#if NMCTXS > 0 + manager->nextmctx = 0; + for (i = 0; i < NMCTXS; i++) + manager->mctxpool[i] = NULL; /* will be created on-demand */ +#endif manager->magic = MANAGER_MAGIC; MTRACE("create"); diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c index 7b5b99e..6a6d5e3 100644 --- a/contrib/bind9/bin/named/config.c +++ b/contrib/bind9/bin/named/config.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.11.2.4.8.32 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: config.c,v 1.47.18.28 2006/05/03 01:46:40 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -25,6 +27,7 @@ #include <isc/buffer.h> #include <isc/log.h> #include <isc/mem.h> +#include <isc/parseint.h> #include <isc/region.h> #include <isc/result.h> #include <isc/sockaddr.h> @@ -42,6 +45,7 @@ #include <named/config.h> #include <named/globals.h> +/*% default configuration */ static char defaultconf[] = "\ options {\n\ # blackhole {none;};\n" @@ -76,7 +80,7 @@ options {\n\ #endif "\ recursive-clients 1000;\n\ - rrset-order {order cyclic;};\n\ + rrset-order {type NS order random; order cyclic; };\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ server-id none;\n\ @@ -94,11 +98,13 @@ options {\n\ use-id-pool true;\n\ use-ixfr true;\n\ edns-udp-size 4096;\n\ + max-udp-size 4096;\n\ \n\ /* view */\n\ allow-notify {none;};\n\ allow-update-forwarding {none;};\n\ - allow-recursion {any;};\n\ + allow-query-cache { localnets; localhost; };\n\ + allow-recursion { localnets; localhost; };\n\ # allow-v6-synthesis <obsolete>;\n\ # sortlist <none>\n\ # topology <none>\n\ @@ -125,7 +131,16 @@ options {\n\ check-names master fail;\n\ check-names slave warn;\n\ check-names response ignore;\n\ - dnssec-enable no; /* Make yes for 9.4. */ \n\ + check-mx warn;\n\ + acache-enable no;\n\ + acache-cleaning-interval 60;\n\ + max-acache-size 0;\n\ + dnssec-enable yes;\n\ + dnssec-validation no; /* Make yes for 9.5. */ \n\ + dnssec-accept-expired no;\n\ + clients-per-query 10;\n\ + max-clients-per-query 100;\n\ + zero-no-soa-ttl-cache no;\n\ " " /* zone */\n\ @@ -133,6 +148,7 @@ options {\n\ allow-transfer {any;};\n\ notify yes;\n\ # also-notify <none>\n\ + notify-delay 5;\n\ dialup no;\n\ # forward <none>\n\ # forwarders <none>\n\ @@ -155,6 +171,13 @@ options {\n\ zone-statistics false;\n\ max-journal-size unlimited;\n\ ixfr-from-differences false;\n\ + check-wildcard yes;\n\ + check-sibling yes;\n\ + check-integrity yes;\n\ + check-mx-cname warn;\n\ + check-srv-cname warn;\n\ + zero-no-soa-ttl yes;\n\ + update-check-ksk yes;\n\ };\n\ " @@ -258,7 +281,6 @@ ns_config_listcount(const cfg_obj_t *list) { isc_result_t ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, dns_rdataclass_t *classp) { - const char *str; isc_textregion_t r; isc_result_t result; @@ -266,20 +288,18 @@ ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, *classp = defclass; return (ISC_R_SUCCESS); } - str = cfg_obj_asstring(classobj); - DE_CONST(str, r.base); - r.length = strlen(str); + DE_CONST(cfg_obj_asstring(classobj), r.base); + r.length = strlen(r.base); result = dns_rdataclass_fromtext(classp, &r); if (result != ISC_R_SUCCESS) cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR, - "unknown class '%s'", str); + "unknown class '%s'", r.base); return (result); } isc_result_t ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype, dns_rdatatype_t *typep) { - const char *str; isc_textregion_t r; isc_result_t result; @@ -287,13 +307,12 @@ ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype, *typep = deftype; return (ISC_R_SUCCESS); } - str = cfg_obj_asstring(typeobj); - DE_CONST(str, r.base); - r.length = strlen(str); + DE_CONST(cfg_obj_asstring(typeobj), r.base); + r.length = strlen(r.base); result = dns_rdatatype_fromtext(typep, &r); if (result != ISC_R_SUCCESS) cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR, - "unknown type '%s'", str); + "unknown type '%s'", r.base); return (result); } @@ -383,7 +402,7 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, static isc_result_t get_masters_def(const cfg_obj_t *cctx, const char *name, - const cfg_obj_t **ret) + const cfg_obj_t **ret) { isc_result_t result; const cfg_obj_t *masters = NULL; @@ -425,7 +444,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, dns_fixedname_t fname; isc_sockaddr_t *addrs = NULL; dns_name_t **keys = NULL; - const char **lists = NULL; + struct { const char *name; } *lists = NULL; struct { const cfg_listelt_t *element; in_port_t port; @@ -494,7 +513,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, } /* Seen? */ for (j = 0; j < l; j++) - if (strcasecmp(lists[j], listname) == 0) + if (strcasecmp(lists[j].name, listname) == 0) break; if (j < l) continue; @@ -508,7 +527,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, } if (tresult != ISC_R_SUCCESS) goto cleanup; - lists[l++] = listname; + lists[l++].name = listname; /* Grow stack? */ if (stackcount == pushed) { void * new; @@ -713,16 +732,65 @@ ns_config_getport(const cfg_obj_t *config, in_port_t *portp) { return (ISC_R_SUCCESS); } +struct keyalgorithms { + const char *str; + enum { hmacnone, hmacmd5, hmacsha1, hmacsha224, + hmacsha256, hmacsha384, hmacsha512 } hmac; + isc_uint16_t size; +} algorithms[] = { + { "hmac-md5", hmacmd5, 128 }, + { "hmac-md5.sig-alg.reg.int", hmacmd5, 0 }, + { "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 }, + { "hmac-sha1", hmacsha1, 160 }, + { "hmac-sha224", hmacsha224, 224 }, + { "hmac-sha256", hmacsha256, 256 }, + { "hmac-sha384", hmacsha384, 384 }, + { "hmac-sha512", hmacsha512, 512 }, + { NULL, hmacnone, 0 } +}; + isc_result_t -ns_config_getkeyalgorithm(const char *str, dns_name_t **name) +ns_config_getkeyalgorithm(const char *str, dns_name_t **name, + isc_uint16_t *digestbits) { - if (strcasecmp(str, "hmac-md5") == 0 || - strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 || - strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0) - { - if (name != NULL) - *name = dns_tsig_hmacmd5_name; - return (ISC_R_SUCCESS); + int i; + size_t len = 0; + isc_uint16_t bits; + isc_result_t result; + + for (i = 0; algorithms[i].str != NULL; i++) { + len = strlen(algorithms[i].str); + if (strncasecmp(algorithms[i].str, str, len) == 0 && + (str[len] == '\0' || + (algorithms[i].size != 0 && str[len] == '-'))) + break; } - return (ISC_R_NOTFOUND); + if (algorithms[i].str == NULL) + return (ISC_R_NOTFOUND); + if (str[len] == '-') { + result = isc_parse_uint16(&bits, str + len + 1, 10); + if (result != ISC_R_SUCCESS) + return (result); + if (bits > algorithms[i].size) + return (ISC_R_RANGE); + } else if (algorithms[i].size == 0) + bits = 128; + else + bits = algorithms[i].size; + + if (name != NULL) { + switch (algorithms[i].hmac) { + case hmacmd5: *name = dns_tsig_hmacmd5_name; break; + case hmacsha1: *name = dns_tsig_hmacsha1_name; break; + case hmacsha224: *name = dns_tsig_hmacsha224_name; break; + case hmacsha256: *name = dns_tsig_hmacsha256_name; break; + case hmacsha384: *name = dns_tsig_hmacsha384_name; break; + case hmacsha512: *name = dns_tsig_hmacsha512_name; break; + default: + INSIST(0); + } + } + if (digestbits != NULL) + *digestbits = bits; + return (ISC_R_SUCCESS); } diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c index c9d17ab..e3d54bd 100644 --- a/contrib/bind9/bin/named/control.c +++ b/contrib/bind9/bin/named/control.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.c,v 1.7.2.2.2.14 2005/04/29 01:04:47 marka Exp $ */ +/* $Id: control.c,v 1.20.10.8 2006/03/10 00:23:20 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -52,7 +54,7 @@ command_compare(const char *text, const char *command) { return (ISC_FALSE); } -/* +/*% * This function is called to process the incoming command * when a control channel message is received. */ @@ -163,8 +165,15 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { result = ns_server_freeze(ns_g_server, ISC_FALSE, command); } else if (command_compare(command, NS_COMMAND_RECURSING)) { result = ns_server_dumprecursing(ns_g_server); + } else if (command_compare(command, NS_COMMAND_TIMERPOKE)) { + result = ISC_R_SUCCESS; + isc_timermgr_poke(ns_g_timermgr); } else if (command_compare(command, NS_COMMAND_NULL)) { result = ISC_R_SUCCESS; + } else if (command_compare(command, NS_COMMAND_NOTIFY)) { + result = ns_server_notifycommand(ns_g_server, command, text); + } else if (command_compare(command, NS_COMMAND_VALIDATION)) { + result = ns_server_validation(ns_g_server, command); } else { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_WARNING, diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c index b6bcc16..3e36446 100644 --- a/contrib/bind9/bin/named/controlconf.c +++ b/contrib/bind9/bin/named/controlconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: controlconf.c,v 1.28.2.9.2.10 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: controlconf.c,v 1.40.18.10 2006/12/07 04:53:02 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -96,6 +98,10 @@ struct controllistener { isc_boolean_t exiting; controlkeylist_t keys; controlconnectionlist_t connections; + isc_sockettype_t type; + isc_uint32_t perm; + isc_uint32_t owner; + isc_uint32_t group; ISC_LINK(controllistener_t) link; }; @@ -191,6 +197,8 @@ shutdown_listener(controllistener_t *listener) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE, "stopping command channel on %s", socktext); + if (listener->type == isc_sockettype_unix) + isc_socket_cleanunix(&listener->address, ISC_TRUE); listener->exiting = ISC_TRUE; } @@ -596,7 +604,8 @@ control_newconn(isc_task_t *task, isc_event_t *event) { sock = nevent->newsocket; (void)isc_socket_getpeername(sock, &peeraddr); - if (!address_ok(&peeraddr, listener->acl)) { + if (listener->type == isc_sockettype_tcp && + !address_ok(&peeraddr, listener->acl)) { char socktext[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, @@ -681,7 +690,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx, char *newstr = NULL; const char *str; const cfg_obj_t *obj; - controlkey_t *key = NULL; + controlkey_t *key; for (element = cfg_list_first(keylist); element != NULL; @@ -700,7 +709,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx, key->secret.length = 0; ISC_LINK_INIT(key, link); ISC_LIST_APPEND(*keyids, key, link); - key = NULL; newstr = NULL; } return (ISC_R_SUCCESS); @@ -708,8 +716,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx, cleanup: if (newstr != NULL) isc_mem_free(mctx, newstr); - if (key != NULL) - isc_mem_put(mctx, key, sizeof(*key)); free_controlkeylist(keyids, mctx); return (ISC_R_NOMEMORY); } @@ -751,7 +757,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist, algstr = cfg_obj_asstring(algobj); secretstr = cfg_obj_asstring(secretobj); - if (ns_config_getkeyalgorithm(algstr, NULL) != + if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) { cfg_obj_log(control, ns_g_lctx, @@ -841,7 +847,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { algstr = cfg_obj_asstring(algobj); secretstr = cfg_obj_asstring(secretobj); - if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) { + if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) { cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, "unsupported algorithm '%s' in " @@ -918,8 +924,8 @@ get_key_info(const cfg_obj_t *config, const cfg_obj_t *control, static void update_listener(ns_controls_t *cp, controllistener_t **listenerp, const cfg_obj_t *control, const cfg_obj_t *config, - isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx, - const char *socktext) + isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx, + const char *socktext, isc_sockettype_t type) { controllistener_t *listener; const cfg_obj_t *allow; @@ -1004,10 +1010,11 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp, /* * Now, keep the old access list unless a new one can be made. */ - if (control != NULL) { + if (control != NULL && type == isc_sockettype_tcp) { allow = cfg_tuple_get(control, "allow"); - result = ns_acl_fromconfig(allow, config, aclconfctx, - listener->mctx, &new_acl); + result = cfg_acl_fromconfig(allow, config, ns_g_lctx, + aclconfctx, listener->mctx, + &new_acl); } else { result = dns_acl_any(listener->mctx, &new_acl); } @@ -1029,14 +1036,34 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp, "command channel %s: %s", socktext, isc_result_totext(result)); + if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) { + isc_uint32_t perm, owner, group; + perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm")); + owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner")); + group = cfg_obj_asuint32(cfg_tuple_get(control, "group")); + result = ISC_R_SUCCESS; + if (listener->perm != perm || listener->owner != owner || + listener->group != group) + result = isc_socket_permunix(&listener->address, perm, + owner, group); + if (result == ISC_R_SUCCESS) { + listener->perm = perm; + listener->owner = owner; + listener->group = group; + } else if (control != NULL) + cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING, + "couldn't update ownership/permission for " + "command channel %s", socktext); + } + *listenerp = listener; } static void add_listener(ns_controls_t *cp, controllistener_t **listenerp, const cfg_obj_t *control, const cfg_obj_t *config, - isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx, - const char *socktext) + isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx, + const char *socktext, isc_sockettype_t type) { isc_mem_t *mctx = cp->server->mctx; controllistener_t *listener; @@ -1059,6 +1086,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp, listener->listening = ISC_FALSE; listener->exiting = ISC_FALSE; listener->acl = NULL; + listener->type = type; + listener->perm = 0; + listener->owner = 0; + listener->group = 0; ISC_LINK_INIT(listener, link); ISC_LIST_INIT(listener->keys); ISC_LIST_INIT(listener->connections); @@ -1066,10 +1097,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp, /* * Make the acl. */ - if (control != NULL) { + if (control != NULL && type == isc_sockettype_tcp) { allow = cfg_tuple_get(control, "allow"); - result = ns_acl_fromconfig(allow, config, aclconfctx, - mctx, &new_acl); + result = cfg_acl_fromconfig(allow, config, ns_g_lctx, + aclconfctx, mctx, &new_acl); } else { result = dns_acl_any(mctx, &new_acl); } @@ -1104,20 +1135,35 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp, if (result == ISC_R_SUCCESS) { int pf = isc_sockaddr_pf(&listener->address); if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) || +#ifdef ISC_PLATFORM_HAVESYSUNH + (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) || +#endif (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS)) result = ISC_R_FAMILYNOSUPPORT; } + if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) + isc_socket_cleanunix(&listener->address, ISC_FALSE); + if (result == ISC_R_SUCCESS) result = isc_socket_create(ns_g_socketmgr, isc_sockaddr_pf(&listener->address), - isc_sockettype_tcp, - &listener->sock); + type, &listener->sock); if (result == ISC_R_SUCCESS) result = isc_socket_bind(listener->sock, &listener->address); + if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) { + listener->perm = cfg_obj_asuint32(cfg_tuple_get(control, + "perm")); + listener->owner = cfg_obj_asuint32(cfg_tuple_get(control, + "owner")); + listener->group = cfg_obj_asuint32(cfg_tuple_get(control, + "group")); + result = isc_socket_permunix(&listener->address, listener->perm, + listener->owner, listener->group); + } if (result == ISC_R_SUCCESS) result = control_listen(listener); @@ -1154,7 +1200,7 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp, isc_result_t ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config, - ns_aclconfctx_t *aclconfctx) + cfg_aclconfctx_t *aclconfctx) { controllistener_t *listener; controllistenerlist_t new_listeners; @@ -1200,9 +1246,6 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config, * The parser handles BIND 8 configuration file * syntax, so it allows unix phrases as well * inet phrases with no keys{} clause. - * - * "unix" phrases have been reported as - * unsupported by the parser. */ control = cfg_listelt_value(element2); @@ -1223,7 +1266,81 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config, socktext); update_listener(cp, &listener, control, config, - &addr, aclconfctx, socktext); + &addr, aclconfctx, socktext, + isc_sockettype_tcp); + + if (listener != NULL) + /* + * Remove the listener from the old + * list, so it won't be shut down. + */ + ISC_LIST_UNLINK(cp->listeners, + listener, link); + else + /* + * This is a new listener. + */ + add_listener(cp, &listener, control, + config, &addr, aclconfctx, + socktext, + isc_sockettype_tcp); + + if (listener != NULL) + ISC_LIST_APPEND(new_listeners, + listener, link); + } + } + for (element = cfg_list_first(controlslist); + element != NULL; + element = cfg_list_next(element)) { + const cfg_obj_t *controls; + const cfg_obj_t *unixcontrols = NULL; + + controls = cfg_listelt_value(element); + (void)cfg_map_get(controls, "unix", &unixcontrols); + if (unixcontrols == NULL) + continue; + + for (element2 = cfg_list_first(unixcontrols); + element2 != NULL; + element2 = cfg_list_next(element2)) { + const cfg_obj_t *control; + const cfg_obj_t *path; + isc_sockaddr_t addr; + isc_result_t result; + + /* + * The parser handles BIND 8 configuration file + * syntax, so it allows unix phrases as well + * inet phrases with no keys{} clause. + */ + control = cfg_listelt_value(element2); + + path = cfg_tuple_get(control, "path"); + result = isc_sockaddr_frompath(&addr, + cfg_obj_asstring(path)); + if (result != ISC_R_SUCCESS) { + isc_log_write(ns_g_lctx, + NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_CONTROL, + ISC_LOG_DEBUG(9), + "control channel '%s': %s", + cfg_obj_asstring(path), + isc_result_totext(result)); + continue; + } + + isc_log_write(ns_g_lctx, + NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_CONTROL, + ISC_LOG_DEBUG(9), + "processing control channel '%s'", + cfg_obj_asstring(path)); + + update_listener(cp, &listener, control, config, + &addr, aclconfctx, + cfg_obj_asstring(path), + isc_sockettype_unix); if (listener != NULL) /* @@ -1238,7 +1355,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config, */ add_listener(cp, &listener, control, config, &addr, aclconfctx, - socktext); + cfg_obj_asstring(path), + isc_sockettype_unix); if (listener != NULL) ISC_LIST_APPEND(new_listeners, @@ -1269,7 +1387,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config, isc_sockaddr_format(&addr, socktext, sizeof(socktext)); update_listener(cp, &listener, NULL, NULL, - &addr, NULL, socktext); + &addr, NULL, socktext, + isc_sockettype_tcp); if (listener != NULL) /* @@ -1283,7 +1402,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config, * This is a new listener. */ add_listener(cp, &listener, NULL, NULL, - &addr, NULL, socktext); + &addr, NULL, socktext, + isc_sockettype_tcp); if (listener != NULL) ISC_LIST_APPEND(new_listeners, diff --git a/contrib/bind9/bin/named/include/named/builtin.h b/contrib/bind9/bin/named/include/named/builtin.h index 15564bf..37a3e76 100644 --- a/contrib/bind9/bin/named/include/named/builtin.h +++ b/contrib/bind9/bin/named/include/named/builtin.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */ +/* $Id: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */ #ifndef NAMED_BUILTIN_H #define NAMED_BUILTIN_H 1 +/*! \file */ + #include <isc/types.h> isc_result_t ns_builtin_init(void); diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h index f602be8..0cf7985 100644 --- a/contrib/bind9/bin/named/include/named/client.h +++ b/contrib/bind9/bin/named/include/named/client.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.h,v 1.60.2.2.10.12 2006/06/06 00:11:40 marka Exp $ */ +/* $Id: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */ #ifndef NAMED_CLIENT_H #define NAMED_CLIENT_H 1 @@ -24,9 +24,8 @@ ***** Module Info *****/ -/* - * Client - * +/*! \file + * \brief * This module defines two objects, ns_client_t and ns_clientmgr_t. * * An ns_client_t object handles incoming DNS requests from clients @@ -44,12 +43,12 @@ * fully handled (which can be much later), the ns_client_t must be * notified of this by calling one of the following functions * exactly once in the context of its task: - * + * \code * ns_client_send() (sending a non-error response) * ns_client_sendraw() (sending a raw response) * ns_client_error() (sending an error response) * ns_client_next() (sending no response) - * + *\endcode * This will release any resources used by the request and * and allow the ns_client_t to listen for the next request. * @@ -84,6 +83,7 @@ typedef ISC_LIST(ns_client_t) client_list_t; +/*% nameserver client structure */ struct ns_client { unsigned int magic; isc_mem_t * mctx; @@ -116,15 +116,16 @@ struct ns_client { dns_rdataset_t * opt; isc_uint16_t udpsize; isc_uint16_t extflags; + isc_int16_t ednsversion; /* -1 noedns */ void (*next)(ns_client_t *); void (*shutdown)(void *arg, isc_result_t result); void *shutdown_arg; ns_query_t query; isc_stdtime_t requesttime; isc_stdtime_t now; - dns_name_t signername; /* [T]SIG key name */ - dns_name_t * signer; /* NULL if not valid sig */ - isc_boolean_t mortal; /* Die after handling request */ + dns_name_t signername; /*%< [T]SIG key name */ + dns_name_t * signer; /*%< NULL if not valid sig */ + isc_boolean_t mortal; /*%< Die after handling request */ isc_quota_t *tcpquota; isc_quota_t *recursionquota; ns_interface_t *interface; @@ -132,7 +133,7 @@ struct ns_client { isc_boolean_t peeraddr_valid; struct in6_pktinfo pktinfo; isc_event_t ctlevent; - /* + /*% * Information about recent FORMERR response(s), for * FORMERR loop avoidance. This is separate for each * client object rather than global only to avoid @@ -144,7 +145,7 @@ struct ns_client { dns_messageid_t id; } formerrcache; ISC_LINK(ns_client_t) link; - /* + /*% * The list 'link' is part of, or NULL if not on any list. */ client_list_t *list; @@ -154,38 +155,42 @@ struct ns_client { #define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC) #define NS_CLIENTATTR_TCP 0x01 -#define NS_CLIENTATTR_RA 0x02 /* Client gets recusive service */ -#define NS_CLIENTATTR_PKTINFO 0x04 /* pktinfo is valid */ -#define NS_CLIENTATTR_MULTICAST 0x08 /* recv'd from multicast */ -#define NS_CLIENTATTR_WANTDNSSEC 0x10 /* include dnssec records */ +#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recusive service */ +#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */ +#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */ +#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */ +extern unsigned int ns_client_requests; /*** *** Functions ***/ -/* +/*% * Note! These ns_client_ routines MUST be called ONLY from the client's * task in order to ensure synchronization. */ void ns_client_send(ns_client_t *client); -/* +/*% * Finish processing the current client request and * send client->message as a response. + * \brief + * Note! These ns_client_ routines MUST be called ONLY from the client's + * task in order to ensure synchronization. */ void ns_client_sendraw(ns_client_t *client, dns_message_t *msg); -/* +/*% * Finish processing the current client request and * send msg as a response using client->message->id for the id. */ void ns_client_error(ns_client_t *client, isc_result_t result); -/* +/*% * Finish processing the current client request and return * an error response to the client. The error response * will have an RCODE determined by 'result'. @@ -193,38 +198,32 @@ ns_client_error(ns_client_t *client, isc_result_t result); void ns_client_next(ns_client_t *client, isc_result_t result); -/* +/*% * Finish processing the current client request, * return no response to the client. */ -void -ns_client_qnamereplace(ns_client_t *client, dns_name_t *name); -/*% - * Replace the qname. - */ - isc_boolean_t ns_client_shuttingdown(ns_client_t *client); -/* +/*% * Return ISC_TRUE iff the client is currently shutting down. */ void ns_client_attach(ns_client_t *source, ns_client_t **target); -/* +/*% * Attach '*targetp' to 'source'. */ void ns_client_detach(ns_client_t **clientp); -/* +/*% * Detach '*clientp' from its client. */ isc_result_t ns_client_replace(ns_client_t *client); -/* +/*% * Try to replace the current client with a new one, so that the * current one can go off and do some lengthy work without * leaving the dispatch/socket without service. @@ -232,20 +231,20 @@ ns_client_replace(ns_client_t *client); void ns_client_settimeout(ns_client_t *client, unsigned int seconds); -/* +/*% * Set a timer in the client to go off in the specified amount of time. */ isc_result_t ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, ns_clientmgr_t **managerp); -/* +/*% * Create a client manager. */ void ns_clientmgr_destroy(ns_clientmgr_t **managerp); -/* +/*% * Destroy a client manager and all ns_client_t objects * managed by it. */ @@ -253,7 +252,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp); isc_result_t ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n, ns_interface_t *ifp, isc_boolean_t tcp); -/* +/*% * Create up to 'n' clients listening on interface 'ifp'. * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections, * otherwise for UDP requests. @@ -261,7 +260,7 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n, isc_sockaddr_t * ns_client_getsockaddr(ns_client_t *client); -/* +/*% * Get the socket address of the client whose request is * currently being processed. */ @@ -270,27 +269,27 @@ isc_result_t ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl, isc_boolean_t default_allow); -/* +/*% * Convenience function for client request ACL checking. * * Check the current client request against 'acl'. If 'acl' * is NULL, allow the request iff 'default_allow' is ISC_TRUE. * * Notes: - * This is appropriate for checking allow-update, + *\li This is appropriate for checking allow-update, * allow-query, allow-transfer, etc. It is not appropriate * for checking the blackhole list because we treat positive * matches as "allow" and negative matches as "deny"; in * the case of the blackhole list this would be backwards. * * Requires: - * 'client' points to a valid client. - * 'acl' points to a valid ACL, or is NULL. + *\li 'client' points to a valid client. + *\li 'acl' points to a valid ACL, or is NULL. * * Returns: - * ISC_R_SUCCESS if the request should be allowed - * ISC_R_REFUSED if the request should be denied - * No other return values are possible. + *\li ISC_R_SUCCESS if the request should be allowed + * \li ISC_R_REFUSED if the request should be denied + *\li No other return values are possible. */ isc_result_t @@ -298,16 +297,16 @@ ns_client_checkacl(ns_client_t *client, const char *opname, dns_acl_t *acl, isc_boolean_t default_allow, int log_level); -/* +/*% * Like ns_client_checkacl, but also logs the outcome of the * check at log level 'log_level' if denied, and at debug 3 * if approved. Log messages will refer to the request as * an 'opname' request. * * Requires: - * Those of ns_client_checkaclsilent(), and: + *\li Those of ns_client_checkaclsilent(), and: * - * 'opname' points to a null-terminated string. + *\li 'opname' points to a null-terminated string. */ void @@ -330,8 +329,7 @@ ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type, void ns_client_recursing(ns_client_t *client); /*% - * Add client to end of recursing list. If 'killoldest' is true - * kill the oldest recursive client (list head). + * Add client to end of th recursing list. */ void @@ -342,8 +340,22 @@ ns_client_killoldestquery(ns_client_t *client); void ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager); -/* +/*% * Dump the outstanding recursive queries to 'f'. */ +void +ns_client_qnamereplace(ns_client_t *client, dns_name_t *name); +/*% + * Replace the qname. + */ + +isc_boolean_t +ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey, + isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, + dns_rdataclass_t rdclass, void *arg); +/*% + * Isself callback. + */ + #endif /* NAMED_CLIENT_H */ diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h index 8e5b94a..e8e6038 100644 --- a/contrib/bind9/bin/named/include/named/config.h +++ b/contrib/bind9/bin/named/include/named/config.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001, 2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h,v 1.4.12.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */ #ifndef NAMED_CONFIG_H #define NAMED_CONFIG_H 1 +/*! \file */ + #include <isccfg/cfg.h> #include <dns/types.h> @@ -71,6 +73,7 @@ isc_result_t ns_config_getport(const cfg_obj_t *config, in_port_t *portp); isc_result_t -ns_config_getkeyalgorithm(const char *str, dns_name_t **name); +ns_config_getkeyalgorithm(const char *str, dns_name_t **name, + isc_uint16_t *digestbits); #endif /* NAMED_CONFIG_H */ diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h index bdb706e..5b7e5f4 100644 --- a/contrib/bind9/bin/named/include/named/control.h +++ b/contrib/bind9/bin/named/include/named/control.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,18 +15,20 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.h,v 1.6.2.2.2.9 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */ #ifndef NAMED_CONTROL_H #define NAMED_CONTROL_H 1 -/* +/*! \file + * \brief * The name server command channel. */ #include <isccc/types.h> -#include <named/aclconf.h> +#include <isccfg/aclconf.h> + #include <named/types.h> #define NS_CONTROL_PORT 953 @@ -48,18 +50,21 @@ #define NS_COMMAND_FREEZE "freeze" #define NS_COMMAND_UNFREEZE "unfreeze" #define NS_COMMAND_THAW "thaw" +#define NS_COMMAND_TIMERPOKE "timerpoke" #define NS_COMMAND_RECURSING "recursing" #define NS_COMMAND_NULL "null" +#define NS_COMMAND_NOTIFY "notify" +#define NS_COMMAND_VALIDATION "validation" isc_result_t ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp); -/* +/*%< * Create an initial, empty set of command channels for 'server'. */ void ns_controls_destroy(ns_controls_t **ctrlsp); -/* +/*%< * Destroy a set of command channels. * * Requires: @@ -68,8 +73,8 @@ ns_controls_destroy(ns_controls_t **ctrlsp); isc_result_t ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config, - ns_aclconfctx_t *aclconfctx); -/* + cfg_aclconfctx_t *aclconfctx); +/*%< * Configure zero or more command channels into 'controls' * as defined in the configuration parse tree 'config'. * The channels will evaluate ACLs in the context of @@ -78,7 +83,7 @@ ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config, void ns_controls_shutdown(ns_controls_t *controls); -/* +/*%< * Initiate shutdown of all the command channels in 'controls'. */ diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h index b8137e8..11f3989 100644 --- a/contrib/bind9/bin/named/include/named/globals.h +++ b/contrib/bind9/bin/named/include/named/globals.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: globals.h,v 1.59.68.7 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: globals.h,v 1.64.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_GLOBALS_H #define NAMED_GLOBALS_H 1 +/*! \file */ + #include <isc/rwlock.h> #include <isc/log.h> #include <isc/net.h> diff --git a/contrib/bind9/bin/named/include/named/interfacemgr.h b/contrib/bind9/bin/named/include/named/interfacemgr.h index 54bd91c..42279ff 100644 --- a/contrib/bind9/bin/named/include/named/interfacemgr.h +++ b/contrib/bind9/bin/named/include/named/interfacemgr.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.h,v 1.23.24.7 2004/04/29 01:31:22 marka Exp $ */ +/* $Id: interfacemgr.h,v 1.26.18.4 2005/04/27 05:00:35 sra Exp $ */ #ifndef NAMED_INTERFACEMGR_H #define NAMED_INTERFACEMGR_H 1 @@ -24,24 +24,23 @@ ***** Module Info *****/ -/* - * Interface manager - * +/*! \file + * \brief * The interface manager monitors the operating system's list * of network interfaces, creating and destroying listeners * as needed. * * Reliability: - * No impact expected. + *\li No impact expected. * * Resources: * * Security: - * The server will only be able to bind to the DNS port on + * \li The server will only be able to bind to the DNS port on * newly discovered interfaces if it is running as root. * * Standards: - * The API for scanning varies greatly among operating systems. + *\li The API for scanning varies greatly among operating systems. * This module attempts to hide the differences. */ @@ -65,23 +64,24 @@ #define IFACE_MAGIC ISC_MAGIC('I',':','-',')') #define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC) -#define NS_INTERFACEFLAG_ANYADDR 0x01U /* bound to "any" address */ +#define NS_INTERFACEFLAG_ANYADDR 0x01U /*%< bound to "any" address */ +/*% The nameserver interface structure */ struct ns_interface { - unsigned int magic; /* Magic number. */ - ns_interfacemgr_t * mgr; /* Interface manager. */ + unsigned int magic; /*%< Magic number. */ + ns_interfacemgr_t * mgr; /*%< Interface manager. */ isc_mutex_t lock; - int references; /* Locked */ - unsigned int generation; /* Generation number. */ - isc_sockaddr_t addr; /* Address and port. */ - unsigned int flags; /* Interface characteristics */ - char name[32]; /* Null terminated. */ - dns_dispatch_t * udpdispatch; /* UDP dispatcher. */ - isc_socket_t * tcpsocket; /* TCP socket. */ - int ntcptarget; /* Desired number of concurrent - TCP accepts */ - int ntcpcurrent; /* Current ditto, locked */ - ns_clientmgr_t * clientmgr; /* Client manager. */ + int references; /*%< Locked */ + unsigned int generation; /*%< Generation number. */ + isc_sockaddr_t addr; /*%< Address and port. */ + unsigned int flags; /*%< Interface characteristics */ + char name[32]; /*%< Null terminated. */ + dns_dispatch_t * udpdispatch; /*%< UDP dispatcher. */ + isc_socket_t * tcpsocket; /*%< TCP socket. */ + int ntcptarget; /*%< Desired number of concurrent + TCP accepts */ + int ntcpcurrent; /*%< Current ditto, locked */ + ns_clientmgr_t * clientmgr; /*%< Client manager. */ ISC_LINK(ns_interface_t) link; }; @@ -94,7 +94,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr, dns_dispatchmgr_t *dispatchmgr, ns_interfacemgr_t **mgrp); -/* +/*% * Create a new interface manager. * * Initially, the new manager will not listen on any interfaces. @@ -113,7 +113,7 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr); void ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose); -/* +/*% * Scan the operatings system's list of network interfaces * and create listeners when new interfaces are discovered. * Shut down the sockets for interfaces that go away. @@ -126,7 +126,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose); void ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list, isc_boolean_t verbose); -/* +/*% * Similar to ns_interfacemgr_scan(), but this function also tries to see the * need for an explicit listen-on when a list element in 'list' is going to * override an already-listening a wildcard interface. @@ -139,14 +139,14 @@ ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list, void ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value); -/* +/*% * Set the IPv4 "listen-on" list of 'mgr' to 'value'. * The previous IPv4 listen-on list is freed. */ void ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value); -/* +/*% * Set the IPv6 "listen-on" list of 'mgr' to 'value'. * The previous IPv6 listen-on list is freed. */ @@ -162,7 +162,7 @@ ns_interface_detach(ns_interface_t **targetp); void ns_interface_shutdown(ns_interface_t *ifp); -/* +/*% * Stop listening for queries on interface 'ifp'. * May safely be called multiple times. */ @@ -170,4 +170,7 @@ ns_interface_shutdown(ns_interface_t *ifp); void ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr); +isc_boolean_t +ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr); + #endif /* NAMED_INTERFACEMGR_H */ diff --git a/contrib/bind9/bin/named/include/named/listenlist.h b/contrib/bind9/bin/named/include/named/listenlist.h index 31e8893..cdca026 100644 --- a/contrib/bind9/bin/named/include/named/listenlist.h +++ b/contrib/bind9/bin/named/include/named/listenlist.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: listenlist.