Diffstat (limited to 'contrib/bind9/bin')
35 files changed, 404 insertions, 187 deletions
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in index e480552..89b4673 100644 --- a/contrib/bind9/bin/Makefile.in +++ b/contrib/bind9/bin/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in index 403933b..c191605 100644 --- a/contrib/bind9/bin/check/Makefile.in +++ b/contrib/bind9/bin/check/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c index 422d9b1..2bf16a6 100644 --- a/contrib/bind9/bin/check/check-tool.c +++ b/contrib/bind9/bin/check/check-tool.c @@ -639,6 +639,9 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, { isc_result_t result; FILE *output = stdout; + const char *flags; + + flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+"; if (debug) { if (filename != NULL && strcmp(filename, "-") != 0) @@ -649,7 +652,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, } if (filename != NULL && strcmp(filename, "-") != 0) { - result = isc_stdio_open(filename, "w+", &output); + result = isc_stdio_open(filename, flags, &output); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not open output " diff --git a/contrib/bind9/bin/confgen/Makefile.in b/contrib/bind9/bin/confgen/Makefile.in index 64ddf76..8b3e5aa 100644 --- a/contrib/bind9/bin/confgen/Makefile.in 
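Review bot: In the dump_zone() hunks of check-tool.c, the new `flags` variable holds an fopen-style mode string rather than a set of flags, and nothing records why non-text formats get `"wb+"`. Renaming it and folding the assignment into the declaration would read better: `const char *mode = (fileformat == dns_masterformat_text) ? "w+" : "wb+";` with a comment such as `/* non-text zone output must not go through text-mode translation */` (the reason is inferred, so confirm the wording). The dnssec-signzone.c hunk makes the same text/binary split with isc_file_openunique() and isc_file_bopenunique() and would benefit from the same one-line comment. dump_zone() starts and ends outside the hunks.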
+++ b/contrib/bind9/bin/confgen/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/bin/confgen/unix/Makefile.in b/contrib/bind9/bin/confgen/unix/Makefile.in index 924701e..2ab6d92 100644 --- a/contrib/bind9/bin/confgen/unix/Makefile.in +++ b/contrib/bind9/bin/confgen/unix/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in index 19dc61c..2a3bc5d 100644 --- a/contrib/bind9/bin/dig/Makefile.in +++ b/contrib/bind9/bin/dig/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c index 48c390b..2ef8f84 100644 --- a/contrib/bind9/bin/dig/nslookup.c +++ b/contrib/bind9/bin/dig/nslookup.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -57,6 +57,7 @@ static isc_boolean_t in_use = ISC_FALSE; static char defclass[MXRD] = "IN"; static char deftype[MXRD] = "A"; static isc_event_t *global_event = NULL; +static int query_error = 1, print_error = 0; static char domainopt[DNS_NAME_MAXTEXT]; @@ -406,6 +407,9 @@ isc_result_t printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { char servtext[ISC_SOCKADDR_FORMATSIZE]; + /* I've we've gotten this far, we've reached a server. */ + query_error = 0; + debug("printmessage()"); isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext)); @@ -433,6 +437,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { (msg->rcode != dns_rcode_nxdomain) ? nametext : query->lookup->textname, rcode_totext(msg->rcode)); debug("returning with rcode == 0"); + + /* the lookup failed */ + print_error |= 1; return (ISC_R_SUCCESS); } @@ -887,5 +894,5 @@ main(int argc, char **argv) { destroy_libs(); isc_app_finish(); - return (0); + return (query_error | print_error); } diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in index 6bfd162..0bca141 100644 --- a/contrib/bind9/bin/dnssec/Makefile.in +++ b/contrib/bind9/bin/dnssec/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 index 437aa37..ae9bb54 100644 --- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 +++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 
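Review bot: `query_error` is initialised to 1 and cleared only inside printmessage(), so any run that never reaches printmessage() (apparently including an interactive session that exits without issuing a query) ends with `return (query_error | print_error);` yielding 1. `print_error` is also sticky, so a single failed lookup in a multi-query session marks the whole run as failed even when later lookups succeed. If both are intended, the declaration should say so, e.g. `/* exit status: query_error = no server ever answered; print_error = some lookup returned a non-zero rcode */`, because scripts and monitoring checks that gate on the exit code depend on that contract. The added comment in printmessage() has a typo: `I've we've` should read `If we've`. printmessage() and main() both continue outside the hunks.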
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm. .RS 4 Select the digest algorithm. The value of \fBalgorithm\fR -must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive. +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive. .RE .PP \-K \fIdirectory\fR @@ -139,5 +139,5 @@ RFC 4509. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2008\-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c index c4b157c..93d789b 100644 --- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c +++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -296,7 +296,7 @@ usage(void) { fprintf(stderr, " -K <directory>: directory in which to find " "key file or keyset file\n"); fprintf(stderr, " -a algorithm: digest algorithm " - "(SHA-1, SHA-256 or GOST)\n"); + "(SHA-1, SHA-256, GOST or SHA-384)\n"); fprintf(stderr, " -1: use SHA-1\n"); fprintf(stderr, " -2: use SHA-256\n"); fprintf(stderr, " -l: add lookaside zone and print DLV records\n"); 
@@ -415,6 +415,9 @@ main(int argc, char **argv) { else if (strcasecmp(algname, "GOST") == 0) dtype = DNS_DSDIGEST_GOST; #endif + else if (strcasecmp(algname, "SHA384") == 0 || + strcasecmp(algname, "SHA-384") == 0) + dtype = DNS_DSDIGEST_SHA384; else fatal("unknown algorithm %s", algname); } diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook index d139ba5..d705033 100644 --- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -39,6 +39,7 @@ <year>2008</year> <year>2009</year> <year>2010</year> + <year>2012</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -107,7 +108,8 @@ <para> Select the digest algorithm. The value of <option>algorithm</option> must be one of SHA-1 (SHA1), - SHA-256 (SHA256) or GOST. These values are case insensitive. + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. </para> </listitem> </varlistentry> diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html index 3031c39..24bc0c1 100644 --- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html +++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above 
@@ -32,14 +32,14 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543465"></a><h2>DESCRIPTION</h2> +<a name="id2543468"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-dsfromkey</strong></span> outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s). </p> </div> <div class="refsect1" lang="en"> -<a name="id2543477"></a><h2>OPTIONS</h2> +<a name="id2543480"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-1</span></dt> <dd><p> @@ -54,7 +54,8 @@ <dd><p> Select the digest algorithm. The value of <code class="option">algorithm</code> must be one of SHA-1 (SHA1), - SHA-256 (SHA256) or GOST. These values are case insensitive. + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. </p></dd> <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> @@ -100,7 +101,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543664"></a><h2>EXAMPLE</h2> +<a name="id2543667"></a><h2>EXAMPLE</h2> <p> To build the SHA-256 DS RR from the <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> 
@@ -115,7 +116,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543693"></a><h2>FILES</h2> +<a name="id2543697"></a><h2>FILES</h2> <p> The keyfile can be designed by the key identification <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name @@ -129,13 +130,13 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543729"></a><h2>CAVEAT</h2> +<a name="id2543732"></a><h2>CAVEAT</h2> <p> A keyfile error can give a "file not found" even if the file exists. </p> </div> <div class="refsect1" lang="en"> -<a name="id2543738"></a><h2>SEE ALSO</h2> +<a name="id2543741"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -145,7 +146,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543778"></a><h2>AUTHOR</h2> +<a name="id2543781"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 index e3bb48f..9867ff7e 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -47,7 +47,7 @@ of the key is specified on the command line. This must match the name of the zon .RS 4 Selects the cryptographic algorithm. The value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR @@ -215,5 +215,5 @@ RFC 4034. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c index 6a07146..e91e02d 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2007-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -55,7 +55,8 @@ int verbose; static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" " NSEC3DSA | NSEC3RSASHA1 |" - " RSASHA256 | RSASHA512 | ECCGOST"; + " RSASHA256 | RSASHA512 | ECCGOST |" + " ECDSAP256SHA256 | ECDSAP384SHA384"; ISC_PLATFORM_NORETURN_PRE static void usage(void) ISC_PLATFORM_NORETURN_POST; 
@@ -369,7 +370,8 @@ main(int argc, char **argv) { if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 && - alg != DST_ALG_ECCGOST) { + alg != DST_ALG_ECCGOST && + alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) { fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname); } diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook index 5f3e0e6..4662e87 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -40,6 +40,7 @@ <year>2009</year> <year>2010</year> <year>2011</year> + <year>2012</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -94,7 +95,8 @@ <para> Selects the cryptographic algorithm. The value of <option>algorithm</option> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. </para> <para> diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html index f2c72c5..0fa3aff 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html 
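Review bot: The NSEC3-compatibility test in main() of dnssec-keyfromlabel.c is a hand-maintained chain of `alg != DST_ALG_...` comparisons, and the dnssec-keygen.c hunk at `@@ -549,7 +552,8 @@` carries the same list. Every new signing algorithm therefore has to be added in both places, or `-3` is accepted by one tool and rejected by the other. A single shared predicate in the tools' common code would keep them in step; at minimum, add a comment on each copy such as `/* keep in sync with the NSEC3 check in dnssec-keygen.c */`. main() starts and ends outside the hunk.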
@@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above 
@@ -31,7 +31,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543495"></a><h2>DESCRIPTION</h2> +<a name="id2543498"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keyfromlabel</strong></span> gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 
@@ -44,14 +44,15 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543513"></a><h2>OPTIONS</h2> +<a name="id2543516"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> Selects the cryptographic algorithm. The value of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. </p> <p> @@ -163,7 +164,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543877"></a><h2>TIMING OPTIONS</h2> +<a name="id2543880"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -210,7 +211,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544043"></a><h2>GENERATED KEY FILES</h2> +<a name="id2544046"></a><h2>GENERATED KEY FILES</h2> <p> When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes successfully, @@ -249,7 +250,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544116"></a><h2>SEE ALSO</h2> +<a name="id2544119"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -257,7 +258,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544149"></a><h2>AUTHOR</h2> +<a name="id2544152"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8 index 690abf9..689f23d 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.8 
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and/or distribute this software for any @@ -48,7 +48,7 @@ of the key is specified on the command line. For DNSSEC keys, this must match th .RS 4 Selects the cryptographic algorithm. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR 
@@ -63,7 +63,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the .PP \-b \fIkeysize\fR .RS 4 -Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. +Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter. .sp The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with \fB\-f KSK\fR). However, if an algorithm is explicitly specified with the @@ -81,7 +81,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a .PP \-3 .RS 4 -Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable. +Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable. .RE .PP \-C 
@@ -298,7 +298,7 @@ RFC 4034. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007\-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007\-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2003 Internet Software Consortium. .br diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c index cc1d9b1..8af100c 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.c +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -85,6 +85,7 @@ usage(void) { fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1" " | NSEC3DSA |\n"); fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n"); + fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | " "HMAC-SHA256 | \n"); fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n"); @@ -102,6 +103,8 @@ usage(void) { fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible " "by 64\n"); fprintf(stderr, " ECCGOST:\tignored\n"); + fprintf(stderr, " ECDSAP256SHA256:\tignored\n"); + fprintf(stderr, " ECDSAP384SHA384:\tignored\n"); fprintf(stderr, " HMAC-MD5:\t[1..512]\n"); fprintf(stderr, " HMAC-SHA1:\t[1..160]\n"); fprintf(stderr, " HMAC-SHA224:\t[1..224]\n"); @@ -549,7 +552,8 @@ main(int argc, char **argv) { if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 && - alg != DST_ALG_ECCGOST) { + alg != DST_ALG_ECCGOST && + alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) { fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname); } 
@@ -579,9 +583,11 @@ main(int argc, char **argv) { size = 1024; if (verbose > 0) fprintf(stderr, "key size not " - "specified; defaulting " - "to %d\n", size); - } else if (alg != DST_ALG_ECCGOST) + "specified; defaulting" + " to %d\n", size); + } else if (alg != DST_ALG_ECCGOST && + alg != DST_ALG_ECDSA256 && + alg != DST_ALG_ECDSA384) fatal("key size not specified (-b option)"); } @@ -710,6 +716,8 @@ main(int argc, char **argv) { fatal("invalid DSS key size: %d", size); break; case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: break; case DST_ALG_HMACMD5: options |= DST_TYPE_KEY; @@ -775,7 +783,8 @@ main(int argc, char **argv) { if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 || alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 || - alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST) && + alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST || + alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) && rsa_exp != 0) fatal("specified RSA exponent for a non-RSA key"); @@ -849,6 +858,8 @@ main(int argc, char **argv) { case DNS_KEYALG_DSA: case DNS_KEYALG_NSEC3DSA: case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: show_progress = ISC_TRUE; /* fall through */ diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook index f0cf7f5..0a1926b 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any 
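Review bot: In the `@@ -775,7 +783,8 @@` hunk of dnssec-keygen.c, ECDSA256 and ECDSA384 are added to the algorithms exempt from `fatal("specified RSA exponent for a non-RSA key")`. A non-zero `rsa_exp` combined with an ECDSA algorithm is therefore accepted without any diagnostic, even though these are not RSA keys (ECCGOST was already exempt before this change). Unless code outside the hunk relies on that, the terms `alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384` look like they should be left out of this condition so the option is rejected rather than silently ignored. The condition also mixes `DNS_KEYALG_*` and `DST_ALG_*` names for the same variable; one family throughout would be clearer. main() continues outside the hunk.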
@@ -43,6 +43,7 @@ <year>2008</year> <year>2009</year> <year>2010</year> + <year>2012</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -114,7 +115,8 @@ <para> Selects the cryptographic algorithm. For DNSSEC keys, the value of <option>algorithm</option> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are @@ -148,7 +150,8 @@ between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. </para> <para> The key size does not need to be specified if using a default @@ -184,7 +187,8 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms + default. Note that RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. </para> </listitem> diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html index 4bf1f6b..3bdfa07 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.html +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any 
@@ -32,7 +32,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] 
[<code class="option">-z</code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543579"></a><h2>DESCRIPTION</h2> +<a name="id2543582"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -46,14 +46,15 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543597"></a><h2>OPTIONS</h2> +<a name="id2543601"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> Selects the cryptographic algorithm. For DNSSEC keys, the value of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are @@ -84,7 +85,8 @@ between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. </p> <p> The key size does not need to be specified if using a default @@ -111,7 +113,8 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms + default. Note that RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. </p></dd> <dt><span class="term">-C</span></dt> 
@@ -248,7 +251,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544166"></a><h2>TIMING OPTIONS</h2> +<a name="id2544169"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -319,7 +322,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544356"></a><h2>GENERATED KEYS</h2> +<a name="id2544359"></a><h2>GENERATED KEYS</h2> <p> When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, @@ -365,7 +368,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544506"></a><h2>EXAMPLE</h2> +<a name="id2544441"></a><h2>EXAMPLE</h2> <p> To generate a 768-bit DSA key for the domain <strong class="userinput"><code>example.com</code></strong>, the following command would be @@ -386,7 +389,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544550"></a><h2>SEE ALSO</h2> +<a name="id2544485"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2539</em>, @@ -395,7 +398,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544581"></a><h2>AUTHOR</h2> +<a name="id2544584"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.c b/contrib/bind9/bin/dnssec/dnssec-settime.c index 7a81490..f7f4486 100644 --- a/contrib/bind9/bin/dnssec/dnssec-settime.c +++ b/contrib/bind9/bin/dnssec/dnssec-settime.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -38,6 +38,7 @@ #include <dns/keyvalues.h> #include <dns/result.h> +#include <dns/log.h> #include <dst/dst.h> @@ -151,6 +152,7 @@ main(int argc, char **argv) { isc_boolean_t force = ISC_FALSE; isc_boolean_t epoch = ISC_FALSE; isc_boolean_t changed = ISC_FALSE; + isc_log_t *log = NULL; if (argc == 1) usage(); @@ -159,6 +161,8 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) fatal("Out of memory"); + setup_logging(verbose, mctx, &log); + dns_result_register(); isc_commandline_errprint = ISC_FALSE; @@ -578,6 +582,7 @@ main(int argc, char **argv) { cleanup_entropy(&ectx); if (verbose > 10) isc_mem_stats(mctx, stdout); + cleanup_logging(&log); isc_mem_free(mctx, directory); isc_mem_destroy(&mctx); diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c index 953e2b0..2376249 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.c +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c @@ -3893,7 +3893,10 @@ main(int argc, char *argv[]) { check_result(result, "isc_file_mktemplate"); fp = NULL; - result = isc_file_openunique(tempfile, &fp); + if (outputformat == dns_masterformat_text) + result = isc_file_openunique(tempfile, &fp); + else + result = isc_file_bopenunique(tempfile, &fp); if (result != ISC_R_SUCCESS) fatal("failed to open temporary output file: %s", isc_result_totext(result)); diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in index 272cf96..ea919ae 100644 --- a/contrib/bind9/bin/named/Makefile.in +++ b/contrib/bind9/bin/named/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c index 754e73d..14204cd 100644 --- a/contrib/bind9/bin/named/builtin.c 
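Review bot: In dnssec-settime.c, `setup_logging(verbose, mctx, &log);` is added directly after the memory context is created and before the `isc_commandline_errprint = ISC_FALSE;` line, so it appears to run before any option has been parsed. At that point `verbose` would still hold its initial value, and a verbosity level given on the command line would not reach the logging setup. The option loop is outside these hunks, so this needs checking against the full main(); if it holds, move the call to just after option parsing. Either way, a one-line comment at the call stating which value of `verbose` it is meant to see would help.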
+++ b/contrib/bind9/bin/named/builtin.c @@ -99,9 +99,9 @@ static size_t dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) { size_t i, j = 0; - for (i = 0; i < 4; i++) { + for (i = 0; i < 4U; i++) { unsigned char c = v[start++]; - if (start == 7) + if (start == 7U) start++; if (c > 99) { rdata[j++] = 3; @@ -164,7 +164,7 @@ dns64_cname(const dns_name_t *zone, const dns_name_t *name, i = (nlen % 4) == 2U ? 1 : 0; j = nlen; memset(v, 0, sizeof(v)); - while (j != 0) { + while (j != 0U) { INSIST((i/2) < sizeof(v)); if (ndata[0] != 1) return (ISC_R_NOTFOUND); diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c index f5e93e4..9e453ad 100644 --- a/contrib/bind9/bin/named/config.c +++ b/contrib/bind9/bin/named/config.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -89,7 +89,7 @@ options {\n\ #endif "\ recursive-clients 1000;\n\ - resolver-query-timeout 30;\n\ + resolver-query-timeout 10;\n\ rrset-order {type NS order random; order cyclic; };\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c index 926c205..daf00d0 100644 --- a/contrib/bind9/bin/named/controlconf.c +++ b/contrib/bind9/bin/named/controlconf.c @@ -373,8 +373,10 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { if (result == ISC_R_SUCCESS) break; isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret)); - log_invalid(&conn->ccmsg, result); - goto cleanup; + if (result != ISCCC_R_BADAUTH) { + log_invalid(&conn->ccmsg, result); + goto cleanup; + } } if (key == NULL) { diff --git a/contrib/bind9/bin/named/convertxsl.pl b/contrib/bind9/bin/named/convertxsl.pl index 87550b3..f355368 100755 
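Review bot: In control_recvmessage() the key loop now moves on to the next key on ISCCC_R_BADAUTH without calling log_invalid(). Whether a message that matches none of the configured keys is still reported therefore depends on the `if (key == NULL)` branch, whose body is outside this hunk; confirm that it logs the rejection, because failed control-channel authentication is something operators need to see. A comment at the new test would record the intent, e.g. `/* Wrong key for this message: try the next key; any other error ends the attempt. */`. Separately, the per-attempt copy of the secret is released with `isc_mem_put()` on every failed try, and whether that scrubs the buffer is not visible here.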
--- a/contrib/bind9/bin/named/convertxsl.pl +++ b/contrib/bind9/bin/named/convertxsl.pl @@ -1,6 +1,6 @@ #!/usr/bin/env perl # -# Copyright (C) 2006-2008 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2006-2008, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 10a7d6d..9e67f2d 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -25,6 +25,7 @@ #include <isc/hex.h> #include <isc/mem.h> +#include <isc/serial.h> #include <isc/stats.h> #include <isc/util.h> @@ -2775,11 +2776,12 @@ query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname, */ static void mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name, - isc_uint32_t ttl, dns_rdataset_t *rdataset, + dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_dbnode_t *node = NULL; + isc_stdtime_t now; rdataset->trust = dns_trust_secure; sigrdataset->trust = dns_trust_secure; @@ -2790,17 +2792,10 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name, result = dns_db_findnode(db, name, ISC_TRUE, &node); if (result != ISC_R_SUCCESS) return; - /* - * Bound the validated ttls then minimise. - */ - if (sigrdataset->ttl > ttl) - sigrdataset->ttl = ttl; - if (rdataset->ttl > ttl) - rdataset->ttl = ttl; - if (rdataset->ttl > sigrdataset->ttl) - rdataset->ttl = sigrdataset->ttl; - else - sigrdataset->ttl = rdataset->ttl; + + isc_stdtime_get(&now); + dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now, + client->view->acceptexpired); (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset, 0, NULL); 
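Review bot: mark_secure() now takes a fresh timestamp with `isc_stdtime_get(&now)` for dns_rdataset_trimttl(), while the dns_db_addrdataset() call right after it still uses `client->now`. The TTL trim and the cache insertion are therefore computed against two different clocks. If `client->now` is suitable, pass it to both and drop the new local; otherwise add a comment saying why a fresh reading is needed. The removed comment (`Bound the validated ttls then minimise.`) has no replacement, so something like `/* Trim both TTLs to what the covering RRSIG permits. */` above the call would keep the intent visible. The function body starts and ends outside this hunk.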
@@ -2925,8 +2920,7 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, client->view->acceptexpired)) { dst_key_free(&key); dns_rdataset_disassociate(&keyrdataset); - mark_secure(client, db, name, - rrsig.originalttl, + mark_secure(client, db, name, &rrsig, rdataset, sigrdataset); return (ISC_TRUE); } @@ -3802,6 +3796,13 @@ rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_disassociate(*rdatasetp); } +static void +rpz_match_clear(dns_rpz_st_t *st) +{ + rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); + st->m.version = NULL; +} + static inline isc_result_t rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp) @@ -3821,10 +3822,9 @@ static void rpz_st_clear(ns_client_t *client) { dns_rpz_st_t *st = client->query.rpz_st; - rpz_clean(&st->m.zone, &st->m.db, &st->m.node, NULL); - st->m.version = NULL; if (st->m.rdataset != NULL) query_putrdataset(client, &st->m.rdataset); + rpz_match_clear(st); rpz_clean(NULL, &st->r.db, NULL, NULL); if (st->r.ns_rdataset != NULL) @@ -3974,6 +3974,9 @@ rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset, for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); rpz != NULL; rpz = ISC_LIST_NEXT(rpz, link)) { + if (!RECURSIONOK(client) && rpz->recursive_only) + continue; + /* * Do not check policy zones that cannot replace a policy * already known to match. @@ -4002,9 +4005,8 @@ rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset, * hit, if any. Note the domain name and quality of the * best hit. */ - (void)dns_db_rpz_findips(rpz, rpz_type, zone, db, version, - rdataset, st, - client->query.rpz_st->qname); + dns_db_rpz_findips(rpz, rpz_type, zone, db, version, + rdataset, st, client->query.rpz_st->qname); rpz_clean(&zone, &db, NULL, NULL); } return (ISC_R_SUCCESS); 
@@ -4109,8 +4111,8 @@ rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type, */ static isc_result_t rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, - dns_name_t *sname, dns_rpz_type_t rpz_type, dns_zone_t **zonep, - dns_db_t **dbp, dns_dbversion_t **versionp, + dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, dns_rpz_policy_t *policyp) { @@ -4149,7 +4151,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, if (result != ISC_R_SUCCESS) { dns_db_detachnode(*dbp, nodep); rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, - qnamef, "allrdatasets()", result); + qnamef, "allrdatasets() ", result); *policyp = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); } @@ -4166,7 +4168,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOMORE) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, qnamef, "rdatasetiter", + rpz_type, qnamef, "rdatasetiter ", result); *policyp = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); @@ -4194,7 +4196,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, if ((*rdatasetp)->type != dns_rdatatype_cname) { policy = DNS_RPZ_POLICY_RECORD; } else { - policy = dns_rpz_decode_cname(*rdatasetp, sname); + policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname); if ((policy == DNS_RPZ_POLICY_RECORD || policy == DNS_RPZ_POLICY_WILDCNAME) && qtype != dns_rdatatype_cname && @@ -4265,6 +4267,9 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); rpz != NULL; rpz = ISC_LIST_NEXT(rpz, link)) { + if (!RECURSIONOK(client) && rpz->recursive_only) + continue; + /* * Do not check policy zones that cannot replace a policy * already known to match. 
@@ -4310,11 +4315,11 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, } /* - * See if the policy record exists. + * See if the policy record exists and get its policy. */ - result = rpz_find(client, qtype, rpz_qname, qname, rpz_type, - &zone, &db, &version, &node, rdatasetp, - &policy); + result = rpz_find(client, qtype, rpz_qname, qname, rpz, + rpz_type, &zone, &db, &version, &node, + rdatasetp, &policy); switch (result) { case DNS_R_NXDOMAIN: case DNS_R_EMPTYNAME: @@ -4350,8 +4355,7 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, continue; } - rpz_clean(&st->m.zone, &st->m.db, &st->m.node, - &st->m.rdataset); + rpz_match_clear(st); st->m.rpz = rpz; st->m.type = rpz_type; st->m.prefix = 0; @@ -4365,9 +4369,11 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, trdataset = st->m.rdataset; st->m.rdataset = *rdatasetp; *rdatasetp = trdataset; - st->m.ttl = st->m.rdataset->ttl; + st->m.ttl = ISC_MIN(st->m.rdataset->ttl, + rpz->max_policy_ttl); } else { - st->m.ttl = DNS_RPZ_TTL_DEFAULT; + st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, + rpz->max_policy_ttl); } st->m.node = node; node = NULL; @@ -4462,13 +4468,13 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult, case DNS_R_BROKENCHAIN: rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME, client->query.qname, - "stop on qresult in rpz_rewrite()", + "stop on qresult in rpz_rewrite() ", qresult); return (ISC_R_SUCCESS); default: rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME, client->query.qname, - "stop on unrecognized qresult in rpz_rewrite()", + "stop on unrecognized qresult in rpz_rewrite() ", qresult); return (ISC_R_SUCCESS); } 
@@ -4647,10 +4653,11 @@ cleanup: if (st->m.policy == DNS_RPZ_POLICY_MISS || st->m.policy == DNS_RPZ_POLICY_PASSTHRU || st->m.policy == DNS_RPZ_POLICY_ERROR) { - if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU) + if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && + result != DNS_R_DELEGATION) rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname); - rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); + rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { st->m.type = DNS_RPZ_TYPE_BAD; 
@@ -4664,6 +4671,64 @@ cleanup: } /* + * See if response policy zone rewriting is allowed a lack of interest + * by the client in DNSSEC or a lack of signatures. + */ +static isc_boolean_t +rpz_ck_dnssec(ns_client_t *client, isc_result_t result, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) +{ + dns_fixedname_t fixed; + dns_name_t *found; + dns_rdataset_t trdataset; + dns_rdatatype_t type; + + if (client->view->rpz_break_dnssec) + return (ISC_TRUE); + /* + * sigrdataset == NULL if and only !WANTDNSSEC(client) + */ + if (sigrdataset == NULL) + return (ISC_TRUE); + if (dns_rdataset_isassociated(sigrdataset)) + return (ISC_FALSE); + + /* + * We are happy to rewrite nothing. + */ + if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) + return (ISC_TRUE); + /* + * Do not rewrite if there is any sign of signatures. + */ + if (rdataset->type == dns_rdatatype_nsec || + rdataset->type == dns_rdatatype_nsec3 || + rdataset->type == dns_rdatatype_rrsig) + return (ISC_FALSE); + + /* + * Look for a signature in a negative cache rdataset. + */ + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0) + return (ISC_TRUE); + dns_fixedname_init(&fixed); + found = dns_fixedname_name(&fixed); + dns_rdataset_init(&trdataset); + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) { + dns_ncache_current(rdataset, found, &trdataset); + type = trdataset.type; + dns_rdataset_disassociate(&trdataset); + if (type == dns_rdatatype_nsec || + type == dns_rdatatype_nsec3 || + type == dns_rdatatype_rrsig) + return (ISC_FALSE); + } + return (ISC_TRUE); +} + +/* * Add a CNAME to the query response, including translating foo.evil.com and * *.evil.com CNAME *.example.com * to 
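Review bot: In rpz_ck_dnssec() the `result` argument is never read; the `dns_rdataset_first()`/`dns_rdataset_next()` loop overwrites it, so the caller's lookup result has no effect and the parameter is only a scratch variable. The loop also stops on any non-success value and then returns ISC_TRUE, which treats an iteration error the same as "no signatures found" and lets rewriting proceed. If that is intended, the header comment should say so; otherwise the end state should be checked. A local `isc_result_t` for the loop would make the signature honest. The comments also need two wording fixes: `rewriting is allowed by a lack of interest by the client in DNSSEC or a lack of signatures` and `sigrdataset == NULL if and only if !WANTDNSSEC(client)`.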
@@ -4707,7 +4772,8 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st, * Turn off DNSSEC because the results of a * response policy zone cannot verify. */ - client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC; + client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | + DNS_MESSAGEFLAG_AD); return (ISC_R_SUCCESS); } @@ -5117,10 +5183,12 @@ dns64_ttl(dns_db_t *db, dns_dbversion_t *version) { isc_result_t result; isc_uint32_t ttl = ISC_UINT32_MAX; + dns_rdataset_init(&rdataset); + result = dns_db_getoriginnode(db, &node); if (result != ISC_R_SUCCESS) goto cleanup; - dns_rdataset_init(&rdataset); + result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa, 0, 0, &rdataset, NULL); if (result != ISC_R_SUCCESS) @@ -5502,9 +5570,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) CTRACE("query_find: resume"); if (!ISC_LIST_EMPTY(client->view->rpz_zones) && - RECURSIONOK(client) && !RECURSING(client) && - (!WANTDNSSEC(client) || sigrdataset == NULL || - !dns_rdataset_isassociated(sigrdataset)) && + (RECURSIONOK(client) || !client->view->rpz_recursive_only) && + rpz_ck_dnssec(client, result, rdataset, sigrdataset) && + !RECURSING(client) && (client->query.rpz_st == NULL || (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) && !dns_name_equal(client->query.qname, dns_rootname)) { 
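Review bot: `client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | DNS_MESSAGEFLAG_AD);` in rpz_add_cname() masks the client-attribute word with a constant whose name marks it as a DNS message header flag. The same line is added in the policy handling of query_find() in the later `@@ -5620,7 +5700,8 @@` hunk. The definitions are not part of this diff, but if DNS_MESSAGEFLAG_AD belongs to the message-flags namespace, this clears whichever unrelated NS_CLIENTATTR_* bit shares its value and leaves the response's AD bit untouched. A policy-rewritten answer could then still be presented as authenticated. If the aim is to suppress AD, it should be cleared where the response flags are kept, e.g. `client->message->flags &= ~DNS_MESSAGEFLAG_AD;`. Confirm this against the headers and add a comment naming the bit that is meant.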
@@ -5578,10 +5646,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) break; case DNS_RPZ_POLICY_RECORD: result = rpz_st->m.result; - if (type == dns_rdatatype_any && - result != DNS_R_CNAME && - dns_rdataset_isassociated(rdataset)) - dns_rdataset_disassociate(rdataset); + if (qtype == dns_rdatatype_any && + result != DNS_R_CNAME) { + /* + * We will add all of the rdatasets of + * the node by iterating, setting the + * TTL then. + */ + if (dns_rdataset_isassociated(rdataset)) + dns_rdataset_disassociate(rdataset); + } else { + /* + * We will add this rdataset. + */ + rdataset->ttl = ISC_MIN(rdataset->ttl, + rpz_st->m.ttl); + } break; case DNS_RPZ_POLICY_WILDCNAME: result = dns_rdataset_first(rdataset); @@ -5620,7 +5700,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * Turn off DNSSEC because the results of a * response policy zone cannot verify. */ - client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC; + client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | + DNS_MESSAGEFLAG_AD); query_putrdataset(client, &sigrdataset); is_zone = ISC_TRUE; rpz_log_rewrite(client, "", rpz_st->m.policy, @@ -6560,6 +6641,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) noqname = rdataset; else noqname = NULL; + rpz_st = client->query.rpz_st; + if (rpz_st != NULL) + rdataset->ttl = ISC_MIN(rdataset->ttl, + rpz_st->m.ttl); query_addrrset(client, fname != NULL ? &fname : &tname, &rdataset, NULL, @@ -6852,8 +6937,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ rpz_st = client->query.rpz_st; if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0) { - rpz_clean(&rpz_st->m.zone, &rpz_st->m.db, &rpz_st->m.node, - &rpz_st->m.rdataset); + rpz_match_clear(rpz_st); rpz_st->state &= ~DNS_RPZ_DONE_QNAME; } if (rdataset != NULL) diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c index 666d854..c3eb1ea 100644 
--- a/contrib/bind9/bin/named/server.c +++ b/contrib/bind9/bin/named/server.c @@ -1430,15 +1430,14 @@ cleanup: } static isc_result_t -configure_rpz(dns_view_t *view, const cfg_listelt_t *element) { - const cfg_obj_t *rpz_obj, *policy_obj; +configure_rpz(dns_view_t *view, const cfg_listelt_t *element, + isc_boolean_t recursive_only_def, dns_ttl_t ttl_def) +{ + const cfg_obj_t *rpz_obj, *policy_obj, *obj; const char *str; - dns_fixedname_t fixed; - dns_name_t *origin; dns_rpz_zone_t *old, *new; dns_zone_t *zone = NULL; isc_result_t result; - unsigned int l1, l2; new = isc_mem_get(view->mctx, sizeof(*new)); if (new == NULL) { @@ -1447,9 +1446,10 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) { } memset(new, 0, sizeof(*new)); - dns_name_init(&new->nsdname, NULL); dns_name_init(&new->origin, NULL); + dns_name_init(&new->nsdname, NULL); dns_name_init(&new->cname, NULL); + dns_name_init(&new->passthru, NULL); ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link); rpz_obj = cfg_listelt_value(element); 
@@ -1457,15 +1457,31 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) { if (cfg_obj_isvoid(policy_obj)) { new->policy = DNS_RPZ_POLICY_GIVEN; } else { - str = cfg_obj_asstring(policy_obj); + str = cfg_obj_asstring(cfg_tuple_get(policy_obj, + "policy name")); new->policy = dns_rpz_str2policy(str); INSIST(new->policy != DNS_RPZ_POLICY_ERROR); } - dns_fixedname_init(&fixed); - origin = dns_fixedname_name(&fixed); - str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "name")); - result = dns_name_fromstring(origin, str, DNS_NAME_DOWNCASE, NULL); + obj = cfg_tuple_get(rpz_obj, "recursive-only"); + if (cfg_obj_isvoid(obj)) { + new->recursive_only = recursive_only_def; + } else { + new->recursive_only = cfg_obj_asboolean(obj); + } + if (!new->recursive_only) + view->rpz_recursive_only = ISC_FALSE; + + obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); + if (cfg_obj_isuint32(obj)) { + new->max_policy_ttl = cfg_obj_asuint32(obj); + } else { + new->max_policy_ttl = ttl_def; + } + + str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name")); + result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE, + view->mctx); if (result != ISC_R_SUCCESS) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "invalid zone '%s'", str); 
@@ -1473,31 +1489,28 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) { } result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE, - origin, DNS_NAME_DOWNCASE, view->mctx); + &new->origin, DNS_NAME_DOWNCASE, + view->mctx); if (result != ISC_R_SUCCESS) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "invalid zone '%s'", str); goto cleanup; } - /* - * The origin is part of 'nsdname' so we don't need to keep it - * seperately. - */ - l1 = dns_name_countlabels(&new->nsdname); - l2 = dns_name_countlabels(origin); - dns_name_getlabelsequence(&new->nsdname, l1 - l2, l2, &new->origin); + result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE, + DNS_NAME_DOWNCASE, view->mctx); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, + "invalid zone '%s'", str); + goto cleanup; + } - /* - * Are we configured to with the reponse policy zone? - */ result = dns_view_findzone(view, &new->origin, &zone); if (result != ISC_R_SUCCESS) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "unknown zone '%s'", str); goto cleanup; } - if (dns_zone_gettype(zone) != dns_zone_master && dns_zone_gettype(zone) != dns_zone_slave) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, @@ -1521,8 +1534,9 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element) { } if (new->policy == DNS_RPZ_POLICY_CNAME) { - str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "cname")); - result = dns_name_fromstring(&new->cname, str, 0, view->mctx); + str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname")); + result = dns_name_fromstring(&new->cname, str, + DNS_NAME_DOWNCASE, view->mctx); if (result != ISC_R_SUCCESS) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "invalid cname '%s'", str); 
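Review bot: In configure_rpz(), `new->origin` and the new `new->passthru` are now built with `dns_name_fromstring(..., view->mctx)`, so they presumably own allocated storage. Before this change `origin` was only a label sequence inside `nsdname`. The `cleanup:` path and the teardown of `view->rpz_zones` are not in the visible hunks, so confirm that both names are released there along with `nsdname` and `cname`. Also, when building `passthru` fails, the log call prints `"invalid zone '%s'", str` with `str` still holding the configured zone name, which points the operator at the wrong name; logging DNS_RPZ_PASSTHRU_ZONE in that branch would be accurate.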
@@ -2876,19 +2890,39 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, * Make the list of response policy zone names for views that * are used for real lookups and so care about hints. */ - zonelist = NULL; - if (view->rdclass == dns_rdataclass_in && need_hints) { - obj = NULL; - result = ns_config_get(maps, "response-policy", &obj); - if (result == ISC_R_SUCCESS) - cfg_map_get(obj, "zone", &zonelist); - } + obj = NULL; + if (view->rdclass == dns_rdataclass_in && need_hints && + ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) { + const cfg_obj_t *recursive_only_obj; + const cfg_obj_t *break_dnssec_obj, *ttl_obj; + isc_boolean_t recursive_only_def; + dns_ttl_t ttl_def; + + recursive_only_obj = cfg_tuple_get(obj, "recursive-only"); + if (!cfg_obj_isvoid(recursive_only_obj) && + !cfg_obj_asboolean(recursive_only_obj)) + recursive_only_def = ISC_FALSE; + else + recursive_only_def = ISC_TRUE; - if (zonelist != NULL) { - for (element = cfg_list_first(zonelist); + break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec"); + if (!cfg_obj_isvoid(break_dnssec_obj) && + cfg_obj_asboolean(break_dnssec_obj)) + view->rpz_break_dnssec = ISC_TRUE; + else + view->rpz_break_dnssec = ISC_FALSE; + + ttl_obj = cfg_tuple_get(obj, "max-policy-ttl"); + if (cfg_obj_isuint32(ttl_obj)) + ttl_def = cfg_obj_asuint32(ttl_obj); + else + ttl_def = DNS_RPZ_MAX_TTL_DEFAULT; + + for (element = cfg_list_first(cfg_tuple_get(obj, "zone list")); element != NULL; element = cfg_list_next(element)) { - result = configure_rpz(view, element); + result = configure_rpz(view, element, + recursive_only_def, ttl_def); if (result != ISC_R_SUCCESS) goto cleanup; dns_rpz_set_need(ISC_TRUE); 
@@ -5434,11 +5468,13 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { /* * Setup the server task, which is responsible for coordinating - * startup and shutdown of the server. + * startup and shutdown of the server, as well as all exclusive + * tasks. */ CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task), "creating server task"); isc_task_setname(server->task, "server", server); + isc_taskmgr_setexcltask(ns_g_taskmgr, server->task); CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server), "isc_task_onshutdown"); CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server), diff --git a/contrib/bind9/bin/named/statschannel.c b/contrib/bind9/bin/named/statschannel.c index d0518c9..6ea0be5 100644 --- a/contrib/bind9/bin/named/statschannel.c +++ b/contrib/bind9/bin/named/statschannel.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -85,16 +85,19 @@ static const char *nsstats_desc[dns_nsstatscounter_max]; static const char *resstats_desc[dns_resstatscounter_max]; static const char *zonestats_desc[dns_zonestatscounter_max]; static const char *sockstats_desc[isc_sockstatscounter_max]; +static const char *dnssecstats_desc[dns_dnssecstats_max]; #ifdef HAVE_LIBXML2 static const char *nsstats_xmldesc[dns_nsstatscounter_max]; static const char *resstats_xmldesc[dns_resstatscounter_max]; static const char *zonestats_xmldesc[dns_zonestatscounter_max]; static const char *sockstats_xmldesc[isc_sockstatscounter_max]; +static const char *dnssecstats_xmldesc[dns_dnssecstats_max]; #else #define nsstats_xmldesc NULL #define resstats_xmldesc NULL #define zonestats_xmldesc NULL #define sockstats_xmldesc NULL +#define dnssecstats_xmldesc NULL #endif /* HAVE_LIBXML2 */ #define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0) @@ -108,6 +111,7 @@ static int nsstats_index[dns_nsstatscounter_max]; static int resstats_index[dns_resstatscounter_max]; static int zonestats_index[dns_zonestatscounter_max]; static int sockstats_index[isc_sockstatscounter_max]; +static int dnssecstats_index[dns_dnssecstats_max]; static inline void set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs, 
@@ -409,6 +413,33 @@ init_desc(void) { "FDwatchRecvErr"); INSIST(i == isc_sockstatscounter_max); + /* Initialize DNSSEC statistics */ + for (i = 0; i < dns_dnssecstats_max; i++) + dnssecstats_desc[i] = NULL; +#ifdef HAVE_LIBXML2 + for (i = 0; i < dns_dnssecstats_max; i++) + dnssecstats_xmldesc[i] = NULL; +#endif + +#define SET_DNSSECSTATDESC(counterid, desc, xmldesc) \ + do { \ + set_desc(dns_dnssecstats_ ## counterid, \ + dns_dnssecstats_max, \ + desc, dnssecstats_desc,\ + xmldesc, dnssecstats_xmldesc); \ + dnssecstats_index[i++] = dns_dnssecstats_ ## counterid; \ + } while (0) + + i = 0; + SET_DNSSECSTATDESC(asis, "dnssec validation success with signer " + "\"as is\"", "DNSSECasis"); + SET_DNSSECSTATDESC(downcase, "dnssec validation success with signer " + "lower cased", "DNSSECdowncase"); + SET_DNSSECSTATDESC(wildcard, "dnssec validation of wildcard signature", + "DNSSECwild"); + SET_DNSSECSTATDESC(fail, "dnssec validation failures", "DNSSECfail"); + INSIST(i == dns_dnssecstats_max); + /* Sanity check */ for (i = 0; i < dns_nsstatscounter_max; i++) INSIST(nsstats_desc[i] != NULL); @@ -418,6 +449,8 @@ init_desc(void) { INSIST(zonestats_desc[i] != NULL); for (i = 0; i < isc_sockstatscounter_max; i++) INSIST(sockstats_desc[i] != NULL); + for (i = 0; i < dns_dnssecstats_max; i++) + INSIST(dnssecstats_desc[i] != NULL); #ifdef HAVE_LIBXML2 for (i = 0; i < dns_nsstatscounter_max; i++) INSIST(nsstats_xmldesc[i] != NULL); @@ -427,6 +460,8 @@ init_desc(void) { INSIST(zonestats_xmldesc[i] != NULL); for (i = 0; i < isc_sockstatscounter_max; i++) INSIST(sockstats_xmldesc[i] != NULL); + for (i = 0; i < dns_dnssecstats_max; i++) + INSIST(dnssecstats_xmldesc[i] != NULL); #endif } diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in index 135c634..ff2ecce 100644 --- a/contrib/bind9/bin/named/unix/Makefile.in +++ b/contrib/bind9/bin/named/unix/Makefile.in 
@@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1999-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in index e86731b..f62ee34 100644 --- a/contrib/bind9/bin/nsupdate/Makefile.in +++ b/contrib/bind9/bin/nsupdate/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2006-2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c index 743f321..1f5e3e9 100644 --- a/contrib/bind9/bin/nsupdate/nsupdate.c +++ b/contrib/bind9/bin/nsupdate/nsupdate.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -1122,7 +1122,7 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) { isc_buffer_t source; word = nsu_strsep(cmdlinep, " \t\r\n"); - if (*word == 0) { + if (word == NULL || *word == 0) { fprintf(stderr, "could not read owner name\n"); return (STATUS_SYNTAX); } @@ -1154,6 +1154,11 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass, dns_rdatacallbacks_t callbacks; isc_result_t result; + if (cmdline == NULL) { + rdata->flags = DNS_RDATA_UPDATE; + return (STATUS_MORE); + } + while (*cmdline != 0 && isspace((unsigned char)*cmdline)) cmdline++; 
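Review bot: In nsupdate.c the guard `word == NULL || *word == 0` is now written out at every nsu_strsep() call site these hunks touch. It starts in parse_name() here and repeats in make_prereq, evaluate_prereq, evaluate_server, evaluate_local, evaluate_key, evaluate_zone, evaluate_realm, evaluate_ttl, evaluate_class, update_addordelete, evaluate_update and get_next_command further down. A call site added later can easily omit the NULL half and dereference a null pointer on a short input line. One small predicate used everywhere would keep the check in a single place, e.g. `static isc_boolean_t empty_word(const char *w) { return (ISC_TF(w == NULL || *w == 0)); }`. It would also help to state in a comment at nsu_strsep() that it returns NULL once the input string is exhausted, since that is the contract all of these guards rely on.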
@@ -1220,7 +1225,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) { */ if (isrrset) { word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { + if (word == NULL || *word == 0) { fprintf(stderr, "could not read class or type\n"); goto failure; } @@ -1236,7 +1241,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) { * Now read the type. */ word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { + if (word == NULL || *word == 0) { fprintf(stderr, "could not read type\n"); goto failure; } @@ -1310,7 +1315,7 @@ evaluate_prereq(char *cmdline) { ddebug("evaluate_prereq()"); word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { + if (word == NULL || *word == 0) { fprintf(stderr, "could not read operation code\n"); return (STATUS_SYNTAX); } @@ -1344,14 +1349,14 @@ evaluate_server(char *cmdline) { } word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { + if (word == NULL || *word == 0) { fprintf(stderr, "could not read server name\n"); return (STATUS_SYNTAX); } server = word; word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) + if (word == NULL || *word == 0) port = dnsport; else { char *endp; @@ -1385,14 +1390,14 @@ evaluate_local(char *cmdline) { struct in6_addr in6; word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { + if (word == NULL || *word == 0) { fprintf(stderr, "could not read server name\n"); return (STATUS_SYNTAX); } local = word; word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) + if (word == NULL || *word == 0) port = 0; else { char *endp; @@ -1441,7 +1446,7 @@ evaluate_key(char *cmdline) { char *n; namestr = nsu_strsep(&cmdline, " \t\r\n"); - if (*namestr == 0) { + if (namestr == NULL || *namestr == 0) { fprintf(stderr, "could not read key name\n"); return (STATUS_SYNTAX); } 
@@ -1465,7 +1470,7 @@ evaluate_key(char *cmdline) {
 }
 secretstr = nsu_strsep(&cmdline, "\r\n");
- if (*secretstr == 0) {
+ if (secretstr == NULL || *secretstr == 0) {
 fprintf(stderr, "could not read key secret\n");
 return (STATUS_SYNTAX);
 }
@@ -1506,7 +1511,7 @@ evaluate_zone(char *cmdline) {
 isc_result_t result;
 word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 fprintf(stderr, "could not read zone name\n");
 return (STATUS_SYNTAX);
 }
@@ -1532,7 +1537,7 @@ evaluate_realm(char *cmdline) {
 char buf[1024];
 word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 if (realm != NULL)
 isc_mem_free(mctx, realm);
 realm = NULL;
@@ -1557,7 +1562,7 @@ evaluate_ttl(char *cmdline) {
 isc_uint32_t ttl;
 word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 fprintf(stderr, "could not ttl\n");
 return (STATUS_SYNTAX);
 }
@@ -1591,7 +1596,7 @@ evaluate_class(char *cmdline) {
 dns_rdataclass_t rdclass;
 word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 fprintf(stderr, "could not read class name\n");
 return (STATUS_SYNTAX);
 }
@@ -1649,7 +1654,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 * If it's a delete, ignore a TTL if present (for compatibility).
 */
 word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 if (!isdelete) {
 fprintf(stderr, "could not read owner ttl\n");
 goto failure;
@@ -1690,7 +1695,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 */
 word = nsu_strsep(&cmdline, " \t\r\n");
 parseclass:
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 if (isdelete) {
 rdataclass = dns_rdataclass_any;
 rdatatype = dns_rdatatype_any;
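Review bot: The error text in evaluate_ttl, `could not ttl`, is missing its verb, and the commit edits the condition directly above it without fixing it. `fprintf(stderr, "could not read ttl\n");` would bring it in line with the neighbouring messages (`could not read zone name`, `could not read class name`). The function continues outside the hunk, and the only behaviour change would be the wording on stderr.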
@@ -1714,7 +1719,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 * Now read the type.
 */
 word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 if (isdelete) {
 rdataclass = dns_rdataclass_any;
 rdatatype = dns_rdatatype_any;
@@ -1794,7 +1799,7 @@ evaluate_update(char *cmdline) {
 ddebug("evaluate_update()");
 word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
 fprintf(stderr, "could not read operation code\n");
 return (STATUS_SYNTAX);
 }
@@ -1884,6 +1889,7 @@ get_next_command(void) {
 char cmdlinebuf[MAXCMD];
 char *cmdline;
 char *word;
+ char *tmp;
 ddebug("get_next_command()");
 if (interactive) {
@@ -1895,11 +1901,18 @@ get_next_command(void) {
 isc_app_unblock();
 if (cmdline == NULL)
 return (STATUS_QUIT);
+
+ /*
+ * Normalize input by removing any eol.
+ */
+ tmp = cmdline;
+ (void)nsu_strsep(&tmp, "\r\n");
+
 word = nsu_strsep(&cmdline, " \t\r\n");
 if (feof(input))
 return (STATUS_QUIT);
- if (*word == 0)
+ if (word == NULL || *word == 0)
 return (STATUS_SEND);
 if (word[0] == ';')
 return (STATUS_MORE);
diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in
index e67bad7..f6100df 100644
--- a/contrib/bind9/bin/rndc/Makefile.in
+++ b/contrib/bind9/bin/rndc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/bin/tools/Makefile.in b/contrib/bind9/bin/tools/Makefile.in
index a77376b..a396005 100644
--- a/contrib/bind9/bin/tools/Makefile.in
+++ b/contrib/bind9/bin/tools/Makefile.in
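Review bot: In nsupdate.c's get_next_command, the added comment `Normalize input by removing any eol.` does not say that `nsu_strsep(&tmp, "\r\n")` is called only for its effect on the buffer, nor why that matters to the rest of the commit. If nsu_strsep returns NULL once no text remains (its body is not in this diff, but every added `word == NULL` test implies it), stripping the line ending makes a NULL return routine for the token after the last one. Any call site this commit did not touch would then dereference NULL on ordinary input. I would extend the comment to `/* Strip the end-of-line in place (return value unused); later nsu_strsep() calls may return NULL, so callers must check. */` and audit the remaining callers of nsu_strsep.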
@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above |