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */ +/* $Id: listenlist.h,v 1.11.18.2 2005/04/29 00:15:34 marka Exp $ */ #ifndef NAMED_LISTENLIST_H #define NAMED_LISTENLIST_H 1 @@ -24,7 +24,8 @@ ***** Module Info *****/ -/* +/*! \file + * \brief * "Listen lists", as in the "listen-on" configuration statement. */ @@ -62,38 +63,38 @@ struct ns_listenlist { isc_result_t ns_listenelt_create(isc_mem_t *mctx, in_port_t port, dns_acl_t *acl, ns_listenelt_t **target); -/* +/*% * Create a listen-on list element. */ void ns_listenelt_destroy(ns_listenelt_t *elt); -/* +/*% * Destroy a listen-on list element. */ isc_result_t ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target); -/* +/*% * Create a new, empty listen-on list. */ void ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target); -/* +/*% * Attach '*target' to '*source'. */ void ns_listenlist_detach(ns_listenlist_t **listp); -/* +/*% * Detach 'listp'. */ isc_result_t ns_listenlist_default(isc_mem_t *mctx, in_port_t port, isc_boolean_t enabled, ns_listenlist_t **target); -/* +/*% * Create a listen-on list with default contents, matching * all addresses with port 'port' (if 'enabled' is ISC_TRUE), * or no addresses (if 'enabled' is ISC_FALSE). diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h index e8ad1ca..6d6e648 100644 --- a/contrib/bind9/bin/named/include/named/log.h +++ b/contrib/bind9/bin/named/include/named/log.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: log.h,v 1.21.18.2 2005/04/29 00:15:35 marka Exp $ */ #ifndef NAMED_LOG_H #define NAMED_LOG_H 1 +/*! \file */ + #include <isc/log.h> #include <isc/types.h> @@ -54,7 +56,7 @@ isc_result_t ns_log_init(isc_boolean_t safe); -/* +/*% * Initialize the logging system and set up an initial default * logging default configuration that will be used until the * config file has been read. @@ -66,7 +68,7 @@ ns_log_init(isc_boolean_t safe); isc_result_t ns_log_setdefaultchannels(isc_logconfig_t *lcfg); -/* +/*% * Set up logging channels according to the named defaults, which * may differ from the logging library defaults. Currently, * this just means setting up default_debug. @@ -74,19 +76,19 @@ ns_log_setdefaultchannels(isc_logconfig_t *lcfg); isc_result_t ns_log_setsafechannels(isc_logconfig_t *lcfg); -/* +/*% * Like ns_log_setdefaultchannels(), but omits any logging to files. */ isc_result_t ns_log_setdefaultcategory(isc_logconfig_t *lcfg); -/* +/*% * Set up "category default" to go to the right places. */ isc_result_t ns_log_setunmatchedcategory(isc_logconfig_t *lcfg); -/* +/*% * Set up "category unmatched" to go to the right places. */ diff --git a/contrib/bind9/bin/named/include/named/logconf.h b/contrib/bind9/bin/named/include/named/logconf.h index b92ad31..79df5c6 100644 --- a/contrib/bind9/bin/named/include/named/logconf.h +++ b/contrib/bind9/bin/named/include/named/logconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,16 +15,18 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: logconf.h,v 1.10.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: logconf.h,v 1.11.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_LOGCONF_H #define NAMED_LOGCONF_H 1 +/*! \file */ + #include <isc/log.h> isc_result_t ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt); -/* +/*%< * Set up the logging configuration in '*logconf' according to * the named.conf data in 'logstmt'. */ diff --git a/contrib/bind9/bin/named/include/named/lwaddr.h b/contrib/bind9/bin/named/include/named/lwaddr.h index 0aa66b7..552d1d4 100644 --- a/contrib/bind9/bin/named/include/named/lwaddr.h +++ b/contrib/bind9/bin/named/include/named/lwaddr.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwaddr.h,v 1.3.208.1 2004/03/06 10:21:24 marka Exp $ */ +/* $Id: lwaddr.h,v 1.4.18.2 2005/04/29 00:15:35 marka Exp $ */ + +/*! \file */ #include <lwres/lwres.h> #include <lwres/net.h> diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h index 09d68ff..591b86c 100644 --- a/contrib/bind9/bin/named/include/named/lwdclient.h +++ b/contrib/bind9/bin/named/include/named/lwdclient.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdclient.h,v 1.13.208.1 2004/03/06 10:21:24 marka Exp $ */ +/* $Id: lwdclient.h,v 1.14.18.2 2005/04/29 00:15:36 marka Exp $ */ #ifndef NAMED_LWDCLIENT_H #define NAMED_LWDCLIENT_H 1 +/*! \file */ + #include <isc/event.h> #include <isc/eventclass.h> #include <isc/netaddr.h> @@ -37,23 +39,24 @@ #define LWRD_SHUTDOWN (LWRD_EVENTCLASS + 0x0001) +/*% Lighweight Resolver Daemon Client */ struct ns_lwdclient { - isc_sockaddr_t address; /* where to reply */ + isc_sockaddr_t address; /*%< where to reply */ struct in6_pktinfo pktinfo; isc_boolean_t pktinfo_valid; - ns_lwdclientmgr_t *clientmgr; /* our parent */ + ns_lwdclientmgr_t *clientmgr; /*%< our parent */ ISC_LINK(ns_lwdclient_t) link; unsigned int state; - void *arg; /* packet processing state */ + void *arg; /*%< packet processing state */ /* * Received data info. */ - unsigned char buffer[LWRES_RECVLENGTH]; /* receive buffer */ - isc_uint32_t recvlength; /* length recv'd */ + unsigned char buffer[LWRES_RECVLENGTH]; /*%< receive buffer */ + isc_uint32_t recvlength; /*%< length recv'd */ lwres_lwpacket_t pkt; - /* + /*% * Send data state. If sendbuf != buffer (that is, the send buffer * isn't our receive buffer) it will be freed to the lwres_context_t. */ @@ -61,19 +64,19 @@ struct ns_lwdclient { isc_uint32_t sendlength; isc_buffer_t recv_buffer; - /* + /*% * gabn (get address by name) state info. */ dns_adbfind_t *find; dns_adbfind_t *v4find; dns_adbfind_t *v6find; - unsigned int find_wanted; /* Addresses we want */ + unsigned int find_wanted; /*%< Addresses we want */ dns_fixedname_t query_name; dns_fixedname_t target_name; ns_lwsearchctx_t searchctx; lwres_gabnresponse_t gabn; - /* + /*% * gnba (get name by address) state info. */ lwres_gnbaresponse_t gnba; @@ -81,7 +84,7 @@ struct ns_lwdclient { unsigned int options; isc_netaddr_t na; - /* + /*% * grbn (get rrset by name) state info. * * Note: this also uses target_name and searchctx. @@ -90,7 +93,7 @@ struct ns_lwdclient { dns_lookup_t *lookup; dns_rdatatype_t rdtype; - /* + /*% * Alias and address info. This is copied up to the gabn/gnba * structures eventually. * @@ -103,7 +106,7 @@ struct ns_lwdclient { lwres_addr_t addrs[LWRES_MAX_ADDRS]; }; -/* +/*% * Client states. * * _IDLE The client is not doing anything at all. @@ -156,7 +159,7 @@ struct ns_lwdclient { #define NS_LWDCLIENT_ISSEND(c) \ ((c)->state == NS_LWDCLIENT_STATESEND) -/* +/*% * Overall magic test that means we're not idle. */ #define NS_LWDCLIENT_ISRUNNING(c) (!NS_LWDCLIENT_ISIDLE(c)) @@ -174,17 +177,18 @@ struct ns_lwdclient { #define NS_LWDCLIENT_SETSENDDONE(c) \ ((c)->state = NS_LWDCLIENT_STATESENDDONE) +/*% lightweight daemon client manager */ struct ns_lwdclientmgr { ns_lwreslistener_t *listener; isc_mem_t *mctx; - isc_socket_t *sock; /* socket to use */ + isc_socket_t *sock; /*%< socket to use */ dns_view_t *view; - lwres_context_t *lwctx; /* lightweight proto context */ - isc_task_t *task; /* owning task */ + lwres_context_t *lwctx; /*%< lightweight proto context */ + isc_task_t *task; /*%< owning task */ unsigned int flags; ISC_LINK(ns_lwdclientmgr_t) link; - ISC_LIST(ns_lwdclient_t) idle; /* idle client slots */ - ISC_LIST(ns_lwdclient_t) running; /* running clients */ + ISC_LIST(ns_lwdclient_t) idle; /*%< idle client slots */ + ISC_LIST(ns_lwdclient_t) running; /*%< running clients */ }; #define NS_LWDCLIENTMGR_FLAGRECVPENDING 0x00000001 diff --git a/contrib/bind9/bin/named/include/named/lwresd.h b/contrib/bind9/bin/named/include/named/lwresd.h index 2aa1d55..ef93fcd 100644 --- a/contrib/bind9/bin/named/include/named/lwresd.h +++ b/contrib/bind9/bin/named/include/named/lwresd.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwresd.h,v 1.12.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: lwresd.h,v 1.13.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_LWRESD_H #define NAMED_LWRESD_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/sockaddr.h> @@ -52,7 +54,7 @@ struct ns_lwreslistener { ISC_LINK(ns_lwreslistener_t) link; }; -/* +/*% * Configure lwresd. */ isc_result_t @@ -62,7 +64,7 @@ isc_result_t ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx, cfg_obj_t **configp); -/* +/*% * Trigger shutdown. */ void @@ -71,29 +73,36 @@ ns_lwresd_shutdown(void); /* * Manager functions */ +/*% create manager */ isc_result_t ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres, ns_lwresd_t **lwresdp); +/*% attach to manager */ void ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp); +/*% detach from manager */ void ns_lwdmanager_detach(ns_lwresd_t **lwresdp); /* * Listener functions */ +/*% attach to listener */ void ns_lwreslistener_attach(ns_lwreslistener_t *source, ns_lwreslistener_t **targetp); +/*% detach from lister */ void ns_lwreslistener_detach(ns_lwreslistener_t **listenerp); +/*% link client manager */ void ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm); +/*% unlink client manager */ void ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm); diff --git a/contrib/bind9/bin/named/include/named/lwsearch.h b/contrib/bind9/bin/named/include/named/lwsearch.h index a864a89..b85e401 100644 --- a/contrib/bind9/bin/named/include/named/lwsearch.h +++ b/contrib/bind9/bin/named/include/named/lwsearch.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwsearch.h,v 1.4.208.1 2004/03/06 10:21:25 marka Exp $ */ +/* $Id: lwsearch.h,v 1.5.18.2 2005/04/29 00:15:36 marka Exp $ */ #ifndef NAMED_LWSEARCH_H #define NAMED_LWSEARCH_H 1 @@ -28,7 +28,8 @@ #include <named/types.h> -/* +/*! \file + * \brief * Lightweight resolver search list types and routines. * * An ns_lwsearchlist_t holds a list of search path elements. @@ -37,6 +38,7 @@ * operation. */ +/*% An ns_lwsearchlist_t holds a list of search path elements. */ struct ns_lwsearchlist { unsigned int magic; @@ -45,7 +47,7 @@ struct ns_lwsearchlist { unsigned int refs; dns_namelist_t names; }; - +/*% An ns_lwsearchctx stores the state of search list during a lookup operation. */ struct ns_lwsearchctx { dns_name_t *relname; dns_name_t *searchname; @@ -57,51 +59,51 @@ struct ns_lwsearchctx { isc_result_t ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp); -/* +/*%< * Create an empty search list object. */ void ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target); -/* +/*%< * Attach to a search list object. */ void ns_lwsearchlist_detach(ns_lwsearchlist_t **listp); -/* +/*%< * Detach from a search list object. */ isc_result_t ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name); -/* +/*%< * Append an element to a search list. This creates a copy of the name. */ void ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list, dns_name_t *name, unsigned int ndots); -/* +/*%< * Creates a search list context structure. */ void ns_lwsearchctx_first(ns_lwsearchctx_t *sctx); -/* +/*%< * Moves the search list context iterator to the first element, which * is usually the exact name. */ isc_result_t ns_lwsearchctx_next(ns_lwsearchctx_t *sctx); -/* +/*%< * Moves the search list context iterator to the next element. */ isc_result_t ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname); -/* +/*%< * Obtains the current name to be looked up. This involves either * concatenating the name with a search path element, making an * exact name absolute, or doing nothing. diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h index e37b519..dd4fe8c 100644 --- a/contrib/bind9/bin/named/include/named/main.h +++ b/contrib/bind9/bin/named/include/named/main.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.h,v 1.8.2.2.8.4 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: main.h,v 1.11.18.2 2005/04/29 00:15:37 marka Exp $ */ #ifndef NAMED_MAIN_H #define NAMED_MAIN_H 1 +/*! \file */ + void ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h index 3cb1d85..106d70c 100644 --- a/contrib/bind9/bin/named/include/named/notify.h +++ b/contrib/bind9/bin/named/include/named/notify.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: notify.h,v 1.9.208.1 2004/03/06 10:21:25 marka Exp $ */ +/* $Id: notify.h,v 1.10.18.2 2005/04/29 00:15:37 marka Exp $ */ #ifndef NAMED_NOTIFY_H #define NAMED_NOTIFY_H 1 @@ -27,8 +27,9 @@ *** Module Info ***/ -/* - * RFC 1996 +/*! \file + * \brief + * RFC1996 * A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) */ @@ -39,7 +40,7 @@ void ns_notify_start(ns_client_t *client); -/* +/*%< * Examines the incoming message to determine apporiate zone. * Returns FORMERR if there is not exactly one question. * Returns REFUSED if we do not serve the listed zone. @@ -47,7 +48,7 @@ ns_notify_start(ns_client_t *client); * and returns the return status. * * Requires - * client to be valid. + *\li client to be valid. */ #endif /* NAMED_NOTIFY_H */ diff --git a/contrib/bind9/bin/named/include/named/ns_smf_globals.h b/contrib/bind9/bin/named/include/named/ns_smf_globals.h index 49aa31d..06df2ba 100644 --- a/contrib/bind9/bin/named/include/named/ns_smf_globals.h +++ b/contrib/bind9/bin/named/include/named/ns_smf_globals.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ns_smf_globals.h,v 1.2.4.4 2005/05/13 01:22:33 marka Exp $ */ +/* $Id: ns_smf_globals.h,v 1.2.2.4 2005/05/13 01:32:46 marka Exp $ */ #ifndef NS_SMF_GLOBALS_H #define NS_SMF_GLOBALS_H 1 diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h index 6f348d5..741212f 100644 --- a/contrib/bind9/bin/named/include/named/query.h +++ b/contrib/bind9/bin/named/include/named/query.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.h,v 1.28.2.3.8.6 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: query.h,v 1.36.18.2 2005/04/29 00:15:37 marka Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/buffer.h> #include <isc/netaddr.h> @@ -28,6 +30,7 @@ #include <named/types.h> +/*% nameserver database version structure */ typedef struct ns_dbversion { dns_db_t *db; dns_dbversion_t *version; @@ -35,6 +38,7 @@ typedef struct ns_dbversion { ISC_LINK(struct ns_dbversion) link; } ns_dbversion_t; +/*% nameserver query structure */ struct ns_query { unsigned int attributes; unsigned int restarts; diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h index 37526c0..54d1dae 100644 --- a/contrib/bind9/bin/named/include/named/server.h +++ b/contrib/bind9/bin/named/include/named/server.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.h,v 1.58.2.1.10.13 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */ #ifndef NAMED_SERVER_H #define NAMED_SERVER_H 1 +/*! \file */ + #include <isc/log.h> #include <isc/sockaddr.h> #include <isc/magic.h> @@ -35,7 +37,7 @@ #define NS_EVENT_RELOAD (NS_EVENTCLASS + 0) #define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1) -/* +/*% * Name server state. Better here than in lots of separate global variables. */ struct ns_server { @@ -49,18 +51,18 @@ struct ns_server { isc_quota_t tcpquota; isc_quota_t recursionquota; dns_acl_t *blackholeacl; - char * statsfile; /* Statistics file name */ - char * dumpfile; /* Dump file name */ - char * recfile; /* Recursive file name */ - isc_boolean_t version_set; /* User has set version */ - char * version; /* User-specified version */ - isc_boolean_t hostname_set; /* User has set hostname */ - char * hostname; /* User-specified hostname */ - /* Use hostname for server id */ + char * statsfile; /*%< Statistics file name */ + char * dumpfile; /*%< Dump file name */ + char * recfile; /*%< Recursive file name */ + isc_boolean_t version_set; /*%< User has set version */ + char * version; /*%< User-specified version */ + isc_boolean_t hostname_set; /*%< User has set hostname */ + char * hostname; /*%< User-specified hostname */ + /*% Use hostname for server id */ isc_boolean_t server_usehostname; - char * server_id; /* User-specified server id */ + char * server_id; /*%< User-specified server id */ - /* + /*% * Current ACL environment. This defines the * current values of the localhost and localnets * ACLs. @@ -77,6 +79,8 @@ struct ns_server { isc_timer_t * interface_timer; isc_timer_t * heartbeat_timer; + isc_timer_t * pps_timer; + isc_uint32_t interface_interval; isc_uint32_t heartbeat_interval; @@ -84,14 +88,15 @@ struct ns_server { isc_event_t * reload_event; isc_boolean_t flushonshutdown; - isc_boolean_t log_queries; /* For BIND 8 compatibility */ + isc_boolean_t log_queries; /*%< For BIND 8 compatibility */ - isc_uint64_t * querystats; /* Query statistics counters */ + isc_uint64_t * querystats; /*%< Query statistics counters */ - ns_controls_t * controls; /* Control channels */ + ns_controls_t * controls; /*%< Control channels */ unsigned int dispatchgen; ns_dispatchlist_t dispatches; - + + dns_acache_t *acache; }; #define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R') @@ -99,7 +104,7 @@ struct ns_server { void ns_server_create(isc_mem_t *mctx, ns_server_t **serverp); -/* +/*%< * Create a server object with default settings. * This function either succeeds or causes the program to exit * with a fatal error. @@ -107,13 +112,13 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp); void ns_server_destroy(ns_server_t **serverp); -/* +/*%< * Destroy a server object, freeing its memory. */ void ns_server_reloadwanted(ns_server_t *server); -/* +/*%< * Inform a server that a reload is wanted. This function * may be called asynchronously, from outside the server's task. * If a reload is already scheduled or in progress, the call @@ -122,92 +127,104 @@ ns_server_reloadwanted(ns_server_t *server); void ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush); -/* +/*%< * Inform the server that the zones should be flushed to disk on shutdown. */ isc_result_t ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text); -/* +/*%< * Act on a "reload" command from the command channel. */ isc_result_t ns_server_reconfigcommand(ns_server_t *server, char *args); -/* +/*%< * Act on a "reconfig" command from the command channel. */ isc_result_t +ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text); +/*%< + * Act on a "notify" command from the command channel. + */ + +isc_result_t ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text); -/* +/*%< * Act on a "refresh" command from the command channel. */ isc_result_t ns_server_retransfercommand(ns_server_t *server, char *args); -/* +/*%< * Act on a "retransfer" command from the command channel. */ isc_result_t ns_server_togglequerylog(ns_server_t *server); -/* +/*%< * Toggle logging of queries, as in BIND 8. */ -/* +/*% * Dump the current statistics to the statistics file. */ isc_result_t ns_server_dumpstats(ns_server_t *server); -/* +/*% * Dump the current cache to the dump file. */ isc_result_t ns_server_dumpdb(ns_server_t *server, char *args); -/* +/*% * Change or increment the server debug level. */ isc_result_t ns_server_setdebuglevel(ns_server_t *server, char *args); -/* +/*% * Flush the server's cache(s) */ isc_result_t ns_server_flushcache(ns_server_t *server, char *args); -/* +/*% * Flush a particular name from the server's cache(s) */ isc_result_t ns_server_flushname(ns_server_t *server, char *args); -/* +/*% * Report the server's status. */ isc_result_t ns_server_status(ns_server_t *server, isc_buffer_t *text); -/* +/*% * Enable or disable updates for a zone. */ isc_result_t ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args); -/* +/*% * Dump the current recursive queries. */ isc_result_t ns_server_dumprecursing(ns_server_t *server); -/* +/*% * Maintain a list of dispatches that require reserved ports. */ void ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr); +/*% + * Enable or disable dnssec validation. + */ +isc_result_t +ns_server_validation(ns_server_t *server, char *args); + #endif /* NAMED_SERVER_H */ diff --git a/contrib/bind9/bin/named/include/named/sortlist.h b/contrib/bind9/bin/named/include/named/sortlist.h index 9966686..f849be2 100644 --- a/contrib/bind9/bin/named/include/named/sortlist.h +++ b/contrib/bind9/bin/named/include/named/sortlist.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,22 +15,24 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sortlist.h,v 1.4.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: sortlist.h,v 1.5.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_SORTLIST_H #define NAMED_SORTLIST_H 1 +/*! \file */ + #include <isc/types.h> #include <dns/types.h> -/* +/*% * Type for callback functions that rank addresses. */ typedef int (*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg); -/* +/*% * Return value type for setup_sortlist. */ typedef enum { @@ -42,7 +44,7 @@ typedef enum { ns_sortlisttype_t ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, const void **argp); -/* +/*%< * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any. * * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and @@ -57,14 +59,14 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, int ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg); -/* +/*%< * Find the sort order of 'addr' in 'arg', the matching element * of a 1-element top-level sortlist statement. */ int ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg); -/* +/*%< * Find the sort order of 'addr' in 'arg', a topology-like * ACL forming the second element in a 2-element top-level * sortlist statement. @@ -74,7 +76,7 @@ void ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr, dns_addressorderfunc_t *orderp, const void **argp); -/* +/*%< * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any. * If a sortlist statement applies, return in '*orderp' a pointer to a function * for ranking network addresses based on that sortlist statement, and in diff --git a/contrib/bind9/bin/named/include/named/tkeyconf.h b/contrib/bind9/bin/named/include/named/tkeyconf.h index ac72f3e..946944d 100644 --- a/contrib/bind9/bin/named/include/named/tkeyconf.h +++ b/contrib/bind9/bin/named/include/named/tkeyconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tkeyconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tkeyconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NS_TKEYCONF_H #define NS_TKEYCONF_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/lang.h> @@ -30,20 +32,20 @@ ISC_LANG_BEGINDECLS isc_result_t ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp); -/* +/*%< * Create a TKEY context and configure it, including the default DH key * and default domain, according to 'options'. * * Requires: - * 'cfg' is a valid configuration options object. - * 'mctx' is not NULL - * 'ectx' is not NULL - * 'tctx' is not NULL - * '*tctx' is NULL + *\li 'cfg' is a valid configuration options object. + *\li 'mctx' is not NULL + *\li 'ectx' is not NULL + *\li 'tctx' is not NULL + *\li '*tctx' is NULL * * Returns: - * ISC_R_SUCCESS - * ISC_R_NOMEMORY + *\li ISC_R_SUCCESS + *\li ISC_R_NOMEMORY */ ISC_LANG_ENDDECLS diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h index fcb415e..a18eede 100644 --- a/contrib/bind9/bin/named/include/named/tsigconf.h +++ b/contrib/bind9/bin/named/include/named/tsigconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsigconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tsigconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NS_TSIGCONF_H #define NS_TSIGCONF_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/lang.h> @@ -28,18 +30,18 @@ ISC_LANG_BEGINDECLS isc_result_t ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_tsig_keyring_t **ringp); -/* +/*%< * Create a TSIG key ring and configure it according to the 'key' * statements in the global and view configuration objects. * * Requires: - * 'config' is not NULL. - * 'mctx' is not NULL - * 'ring' is not NULL, and '*ring' is NULL + * \li 'config' is not NULL. + * \li 'mctx' is not NULL + * \li 'ring' is not NULL, and '*ring' is NULL * * Returns: - * ISC_R_SUCCESS - * ISC_R_NOMEMORY + * \li ISC_R_SUCCESS + * \li ISC_R_NOMEMORY */ ISC_LANG_ENDDECLS diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h index eb44c53..abc25d5 100644 --- a/contrib/bind9/bin/named/include/named/types.h +++ b/contrib/bind9/bin/named/include/named/types.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: types.h,v 1.19.208.2 2004/03/06 10:21:26 marka Exp $ */ +/* $Id: types.h,v 1.21.18.2 2005/04/29 00:15:38 marka Exp $ */ #ifndef NAMED_TYPES_H #define NAMED_TYPES_H 1 +/*! \file */ + #include <dns/types.h> typedef struct ns_client ns_client_t; diff --git a/contrib/bind9/bin/named/include/named/update.h b/contrib/bind9/bin/named/include/named/update.h index 4c97235..37daa95 100644 --- a/contrib/bind9/bin/named/include/named/update.h +++ b/contrib/bind9/bin/named/include/named/update.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.h,v 1.8.208.1 2004/03/06 10:21:26 marka Exp $ */ +/* $Id: update.h,v 1.9.18.2 2005/04/29 00:15:39 marka Exp $ */ #ifndef NAMED_UPDATE_H #define NAMED_UPDATE_H 1 @@ -24,7 +24,8 @@ ***** Module Info *****/ -/* +/*! \file + * \brief * RFC2136 Dynamic Update */ diff --git a/contrib/bind9/bin/named/include/named/xfrout.h b/contrib/bind9/bin/named/include/named/xfrout.h index e96ff31..82e0e66 100644 --- a/contrib/bind9/bin/named/include/named/xfrout.h +++ b/contrib/bind9/bin/named/include/named/xfrout.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrout.h,v 1.7.208.1 2004/03/06 10:21:27 marka Exp $ */ +/* $Id: xfrout.h,v 1.8.18.2 2005/04/29 00:15:39 marka Exp $ */ #ifndef NAMED_XFROUT_H #define NAMED_XFROUT_H 1 @@ -24,7 +24,8 @@ ***** Module Info *****/ -/* +/*! \file + * \brief * Outgoing zone transfers (AXFR + IXFR). */ diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h index 3e63053..61737a2 100644 --- a/contrib/bind9/bin/named/include/named/zoneconf.h +++ b/contrib/bind9/bin/named/include/named/zoneconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,25 +15,26 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.h,v 1.16.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: zoneconf.h,v 1.19.18.5 2006/03/02 00:37:21 marka Exp $ */ #ifndef NS_ZONECONF_H #define NS_ZONECONF_H 1 +/*! \file */ + #include <isc/lang.h> #include <isc/types.h> +#include <isccfg/aclconf.h> #include <isccfg/cfg.h> -#include <named/aclconf.h> - ISC_LANG_BEGINDECLS isc_result_t ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, - const cfg_obj_t *zconfig, ns_aclconfctx_t *ac, + const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac, dns_zone_t *zone); -/* +/*%< * Configure or reconfigure a zone according to the named.conf * data in 'cctx' and 'czone'. * @@ -41,16 +42,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, * at zone creation time. * * Require: - * 'lctx' to be initialized or NULL. - * 'cctx' to be initialized or NULL. - * 'ac' to point to an initialized ns_aclconfctx_t. - * 'czone' to be initialized. - * 'zone' to be initialized. + * \li 'lctx' to be initialized or NULL. + * \li 'cctx' to be initialized or NULL. + * \li 'ac' to point to an initialized ns_aclconfctx_t. + * \li 'czone' to be initialized. + * \li 'zone' to be initialized. */ isc_boolean_t ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig); -/* +/*%< * If 'zone' can be safely reconfigured according to the configuration * data in 'zconfig', return ISC_TRUE. If the configuration data is so * different from the current zone state that the zone needs to be destroyed diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c index a341056..db41031 100644 --- a/contrib/bind9/bin/named/interfacemgr.c +++ b/contrib/bind9/bin/named/interfacemgr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.c,v 1.59.2.5.8.18 2006/07/19 00:16:28 marka Exp $ */ +/* $Id: interfacemgr.c,v 1.76.18.8 2006/07/20 01:10:30 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -37,24 +39,29 @@ #define IFMGR_COMMON_LOGARGS \ ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR +/*% nameserver interface manager structure */ struct ns_interfacemgr { - unsigned int magic; /* Magic number. */ + unsigned int magic; /*%< Magic number. */ int references; isc_mutex_t lock; - isc_mem_t * mctx; /* Memory context. */ - isc_taskmgr_t * taskmgr; /* Task manager. */ - isc_socketmgr_t * socketmgr; /* Socket manager. */ + isc_mem_t * mctx; /*%< Memory context. */ + isc_taskmgr_t * taskmgr; /*%< Task manager. */ + isc_socketmgr_t * socketmgr; /*%< Socket manager. */ dns_dispatchmgr_t * dispatchmgr; - unsigned int generation; /* Current generation no. */ + unsigned int generation; /*%< Current generation no. */ ns_listenlist_t * listenon4; ns_listenlist_t * listenon6; - dns_aclenv_t aclenv; /* Localhost/localnets ACLs */ - ISC_LIST(ns_interface_t) interfaces; /* List of interfaces. */ + dns_aclenv_t aclenv; /*%< Localhost/localnets ACLs */ + ISC_LIST(ns_interface_t) interfaces; /*%< List of interfaces. */ + ISC_LIST(isc_sockaddr_t) listenon; }; static void purge_old_interfaces(ns_interfacemgr_t *mgr); +static void +clearlistenon(ns_interfacemgr_t *mgr); + isc_result_t ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr, @@ -85,6 +92,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, mgr->listenon6 = NULL; ISC_LIST_INIT(mgr->interfaces); + ISC_LIST_INIT(mgr->listenon); /* * The listen-on lists are initially empty. @@ -117,6 +125,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) { dns_aclenv_destroy(&mgr->aclenv); ns_listenlist_detach(&mgr->listenon4); ns_listenlist_detach(&mgr->listenon6); + clearlistenon(mgr); DESTROYLOCK(&mgr->lock); mgr->magic = 0; isc_mem_put(mgr->mctx, mgr, sizeof(*mgr)); @@ -158,7 +167,7 @@ void ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) { REQUIRE(NS_INTERFACEMGR_VALID(mgr)); - /* + /*% * Shut down and detach all interfaces. * By incrementing the generation count, we make purge_old_interfaces() * consider all interfaces "old". @@ -432,7 +441,7 @@ ns_interface_detach(ns_interface_t **targetp) { *targetp = NULL; } -/* +/*% * Search the interface list for an interface whose address and port * both match those of 'addr'. Return a pointer to it, or NULL if not found. */ @@ -447,7 +456,7 @@ find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { return (ifp); } -/* +/*% * Remove any interfaces whose generation number is not the current one. */ static void @@ -537,6 +546,43 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) { return (ISC_R_SUCCESS); } +static void +setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface, + in_port_t port) +{ + isc_sockaddr_t *addr; + isc_sockaddr_t *old; + + addr = isc_mem_get(mgr->mctx, sizeof(*addr)); + if (addr == NULL) + return; + + isc_sockaddr_fromnetaddr(addr, &interface->address, port); + + for (old = ISC_LIST_HEAD(mgr->listenon); + old != NULL; + old = ISC_LIST_NEXT(old, link)) + if (isc_sockaddr_equal(addr, old)) + break; + + if (old != NULL) + isc_mem_put(mgr->mctx, addr, sizeof(*addr)); + else + ISC_LIST_APPEND(mgr->listenon, addr, link); +} + +static void +clearlistenon(ns_interfacemgr_t *mgr) { + isc_sockaddr_t *old; + + old = ISC_LIST_HEAD(mgr->listenon); + while (old != NULL) { + ISC_LIST_UNLINK(mgr->listenon, old, link); + isc_mem_put(mgr->mctx, old, sizeof(*old)); + old = ISC_LIST_HEAD(mgr->listenon); + } +} + static isc_result_t do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, isc_boolean_t verbose) @@ -553,6 +599,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, isc_sockaddr_t listen_addr; ns_interface_t *ifp; isc_boolean_t log_explicit = ISC_FALSE; + isc_boolean_t dolistenon; if (ext_listen != NULL) adjusting = ISC_TRUE; @@ -643,6 +690,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, result = clearacl(mgr->mctx, &mgr->aclenv.localnets); if (result != ISC_R_SUCCESS) goto cleanup_iter; + clearlistenon(mgr); } for (result = isc_interfaceiter_first(iter); @@ -688,6 +736,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, } ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6; + dolistenon = ISC_TRUE; for (le = ISC_LIST_HEAD(ll->elts); le != NULL; le = ISC_LIST_NEXT(le, link)) @@ -723,6 +772,11 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, if (match <= 0) continue; + if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) { + setup_listenon(mgr, &interface, le->port); + dolistenon = ISC_FALSE; + } + /* * The case of "any" IPv6 address will require * special considerations later, so remember it. @@ -909,3 +963,16 @@ ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) { } UNLOCK(&mgr->lock); } + +isc_boolean_t +ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { + isc_sockaddr_t *old; + + old = ISC_LIST_HEAD(mgr->listenon); + for (old = ISC_LIST_HEAD(mgr->listenon); + old != NULL; + old = ISC_LIST_NEXT(old, link)) + if (isc_sockaddr_equal(old, addr)) + return (ISC_TRUE); + return (ISC_FALSE); +} diff --git a/contrib/bind9/bin/named/listenlist.c b/contrib/bind9/bin/named/listenlist.c index bba164f..7e70ac9 100644 --- a/contrib/bind9/bin/named/listenlist.c +++ b/contrib/bind9/bin/named/listenlist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: listenlist.c,v 1.9.208.1 2004/03/06 10:21:18 marka Exp $ */ +/* $Id: listenlist.c,v 1.10.18.2 2005/04/29 00:15:22 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c index 9032af7..af75bab 100644 --- a/contrib/bind9/bin/named/log.c +++ b/contrib/bind9/bin/named/log.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.c,v 1.33.2.1.10.6 2005/05/24 23:58:17 marka Exp $ */ +/* $Id: log.c,v 1.37.18.6 2006/06/09 00:54:08 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -29,9 +31,10 @@ #define ISC_FACILITY LOG_DAEMON #endif -/* +/*% * When adding a new category, be sure to add the appropriate - * #define to <named/log.h>. + * #define to <named/log.h> and to update the list in + * bin/check/check-tool.c. */ static isc_logcategory_t categories[] = { { "", 0 }, @@ -44,7 +47,7 @@ static isc_logcategory_t categories[] = { { NULL, 0 } }; -/* +/*% * When adding a new module, be sure to add the appropriate * #define to <dns/log.h>. */ @@ -78,6 +81,9 @@ ns_log_init(isc_boolean_t safe) { if (result != ISC_R_SUCCESS) return (result); + /* + * named-checktool.c:setup_logging() needs to be kept in sync. + */ isc_log_registercategories(ns_g_lctx, ns_g_categories); isc_log_registermodules(ns_g_lctx, ns_g_modules); isc_log_setcontext(ns_g_lctx); diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c index 1bf3b55..ce815f4 100644 --- a/contrib/bind9/bin/named/logconf.c +++ b/contrib/bind9/bin/named/logconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: logconf.c,v 1.30.2.3.10.4 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: logconf.c,v 1.35.18.5 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -36,7 +38,7 @@ if (result != ISC_R_SUCCESS) goto cleanup; \ } while (0) -/* +/*% * Set up a logging category according to the named.conf data * in 'ccat' and add it to 'lctx'. */ @@ -84,7 +86,7 @@ category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) { return (ISC_R_SUCCESS); } -/* +/*% * Set up a logging channel according to the named.conf data * in 'cchan' and add it to 'lctx'. */ diff --git a/contrib/bind9/bin/named/lwaddr.c b/contrib/bind9/bin/named/lwaddr.c index 1bd8d82..78c2b0b 100644 --- a/contrib/bind9/bin/named/lwaddr.c +++ b/contrib/bind9/bin/named/lwaddr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwaddr.c,v 1.3.208.1 2004/03/06 10:21:18 marka Exp $ */ +/* $Id: lwaddr.c,v 1.4.18.2 2005/04/29 00:15:23 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -29,7 +31,7 @@ #include <named/lwaddr.h> -/* +/*% * Convert addresses from lwres to isc format. */ isc_result_t @@ -63,7 +65,7 @@ lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la, return (ISC_R_SUCCESS); } -/* +/*% * Convert addresses from isc to lwres format. */ diff --git a/contrib/bind9/bin/named/lwdclient.c b/contrib/bind9/bin/named/lwdclient.c index 7975a49..68069ed 100644 --- a/contrib/bind9/bin/named/lwdclient.c +++ b/contrib/bind9/bin/named/lwdclient.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdclient.c,v 1.13.12.5 2004/03/08 09:04:15 marka Exp $ */ +/* $Id: lwdclient.c,v 1.17.18.2 2005/04/29 00:15:23 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/lwderror.c b/contrib/bind9/bin/named/lwderror.c index 51cecf0..db25824 100644 --- a/contrib/bind9/bin/named/lwderror.c +++ b/contrib/bind9/bin/named/lwderror.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwderror.c,v 1.7.208.1 2004/03/06 10:21:18 marka Exp $ */ +/* $Id: lwderror.c,v 1.8.18.2 2005/04/29 00:15:24 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -25,7 +27,7 @@ #include <named/types.h> #include <named/lwdclient.h> -/* +/*% * Generate an error packet for the client, schedule a send, and put us in * the SEND state. * diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c index 539c25b..454d4df 100644 --- a/contrib/bind9/bin/named/lwdgabn.c +++ b/contrib/bind9/bin/named/lwdgabn.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgabn.c,v 1.13.12.5 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: lwdgabn.c,v 1.15.18.5 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -47,7 +49,7 @@ static isc_result_t start_find(ns_lwdclient_t *); static void restart_find(ns_lwdclient_t *); static void init_gabn(ns_lwdclient_t *); -/* +/*% * Destroy any finds. This can be used to "start over from scratch" and * should only be called when events are _not_ being generated by the finds. */ @@ -432,7 +434,7 @@ restart_find(ns_lwdclient_t *client) { client->clientmgr->task, process_gabn_finddone, client, dns_fixedname_name(&client->target_name), - dns_rootname, options, 0, + dns_rootname, 0, options, 0, dns_fixedname_name(&client->target_name), client->clientmgr->view->dstport, &client->find); diff --git a/contrib/bind9/bin/named/lwdgnba.c b/contrib/bind9/bin/named/lwdgnba.c index 21ef804..a500d27 100644 --- a/contrib/bind9/bin/named/lwdgnba.c +++ b/contrib/bind9/bin/named/lwdgnba.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */ +/* $Id: lwdgnba.c,v 1.16.18.2 2005/04/29 00:15:24 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c index 3ad9e9e..c1b2b1e 100644 --- a/contrib/bind9/bin/named/lwdgrbn.c +++ b/contrib/bind9/bin/named/lwdgrbn.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgrbn.c,v 1.11.208.5 2006/01/04 23:50:19 marka Exp $ */ +/* $Id: lwdgrbn.c,v 1.13.18.5 2006/12/07 23:57:58 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -183,8 +185,6 @@ iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node, isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens)); if (newrdatas != NULL) isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas)); - if (newlens != NULL) - isc_mem_put(mctx, newlens, used * sizeof(*oldlens)); return (result); } diff --git a/contrib/bind9/bin/named/lwdnoop.c b/contrib/bind9/bin/named/lwdnoop.c index 30d95ee..fa591b4 100644 --- a/contrib/bind9/bin/named/lwdnoop.c +++ b/contrib/bind9/bin/named/lwdnoop.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdnoop.c,v 1.6.208.1 2004/03/06 10:21:19 marka Exp $ */ +/* $Id: lwdnoop.c,v 1.7.18.2 2005/04/29 00:15:25 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8 index 1333a5d..7275d29 100644 --- a/contrib/bind9/bin/named/lwresd.8 +++ b/contrib/bind9/bin/named/lwresd.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwresd.8,v 1.13.208.6 2006/06/29 13:02:30 marka Exp $ +.\" $Id: lwresd.8,v 1.15.18.10 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: lwresd .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -60,42 +60,57 @@ entries are present, or if forwarding fails, \fBlwresd\fR resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints. .SH "OPTIONS" -.TP 3n +.PP \-C \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, \fI/etc/resolv.conf\fR. -.TP 3n +.RE +.PP \-d \fIdebug\-level\fR +.RS 4 Set the daemon's debug level to \fIdebug\-level\fR. Debugging traces from \fBlwresd\fR become more verbose as the debug level increases. -.TP 3n +.RE +.PP \-f +.RS 4 Run the server in the foreground (i.e. do not daemonize). -.TP 3n +.RE +.PP \-g +.RS 4 Run the server in the foreground and force all logging to \fIstderr\fR. -.TP 3n +.RE +.PP \-n \fI#cpus\fR +.RS 4 Create \fI#cpus\fR worker threads to take advantage of multiple CPUs. If not specified, \fBlwresd\fR will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -.TP 3n +.RE +.PP \-P \fIport\fR +.RS 4 Listen for lightweight resolver queries on port \fIport\fR. If not specified, the default is port 921. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Send DNS lookups to port \fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number. -.TP 3n +.RE +.PP \-s +.RS 4 Write memory usage statistics to \fIstdout\fR on exit. @@ -103,8 +118,10 @@ on exit. .B "Note:" This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. .RE -.TP 3n +.RE +.PP \-t \fIdirectory\fR +.RS 4 \fBchroot()\fR to \fIdirectory\fR @@ -117,22 +134,31 @@ option, as chrooting a process running as root doesn't enhance security on most \fBchroot()\fR is defined allows a process with root privileges to escape a chroot jail. .RE -.TP 3n +.RE +.PP \-u \fIuser\fR +.RS 4 \fBsetuid()\fR to \fIuser\fR after completing privileged operations, such as creating sockets that listen on privileged ports. -.TP 3n +.RE +.PP \-v +.RS 4 Report the version number and exit. +.RE .SH "FILES" -.TP 3n +.PP \fI/etc/resolv.conf\fR +.RS 4 The default configuration file. -.TP 3n +.RE +.PP \fI/var/run/lwresd.pid\fR +.RS 4 The default process\-id file. +.RE .SH "SEE ALSO" .PP \fBnamed\fR(8), @@ -142,4 +168,7 @@ The default process\-id file. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c index e48822f..a1073fa 100644 --- a/contrib/bind9/bin/named/lwresd.c +++ b/contrib/bind9/bin/named/lwresd.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,9 +15,10 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwresd.c,v 1.37.2.2.2.8 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: lwresd.c,v 1.46.18.7 2006/03/02 00:37:21 marka Exp $ */ -/* +/*! \file + * \brief * Main program for the Lightweight Resolver Daemon. * * To paraphrase the old saying about X11, "It's not a lightweight deamon @@ -59,11 +60,11 @@ #define LWRESLISTENER_MAGIC ISC_MAGIC('L', 'W', 'R', 'L') #define VALID_LWRESLISTENER(l) ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC) -/* +/*! * The total number of clients we can handle will be NTASKS * NRECVS. */ -#define NTASKS 2 /* tasks to create to handle lwres queries */ -#define NRECVS 2 /* max clients per task */ +#define NTASKS 2 /*%< tasks to create to handle lwres queries */ +#define NRECVS 2 /*%< max clients per task */ typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t; @@ -78,7 +79,7 @@ initialize_mutex(void) { } -/* +/*% * Wrappers around our memory management stuff, for the lwres functions. */ void * @@ -511,13 +512,19 @@ listener_create(isc_mem_t *mctx, ns_lwresd_t *lwresd, ns_lwreslistener_t **listenerp) { ns_lwreslistener_t *listener; + isc_result_t result; REQUIRE(listenerp != NULL && *listenerp == NULL); listener = isc_mem_get(mctx, sizeof(ns_lwreslistener_t)); if (listener == NULL) return (ISC_R_NOMEMORY); - RUNTIME_CHECK(isc_mutex_init(&listener->lock) == ISC_R_SUCCESS); + + result = isc_mutex_init(&listener->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, listener, sizeof(ns_lwreslistener_t)); + return (result); + } listener->magic = LWRESLISTENER_MAGIC; listener->refs = 1; diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook index c1f500b..d1eabfa 100644 --- a/contrib/bind9/bin/named/lwresd.docbook +++ b/contrib/bind9/bin/named/lwresd.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,8 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: lwresd.docbook,v 1.6.208.4 2005/05/13 01:22:33 marka Exp $ --> - +<!-- $Id: lwresd.docbook,v 1.7.18.5 2007/01/29 23:57:20 marka Exp $ --> <refentry> <refentryinfo> <date>June 30, 2000</date> @@ -31,10 +30,16 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>lwresd</application></refname> + <refpurpose>lightweight resolver daemon</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -44,11 +49,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>lwresd</application></refname> - <refpurpose>lightweight resolver daemon</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>lwresd</command> @@ -69,37 +69,39 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>lwresd</command> is the daemon providing name lookup - services to clients that use the BIND 9 lightweight resolver - library. It is essentially a stripped-down, caching-only name - server that answers queries using the BIND 9 lightweight - resolver protocol rather than the DNS protocol. + + <para><command>lwresd</command> + is the daemon providing name lookup + services to clients that use the BIND 9 lightweight resolver + library. It is essentially a stripped-down, caching-only name + server that answers queries using the BIND 9 lightweight + resolver protocol rather than the DNS protocol. </para> - <para> - <command>lwresd</command> listens for resolver queries on a - UDP port on the IPv4 loopback interface, 127.0.0.1. This - means that <command>lwresd</command> can only be used by - processes running on the local machine. By default UDP port - number 921 is used for lightweight resolver requests and - responses. + + <para><command>lwresd</command> + listens for resolver queries on a + UDP port on the IPv4 loopback interface, 127.0.0.1. This + means that <command>lwresd</command> can only be used by + processes running on the local machine. By default UDP port + number 921 is used for lightweight resolver requests and + responses. </para> <para> - Incoming lightweight resolver requests are decoded by the - server which then resolves them using the DNS protocol. When - the DNS lookup completes, <command>lwresd</command> encodes - the answers in the lightweight resolver format and returns - them to the client that made the request. + Incoming lightweight resolver requests are decoded by the + server which then resolves them using the DNS protocol. When + the DNS lookup completes, <command>lwresd</command> encodes + the answers in the lightweight resolver format and returns + them to the client that made the request. </para> <para> - If <filename>/etc/resolv.conf</filename> contains any - <option>nameserver</option> entries, <command>lwresd</command> - sends recursive DNS queries to those servers. This is similar - to the use of forwarders in a caching name server. If no - <option>nameserver</option> entries are present, or if - forwarding fails, <command>lwresd</command> resolves the - queries autonomously starting at the root name servers, using - a built-in list of root server hints. + If <filename>/etc/resolv.conf</filename> contains any + <option>nameserver</option> entries, <command>lwresd</command> + sends recursive DNS queries to those servers. This is similar + to the use of forwarders in a caching name server. If no + <option>nameserver</option> entries are present, or if + forwarding fails, <command>lwresd</command> resolves the + queries autonomously starting at the root name servers, using + a built-in list of root server hints. </para> </refsect1> @@ -108,145 +110,139 @@ <variablelist> <varlistentry> - <term>-C <replaceable class="parameter">config-file</replaceable></term> - <listitem> - <para> - Use <replaceable - class="parameter">config-file</replaceable> as the - configuration file instead of the default, - <filename>/etc/resolv.conf</filename>. + <term>-C <replaceable class="parameter">config-file</replaceable></term> + <listitem> + <para> + Use <replaceable class="parameter">config-file</replaceable> as the + configuration file instead of the default, + <filename>/etc/resolv.conf</filename>. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-d <replaceable class="parameter">debug-level</replaceable></term> - <listitem> - <para> - Set the daemon's debug level to <replaceable - class="parameter">debug-level</replaceable>. - Debugging traces from <command>lwresd</command> become - more verbose as the debug level increases. + <term>-d <replaceable class="parameter">debug-level</replaceable></term> + <listitem> + <para> + Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>. + Debugging traces from <command>lwresd</command> become + more verbose as the debug level increases. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-f</term> - <listitem> - <para> - Run the server in the foreground (i.e. do not daemonize). + <term>-f</term> + <listitem> + <para> + Run the server in the foreground (i.e. do not daemonize). </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-g</term> - <listitem> - <para> - Run the server in the foreground and force all logging - to <filename>stderr</filename>. + <term>-g</term> + <listitem> + <para> + Run the server in the foreground and force all logging + to <filename>stderr</filename>. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-n <replaceable class="parameter">#cpus</replaceable></term> - <listitem> - <para> - Create <replaceable - class="parameter">#cpus</replaceable> worker threads - to take advantage of multiple CPUs. If not specified, - <command>lwresd</command> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + <term>-n <replaceable class="parameter">#cpus</replaceable></term> + <listitem> + <para> + Create <replaceable class="parameter">#cpus</replaceable> worker threads + to take advantage of multiple CPUs. If not specified, + <command>lwresd</command> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-P <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Listen for lightweight resolver queries on port - <replaceable class="parameter">port</replaceable>. If - not specified, the default is port 921. + <term>-P <replaceable class="parameter">port</replaceable></term> + <listitem> + <para> + Listen for lightweight resolver queries on port + <replaceable class="parameter">port</replaceable>. If + not specified, the default is port 921. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-p <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Send DNS lookups to port <replaceable - class="parameter">port</replaceable>. If not - specified, the default is port 53. This provides a - way of testing the lightweight resolver daemon with a - name server that listens for queries on a non-standard - port number. + <term>-p <replaceable class="parameter">port</replaceable></term> + <listitem> + <para> + Send DNS lookups to port <replaceable class="parameter">port</replaceable>. If not + specified, the default is port 53. This provides a + way of testing the lightweight resolver daemon with a + name server that listens for queries on a non-standard + port number. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-s</term> - <listitem> - <para> - Write memory usage statistics to <filename>stdout</filename> - on exit. + <term>-s</term> + <listitem> + <para> + Write memory usage statistics to <filename>stdout</filename> + on exit. </para> - <note> - <para> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </para> - </note> - </listitem> + <note> + <para> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </para> + </note> + </listitem> </varlistentry> <varlistentry> - <term>-t <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - <function>chroot()</function> to <replaceable - class="parameter">directory</replaceable> after - processing the command line arguments, but before - reading the configuration file. + <term>-t <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para><function>chroot()</function> + to <replaceable class="parameter">directory</replaceable> after + processing the command line arguments, but before + reading the configuration file. </para> - <warning> - <para> - This option should be used in conjunction with the - <option>-u</option> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <function>chroot()</function> is - defined allows a process with root privileges to - escape a chroot jail. - </para> - </warning> - </listitem> + <warning> + <para> + This option should be used in conjunction with the + <option>-u</option> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <function>chroot()</function> is + defined allows a process with root privileges to + escape a chroot jail. + </para> + </warning> + </listitem> </varlistentry> <varlistentry> - <term>-u <replaceable class="parameter">user</replaceable></term> - <listitem> - <para> - <function>setuid()</function> to <replaceable - class="parameter">user</replaceable> after completing - privileged operations, such as creating sockets that - listen on privileged ports. + <term>-u <replaceable class="parameter">user</replaceable></term> + <listitem> + <para><function>setuid()</function> + to <replaceable class="parameter">user</replaceable> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-v</term> - <listitem> - <para> - Report the version number and exit. + <term>-v</term> + <listitem> + <para> + Report the version number and exit. </para> - </listitem> + </listitem> </varlistentry> </variablelist> @@ -259,21 +255,21 @@ <variablelist> <varlistentry> - <term><filename>/etc/resolv.conf</filename></term> - <listitem> - <para> - The default configuration file. + <term><filename>/etc/resolv.conf</filename></term> + <listitem> + <para> + The default configuration file. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term><filename>/var/run/lwresd.pid</filename></term> - <listitem> - <para> - The default process-id file. + <term><filename>/var/run/lwresd.pid</filename></term> + <listitem> + <para> + The default process-id file. </para> - </listitem> + </listitem> </varlistentry> </variablelist> @@ -282,33 +278,25 @@ <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>named</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>lwres</refentrytitle> - <manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>resolver</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry>. + <para><citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. </para> </refsect1> <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html index 6ab7824..e25dfcf 100644 --- a/contrib/bind9/bin/named/lwresd.html +++ b/contrib/bind9/bin/named/lwresd.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: lwresd.html,v 1.4.2.1.4.10 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: lwresd.html,v 1.5.18.16 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>lwresd</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="id2476275"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">lwresd</span> — lightweight resolver daemon</p> @@ -32,157 +32,155 @@ <div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549484"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">lwresd</strong></span> is the daemon providing name lookup - services to clients that use the BIND 9 lightweight resolver - library. It is essentially a stripped-down, caching-only name - server that answers queries using the BIND 9 lightweight - resolver protocol rather than the DNS protocol. +<a name="id2543435"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">lwresd</strong></span> + is the daemon providing name lookup + services to clients that use the BIND 9 lightweight resolver + library. It is essentially a stripped-down, caching-only name + server that answers queries using the BIND 9 lightweight + resolver protocol rather than the DNS protocol. </p> -<p> - <span><strong class="command">lwresd</strong></span> listens for resolver queries on a - UDP port on the IPv4 loopback interface, 127.0.0.1. This - means that <span><strong class="command">lwresd</strong></span> can only be used by - processes running on the local machine. By default UDP port - number 921 is used for lightweight resolver requests and - responses. +<p><span><strong class="command">lwresd</strong></span> + listens for resolver queries on a + UDP port on the IPv4 loopback interface, 127.0.0.1. This + means that <span><strong class="command">lwresd</strong></span> can only be used by + processes running on the local machine. By default UDP port + number 921 is used for lightweight resolver requests and + responses. </p> <p> - Incoming lightweight resolver requests are decoded by the - server which then resolves them using the DNS protocol. When - the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes - the answers in the lightweight resolver format and returns - them to the client that made the request. + Incoming lightweight resolver requests are decoded by the + server which then resolves them using the DNS protocol. When + the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes + the answers in the lightweight resolver format and returns + them to the client that made the request. </p> <p> - If <code class="filename">/etc/resolv.conf</code> contains any - <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span> - sends recursive DNS queries to those servers. This is similar - to the use of forwarders in a caching name server. If no - <code class="option">nameserver</code> entries are present, or if - forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the - queries autonomously starting at the root name servers, using - a built-in list of root server hints. + If <code class="filename">/etc/resolv.conf</code> contains any + <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span> + sends recursive DNS queries to those servers. This is similar + to the use of forwarders in a caching name server. If no + <code class="option">nameserver</code> entries are present, or if + forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the + queries autonomously starting at the root name servers, using + a built-in list of root server hints. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549533"></a><h2>OPTIONS</h2> +<a name="id2543482"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt> <dd><p> - Use <em class="replaceable"><code>config-file</code></em> as the - configuration file instead of the default, - <code class="filename">/etc/resolv.conf</code>. + Use <em class="replaceable"><code>config-file</code></em> as the + configuration file instead of the default, + <code class="filename">/etc/resolv.conf</code>. </p></dd> <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> <dd><p> - Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. - Debugging traces from <span><strong class="command">lwresd</strong></span> become - more verbose as the debug level increases. + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">lwresd</strong></span> become + more verbose as the debug level increases. </p></dd> <dt><span class="term">-f</span></dt> <dd><p> - Run the server in the foreground (i.e. do not daemonize). + Run the server in the foreground (i.e. do not daemonize). </p></dd> <dt><span class="term">-g</span></dt> <dd><p> - Run the server in the foreground and force all logging - to <code class="filename">stderr</code>. + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. </p></dd> <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> <dd><p> - Create <em class="replaceable"><code>#cpus</code></em> worker threads - to take advantage of multiple CPUs. If not specified, - <span><strong class="command">lwresd</strong></span> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + Create <em class="replaceable"><code>#cpus</code></em> worker threads + to take advantage of multiple CPUs. If not specified, + <span><strong class="command">lwresd</strong></span> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </p></dd> <dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Listen for lightweight resolver queries on port - <em class="replaceable"><code>port</code></em>. If - not specified, the default is port 921. + Listen for lightweight resolver queries on port + <em class="replaceable"><code>port</code></em>. If + not specified, the default is port 921. </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not - specified, the default is port 53. This provides a - way of testing the lightweight resolver daemon with a - name server that listens for queries on a non-standard - port number. + Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not + specified, the default is port 53. This provides a + way of testing the lightweight resolver daemon with a + name server that listens for queries on a non-standard + port number. </p></dd> <dt><span class="term">-s</span></dt> <dd> <p> - Write memory usage statistics to <code class="filename">stdout</code> - on exit. + Write memory usage statistics to <code class="filename">stdout</code> + on exit. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </p> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </p> </div> </dd> <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> <dd> -<p> - <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after - processing the command line arguments, but before - reading the configuration file. +<p><code class="function">chroot()</code> + to <em class="replaceable"><code>directory</code></em> after + processing the command line arguments, but before + reading the configuration file. </p> <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Warning</h3> <p> - This option should be used in conjunction with the - <code class="option">-u</code> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <code class="function">chroot()</code> is - defined allows a process with root privileges to - escape a chroot jail. - </p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <code class="function">chroot()</code> is + defined allows a process with root privileges to + escape a chroot jail. + </p> </div> </dd> <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> -<dd><p> - <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing - privileged operations, such as creating sockets that - listen on privileged ports. +<dd><p><code class="function">setuid()</code> + to <em class="replaceable"><code>user</code></em> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </p></dd> <dt><span class="term">-v</span></dt> <dd><p> - Report the version number and exit. + Report the version number and exit. </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549939"></a><h2>FILES</h2> +<a name="id2543746"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt> <dd><p> - The default configuration file. + The default configuration file. </p></dd> <dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt> <dd><p> - The default process-id file. + The default process-id file. </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549978"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, - <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, - <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. +<a name="id2543785"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, + <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550017"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543819"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/named/lwsearch.c b/contrib/bind9/bin/named/lwsearch.c index 8b9ea52..4a61f96 100644 --- a/contrib/bind9/bin/named/lwsearch.c +++ b/contrib/bind9/bin/named/lwsearch.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwsearch.c,v 1.7.208.1 2004/03/06 10:21:20 marka Exp $ */ +/* $Id: lwsearch.c,v 1.8.18.3 2005/07/12 01:22:17 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -38,6 +40,7 @@ isc_result_t ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) { ns_lwsearchlist_t *list; + isc_result_t result; REQUIRE(mctx != NULL); REQUIRE(listp != NULL && *listp == NULL); @@ -46,7 +49,11 @@ ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) { if (list == NULL) return (ISC_R_NOMEMORY); - RUNTIME_CHECK(isc_mutex_init(&list->lock) == ISC_R_SUCCESS); + result = isc_mutex_init(&list->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t)); + return (result); + } list->mctx = NULL; isc_mem_attach(mctx, &list->mctx); list->refs = 1; diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c index 960de2a..6b9b67e 100644 --- a/contrib/bind9/bin/named/main.c +++ b/contrib/bind9/bin/named/main.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.119.2.3.2.25 2006/11/10 18:51:06 marka Exp $ */ +/* $Id: main.c,v 1.136.18.17 2006/11/10 18:51:14 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -71,6 +73,13 @@ */ /* #include "xxdb.h" */ +/* + * Include DLZ drivers if appropriate. + */ +#ifdef DLZ +#include <dlz/dlz_drivers.h> +#endif + static isc_boolean_t want_stats = ISC_FALSE; static char program_name[ISC_DIR_NAMEMAX] = "named"; static char absolute_conffile[ISC_DIR_PATHMAX]; @@ -226,7 +235,7 @@ lwresd_usage(void) { " [-f|-g] [-n number_of_cpus] [-p port] " "[-P listen-port] [-s]\n" " [-t chrootdir] [-u username] [-i pidfile]\n" - " [-m {usage|trace|record}]\n"); + " [-m {usage|trace|record|size|mctx}]\n"); } static void @@ -239,7 +248,7 @@ usage(void) { "usage: named [-4|-6] [-c conffile] [-d debuglevel] " "[-f|-g] [-n number_of_cpus]\n" " [-p port] [-s] [-t chrootdir] [-u username]\n" - " [-m {usage|trace|record}]\n"); + " [-m {usage|trace|record|size|mctx}]\n"); } static void @@ -307,6 +316,8 @@ static struct flag_def { { "trace", ISC_MEM_DEBUGTRACE }, { "record", ISC_MEM_DEBUGRECORD }, { "usage", ISC_MEM_DEBUGUSAGE }, + { "size", ISC_MEM_DEBUGSIZE }, + { "mctx", ISC_MEM_DEBUGCTX }, { NULL, 0 } }; @@ -671,6 +682,16 @@ setup(void) { */ /* xxdb_init(); */ +#ifdef DLZ + /* + * Registyer any DLZ drivers. + */ + result = dlz_drivers_init(); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("dlz_drivers_init() failed: %s", + isc_result_totext(result)); +#endif + ns_server_create(ns_g_mctx, &ns_g_server); } @@ -687,6 +708,15 @@ cleanup(void) { */ /* xxdb_clear(); */ +#ifdef DLZ + /* + * Unregister any DLZ drivers. + */ + dlz_drivers_clear(); +#endif + + dns_name_destroy(); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ISC_LOG_NOTICE, "exiting"); ns_log_shutdown(); @@ -882,6 +912,7 @@ main(int argc, char *argv[]) { } } isc_mem_destroy(&ns_g_mctx); + isc_mem_checkdestroyed(stderr); ns_main_setmemstats(NULL); diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8 index 7172393..5b39e2a 100644 --- a/contrib/bind9/bin/named/named.8 +++ b/contrib/bind9/bin/named/named.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.8,v 1.17.208.9 2006/06/29 13:02:30 marka Exp $ +.\" $Id: named.8,v 1.20.18.12 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: named .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -44,22 +44,27 @@ When invoked without arguments, will read the default configuration file \fI/etc/named.conf\fR, read any initial data, and listen for queries. .SH "OPTIONS" -.TP 3n +.PP \-4 +.RS 4 Use IPv4 only even if the host machine is capable of IPv6. \fB\-4\fR and \fB\-6\fR are mutually exclusive. -.TP 3n +.RE +.PP \-6 +.RS 4 Use IPv6 only even if the host machine is capable of IPv4. \fB\-4\fR and \fB\-6\fR are mutually exclusive. -.TP 3n +.RE +.PP \-c \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, @@ -68,32 +73,44 @@ as the configuration file instead of the default, option in the configuration file, \fIconfig\-file\fR should be an absolute pathname. -.TP 3n +.RE +.PP \-d \fIdebug\-level\fR +.RS 4 Set the daemon's debug level to \fIdebug\-level\fR. Debugging traces from \fBnamed\fR become more verbose as the debug level increases. -.TP 3n +.RE +.PP \-f +.RS 4 Run the server in the foreground (i.e. do not daemonize). -.TP 3n +.RE +.PP \-g +.RS 4 Run the server in the foreground and force all logging to \fIstderr\fR. -.TP 3n +.RE +.PP \-n \fI#cpus\fR +.RS 4 Create \fI#cpus\fR worker threads to take advantage of multiple CPUs. If not specified, \fBnamed\fR will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Listen for queries on port \fIport\fR. If not specified, the default is port 53. -.TP 3n +.RE +.PP \-s +.RS 4 Write memory usage statistics to \fIstdout\fR on exit. @@ -101,8 +118,10 @@ on exit. .B "Note:" This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. .RE -.TP 3n +.RE +.PP \-t \fIdirectory\fR +.RS 4 \fBchroot()\fR to \fIdirectory\fR @@ -115,8 +134,10 @@ option, as chrooting a process running as root doesn't enhance security on most \fBchroot()\fR is defined allows a process with root privileges to escape a chroot jail. .RE -.TP 3n +.RE +.PP \-u \fIuser\fR +.RS 4 \fBsetuid()\fR to \fIuser\fR @@ -134,11 +155,15 @@ option only works when is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after \fBsetuid()\fR. .RE -.TP 3n +.RE +.PP \-v +.RS 4 Report the version number and exit. -.TP 3n +.RE +.PP \-x \fIcache\-file\fR +.RS 4 Load data from \fIcache\-file\fR into the cache of the default view. @@ -146,17 +171,22 @@ into the cache of the default view. .B "Warning:" This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release. .RE +.RE .SH "SIGNALS" .PP In routine operation, signals should not be used to control the nameserver; \fBrndc\fR should be used instead. -.TP 3n +.PP SIGHUP +.RS 4 Force a reload of the server. -.TP 3n +.RE +.PP SIGINT, SIGTERM +.RS 4 Shut down the server. +.RE .PP The result of sending any other signals to the server is undefined. .SH "CONFIGURATION" @@ -166,12 +196,16 @@ The configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual. .SH "FILES" -.TP 3n +.PP \fI/etc/named.conf\fR +.RS 4 The default configuration file. -.TP 3n +.RE +.PP \fI/var/run/named.pid\fR +.RS 4 The default process\-id file. +.RE .SH "SEE ALSO" .PP RFC 1033, @@ -185,4 +219,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001, 2003 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5 index 1ace4da..75b1bb5 100644 --- a/contrib/bind9/bin/named/named.conf.5 +++ b/contrib/bind9/bin/named/named.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -12,13 +12,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.conf.5,v 1.1.4.10 2006/09/13 02:56:20 marka Exp $ +.\" $Id: named.conf.5,v 1.1.2.23 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: \fInamed.conf\fR .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: Aug 13, 2004 .\" Manual: BIND9 .\" Source: BIND9 @@ -46,14 +46,14 @@ C++ style: // to end of line Unix style: # to end of line .SH "ACL" .sp -.RS 3n +.RS 4 .nf acl \fIstring\fR { \fIaddress_match_element\fR; ... }; .fi .RE .SH "KEY" .sp -.RS 3n +.RS 4 .nf key \fIdomain_name\fR { algorithm \fIstring\fR; @@ -63,7 +63,7 @@ key \fIdomain_name\fR { .RE .SH "MASTERS" .sp -.RS 3n +.RS 4 .nf masters \fIstring\fR [ port \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] | @@ -73,11 +73,13 @@ masters \fIstring\fR [ port \fIinteger\fR ] { .RE .SH "SERVER" .sp -.RS 3n +.RS 4 .nf -server ( \fIipv4_address\fR | \fIipv6_address\fR ) { +server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { bogus \fIboolean\fR; edns \fIboolean\fR; + edns\-udp\-size \fIinteger\fR; + max\-udp\-size \fIinteger\fR; provide\-ixfr \fIboolean\fR; request\-ixfr \fIboolean\fR; keys \fIserver_key\fR; @@ -93,7 +95,7 @@ server ( \fIipv4_address\fR | \fIipv6_address\fR ) { .RE .SH "TRUSTED\-KEYS" .sp -.RS 3n +.RS 4 .nf trusted\-keys { \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... @@ -102,7 +104,7 @@ trusted\-keys { .RE .SH "CONTROLS" .sp -.RS 3n +.RS 4 .nf controls { inet ( \fIipv4_address\fR | \fIipv6_address\fR | * ) @@ -115,7 +117,7 @@ controls { .RE .SH "LOGGING" .sp -.RS 3n +.RS 4 .nf logging { channel \fIstring\fR { @@ -134,7 +136,7 @@ logging { .RE .SH "LWRES" .sp -.RS 3n +.RS 4 .nf lwres { listen\-on [ port \fIinteger\fR ] { @@ -148,7 +150,7 @@ lwres { .RE .SH "OPTIONS" .sp -.RS 3n +.RS 4 .nf options { avoid\-v4\-udp\-ports { \fIport\fR; ... }; @@ -157,7 +159,6 @@ options { coresize \fIsize\fR; datasize \fIsize\fR; directory \fIquoted_string\fR; - cache\-file \fIquoted_string\fR; // test option dump\-file \fIquoted_string\fR; files \fIsize\fR; heartbeat\-interval \fIinteger\fR; @@ -205,8 +206,8 @@ options { rfc2308\-type1 \fIboolean\fR; // not yet implemented additional\-from\-auth \fIboolean\fR; additional\-from\-cache \fIboolean\fR; - query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; + query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; + query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; cleaning\-interval \fIinteger\fR; min\-roots \fIinteger\fR; // not implemented lame\-ttl \fIinteger\fR; @@ -214,30 +215,48 @@ options { max\-cache\-ttl \fIinteger\fR; transfer\-format ( many\-answers | one\-answer ); max\-cache\-size \fIsize_no_default\fR; + max\-acache\-size \fIsize_no_default\fR; + clients\-per\-query \fInumber\fR; + max\-clients\-per\-query \fInumber\fR; check\-names ( master | slave | response ) ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; + check\-mx ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx\-cname ( fail | warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + cache\-file \fIquoted_string\fR; // test option suppress\-initial\-notify \fIboolean\fR; // not yet implemented preferred\-glue \fIstring\fR; dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [port \fIinteger\fR] | \fIipv4_address\fR [port \fIinteger\fR] | \fIipv6_address\fR [port \fIinteger\fR] ); ... - } + }; edns\-udp\-size \fIinteger\fR; + max\-udp\-size \fIinteger\fR; root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ]; disable\-algorithms \fIstring\fR { \fIstring\fR; ... }; dnssec\-enable \fIboolean\fR; + dnssec\-validation \fIboolean\fR; dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR; dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-accept\-expired \fIboolean\fR; + empty\-server \fIstring\fR; + empty\-contact \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + disable\-empty\-zone \fIstring\fR; dialup \fIdialuptype\fR; ixfr\-from\-differences \fIixfrdiff\fR; allow\-query { \fIaddress_match_element\fR; ... }; + allow\-query\-cache { \fIaddress_match_element\fR; ... }; allow\-transfer { \fIaddress_match_element\fR; ... }; + allow\-update { \fIaddress_match_element\fR; ... }; allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; + update\-check\-ksk \fIboolean\fR; notify \fInotifytype\fR; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; + notify\-delay \fIseconds\fR; also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... }; allow\-notify { \fIaddress_match_element\fR; ... }; @@ -267,6 +286,8 @@ options { use\-alt\-transfer\-source \fIboolean\fR; zone\-statistics \fIboolean\fR; key\-directory \fIquoted_string\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zero\-no\-soa\-ttl\-cache \fIboolean\fR; allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete deallocate\-on\-exit \fIboolean\fR; // obsolete fake\-iquery \fIboolean\fR; // obsolete @@ -284,7 +305,7 @@ options { .RE .SH "VIEW" .sp -.RS 3n +.RS 4 .nf view \fIstring\fR \fIoptional_class\fR { match\-clients { \fIaddress_match_element\fR; ... }; @@ -297,7 +318,7 @@ view \fIstring\fR \fIoptional_class\fR { zone \fIstring\fR \fIoptional_class\fR { ... }; - server ( \fIipv4_address\fR | \fIipv6_address\fR ) { + server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { ... }; trusted\-keys { @@ -318,8 +339,8 @@ view \fIstring\fR \fIoptional_class\fR { rfc2308\-type1 \fIboolean\fR; // not yet implemented additional\-from\-auth \fIboolean\fR; additional\-from\-cache \fIboolean\fR; - query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; + query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; + query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; cleaning\-interval \fIinteger\fR; min\-roots \fIinteger\fR; // not implemented lame\-ttl \fIinteger\fR; @@ -327,9 +348,16 @@ view \fIstring\fR \fIoptional_class\fR { max\-cache\-ttl \fIinteger\fR; transfer\-format ( many\-answers | one\-answer ); max\-cache\-size \fIsize_no_default\fR; + max\-acache\-size \fIsize_no_default\fR; + clients\-per\-query \fInumber\fR; + max\-clients\-per\-query \fInumber\fR; check\-names ( master | slave | response ) ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; + check\-mx ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx\-cname ( fail | warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + cache\-file \fIquoted_string\fR; // test option suppress\-initial\-notify \fIboolean\fR; // not yet implemented preferred\-glue \fIstring\fR; dual\-stack\-servers [ port \fIinteger\fR ] { @@ -338,19 +366,30 @@ view \fIstring\fR \fIoptional_class\fR { \fIipv6_address\fR [port \fIinteger\fR] ); ... }; edns\-udp\-size \fIinteger\fR; + max\-udp\-size \fIinteger\fR; root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ]; disable\-algorithms \fIstring\fR { \fIstring\fR; ... }; dnssec\-enable \fIboolean\fR; + dnssec\-validation \fIboolean\fR; dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR; dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-accept\-expired \fIboolean\fR; + empty\-server \fIstring\fR; + empty\-contact \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + disable\-empty\-zone \fIstring\fR; dialup \fIdialuptype\fR; ixfr\-from\-differences \fIixfrdiff\fR; allow\-query { \fIaddress_match_element\fR; ... }; + allow\-query\-cache { \fIaddress_match_element\fR; ... }; allow\-transfer { \fIaddress_match_element\fR; ... }; + allow\-update { \fIaddress_match_element\fR; ... }; allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; + update\-check\-ksk \fIboolean\fR; notify \fInotifytype\fR; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; + notify\-delay \fIseconds\fR; also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... }; allow\-notify { \fIaddress_match_element\fR; ... }; @@ -380,6 +419,8 @@ view \fIstring\fR \fIoptional_class\fR { use\-alt\-transfer\-source \fIboolean\fR; zone\-statistics \fIboolean\fR; key\-directory \fIquoted_string\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zero\-no\-soa\-ttl\-cache \fIboolean\fR; allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete fetch\-glue \fIboolean\fR; // obsolete maintain\-ixfr\-base \fIboolean\fR; // obsolete @@ -389,7 +430,7 @@ view \fIstring\fR \fIoptional_class\fR { .RE .SH "ZONE" .sp -.RS 3n +.RS 4 .nf zone \fIstring\fR \fIoptional_class\fR { type ( master | slave | stub | hint | @@ -403,8 +444,14 @@ zone \fIstring\fR \fIoptional_class\fR { database \fIstring\fR; delegation\-only \fIboolean\fR; check\-names ( fail | warn | ignore ); + check\-mx ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx\-cname ( fail | warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); dialup \fIdialuptype\fR; ixfr\-from\-differences \fIboolean\fR; + journal \fIquoted_string\fR; + zero\-no\-soa\-ttl \fIboolean\fR; allow\-query { \fIaddress_match_element\fR; ... }; allow\-transfer { \fIaddress_match_element\fR; ... }; allow\-update { \fIaddress_match_element\fR; ... }; @@ -414,9 +461,11 @@ zone \fIstring\fR \fIoptional_class\fR { ( name | subdomain | wildcard | self ) \fIstring\fR \fIrrtypelist\fR; ... }; + update\-check\-ksk \fIboolean\fR; notify \fInotifytype\fR; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; + notify\-delay \fIseconds\fR; also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... }; allow\-notify { \fIaddress_match_element\fR; ... }; @@ -463,4 +512,5 @@ zone \fIstring\fR \fIoptional_class\fR { \fBrndc\fR(8), \fBBIND 9 Administrator Reference Manual\fR(). .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook index fb8a5ef..5d5f52f 100644 --- a/contrib/bind9/bin/named/named.conf.docbook +++ b/contrib/bind9/bin/named/named.conf.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -17,8 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.conf.docbook,v 1.1.4.8 2006/09/13 00:26:41 marka Exp $ --> - +<!-- $Id: named.conf.docbook,v 1.1.2.25 2007/01/29 23:57:20 marka Exp $ --> <refentry> <refentryinfo> <date>Aug 13, 2004</date> @@ -30,20 +29,21 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><filename>named.conf</filename></refname> + <refpurpose>configuration file for named</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> - <refnamediv> - <refname><filename>named.conf</filename></refname> - <refpurpose>configuration file for named</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>named.conf</command> @@ -52,58 +52,60 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <filename>named.conf</filename> is the configuration file for - <command>named</command>. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: + <para><filename>named.conf</filename> is the configuration file + for + <command>named</command>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. The usual + comment styles are supported: </para> <para> - C style: /* */ + C style: /* */ </para> <para> - C++ style: // to end of line + C++ style: // to end of line </para> <para> - Unix style: # to end of line + Unix style: # to end of line </para> </refsect1> -<refsect1> -<title>ACL</title> -<literallayout> + <refsect1> + <title>ACL</title> + <literallayout> acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>KEY</title> -<literallayout> + <refsect1> + <title>KEY</title> + <literallayout> key <replaceable>domain_name</replaceable> { algorithm <replaceable>string</replaceable>; secret <replaceable>string</replaceable>; }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>MASTERS</title> -<literallayout> + <refsect1> + <title>MASTERS</title> + <literallayout> masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> | <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>SERVER</title> -<literallayout> -server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) { + <refsect1> + <title>SERVER</title> + <literallayout> +server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) { bogus <replaceable>boolean</replaceable>; edns <replaceable>boolean</replaceable>; + edns-udp-size <replaceable>integer</replaceable>; + max-udp-size <replaceable>integer</replaceable>; provide-ixfr <replaceable>boolean</replaceable>; request-ixfr <replaceable>boolean</replaceable>; keys <replaceable>server_key</replaceable>; @@ -117,20 +119,20 @@ server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</re support-ixfr <replaceable>boolean</replaceable>; // obsolete }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>TRUSTED-KEYS</title> -<literallayout> + <refsect1> + <title>TRUSTED-KEYS</title> + <literallayout> trusted-keys { <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>CONTROLS</title> -<literallayout> + <refsect1> + <title>CONTROLS</title> + <literallayout> controls { inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> @@ -139,11 +141,11 @@ controls { unix <replaceable>unsupported</replaceable>; // not implemented }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>LOGGING</title> -<literallayout> + <refsect1> + <title>LOGGING</title> + <literallayout> logging { channel <replaceable>string</replaceable> { file <replaceable>log_file</replaceable>; @@ -158,11 +160,11 @@ logging { category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... }; }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>LWRES</title> -<literallayout> + <refsect1> + <title>LWRES</title> + <literallayout> lwres { listen-on <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... @@ -172,11 +174,11 @@ lwres { ndots <replaceable>integer</replaceable>; }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>OPTIONS</title> -<literallayout> + <refsect1> + <title>OPTIONS</title> + <literallayout> options { avoid-v4-udp-ports { <replaceable>port</replaceable>; ... }; avoid-v6-udp-ports { <replaceable>port</replaceable>; ... }; @@ -184,7 +186,6 @@ options { coresize <replaceable>size</replaceable>; datasize <replaceable>size</replaceable>; directory <replaceable>quoted_string</replaceable>; - cache-file <replaceable>quoted_string</replaceable>; // test option dump-file <replaceable>quoted_string</replaceable>; files <replaceable>size</replaceable>; heartbeat-interval <replaceable>integer</replaceable>; @@ -232,8 +233,8 @@ options { rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented additional-from-auth <replaceable>boolean</replaceable>; additional-from-cache <replaceable>boolean</replaceable>; - query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; - query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; cleaning-interval <replaceable>integer</replaceable>; min-roots <replaceable>integer</replaceable>; // not implemented lame-ttl <replaceable>integer</replaceable>; @@ -241,33 +242,52 @@ options { max-cache-ttl <replaceable>integer</replaceable>; transfer-format ( many-answers | one-answer ); max-cache-size <replaceable>size_no_default</replaceable>; + max-acache-size <replaceable>size_no_default</replaceable>; + clients-per-query <replaceable>number</replaceable>; + max-clients-per-query <replaceable>number</replaceable>; check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file <replaceable>quoted_string</replaceable>; + check-mx ( fail | warn | ignore ); + check-integrity <replaceable>boolean</replaceable>; + check-mx-cname ( fail | warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + cache-file <replaceable>quoted_string</replaceable>; // test option suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented preferred-glue <replaceable>string</replaceable>; dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> | <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ... - } + }; edns-udp-size <replaceable>integer</replaceable>; + max-udp-size <replaceable>integer</replaceable>; root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>; disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... }; dnssec-enable <replaceable>boolean</replaceable>; + dnssec-validation <replaceable>boolean</replaceable>; dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>; dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>; + dnssec-accept-expired <replaceable>boolean</replaceable>; + + empty-server <replaceable>string</replaceable>; + empty-contact <replaceable>string</replaceable>; + empty-zones-enable <replaceable>boolean</replaceable>; + disable-empty-zone <replaceable>string</replaceable>; dialup <replaceable>dialuptype</replaceable>; ixfr-from-differences <replaceable>ixfrdiff</replaceable>; allow-query { <replaceable>address_match_element</replaceable>; ... }; + allow-query-cache { <replaceable>address_match_element</replaceable>; ... }; allow-transfer { <replaceable>address_match_element</replaceable>; ... }; + allow-update { <replaceable>address_match_element</replaceable>; ... }; allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... }; + update-check-ksk <replaceable>boolean</replaceable>; notify <replaceable>notifytype</replaceable>; notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + notify-delay <replaceable>seconds</replaceable>; also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... }; @@ -302,6 +322,8 @@ options { zone-statistics <replaceable>boolean</replaceable>; key-directory <replaceable>quoted_string</replaceable>; + zero-no-soa-ttl <replaceable>boolean</replaceable>; + zero-no-soa-ttl-cache <replaceable>boolean</replaceable>; allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete @@ -317,11 +339,11 @@ options { use-id-pool <replaceable>boolean</replaceable>; // obsolete }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>VIEW</title> -<literallayout> + <refsect1> + <title>VIEW</title> + <literallayout> view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> { match-clients { <replaceable>address_match_element</replaceable>; ... }; match-destinations { <replaceable>address_match_element</replaceable>; ... }; @@ -336,7 +358,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> ... }; - server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) { + server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) { ... }; @@ -359,8 +381,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented additional-from-auth <replaceable>boolean</replaceable>; additional-from-cache <replaceable>boolean</replaceable>; - query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; - query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; cleaning-interval <replaceable>integer</replaceable>; min-roots <replaceable>integer</replaceable>; // not implemented lame-ttl <replaceable>integer</replaceable>; @@ -368,9 +390,16 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> max-cache-ttl <replaceable>integer</replaceable>; transfer-format ( many-answers | one-answer ); max-cache-size <replaceable>size_no_default</replaceable>; + max-acache-size <replaceable>size_no_default</replaceable>; + clients-per-query <replaceable>number</replaceable>; + max-clients-per-query <replaceable>number</replaceable>; check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file <replaceable>quoted_string</replaceable>; + check-mx ( fail | warn | ignore ); + check-integrity <replaceable>boolean</replaceable>; + check-mx-cname ( fail | warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + cache-file <replaceable>quoted_string</replaceable>; // test option suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented preferred-glue <replaceable>string</replaceable>; dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { @@ -379,22 +408,34 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ... }; edns-udp-size <replaceable>integer</replaceable>; + max-udp-size <replaceable>integer</replaceable>; root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>; disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... }; dnssec-enable <replaceable>boolean</replaceable>; + dnssec-validation <replaceable>boolean</replaceable>; dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>; - dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>; + dnssec-accept-expired <replaceable>boolean</replaceable>; + + empty-server <replaceable>string</replaceable>; + empty-contact <replaceable>string</replaceable>; + empty-zones-enable <replaceable>boolean</replaceable>; + disable-empty-zone <replaceable>string</replaceable>; + dialup <replaceable>dialuptype</replaceable>; ixfr-from-differences <replaceable>ixfrdiff</replaceable>; allow-query { <replaceable>address_match_element</replaceable>; ... }; + allow-query-cache { <replaceable>address_match_element</replaceable>; ... }; allow-transfer { <replaceable>address_match_element</replaceable>; ... }; + allow-update { <replaceable>address_match_element</replaceable>; ... }; allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... }; + update-check-ksk <replaceable>boolean</replaceable>; notify <replaceable>notifytype</replaceable>; notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + notify-delay <replaceable>seconds</replaceable>; also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... }; @@ -429,6 +470,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> zone-statistics <replaceable>boolean</replaceable>; key-directory <replaceable>quoted_string</replaceable>; + zero-no-soa-ttl <replaceable>boolean</replaceable>; + zero-no-soa-ttl-cache <replaceable>boolean</replaceable>; allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete fetch-glue <replaceable>boolean</replaceable>; // obsolete @@ -436,11 +479,11 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> max-ixfr-log-size <replaceable>size</replaceable>; // obsolete }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>ZONE</title> -<literallayout> + <refsect1> + <title>ZONE</title> + <literallayout> zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> { type ( master | slave | stub | hint | forward | delegation-only ); @@ -455,8 +498,14 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> database <replaceable>string</replaceable>; delegation-only <replaceable>boolean</replaceable>; check-names ( fail | warn | ignore ); + check-mx ( fail | warn | ignore ); + check-integrity <replaceable>boolean</replaceable>; + check-mx-cname ( fail | warn | ignore ); + check-srv-cname ( fail | warn | ignore ); dialup <replaceable>dialuptype</replaceable>; ixfr-from-differences <replaceable>boolean</replaceable>; + journal <replaceable>quoted_string</replaceable>; + zero-no-soa-ttl <replaceable>boolean</replaceable>; allow-query { <replaceable>address_match_element</replaceable>; ... }; allow-transfer { <replaceable>address_match_element</replaceable>; ... }; @@ -467,10 +516,12 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> ( name | subdomain | wildcard | self ) <replaceable>string</replaceable> <replaceable>rrtypelist</replaceable>; ... }; + update-check-ksk <replaceable>boolean</replaceable>; notify <replaceable>notifytype</replaceable>; notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + notify-delay <replaceable>seconds</replaceable>; also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... }; @@ -513,32 +564,29 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete }; </literallayout> -</refsect1> - -<refsect1> -<title>FILES</title> -<para> -<filename>/etc/named.conf</filename> -</para> -</refsect1> - -<refsect1> -<title>SEE ALSO</title> -<para> -<citerefentry> -<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle> -</citerefentry>. -</para> -</refsect1> - -</refentry> -<!-- + </refsect1> + + <refsect1> + <title>FILES</title> + <para><filename>/etc/named.conf</filename> + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle> + </citerefentry>. + </para> + </refsect1> + +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html index b43ee7f..5cd449e 100644 --- a/contrib/bind9/bin/named/named.conf.html +++ b/contrib/bind9/bin/named/named.conf.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -13,15 +13,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.conf.html,v 1.1.4.15 2006/09/13 02:56:21 marka Exp $ --> +<!-- $Id: named.conf.html,v 1.1.2.32 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named.conf</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="id2476275"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><code class="filename">named.conf</code> — configuration file for named</p> @@ -31,33 +31,33 @@ <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549388"></a><h2>DESCRIPTION</h2> -<p> - <code class="filename">named.conf</code> is the configuration file for - <span><strong class="command">named</strong></span>. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: +<a name="id2542042"></a><h2>DESCRIPTION</h2> +<p><code class="filename">named.conf</code> is the configuration file + for + <span><strong class="command">named</strong></span>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. The usual + comment styles are supported: </p> <p> - C style: /* */ + C style: /* */ </p> <p> - C++ style: // to end of line + C++ style: // to end of line </p> <p> - Unix style: # to end of line + Unix style: # to end of line </p> </div> <div class="refsect1" lang="en"> -<a name="id2549417"></a><h2>ACL</h2> +<a name="id2543367"></a><h2>ACL</h2> <div class="literallayout"><p><br> acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> <br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549433"></a><h2>KEY</h2> +<a name="id2543383"></a><h2>KEY</h2> <div class="literallayout"><p><br> key <em class="replaceable"><code>domain_name</code></em> {<br> algorithm <em class="replaceable"><code>string</code></em>;<br> @@ -66,7 +66,7 @@ key <em class="replaceable"><code>domain_name</code></em> {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549452"></a><h2>MASTERS</h2> +<a name="id2543402"></a><h2>MASTERS</h2> <div class="literallayout"><p><br> masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> @@ -75,11 +75,13 @@ masters <em class="replaceable"><code>string</code></em> [<span class="optional" </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549498"></a><h2>SERVER</h2> +<a name="id2543448"></a><h2>SERVER</h2> <div class="literallayout"><p><br> -server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br> +server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br> bogus <em class="replaceable"><code>boolean</code></em>;<br> edns <em class="replaceable"><code>boolean</code></em>;<br> + edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br> request-ixfr <em class="replaceable"><code>boolean</code></em>;<br> keys <em class="replaceable"><code>server_key</code></em>;<br> @@ -95,7 +97,7 @@ server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="rep </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549556"></a><h2>TRUSTED-KEYS</h2> +<a name="id2543516"></a><h2>TRUSTED-KEYS</h2> <div class="literallayout"><p><br> trusted-keys {<br> <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br> @@ -103,7 +105,7 @@ trusted-keys {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549581"></a><h2>CONTROLS</h2> +<a name="id2543542"></a><h2>CONTROLS</h2> <div class="literallayout"><p><br> controls {<br> inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br> @@ -115,7 +117,7 @@ controls {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549617"></a><h2>LOGGING</h2> +<a name="id2543577"></a><h2>LOGGING</h2> <div class="literallayout"><p><br> logging {<br> channel <em class="replaceable"><code>string</code></em> {<br> @@ -133,7 +135,7 @@ logging {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549655"></a><h2>LWRES</h2> +<a name="id2543616"></a><h2>LWRES</h2> <div class="literallayout"><p><br> lwres {<br> listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> @@ -146,7 +148,7 @@ lwres {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549697"></a><h2>OPTIONS</h2> +<a name="id2543657"></a><h2>OPTIONS</h2> <div class="literallayout"><p><br> options {<br> avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br> @@ -155,7 +157,6 @@ options {<br> coresize <em class="replaceable"><code>size</code></em>;<br> datasize <em class="replaceable"><code>size</code></em>;<br> directory <em class="replaceable"><code>quoted_string</code></em>;<br> - cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> dump-file <em class="replaceable"><code>quoted_string</code></em>;<br> files <em class="replaceable"><code>size</code></em>;<br> heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br> @@ -203,8 +204,8 @@ options {<br> rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br> additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br> - query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> - query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> cleaning-interval <em class="replaceable"><code>integer</code></em>;<br> min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br> lame-ttl <em class="replaceable"><code>integer</code></em>;<br> @@ -212,33 +213,52 @@ options {<br> max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br> transfer-format ( many-answers | one-answer );<br> max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + clients-per-query <em class="replaceable"><code>number</code></em>;<br> + max-clients-per-query <em class="replaceable"><code>number</code></em>;<br> check-names ( master | slave | response )<br> ( fail | warn | ignore );<br> - cache-file <em class="replaceable"><code>quoted_string</code></em>;<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> + cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> preferred-glue <em class="replaceable"><code>string</code></em>;<br> dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br> - }<br> + };<br> edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br> disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br> dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br> dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br> dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br> +<br> + empty-server <em class="replaceable"><code>string</code></em>;<br> + empty-contact <em class="replaceable"><code>string</code></em>;<br> + empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br> + disable-empty-zone <em class="replaceable"><code>string</code></em>;<br> <br> dialup <em class="replaceable"><code>dialuptype</code></em>;<br> ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br> <br> allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> <br> notify <em class="replaceable"><code>notifytype</code></em>;<br> notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br> allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> @@ -273,6 +293,8 @@ options {<br> <br> zone-statistics <em class="replaceable"><code>boolean</code></em>;<br> key-directory <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> + zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br> <br> allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br> deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br> @@ -290,7 +312,7 @@ options {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2550312"></a><h2>VIEW</h2> +<a name="id2544400"></a><h2>VIEW</h2> <div class="literallayout"><p><br> view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> @@ -306,7 +328,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c ...<br> };<br> <br> - server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br> + server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br> ...<br> };<br> <br> @@ -329,8 +351,8 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br> additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br> - query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> - query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> cleaning-interval <em class="replaceable"><code>integer</code></em>;<br> min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br> lame-ttl <em class="replaceable"><code>integer</code></em>;<br> @@ -338,9 +360,16 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br> transfer-format ( many-answers | one-answer );<br> max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + clients-per-query <em class="replaceable"><code>number</code></em>;<br> + max-clients-per-query <em class="replaceable"><code>number</code></em>;<br> check-names ( master | slave | response )<br> ( fail | warn | ignore );<br> - cache-file <em class="replaceable"><code>quoted_string</code></em>;<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> + cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> preferred-glue <em class="replaceable"><code>string</code></em>;<br> dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> @@ -349,22 +378,34 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br> };<br> edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br> disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br> dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br> dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br> -<br> dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br> +<br> + empty-server <em class="replaceable"><code>string</code></em>;<br> + empty-contact <em class="replaceable"><code>string</code></em>;<br> + empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br> + disable-empty-zone <em class="replaceable"><code>string</code></em>;<br> +<br> dialup <em class="replaceable"><code>dialuptype</code></em>;<br> ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br> <br> allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> <br> notify <em class="replaceable"><code>notifytype</code></em>;<br> notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br> allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> @@ -399,6 +440,8 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c <br> zone-statistics <em class="replaceable"><code>boolean</code></em>;<br> key-directory <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> + zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br> <br> allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br> fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br> @@ -408,7 +451,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2550878"></a><h2>ZONE</h2> +<a name="id2544964"></a><h2>ZONE</h2> <div class="literallayout"><p><br> zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> type ( master | slave | stub | hint |<br> @@ -424,8 +467,14 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c database <em class="replaceable"><code>string</code></em>;<br> delegation-only <em class="replaceable"><code>boolean</code></em>;<br> check-names ( fail | warn | ignore );<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> dialup <em class="replaceable"><code>dialuptype</code></em>;<br> ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br> + journal <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> <br> allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> @@ -436,10 +485,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c ( name | subdomain | wildcard | self ) <em class="replaceable"><code>string</code></em><br> <em class="replaceable"><code>rrtypelist</code></em>; ...<br> };<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> <br> notify <em class="replaceable"><code>notifytype</code></em>;<br> notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br> allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> @@ -484,18 +535,16 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2551216"></a><h2>FILES</h2> -<p> -<code class="filename">/etc/named.conf</code> -</p> +<a name="id2545316"></a><h2>FILES</h2> +<p><code class="filename">/etc/named.conf</code> + </p> </div> <div class="refsect1" lang="en"> -<a name="id2551228"></a><h2>SEE ALSO</h2> -<p> -<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, -<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, -<span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>. -</p> +<a name="id2545328"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>. + </p> </div> </div></body> </html> diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook index f7cae12..f648b9d 100644 --- a/contrib/bind9/bin/named/named.docbook +++ b/contrib/bind9/bin/named/named.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.docbook,v 1.5.98.7 2006/01/17 23:49:30 marka Exp $ --> - -<refentry> +<!-- $Id: named.docbook,v 1.7.18.8 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.named"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> @@ -31,11 +30,17 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>named</application></refname> + <refpurpose>Internet domain name server</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -46,11 +51,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>named</application></refname> - <refpurpose>Internet domain name server</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>named</command> @@ -72,16 +72,17 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>named</command> is a Domain Name System (DNS) server, - part of the BIND 9 distribution from ISC. For more - information on the DNS, see RFCs 1033, 1034, and 1035. + <para><command>named</command> + is a Domain Name System (DNS) server, + part of the BIND 9 distribution from ISC. For more + information on the DNS, see RFCs 1033, 1034, and 1035. </para> <para> - When invoked without arguments, <command>named</command> will - read the default configuration file - <filename>/etc/named.conf</filename>, read any initial - data, and listen for queries. + When invoked without arguments, <command>named</command> + will + read the default configuration file + <filename>/etc/named.conf</filename>, read any initial + data, and listen for queries. </para> </refsect1> @@ -90,189 +91,183 @@ <variablelist> <varlistentry> - <term>-4</term> - <listitem> - <para> - Use IPv4 only even if the host machine is capable of IPv6. - <option>-4</option> and <option>-6</option> are mutually - exclusive. + <term>-4</term> + <listitem> + <para> + Use IPv4 only even if the host machine is capable of IPv6. + <option>-4</option> and <option>-6</option> are mutually + exclusive. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-6</term> - <listitem> - <para> - Use IPv6 only even if the host machine is capable of IPv4. - <option>-4</option> and <option>-6</option> are mutually - exclusive. + <term>-6</term> + <listitem> + <para> + Use IPv6 only even if the host machine is capable of IPv4. + <option>-4</option> and <option>-6</option> are mutually + exclusive. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-c <replaceable class="parameter">config-file</replaceable></term> - <listitem> - <para> - Use <replaceable - class="parameter">config-file</replaceable> as the - configuration file instead of the default, - <filename>/etc/named.conf</filename>. To - ensure that reloading the configuration file continues - to work after the server has changed its working - directory due to to a possible - <option>directory</option> option in the configuration - file, <replaceable - class="parameter">config-file</replaceable> should be - an absolute pathname. + <term>-c <replaceable class="parameter">config-file</replaceable></term> + <listitem> + <para> + Use <replaceable class="parameter">config-file</replaceable> as the + configuration file instead of the default, + <filename>/etc/named.conf</filename>. To + ensure that reloading the configuration file continues + to work after the server has changed its working + directory due to to a possible + <option>directory</option> option in the configuration + file, <replaceable class="parameter">config-file</replaceable> should be + an absolute pathname. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-d <replaceable class="parameter">debug-level</replaceable></term> - <listitem> - <para> - Set the daemon's debug level to <replaceable - class="parameter">debug-level</replaceable>. - Debugging traces from <command>named</command> become - more verbose as the debug level increases. + <term>-d <replaceable class="parameter">debug-level</replaceable></term> + <listitem> + <para> + Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>. + Debugging traces from <command>named</command> become + more verbose as the debug level increases. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-f</term> - <listitem> - <para> - Run the server in the foreground (i.e. do not daemonize). + <term>-f</term> + <listitem> + <para> + Run the server in the foreground (i.e. do not daemonize). </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-g</term> - <listitem> - <para> - Run the server in the foreground and force all logging - to <filename>stderr</filename>. + <term>-g</term> + <listitem> + <para> + Run the server in the foreground and force all logging + to <filename>stderr</filename>. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-n <replaceable class="parameter">#cpus</replaceable></term> - <listitem> - <para> - Create <replaceable - class="parameter">#cpus</replaceable> worker threads - to take advantage of multiple CPUs. If not specified, - <command>named</command> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + <term>-n <replaceable class="parameter">#cpus</replaceable></term> + <listitem> + <para> + Create <replaceable class="parameter">#cpus</replaceable> worker threads + to take advantage of multiple CPUs. If not specified, + <command>named</command> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-p <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Listen for queries on port <replaceable - class="parameter">port</replaceable>. If not - specified, the default is port 53. + <term>-p <replaceable class="parameter">port</replaceable></term> + <listitem> + <para> + Listen for queries on port <replaceable class="parameter">port</replaceable>. If not + specified, the default is port 53. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-s</term> - <listitem> - <para> - Write memory usage statistics to <filename>stdout</filename> on exit. + <term>-s</term> + <listitem> + <para> + Write memory usage statistics to <filename>stdout</filename> on exit. </para> - <note> - <para> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </para> - </note> - </listitem> + <note> + <para> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </para> + </note> + </listitem> </varlistentry> <varlistentry> - <term>-t <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - <function>chroot()</function> to <replaceable - class="parameter">directory</replaceable> after - processing the command line arguments, but before - reading the configuration file. + <term>-t <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para><function>chroot()</function> + to <replaceable class="parameter">directory</replaceable> after + processing the command line arguments, but before + reading the configuration file. </para> - <warning> - <para> - This option should be used in conjunction with the - <option>-u</option> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <function>chroot()</function> is - defined allows a process with root privileges to - escape a chroot jail. - </para> - </warning> - </listitem> + <warning> + <para> + This option should be used in conjunction with the + <option>-u</option> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <function>chroot()</function> is + defined allows a process with root privileges to + escape a chroot jail. + </para> + </warning> + </listitem> </varlistentry> <varlistentry> - <term>-u <replaceable class="parameter">user</replaceable></term> - <listitem> - <para> - <function>setuid()</function> to <replaceable - class="parameter">user</replaceable> after completing - privileged operations, such as creating sockets that - listen on privileged ports. + <term>-u <replaceable class="parameter">user</replaceable></term> + <listitem> + <para><function>setuid()</function> + to <replaceable class="parameter">user</replaceable> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </para> - <note> - <para> - On Linux, <command>named</command> uses the kernel's - capability mechanism to drop all root privileges - except the ability to <function>bind()</function> to a - privileged port and set process resource limits. - Unfortunately, this means that the <option>-u</option> - option only works when <command>named</command> is run - on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or - later, since previous kernels did not allow privileges - to be retained after <function>setuid()</function>. - </para> - </note> - </listitem> + <note> + <para> + On Linux, <command>named</command> uses the kernel's + capability mechanism to drop all root privileges + except the ability to <function>bind()</function> to + a + privileged port and set process resource limits. + Unfortunately, this means that the <option>-u</option> + option only works when <command>named</command> is + run + on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or + later, since previous kernels did not allow privileges + to be retained after <function>setuid()</function>. + </para> + </note> + </listitem> </varlistentry> <varlistentry> - <term>-v</term> - <listitem> - <para> - Report the version number and exit. + <term>-v</term> + <listitem> + <para> + Report the version number and exit. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-x <replaceable class="parameter">cache-file</replaceable></term> - <listitem> - <para> - Load data from <replaceable - class="parameter">cache-file</replaceable> into the - cache of the default view. + <term>-x <replaceable class="parameter">cache-file</replaceable></term> + <listitem> + <para> + Load data from <replaceable class="parameter">cache-file</replaceable> into the + cache of the default view. </para> - <warning> - <para> - This option must not be used. It is only of interest - to BIND 9 developers and may be removed or changed in a - future release. - </para> - </warning> - </listitem> + <warning> + <para> + This option must not be used. It is only of interest + to BIND 9 developers and may be removed or changed in a + future release. + </para> + </warning> + </listitem> </varlistentry> </variablelist> @@ -282,35 +277,35 @@ <refsect1> <title>SIGNALS</title> <para> - In routine operation, signals should not be used to control - the nameserver; <command>rndc</command> should be used - instead. + In routine operation, signals should not be used to control + the nameserver; <command>rndc</command> should be used + instead. </para> <variablelist> <varlistentry> - <term>SIGHUP</term> - <listitem> - <para> - Force a reload of the server. + <term>SIGHUP</term> + <listitem> + <para> + Force a reload of the server. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>SIGINT, SIGTERM</term> - <listitem> - <para> - Shut down the server. + <term>SIGINT, SIGTERM</term> + <listitem> + <para> + Shut down the server. </para> - </listitem> + </listitem> </varlistentry> </variablelist> <para> - The result of sending any other signals to the server is undefined. + The result of sending any other signals to the server is undefined. </para> </refsect1> @@ -318,10 +313,10 @@ <refsect1> <title>CONFIGURATION</title> <para> - The <command>named</command> configuration file is too complex - to describe in detail here. A complete description is - provided in the <citetitle>BIND 9 Administrator Reference - Manual</citetitle>. + The <command>named</command> configuration file is too complex + to describe in detail here. A complete description is provided + in the + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> </refsect1> @@ -331,21 +326,21 @@ <variablelist> <varlistentry> - <term><filename>/etc/named.conf</filename></term> - <listitem> - <para> - The default configuration file. + <term><filename>/etc/named.conf</filename></term> + <listitem> + <para> + The default configuration file. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term><filename>/var/run/named.pid</filename></term> - <listitem> - <para> - The default process-id file. + <term><filename>/var/run/named.pid</filename></term> + <listitem> + <para> + The default process-id file. </para> - </listitem> + </listitem> </varlistentry> </variablelist> @@ -354,37 +349,32 @@ <refsect1> <title>SEE ALSO</title> - <para> - <citetitle>RFC 1033</citetitle>, - <citetitle>RFC 1034</citetitle>, - <citetitle>RFC 1035</citetitle>, - <citerefentry> - <refentrytitle>rndc</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>lwresd</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>named.conf</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry>, - <citetitle>BIND 9 Administrator Reference Manual</citetitle>. + <para><citetitle>RFC 1033</citetitle>, + <citetitle>RFC 1034</citetitle>, + <citetitle>RFC 1035</citetitle>, + <citerefentry> + <refentrytitle>rndc</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>lwresd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> </refsect1> <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html index 6e77e5b..1839e4a 100644 --- a/contrib/bind9/bin/named/named.html +++ b/contrib/bind9/bin/named/named.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.html,v 1.4.2.1.4.13 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: named.html,v 1.6.18.18 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.named"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">named</span> — Internet domain name server</p> @@ -32,209 +32,210 @@ <div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549491"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">named</strong></span> is a Domain Name System (DNS) server, - part of the BIND 9 distribution from ISC. For more - information on the DNS, see RFCs 1033, 1034, and 1035. +<a name="id2543444"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">named</strong></span> + is a Domain Name System (DNS) server, + part of the BIND 9 distribution from ISC. For more + information on the DNS, see RFCs 1033, 1034, and 1035. </p> <p> - When invoked without arguments, <span><strong class="command">named</strong></span> will - read the default configuration file - <code class="filename">/etc/named.conf</code>, read any initial - data, and listen for queries. + When invoked without arguments, <span><strong class="command">named</strong></span> + will + read the default configuration file + <code class="filename">/etc/named.conf</code>, read any initial + data, and listen for queries. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549516"></a><h2>OPTIONS</h2> +<a name="id2543468"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-4</span></dt> <dd><p> - Use IPv4 only even if the host machine is capable of IPv6. - <code class="option">-4</code> and <code class="option">-6</code> are mutually - exclusive. + Use IPv4 only even if the host machine is capable of IPv6. + <code class="option">-4</code> and <code class="option">-6</code> are mutually + exclusive. </p></dd> <dt><span class="term">-6</span></dt> <dd><p> - Use IPv6 only even if the host machine is capable of IPv4. - <code class="option">-4</code> and <code class="option">-6</code> are mutually - exclusive. + Use IPv6 only even if the host machine is capable of IPv4. + <code class="option">-4</code> and <code class="option">-6</code> are mutually + exclusive. </p></dd> <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> <dd><p> - Use <em class="replaceable"><code>config-file</code></em> as the - configuration file instead of the default, - <code class="filename">/etc/named.conf</code>. To - ensure that reloading the configuration file continues - to work after the server has changed its working - directory due to to a possible - <code class="option">directory</code> option in the configuration - file, <em class="replaceable"><code>config-file</code></em> should be - an absolute pathname. + Use <em class="replaceable"><code>config-file</code></em> as the + configuration file instead of the default, + <code class="filename">/etc/named.conf</code>. To + ensure that reloading the configuration file continues + to work after the server has changed its working + directory due to to a possible + <code class="option">directory</code> option in the configuration + file, <em class="replaceable"><code>config-file</code></em> should be + an absolute pathname. </p></dd> <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> <dd><p> - Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. - Debugging traces from <span><strong class="command">named</strong></span> become - more verbose as the debug level increases. + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">named</strong></span> become + more verbose as the debug level increases. </p></dd> <dt><span class="term">-f</span></dt> <dd><p> - Run the server in the foreground (i.e. do not daemonize). + Run the server in the foreground (i.e. do not daemonize). </p></dd> <dt><span class="term">-g</span></dt> <dd><p> - Run the server in the foreground and force all logging - to <code class="filename">stderr</code>. + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. </p></dd> <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> <dd><p> - Create <em class="replaceable"><code>#cpus</code></em> worker threads - to take advantage of multiple CPUs. If not specified, - <span><strong class="command">named</strong></span> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + Create <em class="replaceable"><code>#cpus</code></em> worker threads + to take advantage of multiple CPUs. If not specified, + <span><strong class="command">named</strong></span> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Listen for queries on port <em class="replaceable"><code>port</code></em>. If not - specified, the default is port 53. + Listen for queries on port <em class="replaceable"><code>port</code></em>. If not + specified, the default is port 53. </p></dd> <dt><span class="term">-s</span></dt> <dd> <p> - Write memory usage statistics to <code class="filename">stdout</code> on exit. + Write memory usage statistics to <code class="filename">stdout</code> on exit. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </p> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </p> </div> </dd> <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> <dd> -<p> - <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after - processing the command line arguments, but before - reading the configuration file. +<p><code class="function">chroot()</code> + to <em class="replaceable"><code>directory</code></em> after + processing the command line arguments, but before + reading the configuration file. </p> <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Warning</h3> <p> - This option should be used in conjunction with the - <code class="option">-u</code> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <code class="function">chroot()</code> is - defined allows a process with root privileges to - escape a chroot jail. - </p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <code class="function">chroot()</code> is + defined allows a process with root privileges to + escape a chroot jail. + </p> </div> </dd> <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> <dd> -<p> - <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing - privileged operations, such as creating sockets that - listen on privileged ports. +<p><code class="function">setuid()</code> + to <em class="replaceable"><code>user</code></em> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - On Linux, <span><strong class="command">named</strong></span> uses the kernel's - capability mechanism to drop all root privileges - except the ability to <code class="function">bind()</code> to a - privileged port and set process resource limits. - Unfortunately, this means that the <code class="option">-u</code> - option only works when <span><strong class="command">named</strong></span> is run - on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or - later, since previous kernels did not allow privileges - to be retained after <code class="function">setuid()</code>. - </p> + On Linux, <span><strong class="command">named</strong></span> uses the kernel's + capability mechanism to drop all root privileges + except the ability to <code class="function">bind()</code> to + a + privileged port and set process resource limits. + Unfortunately, this means that the <code class="option">-u</code> + option only works when <span><strong class="command">named</strong></span> is + run + on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or + later, since previous kernels did not allow privileges + to be retained after <code class="function">setuid()</code>. + </p> </div> </dd> <dt><span class="term">-v</span></dt> <dd><p> - Report the version number and exit. + Report the version number and exit. </p></dd> <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt> <dd> <p> - Load data from <em class="replaceable"><code>cache-file</code></em> into the - cache of the default view. + Load data from <em class="replaceable"><code>cache-file</code></em> into the + cache of the default view. </p> <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Warning</h3> <p> - This option must not be used. It is only of interest - to BIND 9 developers and may be removed or changed in a - future release. - </p> + This option must not be used. It is only of interest + to BIND 9 developers and may be removed or changed in a + future release. + </p> </div> </dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2550002"></a><h2>SIGNALS</h2> +<a name="id2543813"></a><h2>SIGNALS</h2> <p> - In routine operation, signals should not be used to control - the nameserver; <span><strong class="command">rndc</strong></span> should be used - instead. + In routine operation, signals should not be used to control + the nameserver; <span><strong class="command">rndc</strong></span> should be used + instead. </p> <div class="variablelist"><dl> <dt><span class="term">SIGHUP</span></dt> <dd><p> - Force a reload of the server. + Force a reload of the server. </p></dd> <dt><span class="term">SIGINT, SIGTERM</span></dt> <dd><p> - Shut down the server. + Shut down the server. </p></dd> </dl></div> <p> - The result of sending any other signals to the server is undefined. + The result of sending any other signals to the server is undefined. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550049"></a><h2>CONFIGURATION</h2> +<a name="id2543861"></a><h2>CONFIGURATION</h2> <p> - The <span><strong class="command">named</strong></span> configuration file is too complex - to describe in detail here. A complete description is - provided in the <em class="citetitle">BIND 9 Administrator Reference - Manual</em>. + The <span><strong class="command">named</strong></span> configuration file is too complex + to describe in detail here. A complete description is provided + in the + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550066"></a><h2>FILES</h2> +<a name="id2543878"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt> <dd><p> - The default configuration file. + The default configuration file. </p></dd> <dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt> <dd><p> - The default process-id file. + The default process-id file. </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2550105"></a><h2>SEE ALSO</h2> -<p> - <em class="citetitle">RFC 1033</em>, - <em class="citetitle">RFC 1034</em>, - <em class="citetitle">RFC 1035</em>, - <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, - <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>, - <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>, - <em class="citetitle">BIND 9 Administrator Reference Manual</em>. +<a name="id2543917"></a><h2>SEE ALSO</h2> +<p><em class="citetitle">RFC 1033</em>, + <em class="citetitle">RFC 1034</em>, + <em class="citetitle">RFC 1035</em>, + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550157"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543969"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/named/notify.c b/contrib/bind9/bin/named/notify.c index e3c5b2a..db2be71 100644 --- a/contrib/bind9/bin/named/notify.c +++ b/contrib/bind9/bin/named/notify.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: notify.c,v 1.24.2.2.2.7 2004/08/28 06:25:30 marka Exp $ */ +/* $Id: notify.c,v 1.30.18.3 2005/04/29 00:15:26 marka Exp $ */ #include <config.h> @@ -32,8 +32,9 @@ #include <named/log.h> #include <named/notify.h> -/* - * This module implements notify as in RFC 1996. +/*! \file + * \brief + * This module implements notify as in RFC1996. */ static void diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index c0a76a8..f30c07c 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.198.2.13.4.43 2006/08/31 03:57:11 marka Exp $ */ +/* $Id: query.c,v 1.257.18.36.12.1 2007/04/30 01:10:19 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -27,8 +29,13 @@ #include <dns/adb.h> #include <dns/byaddr.h> #include <dns/db.h> +#ifdef DLZ +#include <dns/dlz.h> +#endif +#include <dns/dnssec.h> #include <dns/events.h> #include <dns/message.h> +#include <dns/ncache.h> #include <dns/order.h> #include <dns/rdata.h> #include <dns/rdataclass.h> @@ -51,24 +58,34 @@ #include <named/sortlist.h> #include <named/xfrout.h> +/*% Partial answer? */ #define PARTIALANSWER(c) (((c)->query.attributes & \ NS_QUERYATTR_PARTIALANSWER) != 0) +/*% Use Cache? */ #define USECACHE(c) (((c)->query.attributes & \ NS_QUERYATTR_CACHEOK) != 0) +/*% Recursion OK? */ #define RECURSIONOK(c) (((c)->query.attributes & \ NS_QUERYATTR_RECURSIONOK) != 0) +/*% Recursing? */ #define RECURSING(c) (((c)->query.attributes & \ NS_QUERYATTR_RECURSING) != 0) +/*% Cache glue ok? */ #define CACHEGLUEOK(c) (((c)->query.attributes & \ NS_QUERYATTR_CACHEGLUEOK) != 0) +/*% Want Recursion? */ #define WANTRECURSION(c) (((c)->query.attributes & \ NS_QUERYATTR_WANTRECURSION) != 0) +/*% Want DNSSEC? */ #define WANTDNSSEC(c) (((c)->attributes & \ NS_CLIENTATTR_WANTDNSSEC) != 0) +/*% No authority? */ #define NOAUTHORITY(c) (((c)->query.attributes & \ NS_QUERYATTR_NOAUTHORITY) != 0) +/*% No additional? */ #define NOADDITIONAL(c) (((c)->query.attributes & \ NS_QUERYATTR_NOADDITIONAL) != 0) +/*% Secure? */ #define SECURE(c) (((c)->query.attributes & \ NS_QUERYATTR_SECURE) != 0) @@ -92,10 +109,19 @@ #define DNS_GETDB_NOLOG 0x02U #define DNS_GETDB_PARTIAL 0x04U +typedef struct client_additionalctx { + ns_client_t *client; + dns_rdataset_t *rdataset; +} client_additionalctx_t; + static void query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype); -/* +static isc_boolean_t +validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); + +/*% * Increment query statistics counters. */ static inline void @@ -144,7 +170,12 @@ query_error(ns_client_t *client, isc_result_t result) { static void query_next(ns_client_t *client, isc_result_t result) { - inc_stats(client, dns_statscounter_failure); + if (result == DNS_R_DUPLICATE) + inc_stats(client, dns_statscounter_duplicate); + else if (result == DNS_R_DROP) + inc_stats(client, dns_statscounter_dropped); + else + inc_stats(client, dns_statscounter_failure); ns_client_next(client, result); } @@ -187,7 +218,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) { isc_buffer_t *dbuf, *dbuf_next; ns_dbversion_t *dbversion, *dbversion_next; - /* + /*% * Reset the query state of a client to its default state. */ @@ -266,7 +297,7 @@ query_newnamebuf(ns_client_t *client) { isc_result_t result; CTRACE("query_newnamebuf"); - /* + /*% * Allocate a name buffer. */ @@ -289,7 +320,7 @@ query_getnamebuf(ns_client_t *client) { isc_region_t r; CTRACE("query_getnamebuf"); - /* + /*% * Return a name buffer with space for a maximal name, allocating * a new one if necessary. */ @@ -325,7 +356,7 @@ query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) { isc_region_t r; CTRACE("query_keepname"); - /* + /*% * 'name' is using space in 'dbuf', but 'dbuf' has not yet been * adjusted to take account of that. We do the adjustment. */ @@ -342,7 +373,7 @@ static inline void query_releasename(ns_client_t *client, dns_name_t **namep) { dns_name_t *name = *namep; - /* + /*% * 'name' is no longer needed. Return it to our pool of temporary * names. If it is using a name buffer, relinquish its exclusive * rights on the buffer. @@ -479,7 +510,7 @@ ns_query_init(ns_client_t *client) { client->query.authdb = NULL; client->query.authzone = NULL; client->query.authdbset = ISC_FALSE; - client->query.isreferral = ISC_FALSE; + client->query.isreferral = ISC_FALSE; query_reset(client, ISC_FALSE); result = query_newdbversion(client, 3); if (result != ISC_R_SUCCESS) { @@ -499,7 +530,7 @@ query_findversion(ns_client_t *client, dns_db_t *db, { ns_dbversion_t *dbversion; - /* + /*% * We may already have done a query related to this * database. If so, we must be sure to make subsequent * queries from the same version. @@ -532,42 +563,23 @@ query_findversion(ns_client_t *client, dns_db_t *db, } static inline isc_result_t -query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, - unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, - dns_dbversion_t **versionp) +query_validatezonedb(ns_client_t *client, dns_name_t *name, + dns_rdatatype_t qtype, unsigned int options, + dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t **versionp) { isc_result_t result; isc_boolean_t check_acl, new_zone; dns_acl_t *queryacl; ns_dbversion_t *dbversion; - unsigned int ztoptions; - dns_zone_t *zone = NULL; - dns_db_t *db = NULL; - isc_boolean_t partial = ISC_FALSE; - REQUIRE(zonep != NULL && *zonep == NULL); - REQUIRE(dbp != NULL && *dbp == NULL); - - /* - * Find a zone database to answer the query. - */ - ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ? - DNS_ZTFIND_NOEXACT : 0; - - result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL, - &zone); - if (result == DNS_R_PARTIALMATCH) - partial = ISC_TRUE; - if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) - result = dns_zone_getdb(zone, &db); - - if (result != ISC_R_SUCCESS) - goto fail; + REQUIRE(zone != NULL); + REQUIRE(db != NULL); /* * This limits our searching to the zone where the first name * (the query target) was looked for. This prevents following - * CNAMES or DNAMES into other zones and prevents returning + * CNAMES or DNAMES into other zones and prevents returning * additional data from other zones. */ if (!client->view->additionalfromauth && @@ -644,7 +656,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, ISC_LOG_DEBUG(3), "%s approved", msg); } - } else { + } else { ns_client_aclmsg("query", name, qtype, client->view->rdclass, msg, sizeof(msg)); @@ -683,17 +695,63 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, */ dbversion->queryok = ISC_TRUE; + /* Transfer ownership, if necessary. */ + if (versionp != NULL) + *versionp = dbversion->version; + + return (ISC_R_SUCCESS); + + refuse: + return (DNS_R_REFUSED); + + fail: + return (result); +} + +static inline isc_result_t +query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, + unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbversion_t **versionp) +{ + isc_result_t result; + unsigned int ztoptions; + dns_zone_t *zone = NULL; + dns_db_t *db = NULL; + isc_boolean_t partial = ISC_FALSE; + + REQUIRE(zonep != NULL && *zonep == NULL); + REQUIRE(dbp != NULL && *dbp == NULL); + + /*% + * Find a zone database to answer the query. + */ + ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ? + DNS_ZTFIND_NOEXACT : 0; + + result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL, + &zone); + if (result == DNS_R_PARTIALMATCH) + partial = ISC_TRUE; + if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) + result = dns_zone_getdb(zone, &db); + + if (result != ISC_R_SUCCESS) + goto fail; + + result = query_validatezonedb(client, name, qtype, options, zone, db, + versionp); + + if (result != ISC_R_SUCCESS) + goto fail; + /* Transfer ownership. */ *zonep = zone; *dbp = db; - *versionp = dbversion->version; if (partial && (options & DNS_GETDB_PARTIAL) != 0) return (DNS_R_PARTIALMATCH); return (ISC_R_SUCCESS); - refuse: - result = DNS_R_REFUSED; fail: if (zone != NULL) dns_zone_detach(&zone); @@ -713,7 +771,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, REQUIRE(dbp != NULL && *dbp == NULL); - /* + /*% * Find a cache database to answer the query. * This may fail with DNS_R_REFUSED if the client * is not allowed to use the cache. @@ -745,7 +803,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, if (check_acl) { isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0); char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; - + result = ns_client_checkaclsilent(client, client->view->queryacl, ISC_TRUE); @@ -811,9 +869,85 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, { isc_result_t result; +#ifdef DLZ + isc_result_t tresult; + unsigned int namelabels; + unsigned int zonelabels; + dns_zone_t *zone = NULL; + dns_db_t *tdbp; + + REQUIRE(zonep != NULL && *zonep == NULL); + + tdbp = NULL; + + /* Calculate how many labels are in name. */ + namelabels = dns_name_countlabels(name); + zonelabels = 0; + + /* Try to find name in bind's standard database. */ + result = query_getzonedb(client, name, qtype, options, &zone, + dbp, versionp); + + /* See how many labels are in the zone's name. */ + if (result == ISC_R_SUCCESS && zone != NULL) + zonelabels = dns_name_countlabels(dns_zone_getorigin(zone)); + /* + * If # zone labels < # name labels, try to find an even better match + * Only try if a DLZ driver is loaded for this view + */ + if (zonelabels < namelabels && client->view->dlzdatabase != NULL) { + tresult = dns_dlzfindzone(client->view, name, + zonelabels, &tdbp); + /* If we successful, we found a better match. */ + if (tresult == ISC_R_SUCCESS) { + /* + * If the previous search returned a zone, detach it. + */ + if (zone != NULL) + dns_zone_detach(&zone); + + /* + * If the previous search returned a database, + * detach it. + */ + if (*dbp != NULL) + dns_db_detach(dbp); + + /* + * If the previous search returned a version, clear it. + */ + *versionp = NULL; + + /* + * Get our database version. + */ + dns_db_currentversion(tdbp, versionp); + + /* + * Be sure to return our database. + */ + *dbp = tdbp; + + /* + * We return a null zone, No stats for DLZ zones. + */ + zone = NULL; + result = tresult; + } + } +#else result = query_getzonedb(client, name, qtype, options, zonep, dbp, versionp); +#endif + + /* If successfull, Transfer ownership of zone. */ if (result == ISC_R_SUCCESS) { +#ifdef DLZ + *zonep = zone; +#endif + /* + * If neither attempt above succeeded, return the cache instead + */ *is_zonep = ISC_TRUE; } else if (result == ISC_R_NOTFOUND) { result = query_getcachedb(client, name, qtype, dbp, options); @@ -975,10 +1109,23 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * Most likely the client isn't allowed to query the cache. */ goto try_glue; - - result = dns_db_find(db, name, version, type, client->query.dboptions, + /* + * Attempt to validate glue. + */ + if (sigrdataset == NULL) { + sigrdataset = query_newrdataset(client); + if (sigrdataset == NULL) + goto cleanup; + } + result = dns_db_find(db, name, version, type, + client->query.dboptions | DNS_DBFIND_GLUEOK, client->now, &node, fname, rdataset, sigrdataset); + if (result == DNS_R_GLUE && + validate(client, db, fname, rdataset, sigrdataset)) + result = ISC_R_SUCCESS; + if (!WANTDNSSEC(client)) + query_putrdataset(client, &sigrdataset); if (result == ISC_R_SUCCESS) goto found; @@ -1192,7 +1339,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * recursing to add address records, which in turn can cause * recursion to add KEYs. */ - if (type == dns_rdatatype_srv && trdataset != NULL) { + if (type == dns_rdatatype_srv && trdataset != NULL) { /* * If we're adding SRV records to the additional data * section, it's helpful if we add the SRV additional data @@ -1222,9 +1369,523 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } static inline void +query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base, + dns_rdatasetadditional_t additionaltype, + dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbversion_t **versionp, dns_dbnode_t **nodep, + dns_name_t *fname) +{ + dns_rdataset_t *rdataset; + + while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) { + ISC_LIST_UNLINK(fname->list, rdataset, link); + query_putrdataset(client, &rdataset); + } + if (*versionp != NULL) + dns_db_closeversion(*dbp, versionp, ISC_FALSE); + if (*nodep != NULL) + dns_db_detachnode(*dbp, nodep); + if (*dbp != NULL) + dns_db_detach(dbp); + if (*zonep != NULL) + dns_zone_detach(zonep); + (void)dns_rdataset_putadditional(client->view->acache, rdataset_base, + additionaltype, type); +} + +static inline isc_result_t +query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0, + dns_dbversion_t *version) +{ + isc_result_t result = ISC_R_SUCCESS; + dns_dbversion_t *version_current = NULL; + dns_db_t *db_current = db0; + + if (db_current == NULL) { + result = dns_zone_getdb(zone, &db_current); + if (result != ISC_R_SUCCESS) + return (result); + } + dns_db_currentversion(db_current, &version_current); + if (db_current != db || version_current != version) { + result = ISC_R_FAILURE; + goto cleanup; + } + + cleanup: + dns_db_closeversion(db_current, &version_current, ISC_FALSE); + if (db0 == NULL && db_current != NULL) + dns_db_detach(&db_current); + + return (result); +} + +static isc_result_t +query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { + client_additionalctx_t *additionalctx = arg; + dns_rdataset_t *rdataset_base; + ns_client_t *client; + isc_result_t result, eresult; + dns_dbnode_t *node, *cnode; + dns_db_t *db, *cdb; + dns_name_t *fname, *mname0, cfname; + dns_rdataset_t *rdataset, *sigrdataset; + dns_rdataset_t *crdataset, *crdataset_next; + isc_buffer_t *dbuf; + isc_buffer_t b; + dns_dbversion_t *version, *cversion; + isc_boolean_t added_something, need_addname, needadditionalcache; + isc_boolean_t need_sigrrset; + dns_zone_t *zone; + dns_rdatatype_t type; + dns_rdatasetadditional_t additionaltype; + + if (qtype != dns_rdatatype_a) { + /* + * This function is optimized for "address" types. For other + * types, use a generic routine. + * XXX: ideally, this function should be generic enough. + */ + return (query_addadditional(additionalctx->client, + name, qtype)); + } + + /* + * Initialization. + */ + rdataset_base = additionalctx->rdataset; + client = additionalctx->client; + REQUIRE(NS_CLIENT_VALID(client)); + eresult = ISC_R_SUCCESS; + fname = NULL; + rdataset = NULL; + sigrdataset = NULL; + db = NULL; + cdb = NULL; + version = NULL; + cversion = NULL; + node = NULL; + cnode = NULL; + added_something = ISC_FALSE; + need_addname = ISC_FALSE; + zone = NULL; + needadditionalcache = ISC_FALSE; + additionaltype = dns_rdatasetadditional_fromauth; + dns_name_init(&cfname, NULL); + + CTRACE("query_addadditional2"); + + /* + * We treat type A additional section processing as if it + * were "any address type" additional section processing. + * To avoid multiple lookups, we do an 'any' database + * lookup and iterate over the node. + * XXXJT: this approach can cause a suboptimal result when the cache + * DB only has partial address types and the glue DB has remaining + * ones. + */ + type = dns_rdatatype_any; + + /* + * Get some resources. + */ + dbuf = query_getnamebuf(client); + if (dbuf == NULL) + goto cleanup; + fname = query_newname(client, dbuf, &b); + if (fname == NULL) + goto cleanup; + dns_name_setbuffer(&cfname, &b); /* share the buffer */ + + /* Check additional cache */ + result = dns_rdataset_getadditional(rdataset_base, additionaltype, + type, client->view->acache, &zone, + &cdb, &cversion, &cnode, &cfname, + client->message, client->now); + if (result != ISC_R_SUCCESS) + goto findauthdb; + if (zone == NULL) { + CTRACE("query_addadditional2: auth zone not found"); + goto try_cache; + } + + /* Is the cached DB up-to-date? */ + result = query_iscachevalid(zone, cdb, NULL, cversion); + if (result != ISC_R_SUCCESS) { + CTRACE("query_addadditional2: old auth additional cache"); + query_discardcache(client, rdataset_base, additionaltype, + type, &zone, &cdb, &cversion, &cnode, + &cfname); + goto findauthdb; + } + + if (cnode == NULL) { + /* + * We have a negative cache. We don't have to check the zone + * ACL, since the result (not using this zone) would be same + * regardless of the result. + */ + CTRACE("query_addadditional2: negative auth additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + dns_db_detach(&cdb); + dns_zone_detach(&zone); + goto try_cache; + } + + result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG, + zone, cdb, NULL); + if (result != ISC_R_SUCCESS) { + query_discardcache(client, rdataset_base, additionaltype, + type, &zone, &cdb, &cversion, &cnode, + &cfname); + goto try_cache; + } + + /* We've got an active cache. */ + CTRACE("query_addadditional2: auth additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + db = cdb; + node = cnode; + dns_name_clone(&cfname, fname); + query_keepname(client, fname, dbuf); + goto foundcache; + + /* + * Look for a zone database that might contain authoritative + * additional data. + */ + findauthdb: + result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG, + &zone, &db, &version); + if (result != ISC_R_SUCCESS) { + /* Cache the negative result */ + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, + NULL, NULL, NULL, NULL, + NULL); + goto try_cache; + } + + CTRACE("query_addadditional2: db_find"); + + /* + * Since we are looking for authoritative data, we do not set + * the GLUEOK flag. Glue will be looked for later, but not + * necessarily in the same database. + */ + node = NULL; + result = dns_db_find(db, name, version, type, client->query.dboptions, + client->now, &node, fname, NULL, NULL); + if (result == ISC_R_SUCCESS) + goto found; + + /* Cache the negative result */ + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, zone, db, + version, NULL, fname); + + if (node != NULL) + dns_db_detachnode(db, &node); + version = NULL; + dns_db_detach(&db); + + /* + * No authoritative data was found. The cache is our next best bet. + */ + + try_cache: + additionaltype = dns_rdatasetadditional_fromcache; + result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG); + if (result != ISC_R_SUCCESS) + /* + * Most likely the client isn't allowed to query the cache. + */ + goto try_glue; + + result = dns_db_find(db, name, version, type, + client->query.dboptions | DNS_DBFIND_GLUEOK, + client->now, &node, fname, NULL, NULL); + if (result == ISC_R_SUCCESS) + goto found; + + if (node != NULL) + dns_db_detachnode(db, &node); + dns_db_detach(&db); + + try_glue: + /* + * No cached data was found. Glue is our last chance. + * RFC1035 sayeth: + * + * NS records cause both the usual additional section + * processing to locate a type A record, and, when used + * in a referral, a special search of the zone in which + * they reside for glue information. + * + * This is the "special search". Note that we must search + * the zone where the NS record resides, not the zone it + * points to, and that we only do the search in the delegation + * case (identified by client->query.gluedb being set). + */ + if (client->query.gluedb == NULL) + goto cleanup; + + /* + * Don't poision caches using the bailiwick protection model. + */ + if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb))) + goto cleanup; + + /* Check additional cache */ + additionaltype = dns_rdatasetadditional_fromglue; + result = dns_rdataset_getadditional(rdataset_base, additionaltype, + type, client->view->acache, NULL, + &cdb, &cversion, &cnode, &cfname, + client->message, client->now); + if (result != ISC_R_SUCCESS) + goto findglue; + + result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion); + if (result != ISC_R_SUCCESS) { + CTRACE("query_addadditional2: old glue additional cache"); + query_discardcache(client, rdataset_base, additionaltype, + type, &zone, &cdb, &cversion, &cnode, + &cfname); + goto findglue; + } + + if (cnode == NULL) { + /* We have a negative cache. */ + CTRACE("query_addadditional2: negative glue additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + dns_db_detach(&cdb); + goto cleanup; + } + + /* Cache hit. */ + CTRACE("query_addadditional2: glue additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + db = cdb; + node = cnode; + dns_name_clone(&cfname, fname); + query_keepname(client, fname, dbuf); + goto foundcache; + + findglue: + dns_db_attach(client->query.gluedb, &db); + result = dns_db_find(db, name, version, type, + client->query.dboptions | DNS_DBFIND_GLUEOK, + client->now, &node, fname, NULL, NULL); + if (!(result == ISC_R_SUCCESS || + result == DNS_R_ZONECUT || + result == DNS_R_GLUE)) { + /* cache the negative result */ + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, + NULL, db, version, NULL, + fname); + goto cleanup; + } + + found: + /* + * We have found a DB node to iterate over from a DB. + * We are going to look for address RRsets (i.e., A and AAAA) in the DB + * node we've just found. We'll then store the complete information + * in the additional data cache. + */ + dns_name_clone(fname, &cfname); + query_keepname(client, fname, dbuf); + needadditionalcache = ISC_TRUE; + + rdataset = query_newrdataset(client); + if (rdataset == NULL) + goto cleanup; + + sigrdataset = query_newrdataset(client); + if (sigrdataset == NULL) + goto cleanup; + + /* + * Find A RRset with sig RRset. Even if we don't find a sig RRset + * for a client using DNSSEC, we'll continue the process to make a + * complete list to be cached. However, we need to cancel the + * caching when something unexpected happens, in order to avoid + * caching incomplete information. + */ + result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0, + client->now, rdataset, sigrdataset); + /* + * If we can't promote glue/pending from the cache to secure + * then drop it. + */ + if (result == ISC_R_SUCCESS && + additionaltype == dns_rdatasetadditional_fromcache && + (rdataset->trust == dns_trust_pending || + rdataset->trust == dns_trust_glue) && + !validate(client, db, fname, rdataset, sigrdataset)) { + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + result = ISC_R_NOTFOUND; + } + if (result == DNS_R_NCACHENXDOMAIN) + goto setcache; + if (result == DNS_R_NCACHENXRRSET) { + dns_rdataset_disassociate(rdataset); + /* + * Negative cache entries don't have sigrdatasets. + */ + INSIST(! dns_rdataset_isassociated(sigrdataset)); + } + if (result == ISC_R_SUCCESS) { + /* Remember the result as a cache */ + ISC_LIST_APPEND(cfname.list, rdataset, link); + if (dns_rdataset_isassociated(sigrdataset)) { + ISC_LIST_APPEND(cfname.list, sigrdataset, link); + sigrdataset = query_newrdataset(client); + } + rdataset = query_newrdataset(client); + if (sigrdataset == NULL || rdataset == NULL) { + /* do not cache incomplete information */ + goto foundcache; + } + } + + /* Find AAAA RRset with sig RRset */ + result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa, + 0, client->now, rdataset, sigrdataset); + /* + * If we can't promote glue/pending from the cache to secure + * then drop it. + */ + if (result == ISC_R_SUCCESS && + additionaltype == dns_rdatasetadditional_fromcache && + (rdataset->trust == dns_trust_pending || + rdataset->trust == dns_trust_glue) && + !validate(client, db, fname, rdataset, sigrdataset)) { + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + result = ISC_R_NOTFOUND; + } + if (result == ISC_R_SUCCESS) { + ISC_LIST_APPEND(cfname.list, rdataset, link); + rdataset = NULL; + if (dns_rdataset_isassociated(sigrdataset)) { + ISC_LIST_APPEND(cfname.list, sigrdataset, link); + sigrdataset = NULL; + } + } + + setcache: + /* + * Set the new result in the cache if required. We do not support + * caching additional data from a cache DB. + */ + if (needadditionalcache == ISC_TRUE && + (additionaltype == dns_rdatasetadditional_fromauth || + additionaltype == dns_rdatasetadditional_fromglue)) { + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, + zone, db, version, node, + &cfname); + } + + foundcache: + need_sigrrset = ISC_FALSE; + mname0 = NULL; + for (crdataset = ISC_LIST_HEAD(cfname.list); + crdataset != NULL; + crdataset = crdataset_next) { + dns_name_t *mname; + + crdataset_next = ISC_LIST_NEXT(crdataset, link); + + mname = NULL; + if (crdataset->type == dns_rdatatype_a || + crdataset->type == dns_rdatatype_aaaa) { + if (!query_isduplicate(client, fname, crdataset->type, + &mname)) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname->link could + * leak below. + */ + INSIST(mname0 == NULL); + + query_releasename(client, &fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; + ISC_LIST_UNLINK(cfname.list, crdataset, link); + ISC_LIST_APPEND(fname->list, crdataset, link); + added_something = ISC_TRUE; + need_sigrrset = ISC_TRUE; + } else + need_sigrrset = ISC_FALSE; + } else if (crdataset->type == dns_rdatatype_rrsig && + need_sigrrset && WANTDNSSEC(client)) { + ISC_LIST_UNLINK(cfname.list, crdataset, link); + ISC_LIST_APPEND(fname->list, crdataset, link); + added_something = ISC_TRUE; /* just in case */ + need_sigrrset = ISC_FALSE; + } + } + + CTRACE("query_addadditional2: addname"); + + /* + * If we haven't added anything, then we're done. + */ + if (!added_something) + goto cleanup; + + /* + * We may have added our rdatasets to an existing name, if so, then + * need_addname will be ISC_FALSE. Whether we used an existing name + * or a new one, we must set fname to NULL to prevent cleanup. + */ + if (need_addname) + dns_message_addname(client->message, fname, + DNS_SECTION_ADDITIONAL); + fname = NULL; + + cleanup: + CTRACE("query_addadditional2: cleanup"); + + if (rdataset != NULL) + query_putrdataset(client, &rdataset); + if (sigrdataset != NULL) + query_putrdataset(client, &sigrdataset); + while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) { + ISC_LIST_UNLINK(cfname.list, crdataset, link); + query_putrdataset(client, &crdataset); + } + if (fname != NULL) + query_releasename(client, &fname); + if (node != NULL) + dns_db_detachnode(db, &node); + if (db != NULL) + dns_db_detach(&db); + if (zone != NULL) + dns_zone_detach(&zone); + + CTRACE("query_addadditional2: done"); + return (eresult); +} + +static inline void query_addrdataset(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { + client_additionalctx_t additionalctx; + /* * Add 'rdataset' and any pertinent additional data to * 'fname', a name in the response message for 'client'. @@ -1238,6 +1899,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, rdataset->attributes |= dns_order_find(client->view->order, fname, rdataset->type, rdataset->rdclass); + rdataset->attributes |= DNS_RDATASETATTR_LOADORDER; + if (NOADDITIONAL(client)) return; @@ -1246,8 +1909,10 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, * * We don't care if dns_rdataset_additionaldata() fails. */ - (void)dns_rdataset_additionaldata(rdataset, - query_addadditional, client); + additionalctx.client = client; + additionalctx.rdataset = rdataset; + (void)dns_rdataset_additionaldata(rdataset, query_addadditional2, + &additionalctx); CTRACE("query_addrdataset: done"); } @@ -1260,7 +1925,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, *mrdataset, *sigrdataset; isc_result_t result; - /* + /*% * To the current response for 'client', add the answer RRset * '*rdatasetp' and an optional signature set '*sigrdatasetp', with * owner name '*namep', to section 'section', unless they are @@ -1328,11 +1993,12 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, } static inline isc_result_t -query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { - dns_name_t *name, *fname; +query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, + isc_boolean_t zero_ttl) +{ + dns_name_t *name; dns_dbnode_t *node; isc_result_t result, eresult; - dns_fixedname_t foundname; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; dns_rdataset_t **sigrdatasetp = NULL; @@ -1344,8 +2010,6 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { name = NULL; rdataset = NULL; node = NULL; - dns_fixedname_init(&foundname); - fname = dns_fixedname_name(&foundname); /* * Get resources and make 'name' be the database origin. @@ -1371,9 +2035,23 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { /* * Find the SOA. */ - result = dns_db_find(db, name, NULL, dns_rdatatype_soa, - client->query.dboptions, 0, &node, - fname, rdataset, sigrdataset); + result = dns_db_getoriginnode(db, &node); + if (result == ISC_R_SUCCESS) { + result = dns_db_findrdataset(db, node, version, + dns_rdatatype_soa, + 0, client->now, rdataset, + sigrdataset); + } else { + dns_fixedname_t foundname; + dns_name_t *fname; + + dns_fixedname_init(&foundname); + fname = dns_fixedname_name(&foundname); + + result = dns_db_find(db, name, version, dns_rdatatype_soa, + client->query.dboptions, 0, &node, + fname, rdataset, sigrdataset); + } if (result != ISC_R_SUCCESS) { /* * This is bad. We tried to get the SOA RR at the zone top @@ -1429,7 +2107,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { } static inline isc_result_t -query_addns(ns_client_t *client, dns_db_t *db) { +query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { dns_name_t *name, *fname; dns_dbnode_t *node; isc_result_t result, eresult; @@ -1476,13 +2154,22 @@ query_addns(ns_client_t *client, dns_db_t *db) { /* * Find the NS rdataset. */ - CTRACE("query_addns: calling dns_db_find"); - result = dns_db_find(db, name, NULL, dns_rdatatype_ns, - client->query.dboptions, 0, &node, - fname, rdataset, sigrdataset); - CTRACE("query_addns: dns_db_find complete"); + result = dns_db_getoriginnode(db, &node); + if (result == ISC_R_SUCCESS) { + result = dns_db_findrdataset(db, node, version, + dns_rdatatype_ns, + 0, client->now, rdataset, + sigrdataset); + } else { + CTRACE("query_addns: calling dns_db_find"); + result = dns_db_find(db, name, NULL, dns_rdatatype_ns, + client->query.dboptions, 0, &node, + fname, rdataset, sigrdataset); + CTRACE("query_addns: dns_db_find complete"); + } if (result != ISC_R_SUCCESS) { - CTRACE("query_addns: dns_db_find failed"); + CTRACE("query_addns: " + "dns_db_findrdataset or dns_db_find failed"); /* * This is bad. We tried to get the NS rdataset at the zone * top and it didn't work! @@ -1575,6 +2262,161 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname, return (ISC_R_SUCCESS); } +/* + * Mark the RRsets as secure. Update the cache (db) to reflect the + * change in trust level. + */ +static void +mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) +{ + isc_result_t result; + dns_dbnode_t *node = NULL; + + rdataset->trust = dns_trust_secure; + sigrdataset->trust = dns_trust_secure; + + /* + * Save the updated secure state. Ignore failures. + */ + result = dns_db_findnode(db, name, ISC_TRUE, &node); + if (result != ISC_R_SUCCESS) + return; + (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset, + 0, NULL); + (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset, + 0, NULL); + dns_db_detachnode(db, &node); +} + +/* + * Find the secure key that corresponds to rrsig. + * Note: 'keyrdataset' maintains state between sucessive calls, + * there may be multiple keys with the same keyid. + * Return ISC_FALSE if we have exhausted all the possible keys. + */ +static isc_boolean_t +get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, + dns_rdataset_t *keyrdataset, dst_key_t **keyp) +{ + isc_result_t result; + dns_dbnode_t *node = NULL; + isc_boolean_t secure = ISC_FALSE; + + if (!dns_rdataset_isassociated(keyrdataset)) { + result = dns_db_findnode(db, &rrsig->signer, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) + return (ISC_FALSE); + + result = dns_db_findrdataset(db, node, NULL, + dns_rdatatype_dnskey, 0, + client->now, keyrdataset, NULL); + dns_db_detachnode(db, &node); + if (result != ISC_R_SUCCESS) + return (ISC_FALSE); + + if (keyrdataset->trust != dns_trust_secure) + return (ISC_FALSE); + + result = dns_rdataset_first(keyrdataset); + } else + result = dns_rdataset_next(keyrdataset); + + for ( ; result == ISC_R_SUCCESS; + result = dns_rdataset_next(keyrdataset)) { + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_buffer_t b; + + dns_rdataset_current(keyrdataset, &rdata); + isc_buffer_init(&b, rdata.data, rdata.length); + isc_buffer_add(&b, rdata.length); + result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b, + client->mctx, keyp); + if (result != ISC_R_SUCCESS) + continue; + if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) && + rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) && + dst_key_iszonekey(*keyp)) { + secure = ISC_TRUE; + break; + } + dst_key_free(keyp); + } + return (secure); +} + +static isc_boolean_t +verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired) +{ + isc_result_t result; + dns_fixedname_t fixed; + isc_boolean_t ignore = ISC_FALSE; + + dns_fixedname_init(&fixed); + +again: + result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx, + rdata, NULL); + if (result == DNS_R_SIGEXPIRED && acceptexpired) { + ignore = ISC_TRUE; + goto again; + } + if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) + return (ISC_TRUE); + return (ISC_FALSE); +} + +/* + * Validate the rdataset if possible with available records. + */ +static isc_boolean_t +validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) +{ + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_rrsig_t rrsig; + dst_key_t *key = NULL; + dns_rdataset_t keyrdataset; + + if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)) + return (ISC_FALSE); + + for (result = dns_rdataset_first(sigrdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(sigrdataset)) { + + dns_rdata_reset(&rdata); + dns_rdataset_current(sigrdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &rrsig, NULL); + if (result != ISC_R_SUCCESS) + return (ISC_FALSE); + if (!dns_resolver_algorithm_supported(client->view->resolver, + name, rrsig.algorithm)) + continue; + if (!dns_name_issubdomain(name, &rrsig.signer)) + continue; + dns_rdataset_init(&keyrdataset); + do { + if (!get_key(client, db, &rrsig, &keyrdataset, &key)) + break; + if (verify(key, name, rdataset, &rdata, client->mctx, + client->view->acceptexpired)) { + dst_key_free(&key); + dns_rdataset_disassociate(&keyrdataset); + mark_secure(client, db, name, rdataset, + sigrdataset); + return (ISC_TRUE); + } + dst_key_free(&key); + } while (1); + if (dns_rdataset_isassociated(&keyrdataset)) + dns_rdataset_disassociate(&keyrdataset); + } + return (ISC_FALSE); +} + static void query_addbestns(ns_client_t *client) { dns_db_t *db, *zdb; @@ -1622,7 +2464,11 @@ query_addbestns(ns_client_t *client) { rdataset = query_newrdataset(client); if (fname == NULL || rdataset == NULL) goto cleanup; - if (WANTDNSSEC(client)) { + /* + * Get the RRSIGs if the client requested them or if we may + * need to validate answers from the cache. + */ + if (WANTDNSSEC(client) || !is_zone) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) goto cleanup; @@ -1698,16 +2544,27 @@ query_addbestns(ns_client_t *client) { zsigrdataset = NULL; } - if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 && - (rdataset->trust == dns_trust_pending || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))) + /* + * Attempt to validate RRsets that are pending or that are glue. + */ + if ((rdataset->trust == dns_trust_pending || + (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)) + && !validate(client, db, fname, rdataset, sigrdataset) && + (client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0) goto cleanup; - if (WANTDNSSEC(client) && SECURE(client) && - (rdataset->trust == dns_trust_glue || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue))) + if ((rdataset->trust == dns_trust_glue || + (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) && + !validate(client, db, fname, rdataset, sigrdataset) && + SECURE(client) && WANTDNSSEC(client)) goto cleanup; + /* + * If the client doesn't want DNSSEC we can discard the sigrdataset + * now. + */ + if (!WANTDNSSEC(client)) + query_putrdataset(client, &sigrdataset); query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); @@ -1837,20 +2694,20 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, * Given: * example SOA * example NSEC b.example - * b.example A - * b.example NSEC a.d.example - * a.d.example A - * a.d.example NSEC g.f.example - * g.f.example A - * g.f.example NSEC z.i.example - * z.i.example A - * z.i.example NSEC example + * b.example A + * b.example NSEC a.d.example + * a.d.example A + * a.d.example NSEC g.f.example + * g.f.example A + * g.f.example NSEC z.i.example + * z.i.example A + * z.i.example NSEC example * * QNAME: * a.example -> example NSEC b.example - * owner common example - * next common example - * wild *.example + * owner common example + * next common example + * wild *.example * d.b.example -> b.example NSEC a.d.example * owner common b.example * next common example @@ -1861,7 +2718,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, * wild *.f.example * j.example -> z.i.example NSEC example * owner common example - * next common example + * next common example * wild *.f.example */ options = client->query.dboptions | DNS_DBFIND_NOWILD; @@ -1922,7 +2779,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, name = wname; goto again; } - } + } cleanup: if (rdataset != NULL) query_putrdataset(client, &rdataset); @@ -2068,6 +2925,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, { isc_result_t result; dns_rdataset_t *rdataset, *sigrdataset; + isc_sockaddr_t *peeraddr; inc_stats(client, dns_statscounter_recursion); @@ -2149,14 +3007,19 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, if (client->query.timerset == ISC_FALSE) ns_client_settimeout(client, 60); - result = dns_resolver_createfetch(client->view->resolver, - client->query.qname, - qtype, qdomain, nameservers, - NULL, client->query.fetchoptions, - client->task, - query_resume, client, - rdataset, sigrdataset, - &client->query.fetch); + if ((client->attributes & NS_CLIENTATTR_TCP) == 0) + peeraddr = &client->peeraddr; + else + peeraddr = NULL; + result = dns_resolver_createfetch2(client->view->resolver, + client->query.qname, + qtype, qdomain, nameservers, + NULL, peeraddr, client->message->id, + client->query.fetchoptions, + client->task, + query_resume, client, + rdataset, sigrdataset, + &client->query.fetch); if (result == ISC_R_SUCCESS) { /* @@ -2193,7 +3056,7 @@ static isc_result_t rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) { struct in_addr ina; struct in6_addr in6a; - + switch (rdata->type) { case dns_rdatatype_a: INSIST(rdata->length == 4); @@ -2246,7 +3109,7 @@ setup_query_sortlist(ns_client_t *client) { isc_netaddr_t netaddr; dns_rdatasetorderfunc_t order = NULL; const void *order_arg = NULL; - + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); switch (ns_sortlist_setup(client->view->sortlist, &netaddr, &order_arg)) { @@ -2331,6 +3194,111 @@ answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) { } } +#define NS_NAME_INIT(A,B) \ + { \ + DNS_NAME_MAGIC, \ + A, sizeof(A), sizeof(B), \ + DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \ + B, NULL, { (void *)-1, (void *)-1}, \ + {NULL, NULL} \ + } + +static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 }; +static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 }; +static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 }; + +static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA"; + +static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA"; + +static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA"; + +static dns_name_t rfc1918names[] = { + NS_NAME_INIT(inaddr10, inaddr10_offsets), + NS_NAME_INIT(inaddr16172, inaddr172_offsets), + NS_NAME_INIT(inaddr17172, inaddr172_offsets), + NS_NAME_INIT(inaddr18172, inaddr172_offsets), + NS_NAME_INIT(inaddr19172, inaddr172_offsets), + NS_NAME_INIT(inaddr20172, inaddr172_offsets), + NS_NAME_INIT(inaddr21172, inaddr172_offsets), + NS_NAME_INIT(inaddr22172, inaddr172_offsets), + NS_NAME_INIT(inaddr23172, inaddr172_offsets), + NS_NAME_INIT(inaddr24172, inaddr172_offsets), + NS_NAME_INIT(inaddr25172, inaddr172_offsets), + NS_NAME_INIT(inaddr26172, inaddr172_offsets), + NS_NAME_INIT(inaddr27172, inaddr172_offsets), + NS_NAME_INIT(inaddr28172, inaddr172_offsets), + NS_NAME_INIT(inaddr29172, inaddr172_offsets), + NS_NAME_INIT(inaddr30172, inaddr172_offsets), + NS_NAME_INIT(inaddr31172, inaddr172_offsets), + NS_NAME_INIT(inaddr168192, inaddr192_offsets) +}; + + +static unsigned char prisoner_data[] = "\010prisoner\004iana\003org"; +static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org"; + +static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 }; +static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 }; + +static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets); +static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets); + +static void +warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { + unsigned int i; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_soa_t soa; + dns_rdataset_t found; + isc_result_t result; + + for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) { + if (dns_name_issubdomain(fname, &rfc1918names[i])) { + dns_rdataset_init(&found); + result = dns_ncache_getrdataset(rdataset, + &rfc1918names[i], + dns_rdatatype_soa, + &found); + if (result != ISC_R_SUCCESS) + return; + + result = dns_rdataset_first(&found); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(&found, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + if (result != ISC_R_SUCCESS) + return; + if (dns_name_equal(&soa.origin, &prisoner) && + dns_name_equal(&soa.contact, &hostmaster)) { + char buf[DNS_NAME_FORMATSIZE]; + dns_name_format(fname, buf, sizeof(buf)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, + ISC_LOG_WARNING, + "RFC 1918 response from " + "Internet for %s", buf); + } + dns_rdataset_disassociate(&found); + return; + } + } +} + /* * Do the bulk of query processing for the current query of 'client'. * If 'event' is non-NULL, we are returning from recursion and 'qtype' @@ -2434,7 +3402,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto resume; } - + /* * Not returning from recursion. */ @@ -2527,10 +3495,20 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (is_zone) authoritative = ISC_TRUE; - + if (event == NULL && client->query.restarts == 0) { if (is_zone) { - dns_zone_attach(zone, &client->query.authzone); +#ifdef DLZ + if (zone != NULL) { + /* + * if is_zone = true, zone = NULL then this is + * a DLZ zone. Don't attempt to attach zone. + */ +#endif + dns_zone_attach(zone, &client->query.authzone); +#ifdef DLZ + } +#endif dns_db_attach(db, &client->query.authdb); } client->query.authdbset = ISC_TRUE; @@ -2625,7 +3603,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (result == ISC_R_SUCCESS) client->query.attributes |= NS_QUERYATTR_RECURSING; - else { + else if (result == DNS_R_DUPLICATE || + result == DNS_R_DROP) { + /* Duplicate query. */ + QUERY_ERROR(result); + } else { /* Unable to recurse. */ QUERY_ERROR(DNS_R_SERVFAIL); } @@ -2795,6 +3777,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (result == ISC_R_SUCCESS) client->query.attributes |= NS_QUERYATTR_RECURSING; + else if (result == DNS_R_DUPLICATE || + result == DNS_R_DROP) + QUERY_ERROR(result); else QUERY_ERROR(DNS_R_SERVFAIL); } else { @@ -2851,7 +3836,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Add SOA. */ - result = query_addsoa(client, db, ISC_FALSE); + result = query_addsoa(client, db, version, ISC_FALSE); if (result != ISC_R_SUCCESS) { QUERY_ERROR(result); goto cleanup; @@ -2891,10 +3876,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * the containing zone of an arbitrary name with a stub * resolver and not have it cached. */ - if (qtype == dns_rdatatype_soa) - result = query_addsoa(client, db, ISC_TRUE); + if (qtype == dns_rdatatype_soa && +#ifdef DLZ + zone != NULL && +#endif + dns_zone_getzeronosoattl(zone)) + result = query_addsoa(client, db, version, ISC_TRUE); else - result = query_addsoa(client, db, ISC_FALSE); + result = query_addsoa(client, db, version, ISC_FALSE); if (result != ISC_R_SUCCESS) { QUERY_ERROR(result); goto cleanup; @@ -2930,6 +3919,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (result == DNS_R_NCACHENXDOMAIN) client->message->rcode = dns_rcode_nxdomain; /* + * Look for RFC 1918 leakage from Internet. + */ + if (result == DNS_R_NCACHENXDOMAIN && + qtype == dns_rdatatype_ptr && + client->message->rdclass == dns_rdataclass_in && + dns_name_countlabels(fname) == 7) + warn_rfc1918(client, fname, rdataset); + /* * We don't call query_addrrset() because we don't need any * of its extra features (and things would probably break!). */ @@ -3090,7 +4087,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_message_puttempname(client->message, &tname); if (result == ISC_R_NOSPACE) { /* - * RFC 2672, section 4.1, subsection 3c says + * RFC2672, section 4.1, subsection 3c says * we should return YXDOMAIN if the constructed * name would be too long. */ @@ -3212,6 +4209,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * an error unless we were searching for * glue. Ugh. */ + if (!is_zone) { + authoritative = ISC_FALSE; + dns_rdatasetiter_destroy(&rdsiter); + if (RECURSIONOK(client)) { + result = query_recurse(client, + qtype, + NULL, + NULL); + if (result == ISC_R_SUCCESS) + client->query.attributes |= + NS_QUERYATTR_RECURSING; + else + QUERY_ERROR(DNS_R_SERVFAIL); } + goto addauth; + } /* * We were searching for SIG records in * a nonsecure zone. Send a "no error, @@ -3220,7 +4232,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Add SOA. */ - result = query_addsoa(client, db, ISC_FALSE); + result = query_addsoa(client, db, version, + ISC_FALSE); if (result == ISC_R_SUCCESS) result = ISC_R_NOMORE; } else { @@ -3249,6 +4262,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) noqname = rdataset; else noqname = NULL; + /* + * BIND 8 priming queries need the additional section. + */ + if (is_zone && qtype == dns_rdatatype_ns && + dns_name_equal(client->query.qname, dns_rootname)) + client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; + query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, DNS_SECTION_ANSWER); if (noqname != NULL) @@ -3272,7 +4292,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) qtype == dns_rdatatype_any) && dns_name_equal(client->query.qname, dns_db_origin(db)))) - (void)query_addns(client, db); + (void)query_addns(client, db, version); } else if (qtype != dns_rdatatype_ns) { if (fname != NULL) query_releasename(client, &fname); @@ -3337,13 +4357,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (eresult != ISC_R_SUCCESS && (!PARTIALANSWER(client) || WANTRECURSION(client))) { - /* - * If we don't have any answer to give the client, - * or if the client requested recursion and thus wanted - * the complete answer, send an error response. - */ - query_error(client, eresult); - ns_client_detach(&client); + if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) { + /* + * This was a duplicate query that we are + * recursing on. Don't send a response now. + * The original query will still cause a response. + */ + query_next(client, eresult); + } else { + /* + * If we don't have any answer to give the client, + * or if the client requested recursion and thus wanted + * the complete answer, send an error response. + */ + query_error(client, eresult); + } + ns_client_detach(&client); } else if (!RECURSING(client)) { /* * We are done. Set up sortlist data for the message @@ -3418,14 +4447,16 @@ ns_query_start(ns_client_t *client) { if (!client->view->enablednssec) { message->flags &= ~DNS_MESSAGEFLAG_CD; client->extflags &= ~DNS_MESSAGEEXTFLAG_DO; + if (client->opt != NULL) + client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO; } if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) client->query.attributes |= NS_QUERYATTR_WANTRECURSION; - + if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) client->attributes |= NS_CLIENTATTR_WANTDNSSEC; - + if (client->view->minimalresponses) client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); @@ -3521,13 +4552,17 @@ ns_query_start(ns_client_t *client) { * If the client has requested that DNSSEC checking be disabled, * allow lookups to return pending data and instruct the resolver * to return data before validation has completed. + * + * We don't need to set DNS_DBFIND_PENDINGOK when validation is + * disabled as there will be no pending data. */ if (message->flags & DNS_MESSAGEFLAG_CD || qtype == dns_rdatatype_rrsig) { client->query.dboptions |= DNS_DBFIND_PENDINGOK; client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; - } + } else if (!client->view->enablevalidation) + client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; /* * Allow glue NS records to be added to the authority section diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c index f29321e..6ae31cb 100644 --- a/contrib/bind9/bin/named/server.c +++ b/contrib/bind9/bin/named/server.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.339.2.15.2.70 2006/05/24 04:30:24 marka Exp $ */ +/* $Id: server.c,v 1.419.18.49 2006/12/07 05:24:19 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -41,13 +43,18 @@ #include <bind9/check.h> +#include <dns/acache.h> #include <dns/adb.h> #include <dns/cache.h> #include <dns/db.h> #include <dns/dispatch.h> +#ifdef DLZ +#include <dns/dlz.h> +#endif #include <dns/forward.h> #include <dns/journal.h> #include <dns/keytable.h> +#include <dns/lib.h> #include <dns/master.h> #include <dns/masterdump.h> #include <dns/order.h> @@ -86,7 +93,7 @@ #include <stdlib.h> #endif -/* +/*% * Check an operation for failure. Assumes that the function * using it has a 'result' variable and a 'cleanup' label. */ @@ -160,6 +167,54 @@ struct zonelistentry { ISC_LINK(struct zonelistentry) link; }; +/* + * These zones should not leak onto the Internet. + */ +static const struct { + const char *zone; + isc_boolean_t rfc1918; +} empty_zones[] = { +#ifdef notyet + /* RFC 1918 */ + { "10.IN-ADDR.ARPA", ISC_TRUE }, + { "16.172.IN-ADDR.ARPA", ISC_TRUE }, + { "17.172.IN-ADDR.ARPA", ISC_TRUE }, + { "18.172.IN-ADDR.ARPA", ISC_TRUE }, + { "19.172.IN-ADDR.ARPA", ISC_TRUE }, + { "20.172.IN-ADDR.ARPA", ISC_TRUE }, + { "21.172.IN-ADDR.ARPA", ISC_TRUE }, + { "22.172.IN-ADDR.ARPA", ISC_TRUE }, + { "23.172.IN-ADDR.ARPA", ISC_TRUE }, + { "24.172.IN-ADDR.ARPA", ISC_TRUE }, + { "25.172.IN-ADDR.ARPA", ISC_TRUE }, + { "26.172.IN-ADDR.ARPA", ISC_TRUE }, + { "27.172.IN-ADDR.ARPA", ISC_TRUE }, + { "28.172.IN-ADDR.ARPA", ISC_TRUE }, + { "29.172.IN-ADDR.ARPA", ISC_TRUE }, + { "30.172.IN-ADDR.ARPA", ISC_TRUE }, + { "31.172.IN-ADDR.ARPA", ISC_TRUE }, + { "168.192.IN-ADDR.ARPA", ISC_TRUE }, +#endif + + /* RFC 3330 */ + { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */ + { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */ + { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */ + + /* Local IPv6 Unicast Addresses */ + { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE }, + { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE }, + /* LOCALLY ASSIGNED LOCAL ADDRES S SCOPE */ + { "D.F.IP6.ARPA", ISC_FALSE }, + { "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + + { NULL, ISC_FALSE } +}; + static void fatal(const char *msg, isc_result_t result); @@ -168,11 +223,11 @@ ns_server_reload(isc_task_t *task, isc_event_t *event); static isc_result_t ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target); static isc_result_t ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target); static isc_result_t @@ -186,19 +241,19 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view, static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - ns_aclconfctx_t *aclconf); + cfg_aclconfctx_t *aclconf); static void end_reserved_dispatches(ns_server_t *server, isc_boolean_t all); -/* +/*% * Configure a single view ACL at '*aclp'. Get its configuration by * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl' * (for a global default). */ static isc_result_t configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config, - const char *aclname, ns_aclconfctx_t *actx, + const char *aclname, cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp) { isc_result_t result; @@ -225,7 +280,8 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config, */ return (ISC_R_SUCCESS); - result = ns_acl_fromconfig(aclobj, config, actx, mctx, aclp); + result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, + actx, mctx, aclp); return (result); } @@ -290,6 +346,13 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key, keystruct.datalen = r.length; keystruct.data = r.base; + if ((keystruct.algorithm == DST_ALG_RSASHA1 || + keystruct.algorithm == DST_ALG_RSAMD5) && + r.length > 1 && r.base[0] == 1 && r.base[1] == 3) + cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, + "trusted key '%s' has a weak exponent", + keynamestr); + CHECK(dns_rdata_fromstruct(NULL, keystruct.common.rdclass, keystruct.common.rdtype, @@ -326,7 +389,7 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key, return (result); } -/* +/*% * Configure DNSSEC keys for a view. Currently used only for * the security roots. * @@ -414,7 +477,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) return (result); } -/* +/*% * Get a dispatch appropriate for the resolver of a given view. */ static isc_result_t @@ -581,15 +644,14 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) { static isc_result_t configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { - const isc_sockaddr_t *sa; isc_netaddr_t na; dns_peer_t *peer; const cfg_obj_t *obj; const char *str; isc_result_t result; + unsigned int prefixlen; - sa = cfg_obj_assockaddr(cfg_map_getname(cpeer)); - isc_netaddr_fromsockaddr(&na, sa); + cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen); peer = NULL; result = dns_peer_new(mctx, &na, &peer); @@ -617,6 +679,28 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj))); obj = NULL; + (void)cfg_map_get(cpeer, "edns-udp-size", &obj); + if (obj != NULL) { + isc_uint32_t udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize)); + } + + obj = NULL; + (void)cfg_map_get(cpeer, "max-udp-size", &obj); + if (obj != NULL) { + isc_uint32_t udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize)); + } + + obj = NULL; (void)cfg_map_get(cpeer, "transfers", &obj); if (obj != NULL) CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj))); @@ -644,7 +728,7 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { } obj = NULL; - if (isc_sockaddr_pf(sa) == AF_INET) + if (na.family == AF_INET) (void)cfg_map_get(cpeer, "transfer-source", &obj); else (void)cfg_map_get(cpeer, "transfer-source-v6", &obj); @@ -653,7 +737,35 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { cfg_obj_assockaddr(obj)); if (result != ISC_R_SUCCESS) goto cleanup; + ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); + } + + obj = NULL; + if (na.family == AF_INET) + (void)cfg_map_get(cpeer, "notify-source", &obj); + else + (void)cfg_map_get(cpeer, "notify-source-v6", &obj); + if (obj != NULL) { + result = dns_peer_setnotifysource(peer, + cfg_obj_assockaddr(obj)); + if (result != ISC_R_SUCCESS) + goto cleanup; + ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); } + + obj = NULL; + if (na.family == AF_INET) + (void)cfg_map_get(cpeer, "query-source", &obj); + else + (void)cfg_map_get(cpeer, "query-source-v6", &obj); + if (obj != NULL) { + result = dns_peer_setquerysource(peer, + cfg_obj_assockaddr(obj)); + if (result != ISC_R_SUCCESS) + goto cleanup; + ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); + } + *peerp = peer; return (ISC_R_SUCCESS); @@ -708,6 +820,68 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { return (result); } +static isc_boolean_t +on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) { + const cfg_listelt_t *element; + dns_fixedname_t fixed; + dns_name_t *name; + isc_result_t result; + const cfg_obj_t *value; + const char *str; + isc_buffer_t b; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + + for (element = cfg_list_first(disablelist); + element != NULL; + element = cfg_list_next(element)) + { + value = cfg_listelt_value(element); + str = cfg_obj_asstring(value); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + result = dns_name_fromtext(name, &b, dns_rootname, + ISC_TRUE, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (dns_name_equal(name, zonename)) + return (ISC_TRUE); + } + return (ISC_FALSE); +} + +static void +check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv, + isc_mem_t *mctx) +{ + char **argv = NULL; + unsigned int i; + isc_result_t result; + + result = dns_zone_getdbtype(*zonep, &argv, mctx); + if (result != ISC_R_SUCCESS) { + dns_zone_detach(zonep); + return; + } + + /* + * Check that all the arguments match. + */ + for (i = 0; i < dbtypec; i++) + if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) { + dns_zone_detach(zonep); + break; + } + + /* + * Check that there are not extra arguments. + */ + if (i == dbtypec && argv[i] != NULL) + dns_zone_detach(zonep); + isc_mem_free(mctx, argv); +} + + /* * Configure 'view' according to 'vconfig', taking defaults from 'config' * where values are missing in 'vconfig'. @@ -717,8 +891,8 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { */ static isc_result_t configure_view(dns_view_t *view, const cfg_obj_t *config, - const cfg_obj_t *vconfig, isc_mem_t *mctx, ns_aclconfctx_t *actx, - isc_boolean_t need_hints) + const cfg_obj_t *vconfig, isc_mem_t *mctx, + cfg_aclconfctx_t *actx, isc_boolean_t need_hints) { const cfg_obj_t *maps[4]; const cfg_obj_t *cfgmaps[3]; @@ -728,6 +902,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *forwarders; const cfg_obj_t *alternates; const cfg_obj_t *zonelist; +#ifdef DLZ + const cfg_obj_t *dlz; + unsigned int dlzargc; + char **dlzargv; +#endif const cfg_obj_t *disabled; const cfg_obj_t *obj; const cfg_listelt_t *element; @@ -736,6 +915,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, isc_result_t result; isc_uint32_t max_adb_size; isc_uint32_t max_cache_size; + isc_uint32_t max_acache_size; isc_uint32_t lame_ttl; dns_tsig_keyring_t *ring; dns_view_t *pview = NULL; /* Production view */ @@ -748,6 +928,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_order_t *order = NULL; isc_uint32_t udpsize; unsigned int check = 0; + dns_zone_t *zone = NULL; + isc_uint32_t max_clients_per_query; + const char *sep = ": view "; + const char *viewname = view->name; + const char *forview = " for view "; + isc_boolean_t rfc1918; + isc_boolean_t empty_zones_enable; + const cfg_obj_t *disablelist = NULL; REQUIRE(DNS_VIEW_VALID(view)); @@ -773,6 +961,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, cfgmaps[i++] = config; cfgmaps[i] = NULL; + if (!strcmp(viewname, "_default")) { + sep = ""; + viewname = ""; + forview = ""; + } + /* * Set the view's port number for outgoing queries. */ @@ -780,6 +974,52 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_view_setdstport(view, port); /* + * Create additional cache for this view and zones under the view + * if explicitly enabled. + * XXX950 default to on. + */ + obj = NULL; + (void)ns_config_get(maps, "acache-enable", &obj); + if (obj != NULL && cfg_obj_asboolean(obj)) { + cmctx = NULL; + CHECK(isc_mem_create(0, 0, &cmctx)); + CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr, + ns_g_timermgr)); + isc_mem_detach(&cmctx); + } + if (view->acache != NULL) { + obj = NULL; + result = ns_config_get(maps, "acache-cleaning-interval", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_acache_setcleaninginterval(view->acache, + cfg_obj_asuint32(obj) * 60); + + obj = NULL; + result = ns_config_get(maps, "max-acache-size", &obj); + INSIST(result == ISC_R_SUCCESS); + if (cfg_obj_isstring(obj)) { + str = cfg_obj_asstring(obj); + INSIST(strcasecmp(str, "unlimited") == 0); + max_acache_size = ISC_UINT32_MAX; + } else { + isc_resourcevalue_t value; + + value = cfg_obj_asuint64(obj); + if (value > ISC_UINT32_MAX) { + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, + "'max-acache-size " + "%" ISC_PRINT_QUADFORMAT + "d' is too large", + value); + result = ISC_R_RANGE; + goto cleanup; + } + max_acache_size = (isc_uint32_t)value; + } + dns_acache_setcachesize(view->acache, max_acache_size); + } + + /* * Configure the zones. */ zonelist = NULL; @@ -796,6 +1036,45 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, actx)); } +#ifdef DLZ + /* + * Create Dynamically Loadable Zone driver. + */ + dlz = NULL; + if (voptions != NULL) + (void)cfg_map_get(voptions, "dlz", &dlz); + else + (void)cfg_map_get(config, "dlz", &dlz); + + obj = NULL; + if (dlz != NULL) { + (void)cfg_map_get(cfg_tuple_get(dlz, "options"), + "database", &obj); + if (obj != NULL) { + char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj)); + if (s == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv); + if (result != ISC_R_SUCCESS) { + isc_mem_free(mctx, s); + goto cleanup; + } + + obj = cfg_tuple_get(dlz, "name"); + result = dns_dlzcreate(mctx, cfg_obj_asstring(obj), + dlzargv[0], dlzargc, dlzargv, + &view->dlzdatabase); + isc_mem_free(mctx, s); + isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv)); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + } +#endif + /* * Configure the view's cache. Try to reuse an existing * cache if possible, otherwise create a new cache. @@ -931,6 +1210,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, if (lame_ttl > 1800) lame_ttl = 1800; dns_resolver_setlamettl(view->resolver, lame_ttl); + + obj = NULL; + result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setzeronosoattl(view->resolver, cfg_obj_asboolean(obj)); /* * Set the resolver's EDNS UDP size. @@ -946,6 +1230,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize); /* + * Set the maximum UDP response size. + */ + obj = NULL; + result = ns_config_get(maps, "max-udp-size", &obj); + INSIST(result == ISC_R_SUCCESS); + udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + view->maxudp = udpsize; + + /* * Set supported DNSSEC algorithms. */ dns_resolver_reset_algorithms(view->resolver); @@ -1138,8 +1435,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, view->additionalfromcache = ISC_TRUE; } - CHECK(configure_view_acl(vconfig, config, "allow-query", + CHECK(configure_view_acl(vconfig, config, "allow-query-cache", actx, ns_g_mctx, &view->queryacl)); + if (view->queryacl == NULL) + CHECK(configure_view_acl(NULL, ns_g_defaults, + "allow-query-cache", actx, + ns_g_mctx, &view->queryacl)); if (strcmp(view->name, "_bind") != 0) CHECK(configure_view_acl(vconfig, config, "allow-recursion", @@ -1152,20 +1453,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, if (!view->recursion && view->recursionacl != NULL && (view->recursionacl->length != 1 || view->recursionacl->elements[0].type != dns_aclelementtype_any || - view->recursionacl->elements[0].negative != ISC_TRUE)) { - const char *forview = " for view "; - const char *viewname = view->name; - - if (!strcmp(view->name, "_bind") || - !strcmp(view->name, "_default")) { - forview = ""; - viewname = ""; - } + view->recursionacl->elements[0].negative != ISC_TRUE)) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "both \"recursion no;\" and \"allow-recursion\" " "active%s%s", forview, viewname); - } + + /* + * Set default "allow-recursion" acl. + */ + if (view->recursionacl == NULL && view->recursion) + CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion", + actx, ns_g_mctx, &view->recursionacl)); CHECK(configure_view_acl(vconfig, config, "sortlist", actx, ns_g_mctx, &view->sortlist)); @@ -1179,6 +1478,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, result = ns_config_get(maps, "provide-ixfr", &obj); INSIST(result == ISC_R_SUCCESS); view->provideixfr = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "max-clients-per-query", &obj); + INSIST(result == ISC_R_SUCCESS); + max_clients_per_query = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "clients-per-query", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setclientsperquery(view->resolver, + cfg_obj_asuint32(obj), + max_clients_per_query); obj = NULL; result = ns_config_get(maps, "dnssec-enable", &obj); @@ -1186,6 +1497,16 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, view->enablednssec = cfg_obj_asboolean(obj); obj = NULL; + result = ns_config_get(maps, "dnssec-accept-expired", &obj); + INSIST(result == ISC_R_SUCCESS); + view->acceptexpired = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "dnssec-validation", &obj); + INSIST(result == ISC_R_SUCCESS); + view->enablevalidation = cfg_obj_asboolean(obj); + + obj = NULL; result = ns_config_get(maps, "dnssec-lookaside", &obj); if (result == ISC_R_SUCCESS) { for (element = cfg_list_first(obj); @@ -1231,15 +1552,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, * For now, there is only one kind of trusted keys, the * "security roots". */ - if (view->enablednssec) { - CHECK(configure_view_dnsseckeys(vconfig, config, mctx, - &view->secroots)); - dns_resolver_resetmustbesecure(view->resolver); - obj = NULL; - result = ns_config_get(maps, "dnssec-must-be-secure", &obj); - if (result == ISC_R_SUCCESS) - CHECK(mustbesecure(obj, view->resolver)); - } + CHECK(configure_view_dnsseckeys(vconfig, config, mctx, + &view->secroots)); + dns_resolver_resetmustbesecure(view->resolver); + obj = NULL; + result = ns_config_get(maps, "dnssec-must-be-secure", &obj); + if (result == ISC_R_SUCCESS) + CHECK(mustbesecure(obj, view->resolver)); obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); @@ -1295,9 +1614,180 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, } else dns_view_setrootdelonly(view, ISC_FALSE); + /* + * Setup automatic empty zones. If recursion is off then + * they are disabled by default. + */ + obj = NULL; + (void)ns_config_get(maps, "empty-zones-enable", &obj); + (void)ns_config_get(maps, "disable-empty-zone", &disablelist); + if (obj == NULL && disablelist == NULL && + view->rdclass == dns_rdataclass_in) { + rfc1918 = ISC_FALSE; + empty_zones_enable = view->recursion; + } else if (view->rdclass == dns_rdataclass_in) { + rfc1918 = ISC_TRUE; + if (obj != NULL) + empty_zones_enable = cfg_obj_asboolean(obj); + else + empty_zones_enable = view->recursion; + } else { + rfc1918 = ISC_FALSE; + empty_zones_enable = ISC_FALSE; + } + if (empty_zones_enable) { + const char *empty; + int empty_zone = 0; + dns_fixedname_t fixed; + dns_name_t *name; + isc_buffer_t buffer; + const char *str; + char server[DNS_NAME_FORMATSIZE + 1]; + char contact[DNS_NAME_FORMATSIZE + 1]; + isc_boolean_t logit; + const char *empty_dbtype[4] = + { "_builtin", "empty", NULL, NULL }; + int empty_dbtypec = 4; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + + obj = NULL; + result = ns_config_get(maps, "empty-server", &obj); + if (result == ISC_R_SUCCESS) { + str = cfg_obj_asstring(obj); + isc_buffer_init(&buffer, str, strlen(str)); + isc_buffer_add(&buffer, strlen(str)); + CHECK(dns_name_fromtext(name, &buffer, dns_rootname, + ISC_FALSE, NULL)); + isc_buffer_init(&buffer, server, sizeof(server) - 1); + CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); + server[isc_buffer_usedlength(&buffer)] = 0; + empty_dbtype[2] = server; + } else + empty_dbtype[2] = "@"; + + obj = NULL; + result = ns_config_get(maps, "empty-contact", &obj); + if (result == ISC_R_SUCCESS) { + str = cfg_obj_asstring(obj); + isc_buffer_init(&buffer, str, strlen(str)); + isc_buffer_add(&buffer, strlen(str)); + CHECK(dns_name_fromtext(name, &buffer, dns_rootname, + ISC_FALSE, NULL)); + isc_buffer_init(&buffer, contact, sizeof(contact) - 1); + CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); + contact[isc_buffer_usedlength(&buffer)] = 0; + empty_dbtype[3] = contact; + } else + empty_dbtype[3] = "."; + + logit = ISC_TRUE; + for (empty = empty_zones[empty_zone].zone; + empty != NULL; + empty = empty_zones[++empty_zone].zone) + { + dns_forwarders_t *forwarders = NULL; + dns_view_t *pview = NULL; + + isc_buffer_init(&buffer, empty, strlen(empty)); + isc_buffer_add(&buffer, strlen(empty)); + /* + * Look for zone on drop list. + */ + CHECK(dns_name_fromtext(name, &buffer, dns_rootname, + ISC_FALSE, NULL)); + if (disablelist != NULL && + on_disable_list(disablelist, name)) + continue; + + /* + * This zone already exists. + */ + (void)dns_view_findzone(view, name, &zone); + if (zone != NULL) { + dns_zone_detach(&zone); + continue; + } + + /* + * If we would forward this name don't add a + * empty zone for it. + */ + result = dns_fwdtable_find(view->fwdtable, name, + &forwarders); + if (result == ISC_R_SUCCESS && + forwarders->fwdpolicy == dns_fwdpolicy_only) + continue; + + if (!rfc1918 && empty_zones[empty_zone].rfc1918) { + if (logit) { + isc_log_write(ns_g_lctx, + NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, + ISC_LOG_WARNING, + "Warning%s%s: " + "'empty-zones-enable/" + "disable-empty-zone' " + "not set: disabling " + "RFC 1918 empty zones", + sep, viewname); + logit = ISC_FALSE; + } + continue; + } + + /* + * See if we can re-use a existing zone. + */ + result = dns_viewlist_find(&ns_g_server->viewlist, + view->name, view->rdclass, + &pview); + if (result != ISC_R_NOTFOUND && + result != ISC_R_SUCCESS) + goto cleanup; + + if (pview != NULL) { + (void)dns_view_findzone(pview, name, &zone); + dns_view_detach(&pview); + if (zone != NULL) + check_dbtype(&zone, empty_dbtypec, + empty_dbtype, mctx); + if (zone != NULL) { + dns_zone_setview(zone, view); + dns_zone_detach(&zone); + continue; + } + } + + CHECK(dns_zone_create(&zone, mctx)); + CHECK(dns_zone_setorigin(zone, name)); + dns_zone_setview(zone, view); + CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); + dns_zone_setclass(zone, view->rdclass); + dns_zone_settype(zone, dns_zone_master); + CHECK(dns_zone_setdbtype(zone, empty_dbtypec, + empty_dbtype)); + if (view->queryacl != NULL) + dns_zone_setqueryacl(zone, view->queryacl); + dns_zone_setdialup(zone, dns_dialuptype_no); + dns_zone_setnotifytype(zone, dns_notifytype_no); + dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, + ISC_TRUE); + CHECK(dns_view_addzone(view, zone)); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "automatic empty zone%s%s: %s", + sep, viewname, empty); + dns_zone_detach(&zone); + } + } + result = ISC_R_SUCCESS; cleanup: + if (zone != NULL) + dns_zone_detach(&zone); if (dispatch4 != NULL) dns_dispatch_detach(&dispatch4); if (dispatch6 != NULL) @@ -1563,7 +2053,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist, static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - ns_aclconfctx_t *aclconf) + cfg_aclconfctx_t *aclconf) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ @@ -1728,10 +2218,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, result = dns_view_findzone(pview, origin, &zone); if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) goto cleanup; - if (zone != NULL) { - if (! ns_zone_reusable(zone, zconfig)) - dns_zone_detach(&zone); - } + if (zone != NULL && !ns_zone_reusable(zone, zconfig)) + dns_zone_detach(&zone); if (zone != NULL) { /* @@ -1739,6 +2227,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, * new view. */ dns_zone_setview(zone, view); + if (view->acache != NULL) + dns_zone_setacache(zone, view->acache); } else { /* * We cannot reuse an existing zone, we have @@ -1747,6 +2237,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, CHECK(dns_zone_create(&zone, mctx)); CHECK(dns_zone_setorigin(zone, origin)); dns_zone_setview(zone, view); + if (view->acache != NULL) + dns_zone_setacache(zone, view->acache); CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); } @@ -2020,6 +2512,21 @@ heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) { } } +static void +pps_timer_tick(isc_task_t *task, isc_event_t *event) { + static unsigned int oldrequests = 0; + unsigned int requests = ns_client_requests; + + UNUSED(task); + isc_event_free(&event); + + /* + * Don't worry about wrapping as the overflow result will be right. + */ + dns_pps = (requests - oldrequests) / 1200; + oldrequests = requests; +} + /* * Replace the current value of '*field', a dynamically allocated * string or NULL, with a dynamically allocated copy of the @@ -2122,10 +2629,36 @@ portlist_fromconf(dns_portlist_t *portlist, unsigned int family, } static isc_result_t +removed(dns_zone_t *zone, void *uap) { + const char *type; + + if (dns_zone_getview(zone) != uap) + return (ISC_R_SUCCESS); + + switch (dns_zone_gettype(zone)) { + case dns_zone_master: + type = "master"; + break; + case dns_zone_slave: + type = "slave"; + break; + case dns_zone_stub: + type = "stub"; + break; + default: + type = "other"; + break; + } + dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type); + return (ISC_R_SUCCESS); +} + +static isc_result_t load_configuration(const char *filename, ns_server_t *server, isc_boolean_t first_time) { isc_result_t result; + isc_interval_t interval; cfg_parser_t *parser = NULL; cfg_obj_t *config; const cfg_obj_t *options; @@ -2139,14 +2672,14 @@ load_configuration(const char *filename, ns_server_t *server, dns_view_t *view_next; dns_viewlist_t viewlist; dns_viewlist_t tmpviewlist; - ns_aclconfctx_t aclconfctx; + cfg_aclconfctx_t aclconfctx; isc_uint32_t interface_interval; isc_uint32_t heartbeat_interval; isc_uint32_t udpsize; in_port_t listen_port; int i; - ns_aclconfctx_init(&aclconfctx); + cfg_aclconfctx_init(&aclconfctx); ISC_LIST_INIT(viewlist); /* Ensure exclusive access to configuration data. */ @@ -2401,7 +2934,6 @@ load_configuration(const char *filename, ns_server_t *server, isc_timertype_inactive, NULL, NULL, ISC_TRUE)); } else if (server->interface_interval != interface_interval) { - isc_interval_t interval; isc_interval_set(&interval, interface_interval, 0); CHECK(isc_timer_reset(server->interface_timer, isc_timertype_ticker, @@ -2421,13 +2953,16 @@ load_configuration(const char *filename, ns_server_t *server, isc_timertype_inactive, NULL, NULL, ISC_TRUE)); } else if (server->heartbeat_interval != heartbeat_interval) { - isc_interval_t interval; isc_interval_set(&interval, heartbeat_interval, 0); CHECK(isc_timer_reset(server->heartbeat_timer, isc_timertype_ticker, NULL, &interval, ISC_FALSE)); } server->heartbeat_interval = heartbeat_interval; + + isc_interval_set(&interval, 1200, 0); + CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL, + &interval, ISC_FALSE)); /* * Configure and freeze all explicit views. Explicit @@ -2716,7 +3251,7 @@ load_configuration(const char *filename, ns_server_t *server, } else if (result == ISC_R_SUCCESS) { CHECKM(setoptstring(server, &server->server_id, obj), "strdup"); } else { - result = setoptstring(server, &server->server_id, NULL); + result = setstring(server, &server->server_id, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); } @@ -2731,7 +3266,7 @@ load_configuration(const char *filename, ns_server_t *server, result = ISC_R_SUCCESS; cleanup: - ns_aclconfctx_destroy(&aclconfctx); + cfg_aclconfctx_destroy(&aclconfctx); if (parser != NULL) { if (config != NULL) @@ -2752,8 +3287,11 @@ load_configuration(const char *filename, ns_server_t *server, view = view_next) { view_next = ISC_LIST_NEXT(view, link); ISC_LIST_UNLINK(viewlist, view, link); + if (result == ISC_R_SUCCESS && + strcmp(view->name, "_bind") != 0) + (void)dns_zt_apply(view->zonetable, ISC_FALSE, + removed, view); dns_view_detach(&view); - } /* @@ -2860,6 +3398,11 @@ run_server(isc_task_t *task, isc_event_t *event) { server, &server->heartbeat_timer), "creating heartbeat timer"); + CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive, + NULL, NULL, server->task, pps_timer_tick, + server, &server->pps_timer), + "creating pps timer"); + CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser), "creating default configuration parser"); @@ -2924,6 +3467,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { isc_timer_detach(&server->interface_timer); isc_timer_detach(&server->heartbeat_timer); + isc_timer_detach(&server->pps_timer); ns_interfacemgr_shutdown(server->interfacemgr); ns_interfacemgr_detach(&server->interfacemgr); @@ -3012,6 +3556,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { server->interface_timer = NULL; server->heartbeat_timer = NULL; + server->pps_timer = NULL; server->interface_interval = 0; server->heartbeat_interval = 0; @@ -3454,6 +3999,29 @@ ns_server_reconfigcommand(ns_server_t *server, char *args) { } /* + * Act on a "notify" command from the command channel. + */ +isc_result_t +ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) { + isc_result_t result; + dns_zone_t *zone = NULL; + const unsigned char msg[] = "zone notify queued"; + + result = zone_from_args(server, args, &zone); + if (result != ISC_R_SUCCESS) + return (result); + if (zone == NULL) + return (ISC_R_UNEXPECTEDEND); + + dns_zone_notify(zone); + dns_zone_detach(&zone); + if (sizeof(msg) <= isc_buffer_availablelength(text)) + isc_buffer_putmem(text, msg, sizeof(msg)); + + return (ISC_R_SUCCESS); +} + +/* * Act on a "refresh" command from the command channel. */ isc_result_t @@ -3498,7 +4066,7 @@ ns_server_togglequerylog(ns_server_t *server) { static isc_result_t ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target) { isc_result_t result; @@ -3537,7 +4105,7 @@ ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, */ static isc_result_t ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target) { isc_result_t result; @@ -3569,8 +4137,8 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, if (result != ISC_R_SUCCESS) return (result); - result = ns_acl_fromconfig(cfg_tuple_get(listener, "acl"), - config, actx, mctx, &delt->acl); + result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"), + config, ns_g_lctx, actx, mctx, &delt->acl); if (result != ISC_R_SUCCESS) { ns_listenelt_destroy(delt); return (result); @@ -3951,6 +4519,59 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) { } isc_result_t +ns_server_validation(ns_server_t *server, char *args) { + char *ptr, *viewname; + dns_view_t *view; + isc_boolean_t changed = ISC_FALSE; + isc_result_t result; + isc_boolean_t enable; + + /* Skip the command name. */ + ptr = next_token(&args, " \t"); + if (ptr == NULL) + return (ISC_R_UNEXPECTEDEND); + + /* Find out what we are to do. */ + ptr = next_token(&args, " \t"); + if (ptr == NULL) + return (ISC_R_UNEXPECTEDEND); + + if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") || + !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true")) + enable = ISC_TRUE; + else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") || + !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false")) + enable = ISC_FALSE; + else + return (DNS_R_SYNTAX); + + /* Look for the view name. */ + viewname = next_token(&args, " \t"); + + result = isc_task_beginexclusive(server->task); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) + { + if (viewname != NULL && strcasecmp(viewname, view->name) != 0) + continue; + result = dns_view_flushcache(view); + if (result != ISC_R_SUCCESS) + goto out; + view->enablevalidation = enable; + changed = ISC_TRUE; + } + if (changed) + result = ISC_R_SUCCESS; + else + result = ISC_R_FAILURE; + out: + isc_task_endexclusive(server->task); + return (result); +} + +isc_result_t ns_server_flushcache(ns_server_t *server, char *args) { char *ptr, *viewname; dns_view_t *view; @@ -4059,12 +4680,13 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { "xfers deferred: %u\n" "soa queries in progress: %u\n" "query logging is %s\n" - "recursive clients: %d/%d\n" + "recursive clients: %d/%d/%d\n" "tcp clients: %d/%d\n" "server is up and running", zonecount, ns_g_debuglevel, xferrunning, xferdeferred, soaqueries, server->log_queries ? "ON" : "OFF", - server->recursionquota.used, server->recursionquota.max, + server->recursionquota.used, server->recursionquota.soft, + server->recursionquota.max, server->tcpquota.used, server->tcpquota.max); if (n >= isc_buffer_availablelength(text)) return (ISC_R_NOSPACE); @@ -4073,11 +4695,11 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { } /* - * Act on a "freeze" or "unfreeze" command from the command channel. + * Act on a "freeze" or "thaw" command from the command channel. */ isc_result_t ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { - isc_result_t result; + isc_result_t result, tresult; dns_zone_t *zone = NULL; dns_zonetype_t type; char classstr[DNS_RDATACLASS_FORMATSIZE]; @@ -4090,8 +4712,26 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); - if (zone == NULL) - return (ISC_R_UNEXPECTEDEND); + if (zone == NULL) { + result = isc_task_beginexclusive(server->task); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + tresult = ISC_R_SUCCESS; + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) { + result = dns_view_freezezones(view, freeze); + if (result != ISC_R_SUCCESS && + tresult == ISC_R_SUCCESS) + tresult = result; + } + isc_task_endexclusive(server->task); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "%s all zones: %s", + freeze ? "freezing" : "thawing", + isc_result_totext(tresult)); + return (tresult); + } type = dns_zone_gettype(zone); if (type != dns_zone_master) { dns_zone_detach(&zone); @@ -4137,7 +4777,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "%s zone '%s/%s'%s%s: %s", - freeze ? "freezing" : "unfreezing", + freeze ? "freezing" : "thawing", zonename, classstr, sep, vname, isc_result_totext(result)); dns_zone_detach(&zone); diff --git a/contrib/bind9/bin/named/sortlist.c b/contrib/bind9/bin/named/sortlist.c index 0feba3b..28f0360 100644 --- a/contrib/bind9/bin/named/sortlist.c +++ b/contrib/bind9/bin/named/sortlist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sortlist.c,v 1.5.12.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: sortlist.c,v 1.9.18.4 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c index f23c1db..3c843ac 100644 --- a/contrib/bind9/bin/named/tkeyconf.c +++ b/contrib/bind9/bin/named/tkeyconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tkeyconf.c,v 1.19.208.4 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tkeyconf.c,v 1.20.18.6 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c index a90438d..7fa7fe5 100644 --- a/contrib/bind9/bin/named/tsigconf.c +++ b/contrib/bind9/bin/named/tsigconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsigconf.c,v 1.21.208.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tsigconf.c,v 1.22.18.6 2006/02/28 03:10:47 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -38,6 +40,7 @@ static isc_result_t add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) { + dns_tsigkey_t *tsigkey = NULL; const cfg_listelt_t *element; const cfg_obj_t *key = NULL; const char *keyid = NULL; @@ -46,6 +49,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, int secretlen = 0; isc_result_t ret; isc_stdtime_t now; + isc_uint16_t bits; for (element = cfg_list_first(list); element != NULL; @@ -86,10 +90,11 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, * Create the algorithm. */ algstr = cfg_obj_asstring(algobj); - if (ns_config_getkeyalgorithm(algstr, &alg) != ISC_R_SUCCESS) { + if (ns_config_getkeyalgorithm(algstr, &alg, &bits) + != ISC_R_SUCCESS) { cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR, - "key '%s': the only supported algorithm " - "is hmac-md5", keyid); + "key '%s': has a unsupported algorithm '%s'", + keyid, algstr); ret = DNS_R_BADALG; goto failure; } @@ -110,11 +115,16 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_stdtime_get(&now); ret = dns_tsigkey_create(&keyname, alg, secret, secretlen, ISC_FALSE, NULL, now, now, - mctx, ring, NULL); + mctx, ring, &tsigkey); isc_mem_put(mctx, secret, secretalloc); secret = NULL; if (ret != ISC_R_SUCCESS) goto failure; + /* + * Set digest bits. + */ + dst_key_setbits(tsigkey->key, bits); + dns_tsigkey_detach(&tsigkey); } return (ISC_R_SUCCESS); @@ -127,7 +137,6 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, if (secret != NULL) isc_mem_put(mctx, secret, secretalloc); return (ret); - } isc_result_t diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in index 60ce968..a18351a 100644 --- a/contrib/bind9/bin/named/unix/Makefile.in +++ b/contrib/bind9/bin/named/unix/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.6.12.3 2004/03/08 09:04:15 marka Exp $ +# $Id: Makefile.in,v 1.8 2004/03/05 04:58:01 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h index 03baee5..24afdcb 100644 --- a/contrib/bind9/bin/named/unix/include/named/os.h +++ b/contrib/bind9/bin/named/unix/include/named/os.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.14.2.2.8.9 2004/09/29 06:36:44 marka Exp $ */ +/* $Id: os.h,v 1.22.18.3 2005/04/29 00:15:39 marka Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 +/*! \file */ + #include <isc/types.h> void diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c index 361d1b6..3864612 100644 --- a/contrib/bind9/bin/named/unix/os.c +++ b/contrib/bind9/bin/named/unix/os.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.46.2.4.8.24 2006/02/03 23:51:37 marka Exp $ */ +/* $Id: os.c,v 1.66.18.11 2006/02/03 23:51:38 marka Exp $ */ + +/*! \file */ #include <config.h> #include <stdarg.h> @@ -114,7 +116,7 @@ static int dfd[2] = { -1, -1 }; static isc_boolean_t non_root = ISC_FALSE; static isc_boolean_t non_root_caps = ISC_FALSE; -/* +/*% * We define _LINUX_FS_H to prevent it from being included. We don't need * anything from it, and the files it includes cause warnings with 2.2 * kernels, and compilation failures (due to conflicts between <linux/string.h> @@ -176,7 +178,7 @@ static void linux_initialprivs(void) { unsigned int caps; - /* + /*% * We don't need most privileges, so we drop them right away. * Later on linux_minprivs() will be called, which will drop our * capabilities to the minimum needed to run the server. @@ -231,7 +233,7 @@ static void linux_minprivs(void) { unsigned int caps; - /* + /*% * Drop all privileges except the ability to bind() to privileged * ports. * @@ -258,7 +260,7 @@ linux_minprivs(void) { static void linux_keepcaps(void) { char strbuf[ISC_STRERRORSIZE]; - /* + /*% * Ask the kernel to allow us to keep our capabilities after we * setuid(). */ diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c index fa0ddb0..0547761 100644 --- a/contrib/bind9/bin/named/update.c +++ b/contrib/bind9/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.88.2.5.2.29 2006/01/06 00:01:42 marka Exp $ */ +/* $Id: update.c,v 1.109.18.19 2006/03/06 01:38:00 marka Exp $ */ #include <config.h> @@ -31,6 +31,7 @@ #include <dns/events.h> #include <dns/fixedname.h> #include <dns/journal.h> +#include <dns/keyvalues.h> #include <dns/message.h> #include <dns/nsec.h> #include <dns/rdataclass.h> @@ -48,7 +49,8 @@ #include <named/log.h> #include <named/update.h> -/* +/*! \file + * \brief * This module implements dynamic update as in RFC2136. */ @@ -59,17 +61,17 @@ /**************************************************************************/ -/* +/*% * Log level for tracing dynamic update protocol requests. */ #define LOGLEVEL_PROTOCOL ISC_LOG_INFO -/* +/*% * Log level for low-level debug tracing. */ #define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8) -/* +/*% * Check an operation for failure. These macros all assume that * the function using them has a 'result' variable and a 'failure' * label. @@ -79,7 +81,7 @@ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) -/* +/*% * Fail unconditionally with result 'code', which must not * be ISC_R_SUCCESS. The reason for failure presumably has * been logged already. @@ -94,7 +96,7 @@ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) -/* +/*% * Fail unconditionally and log as a client error. * The test against ISC_R_SUCCESS is there to keep the Solaris compiler * from complaining about "end-of-loop code not reached". @@ -160,7 +162,7 @@ } \ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) -/* +/*% * Fail unconditionally and log as a server error. * The test against ISC_R_SUCCESS is there to keep the Solaris compiler * from complaining about "end-of-loop code not reached". @@ -270,12 +272,12 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message, return (result); } -/* +/*% * Update a single RR in version 'ver' of 'db' and log the * update in 'diff'. * * Ensures: - * '*tuple' == NULL. Either the tuple is freed, or its + * \li '*tuple' == NULL. Either the tuple is freed, or its * ownership has been transferred to the diff. */ static isc_result_t @@ -313,12 +315,12 @@ do_one_tuple(dns_difftuple_t **tuple, return (ISC_R_SUCCESS); } -/* +/*% * Perform the updates in 'updates' in version 'ver' of 'db' and log the * update in 'diff'. * * Ensures: - * 'updates' is empty. + * \li 'updates' is empty. */ static isc_result_t do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver, @@ -371,17 +373,17 @@ update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, * XXXRTH We might want to make this public somewhere in libdns. */ -/* +/*% * Function type for foreach_rrset() iterator actions. */ typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset); -/* +/*% * Function type for foreach_rr() iterator actions. */ typedef isc_result_t rr_func(void *data, rr_t *rr); -/* +/*% * Internal context struct for foreach_node_rr(). */ typedef struct { @@ -389,7 +391,7 @@ typedef struct { void * rr_action_data; } foreach_node_rr_ctx_t; -/* +/*% * Internal helper function for foreach_node_rr(). */ static isc_result_t @@ -413,7 +415,7 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) { return (ISC_R_SUCCESS); } -/* +/*% * For each rdataset of 'name' in 'ver' of 'db', call 'action' * with the rdataset and 'action_data' as arguments. If the name * does not exist, do nothing. @@ -471,7 +473,7 @@ foreach_rrset(dns_db_t *db, return (result); } -/* +/*% * For each RR of 'name' in 'ver' of 'db', call 'action' * with the RR and 'action_data' as arguments. If the name * does not exist, do nothing. @@ -494,7 +496,7 @@ foreach_node_rr(dns_db_t *db, } -/* +/*% * For each of the RRs specified by 'db', 'ver', 'name', 'type', * (which can be dns_rdatatype_any to match any type), and 'covers', call * 'action' with the RR and 'action_data' as arguments. If the name @@ -566,13 +568,13 @@ foreach_rr(dns_db_t *db, * Various tests on the database contents (for prerequisites, etc). */ -/* +/*% * Function type for predicate functions that compare a database RR 'db_rr' * against an update RR 'update_rr'. */ typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr); -/* +/*% * Helper function for rrset_exists(). */ static isc_result_t @@ -582,7 +584,7 @@ rrset_exists_action(void *data, rr_t *rr) { return (ISC_R_EXISTS); } -/* +/*% * Utility macro for RR existence checking functions. * * If the variable 'result' has the value ISC_R_EXISTS or @@ -602,7 +604,7 @@ rrset_exists_action(void *data, rr_t *rr) { (*exists = ISC_FALSE, ISC_R_SUCCESS) : \ result)) -/* +/*% * Set '*exists' to true iff an rrset of the given type exists, * to false otherwise. */ @@ -617,7 +619,7 @@ rrset_exists(dns_db_t *db, dns_dbversion_t *ver, RETURN_EXISTENCE_FLAG; } -/* +/*% * Helper function for cname_incompatible_rrset_exists. */ static isc_result_t @@ -629,7 +631,7 @@ cname_compatibility_action(void *data, dns_rdataset_t *rrset) { return (ISC_R_SUCCESS); } -/* +/*% * Check whether there is an rrset incompatible with adding a CNAME RR, * i.e., anything but another CNAME (which can be replaced) or a * DNSSEC RR (which can coexist). @@ -646,7 +648,7 @@ cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, RETURN_EXISTENCE_FLAG; } -/* +/*% * Helper function for rr_count(). */ static isc_result_t @@ -657,7 +659,7 @@ count_rr_action(void *data, rr_t *rr) { return (ISC_R_SUCCESS); } -/* +/*% * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'. */ static isc_result_t @@ -669,7 +671,7 @@ rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, count_rr_action, countp)); } -/* +/*% * Context struct and helper function for name_exists(). */ @@ -680,7 +682,7 @@ name_exists_action(void *data, dns_rdataset_t *rrset) { return (ISC_R_EXISTS); } -/* +/*% * Set '*exists' to true iff the given name exists, to false otherwise. */ static isc_result_t @@ -741,7 +743,7 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, */ -/* +/*% * Append a tuple asserting the existence of the RR with * 'name' and 'rdata' to 'diff'. */ @@ -758,7 +760,7 @@ temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) { return (result); } -/* +/*% * Compare two rdatasets represented as sorted lists of tuples. * All list elements must have the same owner name and type. * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset) @@ -783,7 +785,7 @@ temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) { return (ISC_R_SUCCESS); } -/* +/*% * A comparison function defining the sorting order for the entries * in the "temp" data structure. The major sort key is the owner name, * followed by the type and rdata. @@ -805,7 +807,7 @@ temp_order(const void *av, const void *bv) { return (r); } -/* +/*% * Check the "RRset exists (value dependent)" prerequisite information * in 'temp' against the contents of the database 'db'. * @@ -948,7 +950,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, * Conditional deletion of RRs. */ -/* +/*% * Context structure for delete_if(). */ @@ -961,11 +963,11 @@ typedef struct { dns_rdata_t *update_rr; } conditional_delete_ctx_t; -/* +/*% * Predicate functions for delete_if(). */ -/* +/*% * Return true iff 'db_rr' is neither a SOA nor an NS RR nor * an RRSIG nor a NSEC. */ @@ -979,7 +981,7 @@ type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { ISC_TRUE : ISC_FALSE); } -/* +/*% * Return true iff 'db_rr' is neither a RRSIG nor a NSEC. */ static isc_boolean_t @@ -990,7 +992,7 @@ type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { ISC_TRUE : ISC_FALSE); } -/* +/*% * Return true always. */ static isc_boolean_t @@ -1000,7 +1002,7 @@ true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { return (ISC_TRUE); } -/* +/*% * Return true iff the two RRs have identical rdata. */ static isc_boolean_t @@ -1014,7 +1016,7 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { ISC_TRUE : ISC_FALSE); } -/* +/*% * Return true iff 'update_rr' should replace 'db_rr' according * to the special RFC2136 rules for CNAME, SOA, and WKS records. * @@ -1048,7 +1050,7 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { return (ISC_FALSE); } -/* +/*% * Internal helper function for delete_if(). */ static isc_result_t @@ -1065,7 +1067,7 @@ delete_if_action(void *data, rr_t *rr) { } } -/* +/*% * Conditionally delete RRs. Apply 'predicate' to the RRs * specified by 'db', 'ver', 'name', and 'type' (which can * be dns_rdatatype_any to match any type). Delete those @@ -1094,7 +1096,7 @@ delete_if(rr_predicate *predicate, } /**************************************************************************/ -/* +/*% * Prepare an RR for the addition of the new RR 'ctx->update_rr', * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting * the RRs if it is replaced by the new RR or has a conflicting TTL. @@ -1175,7 +1177,7 @@ add_rr_prepare_action(void *data, rr_t *rr) { * Miscellaneous subroutines. */ -/* +/*% * Extract a single update RR from 'section' of dynamic update message * 'msg', with consistency checking. * @@ -1205,7 +1207,7 @@ get_current_rr(dns_message_t *msg, dns_section_t section, rdata->rdclass = zoneclass; } -/* +/*% * Increment the SOA serial number of database 'db', version 'ver'. * Replace the SOA record in the database, and log the * change in 'diff'. @@ -1250,7 +1252,7 @@ increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver, return (result); } -/* +/*% * Check that the new SOA record at 'update_rdata' does not * illegally cause the SOA serial number to decrease or stay * unchanged relative to the existing SOA in 'db'. @@ -1300,9 +1302,9 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver, * Incremental updating of NSECs and RRSIGs. */ -#define MAXZONEKEYS 32 /* Maximum number of zone keys supported. */ +#define MAXZONEKEYS 32 /*%< Maximum number of zone keys supported. */ -/* +/*% * We abuse the dns_diff_t type to represent a set of domain names * affected by the update. */ @@ -1310,8 +1312,8 @@ static isc_result_t namelist_append_name(dns_diff_t *list, dns_name_t *name) { isc_result_t result; dns_difftuple_t *tuple = NULL; - static dns_rdata_t dummy_rdata = { NULL, 0, 0, 0, 0, - { (void*)(-1), (void*)(-1) } }; + static dns_rdata_t dummy_rdata = DNS_RDATA_INIT; + CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0, &dummy_rdata, &tuple)); dns_diff_append(list, &tuple); @@ -1353,7 +1355,7 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected) -/* +/*% * Helper function for non_nsec_rrset_exists(). */ static isc_result_t @@ -1366,7 +1368,7 @@ is_non_nsec_action(void *data, dns_rdataset_t *rrset) { return (ISC_R_SUCCESS); } -/* +/*% * Check whether there is an rrset other than a NSEC or RRSIG NSEC, * i.e., anything that justifies the continued existence of a name * after a secure update. @@ -1384,7 +1386,7 @@ non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, RETURN_EXISTENCE_FLAG; } -/* +/*% * A comparison function for sorting dns_diff_t:s by name. */ static int @@ -1449,7 +1451,7 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, } } -/* +/*% * Find the next/previous name that has a NSEC record. * In other words, skip empty database nodes and names that * have had their NSECs removed because they are obscured by @@ -1512,7 +1514,7 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, return (result); } -/* +/*% * Add a NSEC record for "name", recording the change in "diff". * The existing NSEC is removed. */ @@ -1564,7 +1566,7 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, return (result); } -/* +/*% * Add a placeholder NSEC record for "name", recording the change in "diff". */ static isc_result_t @@ -1603,14 +1605,52 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, return (result); } -/* +static isc_boolean_t +ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) { + isc_boolean_t ret = ISC_FALSE; + isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE; + isc_result_t result; + dns_dbnode_t *node = NULL; + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_dnskey_t dnskey; + + dns_rdataset_init(&rdataset); + CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); + CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0, + &rdataset, NULL)); + CHECK(dns_rdataset_first(&rdataset)); + while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) { + dns_rdataset_current(&rdataset, &rdata); + CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL)); + if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) + == DNS_KEYOWNER_ZONE) { + if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) + have_ksk = ISC_TRUE; + else + have_nonksk = ISC_TRUE; + } + dns_rdata_reset(&rdata); + result = dns_rdataset_next(&rdataset); + } + if (have_ksk && have_nonksk) + ret = ISC_TRUE; + failure: + if (dns_rdataset_isassociated(&rdataset)) + dns_rdataset_disassociate(&rdataset); + if (node != NULL) + dns_db_detachnode(db, &node); + return (ret); +} + +/*% * Add RRSIG records for an RRset, recording the change in "diff". */ static isc_result_t add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception, - isc_stdtime_t expire) + isc_stdtime_t expire, isc_boolean_t check_ksk) { isc_result_t result; dns_dbnode_t *node = NULL; @@ -1631,6 +1671,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_db_detachnode(db, &node); for (i = 0; i < nkeys; i++) { + + if (check_ksk && type != dns_rdatatype_dnskey && + (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0) + continue; + /* Calculate the signature, creating a RRSIG RDATA. */ CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception, &expire, @@ -1651,7 +1696,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, return (result); } -/* +/*% * Update RRSIG and NSEC records affected by an update. The original * update, including the SOA serial update but exluding the RRSIG & NSEC * changes, is in "diff" and has already been applied to "newver" of "db". @@ -1684,6 +1729,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; dns_dbnode_t *node = NULL; + isc_boolean_t check_ksk; dns_diff_init(client->mctx, &diffnames); dns_diff_init(client->mctx, &affected); @@ -1705,6 +1751,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, expire = now + sigvalidityinterval; /* + * Do we look at the KSK flag on the DNSKEY to determining which + * keys sign which RRsets? First check the zone option then + * check the keys flags to make sure atleast one has a ksk set + * and one doesn't. + */ + check_ksk = ISC_TF((dns_zone_getoptions(zone) & + DNS_ZONEOPT_UPDATECHECKKSK) != 0); + if (check_ksk) + check_ksk = ksk_sanity(db, newver); + + /* * Get the NSEC's TTL from the SOA MINIMUM field. */ CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); @@ -1763,7 +1820,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, CHECK(add_sigs(db, newver, name, type, &sig_diff, zone_keys, nkeys, client->mctx, inception, - expire)); + expire, check_ksk)); } skip: /* Skip any other updates to the same RRset. */ @@ -1948,7 +2005,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, } else if (t->op == DNS_DIFFOP_ADD) { CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec, &sig_diff, zone_keys, nkeys, - client->mctx, inception, expire)); + client->mctx, inception, expire, + check_ksk)); } else { INSIST(0); } @@ -1984,7 +2042,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, /**************************************************************************/ -/* +/*% * The actual update code in all its glory. We try to follow * the RFC2136 pseudocode as closely as possible. */ @@ -2113,7 +2171,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { dns_zone_detach(&zone); } -/* +/*% * DS records are not allowed to exist without corresponding NS records, * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change, * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex". @@ -2148,6 +2206,112 @@ remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) { return (result); } +/* + * This implements the post load integrity checks for mx records. + */ +static isc_result_t +check_mx(ns_client_t *client, dns_zone_t *zone, + dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) +{ + char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")]; + char ownerbuf[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; + char altbuf[DNS_NAME_FORMATSIZE]; + dns_difftuple_t *t; + dns_fixedname_t fixed; + dns_name_t *foundname; + dns_rdata_mx_t mx; + dns_rdata_t rdata; + isc_boolean_t ok = ISC_TRUE; + isc_boolean_t isaddress; + isc_result_t result; + struct in6_addr addr6; + struct in_addr addr; + unsigned int options; + + dns_fixedname_init(&fixed); + foundname = dns_fixedname_name(&fixed); + dns_rdata_init(&rdata); + options = dns_zone_getoptions(zone); + + for (t = ISC_LIST_HEAD(diff->tuples); + t != NULL; + t = ISC_LIST_NEXT(t, link)) { + if (t->op != DNS_DIFFOP_DEL || + t->rdata.type != dns_rdatatype_mx) + continue; + + result = dns_rdata_tostruct(&t->rdata, &mx, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + /* + * Check if we will error out if we attempt to reload the + * zone. + */ + dns_name_format(&mx.mx, namebuf, sizeof(namebuf)); + dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf)); + isaddress = ISC_FALSE; + if ((options & DNS_RDATA_CHECKMX) != 0 && + strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) { + if (tmp[strlen(tmp) - 1] == '.') + tmp[strlen(tmp) - 1] = '\0'; + if (inet_aton(tmp, &addr) == 1 || + inet_pton(AF_INET6, tmp, &addr6) == 1) + isaddress = ISC_TRUE; + } + + if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX: '%s': %s", + ownerbuf, namebuf, + dns_result_totext(DNS_R_MXISADDRESS)); + ok = ISC_FALSE; + } else if (isaddress) { + update_log(client, zone, ISC_LOG_WARNING, + "%s/MX: warning: '%s': %s", + ownerbuf, namebuf, + dns_result_totext(DNS_R_MXISADDRESS)); + } + + /* + * Check zone integrity checks. + */ + if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0) + continue; + result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a, + 0, 0, NULL, foundname, NULL, NULL); + if (result == ISC_R_SUCCESS) + continue; + + if (result == DNS_R_NXRRSET) { + result = dns_db_find(db, &mx.mx, newver, + dns_rdatatype_aaaa, + 0, 0, NULL, foundname, + NULL, NULL); + if (result == ISC_R_SUCCESS) + continue; + } + + if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' has no address records " + "(A or AAAA)", ownerbuf, namebuf); + ok = ISC_FALSE; + } else if (result == DNS_R_CNAME) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' is a CNAME (illegal)", + ownerbuf, namebuf); + ok = ISC_FALSE; + } else if (result == DNS_R_DNAME) { + dns_name_format(foundname, altbuf, sizeof altbuf); + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' is below a DNAME '%s' (illegal)", + ownerbuf, namebuf, altbuf); + ok = ISC_FALSE; + } + } + return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED); +} + static void update_action(isc_task_t *task, isc_event_t *event) { update_event_t *uev = (update_event_t *) event; @@ -2169,6 +2333,7 @@ update_action(isc_task_t *task, isc_event_t *event) { dns_ssutable_t *ssutable = NULL; dns_fixedname_t tmpnamefixed; dns_name_t *tmpname = NULL; + unsigned int options; INSIST(event->ev_type == DNS_EVENT_UPDATE); @@ -2402,6 +2567,7 @@ update_action(isc_task_t *task, isc_event_t *event) { * Process the Update Section. */ + options = dns_zone_getoptions(zone); for (result = dns_message_firstname(request, DNS_SECTION_UPDATE); result == ISC_R_SUCCESS; result = dns_message_nextname(request, DNS_SECTION_UPDATE)) @@ -2418,7 +2584,7 @@ update_action(isc_task_t *task, isc_event_t *event) { if (update_class == zoneclass) { /* - * RFC 1123 doesn't allow MF and MD in master zones. */ + * RFC1123 doesn't allow MF and MD in master zones. */ if (rdata.type == dns_rdatatype_md || rdata.type == dns_rdatatype_mf) { char typebuf[DNS_RDATATYPE_FORMATSIZE]; @@ -2488,6 +2654,15 @@ update_action(isc_task_t *task, isc_event_t *event) { } soa_serial_changed = ISC_TRUE; } + if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 && + dns_name_internalwildcard(name)) { + char namestr[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namestr, + sizeof(namestr)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "warning: ownername '%s' contains " + "a non-terminal wildcard", namestr); + } if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { char namestr[DNS_NAME_FORMATSIZE]; @@ -2636,6 +2811,8 @@ update_action(isc_task_t *task, isc_event_t *event) { CHECK(increment_soa_serial(db, ver, &diff, mctx)); } + CHECK(check_mx(client, zone, db, ver, &diff)); + CHECK(remove_orphaned_ds(db, ver, &diff)); if (dns_db_issecure(db)) { @@ -2747,7 +2924,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { ns_client_detach(&client); } -/* +/*% * Update forwarding support. */ diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c index 687c287..9fe90a2 100644 --- a/contrib/bind9/bin/named/xfrout.c +++ b/contrib/bind9/bin/named/xfrout.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrout.c,v 1.101.2.5.2.12 2005/10/14 02:13:05 marka Exp $ */ +/* $Id: xfrout.c,v 1.115.18.8 2006/03/05 23:58:51 marka Exp $ */ #include <config.h> @@ -27,6 +27,9 @@ #include <dns/db.h> #include <dns/dbiterator.h> +#ifdef DLZ +#include <dns/dlz.h> +#endif #include <dns/fixedname.h> #include <dns/journal.h> #include <dns/message.h> @@ -48,7 +51,8 @@ #include <named/server.h> #include <named/xfrout.h> -/* +/*! \file + * \brief * Outgoing AXFR and IXFR. */ @@ -71,7 +75,7 @@ #define XFROUT_RR_LOGLEVEL ISC_LOG_DEBUG(8) -/* +/*% * Fail unconditionally and log as a client error. * The test against ISC_R_SUCCESS is there to keep the Solaris compiler * from complaining about "end-of-loop code not reached". @@ -106,13 +110,14 @@ } while (0) /**************************************************************************/ -/* +/*% * A db_rr_iterator_t is an iterator that iterates over an entire database, * returning one RR at a time, in some arbitrary order. */ typedef struct db_rr_iterator db_rr_iterator_t; +/*% db_rr_iterator structure */ struct db_rr_iterator { isc_result_t result; dns_db_t *db; @@ -195,7 +200,7 @@ db_rr_iterator_first(db_rr_iterator_t *it) { continue; } dns_rdatasetiter_current(it->rdatasetit, &it->rdataset); - + it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER; it->result = dns_rdataset_first(&it->rdataset); return (it->result); } @@ -245,6 +250,7 @@ db_rr_iterator_next(db_rr_iterator_t *it) { if (it->result != ISC_R_SUCCESS) return (it->result); dns_rdatasetiter_current(it->rdatasetit, &it->rdataset); + it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER; it->result = dns_rdataset_first(&it->rdataset); if (it->result != ISC_R_SUCCESS) return (it->result); @@ -283,7 +289,7 @@ db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name, /**************************************************************************/ -/* Log an RR (for debugging) */ +/*% Log an RR (for debugging) */ static void log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) { @@ -903,6 +909,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")]; char keyname[DNS_NAME_FORMATSIZE]; isc_boolean_t is_poll = ISC_FALSE; +#ifdef DLZ + isc_boolean_t is_dlz = ISC_FALSE; +#endif switch (reqtype) { case dns_rdatatype_axfr: @@ -953,19 +962,71 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, &zone); + if (result != ISC_R_SUCCESS) - FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", - question_name, question_class); - switch(dns_zone_gettype(zone)) { - case dns_zone_master: - case dns_zone_slave: - break; /* Master and slave zones are OK for transfer. */ - default: - FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", - question_name, question_class); +#ifdef DLZ + { + /* + * Normal zone table does not have a match. Try the DLZ database + */ + if (client->view->dlzdatabase != NULL) { + result = dns_dlzallowzonexfr(client->view, + question_name, &client->peeraddr, + &db); + + if (result == ISC_R_NOPERM) { + char _buf1[DNS_NAME_FORMATSIZE]; + char _buf2[DNS_RDATACLASS_FORMATSIZE]; + + result = DNS_R_REFUSED; + dns_name_format(question_name, _buf1, + sizeof(_buf1)); + dns_rdataclass_format(question_class, + _buf2, sizeof(_buf2)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_XFER_OUT, + ISC_LOG_ERROR, + "zone transfer '%s/%s' denied", + _buf1, _buf2); + goto failure; + } + if (result != ISC_R_SUCCESS) +#endif + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", + question_name, question_class); +#ifdef DLZ + is_dlz = ISC_TRUE; + /* + * DLZ only support full zone transfer, not incremental + */ + if (reqtype != dns_rdatatype_axfr) { + mnemonic = "AXFR-style IXFR"; + reqtype = dns_rdatatype_axfr; + } + + } else { + /* + * not DLZ and not in normal zone table, we are + * not authoritative + */ + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", + question_name, question_class); + } + } else { + /* zone table has a match */ +#endif + switch(dns_zone_gettype(zone)) { + case dns_zone_master: + case dns_zone_slave: + break; /* Master and slave zones are OK for transfer. */ + default: + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class); + } + CHECK(dns_zone_getdb(zone, &db)); + dns_db_currentversion(db, &ver); +#ifdef DLZ } - CHECK(dns_zone_getdb(zone, &db)); - dns_db_currentversion(db, &ver); +#endif xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6), "%s question section OK", mnemonic); @@ -1021,11 +1082,20 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { /* * Decide whether to allow this transfer. */ - ns_client_aclmsg("zone transfer", question_name, reqtype, - client->view->rdclass, msg, sizeof(msg)); - CHECK(ns_client_checkacl(client, msg, - dns_zone_getxfracl(zone), ISC_TRUE, - ISC_LOG_ERROR)); +#ifdef DLZ + /* + * if not a DLZ zone decide whether to allow this transfer. + */ + if (!is_dlz) { +#endif + ns_client_aclmsg("zone transfer", question_name, reqtype, + client->view->rdclass, msg, sizeof(msg)); + CHECK(ns_client_checkacl(client, msg, + dns_zone_getxfracl(zone), ISC_TRUE, + ISC_LOG_ERROR)); +#ifdef DLZ + } +#endif /* * AXFR over UDP is not possible. @@ -1049,6 +1119,10 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { /* * Get a dynamically allocated copy of the current SOA. */ +#ifdef DLZ + if (is_dlz) + dns_db_currentversion(db, &ver); +#endif CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS, ¤t_soa_tuple)); @@ -1131,15 +1205,32 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { * Create the xfrout context object. This transfers the ownership * of "stream", "db", "ver", and "quota" to the xfrout context object. */ - CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, - reqtype, question_class, db, ver, quota, - stream, dns_message_gettsigkey(request), - tsigbuf, - dns_zone_getmaxxfrout(zone), - dns_zone_getidleout(zone), - (format == dns_many_answers) ? - ISC_TRUE : ISC_FALSE, - &xfr)); + + + +#ifdef DLZ + if (is_dlz) + CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, + reqtype, question_class, db, ver, quota, + stream, dns_message_gettsigkey(request), + tsigbuf, + 3600, + 3600, + (format == dns_many_answers) ? + ISC_TRUE : ISC_FALSE, + &xfr)); + else +#endif + CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, + reqtype, question_class, db, ver, quota, + stream, dns_message_gettsigkey(request), + tsigbuf, + dns_zone_getmaxxfrout(zone), + dns_zone_getidleout(zone), + (format == dns_many_answers) ? + ISC_TRUE : ISC_FALSE, + &xfr)); + xfr->mnemonic = mnemonic; stream = NULL; quota = NULL; @@ -1511,6 +1602,7 @@ sendstream(xfrout_ctx_t *xfr) { if ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0) { CHECK(dns_compress_init(&cctx, -1, xfr->mctx)); + dns_compress_setsensitive(&cctx, ISC_TRUE); cleanup_cctx = ISC_TRUE; CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf)); CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0)); diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c index 66ef905..a0c1bab 100644 --- a/contrib/bind9/bin/named/zoneconf.c +++ b/contrib/bind9/bin/named/zoneconf.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.87.2.4.10.19 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: zoneconf.c,v 1.110.18.23 2006/05/16 03:39:57 marka Exp $ */ + +/*% */ #include <config.h> @@ -35,13 +37,14 @@ #include <dns/view.h> #include <dns/zone.h> +#include <named/client.h> #include <named/config.h> #include <named/globals.h> #include <named/log.h> #include <named/server.h> #include <named/zoneconf.h> -/* +/*% * These are BIND9 server defaults, not necessarily identical to the * library defaults defined in zone.c. */ @@ -51,18 +54,18 @@ return (_r); \ } while (0) -/* +/*% * Convenience function for configuring a single zone ACL. */ static isc_result_t configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, const cfg_obj_t *config, const char *aclname, - ns_aclconfctx_t *actx, dns_zone_t *zone, + cfg_aclconfctx_t *actx, dns_zone_t *zone, void (*setzacl)(dns_zone_t *, dns_acl_t *), void (*clearzacl)(dns_zone_t *)) { isc_result_t result; - const cfg_obj_t *maps[4]; + const cfg_obj_t *maps[5]; const cfg_obj_t *aclobj = NULL; int i = 0; dns_acl_t *dacl = NULL; @@ -77,6 +80,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, if (options != NULL) maps[i++] = options; } + maps[i++] = ns_g_defaults; maps[i] = NULL; result = ns_config_get(maps, aclname, &aclobj); @@ -85,8 +89,8 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, return (ISC_R_SUCCESS); } - result = ns_acl_fromconfig(aclobj, config, actx, - dns_zone_getmctx(zone), &dacl); + result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx, + dns_zone_getmctx(zone), &dacl); if (result != ISC_R_SUCCESS) return (result); (*setzacl)(zone, dacl); @@ -94,7 +98,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, return (ISC_R_SUCCESS); } -/* +/*% * Parse the zone update-policy statement. */ static isc_result_t @@ -150,6 +154,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) { mtype = DNS_SSUMATCHTYPE_WILDCARD; else if (strcasecmp(str, "self") == 0) mtype = DNS_SSUMATCHTYPE_SELF; + else if (strcasecmp(str, "selfsub") == 0) + mtype = DNS_SSUMATCHTYPE_SELFSUB; + else if (strcasecmp(str, "selfwild") == 0) + mtype = DNS_SSUMATCHTYPE_SELFWILD; else INSIST(0); @@ -235,7 +243,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) { return (result); } -/* +/*% * Convert a config file zone type into a server zone type. */ static inline dns_zonetype_t @@ -248,7 +256,7 @@ zonetype_fromconfig(const cfg_obj_t *map) { return (ns_config_getzonetype(obj)); } -/* +/*% * Helper function for strtoargv(). Pardon the gratuitous recursion. */ static isc_result_t @@ -282,7 +290,7 @@ strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp, return (ISC_R_SUCCESS); } -/* +/*% * Tokenize the string "s" into whitespace-separated words, * return the number of words in '*argcp' and an array * of pointers to the words in '*argvp'. The caller @@ -313,7 +321,7 @@ checknames(dns_zonetype_t ztype, const cfg_obj_t **maps, isc_result_t ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, - const cfg_obj_t *zconfig, ns_aclconfctx_t *ac, + const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac, dns_zone_t *zone) { isc_result_t result; @@ -342,6 +350,9 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, isc_boolean_t alt; dns_view_t *view; isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE; + isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE; + isc_boolean_t ixfrdiff; + dns_masterformat_t masterformat; i = 0; if (zconfig != NULL) { @@ -409,7 +420,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, result = cfg_map_get(zoptions, "file", &obj); if (result == ISC_R_SUCCESS) filename = cfg_obj_asstring(obj); - RETERR(dns_zone_setfile(zone, filename)); + + masterformat = dns_masterformat_text; + obj = NULL; + result= ns_config_get(maps, "masterfile-format", &obj); + if (result == ISC_R_SUCCESS) { + const char *masterformatstr = cfg_obj_asstring(obj); + + if (strcasecmp(masterformatstr, "text") == 0) + masterformat = dns_masterformat_text; + else if (strcasecmp(masterformatstr, "raw") == 0) + masterformat = dns_masterformat_raw; + else + INSIST(0); + } + RETERR(dns_zone_setfile2(zone, filename, masterformat)); + + obj = NULL; + result = cfg_map_get(zoptions, "journal", &obj); + if (result == ISC_R_SUCCESS) + RETERR(dns_zone_setjournal(zone, cfg_obj_asstring(obj))); if (ztype == dns_zone_slave) RETERR(configure_zone_acl(zconfig, vconfig, config, @@ -470,6 +500,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, const char *notifystr = cfg_obj_asstring(obj); if (strcasecmp(notifystr, "explicit") == 0) notifytype = dns_notifytype_explicit; + else if (strcasecmp(notifystr, "master-only") == 0) + notifytype = dns_notifytype_masteronly; else INSIST(0); } @@ -504,6 +536,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); + dns_zone_setisself(zone, ns_client_isself, NULL); + RETERR(configure_zone_acl(zconfig, vconfig, config, "allow-transfer", ac, zone, dns_zone_setxfracl, @@ -546,8 +580,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = ns_config_get(maps, "ixfr-from-differences", &obj); INSIST(result == ISC_R_SUCCESS); - dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, - cfg_obj_asboolean(obj)); + if (cfg_obj_isboolean(obj)) + ixfrdiff = cfg_obj_asboolean(obj); + else if (strcasecmp(cfg_obj_asstring(obj), "master") && + ztype == dns_zone_master) + ixfrdiff = ISC_TRUE; + else if (strcasecmp(cfg_obj_asstring(obj), "slave") && + ztype == dns_zone_slave) + ixfrdiff = ISC_TRUE; + else + ixfrdiff = ISC_FALSE; + dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff); checknames(ztype, maps, &obj); INSIST(obj != NULL); @@ -562,6 +605,128 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, INSIST(0); dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check); dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail); + + obj = NULL; + result = ns_config_get(maps, "notify-delay", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "check-sibling", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING, + cfg_obj_asboolean(obj)); + + obj = NULL; + result = ns_config_get(maps, "zero-no-soa-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj)); + } + + /* + * Configure update-related options. These apply to + * primary masters only. + */ + if (ztype == dns_zone_master) { + dns_acl_t *updateacl; + RETERR(configure_zone_acl(zconfig, vconfig, config, + "allow-update", ac, zone, + dns_zone_setupdateacl, + dns_zone_clearupdateacl)); + + updateacl = dns_zone_getupdateacl(zone); + if (updateacl != NULL && dns_acl_isinsecure(updateacl)) + isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_SERVER, ISC_LOG_WARNING, + "zone '%s' allows updates by IP " + "address, which is insecure", + zname); + + RETERR(configure_zone_ssutable(zoptions, zone)); + + obj = NULL; + result = ns_config_get(maps, "sig-validity-interval", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setsigvalidityinterval(zone, + cfg_obj_asuint32(obj) * 86400); + + obj = NULL; + result = ns_config_get(maps, "key-directory", &obj); + if (result == ISC_R_SUCCESS) { + filename = cfg_obj_asstring(obj); + if (!isc_file_isabsolute(filename)) { + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, + "key-directory '%s' " + "is not absolute", filename); + return (ISC_R_FAILURE); + } + RETERR(dns_zone_setkeydirectory(zone, filename)); + } + + obj = NULL; + result = ns_config_get(maps, "check-wildcard", &obj); + if (result == ISC_R_SUCCESS) + check = cfg_obj_asboolean(obj); + else + check = ISC_FALSE; + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check); + + obj = NULL; + result = ns_config_get(maps, "check-mx", &obj); + INSIST(obj != NULL); + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + fail = ISC_FALSE; + check = ISC_TRUE; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + fail = check = ISC_TRUE; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + fail = check = ISC_FALSE; + } else + INSIST(0); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMX, check); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail); + + obj = NULL; + result = ns_config_get(maps, "check-integrity", &obj); + INSIST(obj != NULL); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, + cfg_obj_asboolean(obj)); + + obj = NULL; + result = ns_config_get(maps, "check-mx-cname", &obj); + INSIST(obj != NULL); + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + warn = ISC_TRUE; + ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + warn = ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + warn = ignore = ISC_TRUE; + } else + INSIST(0); + dns_zone_setoption(zone, DNS_ZONEOPT_WARNMXCNAME, warn); + dns_zone_setoption(zone, DNS_ZONEOPT_IGNOREMXCNAME, ignore); + + obj = NULL; + result = ns_config_get(maps, "check-srv-cname", &obj); + INSIST(obj != NULL); + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + warn = ISC_TRUE; + ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + warn = ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + warn = ignore = ISC_TRUE; + } else + INSIST(0); + dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn); + dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore); + + obj = NULL; + result = ns_config_get(maps, "update-check-ksk", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, + cfg_obj_asboolean(obj)); } /* |
