Diffstat (limited to 'contrib/bind9/bin')
127 files changed, 13235 insertions, 6357 deletions
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in index d8261d7..2e29f94 100644 --- a/contrib/bind9/bin/Makefile.in +++ b/contrib/bind9/bin/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $ +# $Id: Makefile.in,v 1.23 2004/03/05 04:57:10 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in index 5fdf463..cd9ecf6 100644 --- a/contrib/bind9/bin/check/Makefile.in +++ b/contrib/bind9/bin/check/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.15.2.3.8.6 2004/07/20 07:01:48 marka Exp $ +# $Id: Makefile.in,v 1.24.18.6 2006/06/09 00:54:08 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -75,7 +75,8 @@ named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \ named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS} + named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \ + ${ISCLIBS} ${LIBS} doc man:: ${MANOBJS} 
@@ -89,7 +90,9 @@ installdirs: install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} + (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) clean distclean:: rm -f ${TARGETS} r1.htm diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c index 1b67ca8..c8ef4df 100644 --- a/contrib/bind9/bin/check/check-tool.c +++ b/contrib/bind9/bin/check/check-tool.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.4.12.7 2004/11/30 01:15:40 marka Exp $ */ +/* $Id: check-tool.c,v 1.10.18.14 2006/06/08 01:43:00 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -27,6 +29,8 @@ #include <isc/buffer.h> #include <isc/log.h> +#include <isc/net.h> +#include <isc/netdb.h> #include <isc/region.h> #include <isc/stdio.h> #include <isc/types.h> 
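Review bot: The two added install steps join `cd`, `rm -f` and `${LINK_PROGRAM}` with `;`, so if the `cd` fails the `rm -f named-compilezone@EXEEXT@` and the link are executed in whatever directory make happens to be in. `installdirs` is a prerequisite of this target, so the directory will normally exist, but the subshell should still stop at the first failure: `(cd ${DESTDIR}${sbindir} && rm -f named-compilezone@EXEEXT@ && ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)`, and the same `&&` chaining for the man8 link two lines below.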
@@ -34,24 +38,360 @@ #include <dns/fixedname.h> #include <dns/log.h> #include <dns/name.h> +#include <dns/rdata.h> #include <dns/rdataclass.h> +#include <dns/rdataset.h> #include <dns/types.h> #include <dns/zone.h> +#include <isccfg/log.h> + +#ifdef HAVE_ADDRINFO +#ifdef HAVE_GETADDRINFO +#ifdef HAVE_GAISTRERROR +#define USE_GETADDRINFO +#endif +#endif +#endif + #define CHECK(r) \ - do { \ + do { \ result = (r); \ - if (result != ISC_R_SUCCESS) \ - goto cleanup; \ - } while (0) + if (result != ISC_R_SUCCESS) \ + goto cleanup; \ + } while (0) static const char *dbtype[] = { "rbt" }; int debug = 0; isc_boolean_t nomerge = ISC_TRUE; +isc_boolean_t docheckmx = ISC_TRUE; +isc_boolean_t dochecksrv = ISC_TRUE; +isc_boolean_t docheckns = ISC_TRUE; unsigned int zone_options = DNS_ZONEOPT_CHECKNS | + DNS_ZONEOPT_CHECKMX | DNS_ZONEOPT_MANYERRORS | - DNS_ZONEOPT_CHECKNAMES; + DNS_ZONEOPT_CHECKNAMES | + DNS_ZONEOPT_CHECKINTEGRITY | + DNS_ZONEOPT_CHECKWILDCARD | + DNS_ZONEOPT_WARNMXCNAME | + DNS_ZONEOPT_WARNSRVCNAME; + +/* + * This needs to match the list in bin/named/log.c. 
+ */ +static isc_logcategory_t categories[] = { + { "", 0 }, + { "client", 0 }, + { "network", 0 }, + { "update", 0 }, + { "queries", 0 }, + { "unmatched", 0 }, + { "update-security", 0 }, + { NULL, 0 } +}; + +static isc_boolean_t +checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner, + dns_rdataset_t *a, dns_rdataset_t *aaaa) +{ +#ifdef USE_GETADDRINFO + dns_rdataset_t *rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + struct addrinfo hints, *ai, *cur; + char namebuf[DNS_NAME_FORMATSIZE + 1]; + char ownerbuf[DNS_NAME_FORMATSIZE]; + char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")]; + isc_boolean_t answer = ISC_TRUE; + isc_boolean_t match; + const char *type; + void *ptr = NULL; + int result; + + REQUIRE(a == NULL || !dns_rdataset_isassociated(a) || + a->type == dns_rdatatype_a); + REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) || + aaaa->type == dns_rdatatype_aaaa); + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_CANONNAME; + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + + dns_name_format(name, namebuf, sizeof(namebuf) - 1); + /* + * Turn off search. 
+ */ + if (dns_name_countlabels(name) > 1U) + strcat(namebuf, "."); + dns_name_format(owner, ownerbuf, sizeof(ownerbuf)); + + result = getaddrinfo(namebuf, NULL, &hints, &ai); + dns_name_format(name, namebuf, sizeof(namebuf) - 1); + switch (result) { + case 0: + if (strcasecmp(ai->ai_canonname, namebuf) != 0) { + dns_zone_log(zone, ISC_LOG_ERROR, + "%s/NS '%s' (out of zone) " + "is a CNAME (illegal)", + ownerbuf, namebuf); + /* XXX950 make fatal for 9.5.0 */ + /* answer = ISC_FALSE; */ + } + break; + case EAI_NONAME: +#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) + case EAI_NODATA: +#endif + dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) " + "has no addresses records (A or AAAA)", + ownerbuf, namebuf); + /* XXX950 make fatal for 9.5.0 */ + return (ISC_TRUE); + + default: + dns_zone_log(zone, ISC_LOG_WARNING, + "getaddrinfo(%s) failed: %s", + namebuf, gai_strerror(result)); + return (ISC_TRUE); + } + if (a == NULL || aaaa == NULL) + return (answer); + /* + * Check that all glue records really exist. 
+ */ + if (!dns_rdataset_isassociated(a)) + goto checkaaaa; + result = dns_rdataset_first(a); + while (result == ISC_R_SUCCESS) { + dns_rdataset_current(a, &rdata); + match = ISC_FALSE; + for (cur = ai; cur != NULL; cur = cur->ai_next) { + if (cur->ai_family != AF_INET) + continue; + ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr; + if (memcmp(ptr, rdata.data, rdata.length) == 0) { + match = ISC_TRUE; + break; + } + } + if (!match) { + dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " + "extra GLUE A record (%s)", + ownerbuf, namebuf, + inet_ntop(AF_INET, rdata.data, + addrbuf, sizeof(addrbuf))); + /* XXX950 make fatal for 9.5.0 */ + /* answer = ISC_FALSE; */ + } + dns_rdata_reset(&rdata); + result = dns_rdataset_next(a); + } + + checkaaaa: + if (!dns_rdataset_isassociated(aaaa)) + goto checkmissing; + result = dns_rdataset_first(aaaa); + while (result == ISC_R_SUCCESS) { + dns_rdataset_current(aaaa, &rdata); + match = ISC_FALSE; + for (cur = ai; cur != NULL; cur = cur->ai_next) { + if (cur->ai_family != AF_INET6) + continue; + ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr; + if (memcmp(ptr, rdata.data, rdata.length) == 0) { + match = ISC_TRUE; + break; + } + } + if (!match) { + dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " + "extra GLUE AAAA record (%s)", + ownerbuf, namebuf, + inet_ntop(AF_INET6, rdata.data, + addrbuf, sizeof(addrbuf))); + /* XXX950 make fatal for 9.5.0. */ + /* answer = ISC_FALSE; */ + } + dns_rdata_reset(&rdata); + result = dns_rdataset_next(aaaa); + } + + checkmissing: + /* + * Check that all addresses appear in the glue. 
+ */ + for (cur = ai; cur != NULL; cur = cur->ai_next) { + switch (cur->ai_family) { + case AF_INET: + rdataset = a; + ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr; + type = "A"; + break; + case AF_INET6: + rdataset = aaaa; + ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr; + type = "AAAA"; + break; + default: + continue; + } + match = ISC_FALSE; + if (dns_rdataset_isassociated(rdataset)) + result = dns_rdataset_first(rdataset); + else + result = ISC_R_FAILURE; + while (result == ISC_R_SUCCESS && !match) { + dns_rdataset_current(rdataset, &rdata); + if (memcmp(ptr, rdata.data, rdata.length) == 0) + match = ISC_TRUE; + dns_rdata_reset(&rdata); + result = dns_rdataset_next(rdataset); + } + if (!match) { + dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " + "missing GLUE %s record (%s)", + ownerbuf, namebuf, type, + inet_ntop(cur->ai_family, ptr, + addrbuf, sizeof(addrbuf))); + /* XXX950 make fatal for 9.5.0. */ + /* answer = ISC_FALSE; */ + } + } + freeaddrinfo(ai); + return (answer); +#else + return (ISC_TRUE); +#endif +} + +static isc_boolean_t +checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { +#ifdef USE_GETADDRINFO + struct addrinfo hints, *ai; + char namebuf[DNS_NAME_FORMATSIZE + 1]; + char ownerbuf[DNS_NAME_FORMATSIZE]; + int result; + int level = ISC_LOG_ERROR; + isc_boolean_t answer = ISC_TRUE; + + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_CANONNAME; + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + + dns_name_format(name, namebuf, sizeof(namebuf) - 1); + /* + * Turn off search. 
+ */ + if (dns_name_countlabels(name) > 1U) + strcat(namebuf, "."); + dns_name_format(owner, ownerbuf, sizeof(ownerbuf)); + + result = getaddrinfo(namebuf, NULL, &hints, &ai); + dns_name_format(name, namebuf, sizeof(namebuf) - 1); + switch (result) { + case 0: + if (strcasecmp(ai->ai_canonname, namebuf) != 0) { + if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0) + level = ISC_LOG_WARNING; + if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) { + dns_zone_log(zone, ISC_LOG_WARNING, + "%s/MX '%s' (out of zone) " + "is a CNAME (illegal)", + ownerbuf, namebuf); + if (level == ISC_LOG_ERROR) + answer = ISC_FALSE; + } + } + freeaddrinfo(ai); + return (answer); + + case EAI_NONAME: +#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) + case EAI_NODATA: +#endif + dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) " + "has no addresses records (A or AAAA)", + ownerbuf, namebuf); + /* XXX950 make fatal for 9.5.0. */ + return (ISC_TRUE); + + default: + dns_zone_log(zone, ISC_LOG_WARNING, + "getaddrinfo(%s) failed: %s", + namebuf, gai_strerror(result)); + return (ISC_TRUE); + } +#else + return (ISC_TRUE); +#endif +} + +static isc_boolean_t +checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { +#ifdef USE_GETADDRINFO + struct addrinfo hints, *ai; + char namebuf[DNS_NAME_FORMATSIZE + 1]; + char ownerbuf[DNS_NAME_FORMATSIZE]; + int result; + int level = ISC_LOG_ERROR; + isc_boolean_t answer = ISC_TRUE; + + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_CANONNAME; + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + + dns_name_format(name, namebuf, sizeof(namebuf) - 1); + /* + * Turn off search. 
+ */ + if (dns_name_countlabels(name) > 1U) + strcat(namebuf, "."); + dns_name_format(owner, ownerbuf, sizeof(ownerbuf)); + + result = getaddrinfo(namebuf, NULL, &hints, &ai); + dns_name_format(name, namebuf, sizeof(namebuf) - 1); + switch (result) { + case 0: + if (strcasecmp(ai->ai_canonname, namebuf) != 0) { + if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0) + level = ISC_LOG_WARNING; + if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) { + dns_zone_log(zone, level, + "%s/SRV '%s' (out of zone) " + "is a CNAME (illegal)", + ownerbuf, namebuf); + if (level == ISC_LOG_ERROR) + answer = ISC_FALSE; + } + } + freeaddrinfo(ai); + return (answer); + + case EAI_NONAME: +#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) + case EAI_NODATA: +#endif + dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) " + "has no addresses records (A or AAAA)", + ownerbuf, namebuf); + /* XXX950 make fatal for 9.5.0. */ + return (ISC_TRUE); + + default: + dns_zone_log(zone, ISC_LOG_WARNING, + "getaddrinfo(%s) failed: %s", + namebuf, gai_strerror(result)); + return (ISC_TRUE); + } +#else + return (ISC_TRUE); +#endif +} isc_result_t setup_logging(isc_mem_t *mctx, isc_log_t **logp) { @@ -60,7 +400,11 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) { isc_log_t *log = NULL; RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS); + isc_log_registercategories(log, categories); isc_log_setcontext(log); + dns_log_init(log); + dns_log_setcontext(log); + cfg_log_init(log); destination.file.stream = stdout; destination.file.name = NULL; @@ -77,9 +421,11 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) { return (ISC_R_SUCCESS); } +/*% load the zone */ isc_result_t load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, - const char *classname, dns_zone_t **zonep) + dns_masterformat_t fileformat, const char *classname, + dns_zone_t **zonep) { isc_result_t result; dns_rdataclass_t rdclass; 
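Review bot: In checkns the `case 0:` path leaks the addrinfo list when the function returns early at `if (a == NULL || aaaa == NULL) return (answer);`, because the only `freeaddrinfo(ai)` is at the end of the glue checks; it should read `if (a == NULL || aaaa == NULL) { freeaddrinfo(ai); return (answer); }`. checkmx and checksrv both free `ai` before their own early return, so checkns is the odd one out. A second inconsistency in the same hunk: checkmx derives `level` from DNS_ZONEOPT_WARNMXCNAME but then calls `dns_zone_log(zone, ISC_LOG_WARNING, ...)` unconditionally, while checksrv passes `level`, so a CNAME that is meant to be fatal for MX is reported as a warning even though `answer` is set to ISC_FALSE; `dns_zone_log(zone, level, ...)` is presumably what was intended. All three functions also assume `ai->ai_canonname` is non-NULL after a successful AI_CANONNAME lookup, which not every resolver guarantees, so a NULL check before the `strcasecmp` would be cheap insurance.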
@@ -104,10 +450,10 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, dns_fixedname_init(&fixorigin); origin = dns_fixedname_name(&fixorigin); CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, - ISC_FALSE, NULL)); + ISC_FALSE, NULL)); CHECK(dns_zone_setorigin(zone, origin)); CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype)); - CHECK(dns_zone_setfile(zone, filename)); + CHECK(dns_zone_setfile2(zone, filename, fileformat)); DE_CONST(classname, region.base); region.length = strlen(classname); @@ -116,9 +462,15 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, dns_zone_setclass(zone, rdclass); dns_zone_setoption(zone, zone_options, ISC_TRUE); dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge); + if (docheckmx) + dns_zone_setcheckmx(zone, checkmx); + if (docheckns) + dns_zone_setcheckns(zone, checkns); + if (dochecksrv) + dns_zone_setchecksrv(zone, checksrv); CHECK(dns_zone_load(zone)); - if (zonep != NULL){ + if (zonep != NULL) { *zonep = zone; zone = NULL; } @@ -129,8 +481,10 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, return (result); } +/*% dump the zone */ isc_result_t -dump_zone(const char *zonename, dns_zone_t *zone, const char *filename) +dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, + dns_masterformat_t fileformat, const dns_master_style_t *style) { isc_result_t result; FILE *output = stdout; @@ -153,7 +507,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename) } } - result = dns_zone_fulldumptostream(zone, output); + result = dns_zone_dumptostream2(zone, output, fileformat, style); if (filename != NULL) (void)isc_stdio_close(output); diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h index 105cd25..ef9017f 100644 --- a/contrib/bind9/bin/check/check-tool.h +++ b/contrib/bind9/bin/check/check-tool.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,14 +15,17 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */ +/* $Id: check-tool.h,v 1.7.18.4 2005/06/20 01:19:25 marka Exp $ */ #ifndef CHECK_TOOL_H #define CHECK_TOOL_H -#include <isc/lang.h> +/*! \file */ +#include <isc/lang.h> #include <isc/types.h> + +#include <dns/masterdump.h> #include <dns/types.h> ISC_LANG_BEGINDECLS @@ -32,13 +35,18 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp); isc_result_t load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, - const char *classname, dns_zone_t **zonep); + dns_masterformat_t fileformat, const char *classname, + dns_zone_t **zonep); isc_result_t -dump_zone(const char *zonename, dns_zone_t *zone, const char *filename); +dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, + dns_masterformat_t fileformat, const dns_master_style_t *style); extern int debug; extern isc_boolean_t nomerge; +extern isc_boolean_t docheckmx; +extern isc_boolean_t docheckns; +extern isc_boolean_t dochecksrv; extern unsigned int zone_options; ISC_LANG_ENDDECLS diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8 index 7d06335..9fb900e 100644 --- a/contrib/bind9/bin/check/named-checkconf.8 +++ b/contrib/bind9/bin/check/named-checkconf.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2002 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any 
@@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named-checkconf.8,v 1.11.12.8 2006/06/29 13:02:30 marka Exp $ +.\" $Id: named-checkconf.8,v 1.16.18.11 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: named\-checkconf .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 14, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -39,27 +39,37 @@ named\-checkconf \- named configuration file syntax checking tool \fBnamed\-checkconf\fR checks the syntax, but not the semantics, of a named configuration file. .SH "OPTIONS" -.TP 3n +.PP \-t \fIdirectory\fR +.RS 4 chroot to \fIdirectory\fR so that include directives in the configuration file are processed as if run by a similarly chrooted named. -.TP 3n +.RE +.PP \-v +.RS 4 Print the version of the \fBnamed\-checkconf\fR program and exit. -.TP 3n +.RE +.PP \-z +.RS 4 Perform a check load the master zonefiles found in \fInamed.conf\fR. -.TP 3n +.RE +.PP \-j +.RS 4 When loading a zonefile read the journal if it exists. -.TP 3n +.RE +.PP filename +.RS 4 The name of the configuration file to be checked. If not specified, it defaults to \fI/etc/named.conf\fR. +.RE .SH "RETURN VALUES" .PP \fBnamed\-checkconf\fR @@ -72,4 +82,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2002 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c index f50461d..cc63153 100644 --- a/contrib/bind9/bin/check/named-checkconf.c +++ b/contrib/bind9/bin/check/named-checkconf.c 
@@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.12.12.11 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: named-checkconf.c,v 1.28.18.14 2006/02/28 03:10:47 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -39,7 +41,9 @@ #include <dns/fixedname.h> #include <dns/log.h> +#include <dns/name.h> #include <dns/result.h> +#include <dns/zone.h> #include "check-tool.h" @@ -52,6 +56,7 @@ isc_log_t *logc = NULL; goto cleanup; \ } while (0) +/*% usage */ static void usage(void) { fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] " @@ -59,6 +64,7 @@ usage(void) { exit(1); } +/*% directory callback */ static isc_result_t directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { isc_result_t result; 
@@ -84,19 +90,84 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { return (ISC_R_SUCCESS); } +static isc_boolean_t +get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) { + int i; + for (i = 0;; i++) { + if (maps[i] == NULL) + return (ISC_FALSE); + if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) + return (ISC_TRUE); + } +} + +static isc_boolean_t +get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) { + const cfg_listelt_t *element; + const cfg_obj_t *checknames; + const cfg_obj_t *type; + const cfg_obj_t *value; + isc_result_t result; + int i; + + for (i = 0;; i++) { + if (maps[i] == NULL) + return (ISC_FALSE); + checknames = NULL; + result = cfg_map_get(maps[i], "check-names", &checknames); + if (result != ISC_R_SUCCESS) + continue; + if (checknames != NULL && !cfg_obj_islist(checknames)) { + *obj = checknames; + return (ISC_TRUE); + } + for (element = cfg_list_first(checknames); + element != NULL; + element = cfg_list_next(element)) { + value = cfg_listelt_value(element); + type = cfg_tuple_get(value, "type"); + if (strcasecmp(cfg_obj_asstring(type), "master") != 0) + continue; + *obj = cfg_tuple_get(value, "mode"); + return (ISC_TRUE); + } + } +} + +static isc_result_t +config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) { + int i; + + for (i = 0;; i++) { + if (maps[i] == NULL) + return (ISC_R_NOTFOUND); + if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) + return (ISC_R_SUCCESS); + } +} + +/*% configure the zone */ static isc_result_t configure_zone(const char *vclass, const char *view, - const cfg_obj_t *zconfig, isc_mem_t *mctx) + const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, + const cfg_obj_t *config, isc_mem_t *mctx) { + int i = 0; isc_result_t result; const char *zclass; const char *zname; const char *zfile; + const cfg_obj_t *maps[4]; const cfg_obj_t *zoptions = NULL; const cfg_obj_t *classobj = NULL; const cfg_obj_t *typeobj = NULL; const cfg_obj_t 
*fileobj = NULL; const cfg_obj_t *dbobj = NULL; + const cfg_obj_t *obj = NULL; + const cfg_obj_t *fmtobj = NULL; + dns_masterformat_t masterformat; + + zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS; zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); classobj = cfg_tuple_get(zconfig, "class"); @@ -104,7 +175,18 @@ configure_zone(const char *vclass, const char *view, zclass = vclass; else zclass = cfg_obj_asstring(classobj); + zoptions = cfg_tuple_get(zconfig, "options"); + maps[i++] = zoptions; + if (vconfig != NULL) + maps[i++] = cfg_tuple_get(vconfig, "options"); + if (config != NULL) { + cfg_map_get(config, "options", &obj); + if (obj != NULL) + maps[i++] = obj; + } + maps[i++] = NULL; + cfg_map_get(zoptions, "type", &typeobj); if (typeobj == NULL) return (ISC_R_FAILURE); 
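Review bot: `get_maps` and `config_get` walk the same NULL-terminated `maps` array with the same `cfg_map_get` probe and differ only in their return type, so one should be written in terms of the other, e.g. the body of get_maps becomes `return (config_get(maps, name, obj) == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);`. configure_zone also resets the file-scope `zone_options` to `DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS` on every call, discarding whatever the global held before; that appears deliberate, since the rest of the function rebuilds it from the zone, view and global option maps, but a comment such as `/* zone_options is rebuilt from scratch for each zone from the zone, view and options maps. */` above the assignment would make that contract explicit. configure_zone's body continues into the next hunk.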
@@ -117,13 +199,116 @@ configure_zone(const char *vclass, const char *view, if (fileobj == NULL) return (ISC_R_FAILURE); zfile = cfg_obj_asstring(fileobj); - result = load_zone(mctx, zname, zfile, zclass, NULL); + + obj = NULL; + if (get_maps(maps, "check-mx", &obj)) { + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + zone_options |= DNS_ZONEOPT_CHECKMX; + zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + zone_options |= DNS_ZONEOPT_CHECKMX; + zone_options |= DNS_ZONEOPT_CHECKMXFAIL; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + zone_options &= ~DNS_ZONEOPT_CHECKMX; + zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; + } else + INSIST(0); + } else { + zone_options |= DNS_ZONEOPT_CHECKMX; + zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; + } + + obj = NULL; + if (get_maps(maps, "check-integrity", &obj)) { + if (cfg_obj_asboolean(obj)) + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + else + zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY; + } + + obj = NULL; + if (get_maps(maps, "check-mx-cname", &obj)) { + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + zone_options |= DNS_ZONEOPT_WARNMXCNAME; + zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + zone_options &= ~DNS_ZONEOPT_WARNMXCNAME; + zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + zone_options |= DNS_ZONEOPT_WARNMXCNAME; + zone_options |= DNS_ZONEOPT_IGNOREMXCNAME; + } else + INSIST(0); + } else { + zone_options |= DNS_ZONEOPT_WARNMXCNAME; + zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; + } + + obj = NULL; + if (get_maps(maps, "check-srv-cname", &obj)) { + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + zone_options |= DNS_ZONEOPT_WARNSRVCNAME; + zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME; + zone_options 
&= ~DNS_ZONEOPT_IGNORESRVCNAME; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + zone_options |= DNS_ZONEOPT_WARNSRVCNAME; + zone_options |= DNS_ZONEOPT_IGNORESRVCNAME; + } else + INSIST(0); + } else { + zone_options |= DNS_ZONEOPT_WARNSRVCNAME; + zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME; + } + + obj = NULL; + if (get_maps(maps, "check-sibling", &obj)) { + if (cfg_obj_asboolean(obj)) + zone_options |= DNS_ZONEOPT_CHECKSIBLING; + else + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; + } + + obj = NULL; + if (get_checknames(maps, &obj)) { + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + zone_options |= DNS_ZONEOPT_CHECKNAMES; + zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + zone_options |= DNS_ZONEOPT_CHECKNAMES; + zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + zone_options &= ~DNS_ZONEOPT_CHECKNAMES; + zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; + } else + INSIST(0); + } else { + zone_options |= DNS_ZONEOPT_CHECKNAMES; + zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL; + } + + masterformat = dns_masterformat_text; + fmtobj = NULL; + result = config_get(maps, "masterfile-format", &fmtobj); + if (result == ISC_R_SUCCESS) { + const char *masterformatstr = cfg_obj_asstring(fmtobj); + if (strcasecmp(masterformatstr, "text") == 0) + masterformat = dns_masterformat_text; + else if (strcasecmp(masterformatstr, "raw") == 0) + masterformat = dns_masterformat_raw; + else + INSIST(0); + } + + result = load_zone(mctx, zname, zfile, masterformat, zclass, NULL); if (result != ISC_R_SUCCESS) fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass, dns_result_totext(result)); return(result); } +/*% configure a view */ static isc_result_t configure_view(const char *vclass, const char *view, const cfg_obj_t *config, const cfg_obj_t *vconfig, isc_mem_t *mctx) 
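Review bot: The warn/fail/ignore chains for check-mx, check-mx-cname, check-srv-cname and check-names each call `cfg_obj_asstring(obj)` up to three times and fall through to `INSIST(0)`, so an unexpected value aborts the checker without saying which option was malformed; the masterfile-format block at the end of the hunk does the same. If the configuration grammar already restricts these values the INSIST is defensible, but a small static helper that maps the string onto its two option bits (one table for the check-mx/check-names shape, one for the *-cname shape) would remove the four near-identical blocks and give a single place to log the option name before failing. configure_zone's signature and the start of its body are in the preceding hunk.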
@@ -149,7 +334,8 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config, element = cfg_list_next(element)) { const cfg_obj_t *zconfig = cfg_listelt_value(element); - tresult = configure_zone(vclass, view, zconfig, mctx); + tresult = configure_zone(vclass, view, zconfig, vconfig, + config, mctx); if (tresult != ISC_R_SUCCESS) result = tresult; } @@ -157,6 +343,7 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config, } +/*% load zones from the configuration */ static isc_result_t load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) { const cfg_listelt_t *element; @@ -197,6 +384,7 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) { return (result); } +/*% The main processing routine */ int main(int argc, char **argv) { int c; @@ -240,6 +428,9 @@ main(int argc, char **argv) { case 'z': load_zones = ISC_TRUE; + docheckmx = ISC_FALSE; + docheckns = ISC_FALSE; + dochecksrv = ISC_FALSE; break; default: @@ -275,8 +466,6 @@ main(int argc, char **argv) { exit_status = 1; if (result == ISC_R_SUCCESS && load_zones) { - dns_log_init(logc); - dns_log_setcontext(logc); result = load_zones_fromconfig(config, mctx); if (result != ISC_R_SUCCESS) exit_status = 1; @@ -286,6 +475,8 @@ main(int argc, char **argv) { cfg_parser_destroy(&parser); + dns_name_destroy(); + isc_log_destroy(&logc); isc_hash_destroy(); diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook index c2529f6..afeb8d5 100644 --- a/contrib/bind9/bin/check/named-checkconf.docbook +++ b/contrib/bind9/bin/check/named-checkconf.docbook 
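Review bot: The three assignments added under `case 'z':` carry no comment explaining why the MX, NS and SRV checks are switched off for `-z`; from check-tool.c, docheckmx/docheckns/dochecksrv gate the `dns_zone_setcheck*` callbacks, and those callbacks resolve names with getaddrinfo(), so the effect is that a configuration check performs no live name resolution. A one-line comment such as `/* -z is an offline check: skip the MX/NS/SRV checks that resolve names via getaddrinfo(). */` would record that intent next to the flags. main's body extends beyond this hunk on both sides.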
@@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.7 2005/05/12 21:35:56 sra Exp $ --> - -<refentry> +<!-- $Id: named-checkconf.docbook,v 1.8.18.7 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.named-checkconf"> <refentryinfo> <date>June 14, 2000</date> </refentryinfo> @@ -35,6 +34,7 @@ <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -63,9 +63,9 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>named-checkconf</command> checks the syntax, but not - the semantics, of a named configuration file. + <para><command>named-checkconf</command> + checks the syntax, but not the semantics, of a named + configuration file. </para> </refsect1> 
@@ -75,52 +75,53 @@ <variablelist> <varlistentry> <term>-t <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - chroot to <filename>directory</filename> so that include - directives in the configuration file are processed as if - run by a similarly chrooted named. - </para> - </listitem> + <listitem> + <para> + chroot to <filename>directory</filename> so that + include + directives in the configuration file are processed as if + run by a similarly chrooted named. + </para> + </listitem> </varlistentry> <varlistentry> <term>-v</term> - <listitem> - <para> - Print the version of the <command>named-checkconf</command> - program and exit. - </para> - </listitem> + <listitem> + <para> + Print the version of the <command>named-checkconf</command> + program and exit. + </para> + </listitem> </varlistentry> <varlistentry> <term>-z</term> - <listitem> - <para> - Perform a check load the master zonefiles found in - <filename>named.conf</filename>. - </para> - </listitem> + <listitem> + <para> + Perform a check load the master zonefiles found in + <filename>named.conf</filename>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-j</term> - <listitem> - <para> - When loading a zonefile read the journal if it exists. - </para> - </listitem> + <listitem> + <para> + When loading a zonefile read the journal if it exists. + </para> + </listitem> </varlistentry> <varlistentry> <term>filename</term> - <listitem> - <para> - The name of the configuration file to be checked. If not - specified, it defaults to <filename>/etc/named.conf</filename>. - </para> - </listitem> + <listitem> + <para> + The name of the configuration file to be checked. If not + specified, it defaults to <filename>/etc/named.conf</filename>. + </para> + </listitem> </varlistentry> </variablelist> 
@@ -129,18 +130,16 @@ <refsect1> <title>RETURN VALUES</title> - <para> - <command>named-checkconf</command> returns an exit status of 1 if - errors were detected and 0 otherwise. + <para><command>named-checkconf</command> + returns an exit status of 1 if + errors were detected and 0 otherwise. </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>named</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> @@ -148,16 +147,12 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: --> - diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html index 2283c51..f099645 100644 --- a/contrib/bind9/bin/check/named-checkconf.html +++ b/contrib/bind9/bin/check/named-checkconf.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named-checkconf.html,v 1.5.2.1.4.15 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: named-checkconf.html,v 1.9.18.18 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named-checkconf</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.named-checkconf"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">named-checkconf</span> — named configuration file syntax checking tool</p> 
@@ -32,60 +32,59 @@ <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-z</code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549430"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">named-checkconf</strong></span> checks the syntax, but not - the semantics, of a named configuration file. +<a name="id2543383"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">named-checkconf</strong></span> + checks the syntax, but not the semantics, of a named + configuration file. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549443"></a><h2>OPTIONS</h2> +<a name="id2543395"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> - chroot to <code class="filename">directory</code> so that include - directives in the configuration file are processed as if - run by a similarly chrooted named. - </p></dd> + chroot to <code class="filename">directory</code> so that + include + directives in the configuration file are processed as if + run by a similarly chrooted named. + </p></dd> <dt><span class="term">-v</span></dt> <dd><p> - Print the version of the <span><strong class="command">named-checkconf</strong></span> - program and exit. - </p></dd> + Print the version of the <span><strong class="command">named-checkconf</strong></span> + program and exit. + </p></dd> <dt><span class="term">-z</span></dt> <dd><p> - Perform a check load the master zonefiles found in - <code class="filename">named.conf</code>. - </p></dd> + Perform a check load the master zonefiles found in + <code class="filename">named.conf</code>. + </p></dd> <dt><span class="term">-j</span></dt> <dd><p> - When loading a zonefile read the journal if it exists. 
- </p></dd> + When loading a zonefile read the journal if it exists. + </p></dd> <dt><span class="term">filename</span></dt> <dd><p> - The name of the configuration file to be checked. If not - specified, it defaults to <code class="filename">/etc/named.conf</code>. - </p></dd> + The name of the configuration file to be checked. If not + specified, it defaults to <code class="filename">/etc/named.conf</code>. + </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549534"></a><h2>RETURN VALUES</h2> -<p> - <span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if - errors were detected and 0 otherwise. +<a name="id2543488"></a><h2>RETURN VALUES</h2> +<p><span><strong class="command">named-checkconf</strong></span> + returns an exit status of 1 if + errors were detected and 0 otherwise. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549547"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, +<a name="id2543499"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549639"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543521"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8 index f50085c..ecd389c 100644 --- a/contrib/bind9/bin/check/named-checkzone.8 +++ b/contrib/bind9/bin/check/named-checkzone.8 
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2002 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named-checkzone.8,v 1.11.2.1.8.11 2006/10/05 02:50:17 marka Exp $ +.\" $Id: named-checkzone.8,v 1.18.18.20 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: named\-checkzone .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 13, 2000 .\" Manual: BIND9 .\" Source: BIND9 
@@ -30,10 +30,12 @@ .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -named\-checkzone \- zone file validity checking tool +named\-checkzone, named\-compilezone \- zone file validity checking or converting tool .SH "SYNOPSIS" .HP 16 -\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] {zonename} (unknown) +\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown) +.HP 18 +\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown) .SH "DESCRIPTION" .PP \fBnamed\-checkzone\fR 
@@ -42,64 +44,211 @@ checks the syntax and integrity of a zone file. It performs the same checks as does when loading a zone. This makes \fBnamed\-checkzone\fR useful for checking zone files before configuring them into a name server. +.PP +\fBnamed\-compilezone\fR +is similar to +\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by +\fBnamed\fR. When manaully specified otherwise, the check levels must at least be as strict as those specified in the +\fBnamed\fR +configuration file. .SH "OPTIONS" -.TP 3n +.PP \-d +.RS 4 Enable debugging. -.TP 3n +.RE +.PP \-q +.RS 4 Quiet mode \- exit code only. -.TP 3n +.RE +.PP \-v +.RS 4 Print the version of the \fBnamed\-checkzone\fR program and exit. -.TP 3n +.RE +.PP \-j +.RS 4 When loading the zone file read the journal if it exists. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Specify the class of the zone. If not specified "IN" is assumed. -.TP 3n +.RE +.PP +\-i \fImode\fR +.RS 4 +Perform post load zone integrity checks. Possible modes are +\fB"full"\fR +(default), +\fB"full\-sibling"\fR, +\fB"local"\fR, +\fB"local\-sibling"\fR +and +\fB"none"\fR. +.sp +Mode +\fB"full"\fR +checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode +\fB"local"\fR +only checks MX records which refer to in\-zone hostnames. +.sp +Mode +\fB"full"\fR +checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode +\fB"local"\fR +only checks SRV records which refer to in\-zone hostnames. +.sp +Mode +\fB"full"\fR +checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue addresses records in the zone match those advertised by the child. 
Mode +\fB"local"\fR +only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone. +.sp +Mode +\fB"full\-sibling"\fR +and +\fB"local\-sibling"\fR +disable sibling glue checks but are otherwise the same as +\fB"full"\fR +and +\fB"local"\fR +respectively. +.sp +Mode +\fB"none"\fR +disables the checks. +.RE +.PP +\-f \fIformat\fR +.RS 4 +Specify the format of the zone file. Possible formats are +\fB"text"\fR +(default) and +\fB"raw"\fR. +.RE +.PP +\-F \fIformat\fR +.RS 4 +Specify the format of the output file specified. Possible formats are +\fB"text"\fR +(default) and +\fB"raw"\fR. For +\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents. +.RE +.PP \-k \fImode\fR +.RS 4 Perform \fB"check\-names"\fR checks with the specified failure mode. Possible modes are +\fB"fail"\fR +(default for +\fBnamed\-compilezone\fR), +\fB"warn"\fR +(default for +\fBnamed\-checkzone\fR) and +\fB"ignore"\fR. +.RE +.PP +\-m \fImode\fR +.RS 4 +Specify whether MX records should be checked to see if they are addresses. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR. -.TP 3n -\-n \fImode\fR -Specify whether NS records should be checked to see if they are addresses. Possible modes are +.RE +.PP +\-M \fImode\fR +.RS 4 +Check if a MX record refers to a CNAME. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR. -.TP 3n +.RE +.PP +\-n \fImode\fR +.RS 4 +Specify whether NS records should be checked to see if they are addresses. Possible modes are +\fB"fail"\fR +(default for +\fBnamed\-compilezone\fR), +\fB"warn"\fR +(default for +\fBnamed\-checkzone\fR) and +\fB"ignore"\fR. +.RE +.PP \-o \fIfilename\fR +.RS 4 Write zone output to -\fIfilename\fR. -.TP 3n +\fIfilename\fR. This is mandatory for +\fBnamed\-compilezone\fR. +.RE +.PP +\-s \fIstyle\fR +.RS 4 +Specify the style of the dumped zone file. 
Possible styles are +\fB"full"\fR +(default) and +\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For +\fBnamed\-checkzone\fR +this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text. +.RE +.PP +\-S \fImode\fR +.RS 4 +Check if a SRV record refers to a CNAME. Possible modes are +\fB"fail"\fR, +\fB"warn"\fR +(default) and +\fB"ignore"\fR. +.RE +.PP \-t \fIdirectory\fR +.RS 4 chroot to \fIdirectory\fR so that include directives in the configuration file are processed as if run by a similarly chrooted named. -.TP 3n +.RE +.PP \-w \fIdirectory\fR +.RS 4 chdir to \fIdirectory\fR so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in \fInamed.conf\fR. -.TP 3n +.RE +.PP \-D -Dump zone file in canonical format. -.TP 3n +.RS 4 +Dump zone file in canonical format. This is always enabled for +\fBnamed\-compilezone\fR. +.RE +.PP +\-W \fImode\fR +.RS 4 +Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are +\fB"warn"\fR +(default) and +\fB"ignore"\fR. +.RE +.PP zonename +.RS 4 The domain name of the zone being checked. -.TP 3n +.RE +.PP filename +.RS 4 The name of the zone file. +.RE .SH "RETURN VALUES" .PP \fBnamed\-checkzone\fR @@ -113,4 +262,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2002 Internet Software Consortium. +.br 
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c index 0eea166..aa94b8c 100644 --- a/contrib/bind9/bin/check/named-checkzone.c +++ b/contrib/bind9/bin/check/named-checkzone.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.13.2.3.8.11 2004/10/25 01:36:06 marka Exp $ */ +/* $Id: named-checkzone.c,v 1.29.18.16 2006/10/05 05:24:35 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -37,9 +39,12 @@ #include <dns/db.h> #include <dns/fixedname.h> #include <dns/log.h> +#include <dns/masterdump.h> +#include <dns/name.h> #include <dns/rdataclass.h> #include <dns/rdataset.h> #include <dns/result.h> +#include <dns/types.h> #include <dns/zone.h> #include "check-tool.h" @@ -51,6 +56,9 @@ dns_zone_t *zone = NULL; dns_zonetype_t zonetype = dns_zone_master; static int dumpzone = 0; static const char *output_filename; +static char *prog_name = NULL; +static const dns_master_style_t *outputstyle = NULL; +static enum { progmode_check, progmode_compile } progmode; #define ERRRET(result, function) \ do { \ @@ -65,9 +73,13 @@ static const char *output_filename; static void usage(void) { fprintf(stderr, - "usage: named-checkzone [-djqvD] [-c class] [-o output] " + "usage: %s [-djqvD] [-c class] [-o output] " + "[-f inputformat] [-F outputformat] " "[-t directory] [-w directory] [-k (ignore|warn|fail)] " - "[-n (ignore|warn|fail)] zonename filename\n"); + "[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] " + "[-i (full|local|none)] [-M (ignore|warn|fail)] " + "[-S (ignore|warn|fail)] [-W (ignore|warn)] " + "zonename filename\n", prog_name); exit(1); } 
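Review bot: The new usage() string does not match what the option string in the following hunk actually accepts: `-s (full|relative)` is missing entirely, and `-i` is advertised as `(full|local|none)` although `full-sibling` and `local-sibling` are parsed and documented in the man page; change the fragment to `"[-i (full|full-sibling|local|local-sibling|none)] "` and add `"[-s (full|relative)] "`. Conversely, the named-compilezone synopsis in the man page and docbook lists `-C mode`, which neither usage() nor the option string recognises, so one side of the documentation is out of step with the code and should be reconciled before this ships. usage() is complete within this hunk.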
@@ -75,8 +87,10 @@ static void destroy(void) { if (zone != NULL) dns_zone_detach(&zone); + dns_name_destroy(); } +/*% main processing routine */ int main(int argc, char **argv) { int c; @@ -87,8 +101,45 @@ main(int argc, char **argv) { char classname_in[] = "IN"; char *classname = classname_in; const char *workdir = NULL; + const char *inputformatstr = NULL; + const char *outputformatstr = NULL; + dns_masterformat_t inputformat = dns_masterformat_text; + dns_masterformat_t outputformat = dns_masterformat_text; + + outputstyle = &dns_master_style_full; + + prog_name = strrchr(argv[0], '/'); + if (prog_name != NULL) + prog_name++; + else + prog_name = argv[0]; + /* + * Libtool doesn't preserve the program name prior to final + * installation. Remove the libtool prefix ("lt-"). + */ + if (strncmp(prog_name, "lt-", 3) == 0) + prog_name += 3; + if (strcmp(prog_name, "named-checkzone") == 0) + progmode = progmode_check; + else if (strcmp(prog_name, "named-compilezone") == 0) + progmode = progmode_compile; + else + INSIST(0); + + /* Compilation specific defaults */ + if (progmode == progmode_compile) { + zone_options |= (DNS_ZONEOPT_CHECKNS | + DNS_ZONEOPT_FATALNS | + DNS_ZONEOPT_CHECKNAMES | + DNS_ZONEOPT_CHECKNAMESFAIL | + DNS_ZONEOPT_CHECKWILDCARD); + } + +#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0) - while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) { + while ((c = isc_commandline_parse(argc, argv, + "c:df:i:jk:m:n:qs:t:o:vw:DF:M:S:W:")) + != EOF) { switch (c) { case 'c': classname = isc_commandline_argument; 
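Review bot: Deriving the mode from argv[0] ends in `INSIST(0)` for any other name, so a binary reached through a wrapper, a renamed copy or a differently named symlink dies with an assertion failure rather than a usage message; a plain diagnostic is friendlier and cannot be mistaken for a crash, e.g. `else { fprintf(stderr, "%s: unknown program name, expected named-checkzone or named-compilezone\n", prog_name); exit(1); }`. The name is also taken from `argv[0]` without a NULL check, which an exec with an empty argv can produce, so `strrchr` would fault; guard with `argv[0] != NULL` before the lookup. Applying the stricter compile-mode defaults before option parsing is the right order, since it lets explicit -k/-n/-W still override them, and a one-line comment saying so (`/* set before parsing so command-line options can relax them */`) would make that intent clear. main() continues beyond this hunk.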
@@ -98,34 +149,104 @@ main(int argc, char **argv) { debug++; break; + case 'i': + if (ARGCMP("full")) { + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY | + DNS_ZONEOPT_CHECKSIBLING; + docheckmx = ISC_TRUE; + docheckns = ISC_TRUE; + dochecksrv = ISC_TRUE; + } else if (ARGCMP("full-sibling")) { + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; + docheckmx = ISC_TRUE; + docheckns = ISC_TRUE; + dochecksrv = ISC_TRUE; + } else if (ARGCMP("local")) { + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + zone_options |= DNS_ZONEOPT_CHECKSIBLING; + docheckmx = ISC_FALSE; + docheckns = ISC_FALSE; + dochecksrv = ISC_FALSE; + } else if (ARGCMP("local-sibling")) { + zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; + docheckmx = ISC_FALSE; + docheckns = ISC_FALSE; + dochecksrv = ISC_FALSE; + } else if (ARGCMP("none")) { + zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY; + zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; + docheckmx = ISC_FALSE; + docheckns = ISC_FALSE; + dochecksrv = ISC_FALSE; + } else { + fprintf(stderr, "invalid argument to -i: %s\n", + isc_commandline_argument); + exit(1); + } + break; + + case 'f': + inputformatstr = isc_commandline_argument; + break; + + case 'F': + outputformatstr = isc_commandline_argument; + break; + case 'j': nomerge = ISC_FALSE; break; + case 'k': + if (ARGCMP("warn")) { + zone_options |= DNS_ZONEOPT_CHECKNAMES; + zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; + } else if (ARGCMP("fail")) { + zone_options |= DNS_ZONEOPT_CHECKNAMES | + DNS_ZONEOPT_CHECKNAMESFAIL; + } else if (ARGCMP("ignore")) { + zone_options &= ~(DNS_ZONEOPT_CHECKNAMES | + DNS_ZONEOPT_CHECKNAMESFAIL); + } else { + fprintf(stderr, "invalid argument to -k: %s\n", + isc_commandline_argument); + exit(1); + } + break; + case 'n': - if (!strcmp(isc_commandline_argument, "ignore")) + if (ARGCMP("ignore")) { zone_options &= ~(DNS_ZONEOPT_CHECKNS| DNS_ZONEOPT_FATALNS); - else if (!strcmp(isc_commandline_argument, 
"warn")) { + } else if (ARGCMP("warn")) { zone_options |= DNS_ZONEOPT_CHECKNS; zone_options &= ~DNS_ZONEOPT_FATALNS; - } else if (!strcmp(isc_commandline_argument, "fail")) + } else if (ARGCMP("fail")) { zone_options |= DNS_ZONEOPT_CHECKNS| DNS_ZONEOPT_FATALNS; + } else { + fprintf(stderr, "invalid argument to -n: %s\n", + isc_commandline_argument); + exit(1); + } break; - case 'k': - if (!strcmp(isc_commandline_argument, "warn")) { - zone_options |= DNS_ZONEOPT_CHECKNAMES; - zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; - } else if (!strcmp(isc_commandline_argument, - "fail")) { - zone_options |= DNS_ZONEOPT_CHECKNAMES | - DNS_ZONEOPT_CHECKNAMESFAIL; - } else if (!strcmp(isc_commandline_argument, - "ignore")) { - zone_options &= ~(DNS_ZONEOPT_CHECKNAMES | - DNS_ZONEOPT_CHECKNAMESFAIL); + case 'm': + if (ARGCMP("warn")) { + zone_options |= DNS_ZONEOPT_CHECKMX; + zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; + } else if (ARGCMP("fail")) { + zone_options |= DNS_ZONEOPT_CHECKMX | + DNS_ZONEOPT_CHECKMXFAIL; + } else if (ARGCMP("ignore")) { + zone_options &= ~(DNS_ZONEOPT_CHECKMX | + DNS_ZONEOPT_CHECKMXFAIL); + } else { + fprintf(stderr, "invalid argument to -m: %s\n", + isc_commandline_argument); + exit(1); } break; @@ -149,6 +270,19 @@ main(int argc, char **argv) { } break; + case 's': + if (ARGCMP("full")) + outputstyle = &dns_master_style_full; + else if (ARGCMP("relative")) { + outputstyle = &dns_master_style_default; + } else { + fprintf(stderr, + "unknown or unsupported style: %s\n", + isc_commandline_argument); + exit(1); + } + break; + case 'o': output_filename = isc_commandline_argument; break; 
@@ -165,11 +299,61 @@ main(int argc, char **argv) { dumpzone++; break; + case 'M': + if (ARGCMP("fail")) { + zone_options &= ~DNS_ZONEOPT_WARNMXCNAME; + zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; + } else if (ARGCMP("warn")) { + zone_options |= DNS_ZONEOPT_WARNMXCNAME; + zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; + } else if (ARGCMP("ignore")) { + zone_options |= DNS_ZONEOPT_WARNMXCNAME; + zone_options |= DNS_ZONEOPT_IGNOREMXCNAME; + } else { + fprintf(stderr, "invalid argument to -M: %s\n", + isc_commandline_argument); + exit(1); + } + break; + + case 'S': + if (ARGCMP("fail")) { + zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME; + zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME; + } else if (ARGCMP("warn")) { + zone_options |= DNS_ZONEOPT_WARNSRVCNAME; + zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME; + } else if (ARGCMP("ignore")) { + zone_options |= DNS_ZONEOPT_WARNSRVCNAME; + zone_options |= DNS_ZONEOPT_IGNORESRVCNAME; + } else { + fprintf(stderr, "invalid argument to -S: %s\n", + isc_commandline_argument); + exit(1); + } + break; + + case 'W': + if (ARGCMP("warn")) + zone_options |= DNS_ZONEOPT_CHECKWILDCARD; + else if (ARGCMP("ignore")) + zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD; + break; + default: usage(); } } + if (progmode == progmode_compile) { + dumpzone = 1; /* always dump */ + if (output_filename == NULL) { + fprintf(stderr, + "output file required, but not specified\n"); + usage(); + } + } + if (workdir != NULL) { result = isc_dir_chdir(workdir); if (result != ISC_R_SUCCESS) { 
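Review bot: The `-W` case is the only option in this switch that silently ignores an unrecognised argument: `-W fial` leaves DNS_ZONEOPT_CHECKWILDCARD untouched and the run proceeds, whereas -M, -S and the earlier options print "invalid argument" and exit(1); add the same `else { fprintf(stderr, "invalid argument to -W: %s\n", isc_commandline_argument); exit(1); }` branch. The man page also documents `warn` as the -W default for both programs, but the code visible here sets DNS_ZONEOPT_CHECKWILDCARD only in the compile-mode defaults, so unless zone_options (defined in check-tool.c, outside this hunk) already carries the flag, named-checkzone's real default is `ignore` and the documentation should say so. The switch this case belongs to starts before the hunk.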
@@ -179,15 +363,36 @@ main(int argc, char **argv) { } } + if (inputformatstr != NULL) { + if (strcasecmp(inputformatstr, "text") == 0) + inputformat = dns_masterformat_text; + else if (strcasecmp(inputformatstr, "raw") == 0) + inputformat = dns_masterformat_raw; + else { + fprintf(stderr, "unknown file format: %s\n", + inputformatstr); + exit(1); + } + } + + if (outputformatstr != NULL) { + if (strcasecmp(outputformatstr, "text") == 0) + outputformat = dns_masterformat_text; + else if (strcasecmp(outputformatstr, "raw") == 0) + outputformat = dns_masterformat_raw; + else { + fprintf(stderr, "unknown file format: %s\n", + outputformatstr); + exit(1); + } + } + if (isc_commandline_index + 2 > argc) usage(); RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); - if (!quiet) { + if (!quiet) RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS); - dns_log_init(lctx); - dns_log_setcontext(lctx); - } RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS); RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE) == ISC_R_SUCCESS); @@ -196,10 +401,18 @@ main(int argc, char **argv) { origin = argv[isc_commandline_index++]; filename = argv[isc_commandline_index++]; - result = load_zone(mctx, origin, filename, classname, &zone); + result = load_zone(mctx, origin, filename, inputformat, classname, + &zone); if (result == ISC_R_SUCCESS && dumpzone) { - result = dump_zone(origin, zone, output_filename); + if (!quiet && progmode == progmode_compile) { + fprintf(stdout, "dump zone to %s...", output_filename); + fflush(stdout); + } + result = dump_zone(origin, zone, output_filename, + outputformat, outputstyle); + if (!quiet && progmode == progmode_compile) + fprintf(stdout, "done\n"); } if (!quiet && result == ISC_R_SUCCESS) diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook index a24e92b..70e1878 100644 --- a/contrib/bind9/bin/check/named-checkzone.docbook 
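Review bot: The two format-parsing blocks are identical except for the variable they assign, so a small static helper would keep the accepted format names in one place and make adding a third format a one-line change; a sketch is below. `strcasecmp` is a POSIX function declared in `<strings.h>`, and the include additions earlier in this file do not add it, so confirm it is reached through an existing header rather than an implicit declaration. The removal of `dns_log_init(lctx)`/`dns_log_setcontext(lctx)` presumably moves them into setup_logging() in check-tool.c; if not, DNS-library messages would no longer be routed to the logging context in non-quiet mode, which is worth confirming. main() continues beyond this hunk.
```c
/* Map a -f/-F argument to a dns_masterformat_t; ISC_R_FAILURE if unknown. */
static isc_result_t
parse_format(const char *str, dns_masterformat_t *fmt) {
	if (strcasecmp(str, "text") == 0)
		*fmt = dns_masterformat_text;
	else if (strcasecmp(str, "raw") == 0)
		*fmt = dns_masterformat_raw;
	else
		return (ISC_R_FAILURE);
	return (ISC_R_SUCCESS);
}

/* … unchanged: main() up to the chdir … */
	if (inputformatstr != NULL &&
	    parse_format(inputformatstr, &inputformat) != ISC_R_SUCCESS) {
		fprintf(stderr, "unknown file format: %s\n", inputformatstr);
		exit(1);
	}
	if (outputformatstr != NULL &&
	    parse_format(outputformatstr, &outputformat) != ISC_R_SUCCESS) {
		fprintf(stderr, "unknown file format: %s\n", outputformatstr);
		exit(1);
	}
```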
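Review bot: In compile mode the progress line reads `dump zone to FILE...done` even when dump_zone() fails, because the trailing `fprintf(stdout, "done\n")` is not conditioned on `result`; use `fprintf(stdout, "%s\n", result == ISC_R_SUCCESS ? "done" : "failed");` so an operator reading stdout is not told the file was written when it was not (whatever dump_zone reports on failure, it is not on this line). Since the first half of the line is flushed before the dump and any error text from the dump may appear in between, writing the whole line once the result is known would also avoid a split message. The function continues beyond this hunk.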
+++ b/contrib/bind9/bin/check/named-checkzone.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.13 2006/09/30 23:58:36 marka Exp $ --> - -<refentry> +<!-- $Id: named-checkzone.docbook,v 1.11.18.17 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.named-checkzone"> <refentryinfo> <date>June 13, 2000</date> </refentryinfo> @@ -36,6 +35,7 @@ <year>2004</year> <year>2005</year> <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -48,7 +48,8 @@ <refnamediv> <refname><application>named-checkzone</application></refname> - <refpurpose>zone file validity checking tool</refpurpose> + <refname><application>named-compilezone</application></refname> + <refpurpose>zone file validity checking or converting tool</refpurpose> </refnamediv> <refsynopsisdiv> 
@@ -59,12 +60,43 @@ <arg><option>-q</option></arg> <arg><option>-v</option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg> + <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg> + <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg> + <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg> + <arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-D</option></arg> + <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg> + <arg choice="req">zonename</arg> + <arg choice="req">filename</arg> + </cmdsynopsis> + <cmdsynopsis> + <command>named-compilezone</command> + <arg><option>-d</option></arg> + <arg><option>-j</option></arg> + <arg><option>-q</option></arg> + <arg><option>-v</option></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-C <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg> + <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg> + <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg> 
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg> <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg> <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg> + <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg> <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg> <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg> <arg><option>-D</option></arg> + <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg> <arg choice="req">zonename</arg> <arg choice="req">filename</arg> </cmdsynopsis> @@ -72,13 +104,23 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>named-checkzone</command> checks the syntax and integrity of - a zone file. It performs the same checks as <command>named</command> - does when loading a zone. This makes - <command>named-checkzone</command> useful for checking zone - files before configuring them into a name server. + <para><command>named-checkzone</command> + checks the syntax and integrity of a zone file. It performs the + same checks as <command>named</command> does when loading a + zone. This makes <command>named-checkzone</command> useful for + checking zone files before configuring them into a name server. </para> + <para> + <command>named-compilezone</command> is similar to + <command>named-checkzone</command>, but it always dumps the + zone contents to a specified file in a specified format. + Additionally, it applies stricter check levels by default, + since the dump output will be used as an actual zone file + loaded by <command>named</command>. + When manaully specified otherwise, the check levels must at + least be as strict as those specified in the + <command>named</command> configuration file. + </para> </refsect1> <refsect1> 
@@ -87,131 +129,280 @@ <variablelist> <varlistentry> <term>-d</term> - <listitem> - <para> - Enable debugging. - </para> - </listitem> + <listitem> + <para> + Enable debugging. + </para> + </listitem> </varlistentry> <varlistentry> <term>-q</term> - <listitem> - <para> - Quiet mode - exit code only. - </para> - </listitem> + <listitem> + <para> + Quiet mode - exit code only. + </para> + </listitem> </varlistentry> <varlistentry> <term>-v</term> - <listitem> - <para> - Print the version of the <command>named-checkzone</command> - program and exit. - </para> - </listitem> + <listitem> + <para> + Print the version of the <command>named-checkzone</command> + program and exit. + </para> + </listitem> </varlistentry> <varlistentry> <term>-j</term> <listitem> <para> - When loading the zone file read the journal if it exists. - </para> + When loading the zone file read the journal if it exists. + </para> </listitem> </varlistentry> <varlistentry> <term>-c <replaceable class="parameter">class</replaceable></term> + <listitem> + <para> + Specify the class of the zone. If not specified "IN" is assumed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-i <replaceable class="parameter">mode</replaceable></term> <listitem> <para> - Specify the class of the zone. If not specified "IN" is assumed. + Perform post load zone integrity checks. Possible modes are + <command>"full"</command> (default), + <command>"full-sibling"</command>, + <command>"local"</command>, + <command>"local-sibling"</command> and + <command>"none"</command>. + </para> + <para> + Mode <command>"full"</command> checks that MX records + refer to A or AAAA record (both in-zone and out-of-zone + hostnames). Mode <command>"local"</command> only + checks MX records which refer to in-zone hostnames. + </para> + <para> + Mode <command>"full"</command> checks that SRV records + refer to A or AAAA record (both in-zone and out-of-zone + hostnames). 
Mode <command>"local"</command> only + checks SRV records which refer to in-zone hostnames. + </para> + <para> + Mode <command>"full"</command> checks that delegation NS + records refer to A or AAAA record (both in-zone and out-of-zone + hostnames). It also checks that glue addresses records + in the zone match those advertised by the child. + Mode <command>"local"</command> only checks NS records which + refer to in-zone hostnames or that some required glue exists, + that is when the nameserver is in a child zone. + </para> + <para> + Mode <command>"full-sibling"</command> and + <command>"local-sibling"</command> disable sibling glue + checks but are otherwise the same as <command>"full"</command> + and <command>"local"</command> respectively. + </para> + <para> + Mode <command>"none"</command> disables the checks. </para> </listitem> </varlistentry> <varlistentry> - <term>-k <replaceable class="parameter">mode</replaceable></term> + <term>-f <replaceable class="parameter">format</replaceable></term> <listitem> <para> - Perform <command>"check-names"</command> checks with the specified failure mode. - Possible modes are <command>"fail"</command>, - <command>"warn"</command> (default) and - <command>"ignore"</command>. + Specify the format of the zone file. + Possible formats are <command>"text"</command> (default) + and <command>"raw"</command>. </para> </listitem> </varlistentry> <varlistentry> - <term>-n <replaceable class="parameter">mode</replaceable></term> + <term>-F <replaceable class="parameter">format</replaceable></term> <listitem> <para> - Specify whether NS records should be checked to see if they - are addresses. Possible modes are <command>"fail"</command>, - <command>"warn"</command> (default) and - <command>"ignore"</command>. + Specify the format of the output file specified. + Possible formats are <command>"text"</command> (default) + and <command>"raw"</command>. 
+ For <command>named-checkzone</command>, + this does not cause any effects unless it dumps the zone + contents. </para> </listitem> </varlistentry> <varlistentry> - <term>-o <replaceable class="parameter">filename</replaceable></term> + <term>-k <replaceable class="parameter">mode</replaceable></term> <listitem> <para> - Write zone output to <filename>filename</filename>. + Perform <command>"check-names"</command> checks with the + specified failure mode. + Possible modes are <command>"fail"</command> + (default for <command>named-compilezone</command>), + <command>"warn"</command> + (default for <command>named-checkzone</command>) and + <command>"ignore"</command>. </para> </listitem> </varlistentry> <varlistentry> - <term>-t <replaceable class="parameter">directory</replaceable></term> + <term>-m <replaceable class="parameter">mode</replaceable></term> <listitem> <para> - chroot to <filename>directory</filename> so that include - directives in the configuration file are processed as if - run by a similarly chrooted named. + Specify whether MX records should be checked to see if they + are addresses. Possible modes are <command>"fail"</command>, + <command>"warn"</command> (default) and + <command>"ignore"</command>. </para> </listitem> </varlistentry> <varlistentry> - <term>-w <replaceable class="parameter">directory</replaceable></term> + <term>-M <replaceable class="parameter">mode</replaceable></term> + <listitem> + <para> + Check if a MX record refers to a CNAME. + Possible modes are <command>"fail"</command>, + <command>"warn"</command> (default) and + <command>"ignore"</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-n <replaceable class="parameter">mode</replaceable></term> <listitem> <para> - chdir to <filename>directory</filename> so that relative - filenames in master file $INCLUDE directives work. This - is similar to the directory clause in - <filename>named.conf</filename>. 
+ Specify whether NS records should be checked to see if they + are addresses. + Possible modes are <command>"fail"</command> + (default for <command>named-compilezone</command>), + <command>"warn"</command> + (default for <command>named-checkzone</command>) and + <command>"ignore"</command>. </para> </listitem> </varlistentry> <varlistentry> - <term>-D</term> + <term>-o <replaceable class="parameter">filename</replaceable></term> + <listitem> + <para> + Write zone output to <filename>filename</filename>. + This is mandatory for <command>named-compilezone</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s <replaceable class="parameter">style</replaceable></term> <listitem> <para> - Dump zone file in canonical format. + Specify the style of the dumped zone file. + Possible styles are <command>"full"</command> (default) + and <command>"relative"</command>. + The full format is most suitable for processing + automatically by a separate script. + On the other hand, the relative format is more + human-readable and is thus suitable for editing by hand. + For <command>named-checkzone</command> + this does not cause any effects unless it dumps the zone + contents. + It also does not have any meaning if the output format + is not text. </para> </listitem> </varlistentry> <varlistentry> - <term>zonename</term> - <listitem> + <term>-S <replaceable class="parameter">mode</replaceable></term> + <listitem> <para> - The domain name of the zone being checked. + Check if a SRV record refers to a CNAME. + Possible modes are <command>"fail"</command>, + <command>"warn"</command> (default) and + <command>"ignore"</command>. </para> - </listitem> + </listitem> + </varlistentry> + + <varlistentry> + <term>-t <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + chroot to <filename>directory</filename> so that + include + directives in the configuration file are processed as if + run by a similarly chrooted named. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-w <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + chdir to <filename>directory</filename> so that + relative + filenames in master file $INCLUDE directives work. This + is similar to the directory clause in + <filename>named.conf</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-D</term> + <listitem> + <para> + Dump zone file in canonical format. + This is always enabled for <command>named-compilezone</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-W <replaceable class="parameter">mode</replaceable></term> + <listitem> + <para> + Specify whether to check for non-terminal wildcards. + Non-terminal wildcards are almost always the result of a + failure to understand the wildcard matching algorithm (RFC 1034). + Possible modes are <command>"warn"</command> (default) + and + <command>"ignore"</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>zonename</term> + <listitem> + <para> + The domain name of the zone being checked. + </para> + </listitem> </varlistentry> <varlistentry> <term>filename</term> - <listitem> - <para> - The name of the zone file. - </para> - </listitem> + <listitem> + <para> + The name of the zone file. + </para> + </listitem> </varlistentry> </variablelist> 
@@ -220,18 +411,16 @@ <refsect1> <title>RETURN VALUES</title> - <para> - <command>named-checkzone</command> returns an exit status of 1 if - errors were detected and 0 otherwise. + <para><command>named-checkzone</command> + returns an exit status of 1 if + errors were detected and 0 otherwise. </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>named</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citetitle>RFC 1035</citetitle>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>. @@ -240,16 +429,12 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: --> - diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html index 8f5195a..be2f589 100644 --- a/contrib/bind9/bin/check/named-checkzone.html +++ b/contrib/bind9/bin/check/named-checkzone.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,121 +14,241 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named-checkzone.html,v 1.5.2.2.4.17 2006/10/05 02:50:17 marka Exp $ --> +<!-- $Id: named-checkzone.html,v 1.11.18.27 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named-checkzone</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.named-checkzone"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> -<p><span class="application">named-checkzone</span> — zone file validity checking tool</p> +<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> — zone file validity checking or converting tool</p> </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] {zonename} (unknown)</p></div> +<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code 
class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div> +<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em 
class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549490"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of - a zone file. It performs the same checks as <span><strong class="command">named</strong></span> - does when loading a zone. This makes - <span><strong class="command">named-checkzone</strong></span> useful for checking zone - files before configuring them into a name server. +<a name="id2543665"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">named-checkzone</strong></span> + checks the syntax and integrity of a zone file. It performs the + same checks as <span><strong class="command">named</strong></span> does when loading a + zone. This makes <span><strong class="command">named-checkzone</strong></span> useful for + checking zone files before configuring them into a name server. </p> +<p> + <span><strong class="command">named-compilezone</strong></span> is similar to + <span><strong class="command">named-checkzone</strong></span>, but it always dumps the + zone contents to a specified file in a specified format. 
+ Additionally, it applies stricter check levels by default, + since the dump output will be used as an actual zone file + loaded by <span><strong class="command">named</strong></span>. + When manaully specified otherwise, the check levels must at + least be as strict as those specified in the + <span><strong class="command">named</strong></span> configuration file. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549510"></a><h2>OPTIONS</h2> +<a name="id2543700"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-d</span></dt> <dd><p> - Enable debugging. - </p></dd> + Enable debugging. + </p></dd> <dt><span class="term">-q</span></dt> <dd><p> - Quiet mode - exit code only. - </p></dd> + Quiet mode - exit code only. + </p></dd> <dt><span class="term">-v</span></dt> <dd><p> - Print the version of the <span><strong class="command">named-checkzone</strong></span> - program and exit. - </p></dd> + Print the version of the <span><strong class="command">named-checkzone</strong></span> + program and exit. + </p></dd> <dt><span class="term">-j</span></dt> <dd><p> - When loading the zone file read the journal if it exists. + When loading the zone file read the journal if it exists. </p></dd> <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> <dd><p> - Specify the class of the zone. If not specified "IN" is assumed. + Specify the class of the zone. If not specified "IN" is assumed. + </p></dd> +<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt> +<dd> +<p> + Perform post load zone integrity checks. Possible modes are + <span><strong class="command">"full"</strong></span> (default), + <span><strong class="command">"full-sibling"</strong></span>, + <span><strong class="command">"local"</strong></span>, + <span><strong class="command">"local-sibling"</strong></span> and + <span><strong class="command">"none"</strong></span>. 
+ </p> +<p> + Mode <span><strong class="command">"full"</strong></span> checks that MX records + refer to A or AAAA record (both in-zone and out-of-zone + hostnames). Mode <span><strong class="command">"local"</strong></span> only + checks MX records which refer to in-zone hostnames. + </p> +<p> + Mode <span><strong class="command">"full"</strong></span> checks that SRV records + refer to A or AAAA record (both in-zone and out-of-zone + hostnames). Mode <span><strong class="command">"local"</strong></span> only + checks SRV records which refer to in-zone hostnames. + </p> +<p> + Mode <span><strong class="command">"full"</strong></span> checks that delegation NS + records refer to A or AAAA record (both in-zone and out-of-zone + hostnames). It also checks that glue addresses records + in the zone match those advertised by the child. + Mode <span><strong class="command">"local"</strong></span> only checks NS records which + refer to in-zone hostnames or that some required glue exists, + that is when the nameserver is in a child zone. + </p> +<p> + Mode <span><strong class="command">"full-sibling"</strong></span> and + <span><strong class="command">"local-sibling"</strong></span> disable sibling glue + checks but are otherwise the same as <span><strong class="command">"full"</strong></span> + and <span><strong class="command">"local"</strong></span> respectively. + </p> +<p> + Mode <span><strong class="command">"none"</strong></span> disables the checks. + </p> +</dd> +<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt> +<dd><p> + Specify the format of the zone file. + Possible formats are <span><strong class="command">"text"</strong></span> (default) + and <span><strong class="command">"raw"</strong></span>. + </p></dd> +<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt> +<dd><p> + Specify the format of the output file specified. 
+ Possible formats are <span><strong class="command">"text"</strong></span> (default) + and <span><strong class="command">"raw"</strong></span>. + For <span><strong class="command">named-checkzone</strong></span>, + this does not cause any effects unless it dumps the zone + contents. </p></dd> <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> - Perform <span><strong class="command">"check-names"</strong></span> checks with the specified failure mode. - Possible modes are <span><strong class="command">"fail"</strong></span>, - <span><strong class="command">"warn"</strong></span> (default) and - <span><strong class="command">"ignore"</strong></span>. + Perform <span><strong class="command">"check-names"</strong></span> checks with the + specified failure mode. + Possible modes are <span><strong class="command">"fail"</strong></span> + (default for <span><strong class="command">named-compilezone</strong></span>), + <span><strong class="command">"warn"</strong></span> + (default for <span><strong class="command">named-checkzone</strong></span>) and + <span><strong class="command">"ignore"</strong></span>. + </p></dd> +<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt> +<dd><p> + Specify whether MX records should be checked to see if they + are addresses. Possible modes are <span><strong class="command">"fail"</strong></span>, + <span><strong class="command">"warn"</strong></span> (default) and + <span><strong class="command">"ignore"</strong></span>. + </p></dd> +<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt> +<dd><p> + Check if a MX record refers to a CNAME. + Possible modes are <span><strong class="command">"fail"</strong></span>, + <span><strong class="command">"warn"</strong></span> (default) and + <span><strong class="command">"ignore"</strong></span>. 
</p></dd> <dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt> <dd><p> - Specify whether NS records should be checked to see if they - are addresses. Possible modes are <span><strong class="command">"fail"</strong></span>, - <span><strong class="command">"warn"</strong></span> (default) and - <span><strong class="command">"ignore"</strong></span>. - </p></dd> + Specify whether NS records should be checked to see if they + are addresses. + Possible modes are <span><strong class="command">"fail"</strong></span> + (default for <span><strong class="command">named-compilezone</strong></span>), + <span><strong class="command">"warn"</strong></span> + (default for <span><strong class="command">named-checkzone</strong></span>) and + <span><strong class="command">"ignore"</strong></span>. + </p></dd> <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt> <dd><p> - Write zone output to <code class="filename">filename</code>. + Write zone output to <code class="filename">filename</code>. + This is mandatory for <span><strong class="command">named-compilezone</strong></span>. </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt> +<dd><p> + Specify the style of the dumped zone file. + Possible styles are <span><strong class="command">"full"</strong></span> (default) + and <span><strong class="command">"relative"</strong></span>. + The full format is most suitable for processing + automatically by a separate script. + On the other hand, the relative format is more + human-readable and is thus suitable for editing by hand. + For <span><strong class="command">named-checkzone</strong></span> + this does not cause any effects unless it dumps the zone + contents. + It also does not have any meaning if the output format + is not text. 
+ </p></dd> +<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt> +<dd><p> + Check if a SRV record refers to a CNAME. + Possible modes are <span><strong class="command">"fail"</strong></span>, + <span><strong class="command">"warn"</strong></span> (default) and + <span><strong class="command">"ignore"</strong></span>. + </p></dd> <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> - chroot to <code class="filename">directory</code> so that include - directives in the configuration file are processed as if - run by a similarly chrooted named. + chroot to <code class="filename">directory</code> so that + include + directives in the configuration file are processed as if + run by a similarly chrooted named. </p></dd> <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> - chdir to <code class="filename">directory</code> so that relative - filenames in master file $INCLUDE directives work. This - is similar to the directory clause in - <code class="filename">named.conf</code>. + chdir to <code class="filename">directory</code> so that + relative + filenames in master file $INCLUDE directives work. This + is similar to the directory clause in + <code class="filename">named.conf</code>. </p></dd> <dt><span class="term">-D</span></dt> <dd><p> - Dump zone file in canonical format. - </p></dd> + Dump zone file in canonical format. + This is always enabled for <span><strong class="command">named-compilezone</strong></span>. + </p></dd> +<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt> +<dd><p> + Specify whether to check for non-terminal wildcards. + Non-terminal wildcards are almost always the result of a + failure to understand the wildcard matching algorithm (RFC 1034). + Possible modes are <span><strong class="command">"warn"</strong></span> (default) + and + <span><strong class="command">"ignore"</strong></span>. 
+ </p></dd> <dt><span class="term">zonename</span></dt> <dd><p> - The domain name of the zone being checked. - </p></dd> + The domain name of the zone being checked. + </p></dd> <dt><span class="term">filename</span></dt> <dd><p> - The name of the zone file. - </p></dd> + The name of the zone file. + </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549824"></a><h2>RETURN VALUES</h2> -<p> - <span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if - errors were detected and 0 otherwise. +<a name="id2544299"></a><h2>RETURN VALUES</h2> +<p><span><strong class="command">named-checkzone</strong></span> + returns an exit status of 1 if + errors were detected and 0 otherwise. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549836"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, +<a name="id2544311"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <em class="citetitle">RFC 1035</em>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549863"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2544336"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in index 65c14ce..836b7f2 100644 --- a/contrib/bind9/bin/dig/Makefile.in +++ b/contrib/bind9/bin/dig/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any 
@@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $ +# $Id: Makefile.in,v 1.33.18.6 2005/09/09 14:11:04 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -45,7 +45,7 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \ ${LWRESDEPLIBS} LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \ - ${ISCCFGLIBS} @LIBS@ + ${ISCCFGLIBS} @IDNLIBS@ @LIBS@ SUBDIRS = diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1 index 735f31c..240b732 100644 --- a/contrib/bind9/bin/dig/dig.1 +++ b/contrib/bind9/bin/dig/dig.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dig.1,v 1.14.2.4.2.11 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dig.1,v 1.23.18.19 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: dig .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 
@@ -33,7 +33,7 @@ dig \- DNS lookup utility .SH "SYNOPSIS" .HP 4 -\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...] +\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...] .HP 4 \fBdig\fR [\fB\-h\fR] .HP 4 @@ -65,21 +65,30 @@ It is possible to set per\-user defaults for \fBdig\fR via \fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments. +.PP +The IN and CH class names overlap with the IN and CH top level domains names. Either use the +\fB\-t\fR +and +\fB\-c\fR +options to specify the type and class or use the +\fB\-q\fR +the specify the domain name or use "IN." and "CH." when looking up these top level domains. .SH "SIMPLE USAGE" .PP A typical invocation of \fBdig\fR looks like: .sp -.RS 3n +.RS 4 .nf dig @server name type .fi .RE .sp where: -.TP 3n +.PP \fBserver\fR +.RS 4 is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied \fIserver\fR argument is a hostname, 
@@ -91,11 +100,15 @@ argument is provided, consults \fI/etc/resolv.conf\fR and queries the name servers listed there. The reply from the name server that responds is displayed. -.TP 3n +.RE +.PP \fBname\fR +.RS 4 is the name of the resource record that is to be looked up. -.TP 3n +.RE +.PP \fBtype\fR +.RS 4 indicates what type of query is required \(em ANY, A, MX, SIG, etc. \fItype\fR can be any valid query type. If no @@ -103,6 +116,7 @@ can be any valid query type. If no argument is supplied, \fBdig\fR will perform a lookup for an A record. +.RE .SH "OPTIONS" .PP The @@ -154,6 +168,13 @@ is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was \fIN\fR. .PP +The +\fB\-q\fR +option sets the query name to +\fIname\fR. This useful do distingish the +\fIname\fR +from other arguments. +.PP Reverse lookups \- mapping addresses to names \- are simplified by the \fB\-x\fR option. @@ -178,6 +199,8 @@ and their responses using transaction signatures (TSIG), specify a TSIG key file option. You can also specify the TSIG key itself on the command line using the \fB\-y\fR option; +\fIhmac\fR +is the type of the TSIG, default HMAC\-MD5, \fIname\fR is the name of the TSIG key and \fIkey\fR @@ -185,7 +208,7 @@ is the actual key. The key is a base\-64 encoded string, typically generated by \fBdnssec\-keygen\fR(8). Caution should be taken when using the \fB\-y\fR option on multi\-user systems as the key can be visible in the output from -\fBps\fR(1 ) +\fBps\fR(1) or in the shell's history file. When using TSIG authentication with \fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate \fBkey\fR 
@@ -202,19 +225,26 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k no to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form \fB+keyword=value\fR. The query options are: -.TP 3n +.PP \fB+[no]tcp\fR +.RS 4 Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. -.TP 3n +.RE +.PP \fB+[no]vc\fR +.RS 4 Use [do not use] TCP when querying name servers. This alternate syntax to \fI+[no]tcp\fR is provided for backwards compatibility. The "vc" stands for "virtual circuit". -.TP 3n +.RE +.PP \fB+[no]ignore\fR +.RS 4 Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. -.TP 3n +.RE +.PP \fB+domain=somename\fR +.RS 4 Set the search list to contain the single domain \fIsomename\fR, as if specified in a \fBdomain\fR 
@@ -222,36 +252,59 @@ directive in \fI/etc/resolv.conf\fR, and enable search list processing as if the \fI+search\fR option were given. -.TP 3n +.RE +.PP \fB+[no]search\fR +.RS 4 Use [do not use] the search list defined by the searchlist or domain directive in \fIresolv.conf\fR (if any). The search list is not used by default. -.TP 3n +.RE +.PP +\fB+[no]showsearch\fR +.RS 4 +Perform [do not perform] a search showing intermediate results. +.RE +.PP \fB+[no]defname\fR +.RS 4 Deprecated, treated as a synonym for \fI+[no]search\fR -.TP 3n +.RE +.PP \fB+[no]aaonly\fR +.RS 4 Sets the "aa" flag in the query. -.TP 3n +.RE +.PP \fB+[no]aaflag\fR +.RS 4 A synonym for \fI+[no]aaonly\fR. -.TP 3n +.RE +.PP \fB+[no]adflag\fR +.RS 4 Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness. -.TP 3n +.RE +.PP \fB+[no]cdflag\fR +.RS 4 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -.TP 3n +.RE +.PP \fB+[no]cl\fR +.RS 4 Display [do not display] the CLASS when printing the record. -.TP 3n +.RE +.PP \fB+[no]ttlid\fR +.RS 4 Display [do not display] the TTL when printing the record. -.TP 3n +.RE +.PP \fB+[no]recurse\fR +.RS 4 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means \fBdig\fR normally sends recursive queries. Recursion is automatically disabled when the 
@@ -259,75 +312,109 @@ normally sends recursive queries. Recursion is automatically disabled when the or \fI+trace\fR query options are used. -.TP 3n +.RE +.PP \fB+[no]nssearch\fR +.RS 4 When this option is set, \fBdig\fR attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. -.TP 3n +.RE +.PP \fB+[no]trace\fR +.RS 4 Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, \fBdig\fR makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. -.TP 3n +.RE +.PP \fB+[no]cmd\fR +.RS 4 toggles the printing of the initial comment in the output identifying the version of \fBdig\fR and the query options that have been applied. This comment is printed by default. -.TP 3n +.RE +.PP \fB+[no]short\fR +.RS 4 Provide a terse answer. The default is to print the answer in a verbose form. -.TP 3n +.RE +.PP \fB+[no]identify\fR +.RS 4 Show [or do not show] the IP address and port number that supplied the answer when the \fI+short\fR option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. -.TP 3n +.RE +.PP \fB+[no]comments\fR +.RS 4 Toggle the display of comment lines in the output. The default is to print comments. -.TP 3n +.RE +.PP \fB+[no]stats\fR +.RS 4 This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics. -.TP 3n +.RE +.PP \fB+[no]qr\fR +.RS 4 Print [do not print] the query as it is sent. By default, the query is not printed. 
-.TP 3n +.RE +.PP \fB+[no]question\fR +.RS 4 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. -.TP 3n +.RE +.PP \fB+[no]answer\fR +.RS 4 Display [do not display] the answer section of a reply. The default is to display it. -.TP 3n +.RE +.PP \fB+[no]authority\fR +.RS 4 Display [do not display] the authority section of a reply. The default is to display it. -.TP 3n +.RE +.PP \fB+[no]additional\fR +.RS 4 Display [do not display] the additional section of a reply. The default is to display it. -.TP 3n +.RE +.PP \fB+[no]all\fR +.RS 4 Set or clear all display flags. -.TP 3n +.RE +.PP \fB+time=T\fR +.RS 4 Sets the timeout for a query to \fIT\fR seconds. The default time out is 5 seconds. An attempt to set \fIT\fR to less than 1 will result in a query timeout of 1 second being applied. -.TP 3n +.RE +.PP \fB+tries=T\fR +.RS 4 Sets the number of times to try UDP queries to server to \fIT\fR instead of the default, 3. If \fIT\fR is less than or equal to zero, the number of tries is silently rounded up to 1. -.TP 3n +.RE +.PP \fB+retry=T\fR +.RS 4 Sets the number of times to retry UDP queries to server to \fIT\fR instead of the default, 2. Unlike \fI+tries\fR, this does not include the initial query. -.TP 3n +.RE +.PP \fB+ndots=D\fR +.RS 4 Set the number of dots that have to appear in \fIname\fR to 
@@ -339,30 +426,51 @@ or \fBdomain\fR directive in \fI/etc/resolv.conf\fR. -.TP 3n +.RE +.PP \fB+bufsize=B\fR +.RS 4 Set the UDP message buffer size advertised using EDNS0 to \fIB\fR -bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. -.TP 3n +bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent. +.RE +.PP +\fB+edns=#\fR +.RS 4 +Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +\fB+noedns\fR +clears the remembered EDNS version. +.RE +.PP \fB+[no]multiline\fR +.RS 4 Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the \fBdig\fR output. -.TP 3n +.RE +.PP \fB+[no]fail\fR +.RS 4 Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour. -.TP 3n +.RE +.PP \fB+[no]besteffort\fR +.RS 4 Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -.TP 3n +.RE +.PP \fB+[no]dnssec\fR +.RS 4 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -.TP 3n +.RE +.PP \fB+[no]sigchase\fR +.RS 4 Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE. -.TP 3n +.RE +.PP \fB+trusted\-key=####\fR +.RS 4 Specifies a file containing trusted keys to be used with \fB+sigchase\fR. Each DNSKEY record must be on its own line. .sp 
@@ -375,9 +483,12 @@ then in the current directory. .sp Requires dig be compiled with \-DDIG_SIGCHASE. -.TP 3n +.RE +.PP \fB+[no]topdown\fR +.RS 4 When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE. +.RE .SH "MULTIPLE QUERIES" .PP The BIND 9 implementation of @@ -394,7 +505,7 @@ A global set of query options, which should be applied to all queries, can also \fB+[no]cmd\fR option) can be overridden by a query\-specific set of query options. For example: .sp -.RS 3n +.RS 4 .nf dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr .fi @@ -414,6 +525,17 @@ which means that \fBdig\fR will not print the initial query when it looks up the NS records for isc.org. +.SH "IDN SUPPORT" +.PP +If +\fBdig\fR +has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names. +\fBdig\fR +appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the +\fBIDN_DISABLE\fR +environment variable. The IDN support is disabled if the variable is set when +\fBdig\fR +runs. .SH "FILES" .PP \fI/etc/resolv.conf\fR @@ -425,8 +547,11 @@ isc.org. \fBnamed\fR(8), \fBdnssec\-keygen\fR(8), RFC1035. -.SH "BUGS " +.SH "BUGS" .PP There are probably too many query options. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c index 619e029..dd80199 100644 --- a/contrib/bind9/bin/dig/dig.c +++ b/contrib/bind9/bin/dig/dig.c 
@@ -15,7 +15,9 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: dig.c,v 1.157.2.13.2.31 2006/07/22 23:52:57 marka Exp $ */
+/* $Id: dig.c,v 1.186.18.26 2006/07/21 23:52:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 #include <stdlib.h>
@@ -40,6 +42,7 @@
 #include <dns/rdatatype.h>
 #include <dns/rdataclass.h>
 #include <dns/result.h>
+#include <dns/tsig.h>
 
 #include <bind9/getaddresses.h>
 
@@ -67,6 +70,7 @@ static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
 ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
 multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
 
+/*% opcode text */
 static const char *opcodetext[] = {
 "QUERY",
 "IQUERY",
@@ -86,6 +90,7 @@ static const char *opcodetext[] = {
 "RESERVED15"
 };
 
+/*% return code text */
 static const char *rcodetext[] = {
 "NOERROR",
 "FORMERR",
@@ -106,6 +111,7 @@ static const char *rcodetext[] = {
 "BADVERS"
 };
 
+/*% print usage */
 static void
 print_usage(FILE *fp) {
 fputs(
@@ -122,11 +128,13 @@ usage(void) {
 exit(1);
 }
 
+/*% version */
 static void
 version(void) {
 fputs("DiG " VERSION "\n", stderr);
 }
 
+/*% help */
 static void
 help(void) {
 print_usage(stdout);
@@ -141,10 +149,11 @@ help(void) {
 " -f filename (batch mode)\n"
 " -b address[#port] (bind to source address/port)\n"
 " -p port (specify port number)\n"
+" -q name (specify query name)\n"
 " -t type (specify query type)\n"
 " -c class (specify query class)\n"
 " -k keyfile (specify tsig key file)\n"
-" -y name:key (specify named base64 tsig key)\n"
+" -y [hmac:]name:key (specify named base64 tsig key)\n"
 " -4 (use IPv4 query transport only)\n"
 " -6 (use IPv6 query transport only)\n"
 " d-opt is of the form +keyword[=value], where keyword is:\n"
@@ -156,7 +165,9 @@ help(void) {
 " +domain=### (Set default domainname)\n"
 " +bufsize=### (Set EDNS0 Max UDP packet size)\n"
 " +ndots=### (Set NDOTS value)\n"
+" +edns=### (Set EDNS version)\n"
 " +[no]search (Set whether to use searchlist)\n"
+" +[no]showsearch (Search with intermediate results)\n"
 " +[no]defname (Ditto)\n"
 " +[no]recurse (Recursive mode)\n"
 " +[no]ignore (Don't revert to TCP for TC responses.)"
@@ -198,7 +209,7 @@ help(void) {
 stdout);
 }
 
-/*
+/*%
 * Callback from dighost.c to print the received message.
 */
 void
@@ -219,10 +230,12 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 time(&tnow);
 printf(";; WHEN: %s", ctime(&tnow));
 if (query->lookup->doing_xfr) {
- printf(";; XFR size: %u records (messages %u)\n",
- query->rr_count, query->msg_count);
+ printf(";; XFR size: %u records (messages %u, "
+ "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
+ query->rr_count, query->msg_count,
+ query->byte_count);
 } else {
- printf(";; MSG SIZE rcvd: %d\n", bytes);
+ printf(";; MSG SIZE rcvd: %u\n", bytes);
 }
 
 if (key != NULL) {
@@ -236,8 +249,11 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 puts("");
 } else if (query->lookup->identify && !short_form) {
 diff = isc_time_microdiff(&now, &query->time_sent);
- printf(";; Received %u bytes from %s(%s) in %d ms\n\n",
- bytes, fromtext, query->servname,
+ printf(";; Received %" ISC_PRINT_QUADFORMAT "u bytes "
+ "from %s(%s) in %d ms\n\n",
+ query->lookup->doing_xfr ?
+ query->byte_count : (isc_uint64_t)bytes,
+ fromtext, query->servname,
 (int)diff/1000);
 }
 }
@@ -253,7 +269,7 @@ trying(char *frm, dig_lookup_t *lookup) {
 UNUSED(lookup);
 }
 
-/*
+/*%
 * Internal print routine used to print short form replies.
 */
 static isc_result_t
@@ -283,7 +299,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
 * short_form message print handler. Calls above say_message()
 */
 static isc_result_t
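Review bot: `bytes` is an `int` per received()'s signature in the hunk header, but the changed line `printf(";; MSG SIZE rcvd: %u\n", bytes);` now formats it with `%u`; passing a signed argument to an unsigned conversion is undefined behaviour by the letter of the standard and trips -Wformat, so either keep `%d` or cast explicitly, `printf(";; MSG SIZE rcvd: %u\n", (unsigned int)bytes);`. The second received() hunk does cast (`(isc_uint64_t)bytes`) before handing the value to the ISC_PRINT_QUADFORMAT conversion, so the two hunks are inconsistent with each other. received()'s body continues outside the hunk.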
@@ -475,7 +491,16 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 msg->counts[DNS_SECTION_ANSWER],
 msg->counts[DNS_SECTION_AUTHORITY],
 msg->counts[DNS_SECTION_ADDITIONAL]);
+
+ if (msg != query->lookup->sendmsg &&
+ (msg->flags & DNS_MESSAGEFLAG_RD) != 0 &&
+ (msg->flags & DNS_MESSAGEFLAG_RA) == 0)
+ printf(";; WARNING: recursion requested "
+ "but not available\n");
 }
+ if (msg != query->lookup->sendmsg && extrabytes != 0U)
+ printf(";; WARNING: Messages has %u extra byte%s at "
+ "end\n", extrabytes, extrabytes != 0 ? "s" : "");
 }
 
 repopulate_buffer:
@@ -578,7 +603,7 @@ cleanup:
 return (result);
 }
 
-/*
+/*%
 * print the greeting message when the program first starts up.
 */
 static void
@@ -625,7 +650,7 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 }
 }
 
-/*
+/*%
 * Reorder an argument list so that server names all come at the end.
 * This is a bit of a hack, to allow batch-mode processing to properly
 * handle the server options.
@@ -674,7 +699,7 @@ parse_uint(char *arg, const char *desc, isc_uint32_t max) {
 return (tmp);
 }
 
-/*
+/*%
 * We're not using isc_commandline_parse() here since the command line
 * syntax of dig is quite a bit different from that which can be described
 * by that routine.
@@ -814,6 +839,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 break;
 case 'n': /* dnssec */
 FULLCHECK("dnssec");
+ if (state && lookup->edns == -1)
+ lookup->edns = 0;
 lookup->dnssec = state;
 break;
 case 'o': /* domain */
@@ -829,6 +856,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 goto invalid_option;
 }
 break;
+ case 'e':
+ FULLCHECK("edns");
+ if (!state) {
+ lookup->edns = -1;
+ break;
+ }
+ if (value == NULL)
+ goto need_value;
+ lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
+ break;
 case 'f': /* fail */
 FULLCHECK("fail");
 lookup->servfail_stops = state;
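Review bot: The plural selector in the new extra-bytes warning, `extrabytes != 0 ? "s" : ""`, can never yield "" because the printf is only reached when `extrabytes != 0U`; presumably `extrabytes != 1 ? "s" : ""` was intended, and the text "Messages has" should read "Message has". The declaration of extrabytes is not in the hunk, so check that it is an unsigned int to match `%u`. printmessage() continues outside the hunk.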
@@ -928,17 +965,30 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 FULLCHECK("search");
 usesearch = state;
 break;
- case 'h': /* short */
- FULLCHECK("short");
- short_form = state;
- if (state) {
- printcmd = ISC_FALSE;
- lookup->section_additional = ISC_FALSE;
- lookup->section_answer = ISC_TRUE;
- lookup->section_authority = ISC_FALSE;
- lookup->section_question = ISC_FALSE;
- lookup->comments = ISC_FALSE;
- lookup->stats = ISC_FALSE;
+ case 'h':
+ if (cmd[2] != 'o')
+ goto invalid_option;
+ switch (cmd[3]) {
+ case 'r': /* short */
+ FULLCHECK("short");
+ short_form = state;
+ if (state) {
+ printcmd = ISC_FALSE;
+ lookup->section_additional = ISC_FALSE;
+ lookup->section_answer = ISC_TRUE;
+ lookup->section_authority = ISC_FALSE;
+ lookup->section_question = ISC_FALSE;
+ lookup->comments = ISC_FALSE;
+ lookup->stats = ISC_FALSE;
+ }
+ break;
+ case 'w': /* showsearch */
+ FULLCHECK("showsearch");
+ showsearch = state;
+ usesearch = state;
+ break;
+ default:
+ goto invalid_option;
 }
 break;
 #ifdef DIG_SIGCHASE
@@ -1047,16 +1097,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 return;
 }
 
-/*
- * ISC_TRUE returned if value was used
+/*%
+ * #ISC_TRUE returned if value was used
 */
 static const char *single_dash_opts = "46dhimnv";
 static const char *dash_opts = "46bcdfhikmnptvyx";
 static isc_boolean_t
 dash_option(char *option, char *next, dig_lookup_t **lookup,
- isc_boolean_t *open_type_class)
+ isc_boolean_t *open_type_class, isc_boolean_t config_only)
 {
- char opt, *value, *ptr;
+ char opt, *value, *ptr, *ptr2, *ptr3;
 isc_result_t result;
 isc_boolean_t value_from_next;
 isc_textregion_t tr;
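Review bot: In the new `case 'w'` branch, `+noshowsearch` also clears `usesearch`, so `+search +noshowsearch` ends with the search list disabled even though the help text only describes showing intermediate results; if showsearch is meant as a display mode layered on +search, write `if (state) usesearch = state;` or document the coupling in the man page. `cmd[2]` and `cmd[3]` are read with no length check, which is safe only if cmd is NUL-terminated (it appears to be the option keyword) so that "sh" and "sho" stop at the terminator; a one-line comment such as `/* cmd is NUL-terminated: "sh"/"sho" reach invalid_option */` would make that explicit. plus_option() continues outside the hunk.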
@@ -1189,6 +1239,20 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 case 'p':
 port = (in_port_t) parse_uint(value, "port number", MAXPORT);
 return (value_from_next);
+ case 'q':
+ if (!config_only) {
+ (*lookup) = clone_lookup(default_lookup,
+ ISC_TRUE);
+ strncpy((*lookup)->textname, value,
+ sizeof((*lookup)->textname));
+ (*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
+ (*lookup)->trace_root = ISC_TF((*lookup)->trace ||
+ (*lookup)->ns_search_only);
+ (*lookup)->new_search = ISC_TRUE;
+ ISC_LIST_APPEND(lookup_list, (*lookup), link);
+ debug("looking up %s", (*lookup)->textname);
+ }
+ return (value_from_next);
 case 't':
 *open_type_class = ISC_FALSE;
 if (strncasecmp(value, "ixfr=", 5) == 0) {
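Review bot: `dash_opts` in the preceding hunk still reads "46bcdfhikmnptvyx" and does not list the new 'q'; if that table is consulted to recognise options that take a value, `-q name` never reaches this case, and if it is unused it is now stale either way — add 'q' or drop the table. When `config_only` is set the option is silently consumed; a `debug()` line or a warning would make `-q` in a defaults file less surprising. The new `config_only` parameter is also undocumented in the `/*% ... */` header above dash_option(); suggest `* config_only: when set, options that would create a lookup are ignored.` dash_option() continues outside the hunk.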
@@ -1232,16 +1296,83 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 value);
 return (value_from_next);
 case 'y':
- ptr = next_token(&value,":");
+ ptr = next_token(&value,":"); /* hmac type or name */
 if (ptr == NULL) {
 usage();
 }
+ ptr2 = next_token(&value, ":"); /* name or secret */
+ if (ptr2 == NULL)
+ usage();
+ ptr3 = next_token(&value,":"); /* secret or NULL */
+ if (ptr3 != NULL) {
+ if (strcasecmp(ptr, "hmac-md5") == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = parse_uint(&ptr[9],
+ "digest-bits [0..128]",
+ 128);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha1") == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = parse_uint(&ptr[10],
+ "digest-bits [0..160]",
+ 160);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha224") == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..224]",
+ 224);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha256") == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..256]",
+ 256);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha384") == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..384]",
+ 384);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha512") == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..512]",
+ 512);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else {
+ fprintf(stderr, ";; Warning, ignoring "
+ "invalid TSIG algorithm %s\n", ptr);
+ return (value_from_next);
+ }
+ ptr = ptr2;
+ ptr2 = ptr3;
+ } else {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = 0;
+ }
 strncpy(keynametext, ptr, sizeof(keynametext));
 keynametext[sizeof(keynametext)-1]=0;
- ptr = next_token(&value, "");
- if (ptr == NULL)
- usage();
- strncpy(keysecret, ptr, sizeof(keysecret));
+ strncpy(keysecret, ptr2, sizeof(keysecret));
 keysecret[sizeof(keysecret)-1]=0;
 return (value_from_next);
 case 'x':
@@ -1273,10 +1404,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 return (ISC_FALSE);
 }
 
-/*
+/*%
 * Because we may be trying to do memory allocation recording, we're going
 * to need to parse the arguments for the -m *before* we start the main
 * argument parsing routine.
+ *
 * I'd prefer not to have to do this, but I am not quite sure how else to
 * fix the problem. Argument parsing in dig involves memory allocation
 * by its nature, so it can't be done in the main argument parser.
@@ -1421,13 +1553,15 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 } else if (rv[0][0] == '-') {
 if (rc <= 1) {
 if (dash_option(&rv[0][1], NULL,
- &lookup, &open_type_class)) {
+ &lookup, &open_type_class,
+ config_only)) {
 rc--;
 rv++;
 }
 } else {
 if (dash_option(&rv[0][1], rv[1],
- &lookup, &open_type_class)) {
+ &lookup, &open_type_class,
+ config_only)) {
 rc--;
 rv++;
 }
@@ -1621,6 +1755,7 @@ dighost_shutdown(void) {
 }
 }
 
+/*% Main processing routine for dig */
 int
 main(int argc, char **argv) {
 isc_result_t result;
diff --git a/contrib/bind9/bin/dig/dig.docbook b/contrib/bind9/bin/dig/dig.docbook
index 87c98ae..be01a86 100644
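Review bot: In the three-token form, an unrecognised algorithm name only prints `;; Warning, ignoring invalid TSIG algorithm` and returns before keynametext/keysecret are set, so the lookup goes out unsigned — a fail-open default for an option whose purpose is authentication; handle it like the other malformed `-y` inputs in this case and call `usage();` instead of `return (value_from_next);`. The `hmac-*-N` forms accept any digest length from 0 up to the full output once rounded to a byte boundary, but RFC 4635 requires a truncated MAC to be at least 80 bits and at least half the algorithm's output, so smaller values are better rejected here with a clear message than discovered as a BADTRUNC reply from the server. The six algorithm branches differ only in the name, its prefix length, the DNS_TSIG_*_NAME constant and the maximum bit count; a static table iterated with strncasecmp would be shorter and easier to audit than the repeated else-if chain. dash_option() continues outside the hunk.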
--- a/contrib/bind9/bin/dig/dig.docbook +++ b/contrib/bind9/bin/dig/dig.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,24 +18,30 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dig.docbook,v 1.4.2.7.4.12 2005/08/30 00:50:29 marka Exp $ --> +<!-- $Id: dig.docbook,v 1.17.18.17 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.dig"> -<refentry> + <refentryinfo> + <date>Jun 30, 2000</date> + </refentryinfo> -<refentryinfo> -<date>Jun 30, 2000</date> -</refentryinfo> + <refmeta> + <refentrytitle>dig</refentrytitle> + <manvolnum>1</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> -<refmeta> -<refentrytitle>dig</refentrytitle> -<manvolnum>1</manvolnum> -<refmiscinfo>BIND9</refmiscinfo> -</refmeta> + <refnamediv> + <refname>dig</refname> + <refpurpose>DNS lookup utility</refpurpose> + </refnamediv> <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> 
@@ -47,595 +53,884 @@ </copyright> </docinfo> -<refnamediv> -<refname>dig</refname> -<refpurpose>DNS lookup utility</refpurpose> -</refnamediv> - -<refsynopsisdiv> -<cmdsynopsis> -<command>dig</command> -<arg choice="opt">@server</arg> -<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg> -<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> -<arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg> -<arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg> -<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg> -<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> -<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg> -<arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg> -<arg><option>-4</option></arg> -<arg><option>-6</option></arg> -<arg choice="opt">name</arg> -<arg choice="opt">type</arg> -<arg choice="opt">class</arg> -<arg choice="opt" rep="repeat">queryopt</arg> -</cmdsynopsis> - -<cmdsynopsis> -<command>dig</command> -<arg><option>-h</option></arg> -</cmdsynopsis> - -<cmdsynopsis> -<command>dig</command> -<arg choice="opt" rep="repeat">global-queryopt</arg> -<arg choice="opt" rep="repeat">query</arg> -</cmdsynopsis> -</refsynopsisdiv> - -<refsect1> -<title>DESCRIPTION</title> -<para> -<command>dig</command> (domain information groper) is a flexible tool -for interrogating DNS name servers. It performs DNS lookups and -displays the answers that are returned from the name server(s) that -were queried. Most DNS administrators use <command>dig</command> to -troubleshoot DNS problems because of its flexibility, ease of use and -clarity of output. Other lookup tools tend to have less functionality -than <command>dig</command>. 
-</para> - -<para> -Although <command>dig</command> is normally used with command-line -arguments, it also has a batch mode of operation for reading lookup -requests from a file. A brief summary of its command-line arguments -and options is printed when the <option>-h</option> option is given. -Unlike earlier versions, the BIND9 implementation of -<command>dig</command> allows multiple lookups to be issued from the -command line. -</para> - -<para> -Unless it is told to query a specific name server, -<command>dig</command> will try each of the servers listed in -<filename>/etc/resolv.conf</filename>. -</para> - -<para> -When no command line arguments or options are given, will perform an -NS query for "." (the root). -</para> - -<para> -It is possible to set per-user defaults for <command>dig</command> via -<filename>${HOME}/.digrc</filename>. This file is read and any options in it -are applied before the command line arguments. -</para> - -</refsect1> - -<refsect1> -<title>SIMPLE USAGE</title> - -<para> -A typical invocation of <command>dig</command> looks like: -<programlisting> dig @server name type </programlisting> where: - -<variablelist> - -<varlistentry><term><constant>server</constant></term> -<listitem><para> -is the name or IP address of the name server to query. This can be an IPv4 -address in dotted-decimal notation or an IPv6 -address in colon-delimited notation. When the supplied -<parameter>server</parameter> argument is a hostname, -<command>dig</command> resolves that name before querying that name -server. If no <parameter>server</parameter> argument is provided, -<command>dig</command> consults <filename>/etc/resolv.conf</filename> -and queries the name servers listed there. The reply from the name -server that responds is displayed. -</para></listitem></varlistentry> - -<varlistentry><term><constant>name</constant></term> -<listitem><para> -is the name of the resource record that is to be looked up. 
-</para></listitem></varlistentry> - -<varlistentry><term><constant>type</constant></term> -<listitem><para> -indicates what type of query is required — -ANY, A, MX, SIG, etc. -<parameter>type</parameter> can be any valid query type. If no -<parameter>type</parameter> argument is supplied, -<command>dig</command> will perform a lookup for an A record. -</para></listitem></varlistentry> - -</variablelist> -</para> - -</refsect1> - -<refsect1> -<title>OPTIONS</title> - -<para> -The <option>-b</option> option sets the source IP address of the query -to <parameter>address</parameter>. This must be a valid address on -one of the host's network interfaces or "0.0.0.0" or "::". An optional port -may be specified by appending "#<port>" -</para> - -<para> -The default query class (IN for internet) is overridden by the -<option>-c</option> option. <parameter>class</parameter> is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records. -</para> - -<para> -The <option>-f</option> option makes <command>dig </command> operate -in batch mode by reading a list of lookup requests to process from the -file <parameter>filename</parameter>. The file contains a number of -queries, one per line. Each entry in the file should be organised in -the same way they would be presented as queries to -<command>dig</command> using the command-line interface. -</para> - -<para> -If a non-standard port number is to be queried, the -<option>-p</option> option is used. <parameter>port#</parameter> is -the port number that <command>dig</command> will send its queries -instead of the standard DNS port number 53. This option would be used -to test a name server that has been configured to listen for queries -on a non-standard port number. -</para> - -<para> -The <option>-4</option> option forces <command>dig</command> to only -use IPv4 query transport. The <option>-6</option> option forces -<command>dig</command> to only use IPv6 query transport. 
-</para> - -<para> -The <option>-t</option> option sets the query type to -<parameter>type</parameter>. It can be any valid query type which is -supported in BIND9. The default query type "A", unless the -<option>-x</option> option is supplied to indicate a reverse lookup. -A zone transfer can be requested by specifying a type of AXFR. When -an incremental zone transfer (IXFR) is required, -<parameter>type</parameter> is set to <literal>ixfr=N</literal>. -The incremental zone transfer will contain the changes made to the zone -since the serial number in the zone's SOA record was -<parameter>N</parameter>. -</para> - -<para> -Reverse lookups - mapping addresses to names - are simplified by the -<option>-x</option> option. <parameter>addr</parameter> is an IPv4 -address in dotted-decimal notation, or a colon-delimited IPv6 address. -When this option is used, there is no need to provide the -<parameter>name</parameter>, <parameter>class</parameter> and -<parameter>type</parameter> arguments. <command>dig</command> -automatically performs a lookup for a name like -<literal>11.12.13.10.in-addr.arpa</literal> and sets the query type and -class to PTR and IN respectively. By default, IPv6 addresses are -looked up using nibble format under the IP6.ARPA domain. -To use the older RFC1886 method using the IP6.INT domain -specify the <option>-i</option> option. Bit string labels (RFC2874) -are now experimental and are not attempted. -</para> - -<para> -To sign the DNS queries sent by <command>dig</command> and their -responses using transaction signatures (TSIG), specify a TSIG key file -using the <option>-k</option> option. You can also specify the TSIG -key itself on the command line using the <option>-y</option> option; -<parameter>name</parameter> is the name of the TSIG key and -<parameter>key</parameter> is the actual key. 
The key is a base-64 -encoded string, typically generated by <citerefentry> -<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>. - -Caution should be taken when using the <option>-y</option> option on -multi-user systems as the key can be visible in the output from -<citerefentry> <refentrytitle>ps</refentrytitle><manvolnum>1 -</manvolnum> </citerefentry> or in the shell's history file. When -using TSIG authentication with <command>dig</command>, the name -server that is queried needs to know the key and algorithm that is -being used. In BIND, this is done by providing appropriate -<command>key</command> and <command>server</command> statements in -<filename>named.conf</filename>. -</para> - -</refsect1> - -<refsect1> -<title>QUERY OPTIONS</title> - -<para> -<command>dig</command> provides a number of query options which affect -the way in which lookups are made and the results displayed. Some of -these set or reset flag bits in the query header, some determine which -sections of the answer get printed, and others determine the timeout -and retry strategies. -</para> - -<para> -Each query option is identified by a keyword preceded by a plus sign -(<literal>+</literal>). Some keywords set or reset an option. These may be preceded -by the string <literal>no</literal> to negate the meaning of that keyword. Other -keywords assign values to options like the timeout interval. They -have the form <option>+keyword=value</option>. -The query options are: - -<variablelist> - -<varlistentry><term><option>+[no]tcp</option></term> -<listitem><para> -Use [do not use] TCP when querying name servers. The default -behaviour is to use UDP unless an AXFR or IXFR query is requested, in -which case a TCP connection is used. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]vc</option></term> -<listitem><para> -Use [do not use] TCP when querying name servers. 
This alternate -syntax to <parameter>+[no]tcp</parameter> is provided for backwards -compatibility. The "vc" stands for "virtual circuit". -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]ignore</option></term> -<listitem><para> -Ignore truncation in UDP responses instead of retrying with TCP. By -default, TCP retries are performed. -</para></listitem></varlistentry> - -<varlistentry><term><option>+domain=somename</option></term> -<listitem><para> -Set the search list to contain the single domain -<parameter>somename</parameter>, as if specified in a -<command>domain</command> directive in -<filename>/etc/resolv.conf</filename>, and enable search list -processing as if the <parameter>+search</parameter> option were given. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]search</option></term> -<listitem><para> -Use [do not use] the search list defined by the searchlist or domain -directive in <filename>resolv.conf</filename> (if any). -The search list is not used by default. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]defname</option></term> -<listitem><para> -Deprecated, treated as a synonym for <parameter>+[no]search</parameter> -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]aaonly</option></term> -<listitem><para> -Sets the "aa" flag in the query. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]aaflag</option></term> -<listitem><para> -A synonym for <parameter>+[no]aaonly</parameter>. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]adflag</option></term> -<listitem><para> -Set [do not set] the AD (authentic data) bit in the query. The AD bit -currently has a standard meaning only in responses, not in queries, -but the ability to set the bit in the query is provided for -completeness. 
-</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]cdflag</option></term> -<listitem><para> -Set [do not set] the CD (checking disabled) bit in the query. This -requests the server to not perform DNSSEC validation of responses. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]cl</option></term> -<listitem><para> -Display [do not display] the CLASS when printing the record. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]ttlid</option></term> -<listitem><para> -Display [do not display] the TTL when printing the record. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]recurse</option></term> -<listitem><para> -Toggle the setting of the RD (recursion desired) bit in the query. -This bit is set by default, which means <command>dig</command> -normally sends recursive queries. Recursion is automatically disabled -when the <parameter>+nssearch</parameter> or -<parameter>+trace</parameter> query options are used. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]nssearch</option></term> -<listitem><para> -When this option is set, <command>dig</command> attempts to find the -authoritative name servers for the zone containing the name being -looked up and display the SOA record that each name server has for the -zone. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]trace</option></term> -<listitem><para> -Toggle tracing of the delegation path from the root name servers for -the name being looked up. Tracing is disabled by default. When -tracing is enabled, <command>dig</command> makes iterative queries to -resolve the name being looked up. It will follow referrals from the -root servers, showing the answer from each server that was used to -resolve the lookup. 
-</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]cmd</option></term> -<listitem><para> -toggles the printing of the initial comment in the output identifying -the version of <command>dig</command> and the query options that have -been applied. This comment is printed by default. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]short</option></term> -<listitem><para> -Provide a terse answer. The default is to print the answer in a -verbose form. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]identify</option></term> -<listitem><para> -Show [or do not show] the IP address and port number that supplied the -answer when the <parameter>+short</parameter> option is enabled. If -short form answers are requested, the default is not to show the -source address and port number of the server that provided the answer. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]comments</option></term> -<listitem><para> -Toggle the display of comment lines in the output. The default is to -print comments. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]stats</option></term> -<listitem><para> -This query option toggles the printing of statistics: when the query -was made, the size of the reply and so on. The default behaviour is -to print the query statistics. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]qr</option></term> -<listitem><para> -Print [do not print] the query as it is sent. -By default, the query is not printed. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]question</option></term> -<listitem><para> -Print [do not print] the question section of a query when an answer is -returned. The default is to print the question section as a comment. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]answer</option></term> -<listitem><para> -Display [do not display] the answer section of a reply. 
The default -is to display it. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]authority</option></term> -<listitem><para> -Display [do not display] the authority section of a reply. The -default is to display it. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]additional</option></term> -<listitem><para> -Display [do not display] the additional section of a reply. -The default is to display it. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]all</option></term> -<listitem><para> -Set or clear all display flags. -</para></listitem></varlistentry> - -<varlistentry><term><option>+time=T</option></term> -<listitem><para> - -Sets the timeout for a query to -<parameter>T</parameter> seconds. The default time out is 5 seconds. -An attempt to set <parameter>T</parameter> to less than 1 will result -in a query timeout of 1 second being applied. -</para></listitem></varlistentry> - -<varlistentry><term><option>+tries=T</option></term> -<listitem><para> -Sets the number of times to try UDP queries to server to -<parameter>T</parameter> instead of the default, 3. If -<parameter>T</parameter> is less than or equal to zero, the number of -tries is silently rounded up to 1. -</para></listitem></varlistentry> - -<varlistentry><term><option>+retry=T</option></term> -<listitem><para> -Sets the number of times to retry UDP queries to server to -<parameter>T</parameter> instead of the default, 2. Unlike -<parameter>+tries</parameter>, this does not include the initial -query. -</para></listitem></varlistentry> - -<varlistentry><term><option>+ndots=D</option></term> -<listitem><para> -Set the number of dots that have to appear in -<parameter>name</parameter> to <parameter>D</parameter> for it to be -considered absolute. The default value is that defined using the -ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no -ndots statement is present. 
Names with fewer dots are interpreted as -relative names and will be searched for in the domains listed in the -<option>search</option> or <option>domain</option> directive in -<filename>/etc/resolv.conf</filename>. -</para></listitem></varlistentry> - -<varlistentry><term><option>+bufsize=B</option></term> -<listitem><para> -Set the UDP message buffer size advertised using EDNS0 to -<parameter>B</parameter> bytes. The maximum and minimum sizes of this -buffer are 65535 and 0 respectively. Values outside this range are -rounded up or down appropriately. -</para> -</listitem></varlistentry> - -<varlistentry><term><option>+[no]multiline</option></term> -<listitem><para> -Print records like the SOA records in a verbose multi-line -format with human-readable comments. The default is to print -each record on a single line, to facilitate machine parsing -of the <command>dig</command> output. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]fail</option></term> -<listitem><para> -Do not try the next server if you receive a SERVFAIL. The default is -to not try the next server which is the reverse of normal stub resolver -behaviour. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]besteffort</option></term> -<listitem><para> -Attempt to display the contents of messages which are malformed. -The default is to not display malformed answers. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]dnssec</option></term> -<listitem><para> -Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the OPT record in the additional section of the query. -</para></listitem></varlistentry> - -<varlistentry><term><option>+[no]sigchase</option></term> -<listitem><para> -Chase DNSSEC signature chains. Requires dig be compiled with --DDIG_SIGCHASE. 
-</para></listitem></varlistentry> + <refsynopsisdiv> + <cmdsynopsis> + <command>dig</command> + <arg choice="opt">@server</arg> + <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg> + <arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg> + <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg> + <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg> + <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> + <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg> + <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg> + <arg><option>-4</option></arg> + <arg><option>-6</option></arg> + <arg choice="opt">name</arg> + <arg choice="opt">type</arg> + <arg choice="opt">class</arg> + <arg choice="opt" rep="repeat">queryopt</arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>dig</command> + <arg><option>-h</option></arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>dig</command> + <arg choice="opt" rep="repeat">global-queryopt</arg> + <arg choice="opt" rep="repeat">query</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para><command>dig</command> + (domain information groper) is a flexible tool + for interrogating DNS name servers. It performs DNS lookups and + displays the answers that are returned from the name server(s) that + were queried. Most DNS administrators use <command>dig</command> to + troubleshoot DNS problems because of its flexibility, ease of use and + clarity of output. Other lookup tools tend to have less functionality + than <command>dig</command>. 
+ </para> + + <para> + Although <command>dig</command> is normally used with + command-line + arguments, it also has a batch mode of operation for reading lookup + requests from a file. A brief summary of its command-line arguments + and options is printed when the <option>-h</option> option is given. + Unlike earlier versions, the BIND9 implementation of + <command>dig</command> allows multiple lookups to be issued + from the + command line. + </para> + + <para> + Unless it is told to query a specific name server, + <command>dig</command> will try each of the servers listed + in + <filename>/etc/resolv.conf</filename>. + </para> + + <para> + When no command line arguments or options are given, will perform an + NS query for "." (the root). + </para> + + <para> + It is possible to set per-user defaults for <command>dig</command> via + <filename>${HOME}/.digrc</filename>. This file is read and + any options in it + are applied before the command line arguments. + </para> + + <para> + The IN and CH class names overlap with the IN and CH top level + domains names. Either use the <option>-t</option> and + <option>-c</option> options to specify the type and class or + use the <option>-q</option> the specify the domain name or + use "IN." and "CH." when looking up these top level domains. + </para> + + </refsect1> + + <refsect1> + <title>SIMPLE USAGE</title> + + <para> + A typical invocation of <command>dig</command> looks like: + <programlisting> dig @server name type </programlisting> + where: + + <variablelist> + + <varlistentry> + <term><constant>server</constant></term> + <listitem> + <para> + is the name or IP address of the name server to query. This can + be an IPv4 + address in dotted-decimal notation or an IPv6 + address in colon-delimited notation. When the supplied + <parameter>server</parameter> argument is a + hostname, + <command>dig</command> resolves that name before + querying that name + server. 
If no <parameter>server</parameter> + argument is provided, + <command>dig</command> consults <filename>/etc/resolv.conf</filename> + and queries the name servers listed there. The reply from the + name + server that responds is displayed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>name</constant></term> + <listitem> + <para> + is the name of the resource record that is to be looked up. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>type</constant></term> + <listitem> + <para> + indicates what type of query is required — + ANY, A, MX, SIG, etc. + <parameter>type</parameter> can be any valid query + type. If no + <parameter>type</parameter> argument is supplied, + <command>dig</command> will perform a lookup for an + A record. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <para> + The <option>-b</option> option sets the source IP address of the query + to <parameter>address</parameter>. This must be a valid + address on + one of the host's network interfaces or "0.0.0.0" or "::". An optional + port + may be specified by appending "#<port>" + </para> + + <para> + The default query class (IN for internet) is overridden by the + <option>-c</option> option. <parameter>class</parameter> is + any valid + class, such as HS for Hesiod records or CH for CHAOSNET records. + </para> + + <para> + The <option>-f</option> option makes <command>dig </command> + operate + in batch mode by reading a list of lookup requests to process from the + file <parameter>filename</parameter>. The file contains a + number of + queries, one per line. Each entry in the file should be organised in + the same way they would be presented as queries to + <command>dig</command> using the command-line interface. + </para> + + <para> + If a non-standard port number is to be queried, the + <option>-p</option> option is used. 
<parameter>port#</parameter> is + the port number that <command>dig</command> will send its + queries + instead of the standard DNS port number 53. This option would be used + to test a name server that has been configured to listen for queries + on a non-standard port number. + </para> + + <para> + The <option>-4</option> option forces <command>dig</command> + to only + use IPv4 query transport. The <option>-6</option> option forces + <command>dig</command> to only use IPv6 query transport. + </para> + + <para> + The <option>-t</option> option sets the query type to + <parameter>type</parameter>. It can be any valid query type + which is + supported in BIND9. The default query type "A", unless the + <option>-x</option> option is supplied to indicate a reverse lookup. + A zone transfer can be requested by specifying a type of AXFR. When + an incremental zone transfer (IXFR) is required, + <parameter>type</parameter> is set to <literal>ixfr=N</literal>. + The incremental zone transfer will contain the changes made to the zone + since the serial number in the zone's SOA record was + <parameter>N</parameter>. + </para> + + <para> + The <option>-q</option> option sets the query name to + <parameter>name</parameter>. This useful do distingish the + <parameter>name</parameter> from other arguments. + </para> + + <para> + Reverse lookups - mapping addresses to names - are simplified by the + <option>-x</option> option. <parameter>addr</parameter> is + an IPv4 + address in dotted-decimal notation, or a colon-delimited IPv6 address. + When this option is used, there is no need to provide the + <parameter>name</parameter>, <parameter>class</parameter> and + <parameter>type</parameter> arguments. <command>dig</command> + automatically performs a lookup for a name like + <literal>11.12.13.10.in-addr.arpa</literal> and sets the + query type and + class to PTR and IN respectively. By default, IPv6 addresses are + looked up using nibble format under the IP6.ARPA domain. 
+ To use the older RFC1886 method using the IP6.INT domain + specify the <option>-i</option> option. Bit string labels (RFC2874) + are now experimental and are not attempted. + </para> + + <para> + To sign the DNS queries sent by <command>dig</command> and + their + responses using transaction signatures (TSIG), specify a TSIG key file + using the <option>-k</option> option. You can also specify the TSIG + key itself on the command line using the <option>-y</option> option; + <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5, + <parameter>name</parameter> is the name of the TSIG key and + <parameter>key</parameter> is the actual key. The key is a + base-64 + encoded string, typically generated by + <citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + + Caution should be taken when using the <option>-y</option> option on + multi-user systems as the key can be visible in the output from + <citerefentry> + <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> + or in the shell's history file. When + using TSIG authentication with <command>dig</command>, the name + server that is queried needs to know the key and algorithm that is + being used. In BIND, this is done by providing appropriate + <command>key</command> and <command>server</command> statements in + <filename>named.conf</filename>. + </para> + + </refsect1> + + <refsect1> + <title>QUERY OPTIONS</title> + + <para><command>dig</command> + provides a number of query options which affect + the way in which lookups are made and the results displayed. Some of + these set or reset flag bits in the query header, some determine which + sections of the answer get printed, and others determine the timeout + and retry strategies. + </para> + + <para> + Each query option is identified by a keyword preceded by a plus sign + (<literal>+</literal>). Some keywords set or reset an + option. 
These may be preceded + by the string <literal>no</literal> to negate the meaning of + that keyword. Other + keywords assign values to options like the timeout interval. They + have the form <option>+keyword=value</option>. + The query options are: + + <variablelist> + + <varlistentry> + <term><option>+[no]tcp</option></term> + <listitem> + <para> + Use [do not use] TCP when querying name servers. The default + behaviour is to use UDP unless an AXFR or IXFR query is + requested, in + which case a TCP connection is used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]vc</option></term> + <listitem> + <para> + Use [do not use] TCP when querying name servers. This alternate + syntax to <parameter>+[no]tcp</parameter> is + provided for backwards + compatibility. The "vc" stands for "virtual circuit". + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]ignore</option></term> + <listitem> + <para> + Ignore truncation in UDP responses instead of retrying with TCP. + By + default, TCP retries are performed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+domain=somename</option></term> + <listitem> + <para> + Set the search list to contain the single domain + <parameter>somename</parameter>, as if specified in + a + <command>domain</command> directive in + <filename>/etc/resolv.conf</filename>, and enable + search list + processing as if the <parameter>+search</parameter> + option were given. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]search</option></term> + <listitem> + <para> + Use [do not use] the search list defined by the searchlist or + domain + directive in <filename>resolv.conf</filename> (if + any). + The search list is not used by default. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]showsearch</option></term> + <listitem> + <para> + Perform [do not perform] a search showing intermediate + results. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]defname</option></term> + <listitem> + <para> + Deprecated, treated as a synonym for <parameter>+[no]search</parameter> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]aaonly</option></term> + <listitem> + <para> + Sets the "aa" flag in the query. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]aaflag</option></term> + <listitem> + <para> + A synonym for <parameter>+[no]aaonly</parameter>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]adflag</option></term> + <listitem> + <para> + Set [do not set] the AD (authentic data) bit in the query. The + AD bit + currently has a standard meaning only in responses, not in + queries, + but the ability to set the bit in the query is provided for + completeness. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]cdflag</option></term> + <listitem> + <para> + Set [do not set] the CD (checking disabled) bit in the query. + This + requests the server to not perform DNSSEC validation of + responses. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]cl</option></term> + <listitem> + <para> + Display [do not display] the CLASS when printing the record. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]ttlid</option></term> + <listitem> + <para> + Display [do not display] the TTL when printing the record. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]recurse</option></term> + <listitem> + <para> + Toggle the setting of the RD (recursion desired) bit in the + query. 
+ This bit is set by default, which means <command>dig</command> + normally sends recursive queries. Recursion is automatically + disabled + when the <parameter>+nssearch</parameter> or + <parameter>+trace</parameter> query options are + used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]nssearch</option></term> + <listitem> + <para> + When this option is set, <command>dig</command> + attempts to find the + authoritative name servers for the zone containing the name + being + looked up and display the SOA record that each name server has + for the + zone. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]trace</option></term> + <listitem> + <para> + Toggle tracing of the delegation path from the root name servers + for + the name being looked up. Tracing is disabled by default. When + tracing is enabled, <command>dig</command> makes + iterative queries to + resolve the name being looked up. It will follow referrals from + the + root servers, showing the answer from each server that was used + to + resolve the lookup. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]cmd</option></term> + <listitem> + <para> + toggles the printing of the initial comment in the output + identifying + the version of <command>dig</command> and the query + options that have + been applied. This comment is printed by default. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]short</option></term> + <listitem> + <para> + Provide a terse answer. The default is to print the answer in a + verbose form. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]identify</option></term> + <listitem> + <para> + Show [or do not show] the IP address and port number that + supplied the + answer when the <parameter>+short</parameter> option + is enabled. 
If + short form answers are requested, the default is not to show the + source address and port number of the server that provided the + answer. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]comments</option></term> + <listitem> + <para> + Toggle the display of comment lines in the output. The default + is to + print comments. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]stats</option></term> + <listitem> + <para> + This query option toggles the printing of statistics: when the + query + was made, the size of the reply and so on. The default + behaviour is + to print the query statistics. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]qr</option></term> + <listitem> + <para> + Print [do not print] the query as it is sent. + By default, the query is not printed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]question</option></term> + <listitem> + <para> + Print [do not print] the question section of a query when an + answer is + returned. The default is to print the question section as a + comment. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]answer</option></term> + <listitem> + <para> + Display [do not display] the answer section of a reply. The + default + is to display it. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]authority</option></term> + <listitem> + <para> + Display [do not display] the authority section of a reply. The + default is to display it. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]additional</option></term> + <listitem> + <para> + Display [do not display] the additional section of a reply. + The default is to display it. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]all</option></term> + <listitem> + <para> + Set or clear all display flags. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+time=T</option></term> + <listitem> + <para> + + Sets the timeout for a query to + <parameter>T</parameter> seconds. The default time + out is 5 seconds. + An attempt to set <parameter>T</parameter> to less + than 1 will result + in a query timeout of 1 second being applied. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+tries=T</option></term> + <listitem> + <para> + Sets the number of times to try UDP queries to server to + <parameter>T</parameter> instead of the default, 3. + If + <parameter>T</parameter> is less than or equal to + zero, the number of + tries is silently rounded up to 1. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+retry=T</option></term> + <listitem> + <para> + Sets the number of times to retry UDP queries to server to + <parameter>T</parameter> instead of the default, 2. + Unlike + <parameter>+tries</parameter>, this does not include + the initial + query. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+ndots=D</option></term> + <listitem> + <para> + Set the number of dots that have to appear in + <parameter>name</parameter> to <parameter>D</parameter> for it to be + considered absolute. The default value is that defined using + the + ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no + ndots statement is present. Names with fewer dots are + interpreted as + relative names and will be searched for in the domains listed in + the + <option>search</option> or <option>domain</option> directive in + <filename>/etc/resolv.conf</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+bufsize=B</option></term> + <listitem> + <para> + Set the UDP message buffer size advertised using EDNS0 to + <parameter>B</parameter> bytes. The maximum and minimum sizes + of this buffer are 65535 and 0 respectively. 
Values outside + this range are rounded up or down appropriately. + Values other than zero will cause a EDNS query to be sent. + </para> + </listitem> + </varlistentry> <varlistentry> - <term><option>+trusted-key=####</option></term> + <term><option>+edns=#</option></term> <listitem> <para> - Specifies a file containing trusted keys to be used with + Specify the EDNS version to query with. Valid values + are 0 to 255. Setting the EDNS version will cause a + EDNS query to be sent. <option>+noedns</option> clears the + remembered EDNS version. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]multiline</option></term> + <listitem> + <para> + Print records like the SOA records in a verbose multi-line + format with human-readable comments. The default is to print + each record on a single line, to facilitate machine parsing + of the <command>dig</command> output. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]fail</option></term> + <listitem> + <para> + Do not try the next server if you receive a SERVFAIL. The + default is + to not try the next server which is the reverse of normal stub + resolver + behaviour. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]besteffort</option></term> + <listitem> + <para> + Attempt to display the contents of messages which are malformed. + The default is to not display malformed answers. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]dnssec</option></term> + <listitem> + <para> + Requests DNSSEC records be sent by setting the DNSSEC OK bit + (DO) + in the OPT record in the additional section of the query. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]sigchase</option></term> + <listitem> + <para> + Chase DNSSEC signature chains. Requires dig be compiled with + -DDIG_SIGCHASE. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+trusted-key=####</option></term> + <listitem> + <para> + Specifies a file containing trusted keys to be used with <option>+sigchase</option>. Each DNSKEY record must be on its own line. - </para> + </para> <para> If not specified <command>dig</command> will look for <filename>/etc/trusted-key.key</filename> then <filename>trusted-key.key</filename> in the current directory. </para> <para> - Requires dig be compiled with -DDIG_SIGCHASE. + Requires dig be compiled with -DDIG_SIGCHASE. </para> - </listitem> - </varlistentry> - -<varlistentry><term><option>+[no]topdown</option></term> -<listitem><para> -When chasing DNSSEC signature chains perform a top down validation. -Requires dig be compiled with -DDIG_SIGCHASE. -</para></listitem></varlistentry> - - - -</variablelist> - -</para> -</refsect1> - -<refsect1> -<title>MULTIPLE QUERIES</title> - -<para> -The BIND 9 implementation of <command>dig </command> supports -specifying multiple queries on the command line (in addition to -supporting the <option>-f</option> batch file option). Each of those -queries can be supplied with its own set of flags, options and query -options. -</para> - -<para> -In this case, each <parameter>query</parameter> argument represent an -individual query in the command-line syntax described above. Each -consists of any of the standard options and flags, the name to be -looked up, an optional query type and class and any query options that -should be applied to that query. -</para> - -<para> -A global set of query options, which should be applied to all queries, -can also be supplied. These global query options must precede the -first tuple of name, class, type, options, flags, and query options -supplied on the command line. Any global query options (except -the <option>+[no]cmd</option> option) can be -overridden by a query-specific set of query options. 
For example: -<programlisting> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>+[no]topdown</option></term> + <listitem> + <para> + When chasing DNSSEC signature chains perform a top down + validation. + Requires dig be compiled with -DDIG_SIGCHASE. + </para> + </listitem> + </varlistentry> + + + + </variablelist> + + </para> + </refsect1> + + <refsect1> + <title>MULTIPLE QUERIES</title> + + <para> + The BIND 9 implementation of <command>dig </command> + supports + specifying multiple queries on the command line (in addition to + supporting the <option>-f</option> batch file option). Each of those + queries can be supplied with its own set of flags, options and query + options. + </para> + + <para> + In this case, each <parameter>query</parameter> argument + represent an + individual query in the command-line syntax described above. Each + consists of any of the standard options and flags, the name to be + looked up, an optional query type and class and any query options that + should be applied to that query. + </para> + + <para> + A global set of query options, which should be applied to all queries, + can also be supplied. These global query options must precede the + first tuple of name, class, type, options, flags, and query options + supplied on the command line. Any global query options (except + the <option>+[no]cmd</option> option) can be + overridden by a query-specific set of query options. For example: + <programlisting> dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </programlisting> -shows how <command>dig</command> could be used from the command line -to make three lookups: an ANY query for <literal>www.isc.org</literal>, a -reverse lookup of 127.0.0.1 and a query for the NS records of -<literal>isc.org</literal>. - -A global query option of <parameter>+qr</parameter> is applied, so -that <command>dig</command> shows the initial query it made for each -lookup. 
The final query has a local query option of -<parameter>+noqr</parameter> which means that <command>dig</command> -will not print the initial query when it looks up the NS records for -<literal>isc.org</literal>. -</para> - -</refsect1> - -<refsect1> -<title>FILES</title> -<para> -<filename>/etc/resolv.conf</filename> -</para> -<para> -<filename>${HOME}/.digrc</filename> -</para> -</refsect1> - -<refsect1> -<title>SEE ALSO</title> -<para> -<citerefentry> -<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>, -<citetitle>RFC1035</citetitle>. -</para> -</refsect1> - -<refsect1> -<title>BUGS </title> -<para> -There are probably too many query options. -</para> -</refsect1> -</refentry> + shows how <command>dig</command> could be used from the + command line + to make three lookups: an ANY query for <literal>www.isc.org</literal>, a + reverse lookup of 127.0.0.1 and a query for the NS records of + <literal>isc.org</literal>. + + A global query option of <parameter>+qr</parameter> is + applied, so + that <command>dig</command> shows the initial query it made + for each + lookup. The final query has a local query option of + <parameter>+noqr</parameter> which means that <command>dig</command> + will not print the initial query when it looks up the NS records for + <literal>isc.org</literal>. + </para> + + </refsect1> + + <refsect1> + <title>IDN SUPPORT</title> + <para> + If <command>dig</command> has been built with IDN (internationalized + domain name) support, it can accept and display non-ASCII domain names. + <command>dig</command> appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. 
+ If you'd like to turn off the IDN support for some reason, defines + the <envar>IDN_DISABLE</envar> environment variable. + The IDN support is disabled if the variable is set when + <command>dig</command> runs. + </para> + </refsect1> + + <refsect1> + <title>FILES</title> + <para><filename>/etc/resolv.conf</filename> + </para> + <para><filename>${HOME}/.digrc</filename> + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>RFC1035</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>BUGS</title> + <para> + There are probably too many query options. + </para> + </refsect1> +</refentry><!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/contrib/bind9/bin/dig/dig.html b/contrib/bind9/bin/dig/dig.html index 06771b3..945a896 100644 --- a/contrib/bind9/bin/dig/dig.html +++ b/contrib/bind9/bin/dig/dig.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,501 +14,616 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dig.html,v 1.6.2.4.2.15 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: dig.html,v 1.13.18.25 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dig</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.dig"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p>dig — DNS lookup utility</p> </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div> +<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em 
class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div> <div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div> <div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549541"></a><h2>DESCRIPTION</h2> +<a name="id2543508"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dig</strong></span> + (domain information groper) is a flexible tool + for interrogating DNS name servers. It performs DNS lookups and + displays the answers that are returned from the name server(s) that + were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to + troubleshoot DNS problems because of its flexibility, ease of use and + clarity of output. Other lookup tools tend to have less functionality + than <span><strong class="command">dig</strong></span>. + </p> <p> -<span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool -for interrogating DNS name servers. It performs DNS lookups and -displays the answers that are returned from the name server(s) that -were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to -troubleshoot DNS problems because of its flexibility, ease of use and -clarity of output. 
Other lookup tools tend to have less functionality -than <span><strong class="command">dig</strong></span>. -</p> + Although <span><strong class="command">dig</strong></span> is normally used with + command-line + arguments, it also has a batch mode of operation for reading lookup + requests from a file. A brief summary of its command-line arguments + and options is printed when the <code class="option">-h</code> option is given. + Unlike earlier versions, the BIND9 implementation of + <span><strong class="command">dig</strong></span> allows multiple lookups to be issued + from the + command line. + </p> <p> -Although <span><strong class="command">dig</strong></span> is normally used with command-line -arguments, it also has a batch mode of operation for reading lookup -requests from a file. A brief summary of its command-line arguments -and options is printed when the <code class="option">-h</code> option is given. -Unlike earlier versions, the BIND9 implementation of -<span><strong class="command">dig</strong></span> allows multiple lookups to be issued from the -command line. -</p> + Unless it is told to query a specific name server, + <span><strong class="command">dig</strong></span> will try each of the servers listed + in + <code class="filename">/etc/resolv.conf</code>. + </p> <p> -Unless it is told to query a specific name server, -<span><strong class="command">dig</strong></span> will try each of the servers listed in -<code class="filename">/etc/resolv.conf</code>. -</p> + When no command line arguments or options are given, will perform an + NS query for "." (the root). + </p> <p> -When no command line arguments or options are given, will perform an -NS query for "." (the root). -</p> + It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via + <code class="filename">${HOME}/.digrc</code>. This file is read and + any options in it + are applied before the command line arguments. 
+ </p> <p> -It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via -<code class="filename">${HOME}/.digrc</code>. This file is read and any options in it -are applied before the command line arguments. -</p> + The IN and CH class names overlap with the IN and CH top level + domains names. Either use the <code class="option">-t</code> and + <code class="option">-c</code> options to specify the type and class or + use the <code class="option">-q</code> the specify the domain name or + use "IN." and "CH." when looking up these top level domains. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549600"></a><h2>SIMPLE USAGE</h2> +<a name="id2543577"></a><h2>SIMPLE USAGE</h2> <p> -A typical invocation of <span><strong class="command">dig</strong></span> looks like: -</p> + A typical invocation of <span><strong class="command">dig</strong></span> looks like: + </p> <pre class="programlisting"> dig @server name type </pre> -<p> where: +<p> + where: -</p> + </p> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">server</code></span></dt> <dd><p> -is the name or IP address of the name server to query. This can be an IPv4 -address in dotted-decimal notation or an IPv6 -address in colon-delimited notation. When the supplied -<em class="parameter"><code>server</code></em> argument is a hostname, -<span><strong class="command">dig</strong></span> resolves that name before querying that name -server. If no <em class="parameter"><code>server</code></em> argument is provided, -<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code> -and queries the name servers listed there. The reply from the name -server that responds is displayed. -</p></dd> + is the name or IP address of the name server to query. This can + be an IPv4 + address in dotted-decimal notation or an IPv6 + address in colon-delimited notation. 
When the supplied + <em class="parameter"><code>server</code></em> argument is a + hostname, + <span><strong class="command">dig</strong></span> resolves that name before + querying that name + server. If no <em class="parameter"><code>server</code></em> + argument is provided, + <span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code> + and queries the name servers listed there. The reply from the + name + server that responds is displayed. + </p></dd> <dt><span class="term"><code class="constant">name</code></span></dt> <dd><p> -is the name of the resource record that is to be looked up. -</p></dd> + is the name of the resource record that is to be looked up. + </p></dd> <dt><span class="term"><code class="constant">type</code></span></dt> <dd><p> -indicates what type of query is required — -ANY, A, MX, SIG, etc. -<em class="parameter"><code>type</code></em> can be any valid query type. If no -<em class="parameter"><code>type</code></em> argument is supplied, -<span><strong class="command">dig</strong></span> will perform a lookup for an A record. -</p></dd> + indicates what type of query is required — + ANY, A, MX, SIG, etc. + <em class="parameter"><code>type</code></em> can be any valid query + type. If no + <em class="parameter"><code>type</code></em> argument is supplied, + <span><strong class="command">dig</strong></span> will perform a lookup for an + A record. + </p></dd> </dl></div> <p> -</p> + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549747"></a><h2>OPTIONS</h2> +<a name="id2543668"></a><h2>OPTIONS</h2> +<p> + The <code class="option">-b</code> option sets the source IP address of the query + to <em class="parameter"><code>address</code></em>. This must be a valid + address on + one of the host's network interfaces or "0.0.0.0" or "::". 
An optional + port + may be specified by appending "#<port>" + </p> <p> -The <code class="option">-b</code> option sets the source IP address of the query -to <em class="parameter"><code>address</code></em>. This must be a valid address on -one of the host's network interfaces or "0.0.0.0" or "::". An optional port -may be specified by appending "#<port>" -</p> + The default query class (IN for internet) is overridden by the + <code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is + any valid + class, such as HS for Hesiod records or CH for CHAOSNET records. + </p> <p> -The default query class (IN for internet) is overridden by the -<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records. -</p> + The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> + operate + in batch mode by reading a list of lookup requests to process from the + file <em class="parameter"><code>filename</code></em>. The file contains a + number of + queries, one per line. Each entry in the file should be organised in + the same way they would be presented as queries to + <span><strong class="command">dig</strong></span> using the command-line interface. + </p> <p> -The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> operate -in batch mode by reading a list of lookup requests to process from the -file <em class="parameter"><code>filename</code></em>. The file contains a number of -queries, one per line. Each entry in the file should be organised in -the same way they would be presented as queries to -<span><strong class="command">dig</strong></span> using the command-line interface. -</p> + If a non-standard port number is to be queried, the + <code class="option">-p</code> option is used. 
<em class="parameter"><code>port#</code></em> is + the port number that <span><strong class="command">dig</strong></span> will send its + queries + instead of the standard DNS port number 53. This option would be used + to test a name server that has been configured to listen for queries + on a non-standard port number. + </p> <p> -If a non-standard port number is to be queried, the -<code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is -the port number that <span><strong class="command">dig</strong></span> will send its queries -instead of the standard DNS port number 53. This option would be used -to test a name server that has been configured to listen for queries -on a non-standard port number. -</p> + The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span> + to only + use IPv4 query transport. The <code class="option">-6</code> option forces + <span><strong class="command">dig</strong></span> to only use IPv6 query transport. + </p> <p> -The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span> to only -use IPv4 query transport. The <code class="option">-6</code> option forces -<span><strong class="command">dig</strong></span> to only use IPv6 query transport. -</p> + The <code class="option">-t</code> option sets the query type to + <em class="parameter"><code>type</code></em>. It can be any valid query type + which is + supported in BIND9. The default query type "A", unless the + <code class="option">-x</code> option is supplied to indicate a reverse lookup. + A zone transfer can be requested by specifying a type of AXFR. When + an incremental zone transfer (IXFR) is required, + <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>. 
+ The incremental zone transfer will contain the changes made to the zone + since the serial number in the zone's SOA record was + <em class="parameter"><code>N</code></em>. + </p> <p> -The <code class="option">-t</code> option sets the query type to -<em class="parameter"><code>type</code></em>. It can be any valid query type which is -supported in BIND9. The default query type "A", unless the -<code class="option">-x</code> option is supplied to indicate a reverse lookup. -A zone transfer can be requested by specifying a type of AXFR. When -an incremental zone transfer (IXFR) is required, -<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>. -The incremental zone transfer will contain the changes made to the zone -since the serial number in the zone's SOA record was -<em class="parameter"><code>N</code></em>. -</p> + The <code class="option">-q</code> option sets the query name to + <em class="parameter"><code>name</code></em>. This useful do distingish the + <em class="parameter"><code>name</code></em> from other arguments. + </p> <p> -Reverse lookups - mapping addresses to names - are simplified by the -<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is an IPv4 -address in dotted-decimal notation, or a colon-delimited IPv6 address. -When this option is used, there is no need to provide the -<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and -<em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span> -automatically performs a lookup for a name like -<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the query type and -class to PTR and IN respectively. By default, IPv6 addresses are -looked up using nibble format under the IP6.ARPA domain. -To use the older RFC1886 method using the IP6.INT domain -specify the <code class="option">-i</code> option. 
Bit string labels (RFC2874) -are now experimental and are not attempted. -</p> + Reverse lookups - mapping addresses to names - are simplified by the + <code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is + an IPv4 + address in dotted-decimal notation, or a colon-delimited IPv6 address. + When this option is used, there is no need to provide the + <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and + <em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span> + automatically performs a lookup for a name like + <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the + query type and + class to PTR and IN respectively. By default, IPv6 addresses are + looked up using nibble format under the IP6.ARPA domain. + To use the older RFC1886 method using the IP6.INT domain + specify the <code class="option">-i</code> option. Bit string labels (RFC2874) + are now experimental and are not attempted. + </p> <p> -To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and their -responses using transaction signatures (TSIG), specify a TSIG key file -using the <code class="option">-k</code> option. You can also specify the TSIG -key itself on the command line using the <code class="option">-y</code> option; -<em class="parameter"><code>name</code></em> is the name of the TSIG key and -<em class="parameter"><code>key</code></em> is the actual key. The key is a base-64 -encoded string, typically generated by <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. + To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and + their + responses using transaction signatures (TSIG), specify a TSIG key file + using the <code class="option">-k</code> option. 
You can also specify the TSIG + key itself on the command line using the <code class="option">-y</code> option; + <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5, + <em class="parameter"><code>name</code></em> is the name of the TSIG key and + <em class="parameter"><code>key</code></em> is the actual key. The key is a + base-64 + encoded string, typically generated by + <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. -Caution should be taken when using the <code class="option">-y</code> option on -multi-user systems as the key can be visible in the output from -<span class="citerefentry"><span class="refentrytitle">ps</span>(1 -)</span> or in the shell's history file. When -using TSIG authentication with <span><strong class="command">dig</strong></span>, the name -server that is queried needs to know the key and algorithm that is -being used. In BIND, this is done by providing appropriate -<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in -<code class="filename">named.conf</code>. -</p> + Caution should be taken when using the <code class="option">-y</code> option on + multi-user systems as the key can be visible in the output from + <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> + or in the shell's history file. When + using TSIG authentication with <span><strong class="command">dig</strong></span>, the name + server that is queried needs to know the key and algorithm that is + being used. In BIND, this is done by providing appropriate + <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in + <code class="filename">named.conf</code>. 
+ </p> </div> <div class="refsect1" lang="en"> -<a name="id2549998"></a><h2>QUERY OPTIONS</h2> +<a name="id2543939"></a><h2>QUERY OPTIONS</h2> +<p><span><strong class="command">dig</strong></span> + provides a number of query options which affect + the way in which lookups are made and the results displayed. Some of + these set or reset flag bits in the query header, some determine which + sections of the answer get printed, and others determine the timeout + and retry strategies. + </p> <p> -<span><strong class="command">dig</strong></span> provides a number of query options which affect -the way in which lookups are made and the results displayed. Some of -these set or reset flag bits in the query header, some determine which -sections of the answer get printed, and others determine the timeout -and retry strategies. -</p> -<p> -Each query option is identified by a keyword preceded by a plus sign -(<code class="literal">+</code>). Some keywords set or reset an option. These may be preceded -by the string <code class="literal">no</code> to negate the meaning of that keyword. Other -keywords assign values to options like the timeout interval. They -have the form <code class="option">+keyword=value</code>. -The query options are: + Each query option is identified by a keyword preceded by a plus sign + (<code class="literal">+</code>). Some keywords set or reset an + option. These may be preceded + by the string <code class="literal">no</code> to negate the meaning of + that keyword. Other + keywords assign values to options like the timeout interval. They + have the form <code class="option">+keyword=value</code>. + The query options are: -</p> + </p> <div class="variablelist"><dl> <dt><span class="term"><code class="option">+[no]tcp</code></span></dt> <dd><p> -Use [do not use] TCP when querying name servers. The default -behaviour is to use UDP unless an AXFR or IXFR query is requested, in -which case a TCP connection is used. 
-</p></dd> + Use [do not use] TCP when querying name servers. The default + behaviour is to use UDP unless an AXFR or IXFR query is + requested, in + which case a TCP connection is used. + </p></dd> <dt><span class="term"><code class="option">+[no]vc</code></span></dt> <dd><p> -Use [do not use] TCP when querying name servers. This alternate -syntax to <em class="parameter"><code>+[no]tcp</code></em> is provided for backwards -compatibility. The "vc" stands for "virtual circuit". -</p></dd> + Use [do not use] TCP when querying name servers. This alternate + syntax to <em class="parameter"><code>+[no]tcp</code></em> is + provided for backwards + compatibility. The "vc" stands for "virtual circuit". + </p></dd> <dt><span class="term"><code class="option">+[no]ignore</code></span></dt> <dd><p> -Ignore truncation in UDP responses instead of retrying with TCP. By -default, TCP retries are performed. -</p></dd> + Ignore truncation in UDP responses instead of retrying with TCP. + By + default, TCP retries are performed. + </p></dd> <dt><span class="term"><code class="option">+domain=somename</code></span></dt> <dd><p> -Set the search list to contain the single domain -<em class="parameter"><code>somename</code></em>, as if specified in a -<span><strong class="command">domain</strong></span> directive in -<code class="filename">/etc/resolv.conf</code>, and enable search list -processing as if the <em class="parameter"><code>+search</code></em> option were given. -</p></dd> + Set the search list to contain the single domain + <em class="parameter"><code>somename</code></em>, as if specified in + a + <span><strong class="command">domain</strong></span> directive in + <code class="filename">/etc/resolv.conf</code>, and enable + search list + processing as if the <em class="parameter"><code>+search</code></em> + option were given. 
+ </p></dd> <dt><span class="term"><code class="option">+[no]search</code></span></dt> <dd><p> -Use [do not use] the search list defined by the searchlist or domain -directive in <code class="filename">resolv.conf</code> (if any). -The search list is not used by default. -</p></dd> + Use [do not use] the search list defined by the searchlist or + domain + directive in <code class="filename">resolv.conf</code> (if + any). + The search list is not used by default. + </p></dd> +<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt> +<dd><p> + Perform [do not perform] a search showing intermediate + results. + </p></dd> <dt><span class="term"><code class="option">+[no]defname</code></span></dt> <dd><p> -Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em> -</p></dd> + Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em> + </p></dd> <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt> <dd><p> -Sets the "aa" flag in the query. -</p></dd> + Sets the "aa" flag in the query. + </p></dd> <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt> <dd><p> -A synonym for <em class="parameter"><code>+[no]aaonly</code></em>. -</p></dd> + A synonym for <em class="parameter"><code>+[no]aaonly</code></em>. + </p></dd> <dt><span class="term"><code class="option">+[no]adflag</code></span></dt> <dd><p> -Set [do not set] the AD (authentic data) bit in the query. The AD bit -currently has a standard meaning only in responses, not in queries, -but the ability to set the bit in the query is provided for -completeness. -</p></dd> + Set [do not set] the AD (authentic data) bit in the query. The + AD bit + currently has a standard meaning only in responses, not in + queries, + but the ability to set the bit in the query is provided for + completeness. 
+ </p></dd> <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt> <dd><p> -Set [do not set] the CD (checking disabled) bit in the query. This -requests the server to not perform DNSSEC validation of responses. -</p></dd> + Set [do not set] the CD (checking disabled) bit in the query. + This + requests the server to not perform DNSSEC validation of + responses. + </p></dd> <dt><span class="term"><code class="option">+[no]cl</code></span></dt> <dd><p> -Display [do not display] the CLASS when printing the record. -</p></dd> + Display [do not display] the CLASS when printing the record. + </p></dd> <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt> <dd><p> -Display [do not display] the TTL when printing the record. -</p></dd> + Display [do not display] the TTL when printing the record. + </p></dd> <dt><span class="term"><code class="option">+[no]recurse</code></span></dt> <dd><p> -Toggle the setting of the RD (recursion desired) bit in the query. -This bit is set by default, which means <span><strong class="command">dig</strong></span> -normally sends recursive queries. Recursion is automatically disabled -when the <em class="parameter"><code>+nssearch</code></em> or -<em class="parameter"><code>+trace</code></em> query options are used. -</p></dd> + Toggle the setting of the RD (recursion desired) bit in the + query. + This bit is set by default, which means <span><strong class="command">dig</strong></span> + normally sends recursive queries. Recursion is automatically + disabled + when the <em class="parameter"><code>+nssearch</code></em> or + <em class="parameter"><code>+trace</code></em> query options are + used. 
+ </p></dd> <dt><span class="term"><code class="option">+[no]nssearch</code></span></dt> <dd><p> -When this option is set, <span><strong class="command">dig</strong></span> attempts to find the -authoritative name servers for the zone containing the name being -looked up and display the SOA record that each name server has for the -zone. -</p></dd> + When this option is set, <span><strong class="command">dig</strong></span> + attempts to find the + authoritative name servers for the zone containing the name + being + looked up and display the SOA record that each name server has + for the + zone. + </p></dd> <dt><span class="term"><code class="option">+[no]trace</code></span></dt> <dd><p> -Toggle tracing of the delegation path from the root name servers for -the name being looked up. Tracing is disabled by default. When -tracing is enabled, <span><strong class="command">dig</strong></span> makes iterative queries to -resolve the name being looked up. It will follow referrals from the -root servers, showing the answer from each server that was used to -resolve the lookup. -</p></dd> + Toggle tracing of the delegation path from the root name servers + for + the name being looked up. Tracing is disabled by default. When + tracing is enabled, <span><strong class="command">dig</strong></span> makes + iterative queries to + resolve the name being looked up. It will follow referrals from + the + root servers, showing the answer from each server that was used + to + resolve the lookup. + </p></dd> <dt><span class="term"><code class="option">+[no]cmd</code></span></dt> <dd><p> -toggles the printing of the initial comment in the output identifying -the version of <span><strong class="command">dig</strong></span> and the query options that have -been applied. This comment is printed by default. 
-</p></dd> + toggles the printing of the initial comment in the output + identifying + the version of <span><strong class="command">dig</strong></span> and the query + options that have + been applied. This comment is printed by default. + </p></dd> <dt><span class="term"><code class="option">+[no]short</code></span></dt> <dd><p> -Provide a terse answer. The default is to print the answer in a -verbose form. -</p></dd> + Provide a terse answer. The default is to print the answer in a + verbose form. + </p></dd> <dt><span class="term"><code class="option">+[no]identify</code></span></dt> <dd><p> -Show [or do not show] the IP address and port number that supplied the -answer when the <em class="parameter"><code>+short</code></em> option is enabled. If -short form answers are requested, the default is not to show the -source address and port number of the server that provided the answer. -</p></dd> + Show [or do not show] the IP address and port number that + supplied the + answer when the <em class="parameter"><code>+short</code></em> option + is enabled. If + short form answers are requested, the default is not to show the + source address and port number of the server that provided the + answer. + </p></dd> <dt><span class="term"><code class="option">+[no]comments</code></span></dt> <dd><p> -Toggle the display of comment lines in the output. The default is to -print comments. -</p></dd> + Toggle the display of comment lines in the output. The default + is to + print comments. + </p></dd> <dt><span class="term"><code class="option">+[no]stats</code></span></dt> <dd><p> -This query option toggles the printing of statistics: when the query -was made, the size of the reply and so on. The default behaviour is -to print the query statistics. -</p></dd> + This query option toggles the printing of statistics: when the + query + was made, the size of the reply and so on. The default + behaviour is + to print the query statistics. 
+ </p></dd> <dt><span class="term"><code class="option">+[no]qr</code></span></dt> <dd><p> -Print [do not print] the query as it is sent. -By default, the query is not printed. -</p></dd> + Print [do not print] the query as it is sent. + By default, the query is not printed. + </p></dd> <dt><span class="term"><code class="option">+[no]question</code></span></dt> <dd><p> -Print [do not print] the question section of a query when an answer is -returned. The default is to print the question section as a comment. -</p></dd> + Print [do not print] the question section of a query when an + answer is + returned. The default is to print the question section as a + comment. + </p></dd> <dt><span class="term"><code class="option">+[no]answer</code></span></dt> <dd><p> -Display [do not display] the answer section of a reply. The default -is to display it. -</p></dd> + Display [do not display] the answer section of a reply. The + default + is to display it. + </p></dd> <dt><span class="term"><code class="option">+[no]authority</code></span></dt> <dd><p> -Display [do not display] the authority section of a reply. The -default is to display it. -</p></dd> + Display [do not display] the authority section of a reply. The + default is to display it. + </p></dd> <dt><span class="term"><code class="option">+[no]additional</code></span></dt> <dd><p> -Display [do not display] the additional section of a reply. -The default is to display it. -</p></dd> + Display [do not display] the additional section of a reply. + The default is to display it. + </p></dd> <dt><span class="term"><code class="option">+[no]all</code></span></dt> <dd><p> -Set or clear all display flags. -</p></dd> + Set or clear all display flags. + </p></dd> <dt><span class="term"><code class="option">+time=T</code></span></dt> <dd><p> -Sets the timeout for a query to -<em class="parameter"><code>T</code></em> seconds. The default time out is 5 seconds. 
-An attempt to set <em class="parameter"><code>T</code></em> to less than 1 will result -in a query timeout of 1 second being applied. -</p></dd> + Sets the timeout for a query to + <em class="parameter"><code>T</code></em> seconds. The default time + out is 5 seconds. + An attempt to set <em class="parameter"><code>T</code></em> to less + than 1 will result + in a query timeout of 1 second being applied. + </p></dd> <dt><span class="term"><code class="option">+tries=T</code></span></dt> <dd><p> -Sets the number of times to try UDP queries to server to -<em class="parameter"><code>T</code></em> instead of the default, 3. If -<em class="parameter"><code>T</code></em> is less than or equal to zero, the number of -tries is silently rounded up to 1. -</p></dd> + Sets the number of times to try UDP queries to server to + <em class="parameter"><code>T</code></em> instead of the default, 3. + If + <em class="parameter"><code>T</code></em> is less than or equal to + zero, the number of + tries is silently rounded up to 1. + </p></dd> <dt><span class="term"><code class="option">+retry=T</code></span></dt> <dd><p> -Sets the number of times to retry UDP queries to server to -<em class="parameter"><code>T</code></em> instead of the default, 2. Unlike -<em class="parameter"><code>+tries</code></em>, this does not include the initial -query. -</p></dd> + Sets the number of times to retry UDP queries to server to + <em class="parameter"><code>T</code></em> instead of the default, 2. + Unlike + <em class="parameter"><code>+tries</code></em>, this does not include + the initial + query. + </p></dd> <dt><span class="term"><code class="option">+ndots=D</code></span></dt> <dd><p> -Set the number of dots that have to appear in -<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be -considered absolute. 
The default value is that defined using the -ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no -ndots statement is present. Names with fewer dots are interpreted as -relative names and will be searched for in the domains listed in the -<code class="option">search</code> or <code class="option">domain</code> directive in -<code class="filename">/etc/resolv.conf</code>. -</p></dd> + Set the number of dots that have to appear in + <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be + considered absolute. The default value is that defined using + the + ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no + ndots statement is present. Names with fewer dots are + interpreted as + relative names and will be searched for in the domains listed in + the + <code class="option">search</code> or <code class="option">domain</code> directive in + <code class="filename">/etc/resolv.conf</code>. + </p></dd> <dt><span class="term"><code class="option">+bufsize=B</code></span></dt> <dd><p> -Set the UDP message buffer size advertised using EDNS0 to -<em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes of this -buffer are 65535 and 0 respectively. Values outside this range are -rounded up or down appropriately. -</p></dd> + Set the UDP message buffer size advertised using EDNS0 to + <em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes + of this buffer are 65535 and 0 respectively. Values outside + this range are rounded up or down appropriately. + Values other than zero will cause a EDNS query to be sent. + </p></dd> +<dt><span class="term"><code class="option">+edns=#</code></span></dt> +<dd><p> + Specify the EDNS version to query with. Valid values + are 0 to 255. Setting the EDNS version will cause a + EDNS query to be sent. <code class="option">+noedns</code> clears the + remembered EDNS version. 
+ </p></dd> <dt><span class="term"><code class="option">+[no]multiline</code></span></dt> <dd><p> -Print records like the SOA records in a verbose multi-line -format with human-readable comments. The default is to print -each record on a single line, to facilitate machine parsing -of the <span><strong class="command">dig</strong></span> output. -</p></dd> + Print records like the SOA records in a verbose multi-line + format with human-readable comments. The default is to print + each record on a single line, to facilitate machine parsing + of the <span><strong class="command">dig</strong></span> output. + </p></dd> <dt><span class="term"><code class="option">+[no]fail</code></span></dt> <dd><p> -Do not try the next server if you receive a SERVFAIL. The default is -to not try the next server which is the reverse of normal stub resolver -behaviour. -</p></dd> + Do not try the next server if you receive a SERVFAIL. The + default is + to not try the next server which is the reverse of normal stub + resolver + behaviour. + </p></dd> <dt><span class="term"><code class="option">+[no]besteffort</code></span></dt> <dd><p> -Attempt to display the contents of messages which are malformed. -The default is to not display malformed answers. -</p></dd> + Attempt to display the contents of messages which are malformed. + The default is to not display malformed answers. + </p></dd> <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt> <dd><p> -Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the OPT record in the additional section of the query. -</p></dd> + Requests DNSSEC records be sent by setting the DNSSEC OK bit + (DO) + in the OPT record in the additional section of the query. + </p></dd> <dt><span class="term"><code class="option">+[no]sigchase</code></span></dt> <dd><p> -Chase DNSSEC signature chains. Requires dig be compiled with --DDIG_SIGCHASE. -</p></dd> + Chase DNSSEC signature chains. 
Requires dig be compiled with + -DDIG_SIGCHASE. + </p></dd> <dt><span class="term"><code class="option">+trusted-key=####</code></span></dt> <dd> <p> - Specifies a file containing trusted keys to be used with + Specifies a file containing trusted keys to be used with <code class="option">+sigchase</code>. Each DNSKEY record must be on its own line. - </p> + </p> <p> If not specified <span><strong class="command">dig</strong></span> will look for <code class="filename">/etc/trusted-key.key</code> then <code class="filename">trusted-key.key</code> in the current directory. </p> <p> - Requires dig be compiled with -DDIG_SIGCHASE. + Requires dig be compiled with -DDIG_SIGCHASE. </p> </dd> <dt><span class="term"><code class="option">+[no]topdown</code></span></dt> <dd><p> -When chasing DNSSEC signature chains perform a top down validation. -Requires dig be compiled with -DDIG_SIGCHASE. -</p></dd> + When chasing DNSSEC signature chains perform a top down + validation. + Requires dig be compiled with -DDIG_SIGCHASE. + </p></dd> </dl></div> <p> -</p> + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550666"></a><h2>MULTIPLE QUERIES</h2> +<a name="id2545128"></a><h2>MULTIPLE QUERIES</h2> <p> -The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports -specifying multiple queries on the command line (in addition to -supporting the <code class="option">-f</code> batch file option). Each of those -queries can be supplied with its own set of flags, options and query -options. -</p> + The BIND 9 implementation of <span><strong class="command">dig </strong></span> + supports + specifying multiple queries on the command line (in addition to + supporting the <code class="option">-f</code> batch file option). Each of those + queries can be supplied with its own set of flags, options and query + options. 
+ </p> <p> -In this case, each <em class="parameter"><code>query</code></em> argument represent an -individual query in the command-line syntax described above. Each -consists of any of the standard options and flags, the name to be -looked up, an optional query type and class and any query options that -should be applied to that query. -</p> + In this case, each <em class="parameter"><code>query</code></em> argument + represent an + individual query in the command-line syntax described above. Each + consists of any of the standard options and flags, the name to be + looked up, an optional query type and class and any query options that + should be applied to that query. + </p> <p> -A global set of query options, which should be applied to all queries, -can also be supplied. These global query options must precede the -first tuple of name, class, type, options, flags, and query options -supplied on the command line. Any global query options (except -the <code class="option">+[no]cmd</code> option) can be -overridden by a query-specific set of query options. For example: -</p> + A global set of query options, which should be applied to all queries, + can also be supplied. These global query options must precede the + first tuple of name, class, type, options, flags, and query options + supplied on the command line. Any global query options (except + the <code class="option">+[no]cmd</code> option) can be + overridden by a query-specific set of query options. For example: + </p> <pre class="programlisting"> dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </pre> <p> -shows how <span><strong class="command">dig</strong></span> could be used from the command line -to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a -reverse lookup of 127.0.0.1 and a query for the NS records of -<code class="literal">isc.org</code>. 
+ shows how <span><strong class="command">dig</strong></span> could be used from the + command line + to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a + reverse lookup of 127.0.0.1 and a query for the NS records of + <code class="literal">isc.org</code>. -A global query option of <em class="parameter"><code>+qr</code></em> is applied, so -that <span><strong class="command">dig</strong></span> shows the initial query it made for each -lookup. The final query has a local query option of -<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span> -will not print the initial query when it looks up the NS records for -<code class="literal">isc.org</code>. -</p> + A global query option of <em class="parameter"><code>+qr</code></em> is + applied, so + that <span><strong class="command">dig</strong></span> shows the initial query it made + for each + lookup. The final query has a local query option of + <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span> + will not print the initial query when it looks up the NS records for + <code class="literal">isc.org</code>. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550725"></a><h2>FILES</h2> +<a name="id2545258"></a><h2>IDN SUPPORT</h2> <p> -<code class="filename">/etc/resolv.conf</code> -</p> -<p> -<code class="filename">${HOME}/.digrc</code> -</p> + If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized + domain name) support, it can accept and display non-ASCII domain names. + <span><strong class="command">dig</strong></span> appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. + If you'd like to turn off the IDN support for some reason, defines + the <code class="envar">IDN_DISABLE</code> environment variable. 
+ The IDN support is disabled if the variable is set when + <span><strong class="command">dig</strong></span> runs. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550744"></a><h2>SEE ALSO</h2> -<p> -<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, -<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, -<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, -<em class="citetitle">RFC1035</em>. -</p> +<a name="id2545281"></a><h2>FILES</h2> +<p><code class="filename">/etc/resolv.conf</code> + </p> +<p><code class="filename">${HOME}/.digrc</code> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2545298"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, + <em class="citetitle">RFC1035</em>. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550782"></a><h2>BUGS </h2> +<a name="id2545335"></a><h2>BUGS</h2> <p> -There are probably too many query options. -</p> + There are probably too many query options. + </p> </div> </div></body> </html> diff --git a/contrib/bind9/bin/dig/dighost.c b/contrib/bind9/bin/dig/dighost.c index 398711d..2e950a4 100644 --- a/contrib/bind9/bin/dig/dighost.c +++ b/contrib/bind9/bin/dig/dighost.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any 
@@ -15,9 +15,10 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dighost.c,v 1.221.2.19.2.36 2006/12/07 01:26:33 marka Exp $ */
+/* $Id: dighost.c,v 1.259.18.39 2007/02/14 23:45:43 marka Exp $ */
-/*
+/*! \file
+ * \note
 * Notice to programmers: Do not use this code as an example of how to
 * use the ISC library to perform DNS lookups. Dig and Host both operate
 * on the request level, since they allow fine-tuning of output and are
@@ -32,6 +33,17 @@
 #include <string.h>
 #include <limits.h>
+#ifdef HAVE_LOCALE_H
+#include <locale.h>
+#endif
+
+#ifdef WITH_IDN
+#include <idn/result.h>
+#include <idn/log.h>
+#include <idn/resconf.h>
+#include <idn/api.h>
+#endif
+
 #include <dns/byaddr.h>
 #ifdef DIG_SIGCHASE
 #include <dns/dnssec.h>
@@ -95,16 +107,19 @@ dig_serverlist_t server_list;
 dig_searchlistlist_t search_list;
 isc_boolean_t
+ check_ra = ISC_FALSE,
 have_ipv4 = ISC_FALSE,
 have_ipv6 = ISC_FALSE,
 specified_source = ISC_FALSE,
 free_now = ISC_FALSE,
 cancel_now = ISC_FALSE,
 usesearch = ISC_FALSE,
+ showsearch = ISC_FALSE,
 qr = ISC_FALSE,
 is_dst_up = ISC_FALSE;
 in_port_t port = 53;
 unsigned int timeout = 0;
+unsigned int extrabytes;
 isc_mem_t *mctx = NULL;
 isc_taskmgr_t *taskmgr = NULL;
 isc_task_t *global_task = NULL;
@@ -119,20 +134,35 @@ int ndots = -1;
 int tries = 3;
 int lookup_counter = 0;
-/*
+#ifdef WITH_IDN
+static void initialize_idn(void);
+static isc_result_t output_filter(isc_buffer_t *buffer,
+ unsigned int used_org,
+ isc_boolean_t absolute);
+static idn_result_t append_textname(char *name, const char *origin,
+ size_t namesize);
+static void idn_check_result(idn_result_t r, const char *msg);
+
+#define MAXDLEN 256
+#endif
+
+/*%
 * Exit Codes:
- * 0 Everything went well, including things like NXDOMAIN
- * 1 Usage error
- * 7 Got too many RR's or Names
- * 8 Couldn't open batch file
- * 9 No reply from server
- * 10 Internal error
+ *
+ *\li 0 Everything went well, including things like NXDOMAIN
+ *\li 1 Usage error
+ *\li 7 Got too many RR's or Names
+ *\li 8 Couldn't open batch file
+ *\li 9 No reply from server
+ *\li 10 Internal error
 */
 int exitcode = 0;
 int fatalexit = 0;
 char keynametext[MXNAME];
 char keyfile[MXNAME] = "";
 char keysecret[MXNAME] = "";
+dns_name_t *hmacname = NULL;
+unsigned int digestbits = 0;
 isc_buffer_t *namebuf = NULL;
 dns_tsigkey_t *key = NULL;
 isc_boolean_t validated = ISC_TRUE;
@@ -246,7 +276,7 @@ dns_name_t chase_name; /* the query name */
 /*
 * the current name is the parent name when we follow delegation
 */
-dns_name_t chase_current_name;
+dns_name_t chase_current_name;
 /*
 * the child name is used for delegation (NS DS responses in AUTHORITY section)
 */
@@ -293,7 +323,7 @@ struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
 #define DIG_MAX_ADDRESSES 20
-/*
+/*%
 * Apply and clear locks at the event level in global task.
 * Can I get rid of these using shutdown events? XXX
 */
@@ -377,7 +407,7 @@ hex_dump(isc_buffer_t *b) {
 printf("\n");
 }
-/*
+/*%
 * Append 'len' bytes of 'text' at '*p', failing with
 * ISC_R_NOSPACE if that would advance p past 'end'.
 */
@@ -493,7 +523,7 @@ check_result(isc_result_t result, const char *msg) {
 }
 }
-/*
+/*%
 * Create a server structure, which is part of the lookup structure.
 * This is little more than a linked list of servers to query in hopes
 * of finding the answer the user is looking for
@@ -535,7 +565,7 @@ addr2af(int lwresaddrtype)
 return (af);
 }
-/*
+/*%
 * Create a copy of the server list from the lwres configuration structure.
 * The dest list must have already had ISC_LIST_INIT applied.
 */
@@ -585,7 +615,7 @@ set_nameserver(char *opt) {
 return;
 result = bind9_getaddresses(opt, 0, sockaddrs,
- DIG_MAX_ADDRESSES, &count);
+ DIG_MAX_ADDRESSES, &count);
 if (result != ISC_R_SUCCESS)
 fatal("couldn't get address for '%s': %s",
 opt, isc_result_totext(result));
@@ -630,7 +660,7 @@ add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
 return (ISC_R_FAILURE);
 }
-/*
+/*%
 * Produce a cloned server list. The dest list must have already had
 * ISC_LIST_INIT applied.
 */
@@ -648,7 +678,7 @@ clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
 }
 }
-/*
+/*%
 * Create an empty lookup structure, which holds all the information needed
 * to get an answer to a user's question. This structure contains two
 * linked lists: the server list (servers to query) and the query list
@@ -704,6 +734,7 @@ make_empty_lookup(void) {
 #endif
 #endif
 looknew->udpsize = 0;
+ looknew->edns = -1;
 looknew->recurse = ISC_TRUE;
 looknew->aaonly = ISC_FALSE;
 looknew->adflag = ISC_FALSE;
@@ -723,13 +754,15 @@ make_empty_lookup(void) {
 looknew->section_authority = ISC_TRUE;
 looknew->section_additional = ISC_TRUE;
 looknew->new_search = ISC_FALSE;
+ looknew->done_as_is = ISC_FALSE;
+ looknew->need_search = ISC_FALSE;
 ISC_LINK_INIT(looknew, link);
 ISC_LIST_INIT(looknew->q);
 ISC_LIST_INIT(looknew->my_server_list);
 return (looknew);
 }
-/*
+/*%
 * Clone a lookup, perhaps copying the server list. This does not clone
 * the query list, since it will be regenerated by the setup_lookup()
 * function, nor does it queue up the new lookup for processing.
@@ -780,6 +813,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 #endif
 #endif
 looknew->udpsize = lookold->udpsize;
+ looknew->edns = lookold->edns;
 looknew->recurse = lookold->recurse;
 looknew->aaonly = lookold->aaonly;
 looknew->adflag = lookold->adflag;
@@ -794,6 +828,8 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 looknew->section_additional = lookold->section_additional;
 looknew->retries = lookold->retries;
 looknew->tsigctx = NULL;
+ looknew->need_search = lookold->need_search;
+ looknew->done_as_is = lookold->done_as_is;
 if (servers)
 clone_server_list(lookold->my_server_list,
@@ -801,7 +837,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 return (looknew);
 }
-/*
+/*%
 * Requeue a lookup for further processing, perhaps copying the server
 * list. The new lookup structure is returned to the caller, and is
 * queued for processing. If servers are not cloned in the requeue, they
@@ -863,14 +899,15 @@ setup_text_key(void) {
 if (result != ISC_R_SUCCESS)
 goto failure;
- result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
- secretstore, secretsize,
- ISC_FALSE, NULL, 0, 0, mctx,
+ result = dns_tsigkey_create(&keyname, hmacname, secretstore,
+ secretsize, ISC_FALSE, NULL, 0, 0, mctx,
 NULL, &key);
 failure:
 if (result != ISC_R_SUCCESS)
 printf(";; Couldn't create key %s: %s\n",
 keynametext, isc_result_totext(result));
+ else
+ dst_key_setbits(key->key, digestbits);
 isc_mem_free(mctx, secretstore);
 dns_name_invalidate(&keyname);
@@ -891,8 +928,31 @@ setup_file_key(void) {
 goto failure;
 }
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
- dns_tsig_hmacmd5_name,
+ switch (dst_key_alg(dstkey)) {
+ case DST_ALG_HMACMD5:
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ break;
+ case DST_ALG_HMACSHA1:
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ break;
+ case DST_ALG_HMACSHA224:
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ break;
+ case DST_ALG_HMACSHA256:
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ break;
+ case DST_ALG_HMACSHA384:
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ break;
+ case DST_ALG_HMACSHA512:
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ break;
+ default:
+ printf(";; Couldn't create key %s: bad algorithm\n",
+ keynametext);
+ goto failure;
+ }
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
 dstkey, ISC_FALSE, NULL, 0, 0, mctx,
 NULL, &key);
 if (result != ISC_R_SUCCESS) {
@@ -933,7 +993,7 @@ create_search_list(lwres_conf_t *confdata) {
 }
 }
-/*
+/*%
 * Setup the system as a whole, reading key information and resolv.conf
 * settings.
 */
@@ -987,6 +1047,10 @@ setup_system(void) {
 if (ISC_LIST_EMPTY(server_list))
 copy_server_list(lwconf, &server_list);
+#ifdef WITH_IDN
+ initialize_idn();
+#endif
+
 if (keyfile[0] != 0)
 setup_file_key();
 else if (keysecret[0] != 0)
@@ -1017,7 +1081,7 @@ clear_searchlist(void) {
 }
 }
-/*
+/*%
 * Override the search list derived from resolv.conf by 'domain'.
 */
 void
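Review bot: The `dns_tsigkey_create(&keyname, hmacname, ...)` call in setup_text_key now depends on the file-scope `hmacname`, which the earlier hunk declares with a NULL initialiser, and nothing on this path checks that the option parser actually assigned it; whether dns_tsigkey_create rejects a NULL algorithm name is not visible here. Since the removed line used `dns_tsig_hmacmd5_name` unconditionally, a guard such as `if (hmacname == NULL) hmacname = DNS_TSIG_HMACMD5_NAME;` before the call would preserve the old default for callers that never set it, or a `REQUIRE(hmacname != NULL);` would at least make the precondition explicit. In the setup_file_key hunk below, the `switch` on `dst_key_alg(dstkey)` writes the same global rather than a local `dns_name_t *`, so a reader has to know from the setup_system hunk that only one of setup_file_key and setup_text_key runs to see that the two cannot interfere; a local would remove that dependency. Both functions begin and end outside their hunks.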
@@ -1029,7 +1093,7 @@ set_search_domain(char *domain) {
 ISC_LIST_APPEND(search_list, search, link);
 }
-/*
+/*%
 * Setup the ISC and DNS libraries for use by the system.
 */
 void
@@ -1086,12 +1150,14 @@ setup_libs(void) {
 dns_result_register();
 }
-/*
+/*%
 * Add EDNS0 option record to a message. Currently, the only supported
 * options are UDP buffer size and the DO bit.
 */
 static void
-add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
+add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
+ isc_boolean_t dnssec)
+{
 dns_rdataset_t *rdataset = NULL;
 dns_rdatalist_t *rdatalist = NULL;
 dns_rdata_t *rdata = NULL;
@@ -1110,9 +1176,9 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
 rdatalist->type = dns_rdatatype_opt;
 rdatalist->covers = 0;
 rdatalist->rdclass = udpsize;
- rdatalist->ttl = 0;
+ rdatalist->ttl = edns << 16;
 if (dnssec)
- rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
+ rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
 rdata->data = NULL;
 rdata->length = 0;
 ISC_LIST_INIT(rdatalist->rdata);
@@ -1122,7 +1188,7 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
 check_result(result, "dns_message_setopt");
 }
-/*
+/*%
 * Add a question section to a message, asking for the specified name,
 * type, and class.
 */
@@ -1142,7 +1208,7 @@ add_question(dns_message_t *message, dns_name_t *name,
 ISC_LIST_APPEND(name->list, rdataset, link);
 }
-/*
+/*%
 * Check if we're done with all the queued lookups, which is true iff
 * all sockets, sends, and recvs are accounted for (counters == 0),
 * and the lookup list is empty.
@@ -1163,7 +1229,7 @@ check_if_done(void) {
 }
 }
-/*
+/*%
 * Clear out a query when we're done with it. WARNING: This routine
 * WILL invalidate the query pointer.
 */
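Review bot: `rdatalist->ttl = edns << 16;` in add_opt does not confine `edns` to the 8-bit EDNS version field: the parameter is an isc_uint16_t, so any value above 255 is shifted into bits 24–31 of the OPT TTL, which carry the extended RCODE, and the shift itself is performed on a promoted signed int. The documentation hunk earlier on this page says valid values are 0 to 255, but nothing in add_opt enforces that, so either `rdatalist->ttl = ((isc_uint32_t)edns & 0xff) << 16;` or a `REQUIRE(edns <= 255);` at the top of the function would pin the contract in the code rather than in the caller. The header comment kept by the previous hunk (`Currently, the only supported options are UDP buffer size and the DO bit.`) is now stale and should mention the EDNS version as well. add_opt's body continues between and beyond both hunks.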
@@ -1202,7 +1268,7 @@ clear_query(dig_query_t *query) {
 isc_mem_free(mctx, query);
 }
-/*
+/*%
 * Try and clear out a lookup if we're done with it. Return ISC_TRUE if
 * the lookup was successfully cleared. If ISC_TRUE is returned, the
 * lookup pointer has been invalidated.
@@ -1260,7 +1326,7 @@ try_clear_lookup(dig_lookup_t *lookup) {
 return (ISC_TRUE);
 }
-/*
+/*%
 * If we can, start the next lookup in the queue running.
 * This assumes that the lookup on the head of the queue hasn't been
 * started yet. It also removes the lookup from the head of the queue,
@@ -1336,7 +1402,7 @@ start_lookup(void) {
 current_lookup->qrdtype_sigchase = current_lookup->qrdtype;
 current_lookup->qrdtype = dns_rdatatype_ns;
-
+
 current_lookup->rdclass_sigchase = current_lookup->rdclass;
 current_lookup->rdclass_sigchaseset
@@ -1373,7 +1439,7 @@ start_lookup(void) {
 }
 }
-/*
+/*%
 * If we can, clear the current lookup and start the next one running.
 * This calls try_clear_lookup, so may invalidate the lookup pointer.
 */
@@ -1394,7 +1460,7 @@ check_next_lookup(dig_lookup_t *lookup) {
 }
 }
-/*
+/*%
 * Create and queue a new lookup as a followup to the current lookup,
 * based on the supplied message and section. This is used in trace and
 * name server search modes to start a new lookup using servers from
@@ -1411,6 +1477,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 isc_result_t result;
 isc_boolean_t success = ISC_FALSE;
 int numLookups = 0;
+ dns_name_t *domain;
+ isc_boolean_t horizontal = ISC_FALSE, bad = ISC_FALSE;
 INSIST(!free_now);
@@ -1437,6 +1505,26 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 debug("found NS set");
+ if (query->lookup->trace && !query->lookup->trace_root) {
+ dns_namereln_t namereln;
+ unsigned int nlabels;
+ int order;
+
+ domain = dns_fixedname_name(&query->lookup->fdomain);
+ namereln = dns_name_fullcompare(name, domain,
+ &order, &nlabels);
+ if (namereln == dns_namereln_equal) {
+ if (!horizontal)
+ printf(";; BAD (HORIZONTAL) REFERRAL\n");
+ horizontal = ISC_TRUE;
+ } else if (namereln != dns_namereln_subdomain) {
+ if (!bad)
+ printf(";; BAD REFERRAL\n");
+ bad = ISC_TRUE;
+ continue;
+ }
+ }
+
 for (result = dns_rdataset_first(rdataset);
 result == ISC_R_SUCCESS;
 result = dns_rdataset_next(rdataset)) {
@@ -1474,6 +1562,9 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 lookup->trace_root = ISC_FALSE;
 if (lookup->ns_search_only)
 lookup->recurse = ISC_FALSE;
+ dns_fixedname_init(&lookup->fdomain);
+ domain = dns_fixedname_name(&lookup->fdomain);
+ dns_name_copy(name, domain, NULL);
 }
 srv = make_server(namestr, namestr);
 debug("adding server %s", srv->servername);
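Review bot: The referral check treats its two failure modes differently without saying why: a referral to the same name (`namereln == dns_namereln_equal`) is reported but the NS set is still followed, while any other non-subdomain relation is reported and skipped with `continue`. A comment above the `if` would save the next reader from re-deriving that intent, e.g. `/* A referral back to the current zone is reported but still followed; a referral outside the delegated subtree is ignored. */`. Note also that `domain` is read from `query->lookup->fdomain`, which this patch initialises only for followup lookups in the second hunk, so the `!query->lookup->trace_root` guard is what keeps the initial trace lookup (whose fdomain is presumably never initialised) out of this code; that dependency is worth a word in the same comment. followup_lookup begins before and ends after these hunks.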
@@ -1487,10 +1578,32 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 (query->lookup->trace || query->lookup->ns_search_only))
 return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
- return numLookups;
+ /*
+ * Randomize the order the nameserver will be tried.
+ */
+ if (numLookups > 1) {
+ isc_uint32_t i, j;
+ dig_serverlist_t my_server_list;
+
+ ISC_LIST_INIT(my_server_list);
+
+ for (i = numLookups; i > 0; i--) {
+ isc_random_get(&j);
+ j %= i;
+ srv = ISC_LIST_HEAD(lookup->my_server_list);
+ while (j-- > 0)
+ srv = ISC_LIST_NEXT(srv, link);
+ ISC_LIST_DEQUEUE(lookup->my_server_list, srv, link);
+ ISC_LIST_APPEND(my_server_list, srv, link);
+ }
+ ISC_LIST_APPENDLIST(lookup->my_server_list,
+ my_server_list, link);
+ }
+
+ return (numLookups);
 }
-/*
+/*%
 * Create and queue a new lookup using the next origin from the search
 * list, read in setup_system().
 *
@@ -1499,6 +1612,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 static isc_boolean_t
 next_origin(dns_message_t *msg, dig_query_t *query) {
 dig_lookup_t *lookup;
+ dig_searchlist_t *search;
 UNUSED(msg);
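Review bot: The shuffle walks `lookup->my_server_list` by a random offset `j < i` without ever checking that `srv` is non-NULL, so it is correct only while `numLookups` equals the number of entries actually on that list; that invariant is established by the server-adding loop outside this hunk, so an `INSIST(srv != NULL);` after the `while` loop would make it explicit and turn a future mismatch into a clean assertion instead of a NULL dereference inside ISC_LIST_DEQUEUE. `isc_random_get` followed by `j %= i` has the usual modulo bias, which is harmless for ordering referral servers in a diagnostic tool but worth stating so the idiom is not copied where uniformity matters; the comment could read `Randomize the order in which the referred name servers are tried (not uniform; order only).`. followup_lookup starts outside the hunk.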
@@ -1513,18 +1627,27 @@ next_origin(dns_message_t *msg, dig_query_t *query) {
 * about finding the next entry.
 */
 return (ISC_FALSE);
- if (query->lookup->origin == NULL)
+ if (query->lookup->origin == NULL && !query->lookup->need_search)
 /*
 * Then we just did rootorg; there's nothing left.
 */
 return (ISC_FALSE);
- lookup = requeue_lookup(query->lookup, ISC_TRUE);
- lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
+ if (query->lookup->origin == NULL && query->lookup->need_search) {
+ lookup = requeue_lookup(query->lookup, ISC_TRUE);
+ lookup->origin = ISC_LIST_HEAD(search_list);
+ lookup->need_search = ISC_FALSE;
+ } else {
+ search = ISC_LIST_NEXT(query->lookup->origin, link);
+ if (search == NULL && query->lookup->done_as_is)
+ return (ISC_FALSE);
+ lookup = requeue_lookup(query->lookup, ISC_TRUE);
+ lookup->origin = search;
+ }
 cancel_lookup(query->lookup);
 return (ISC_TRUE);
 }
-/*
+/*%
 * Insert an SOA record into the sendmessage in a lookup. Used for
 * creating IXFR queries.
 */
@@ -1590,7 +1713,7 @@ insert_soa(dig_lookup_t *lookup) {
 dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
 }
-/*
+/*%
 * Setup the supplied lookup structure, making it ready to start sending
 * queries to servers. Create and initialize the message to be sent as
 * well as the query structures and buffer space for the replies. If the
@@ -1606,6 +1729,15 @@ setup_lookup(dig_lookup_t *lookup) {
 isc_buffer_t b;
 dns_compress_t cctx;
 char store[MXNAME];
+#ifdef WITH_IDN
+ idn_result_t mr;
+ char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
+#endif
+
+#ifdef WITH_IDN
+ result = dns_name_settotextfilter(output_filter);
+ check_result(result, "dns_name_settotextfilter");
+#endif
 REQUIRE(lookup != NULL);
 INSIST(!free_now);
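Review bot: In the setup_lookup hunk the `#ifdef WITH_IDN` call to `dns_name_settotextfilter(output_filter)` runs before `REQUIRE(lookup != NULL)` and `INSIST(!free_now)`, so executable work now precedes the function's precondition checks, and the two adjacent `#ifdef WITH_IDN` blocks could be a single one. Moving the filter installation below the INSIST (or into the initialize_idn() call that the setup_system hunk adds, if the filter only needs installing once — not visible here) keeps the checks first: `INSIST(!free_now);` / `#ifdef WITH_IDN` / `result = dns_name_settotextfilter(output_filter);`. In the next_origin hunk on the same line, the `else` branch passes `query->lookup->origin` to ISC_LIST_NEXT, which is safe only because both `origin == NULL` cases are returned from or handled above; a one-line `/* origin != NULL here */` would save the next reader that derivation. setup_lookup continues beyond this hunk.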
@@ -1634,6 +1766,17 @@ setup_lookup(dig_lookup_t *lookup) { isc_buffer_init(&lookup->onamebuf, lookup->onamespace, sizeof(lookup->onamespace)); +#ifdef WITH_IDN + /* + * We cannot convert `textname' and `origin' separately. + * `textname' doesn't contain TLD, but local mapping needs + * TLD. + */ + mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname, + utf8_textname, sizeof(utf8_textname)); + idn_check_result(mr, "convert textname to UTF-8"); +#endif + /* * If the name has too many dots, force the origin to be NULL * (which produces an absolute lookup). Otherwise, take the origin 
@@ -1641,12 +1784,43 @@ setup_lookup(dig_lookup_t *lookup) { * take the first entry in the searchlist iff either usesearch * is TRUE or we got a domain line in the resolv.conf file. */ - /* XXX New search here? */ - if ((count_dots(lookup->textname) >= ndots) || !usesearch) - lookup->origin = NULL; /* Force abs lookup */ - else if (lookup->origin == NULL && lookup->new_search && usesearch) - lookup->origin = ISC_LIST_HEAD(search_list); + if (lookup->new_search) { +#ifdef WITH_IDN + if ((count_dots(utf8_textname) >= ndots) || !usesearch) { + lookup->origin = NULL; /* Force abs lookup */ + lookup->done_as_is = ISC_TRUE; + lookup->need_search = usesearch; + } else if (lookup->origin == NULL && usesearch) { + lookup->origin = ISC_LIST_HEAD(search_list); + lookup->need_search = ISC_FALSE; + } +#else + if ((count_dots(lookup->textname) >= ndots) || !usesearch) { + lookup->origin = NULL; /* Force abs lookup */ + lookup->done_as_is = ISC_TRUE; + lookup->need_search = usesearch; + } else if (lookup->origin == NULL && usesearch) { + lookup->origin = ISC_LIST_HEAD(search_list); + lookup->need_search = ISC_FALSE; + } +#endif + } +#ifdef WITH_IDN + if (lookup->origin != NULL) { + mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, + lookup->origin->origin, utf8_origin, + sizeof(utf8_origin)); + idn_check_result(mr, "convert origin to UTF-8"); + mr = append_textname(utf8_textname, utf8_origin, + sizeof(utf8_textname)); + idn_check_result(mr, "append origin to textname"); + } + mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK | + IDN_IDNCONV | IDN_LENCHECK, utf8_textname, + idn_textname, sizeof(idn_textname)); + idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); +#else if (lookup->origin != NULL) { debug("trying origin %s", lookup->origin->origin); result = dns_message_gettempname(lookup->sendmsg, 
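Review bot: The two arms of `#ifdef WITH_IDN` inside `if (lookup->new_search)` are identical except for the name handed to count_dots(), so the search-list decision (origin, done_as_is, need_search) is now maintained twice and the copies can drift. Select the name once under the ifdef and keep a single copy of the logic, as below; the IDN origin/textname conversion that follows is unchanged. setup_lookup's body continues outside the hunk.
```c
	if (lookup->new_search) {
#ifdef WITH_IDN
		const char *dotsname = utf8_textname;
#else
		const char *dotsname = lookup->textname;
#endif
		if ((count_dots(dotsname) >= ndots) || !usesearch) {
			lookup->origin = NULL; /* Force abs lookup */
			lookup->done_as_is = ISC_TRUE;
			lookup->need_search = usesearch;
		} else if (lookup->origin == NULL && usesearch) {
			lookup->origin = ISC_LIST_HEAD(search_list);
			lookup->need_search = ISC_FALSE;
		}
	}
	/* … unchanged: WITH_IDN origin/textname conversion … */
```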
@@ -1687,11 +1861,22 @@ setup_lookup(dig_lookup_t *lookup) { lookup->textname, isc_result_totext(result)); } dns_message_puttempname(lookup->sendmsg, &lookup->oname); - } else { + } else +#endif + { debug("using root origin"); if (lookup->trace && lookup->trace_root) dns_name_clone(dns_rootname, lookup->name); else { +#ifdef WITH_IDN + len = strlen(idn_textname); + isc_buffer_init(&b, idn_textname, len); + isc_buffer_add(&b, len); + result = dns_name_fromtext(lookup->name, &b, + dns_rootname, + ISC_FALSE, + &lookup->namebuf); +#else len = strlen(lookup->textname); isc_buffer_init(&b, lookup->textname, len); isc_buffer_add(&b, len); @@ -1699,6 +1884,7 @@ setup_lookup(dig_lookup_t *lookup) { dns_rootname, ISC_FALSE, &lookup->namebuf); +#endif } if (result != ISC_R_SUCCESS) { dns_message_puttempname(lookup->sendmsg, @@ -1793,10 +1979,13 @@ setup_lookup(dig_lookup_t *lookup) { result = dns_message_renderbegin(lookup->sendmsg, &cctx, &lookup->renderbuf); check_result(result, "dns_message_renderbegin"); - if (lookup->udpsize > 0 || lookup->dnssec) { + if (lookup->udpsize > 0 || lookup->dnssec || lookup->edns > -1) { if (lookup->udpsize == 0) - lookup->udpsize = 2048; - add_opt(lookup->sendmsg, lookup->udpsize, lookup->dnssec); + lookup->udpsize = 4096; + if (lookup->edns < 0) + lookup->edns = 0; + add_opt(lookup->sendmsg, lookup->udpsize, + lookup->edns, lookup->dnssec); } result = dns_message_rendersection(lookup->sendmsg, @@ -1844,6 +2033,7 @@ setup_lookup(dig_lookup_t *lookup) { query->userarg = serv->userarg; query->rr_count = 0; query->msg_count = 0; + query->byte_count = 0; ISC_LINK_INIT(query, link); ISC_LIST_INIT(query->recvlist); ISC_LIST_INIT(query->lengthlist); 
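Review bot: In the EDNS hunk (`@@ -1793`), `lookup->udpsize = 4096;` silently changes the advertised EDNS UDP buffer default from 2048 with neither a named constant nor a comment, and since this is the size the client tells servers it can receive it affects response sizes and fragmentation on the wire; give it a name (say a file-level `#define` for the default EDNS UDP size) and a one-line rationale. The guard `lookup->edns > -1` and the following `if (lookup->edns < 0)` express the same threshold two ways; `lookup->edns >= 0` in the first keeps them consistent. add_opt()'s changed signature (new `edns` argument) is defined outside this chunk, so I cannot confirm the argument order here.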
@@ -1862,12 +2052,13 @@ setup_lookup(dig_lookup_t *lookup) { } /* XXX qrflag, print_query, etc... */ if (!ISC_LIST_EMPTY(lookup->q) && qr) { + extrabytes = 0; printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg, ISC_TRUE); } } -/* +/*% * Event handler for send completion. Track send counter, and clear out * the query if the send was canceled. */ @@ -1914,7 +2105,7 @@ send_done(isc_task_t *_task, isc_event_t *event) { UNLOCK_LOOKUP; } -/* +/*% * Cancel a lookup, sending isc_socket_cancel() requests to all outstanding * IO sockets. The cancel handlers should take care of cleaning up the * query and lookup structures @@ -1976,7 +2167,7 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) { static void connect_done(isc_task_t *task, isc_event_t *event); -/* +/*% * Unlike send_udp, this can't be called multiple times with the same * query. When we retry TCP, we requeue the whole lookup, which should * start anew. @@ -2045,7 +2236,7 @@ send_tcp_connect(dig_query_t *query) { } } -/* +/*% * Send a UDP packet to the remote nameserver, possible starting the * recv action as well. Also make sure that the timer is running and * is properly reset. @@ -2106,7 +2297,7 @@ send_udp(dig_query_t *query) { sendcount++; } -/* +/*% * IO timeout handler, used for both connect and recv timeouts. If * retries are still allowed, either resend the UDP packet or queue a * new TCP lookup. Otherwise, cancel the lookup. @@ -2165,7 +2356,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { UNLOCK_LOOKUP; } -/* +/*% * Event handler for the TCP recv which gets the length header of TCP * packets. Start the next recv of length bytes. */ @@ -2249,7 +2440,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) { UNLOCK_LOOKUP; } -/* +/*% * For transfers that involve multiple recvs (XFR's in particular), * launch the next recv. */ 
@@ -2308,7 +2499,7 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) { return; } -/* +/*% * Event handler for TCP connect complete. Make sure the connection was * successful, then pass into launch_next_query to actually send the * question. @@ -2388,7 +2579,7 @@ connect_done(isc_task_t *task, isc_event_t *event) { UNLOCK_LOOKUP; } -/* +/*% * Check if the ongoing XFR needs more data before it's complete, using * the semantics of IXFR and AXFR protocols. Much of the complexity of * this routine comes from determining when an IXFR is complete. @@ -2416,6 +2607,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg, */ query->msg_count++; + query->byte_count += sevent->n; result = dns_message_firstname(msg, DNS_SECTION_ANSWER); if (result != ISC_R_SUCCESS) { puts("; Transfer failed."); @@ -2531,7 +2723,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg, return (ISC_TRUE); } -/* +/*% * Event handler for recv complete. Perform whatever actions are necessary, * based on the specifics of the user's request. */ 
@@ -2616,36 +2808,25 @@ recv_done(isc_task_t *task, isc_event_t *event) { } if (!l->tcp_mode && - !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) { + !isc_sockaddr_compare(&sevent->address, &query->sockaddr, + ISC_SOCKADDR_CMPADDR| + ISC_SOCKADDR_CMPPORT| + ISC_SOCKADDR_CMPSCOPE| + ISC_SOCKADDR_CMPSCOPEZERO)) { char buf1[ISC_SOCKADDR_FORMATSIZE]; char buf2[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_t any; - if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) + if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) isc_sockaddr_any(&any); else isc_sockaddr_any6(&any); -#ifdef ISC_PLATFORM_HAVESCOPEID /* - * Accept answers from any scope if we havn't specified the - * scope as long as the address and port match. - */ - if (isc_sockaddr_pf(&query->sockaddr) == AF_INET6 && - query->sockaddr.type.sin6.sin6_scope_id == 0 && - memcmp(&sevent->address.type.sin6.sin6_addr, - &query->sockaddr.type.sin6.sin6_addr, - sizeof(query->sockaddr.type.sin6.sin6_addr)) == 0 && - isc_sockaddr_getport(&sevent->address) == - isc_sockaddr_getport(&query->sockaddr)) - /* empty */; - else -#endif - /* - * We don't expect a match above when the packet is - * sent to 0.0.0.0, :: or to a multicast addresses. - * XXXMPA broadcast needs to be handled here as well. - */ + * We don't expect a match when the packet is + * sent to 0.0.0.0, :: or to a multicast addresses. + * XXXMPA broadcast needs to be handled here as well. + */ if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) && !isc_sockaddr_ismulticast(&query->sockaddr)) || isc_sockaddr_getport(&query->sockaddr) != @@ -2695,6 +2876,9 @@ recv_done(isc_task_t *task, isc_event_t *event) { "(< header size) message received\n"); } + if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0) + printf(";; Warning: query response not set\n"); + if (!match) { isc_buffer_invalidate(&query->recvbuf); isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE); 
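Review bot: The new isc_sockaddr_compare() call with ISC_SOCKADDR_CMPSCOPEZERO replaces the removed comment that explained why a reply from any IPv6 scope is accepted when the query did not specify one, so that relaxation is now only implicit in a flag name. This is the check that decides whether a UDP reply is attributed to the server it was sent to, so keep a short comment above the call, e.g. `/* CMPSCOPEZERO: a zero scope on our side matches any scope in the reply (see the pre-2006 scope check) */`, after confirming the flag's semantics in isc/sockaddr.h. recv_done's body continues outside the hunk.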
@@ -2761,8 +2945,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { UNLOCK_LOOKUP; return; } - if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 - && !l->ignore && !l->tcp_mode) { + if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 && + !l->ignore && !l->tcp_mode) { printf(";; Truncated, retrying in TCP mode.\n"); n = requeue_lookup(l, ISC_TRUE); n->tcp_mode = ISC_TRUE; @@ -2775,7 +2959,9 @@ recv_done(isc_task_t *task, isc_event_t *event) { UNLOCK_LOOKUP; return; } - if (msg->rcode == dns_rcode_servfail && !l->servfail_stops) { + if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) || + (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse)) + { dig_query_t *next = ISC_LIST_NEXT(query, link); if (l->current_query == query) l->current_query = NULL; @@ -2793,9 +2979,13 @@ recv_done(isc_task_t *task, isc_event_t *event) { */ if ((ISC_LIST_HEAD(l->q) != query) || (ISC_LIST_NEXT(query, link) != NULL)) { - printf(";; Got SERVFAIL reply from %s, " - "trying next server\n", - query->servname); + if( l->comments == ISC_TRUE ) + printf(";; Got %s from %s, " + "trying next server\n", + msg->rcode == dns_rcode_servfail ? + "SERVFAIL reply" : + "recursion not available", + query->servname); clear_query(query); check_next_lookup(l); dns_message_destroy(&msg); @@ -2822,6 +3012,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { check_result(result,"dns_message_getquerytsig"); } + extrabytes = isc_buffer_remaininglength(b); + debug("after parse"); if (l->doing_xfr && l->xfr_q == NULL) { l->xfr_q = query; @@ -2856,8 +3048,9 @@ recv_done(isc_task_t *task, isc_event_t *event) { } if (!l->doing_xfr || l->xfr_q == query) { - if (msg->rcode != dns_rcode_noerror && l->origin != NULL) { - if (!next_origin(msg, query)) { + if (msg->rcode != dns_rcode_noerror && + (l->origin != NULL || l->need_search)) { + if (!next_origin(msg, query) || showsearch) { printmessage(query, msg, ISC_TRUE); received(b->used, &sevent->address, query); } 
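Review bot: `if( l->comments == ISC_TRUE )` in the `@@ -2793` hunk compares a boolean against ISC_TRUE and departs from the file's `if (cond)` spacing; write it as `if (l->comments)`. In the `@@ -2775` hunk the opening brace of the widened condition sits on its own line, unlike every other `if (...) {` in recv_done; since that condition now also covers "recursion not available" when `check_ra` is set, a comment naming the two cases would help the reader connect it to the message printed further down. recv_done's body continues outside these hunks.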
@@ -2891,7 +3084,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (l->trace_root) { /* - * This is the initial NS query. + * This is the initial NS query. */ int n; @@ -2906,7 +3099,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (!do_sigchase) #endif printmessage(query, msg, ISC_TRUE); - } + } #ifdef DIG_SIGCHASE if (do_sigchase) { chase_msg = isc_mem_allocate(mctx, @@ -2925,13 +3118,13 @@ recv_done(isc_task_t *task, isc_event_t *event) { isc_buffer_usedregion(b, &r); result = isc_buffer_allocate(mctx, &buf, r.length); - + check_result(result, "isc_buffer_allocate"); result = isc_buffer_copyregion(buf, &r); check_result(result, "isc_buffer_copyregion"); - + result = dns_message_parse(msg_temp, buf, 0); - + isc_buffer_free(&buf); chase_msg->msg = msg_temp; @@ -2946,11 +3139,10 @@ recv_done(isc_task_t *task, isc_event_t *event) { chase_msg2->msg = msg; } #endif - } - + #ifdef DIG_SIGCHASE - if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) { + if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) { sigchase(msg_temp); } #endif @@ -3009,7 +3201,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { UNLOCK_LOOKUP; } -/* +/*% * Turn a name into an address, using system-supplied routines. This is * used in looking up server names, etc... and needs to use system-supplied * routines, since they may be using a non-DNS system for these lookups. @@ -3028,7 +3220,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) { INSIST(count == 1); } -/* +/*% * Initiate either a TCP or UDP lookup */ void @@ -3044,7 +3236,7 @@ do_lookup(dig_lookup_t *lookup) { send_udp(ISC_LIST_HEAD(lookup->q)); } -/* +/*% * Start everything in action upon task startup. */ void @@ -3057,7 +3249,7 @@ onrun_callback(isc_task_t *task, isc_event_t *event) { UNLOCK_LOOKUP; } -/* +/*% * Make everything on the lookup queue go away. Mainly used by the * SIGINT handler. */ 
@@ -3101,16 +3293,19 @@ cancel_all(void) { UNLOCK_LOOKUP; } -/* +/*% * Destroy all of the libs we are using, and get everything ready for a * clean shutdown. */ void destroy_libs(void) { -#ifdef DIG_SIGCHASE +#ifdef DIG_SIGCHASE void * ptr; dig_message_t *chase_msg; #endif +#ifdef WITH_IDN + isc_result_t result; +#endif debug("destroy_libs()"); if (global_task != NULL) { @@ -3142,6 +3337,13 @@ destroy_libs(void) { flush_server_list(); clear_searchlist(); + +#ifdef WITH_IDN + result = dns_name_settotextfilter(NULL); + check_result(result, "dns_name_settotextfilter"); +#endif + dns_name_destroy(); + if (commctx != NULL) { debug("freeing commctx"); isc_mempool_destroy(&commctx); 
@@ -3218,8 +3420,104 @@ destroy_libs(void) { isc_mem_destroy(&mctx); } +#ifdef WITH_IDN +static void +initialize_idn(void) { + idn_result_t r; + isc_result_t result; + +#ifdef HAVE_SETLOCALE + /* Set locale */ + (void)setlocale(LC_ALL, ""); +#endif + /* Create configuration context. */ + r = idn_nameinit(1); + if (r != idn_success) + fatal("idn api initialization failed: %s", + idn_result_tostring(r)); + + /* Set domain name -> text post-conversion filter. */ + result = dns_name_settotextfilter(output_filter); + check_result(result, "dns_name_settotextfilter"); +} + +static isc_result_t +output_filter(isc_buffer_t *buffer, unsigned int used_org, + isc_boolean_t absolute) +{ + char tmp1[MAXDLEN], tmp2[MAXDLEN]; + size_t fromlen, tolen; + isc_boolean_t end_with_dot; + + /* + * Copy contents of 'buffer' to 'tmp1', supply trailing dot + * if 'absolute' is true, and terminate with NUL. + */ + fromlen = isc_buffer_usedlength(buffer) - used_org; + if (fromlen >= MAXDLEN) + return (ISC_R_SUCCESS); + memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen); + end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE; + if (absolute && !end_with_dot) { + fromlen++; + if (fromlen >= MAXDLEN) + return (ISC_R_SUCCESS); + tmp1[fromlen - 1] = '.'; + } + tmp1[fromlen] = '\0'; + + /* + * Convert contents of 'tmp1' to local encoding. + */ + if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success) + return (ISC_R_SUCCESS); + strcpy(tmp1, tmp2); + + /* + * Copy the converted contents in 'tmp1' back to 'buffer'. + * If we have appended trailing dot, remove it. 
+ */ + tolen = strlen(tmp1); + if (absolute && !end_with_dot && tmp1[tolen - 1] == '.') + tolen--; + + if (isc_buffer_length(buffer) < used_org + tolen) + return (ISC_R_NOSPACE); + + isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org); + memcpy(isc_buffer_used(buffer), tmp1, tolen); + isc_buffer_add(buffer, tolen); + + return (ISC_R_SUCCESS); +} + +static idn_result_t +append_textname(char *name, const char *origin, size_t namesize) { + size_t namelen = strlen(name); + size_t originlen = strlen(origin); + + /* Already absolute? */ + if (namelen > 0 && name[namelen - 1] == '.') + return idn_success; + /* Append dot and origin */ + if (namelen + 1 + originlen >= namesize) + return idn_buffer_overflow; + + name[namelen++] = '.'; + (void)strcpy(name + namelen, origin); + return idn_success; +} + +static void +idn_check_result(idn_result_t r, const char *msg) { + if (r != idn_success) { + exitcode = 1; + fatal("%s: %s", msg, idn_result_tostring(r)); + } +} +#endif /* WITH_IDN */ #ifdef DIG_SIGCHASE void @@ -3247,12 +3545,12 @@ void dump_database_section(dns_message_t *msg, int section) { dns_name_t *msg_name=NULL; - + dns_rdataset_t *rdataset; do { dns_message_currentname(msg, section, &msg_name); - + for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { dns_name_print(msg_name, stdout); @@ -3271,15 +3569,15 @@ dump_database(void) { for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL; msg = ISC_LIST_NEXT(msg, link)) { if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_ANSWER); - + if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_AUTHORITY); if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL); } } 
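Review bot: output_filter() indexes `tmp1[fromlen - 1]` immediately after computing `fromlen = isc_buffer_usedlength(buffer) - used_org`, so a zero-length region (used length equal to `used_org`) makes `fromlen - 1` wrap to SIZE_MAX and reads outside the stack buffer; the same pattern recurs at `tmp1[tolen - 1]` if idn_decodename() yields an empty string. Change the first guard to `if (fromlen == 0 || fromlen >= MAXDLEN) return (ISC_R_SUCCESS);` and the later test to `if (tolen > 0 && absolute && !end_with_dot && tmp1[tolen - 1] == '.')`. The early returns with ISC_R_SUCCESS leave the name unconverted, which is presumably the intended fallback to the raw form, but a comment saying so would stop a later reader from treating them as swallowed errors. The function is complete within the hunk.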
@@ -3347,7 +3645,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) { dns_rdataset_t *rdataset = NULL; dig_message_t * msg; - + for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL; msg = ISC_LIST_NEXT(msg, link)) { if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) @@ -3440,7 +3738,7 @@ insert_trustedkey(dst_key_t * key) return; tk_list.key[tk_list.nb_tk++] = key; - return; + return; } void @@ -3463,7 +3761,7 @@ char alphnum[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; isc_result_t -removetmpkey(isc_mem_t *mctx, const char *file) +removetmpkey(isc_mem_t *mctx, const char *file) { char *tempnamekey = NULL; int tempnamekeylen; @@ -3476,7 +3774,7 @@ removetmpkey(isc_mem_t *mctx, const char *file) return (ISC_R_NOMEMORY); memset(tempnamekey, 0, tempnamekeylen); - + strcat(tempnamekey, file); strcat(tempnamekey,".key"); isc_file_remove(tempnamekey); @@ -3516,14 +3814,14 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { isc_mem_free(mctx, tempname); return (ISC_R_FAILURE); } - + x = cp--; while (cp >= tempname && *cp == 'X') { isc_random_get(&which); *cp = alphnum[which % (sizeof(alphnum) - 1)]; x = cp--; } - + tempnamekeylen = tempnamelen+5; tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); if (tempnamekey == NULL) @@ -3533,7 +3831,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { strncpy(tempnamekey, tempname, tempnamelen); strcat(tempnamekey ,".key"); - + if (isc_file_exists(tempnamekey)) { isc_mem_free(mctx, tempnamekey); isc_mem_free(mctx, tempname); @@ -3568,7 +3866,7 @@ get_trusted_key(isc_mem_t *mctx) char buf[1500]; FILE *fp, *fptemp; dst_key_t *key = NULL; - + result = isc_file_exists(trustedkey); if (result != ISC_TRUE) { result = isc_file_exists("/etc/trusted-key.key"); 
@@ -3646,11 +3944,11 @@ nameFromString(const char *str, dns_name_t *p_ret) { result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret); check_result(result, "nameFromString"); -} +} #if DIG_SIGCHASE_TD -isc_result_t +isc_result_t prepare_lookup(dns_name_t *name) { isc_result_t result; @@ -3668,7 +3966,7 @@ prepare_lookup(dns_name_t *name) lookup->rdtype = lookup->rdtype_sigchase; lookup->rdtypeset = ISC_TRUE; lookup->qrdtype = lookup->qrdtype_sigchase; - + s = ISC_LIST_HEAD(lookup->my_server_list); while (s != NULL) { debug("freeing server %p belonging to %p", @@ -3702,11 +4000,11 @@ prepare_lookup(dns_name_t *name) dns_rdataset_current(chase_nsrdataset, &rdata); (void)dns_rdata_tostruct(&rdata, &ns, NULL); - - - + + + #ifdef __FOLLOW_GLUE__ - + result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_aaaa, dns_rdatatype_any, &true); @@ -3730,12 +4028,12 @@ prepare_lookup(dns_name_t *name) srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } } - + rdataset = NULL; result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a, dns_rdatatype_any, &true); @@ -3757,28 +4055,28 @@ prepare_lookup(dns_name_t *name) isc_buffer_free(&b); dns_rdata_reset(&a); printf("ns name: %s\n", namestr); - + srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } } #else - + dns_name_format(&ns.name, namestr, sizeof(namestr)); printf("ns name: "); dns_name_print(&ns.name, stdout); printf("\n"); srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); -#endif +#endif dns_rdata_freestruct(&ns); dns_rdata_reset(&rdata); - + } ISC_LIST_APPEND(lookup_list, lookup, link); 
@@ -3832,10 +4130,10 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) do { dns_rdataset_current(sigrdataset, &sigrdata); - + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); - + if (dns_name_compare(&siginfo.signer, zone_name) == 0) { dns_rdata_freestruct(&siginfo); dns_rdata_reset(&sigrdata); @@ -3843,7 +4141,7 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) } dns_rdata_freestruct(&siginfo); - + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&sigrdata); @@ -3873,7 +4171,7 @@ initialization(dns_name_t *name) return (ISC_R_SUCCESS); } -#endif +#endif void print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx) @@ -3897,10 +4195,10 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx) } -void +void dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) { - isc_result_t result; - + isc_result_t result; + if (dns_name_dynamic(target)) free_name(target, mctx); result = dns_name_dup(source, mctx, target); @@ -3944,12 +4242,12 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(rdataset, &rdata); INSIST(rdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); - + for (i = 0; i < tk_list.nb_tk; i++) { if (dst_key_compare(tk_list.key[i], dnsseckey) == ISC_TRUE) { @@ -3969,7 +4267,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, } } } - + dns_rdata_reset(&rdata); if (dnsseckey != NULL) dst_key_free(&dnsseckey); @@ -3999,7 +4297,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); 
@@ -4031,22 +4329,22 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, result = dns_rdataset_first(sigrdataset); check_result(result, "empty RRSIG dataset"); dns_rdata_init(&sigrdata); - + do { dns_rdataset_current(sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); - + /* * Test if the id of the DNSKEY is * the id of the DNSKEY signer's */ if (siginfo.keyid == dst_key_id(dnsseckey)) { - + result = dns_rdataset_first(rdataset); check_result(result, "empty DS dataset"); - + result = dns_dnssec_verify(name, rdataset, dnsseckey, ISC_FALSE, mctx, &sigrdata); @@ -4063,7 +4361,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, } } dns_rdata_freestruct(&siginfo); - + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&sigrdata); @@ -4089,18 +4387,18 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_init(&dsrdata); do { dns_rdataset_current(dsrdataset, &dsrdata); - + result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL); check_result(result, "dns_rdata_tostruct for DS"); - + result = dns_rdataset_first(keyrdataset); check_result(result, "empty KEY dataset"); - dns_rdata_init(&keyrdata); + dns_rdata_init(&keyrdata); do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); 
@@ -4115,14 +4413,14 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, result = dns_ds_buildrdata(name, &keyrdata, dsinfo.digest_type, dsbuf, &newdsrdata); - dns_rdata_freestruct(&dsinfo); + dns_rdata_freestruct(&dsinfo); if (result != ISC_R_SUCCESS) { dns_rdata_reset(&keyrdata); dns_rdata_reset(&newdsrdata); dns_rdata_reset(&dsrdata); dst_key_free(&dnsseckey); - dns_rdata_freestruct(&dsinfo); + dns_rdata_freestruct(&dsinfo); printf("Oops: impossible to build" " new DS rdata\n"); return (result); @@ -4136,7 +4434,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, printf(";; Now verify that this" " DNSKEY validates the " "DNSKEY RRset\n"); - + result = sigchase_verify_sig_key(name, keyrdataset, dnsseckey, @@ -4147,7 +4445,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_reset(&newdsrdata); dns_rdata_reset(&dsrdata); dst_key_free(&dnsseckey); - + return (result); } } else { @@ -4161,12 +4459,12 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dnsseckey = NULL; } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&keyrdata); - + } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS); #if 0 dns_rdata_reset(&dsrdata); WARNING #endif - + return (ISC_R_NOTFOUND); } @@ -4179,13 +4477,13 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, * ISC_R_SUCCESS: if we found the rrset * ISC_R_NOTFOUND: we do not found the rrset in cache * and we do a query on the net - * ISC_R_FAILURE: rrset not found + * ISC_R_FAILURE: rrset not found */ isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers, isc_boolean_t *lookedup) -{ +{ isc_boolean_t tmplookedup; INSIST(rdataset != NULL); @@ -4260,7 +4558,7 @@ sigchase_td(dns_message_t *msg) } } - + if (have_answer) { chase_rdataset = chase_scanname_section(msg, &chase_name, 
@@ -4320,7 +4618,7 @@ sigchase_td(dns_message_t *msg) chase_dsrdataset, mctx); } - + if (result != ISC_R_SUCCESS) { printf("\n;; chain of trust can't be validated:" " FAILED\n\n"); @@ -4372,7 +4670,7 @@ sigchase_td(dns_message_t *msg) chase_sigrdataset = NULL; have_response = ISC_FALSE; have_delegation_ns = ISC_FALSE; - + dns_name_init(&tmp_name, NULL); result = child_of_zone(&chase_name, &chase_current_name, &tmp_name); @@ -4451,8 +4749,8 @@ sigchase_td(dns_message_t *msg) } chase_keyrdataset = NULL; chase_sigkeyrdataset = NULL; - - + + prepare_lookup(&chase_authority_name); have_response = ISC_FALSE; @@ -4548,7 +4846,7 @@ sigchase_td(dns_message_t *msg) } } -#endif +#endif #if DIG_SIGCHASE_BU @@ -4565,7 +4863,7 @@ getneededrr(dns_message_t *msg) if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) != ISC_R_SUCCESS) { printf(";; NO ANSWERS: %s\n", isc_result_totext(result)); - + if (chase_name.ndata == NULL) return (ISC_R_ADDRNOTAVAIL); } else { @@ -4608,7 +4906,7 @@ getneededrr(dns_message_t *msg) } INSIST(chase_sigrdataset != NULL); - + /* first find the DNSKEY name */ result = dns_rdataset_first(chase_sigrdataset); check_result(result, "empty RRSIG dataset"); @@ -4619,7 +4917,7 @@ getneededrr(dns_message_t *msg) dup_name(&siginfo.signer, &chase_signame, mctx); dns_rdata_freestruct(&siginfo); dns_rdata_reset(&sigrdata); - + /* Do we have a key? */ if (chase_keyrdataset == NULL) { result = advanced_rrsearch(&chase_keyrdataset, @@ -4688,7 +4986,7 @@ getneededrr(dns_message_t *msg) print_rdataset(&chase_signame, chase_dsrdataset, mctx); } } - + if (chase_dsrdataset != NULL) { /* * if there is no RRSIG of DS, @@ -4747,7 +5045,7 @@ sigchase_bu(dns_message_t *msg) dns_name_init(&query_name, NULL); dns_name_init(&rdata_name, NULL); nameFromString(current_lookup->textname, &query_name); - + result = prove_nx(msg, &query_name, current_lookup->rdclass, current_lookup->rdtype, &rdata_name, &rdataset, &sigrdataset); 
@@ -4850,7 +5148,7 @@ sigchase_bu(dns_message_t *msg) chase_sigdsrdataset = NULL; chase_siglookedup = chase_keylookedup = ISC_FALSE; chase_dslookedup = chase_sigdslookedup = ISC_FALSE; - + printf(";; Now, we want to validate the DS : recursive call\n"); sigchase(msg); return; @@ -4943,7 +5241,7 @@ prove_nx_domain(dns_message_t *msg, " validate the non-existence : FAILED\n"); return (ISC_R_FAILURE); } - + do { nsecname = NULL; dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname); @@ -5089,5 +5387,6 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class, rdataset, sigrdataset); return (ret); } + /* Never get here */ } #endif diff --git a/contrib/bind9/bin/dig/host.1 b/contrib/bind9/bin/dig/host.1 index 3a0432c..3149fc6 100644 --- a/contrib/bind9/bin/dig/host.1 +++ b/contrib/bind9/bin/dig/host.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2002 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: host.1,v 1.11.2.1.4.8 2006/06/29 13:02:30 marka Exp $ +.\" $Id: host.1,v 1.14.18.13 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: host .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 
@@ -33,7 +33,7 @@ host \- DNS lookup utility .SH "SYNOPSIS" .HP 5 -\fBhost\fR [\fB\-aCdlnrTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server] +\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server] .SH "DESCRIPTION" .PP \fBhost\fR @@ -179,6 +179,32 @@ is less than one, the wait interval is set to one second. When the option is used, \fBhost\fR will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity. +.PP +The +\fB\-s\fR +option tells +\fBhost\fR +\fInot\fR +to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behaviour. +.PP +The +\fB\-m\fR +can be used to set the memory usage debugging flags +\fIrecord\fR, +\fIusage\fR +and +\fItrace\fR. +.SH "IDN SUPPORT" +.PP +If +\fBhost\fR +has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names. +\fBhost\fR +appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the +\fBIDN_DISABLE\fR +environment variable. The IDN support is disabled if the variable is set when +\fBhost\fR +runs. .SH "FILES" .PP \fI/etc/resolv.conf\fR 
@@ -187,4 +213,7 @@ will effectively wait forever for a reply. The time to wait for a response will \fBdig\fR(1), \fBnamed\fR(8). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2002 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c index 7d8ce9b..f73145c 100644 --- a/contrib/bind9/bin/dig/host.c +++ b/contrib/bind9/bin/dig/host.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.76.2.5.2.16 2006/05/23 04:43:47 marka Exp $ */ +/* $Id: host.c,v 1.94.18.14 2006/05/23 04:40:42 marka Exp $ */ + +/*! \file */ #include <config.h> #include <limits.h> @@ -114,8 +116,8 @@ static void show_usage(void) { fputs( "Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n" -" [-R number] hostname [server]\n" -" -a is equivalent to -v -t *\n" +" [-R number] [-m flag] hostname [server]\n" +" -a is equivalent to -v -t ANY\n" " -c specifies query class for non-IN data\n" " -C compares SOA records on authoritative nameservers\n" " -d is equivalent to -v\n" @@ -124,13 +126,15 @@ show_usage(void) { " -N changes the number of dots allowed before root lookup is done\n" " -r disables recursive processing\n" " -R specifies number of retries for UDP packets\n" +" -s a SERVFAIL response should stop query\n" " -t specifies the query type\n" " -T enables TCP/IP mode\n" " -v enables verbose output\n" " -w specifies to wait forever for a reply\n" " -W specifies how long to wait for a reply\n" " -4 use IPv4 query transport only\n" -" -6 use IPv6 query transport only\n", stderr); +" -6 use IPv6 query transport only\n" +" -m set memory debugging flag (trace|record|usage)\n", stderr); exit(1); } 
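Review bot: The usage synopsis `"Usage: host [-aCdlriTwv] ..."` in the host.c `@@ -114` hunk still omits the new `-s` option even though the per-option list below it and the new optstring include it; update it to `"Usage: host [-aCdlrisTwv] [-c class] [-N ndots] [-t type] [-W time]\n"`. The `-m` description is appended after `-6`, out of the otherwise alphabetical order of the list; placing it after `-l` keeps the list scannable.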
@@ -556,6 +560,52 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { return (result); } +static const char * optstring = "46ac:dilnm:rst:vwCDN:R:TW:"; + +static void +pre_parse_args(int argc, char **argv) { + int c; + + while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) { + switch (c) { + case 'm': + if (strcasecmp("trace", isc_commandline_argument) == 0) + isc_mem_debugging |= ISC_MEM_DEBUGTRACE; + else if (!strcasecmp("record", + isc_commandline_argument) == 0) + isc_mem_debugging |= ISC_MEM_DEBUGRECORD; + else if (strcasecmp("usage", + isc_commandline_argument) == 0) + isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; + break; + + case '4': break; + case '6': break; + case 'a': break; + case 'c': break; + case 'd': break; + case 'i': break; + case 'l': break; + case 'n': break; + case 'r': break; + case 's': break; + case 't': break; + case 'v': break; + case 'w': break; + case 'C': break; + case 'D': break; + case 'N': break; + case 'R': break; + case 'T': break; + case 'W': break; + default: + show_usage(); + } + } + isc_commandline_reset = ISC_TRUE; + isc_commandline_index = 1; +} + static void parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { char hostname[MXNAME]; @@ -572,8 +622,10 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup = make_empty_lookup(); - while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46")) - != EOF) { + lookup->servfail_stops = ISC_FALSE; + lookup->comments = ISC_FALSE; + + while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) { switch (c) { case 'l': lookup->tcp_mode = ISC_TRUE; @@ -657,6 +709,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { case 'n': /* deprecated */ break; + case 'm': + /* Handled by pre_parse_args(). */ + break; case 'w': /* * The timer routines are coded such that 
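Review bot: The `record` comparison in the new pre_parse_args() is inverted: `else if (!strcasecmp("record", isc_commandline_argument) == 0)` parses as `(!strcasecmp(...)) == 0`, which is false exactly when the argument is "record" and true for every other string, so `-m record` sets no flag while `-m usage` (and any misspelled value) sets ISC_MEM_DEBUGRECORD and never reaches the `usage` branch. Drop the negation to match the other two tests: `else if (strcasecmp("record", isc_commandline_argument) == 0)`. Once that is fixed an unrecognized `-m` value is silently ignored; a trailing `else show_usage();` would surface the typo instead of leaving the user to wonder why no debugging output appears. The run of `case '4': break;` through `case 'W': break;` exists only so isc_commandline_parse() accepts the options that parse_args() handles on the second pass, which is not obvious at a glance — a one-line comment above the run saying so would help the next reader.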
@@ -710,6 +765,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { } else fatal("can't find IPv6 networking"); break; + case 's': + lookup->servfail_stops = ISC_TRUE; + break; } } @@ -724,7 +782,8 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { set_nameserver(argv[isc_commandline_index+1]); debug("server is %s", argv[isc_commandline_index+1]); listed_server = ISC_TRUE; - } + } else + check_ra = ISC_TRUE; lookup->pending = ISC_FALSE; if (get_reverse(store, sizeof(store), hostname, @@ -758,6 +817,7 @@ main(int argc, char **argv) { debug("main()"); progname = argv[0]; + pre_parse_args(argc, argv); result = isc_app_start(); check_result(result, "isc_app_start"); setup_libs(); @@ -771,4 +831,3 @@ main(int argc, char **argv) { isc_app_finish(); return ((seen_error == 0) ? 0 : 1); } - diff --git a/contrib/bind9/bin/dig/host.docbook b/contrib/bind9/bin/dig/host.docbook index 2b6e92b..09a306c 100644 --- a/contrib/bind9/bin/dig/host.docbook +++ b/contrib/bind9/bin/dig/host.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
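Review bot: main() now parses the command line twice, but the new `pre_parse_args(argc, argv);` call carries no comment saying why it must come before isc_app_start() and setup_libs(); since the only option the pre-pass acts on is `-m`, which ORs into the global isc_mem_debugging, the ordering presumably matters because those flags must be set before any memory context is created. I would write `pre_parse_args(argc, argv); /* -m only: isc_mem_debugging must be set before setup_libs() allocates anything */`, confirming the exact reason against setup_libs() before committing the wording. The new `} else check_ra = ISC_TRUE;` in parse_args() likewise deserves a short why: it is taken only when no server argument was given, which looks tied to expecting the resolv.conf servers to offer recursion, but that is inferred from the name rather than shown here. Both enclosing functions, parse_args() and main(), start outside their hunks.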
@@ -18,24 +18,29 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: host.docbook,v 1.2.2.2.4.7 2005/05/13 01:22:32 marka Exp $ --> +<!-- $Id: host.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.host"> -<refentry> + <refentryinfo> + <date>Jun 30, 2000</date> + </refentryinfo> -<refentryinfo> -<date>Jun 30, 2000</date> -</refentryinfo> + <refmeta> + <refentrytitle>host</refentrytitle> + <manvolnum>1</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> -<refmeta> -<refentrytitle>host</refentrytitle> -<manvolnum>1</manvolnum> -<refmiscinfo>BIND9</refmiscinfo> -</refmeta> + <refnamediv> + <refname>host</refname> + <refpurpose>DNS lookup utility</refpurpose> + </refnamediv> <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> 
@@ -46,183 +51,227 @@ </copyright> </docinfo> -<refnamediv> -<refname>host</refname> -<refpurpose>DNS lookup utility</refpurpose> -</refnamediv> - -<refsynopsisdiv> -<cmdsynopsis> - <command>host</command> - <arg><option>-aCdlnrTwv</option></arg> - <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> - <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg> - <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg> - <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> - <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg> - <arg><option>-4</option></arg> - <arg><option>-6</option></arg> - <arg choice="req">name</arg> - <arg choice="opt">server</arg> -</cmdsynopsis> -</refsynopsisdiv> - -<refsect1> -<title>DESCRIPTION</title> -<para> -<command>host</command> -is a simple utility for performing DNS lookups. -It is normally used to convert names to IP addresses and vice versa. -When no arguments or options are given, -<command>host</command> -prints a short summary of its command line arguments and options. -</para> - -<para> -<parameter>name</parameter> is the domain name that is to be looked -up. It can also be a dotted-decimal IPv4 address or a colon-delimited -IPv6 address, in which case <command>host</command> will by default -perform a reverse lookup for that address. -<parameter>server</parameter> is an optional argument which is either -the name or IP address of the name server that <command>host</command> -should query instead of the server or servers listed in -<filename>/etc/resolv.conf</filename>. -</para> - -<para> -The <option>-a</option> (all) option is equivalent to setting the -<option>-v</option> option and asking <command>host</command> to make -a query of type ANY. 
-</para> - -<para> -When the <option>-C</option> option is used, <command>host</command> -will attempt to display the SOA records for zone -<parameter>name</parameter> from all the listed authoritative name -servers for that zone. The list of name servers is defined by the NS -records that are found for the zone. -</para> - -<para> -The <option>-c</option> option instructs to make a DNS query of class -<parameter>class</parameter>. This can be used to lookup Hesiod or -Chaosnet class resource records. The default class is IN (Internet). -</para> - -<para> -Verbose output is generated by <command>host</command> when the -<option>-d</option> or <option>-v</option> option is used. The two -options are equivalent. They have been provided for backwards -compatibility. In previous versions, the <option>-d</option> option -switched on debugging traces and <option>-v</option> enabled verbose -output. -</para> - -<para> -List mode is selected by the <option>-l</option> option. This makes -<command>host</command> perform a zone transfer for zone -<parameter>name</parameter>. Transfer the zone printing out the NS, PTR -and address records (A/AAAA). If combined with <option>-a</option> -all records will be printed. -</para> - -<para> -The <option>-i</option> -option specifies that reverse lookups of IPv6 addresses should -use the IP6.INT domain as defined in RFC1886. -The default is to use IP6.ARPA. -</para> - -<para> -The <option>-N</option> option sets the number of dots that have to be -in <parameter>name</parameter> for it to be considered absolute. The -default value is that defined using the ndots statement in -<filename>/etc/resolv.conf</filename>, or 1 if no ndots statement is -present. Names with fewer dots are interpreted as relative names and -will be searched for in the domains listed in the <type>search</type> -or <type>domain</type> directive in -<filename>/etc/resolv.conf</filename>. 
-</para> - -<para> -The number of UDP retries for a lookup can be changed with the -<option>-R</option> option. <parameter>number</parameter> indicates -how many times <command>host</command> will repeat a query that does -not get answered. The default number of retries is 1. If -<parameter>number</parameter> is negative or zero, the number of -retries will default to 1. -</para> - -<para> -Non-recursive queries can be made via the <option>-r</option> option. -Setting this option clears the <type>RD</type> — recursion -desired — bit in the query which <command>host</command> makes. -This should mean that the name server receiving the query will not -attempt to resolve <parameter>name</parameter>. The -<option>-r</option> option enables <command>host</command> to mimic -the behaviour of a name server by making non-recursive queries and -expecting to receive answers to those queries that are usually -referrals to other name servers. -</para> - -<para> -By default <command>host</command> uses UDP when making queries. The -<option>-T</option> option makes it use a TCP connection when querying -the name server. TCP will be automatically selected for queries that -require it, such as zone transfer (AXFR) requests. -</para> - -<para> -The <option>-4</option> option forces <command>host</command> to only -use IPv4 query transport. The <option>-6</option> option forces -<command>host</command> to only use IPv6 query transport. -</para> - -<para> -The <option>-t</option> option is used to select the query type. -<parameter>type</parameter> can be any recognised query type: CNAME, -NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, -<command>host</command> automatically selects an appropriate query -type. 
By default it looks for A records, but if the -<option>-C</option> option was given, queries will be made for SOA -records, and if <parameter>name</parameter> is a dotted-decimal IPv4 -address or colon-delimited IPv6 address, <command>host</command> will -query for PTR records. If a query type of IXFR is chosen the starting -serial number can be specified by appending an equal followed by the -starting serial number (e.g. -t IXFR=12345678). -</para> - -<para> -The time to wait for a reply can be controlled through the -<option>-W</option> and <option>-w</option> options. The -<option>-W</option> option makes <command>host</command> wait for -<parameter>wait</parameter> seconds. If <parameter>wait</parameter> -is less than one, the wait interval is set to one second. When the -<option>-w</option> option is used, <command>host</command> will -effectively wait forever for a reply. The time to wait for a response -will be set to the number of seconds given by the hardware's maximum -value for an integer quantity. -</para> - -</refsect1> - -<refsect1> -<title>FILES</title> -<para> -<filename>/etc/resolv.conf</filename> -</para> -</refsect1> - -<refsect1> -<title>SEE ALSO</title> -<para> -<citerefentry> -<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>. 
-</para> - -</refsect1> -</refentry> + <refsynopsisdiv> + <cmdsynopsis> + <command>host</command> + <arg><option>-aCdlnrsTwv</option></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg> + <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg> + <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> + <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg> + <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg> + <arg><option>-4</option></arg> + <arg><option>-6</option></arg> + <arg choice="req">name</arg> + <arg choice="opt">server</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + + <para><command>host</command> + is a simple utility for performing DNS lookups. + It is normally used to convert names to IP addresses and vice versa. + When no arguments or options are given, + <command>host</command> + prints a short summary of its command line arguments and options. + </para> + + <para><parameter>name</parameter> is the domain name that is to be + looked + up. It can also be a dotted-decimal IPv4 address or a colon-delimited + IPv6 address, in which case <command>host</command> will by + default + perform a reverse lookup for that address. + <parameter>server</parameter> is an optional argument which + is either + the name or IP address of the name server that <command>host</command> + should query instead of the server or servers listed in + <filename>/etc/resolv.conf</filename>. + </para> + + <para> + The <option>-a</option> (all) option is equivalent to setting the + <option>-v</option> option and asking <command>host</command> to make + a query of type ANY. 
+ </para> + + <para> + When the <option>-C</option> option is used, <command>host</command> + will attempt to display the SOA records for zone + <parameter>name</parameter> from all the listed + authoritative name + servers for that zone. The list of name servers is defined by the NS + records that are found for the zone. + </para> + + <para> + The <option>-c</option> option instructs to make a DNS query of class + <parameter>class</parameter>. This can be used to lookup + Hesiod or + Chaosnet class resource records. The default class is IN (Internet). + </para> + + <para> + Verbose output is generated by <command>host</command> when + the + <option>-d</option> or <option>-v</option> option is used. The two + options are equivalent. They have been provided for backwards + compatibility. In previous versions, the <option>-d</option> option + switched on debugging traces and <option>-v</option> enabled verbose + output. + </para> + + <para> + List mode is selected by the <option>-l</option> option. This makes + <command>host</command> perform a zone transfer for zone + <parameter>name</parameter>. Transfer the zone printing out + the NS, PTR + and address records (A/AAAA). If combined with <option>-a</option> + all records will be printed. + </para> + + <para> + The <option>-i</option> + option specifies that reverse lookups of IPv6 addresses should + use the IP6.INT domain as defined in RFC1886. + The default is to use IP6.ARPA. + </para> + + <para> + The <option>-N</option> option sets the number of dots that have to be + in <parameter>name</parameter> for it to be considered + absolute. The + default value is that defined using the ndots statement in + <filename>/etc/resolv.conf</filename>, or 1 if no ndots + statement is + present. Names with fewer dots are interpreted as relative names and + will be searched for in the domains listed in the <type>search</type> + or <type>domain</type> directive in + <filename>/etc/resolv.conf</filename>. 
+ </para> + + <para> + The number of UDP retries for a lookup can be changed with the + <option>-R</option> option. <parameter>number</parameter> + indicates + how many times <command>host</command> will repeat a query + that does + not get answered. The default number of retries is 1. If + <parameter>number</parameter> is negative or zero, the + number of + retries will default to 1. + </para> + + <para> + Non-recursive queries can be made via the <option>-r</option> option. + Setting this option clears the <type>RD</type> — recursion + desired — bit in the query which <command>host</command> makes. + This should mean that the name server receiving the query will not + attempt to resolve <parameter>name</parameter>. The + <option>-r</option> option enables <command>host</command> + to mimic + the behaviour of a name server by making non-recursive queries and + expecting to receive answers to those queries that are usually + referrals to other name servers. + </para> + + <para> + By default <command>host</command> uses UDP when making + queries. The + <option>-T</option> option makes it use a TCP connection when querying + the name server. TCP will be automatically selected for queries that + require it, such as zone transfer (AXFR) requests. + </para> + + <para> + The <option>-4</option> option forces <command>host</command> to only + use IPv4 query transport. The <option>-6</option> option forces + <command>host</command> to only use IPv6 query transport. + </para> + + <para> + The <option>-t</option> option is used to select the query type. + <parameter>type</parameter> can be any recognised query + type: CNAME, + NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, + <command>host</command> automatically selects an appropriate + query + type. 
By default it looks for A records, but if the + <option>-C</option> option was given, queries will be made for SOA + records, and if <parameter>name</parameter> is a + dotted-decimal IPv4 + address or colon-delimited IPv6 address, <command>host</command> will + query for PTR records. If a query type of IXFR is chosen the starting + serial number can be specified by appending an equal followed by the + starting serial number (e.g. -t IXFR=12345678). + </para> + + <para> + The time to wait for a reply can be controlled through the + <option>-W</option> and <option>-w</option> options. The + <option>-W</option> option makes <command>host</command> + wait for + <parameter>wait</parameter> seconds. If <parameter>wait</parameter> + is less than one, the wait interval is set to one second. When the + <option>-w</option> option is used, <command>host</command> + will + effectively wait forever for a reply. The time to wait for a response + will be set to the number of seconds given by the hardware's maximum + value for an integer quantity. + </para> + + <para> + The <option>-s</option> option tells <command>host</command> + <emphasis>not</emphasis> to send the query to the next nameserver + if any server responds with a SERVFAIL response, which is the + reverse of normal stub resolver behaviour. + </para> + + <para> + The <option>-m</option> can be used to set the memory usage debugging + flags + <parameter>record</parameter>, <parameter>usage</parameter> and + <parameter>trace</parameter>. + </para> + </refsect1> + + <refsect1> + <title>IDN SUPPORT</title> + <para> + If <command>host</command> has been built with IDN (internationalized + domain name) support, it can accept and display non-ASCII domain names. + <command>host</command> appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. 
+ If you'd like to turn off the IDN support for some reason, defines + the <envar>IDN_DISABLE</envar> environment variable. + The IDN support is disabled if the variable is set when + <command>host</command> runs. + </para> + </refsect1> + + <refsect1> + <title>FILES</title> + <para><filename>/etc/resolv.conf</filename> + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + + </refsect1> +</refentry><!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/contrib/bind9/bin/dig/host.html b/contrib/bind9/bin/dig/host.html index 4c16215..b370769 100644 --- a/contrib/bind9/bin/dig/host.html +++ b/contrib/bind9/bin/dig/host.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,158 +14,199 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: host.html,v 1.4.2.1.4.14 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: host.html,v 1.7.18.19 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>host</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.host"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p>host — DNS lookup utility</p> </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div> +<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code 
class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549466"></a><h2>DESCRIPTION</h2> -<p> -<span><strong class="command">host</strong></span> -is a simple utility for performing DNS lookups. -It is normally used to convert names to IP addresses and vice versa. -When no arguments or options are given, -<span><strong class="command">host</strong></span> -prints a short summary of its command line arguments and options. -</p> -<p> -<em class="parameter"><code>name</code></em> is the domain name that is to be looked -up. It can also be a dotted-decimal IPv4 address or a colon-delimited -IPv6 address, in which case <span><strong class="command">host</strong></span> will by default -perform a reverse lookup for that address. -<em class="parameter"><code>server</code></em> is an optional argument which is either -the name or IP address of the name server that <span><strong class="command">host</strong></span> -should query instead of the server or servers listed in -<code class="filename">/etc/resolv.conf</code>. -</p> -<p> -The <code class="option">-a</code> (all) option is equivalent to setting the -<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make -a query of type ANY. -</p> -<p> -When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span> -will attempt to display the SOA records for zone -<em class="parameter"><code>name</code></em> from all the listed authoritative name -servers for that zone. The list of name servers is defined by the NS -records that are found for the zone. -</p> -<p> -The <code class="option">-c</code> option instructs to make a DNS query of class -<em class="parameter"><code>class</code></em>. This can be used to lookup Hesiod or -Chaosnet class resource records. 
The default class is IN (Internet). -</p> -<p> -Verbose output is generated by <span><strong class="command">host</strong></span> when the -<code class="option">-d</code> or <code class="option">-v</code> option is used. The two -options are equivalent. They have been provided for backwards -compatibility. In previous versions, the <code class="option">-d</code> option -switched on debugging traces and <code class="option">-v</code> enabled verbose -output. -</p> -<p> -List mode is selected by the <code class="option">-l</code> option. This makes -<span><strong class="command">host</strong></span> perform a zone transfer for zone -<em class="parameter"><code>name</code></em>. Transfer the zone printing out the NS, PTR -and address records (A/AAAA). If combined with <code class="option">-a</code> -all records will be printed. -</p> -<p> -The <code class="option">-i</code> -option specifies that reverse lookups of IPv6 addresses should -use the IP6.INT domain as defined in RFC1886. -The default is to use IP6.ARPA. -</p> -<p> -The <code class="option">-N</code> option sets the number of dots that have to be -in <em class="parameter"><code>name</code></em> for it to be considered absolute. The -default value is that defined using the ndots statement in -<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is -present. Names with fewer dots are interpreted as relative names and -will be searched for in the domains listed in the <span class="type">search</span> -or <span class="type">domain</span> directive in -<code class="filename">/etc/resolv.conf</code>. -</p> -<p> -The number of UDP retries for a lookup can be changed with the -<code class="option">-R</code> option. <em class="parameter"><code>number</code></em> indicates -how many times <span><strong class="command">host</strong></span> will repeat a query that does -not get answered. The default number of retries is 1. 
If -<em class="parameter"><code>number</code></em> is negative or zero, the number of -retries will default to 1. -</p> -<p> -Non-recursive queries can be made via the <code class="option">-r</code> option. -Setting this option clears the <span class="type">RD</span> — recursion -desired — bit in the query which <span><strong class="command">host</strong></span> makes. -This should mean that the name server receiving the query will not -attempt to resolve <em class="parameter"><code>name</code></em>. The -<code class="option">-r</code> option enables <span><strong class="command">host</strong></span> to mimic -the behaviour of a name server by making non-recursive queries and -expecting to receive answers to those queries that are usually -referrals to other name servers. -</p> -<p> -By default <span><strong class="command">host</strong></span> uses UDP when making queries. The -<code class="option">-T</code> option makes it use a TCP connection when querying -the name server. TCP will be automatically selected for queries that -require it, such as zone transfer (AXFR) requests. -</p> -<p> -The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only -use IPv4 query transport. The <code class="option">-6</code> option forces -<span><strong class="command">host</strong></span> to only use IPv6 query transport. -</p> -<p> -The <code class="option">-t</code> option is used to select the query type. -<em class="parameter"><code>type</code></em> can be any recognised query type: CNAME, -NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, -<span><strong class="command">host</strong></span> automatically selects an appropriate query -type. 
By default it looks for A records, but if the -<code class="option">-C</code> option was given, queries will be made for SOA -records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4 -address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will -query for PTR records. If a query type of IXFR is chosen the starting -serial number can be specified by appending an equal followed by the -starting serial number (e.g. -t IXFR=12345678). -</p> -<p> -The time to wait for a reply can be controlled through the -<code class="option">-W</code> and <code class="option">-w</code> options. The -<code class="option">-W</code> option makes <span><strong class="command">host</strong></span> wait for -<em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em> -is less than one, the wait interval is set to one second. When the -<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> will -effectively wait forever for a reply. The time to wait for a response -will be set to the number of seconds given by the hardware's maximum -value for an integer quantity. -</p> +<a name="id2543428"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">host</strong></span> + is a simple utility for performing DNS lookups. + It is normally used to convert names to IP addresses and vice versa. + When no arguments or options are given, + <span><strong class="command">host</strong></span> + prints a short summary of its command line arguments and options. + </p> +<p><em class="parameter"><code>name</code></em> is the domain name that is to be + looked + up. It can also be a dotted-decimal IPv4 address or a colon-delimited + IPv6 address, in which case <span><strong class="command">host</strong></span> will by + default + perform a reverse lookup for that address. 
+ <em class="parameter"><code>server</code></em> is an optional argument which + is either + the name or IP address of the name server that <span><strong class="command">host</strong></span> + should query instead of the server or servers listed in + <code class="filename">/etc/resolv.conf</code>. + </p> +<p> + The <code class="option">-a</code> (all) option is equivalent to setting the + <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make + a query of type ANY. + </p> +<p> + When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span> + will attempt to display the SOA records for zone + <em class="parameter"><code>name</code></em> from all the listed + authoritative name + servers for that zone. The list of name servers is defined by the NS + records that are found for the zone. + </p> +<p> + The <code class="option">-c</code> option instructs to make a DNS query of class + <em class="parameter"><code>class</code></em>. This can be used to lookup + Hesiod or + Chaosnet class resource records. The default class is IN (Internet). + </p> +<p> + Verbose output is generated by <span><strong class="command">host</strong></span> when + the + <code class="option">-d</code> or <code class="option">-v</code> option is used. The two + options are equivalent. They have been provided for backwards + compatibility. In previous versions, the <code class="option">-d</code> option + switched on debugging traces and <code class="option">-v</code> enabled verbose + output. + </p> +<p> + List mode is selected by the <code class="option">-l</code> option. This makes + <span><strong class="command">host</strong></span> perform a zone transfer for zone + <em class="parameter"><code>name</code></em>. Transfer the zone printing out + the NS, PTR + and address records (A/AAAA). If combined with <code class="option">-a</code> + all records will be printed. 
+ </p> +<p> + The <code class="option">-i</code> + option specifies that reverse lookups of IPv6 addresses should + use the IP6.INT domain as defined in RFC1886. + The default is to use IP6.ARPA. + </p> +<p> + The <code class="option">-N</code> option sets the number of dots that have to be + in <em class="parameter"><code>name</code></em> for it to be considered + absolute. The + default value is that defined using the ndots statement in + <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots + statement is + present. Names with fewer dots are interpreted as relative names and + will be searched for in the domains listed in the <span class="type">search</span> + or <span class="type">domain</span> directive in + <code class="filename">/etc/resolv.conf</code>. + </p> +<p> + The number of UDP retries for a lookup can be changed with the + <code class="option">-R</code> option. <em class="parameter"><code>number</code></em> + indicates + how many times <span><strong class="command">host</strong></span> will repeat a query + that does + not get answered. The default number of retries is 1. If + <em class="parameter"><code>number</code></em> is negative or zero, the + number of + retries will default to 1. + </p> +<p> + Non-recursive queries can be made via the <code class="option">-r</code> option. + Setting this option clears the <span class="type">RD</span> — recursion + desired — bit in the query which <span><strong class="command">host</strong></span> makes. + This should mean that the name server receiving the query will not + attempt to resolve <em class="parameter"><code>name</code></em>. The + <code class="option">-r</code> option enables <span><strong class="command">host</strong></span> + to mimic + the behaviour of a name server by making non-recursive queries and + expecting to receive answers to those queries that are usually + referrals to other name servers. 
+ </p> +<p> + By default <span><strong class="command">host</strong></span> uses UDP when making + queries. The + <code class="option">-T</code> option makes it use a TCP connection when querying + the name server. TCP will be automatically selected for queries that + require it, such as zone transfer (AXFR) requests. + </p> +<p> + The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only + use IPv4 query transport. The <code class="option">-6</code> option forces + <span><strong class="command">host</strong></span> to only use IPv6 query transport. + </p> +<p> + The <code class="option">-t</code> option is used to select the query type. + <em class="parameter"><code>type</code></em> can be any recognised query + type: CNAME, + NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, + <span><strong class="command">host</strong></span> automatically selects an appropriate + query + type. By default it looks for A records, but if the + <code class="option">-C</code> option was given, queries will be made for SOA + records, and if <em class="parameter"><code>name</code></em> is a + dotted-decimal IPv4 + address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will + query for PTR records. If a query type of IXFR is chosen the starting + serial number can be specified by appending an equal followed by the + starting serial number (e.g. -t IXFR=12345678). + </p> +<p> + The time to wait for a reply can be controlled through the + <code class="option">-W</code> and <code class="option">-w</code> options. The + <code class="option">-W</code> option makes <span><strong class="command">host</strong></span> + wait for + <em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em> + is less than one, the wait interval is set to one second. 
When the + <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> + will + effectively wait forever for a reply. The time to wait for a response + will be set to the number of seconds given by the hardware's maximum + value for an integer quantity. + </p> +<p> + The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> + <span class="emphasis"><em>not</em></span> to send the query to the next nameserver + if any server responds with a SERVFAIL response, which is the + reverse of normal stub resolver behaviour. + </p> +<p> + The <code class="option">-m</code> can be used to set the memory usage debugging + flags + <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and + <em class="parameter"><code>trace</code></em>. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549874"></a><h2>FILES</h2> -<p> -<code class="filename">/etc/resolv.conf</code> -</p> +<a name="id2543725"></a><h2>IDN SUPPORT</h2> +<p> + If <span><strong class="command">host</strong></span> has been built with IDN (internationalized + domain name) support, it can accept and display non-ASCII domain names. + <span><strong class="command">host</strong></span> appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. + If you'd like to turn off the IDN support for some reason, defines + the <code class="envar">IDN_DISABLE</code> environment variable. + The IDN support is disabled if the variable is set when + <span><strong class="command">host</strong></span> runs. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549886"></a><h2>SEE ALSO</h2> -<p> -<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, -<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. 
-</p> +<a name="id2543748"></a><h2>FILES</h2> +<p><code class="filename">/etc/resolv.conf</code> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543828"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. + </p> </div> </div></body> </html> diff --git a/contrib/bind9/bin/dig/include/dig/dig.h b/contrib/bind9/bin/dig/include/dig/dig.h index 91dae5c..675bb15 100644 --- a/contrib/bind9/bin/dig/include/dig/dig.h +++ b/contrib/bind9/bin/dig/include/dig/dig.h @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.h,v 1.71.2.6.2.14 2006/12/07 01:26:33 marka Exp $ */ +/* $Id: dig.h,v 1.82.18.19 2006/12/07 06:08:02 marka Exp $ */ #ifndef DIG_H #define DIG_H +/*! \file */ + #include <dns/rdatalist.h> #include <dst/dst.h> @@ -38,29 +40,36 @@ #define MXSERV 20 #define MXNAME (DNS_NAME_MAXTEXT+1) #define MXRD 32 +/*% Buffer Size */ #define BUFSIZE 512 #define COMMSIZE 0xffff #ifndef RESOLV_CONF +/*% location of resolve.conf */ #define RESOLV_CONF "/etc/resolv.conf" #endif +/*% output buffer */ #define OUTPUTBUF 32767 +/*% Max RR Limit */ #define MAXRRLIMIT 0xffffffff #define MAXTIMEOUT 0xffff +/*% Max number of tries */ #define MAXTRIES 0xffffffff +/*% Max number of dots */ #define MAXNDOTS 0xffff +/*% Max number of ports */ #define MAXPORT 0xffff +/*% Max serial number */ #define MAXSERIAL 0xffffffff -/* - * Default timeout values - */ +/*% Default TCP Timeout */ #define TCP_TIMEOUT 10 +/*% Default UDP Timeout */ #define UDP_TIMEOUT 5 #define SERVER_TIMEOUT 1 #define LOOKUP_LIMIT 64 -/* +/*% * Lookup_limit is just a limiter, keeping too many lookups from being * created. It's job is mainly to prevent the program from running away * in a tight loop of constant lookups. It's value is arbitrary. 
@@ -90,22 +99,23 @@ typedef struct dig_message dig_message_t; typedef ISC_LIST(dig_server_t) dig_serverlist_t; typedef struct dig_searchlist dig_searchlist_t; +/*% The dig_lookup structure */ struct dig_lookup { isc_boolean_t - pending, /* Pending a successful answer */ + pending, /*%< Pending a successful answer */ waiting_connect, doing_xfr, - ns_search_only, /* dig +nssearch, host -C */ - identify, /* Append an "on server <foo>" message */ - identify_previous_line, /* Prepend a "Nameserver <foo>:" + ns_search_only, /*%< dig +nssearch, host -C */ + identify, /*%< Append an "on server <foo>" message */ + identify_previous_line, /*% Prepend a "Nameserver <foo>:" message, with newline and tab */ ignore, recurse, aaonly, adflag, cdflag, - trace, /* dig +trace */ - trace_root, /* initial query for either +trace or +nssearch */ + trace, /*% dig +trace */ + trace_root, /*% initial query for either +trace or +nssearch */ tcp_mode, ip6_int, comments, @@ -116,6 +126,8 @@ struct dig_lookup { section_additional, servfail_stops, new_search, + need_search, + done_as_is, besteffort, dnssec; #ifdef DIG_SIGCHASE @@ -130,7 +142,7 @@ isc_boolean_t sigchase; #endif #endif - char textname[MXNAME]; /* Name we're going to be looking up */ + char textname[MXNAME]; /*% Name we're going to be looking up */ char cmdline[MXNAME]; dns_rdatatype_t rdtype; dns_rdatatype_t qrdtype; @@ -162,14 +174,17 @@ isc_boolean_t sigchase; isc_uint32_t retries; int nsfound; isc_uint16_t udpsize; + isc_int16_t edns; isc_uint32_t ixfr_serial; isc_buffer_t rdatabuf; char rdatastore[MXNAME]; dst_context_t *tsigctx; isc_buffer_t *querysig; isc_uint32_t msgcounter; + dns_fixedname_t fdomain; }; +/*% The dig_query structure */ struct dig_query { dig_lookup_t *lookup; isc_boolean_t waiting_connect, @@ -200,6 +215,7 @@ struct dig_query { ISC_LINK(dig_query_t) link; isc_sockaddr_t sockaddr; isc_time_t time_sent; + isc_uint64_t byte_count; isc_buffer_t sendbuf; }; 
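Review bot: The members added in hunk @@ -116,6 +126,8 (`need_search`, `done_as_is`), hunk @@ -162,14 +174,17 (`edns`, `fdomain`) and hunk @@ -200,6 +215,7 (`byte_count`) carry no trailing `/*%< ... */` comment, while the same change is busy annotating their neighbours (`pending`, `textname`); a one-line note on what each new field holds would keep `struct dig_lookup` and `struct dig_query` readable from the header alone. Hunk @@ -90,22 +99,23 also mixes two markers on trailing member comments, `/*%<` for `pending` but `/*%` for `identify_previous_line`, `trace` and `trace_root`; if `/*%` is wired up as a Doxygen comment marker (the `/*! \file */` additions elsewhere in this commit suggest it is), the `<` is what binds the text to the preceding member, so the three `/*%` forms attach to the following member instead and should read e.g. `trace, /*%< dig +trace */`. `struct dig_lookup` opens in this hunk and closes in hunk @@ -162, so the member list is only partly visible here.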
@@ -230,9 +246,10 @@ typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t; extern dig_lookuplist_t lookup_list; extern dig_serverlist_t server_list; extern dig_searchlistlist_t search_list; +extern unsigned int extrabytes; -extern isc_boolean_t have_ipv4, have_ipv6, specified_source, - usesearch, qr; +extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source, + usesearch, showsearch, qr; extern in_port_t port; extern unsigned int timeout; extern isc_mem_t *mctx; @@ -245,6 +262,8 @@ extern isc_sockaddr_t bind_address; extern char keynametext[MXNAME]; extern char keyfile[MXNAME]; extern char keysecret[MXNAME]; +extern dns_name_t *hmacname; +extern unsigned int digestbits; #ifdef DIG_SIGCHASE extern char trustedkey[MXNAME]; #endif @@ -346,13 +365,13 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, isc_result_t printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers); -/* +/*%< * Print the final result of the lookup. */ void received(int bytes, isc_sockaddr_t *from, dig_query_t *query); -/* +/*%< * Print a message about where and when the response * was received from, like the final comment in the * output of "dig". diff --git a/contrib/bind9/bin/dig/nslookup.1 b/contrib/bind9/bin/dig/nslookup.1 index 7b1d4d2..f941e9b 100644 --- a/contrib/bind9/bin/dig/nslookup.1 +++ b/contrib/bind9/bin/dig/nslookup.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -12,13 +12,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nslookup.1,v 1.1.6.7 2006/06/29 13:02:30 marka Exp $ +.\" $Id: nslookup.1,v 1.1.10.12 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: nslookup .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -42,10 +42,10 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use .SH "ARGUMENTS" .PP Interactive mode is entered in the following cases: -.TP 3n +.TP 4 1. when no arguments are given (the default name server will be used) -.TP 3n +.TP 4 2. when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server. .sp 
@@ -54,17 +54,22 @@ when the first argument is a hyphen (\-) and the second argument is the host nam Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. .PP Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: -.sp .RS 3n .nf nslookup \-query=hinfo \-timeout=10 .fi .RE +.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE .SH "INTERACTIVE COMMANDS" -.TP 3n -host [server] +.PP +\fBhost\fR [server] +.RS 4 Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name. .sp To look up a host not in the current domain, append a period to the name. -.TP 3n +.RE +.PP \fBserver\fR \fIdomain\fR -.TP 3n +.RS 4 +.RE +.PP \fBlserver\fR \fIdomain\fR +.RS 4 Change the default server to \fIdomain\fR; \fBlserver\fR 
@@ -72,107 +77,165 @@ uses the initial server to look up information about \fIdomain\fR, while \fBserver\fR uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. -.TP 3n +.RE +.PP \fBroot\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBfinger\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBls\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBview\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBhelp\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fB?\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBexit\fR +.RS 4 Exits the program. -.TP 3n +.RE +.PP \fBset\fR \fIkeyword\fR\fI[=value]\fR +.RS 4 This command is used to change state information that affects the lookups. Valid keywords are: -.RS 3n -.TP 3n +.RS 4 +.PP \fBall\fR +.RS 4 Prints the current values of the frequently used options to \fBset\fR. Information about the current default server and host is also printed. -.TP 3n +.RE +.PP \fBclass=\fR\fIvalue\fR +.RS 4 Change the query class to one of: -.RS 3n -.TP 3n +.RS 4 +.PP \fBIN\fR +.RS 4 the Internet class -.TP 3n +.RE +.PP \fBCH\fR +.RS 4 the Chaos class -.TP 3n +.RE +.PP \fBHS\fR +.RS 4 the Hesiod class -.TP 3n +.RE +.PP \fBANY\fR +.RS 4 wildcard .RE -.IP "" 3n +.RE +.IP "" 4 The class specifies the protocol group of the information. .sp (Default = IN; abbreviation = cl) -.TP 3n -\fB\fI[no]\fR\fR\fBdebug\fR +.RE +.PP +\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR +.RS 4 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. .sp (Default = nodebug; abbreviation = [no]deb) -.TP 3n -\fB\fI[no]\fR\fR\fBd2\fR +.RE +.PP +\fB \fR\fB\fI[no]\fR\fR\fBd2\fR +.RS 4 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. .sp (Default = nod2) -.TP 3n +.RE +.PP \fBdomain=\fR\fIname\fR +.RS 4 Sets the search list to \fIname\fR. 
-.TP 3n -\fB\fI[no]\fR\fR\fBsearch\fR +.RE +.PP +\fB \fR\fB\fI[no]\fR\fR\fBsearch\fR +.RS 4 If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. .sp (Default = search) -.TP 3n +.RE +.PP \fBport=\fR\fIvalue\fR +.RS 4 Change the default TCP/UDP name server port to \fIvalue\fR. .sp (Default = 53; abbreviation = po) -.TP 3n +.RE +.PP \fBquerytype=\fR\fIvalue\fR -.TP 3n +.RS 4 +.RE +.PP \fBtype=\fR\fIvalue\fR +.RS 4 Change the type of the information query. .sp (Default = A; abbreviations = q, ty) -.TP 3n -\fB\fI[no]\fR\fR\fBrecurse\fR +.RE +.PP +\fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR +.RS 4 Tell the name server to query other servers if it does not have the information. .sp (Default = recurse; abbreviation = [no]rec) -.TP 3n +.RE +.PP \fBretry=\fR\fInumber\fR +.RS 4 Set the number of retries to number. -.TP 3n +.RE +.PP \fBtimeout=\fR\fInumber\fR +.RS 4 Change the initial timeout interval for waiting for a reply to number seconds. -.TP 3n -\fB\fI[no]\fR\fR\fBvc\fR +.RE +.PP +\fB \fR\fB\fI[no]\fR\fR\fBvc\fR +.RS 4 Always use a virtual circuit when sending requests to the server. .sp (Default = novc) .RE -.IP "" 3n +.PP +\fB \fR\fB\fI[no]\fR\fR\fBfail\fR +.RS 4 +Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response. +.sp +(Default = nofail) +.RE +.RE +.IP "" 4 +.RE .SH "FILES" .PP \fI/etc/resolv.conf\fR @@ -185,4 +248,5 @@ Always use a virtual circuit when sending requests to the server. .PP Andrew Cherenson .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c index 5ae64d0..e2310af 100644 --- a/contrib/bind9/bin/dig/nslookup.c +++ b/contrib/bind9/bin/dig/nslookup.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nslookup.c,v 1.90.2.4.2.12 2006/06/09 23:50:53 marka Exp $ */ +/* $Id: nslookup.c,v 1.101.18.12 2006/12/07 06:08:02 marka Exp $ */ #include <config.h> @@ -50,7 +50,8 @@ static isc_boolean_t short_form = ISC_TRUE, comments = ISC_TRUE, section_question = ISC_TRUE, section_answer = ISC_TRUE, section_authority = ISC_TRUE, section_additional = ISC_TRUE, recurse = ISC_TRUE, - aaonly = ISC_FALSE; + aaonly = ISC_FALSE, nofail = ISC_TRUE; + static isc_boolean_t in_use = ISC_FALSE; static char defclass[MXRD] = "IN"; static char deftype[MXRD] = "A"; @@ -619,8 +620,10 @@ setoption(char *opt) { tcpmode = ISC_FALSE; } else if (strncasecmp(opt, "deb", 3) == 0) { short_form = ISC_FALSE; + showsearch = ISC_TRUE; } else if (strncasecmp(opt, "nodeb", 5) == 0) { short_form = ISC_TRUE; + showsearch = ISC_FALSE; } else if (strncasecmp(opt, "d2", 2) == 0) { debugging = ISC_TRUE; } else if (strncasecmp(opt, "nod2", 4) == 0) { @@ -631,6 +634,10 @@ setoption(char *opt) { usesearch = ISC_FALSE; } else if (strncasecmp(opt, "sil", 3) == 0) { /* deprecation_msg = ISC_FALSE; */ + } else if (strncasecmp(opt, "fail", 3) == 0) { + nofail=ISC_FALSE; + } else if (strncasecmp(opt, "nofail", 3) == 0) { + nofail=ISC_TRUE; } else { printf("*** Invalid option: %s\n", opt); } @@ -689,6 +696,8 @@ addlookup(char *opt) { lookup->section_authority = section_authority; lookup->section_additional = section_additional; lookup->new_search = ISC_TRUE; + if (nofail) + lookup->servfail_stops = ISC_FALSE; ISC_LIST_INIT(lookup->q); ISC_LINK_INIT(lookup, link); ISC_LIST_APPEND(lookup_list, lookup, link); @@ -728,6 +737,7 @@ get_next_command(void) { (strcasecmp(ptr, "lserver") == 0)) { isc_app_block(); set_nameserver(arg); + check_ra = ISC_FALSE; isc_app_unblock(); show_settings(ISC_TRUE, ISC_TRUE); } else if (strcasecmp(ptr, "exit") == 0) { 
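Review bot: In hunk @@ -631,6 +634,10 the new `fail`/`nofail` branches compare only three characters, so `strncasecmp(opt, "nofail", 3)` accepts any option beginning with `nof` and `strncasecmp(opt, "fail", 3)` any beginning with `fai`, which silently turns a typo into a mode change; the nslookup.1 change in this commit documents no abbreviation for `[no]fail`, so the comparison should cover the whole keyword: `} else if (strncasecmp(opt, "fail", 4) == 0) {` and `} else if (strncasecmp(opt, "nofail", 6) == 0) {`. The assignments `nofail=ISC_FALSE;` and `nofail=ISC_TRUE;` also drop the spaces around `=` that every neighbouring branch of this chain uses. setoption's body begins and ends outside the hunk.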
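Review bot: In hunk @@ -689,6 +696,8 `servfail_stops` is only written on the `nofail` path, so after `set fail` the lookup keeps whatever value it received when it was allocated, and that default is outside this hunk and not visible here. Writing the flag unconditionally from the option, `lookup->servfail_stops = ISC_TF(!nofail);`, makes the interactive setting authoritative in both directions and removes the dependence on that hidden default. addlookup's body begins and ends outside the hunk.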
@@ -766,9 +776,10 @@ parse_args(int argc, char **argv) { have_lookup = ISC_TRUE; in_use = ISC_TRUE; addlookup(argv[0]); - } - else + } else { set_nameserver(argv[0]); + check_ra = ISC_FALSE; + } } } } @@ -844,6 +855,8 @@ main(int argc, char **argv) { ISC_LIST_INIT(server_list); ISC_LIST_INIT(search_list); + check_ra = ISC_TRUE; + result = isc_app_start(); check_result(result, "isc_app_start"); diff --git a/contrib/bind9/bin/dig/nslookup.docbook b/contrib/bind9/bin/dig/nslookup.docbook index 741ad34..c989b73 100644 --- a/contrib/bind9/bin/dig/nslookup.docbook +++ b/contrib/bind9/bin/dig/nslookup.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -17,12 +17,11 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nslookup.docbook,v 1.3.6.7 2006/01/06 00:01:42 marka Exp $ --> - +<!-- $Id: nslookup.docbook,v 1.4.2.10 2007/01/29 23:57:20 marka Exp $ --> <!-- - Copyright (c) 1985, 1989 - The Regents of the University of California. All rights reserved. - - + - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: 
@@ -38,7 +37,7 @@ - 4. Neither the name of the University nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - - + - - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -51,281 +50,449 @@ - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - SUCH DAMAGE. --> - <refentry> -<refentryinfo> -<date>Jun 30, 2000</date> -</refentryinfo> + <refentryinfo> + <date>Jun 30, 2000</date> + </refentryinfo> + + <refmeta> + <refentrytitle>nslookup</refentrytitle> + <manvolnum>1</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> -<refmeta> -<refentrytitle>nslookup</refentrytitle> -<manvolnum>1</manvolnum> -<refmiscinfo>BIND9</refmiscinfo> -</refmeta> + <refnamediv> + <refname>nslookup</refname> + <refpurpose>query Internet name servers interactively</refpurpose> + </refnamediv> <docinfo> <copyright> <year>2004</year> <year>2005</year> <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> -<refnamediv> -<refname>nslookup</refname> -<refpurpose>query Internet name servers interactively</refpurpose> -</refnamediv> - -<refsynopsisdiv> -<cmdsynopsis> - <command>nslookup</command> - <arg><option>-option</option></arg> - <arg choice="opt">name | -</arg> - <arg choice="opt">server</arg> -</cmdsynopsis> -</refsynopsisdiv> - -<refsect1> -<title>DESCRIPTION</title> -<para> -<command>Nslookup</command> -is a program to query Internet domain name servers. <command>Nslookup</command> -has two modes: interactive and non-interactive. Interactive mode allows -the user to query name servers for information about various hosts and -domains or to print a list of hosts in a domain. Non-interactive mode is -used to print just the name and requested information for a host or -domain. 
-</para> -</refsect1> - -<refsect1> -<title>ARGUMENTS</title> -<para> -Interactive mode is entered in the following cases: -<orderedlist numeration="loweralpha"> -<listitem> -<para> -when no arguments are given (the default name server will be used) -</para> -</listitem> -<listitem> -<para> -when the first argument is a hyphen (-) and the second argument is -the host name or Internet address of a name server. -</para> -</listitem> -</orderedlist> -</para> - -<para> -Non-interactive mode is used when the name or Internet address of the -host to be looked up is given as the first argument. The optional second -argument specifies the host name or address of a name server. -</para> - -<para> -Options can also be specified on the command line if they precede the -arguments and are prefixed with a hyphen. For example, to -change the default query type to host information, and the initial timeout to 10 seconds, type: -<informalexample> -<programlisting> + <refsynopsisdiv> + <cmdsynopsis> + <command>nslookup</command> + <arg><option>-option</option></arg> + <arg choice="opt">name | -</arg> + <arg choice="opt">server</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para><command>Nslookup</command> + is a program to query Internet domain name servers. <command>Nslookup</command> + has two modes: interactive and non-interactive. Interactive mode allows + the user to query name servers for information about various hosts and + domains or to print a list of hosts in a domain. Non-interactive mode + is + used to print just the name and requested information for a host or + domain. 
+ </para> + </refsect1> + + <refsect1> + <title>ARGUMENTS</title> + <para> + Interactive mode is entered in the following cases: + <orderedlist numeration="loweralpha"> + <listitem> + <para> + when no arguments are given (the default name server will be used) + </para> + </listitem> + <listitem> + <para> + when the first argument is a hyphen (-) and the second argument is + the host name or Internet address of a name server. + </para> + </listitem> + </orderedlist> + </para> + + <para> + Non-interactive mode is used when the name or Internet address of the + host to be looked up is given as the first argument. The optional second + argument specifies the host name or address of a name server. + </para> + + <para> + Options can also be specified on the command line if they precede the + arguments and are prefixed with a hyphen. For example, to + change the default query type to host information, and the initial + timeout to 10 seconds, type: + <informalexample> + <programlisting> nslookup -query=hinfo -timeout=10 </programlisting> -</informalexample> -</para> - -</refsect1> - -<refsect1> -<title>INTERACTIVE COMMANDS</title> -<variablelist> -<varlistentry><term>host <optional>server</optional></term> -<listitem><para> -Look up information for host using the current default server or -using server, if specified. If host is an Internet address and -the query type is A or PTR, the name of the host is returned. -If host is a name and does not have a trailing period, the -search list is used to qualify the name. -</para> - -<para> -To look up a host not in the current domain, append a period to -the name. 
-</para></listitem></varlistentry> - -<varlistentry><term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term> -<listitem><para></para></listitem></varlistentry> -<varlistentry><term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term> -<listitem><para> -Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial -server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses -the current default server. If an authoritative answer can't be -found, the names of servers that might have the answer are -returned. -</para></listitem></varlistentry> - -<varlistentry><term><constant>root</constant></term> -<listitem><para>not implemented</para></listitem></varlistentry> - -<varlistentry><term><constant>finger</constant></term> -<listitem><para>not implemented</para></listitem></varlistentry> - -<varlistentry><term><constant>ls</constant></term> -<listitem><para>not implemented</para></listitem></varlistentry> - -<varlistentry><term><constant>view</constant></term> -<listitem><para>not implemented</para></listitem></varlistentry> - -<varlistentry><term><constant>help</constant></term> -<listitem><para>not implemented</para></listitem></varlistentry> - -<varlistentry><term><constant>?</constant></term> -<listitem><para>not implemented</para></listitem></varlistentry> - -<varlistentry><term><constant>exit</constant></term> -<listitem><para>Exits the program.</para></listitem></varlistentry> - -<varlistentry><term><constant>set</constant> <replaceable>keyword<optional>=value</optional></replaceable></term> -<listitem><para>This command is used to change state information that affects -the lookups. Valid keywords are: - <variablelist> - <varlistentry><term><constant>all</constant></term> - <listitem> - <para>Prints the current values of the frequently used - options to <command>set</command>. 
Information about the current default - server and host is also printed. - </para> - </listitem> - </varlistentry> - - <varlistentry><term><constant>class=</constant><replaceable>value</replaceable></term> - <listitem><para> - Change the query class to one of: - <variablelist> - <varlistentry><term><constant>IN</constant></term> - <listitem><para>the Internet class</para></listitem></varlistentry> - <varlistentry><term><constant>CH</constant></term> - <listitem><para>the Chaos class</para></listitem></varlistentry> - <varlistentry><term><constant>HS</constant></term> - <listitem><para>the Hesiod class</para></listitem></varlistentry> - <varlistentry><term><constant>ANY</constant></term> - <listitem><para>wildcard</para></listitem></varlistentry> - </variablelist> - The class specifies the protocol group of the information. - </para><para> - (Default = IN; abbreviation = cl) - </para></listitem> - </varlistentry> - - <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term> - <listitem><para> - Turn debugging mode on. A lot more information is - printed about the packet sent to the server and the - resulting answer. - </para><para> - (Default = nodebug; abbreviation = <optional>no</optional>deb) - </para></listitem></varlistentry> - - <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term> - <listitem><para> - Turn debugging mode on. A lot more information is - printed about the packet sent to the server and the - resulting answer. - </para><para> - (Default = nod2) - </para></listitem></varlistentry> - - <varlistentry><term><constant>domain=</constant><replaceable>name</replaceable></term> - <listitem><para> - Sets the search list to <replaceable>name</replaceable>. 
- </para></listitem></varlistentry> - - <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>search</constant></term> - <listitem><para> - If the lookup request contains at least one period but - doesn't end with a trailing period, append the domain - names in the domain search list to the request until an - answer is received. - </para><para> - (Default = search) - </para></listitem></varlistentry> - - <varlistentry><term><constant>port=</constant><replaceable>value</replaceable></term> - <listitem><para> - Change the default TCP/UDP name server port to <replaceable>value</replaceable>. - </para><para> - (Default = 53; abbreviation = po) - </para></listitem></varlistentry> - - <varlistentry><term><constant>querytype=</constant><replaceable>value</replaceable></term> - <listitem><para></para></listitem></varlistentry> - - <varlistentry><term><constant>type=</constant><replaceable>value</replaceable></term> - <listitem><para> - Change the type of the information query. - </para><para> - (Default = A; abbreviations = q, ty) - </para></listitem></varlistentry> - - <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term> - <listitem><para> - Tell the name server to query other servers if it does not have the - information. - </para><para> - (Default = recurse; abbreviation = [no]rec) - </para></listitem></varlistentry> - - <varlistentry><term><constant>retry=</constant><replaceable>number</replaceable></term> - <listitem><para> - Set the number of retries to number. - </para></listitem></varlistentry> - - <varlistentry><term><constant>timeout=</constant><replaceable>number</replaceable></term> - <listitem><para> - Change the initial timeout interval for waiting for a - reply to number seconds. 
- </para></listitem></varlistentry> - - <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term> - <listitem><para> - Always use a virtual circuit when sending requests to the server. - </para><para> - (Default = novc) - </para></listitem></varlistentry> - - </variablelist> -</para></listitem></varlistentry> -</variablelist> -</refsect1> - -<refsect1> -<title>FILES</title> -<para> -<filename>/etc/resolv.conf</filename> -</para> -</refsect1> - -<refsect1> -<title>SEE ALSO</title> -<para> -<citerefentry> -<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>. -</para> -</refsect1> - -<refsect1> -<title>Author</title> -<para> -Andrew Cherenson -</para> -</refsect1> -</refentry> + </informalexample> + </para> + + </refsect1> + + <refsect1> + <title>INTERACTIVE COMMANDS</title> + <variablelist> + <varlistentry> + <term><constant>host</constant> <optional>server</optional></term> + <listitem> + <para> + Look up information for host using the current default server or + using server, if specified. If host is an Internet address and + the query type is A or PTR, the name of the host is returned. + If host is a name and does not have a trailing period, the + search list is used to qualify the name. + </para> + + <para> + To look up a host not in the current domain, append a period to + the name. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term> + <listitem> + <para/> + </listitem> + </varlistentry> + <varlistentry> + <term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term> + <listitem> + <para> + Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial + server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses + the current default server. If an authoritative answer can't be + found, the names of servers that might have the answer are + returned. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>root</constant></term> + <listitem> + <para> + not implemented + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>finger</constant></term> + <listitem> + <para> + not implemented + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>ls</constant></term> + <listitem> + <para> + not implemented + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>view</constant></term> + <listitem> + <para> + not implemented + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>help</constant></term> + <listitem> + <para> + not implemented + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>?</constant></term> + <listitem> + <para> + not implemented + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>exit</constant></term> + <listitem> + <para> + Exits the program. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>set</constant> + <replaceable>keyword<optional>=value</optional></replaceable></term> + <listitem> + <para> + This command is used to change state information that affects + the lookups. 
Valid keywords are: + <variablelist> + <varlistentry> + <term><constant>all</constant></term> + <listitem> + <para> + Prints the current values of the frequently used + options to <command>set</command>. + Information about the current default + server and host is also printed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>class=</constant><replaceable>value</replaceable></term> + <listitem> + <para> + Change the query class to one of: + <variablelist> + <varlistentry> + <term><constant>IN</constant></term> + <listitem> + <para> + the Internet class + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><constant>CH</constant></term> + <listitem> + <para> + the Chaos class + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><constant>HS</constant></term> + <listitem> + <para> + the Hesiod class + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><constant>ANY</constant></term> + <listitem> + <para> + wildcard + </para> + </listitem> + </varlistentry> + </variablelist> + The class specifies the protocol group of the information. + + </para> + <para> + (Default = IN; abbreviation = cl) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant> + <replaceable><optional>no</optional></replaceable>debug</constant></term> + <listitem> + <para> + Turn debugging mode on. A lot more information is + printed about the packet sent to the server and the + resulting answer. + </para> + <para> + (Default = nodebug; abbreviation = <optional>no</optional>deb) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant> + <replaceable><optional>no</optional></replaceable>d2</constant></term> + <listitem> + <para> + Turn debugging mode on. A lot more information is + printed about the packet sent to the server and the + resulting answer. 
+ </para> + <para> + (Default = nod2) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>domain=</constant><replaceable>name</replaceable></term> + <listitem> + <para> + Sets the search list to <replaceable>name</replaceable>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant> + <replaceable><optional>no</optional></replaceable>search</constant></term> + <listitem> + <para> + If the lookup request contains at least one period but + doesn't end with a trailing period, append the domain + names in the domain search list to the request until an + answer is received. + </para> + <para> + (Default = search) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>port=</constant><replaceable>value</replaceable></term> + <listitem> + <para> + Change the default TCP/UDP name server port to <replaceable>value</replaceable>. + </para> + <para> + (Default = 53; abbreviation = po) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>querytype=</constant><replaceable>value</replaceable></term> + <listitem> + <para/> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>type=</constant><replaceable>value</replaceable></term> + <listitem> + <para> + Change the type of the information query. + </para> + <para> + (Default = A; abbreviations = q, ty) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant> + <replaceable><optional>no</optional></replaceable>recurse</constant></term> + <listitem> + <para> + Tell the name server to query other servers if it does not + have the + information. + </para> + <para> + (Default = recurse; abbreviation = [no]rec) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>retry=</constant><replaceable>number</replaceable></term> + <listitem> + <para> + Set the number of retries to number. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant>timeout=</constant><replaceable>number</replaceable></term> + <listitem> + <para> + Change the initial timeout interval for waiting for a + reply to number seconds. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant> + <replaceable><optional>no</optional></replaceable>vc</constant></term> + <listitem> + <para> + Always use a virtual circuit when sending requests to the + server. + </para> + <para> + (Default = novc) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><constant> + <replaceable><optional>no</optional></replaceable>fail</constant></term> + <listitem> + <para> + Try the next nameserver if a nameserver responds with + SERVFAIL or a referral (nofail) or terminate query + (fail) on such a response. + </para> + <para> + (Default = nofail) + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>FILES</title> + <para><filename>/etc/resolv.conf</filename> + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1> + <title>Author</title> + <para> + Andrew Cherenson + </para> + </refsect1> +</refentry><!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/contrib/bind9/bin/dig/nslookup.html b/contrib/bind9/bin/dig/nslookup.html index e6801e9..07f8c3e 100644 --- a/contrib/bind9/bin/dig/nslookup.html +++ b/contrib/bind9/bin/dig/nslookup.html 
@@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -13,15 +13,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nslookup.html,v 1.1.6.12 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: nslookup.html,v 1.1.10.19 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>nslookup</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482694"></a><div class="titlepage"></div> +<a name="id2476276"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p>nslookup — query Internet name servers interactively</p> 
@@ -31,234 +31,279 @@ <div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549404"></a><h2>DESCRIPTION</h2> -<p> -<span><strong class="command">Nslookup</strong></span> -is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span> -has two modes: interactive and non-interactive. Interactive mode allows -the user to query name servers for information about various hosts and -domains or to print a list of hosts in a domain. Non-interactive mode is -used to print just the name and requested information for a host or -domain. -</p> +<a name="id2543355"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">Nslookup</strong></span> + is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span> + has two modes: interactive and non-interactive. Interactive mode allows + the user to query name servers for information about various hosts and + domains or to print a list of hosts in a domain. Non-interactive mode + is + used to print just the name and requested information for a host or + domain. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549421"></a><h2>ARGUMENTS</h2> +<a name="id2543371"></a><h2>ARGUMENTS</h2> <p> -Interactive mode is entered in the following cases: -</p> + Interactive mode is entered in the following cases: + </p> <div class="orderedlist"><ol type="a"> <li><p> -when no arguments are given (the default name server will be used) -</p></li> + when no arguments are given (the default name server will be used) + </p></li> <li><p> -when the first argument is a hyphen (-) and the second argument is -the host name or Internet address of a name server. -</p></li> + when the first argument is a hyphen (-) and the second argument is + the host name or Internet address of a name server. 
+ </p></li> </ol></div> <p> -</p> + </p> <p> -Non-interactive mode is used when the name or Internet address of the -host to be looked up is given as the first argument. The optional second -argument specifies the host name or address of a name server. -</p> + Non-interactive mode is used when the name or Internet address of the + host to be looked up is given as the first argument. The optional second + argument specifies the host name or address of a name server. + </p> <p> -Options can also be specified on the command line if they precede the -arguments and are prefixed with a hyphen. For example, to -change the default query type to host information, and the initial timeout to 10 seconds, type: -</p> + Options can also be specified on the command line if they precede the + arguments and are prefixed with a hyphen. For example, to + change the default query type to host information, and the initial + timeout to 10 seconds, type: + </p> <div class="informalexample"><pre class="programlisting"> nslookup -query=hinfo -timeout=10 </pre></div> <p> -</p> + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549464"></a><h2>INTERACTIVE COMMANDS</h2> +<a name="id2543413"></a><h2>INTERACTIVE COMMANDS</h2> <div class="variablelist"><dl> -<dt><span class="term">host [<span class="optional">server</span>]</span></dt> +<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt> <dd> <p> -Look up information for host using the current default server or -using server, if specified. If host is an Internet address and -the query type is A or PTR, the name of the host is returned. -If host is a name and does not have a trailing period, the -search list is used to qualify the name. -</p> + Look up information for host using the current default server or + using server, if specified. If host is an Internet address and + the query type is A or PTR, the name of the host is returned. 
+ If host is a name and does not have a trailing period, the + search list is used to qualify the name. + </p> <p> -To look up a host not in the current domain, append a period to -the name. -</p> + To look up a host not in the current domain, append a period to + the name. + </p> </dd> <dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt> <dd><p></p></dd> <dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt> <dd><p> -Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial -server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses -the current default server. If an authoritative answer can't be -found, the names of servers that might have the answer are -returned. -</p></dd> + Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial + server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses + the current default server. If an authoritative answer can't be + found, the names of servers that might have the answer are + returned. 
+ </p></dd> <dt><span class="term"><code class="constant">root</code></span></dt> -<dd><p>not implemented</p></dd> +<dd><p> + not implemented + </p></dd> <dt><span class="term"><code class="constant">finger</code></span></dt> -<dd><p>not implemented</p></dd> +<dd><p> + not implemented + </p></dd> <dt><span class="term"><code class="constant">ls</code></span></dt> -<dd><p>not implemented</p></dd> +<dd><p> + not implemented + </p></dd> <dt><span class="term"><code class="constant">view</code></span></dt> -<dd><p>not implemented</p></dd> +<dd><p> + not implemented + </p></dd> <dt><span class="term"><code class="constant">help</code></span></dt> -<dd><p>not implemented</p></dd> +<dd><p> + not implemented + </p></dd> <dt><span class="term"><code class="constant">?</code></span></dt> -<dd><p>not implemented</p></dd> +<dd><p> + not implemented + </p></dd> <dt><span class="term"><code class="constant">exit</code></span></dt> -<dd><p>Exits the program.</p></dd> -<dt><span class="term"><code class="constant">set</code> <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt> +<dd><p> + Exits the program. + </p></dd> +<dt><span class="term"><code class="constant">set</code> + <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt> <dd> -<p>This command is used to change state information that affects -the lookups. Valid keywords are: - </p> +<p> + This command is used to change state information that affects + the lookups. Valid keywords are: + </p> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">all</code></span></dt> -<dd><p>Prints the current values of the frequently used - options to <span><strong class="command">set</strong></span>. Information about the current default - server and host is also printed. - </p></dd> +<dd><p> + Prints the current values of the frequently used + options to <span><strong class="command">set</strong></span>. 
+ Information about the current default + server and host is also printed. + </p></dd> <dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt> <dd> <p> - Change the query class to one of: - </p> + Change the query class to one of: + </p> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">IN</code></span></dt> -<dd><p>the Internet class</p></dd> +<dd><p> + the Internet class + </p></dd> <dt><span class="term"><code class="constant">CH</code></span></dt> -<dd><p>the Chaos class</p></dd> +<dd><p> + the Chaos class + </p></dd> <dt><span class="term"><code class="constant">HS</code></span></dt> -<dd><p>the Hesiod class</p></dd> +<dd><p> + the Hesiod class + </p></dd> <dt><span class="term"><code class="constant">ANY</code></span></dt> -<dd><p>wildcard</p></dd> +<dd><p> + wildcard + </p></dd> </dl></div> <p> - The class specifies the protocol group of the information. - </p> + The class specifies the protocol group of the information. + + </p> <p> - (Default = IN; abbreviation = cl) - </p> + (Default = IN; abbreviation = cl) + </p> </dd> -<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt> +<dt><span class="term"><code class="constant"> + <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt> <dd> <p> - Turn debugging mode on. A lot more information is - printed about the packet sent to the server and the - resulting answer. - </p> + Turn debugging mode on. A lot more information is + printed about the packet sent to the server and the + resulting answer. 
+ </p> <p> - (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb) - </p> + (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb) + </p> </dd> -<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt> +<dt><span class="term"><code class="constant"> + <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt> <dd> <p> - Turn debugging mode on. A lot more information is - printed about the packet sent to the server and the - resulting answer. - </p> + Turn debugging mode on. A lot more information is + printed about the packet sent to the server and the + resulting answer. + </p> <p> - (Default = nod2) - </p> + (Default = nod2) + </p> </dd> <dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt> <dd><p> - Sets the search list to <em class="replaceable"><code>name</code></em>. - </p></dd> -<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt> + Sets the search list to <em class="replaceable"><code>name</code></em>. + </p></dd> +<dt><span class="term"><code class="constant"> + <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt> <dd> <p> - If the lookup request contains at least one period but - doesn't end with a trailing period, append the domain - names in the domain search list to the request until an - answer is received. - </p> + If the lookup request contains at least one period but + doesn't end with a trailing period, append the domain + names in the domain search list to the request until an + answer is received. 
+ </p> <p> - (Default = search) - </p> + (Default = search) + </p> </dd> <dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt> <dd> <p> - Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>. - </p> + Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>. + </p> <p> - (Default = 53; abbreviation = po) - </p> + (Default = 53; abbreviation = po) + </p> </dd> <dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt> <dd><p></p></dd> <dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt> <dd> <p> - Change the type of the information query. - </p> + Change the type of the information query. + </p> <p> - (Default = A; abbreviations = q, ty) - </p> + (Default = A; abbreviations = q, ty) + </p> </dd> -<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt> +<dt><span class="term"><code class="constant"> + <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt> <dd> <p> - Tell the name server to query other servers if it does not have the - information. - </p> + Tell the name server to query other servers if it does not + have the + information. + </p> <p> - (Default = recurse; abbreviation = [no]rec) - </p> + (Default = recurse; abbreviation = [no]rec) + </p> </dd> <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt> <dd><p> - Set the number of retries to number. - </p></dd> + Set the number of retries to number. 
+ </p></dd> <dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt> <dd><p> - Change the initial timeout interval for waiting for a - reply to number seconds. - </p></dd> -<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt> + Change the initial timeout interval for waiting for a + reply to number seconds. + </p></dd> +<dt><span class="term"><code class="constant"> + <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt> +<dd> +<p> + Always use a virtual circuit when sending requests to the + server. + </p> +<p> + (Default = novc) + </p> +</dd> +<dt><span class="term"><code class="constant"> + <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt> <dd> <p> - Always use a virtual circuit when sending requests to the server. - </p> + Try the next nameserver if a nameserver responds with + SERVFAIL or a referral (nofail) or terminate query + (fail) on such a response. + </p> <p> - (Default = novc) - </p> + (Default = nofail) + </p> </dd> </dl></div> <p> -</p> + </p> </dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549990"></a><h2>FILES</h2> -<p> -<code class="filename">/etc/resolv.conf</code> -</p> +<a name="id2546279"></a><h2>FILES</h2> +<p><code class="filename">/etc/resolv.conf</code> + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550003"></a><h2>SEE ALSO</h2> -<p> -<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, -<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, -<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. 
-</p> +<a name="id2546291"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, + <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550038"></a><h2>Author</h2> +<a name="id2546325"></a><h2>Author</h2> <p> -Andrew Cherenson -</p> + Andrew Cherenson + </p> </div> </div></body> </html> diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in index b9b7bea..b94dca7 100644 --- a/contrib/bind9/bin/dnssec/Makefile.in +++ b/contrib/bind9/bin/dnssec/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.19.12.12 2005/05/02 00:25:54 marka Exp $ +# $Id: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8 index 35bb0ef..39762fd 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.8 +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any 
@@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.19.12.10 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dnssec-keygen.8,v 1.23.18.13 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: dnssec\-keygen .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -39,8 +39,9 @@ dnssec\-keygen \- DNSSEC key generation tool \fBdnssec\-keygen\fR generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. .SH "OPTIONS" -.TP 3n +.PP \-a \fIalgorithm\fR +.RS 4 Selects the cryptographic algorithm. The value of \fBalgorithm\fR must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive. 
@@ -48,38 +49,58 @@ must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory. .sp Note 2: HMAC\-MD5 and DH automatically set the \-k flag. -.TP 3n +.RE +.PP \-b \fIkeysize\fR +.RS 4 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits. -.TP 3n +.RE +.PP \-n \fInametype\fR +.RS 4 Specifies the owner type of the key. The value of \fBnametype\fR must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -.TP 3n +.RE +.PP \-e +.RS 4 If generating an RSAMD5/RSASHA1 key, use a large exponent. -.TP 3n +.RE +.PP \-f \fIflag\fR +.RS 4 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY. -.TP 3n +.RE +.PP \-g \fIgenerator\fR +.RS 4 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. -.TP 3n +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBdnssec\-keygen\fR. -.TP 3n +.RE +.PP \-k +.RS 4 Generate KEY records rather than DNSKEY records. -.TP 3n +.RE +.PP \-p \fIprotocol\fR +.RS 4 Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). 
Other possible values for this argument are listed in RFC 2535 and its successors. -.TP 3n +.RE +.PP \-r \fIrandomdev\fR +.RS 4 Specifies the source of randomness. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -87,17 +108,24 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-s \fIstrength\fR +.RS 4 Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -.TP 3n +.RE +.PP \-t \fItype\fR +.RS 4 Indicates the use of the key. \fBtype\fR must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -.TP 3n +.RE +.PP \-v \fIlevel\fR +.RS 4 Sets the debugging level. +.RE .SH "GENERATED KEYS" .PP When @@ -105,20 +133,18 @@ When completes successfully, it prints a string of the form \fIKnnnn.+aaa+iiiii\fR to the standard output. This is an identification string for the key it has generated. -.TP 3n +.TP 4 \(bu \fInnnn\fR is the key name. -.TP 3n +.TP 4 \(bu \fIaaa\fR is the numeric representation of the algorithm. -.TP 3n +.TP 4 \(bu \fIiiiii\fR is the key identifier (or footprint). -.sp -.RE .PP \fBdnssec\-keygen\fR creates two file, with names based on the printed string. @@ -168,4 +194,7 @@ RFC 2539. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br 
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c index 7feaf7c..19087ea 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.c +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c @@ -1,6 +1,6 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2000-2003 Internet Software Consortium. + * Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * * Permission to use, copy, modify, and distribute this software for any @@ -16,7 +16,9 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */ +/* $Id: dnssec-keygen.c,v 1.66.18.9 2007/01/18 00:06:11 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -47,7 +49,9 @@ const char *program = "dnssec-keygen"; int verbose; -static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5"; +static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |" + " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | " + " HMAC-SHA384 | HMAC-SHA512"; static isc_boolean_t dsa_size_ok(int size) { 
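Review bot: The `algs` usage string in hunk `@@ -47,7 +49,9 @@` still lists `RSA` as the first accepted value, yet the algorithm selection added later in this same file now rejects `-a RSA` with an error telling the user to spell it `RSAMD5`, so the help text advertises a name that fails. The string concatenation also leaves a doubled space before `HMAC-SHA384` (`"... | " " HMAC-SHA384"`). Suggested replacement: `static const char *algs = "RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 | HMAC-SHA1 |" " HMAC-SHA224 | HMAC-SHA256 | HMAC-SHA384 | HMAC-SHA512";`, with the matching `fprintf` line in `usage()` updated to the same list if it repeats the old one (that line is outside this hunk).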
@@ -68,10 +72,16 @@ usage(void) { fprintf(stderr, " DH:\t\t[128..4096]\n"); fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n"); fprintf(stderr, " HMAC-MD5:\t[1..512]\n"); + fprintf(stderr, " HMAC-SHA1:\t[1..160]\n"); + fprintf(stderr, " HMAC-SHA224:\t[1..224]\n"); + fprintf(stderr, " HMAC-SHA256:\t[1..256]\n"); + fprintf(stderr, " HMAC-SHA384:\t[1..384]\n"); + fprintf(stderr, " HMAC-SHA512:\t[1..512]\n"); fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n"); fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); fprintf(stderr, " -c <class> (default: IN)\n"); + fprintf(stderr, " -d <digest bits> (0 => max, default)\n"); fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n"); fprintf(stderr, " -f keyflag: KSK\n"); fprintf(stderr, " -g <generator> use specified generator " @@ -115,6 +125,7 @@ main(int argc, char **argv) { isc_entropy_t *ectx = NULL; dns_rdataclass_t rdclass; int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; + int dbits = 0; if (argc == 1) usage(); @@ -124,7 +135,7 @@ main(int argc, char **argv) { dns_result_register(); while ((ch = isc_commandline_parse(argc, argv, - "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1) + "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1) { switch (ch) { case 'a': @@ -138,6 +149,11 @@ main(int argc, char **argv) { case 'c': classname = isc_commandline_argument; break; + case 'd': + dbits = strtol(isc_commandline_argument, &endp, 10); + if (*endp != '\0' || dbits < 0) + fatal("-d requires a non-negative number"); + break; case 'e': rsa_exp = 1; break; 
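Review bot: The new `-d` parser in hunk `@@ -138,6 +149,11 @@` accepts an empty argument and ignores overflow: with `-d ""` strtol leaves `endp` pointing at the argument, so `*endp == '\0'` holds and `dbits` silently becomes 0 (documented as "max"), and a huge value is truncated from `long` into the `int dbits` declared in `@@ -115` without any `ERANGE` check, so the later range test may pass a value the user never asked for. Check for no digits consumed, for `ERANGE`, and for the `int` bound before assigning; this needs a `long` temporary, `<errno.h>` and `<limits.h>`, which I cannot see included here. `endp` is declared outside the hunk, and `main()` continues on both sides of it; the `-b` option above presumably follows the same pattern and would benefit from the same treatment.
```c
		case 'd':
			errno = 0;
			lval = strtol(isc_commandline_argument, &endp, 10);
			if (endp == isc_commandline_argument || *endp != '\0' ||
			    errno == ERANGE || lval < 0 || lval > INT_MAX)
				fatal("-d requires a non-negative number");
			dbits = (int)lval;
			break;
		/* … unchanged: remaining option cases … */
```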
@@ -211,9 +227,29 @@ main(int argc, char **argv) { if (algname == NULL) fatal("no algorithm was specified"); - if (strcasecmp(algname, "HMAC-MD5") == 0) { + if (strcasecmp(algname, "RSA") == 0) { + fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n" + "If you still wish to use RSA (RSAMD5) please " + "specify \"-a RSAMD5\"\n"); + return (1); + } else if (strcasecmp(algname, "HMAC-MD5") == 0) { options |= DST_TYPE_KEY; alg = DST_ALG_HMACMD5; + } else if (strcasecmp(algname, "HMAC-SHA1") == 0) { + options |= DST_TYPE_KEY; + alg = DST_ALG_HMACSHA1; + } else if (strcasecmp(algname, "HMAC-SHA224") == 0) { + options |= DST_TYPE_KEY; + alg = DST_ALG_HMACSHA224; + } else if (strcasecmp(algname, "HMAC-SHA256") == 0) { + options |= DST_TYPE_KEY; + alg = DST_ALG_HMACSHA256; + } else if (strcasecmp(algname, "HMAC-SHA384") == 0) { + options |= DST_TYPE_KEY; + alg = DST_ALG_HMACSHA384; + } else if (strcasecmp(algname, "HMAC-SHA512") == 0) { + options |= DST_TYPE_KEY; + alg = DST_ALG_HMACSHA512; } else { r.base = algname; r.length = strlen(algname); 
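Review bot: The new `-a RSA` rejection in hunk `@@ -211,9 +227,29 @@` uses `fprintf(stderr, ...)` followed by `return (1)` from `main()`, while the missing-algorithm error two lines earlier goes through `fatal()`; returning here bypasses the teardown that the end of `main()` performs (`cleanup_logging`, `cleanup_entropy`, `dst_lib_destroy`, `isc_mem_destroy`, visible in a later hunk of this file), assuming those objects are already initialised at this point — `main()` begins outside the hunk, so I cannot confirm the order. Since `fatal()` is printf-style (it is called with `%d` arguments below), the same message fits in one call and takes the established exit path: `fatal("The use of RSA (RSAMD5) is not recommended.\nIf you still wish to use RSA (RSAMD5) please specify \"-a RSAMD5\"");`. If the plain `return` was chosen deliberately to avoid a `dnssec-keygen:` prefix on the advice, a short comment saying so would stop the next reader from "fixing" it.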
@@ -260,6 +296,56 @@ main(int argc, char **argv) { case DST_ALG_HMACMD5: if (size < 1 || size > 512) fatal("HMAC-MD5 key size %d out of range", size); + if (dbits != 0 && (dbits < 80 || dbits > 128)) + fatal("HMAC-MD5 digest bits %d out of range", dbits); + if ((dbits % 8) != 0) + fatal("HMAC-MD5 digest bits %d not divisible by 8", + dbits); + break; + case DST_ALG_HMACSHA1: + if (size < 1 || size > 160) + fatal("HMAC-SHA1 key size %d out of range", size); + if (dbits != 0 && (dbits < 80 || dbits > 160)) + fatal("HMAC-SHA1 digest bits %d out of range", dbits); + if ((dbits % 8) != 0) + fatal("HMAC-SHA1 digest bits %d not divisible by 8", + dbits); + break; + case DST_ALG_HMACSHA224: + if (size < 1 || size > 224) + fatal("HMAC-SHA224 key size %d out of range", size); + if (dbits != 0 && (dbits < 112 || dbits > 224)) + fatal("HMAC-SHA224 digest bits %d out of range", dbits); + if ((dbits % 8) != 0) + fatal("HMAC-SHA224 digest bits %d not divisible by 8", + dbits); + break; + case DST_ALG_HMACSHA256: + if (size < 1 || size > 256) + fatal("HMAC-SHA256 key size %d out of range", size); + if (dbits != 0 && (dbits < 128 || dbits > 256)) + fatal("HMAC-SHA256 digest bits %d out of range", dbits); + if ((dbits % 8) != 0) + fatal("HMAC-SHA256 digest bits %d not divisible by 8", + dbits); + break; + case DST_ALG_HMACSHA384: + if (size < 1 || size > 384) + fatal("HMAC-384 key size %d out of range", size); + if (dbits != 0 && (dbits < 192 || dbits > 384)) + fatal("HMAC-SHA384 digest bits %d out of range", dbits); + if ((dbits % 8) != 0) + fatal("HMAC-SHA384 digest bits %d not divisible by 8", + dbits); + break; + case DST_ALG_HMACSHA512: + if (size < 1 || size > 512) + fatal("HMAC-SHA512 key size %d out of range", size); + if (dbits != 0 && (dbits < 256 || dbits > 512)) + fatal("HMAC-SHA512 digest bits %d out of range", dbits); + if ((dbits % 8) != 0) + fatal("HMAC-SHA512 digest bits %d not divisible by 8", + dbits); break; } 
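Review bot: The `DST_ALG_HMACSHA384` case in hunk `@@ -260,6 +296,56 @@` reports `"HMAC-384 key size %d out of range"`, dropping the `SHA` that every sibling message carries; change it to `fatal("HMAC-SHA384 key size %d out of range", size);` so the diagnostic names the algorithm the user actually passed. The six lower bounds on `dbits` (80, 80, 112, 128, 192, 256) are exactly half of each digest length floored at 80 bits, which looks like the TSIG MAC-truncation minimum (presumably the RFC 4635 rule), but nothing in the code says where they come from; a comment above the first HMAC case such as `/* Truncated MACs must keep at least half the digest length and never fewer than 80 bits (TSIG HMAC-SHA truncation rules). */` would stop someone from "relaxing" them. The cases are otherwise identical apart from the constants, so a small table of `{ alg, name, maxsize, mindigest }` walked by one loop would remove the copy-paste that produced the typo; the surrounding `switch` starts outside the hunk.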
@@ -306,7 +392,10 @@ main(int argc, char **argv) {
  }
  if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
- (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
+ (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
+ alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512))
  fatal("a key with algorithm '%s' cannot be a zone key",
  algname);
@@ -330,6 +419,11 @@ main(int argc, char **argv) {
  break;
  case DNS_KEYALG_DSA:
  case DST_ALG_HMACMD5:
+ case DST_ALG_HMACSHA1:
+ case DST_ALG_HMACSHA224:
+ case DST_ALG_HMACSHA256:
+ case DST_ALG_HMACSHA384:
+ case DST_ALG_HMACSHA512:
  param = 0;
  break;
  }
@@ -358,6 +452,8 @@ main(int argc, char **argv) {
  exit(-1);
  }
+ dst_key_setbits(key, dbits);
+
  /*
  * Try to read a key with the same name, alg and id from disk.
  * If there is one we must continue generating a new one
@@ -407,6 +503,7 @@ main(int argc, char **argv) {
  cleanup_logging(&log);
  cleanup_entropy(&ectx);
  dst_lib_destroy();
+ dns_name_destroy();
  if (verbose > 10)
  isc_mem_stats(mctx, stdout);
  isc_mem_destroy(&mctx);
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
index e1eee22..cc5f1e7 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
  [<!ENTITY mdash "—">]>
  <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keygen.docbook,v 1.3.12.9 2005/08/30 01:41:41 marka Exp $ --> - -<refentry> +<!-- $Id: dnssec-keygen.docbook,v 1.7.18.9 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.dnssec-keygen"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> @@ -31,10 +30,16 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>dnssec-keygen</application></refname> + <refpurpose>DNSSEC key generation tool</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -46,11 +51,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>dnssec-keygen</application></refname> - <refpurpose>DNSSEC key generation tool</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>dnssec-keygen</command> @@ -74,11 +74,10 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>dnssec-keygen</command> generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate - keys for use with TSIG (Transaction Signatures), as - defined in RFC 2845. + <para><command>dnssec-keygen</command> + generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 + and RFC <TBA\>. It can also generate keys for use with + TSIG (Transaction Signatures), as defined in RFC 2845. </para> </refsect1> 
@@ -88,168 +87,173 @@ <variablelist> <varlistentry> <term>-a <replaceable class="parameter">algorithm</replaceable></term> - <listitem> - <para> - Selects the cryptographic algorithm. The value of - <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1, - DSA, DH (Diffie Hellman), or HMAC-MD5. These values - are case insensitive. - </para> - <para> - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, - and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - </para> - <para> - Note 2: HMAC-MD5 and DH automatically set the -k flag. - </para> - </listitem> + <listitem> + <para> + Selects the cryptographic algorithm. The value of + <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </para> + <para> + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </para> + <para> + Note 2: HMAC-MD5 and DH automatically set the -k flag. + </para> + </listitem> </varlistentry> <varlistentry> <term>-b <replaceable class="parameter">keysize</replaceable></term> - <listitem> - <para> - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between - 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be - between 1 and 512 bits. - </para> - </listitem> + <listitem> + <para> + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be + between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-n <replaceable class="parameter">nametype</replaceable></term> - <listitem> - <para> - Specifies the owner type of the key. The value of - <option>nametype</option> must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are - case insensitive. - </para> - </listitem> + <listitem> + <para> + Specifies the owner type of the key. The value of + <option>nametype</option> must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are + case insensitive. + </para> + </listitem> </varlistentry> <varlistentry> <term>-c <replaceable class="parameter">class</replaceable></term> - <listitem> - <para> - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - </para> - </listitem> + <listitem> + <para> + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-e</term> - <listitem> - <para> - If generating an RSAMD5/RSASHA1 key, use a large exponent. - </para> - </listitem> + <listitem> + <para> + If generating an RSAMD5/RSASHA1 key, use a large exponent. + </para> + </listitem> </varlistentry> <varlistentry> <term>-f <replaceable class="parameter">flag</replaceable></term> - <listitem> - <para> - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. - </para> - </listitem> + <listitem> + <para> + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-g <replaceable class="parameter">generator</replaceable></term> - <listitem> - <para> - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. - </para> - </listitem> + <listitem> + <para> + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + </para> + </listitem> </varlistentry> <varlistentry> <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-keygen</command>. - </para> - </listitem> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-keygen</command>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-k</term> - <listitem> - <para> - Generate KEY records rather than DNSKEY records. - </para> - </listitem> + <listitem> + <para> + Generate KEY records rather than DNSKEY records. + </para> + </listitem> </varlistentry> <varlistentry> <term>-p <replaceable class="parameter">protocol</replaceable></term> - <listitem> - <para> - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - </para> - </listitem> + <listitem> + <para> + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + </para> + </listitem> </varlistentry> <varlistentry> <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. 
If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. <filename>randomdev</filename> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-s <replaceable class="parameter">strength</replaceable></term> - <listitem> - <para> - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. - </para> - </listitem> + <listitem> + <para> + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </para> + </listitem> </varlistentry> <varlistentry> <term>-t <replaceable class="parameter">type</replaceable></term> - <listitem> - <para> - Indicates the use of the key. <option>type</option> must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - </para> - </listitem> + <listitem> + <para> + Indicates the use of the key. <option>type</option> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> </varlistentry> </variablelist> 
@@ -258,82 +262,82 @@ <refsect1> <title>GENERATED KEYS</title> <para> - When <command>dnssec-keygen</command> completes successfully, - it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename> - to the standard output. This is an identification string for - the key it has generated. + When <command>dnssec-keygen</command> completes + successfully, + it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename> + to the standard output. This is an identification string for + the key it has generated. </para> <itemizedlist> <listitem> - <para> - <filename>nnnn</filename> is the key name. + <para><filename>nnnn</filename> is the key name. </para> </listitem> <listitem> - <para> - <filename>aaa</filename> is the numeric representation of the + <para><filename>aaa</filename> is the numeric representation + of the algorithm. </para> </listitem> <listitem> - <para> - <filename>iiiii</filename> is the key identifier (or footprint). + <para><filename>iiiii</filename> is the key identifier (or + footprint). </para> </listitem> </itemizedlist> - <para> - <command>dnssec-keygen</command> creates two file, with names based - on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename> - contains the public key, and - <filename>Knnnn.+aaa+iiiii.private</filename> contains the private - key. + <para><command>dnssec-keygen</command> + creates two file, with names based + on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename> + contains the public key, and + <filename>Knnnn.+aaa+iiiii.private</filename> contains the + private + key. </para> <para> - The <filename>.key</filename> file contains a DNS KEY record that - can be inserted into a zone file (directly or with a $INCLUDE - statement). + The <filename>.key</filename> file contains a DNS KEY record + that + can be inserted into a zone file (directly or with a $INCLUDE + statement). </para> <para> - The <filename>.private</filename> file contains algorithm specific - fields. 
For obvious security reasons, this file does not have - general read permission. + The <filename>.private</filename> file contains algorithm + specific + fields. For obvious security reasons, this file does not have + general read permission. </para> <para> - Both <filename>.key</filename> and <filename>.private</filename> - files are generated for symmetric encryption algorithm such as - HMAC-MD5, even though the public and private key are equivalent. + Both <filename>.key</filename> and <filename>.private</filename> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. </para> </refsect1> <refsect1> <title>EXAMPLE</title> <para> - To generate a 768-bit DSA key for the domain - <userinput>example.com</userinput>, the following command would be - issued: + To generate a 768-bit DSA key for the domain + <userinput>example.com</userinput>, the following command would be + issued: </para> - <para> - <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput> + <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput> </para> <para> - The command would print a string of the form: + The command would print a string of the form: </para> - <para> - <userinput>Kexample.com.+003+26160</userinput> + <para><userinput>Kexample.com.+003+26160</userinput> </para> <para> - In this example, <command>dnssec-keygen</command> creates - the files <filename>Kexample.com.+003+26160.key</filename> and - <filename>Kexample.com.+003+26160.private</filename> + In this example, <command>dnssec-keygen</command> creates + the files <filename>Kexample.com.+003+26160.key</filename> + and + <filename>Kexample.com.+003+26160.private</filename> </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-signzone</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum> 
</citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>RFC 2535</citetitle>, @@ -344,14 +348,11 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html index 7a15099..5229868 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.html +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.15 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: dnssec-keygen.html,v 1.9.18.19 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-keygen</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.dnssec-keygen"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p> 
@@ -32,186 +32,191 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549521"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate - keys for use with TSIG (Transaction Signatures), as - defined in RFC 2845. +<a name="id2543474"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dnssec-keygen</strong></span> + generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 + and RFC <TBA\>. It can also generate keys for use with + TSIG (Transaction Signatures), as defined in RFC 2845. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549533"></a><h2>OPTIONS</h2> +<a name="id2543485"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> - Selects the cryptographic algorithm. 
The value of - <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1, - DSA, DH (Diffie Hellman), or HMAC-MD5. These values - are case insensitive. - </p> + Selects the cryptographic algorithm. The value of + <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </p> <p> - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, - and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - </p> + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </p> <p> - Note 2: HMAC-MD5 and DH automatically set the -k flag. - </p> + Note 2: HMAC-MD5 and DH automatically set the -k flag. + </p> </dd> <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> <dd><p> - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between - 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be - between 1 and 512 bits. - </p></dd> + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be + between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. + </p></dd> <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> <dd><p> - Specifies the owner type of the key. The value of - <code class="option">nametype</code> must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). 
These values are - case insensitive. - </p></dd> + Specifies the owner type of the key. The value of + <code class="option">nametype</code> must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are + case insensitive. + </p></dd> <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> <dd><p> - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - </p></dd> + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </p></dd> <dt><span class="term">-e</span></dt> <dd><p> - If generating an RSAMD5/RSASHA1 key, use a large exponent. - </p></dd> + If generating an RSAMD5/RSASHA1 key, use a large exponent. + </p></dd> <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt> <dd><p> - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. - </p></dd> + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. + </p></dd> <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt> <dd><p> - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. - </p></dd> + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. 
+ </p></dd> <dt><span class="term">-h</span></dt> <dd><p> - Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-keygen</strong></span>. - </p></dd> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-keygen</strong></span>. + </p></dd> <dt><span class="term">-k</span></dt> <dd><p> - Generate KEY records rather than DNSKEY records. - </p></dd> + Generate KEY records rather than DNSKEY records. + </p></dd> <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt> <dd><p> - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - </p></dd> + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + </p></dd> <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> <dd><p> - Specifies the source of randomness. If the operating - system does not provide a <code class="filename">/dev/random</code> - or equivalent device, the default source of randomness - is keyboard input. <code class="filename">randomdev</code> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <code class="filename">keyboard</code> indicates that keyboard - input should be used. - </p></dd> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> + or equivalent device, the default source of randomness + is keyboard input. <code class="filename">randomdev</code> + specifies + the name of a character device or file containing random + data to be used instead of the default. 
The special value + <code class="filename">keyboard</code> indicates that keyboard + input should be used. + </p></dd> <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt> <dd><p> - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. - </p></dd> + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </p></dd> <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt> <dd><p> - Indicates the use of the key. <code class="option">type</code> must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - </p></dd> + Indicates the use of the key. <code class="option">type</code> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + </p></dd> <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> <dd><p> - Sets the debugging level. - </p></dd> + Sets the debugging level. + </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549939"></a><h2>GENERATED KEYS</h2> +<a name="id2543820"></a><h2>GENERATED KEYS</h2> <p> - When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, - it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> - to the standard output. This is an identification string for - the key it has generated. + When <span><strong class="command">dnssec-keygen</strong></span> completes + successfully, + it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> + to the standard output. This is an identification string for + the key it has generated. 
</p> <div class="itemizedlist"><ul type="disc"> -<li><p> - <code class="filename">nnnn</code> is the key name. +<li><p><code class="filename">nnnn</code> is the key name. </p></li> -<li><p> - <code class="filename">aaa</code> is the numeric representation of the +<li><p><code class="filename">aaa</code> is the numeric representation + of the algorithm. </p></li> -<li><p> - <code class="filename">iiiii</code> is the key identifier (or footprint). +<li><p><code class="filename">iiiii</code> is the key identifier (or + footprint). </p></li> </ul></div> -<p> - <span><strong class="command">dnssec-keygen</strong></span> creates two file, with names based - on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> - contains the public key, and - <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private - key. +<p><span><strong class="command">dnssec-keygen</strong></span> + creates two file, with names based + on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> + contains the public key, and + <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the + private + key. </p> <p> - The <code class="filename">.key</code> file contains a DNS KEY record that - can be inserted into a zone file (directly or with a $INCLUDE - statement). + The <code class="filename">.key</code> file contains a DNS KEY record + that + can be inserted into a zone file (directly or with a $INCLUDE + statement). </p> <p> - The <code class="filename">.private</code> file contains algorithm specific - fields. For obvious security reasons, this file does not have - general read permission. + The <code class="filename">.private</code> file contains algorithm + specific + fields. For obvious security reasons, this file does not have + general read permission. 
</p> <p> - Both <code class="filename">.key</code> and <code class="filename">.private</code> - files are generated for symmetric encryption algorithm such as - HMAC-MD5, even though the public and private key are equivalent. + Both <code class="filename">.key</code> and <code class="filename">.private</code> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550027"></a><h2>EXAMPLE</h2> +<a name="id2543902"></a><h2>EXAMPLE</h2> <p> - To generate a 768-bit DSA key for the domain - <strong class="userinput"><code>example.com</code></strong>, the following command would be - issued: + To generate a 768-bit DSA key for the domain + <strong class="userinput"><code>example.com</code></strong>, the following command would be + issued: </p> -<p> - <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> +<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> </p> <p> - The command would print a string of the form: + The command would print a string of the form: </p> -<p> - <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> +<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong> </p> <p> - In this example, <span><strong class="command">dnssec-keygen</strong></span> creates - the files <code class="filename">Kexample.com.+003+26160.key</code> and - <code class="filename">Kexample.com.+003+26160.private</code> + In this example, <span><strong class="command">dnssec-keygen</strong></span> creates + the files <code class="filename">Kexample.com.+003+26160.key</code> + and + <code class="filename">Kexample.com.+003+26160.private</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2550073"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, +<a 
name="id2543946"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2535</em>, <em class="citetitle">RFC 2845</em>, @@ -219,9 +224,8 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2550106"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2544045"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8 index 734eca6..86347b1 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.8 +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.11 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dnssec-signzone.8,v 1.28.18.16 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: dnssec\-signzone .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 
@@ -33,7 +33,7 @@ dnssec\-signzone \- DNSSEC zone signing tool .SH "SYNOPSIS" .HP 16 -\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...] +\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...] .SH "DESCRIPTION" .PP \fBdnssec\-signzone\fR 
@@ -41,50 +41,71 @@ signs a zone. It generates NSEC and RRSIG records and produces a signed version \fIkeyset\fR file for each child zone. .SH "OPTIONS" -.TP 3n +.PP \-a +.RS 4 Verify all generated signatures. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Specifies the DNS class of the zone. -.TP 3n +.RE +.PP \-k \fIkey\fR +.RS 4 Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. -.TP 3n +.RE +.PP \-l \fIdomain\fR +.RS 4 Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. -.TP 3n +.RE +.PP \-d \fIdirectory\fR +.RS 4 Look for \fIkeyset\fR files in \fBdirectory\fR as the directory -.TP 3n +.RE +.PP \-g +.RS 4 Generate DS records for child zones from keyset files. Existing DS records will be removed. -.TP 3n +.RE +.PP \-s \fIstart\-time\fR +.RS 4 Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no \fBstart\-time\fR is specified, the current time minus 1 hour (to allow for clock skew) is used. -.TP 3n +.RE +.PP \-e \fIend\-time\fR +.RS 4 Specify the date and time when the generated RRSIG records expire. As with \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no \fBend\-time\fR is specified, 30 days from the start time is used as a default. -.TP 3n +.RE +.PP \-f \fIoutput\-file\fR +.RS 4 The name of the output file containing the signed zone. The default is to append \fI.signed\fR to the input file. 
-.TP 3n +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBdnssec\-signzone\fR. -.TP 3n +.RE +.PP \-i \fIinterval\fR +.RS 4 When a previously signed zone is passed as input, records may be resigned. The \fBinterval\fR option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. 
@@ -96,17 +117,77 @@ or are specified, \fBdnssec\-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. -.TP 3n +.RE +.PP +\-I \fIinput\-format\fR +.RS 4 +The format of the input zone file. Possible formats are +\fB"text"\fR +(default) and +\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones. +.RE +.PP +\-j \fIjitter\fR +.RS 4 +When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously signed zone is passed as input to the signer, all expired signatures has to be regenerated at about the same time. The +\fBjitter\fR +option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time. +.sp +Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time. +.RE +.PP \-n \fIncpus\fR +.RS 4 Specifies the number of threads to use. By default, one thread is started for each detected CPU. -.TP 3n +.RE +.PP +\-N \fIsoa\-serial\-format\fR +.RS 4 +The SOA serial number format of the signed zone. Possible formats are +\fB"keep"\fR +(default), +\fB"increment"\fR +and +\fB"unixtime"\fR. +.RS 4 +.PP +\fB"keep"\fR +.RS 4 +Do not modify the SOA serial number. +.RE +.PP +\fB"increment"\fR +.RS 4 +Increment the SOA serial number using RFC 1982 arithmetics. 
+.RE +.PP +\fB"unixtime"\fR +.RS 4 +Set the SOA serial number to the number of seconds since epoch. +.RE +.RE +.RE +.PP \-o \fIorigin\fR +.RS 4 The zone origin. If not specified, the name of the zone file is assumed to be the origin. -.TP 3n +.RE +.PP +\-O \fIoutput\-format\fR +.RS 4 +The format of the output file containing the signed zone. Possible formats are +\fB"text"\fR +(default) and +\fB"raw"\fR. +.RE +.PP \-p +.RS 4 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. -.TP 3n +.RE +.PP \-r \fIrandomdev\fR +.RS 4 Specifies the source of randomness. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -114,21 +195,32 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-t +.RS 4 Print statistics at completion. -.TP 3n +.RE +.PP \-v \fIlevel\fR +.RS 4 Sets the debugging level. -.TP 3n +.RE +.PP \-z +.RS 4 Ignore KSK flag on key when determining what to sign. -.TP 3n +.RE +.PP zonefile +.RS 4 The file containing the zone to be signed. -.TP 3n +.RE +.PP key +.RS 4 The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory. +.RE .SH "EXAMPLE" .PP The following command signs the @@ -159,4 +251,7 @@ RFC 2535. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br 
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c index 4ac840d..1f5b538 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.c +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c @@ -16,7 +16,9 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.139.2.2.4.23 2006/01/04 23:50:19 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.177.18.21 2006/08/30 23:01:54 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -33,6 +35,7 @@ #include <isc/mutex.h> #include <isc/os.h> #include <isc/print.h> +#include <isc/random.h> #include <isc/serial.h> #include <isc/stdio.h> #include <isc/string.h> @@ -58,6 +61,7 @@ #include <dns/rdatastruct.h> #include <dns/rdatatype.h> #include <dns/result.h> +#include <dns/soa.h> #include <dns/time.h> #include <dst/dst.h> @@ -85,6 +89,10 @@ struct signer_key_struct { #define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0) #define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1) +#define SOA_SERIAL_KEEP 0 +#define SOA_SERIAL_INCREMENT 1 +#define SOA_SERIAL_UNIXTIME 2 + typedef struct signer_event sevent_t; struct signer_event { ISC_EVENT_COMMON(sevent_t); @@ -96,6 +104,7 @@ static ISC_LIST(signer_key_t) keylist; static unsigned int keycount = 0; static isc_stdtime_t starttime = 0, endtime = 0, now; static int cycle = -1; +static int jitter = 0; static isc_boolean_t tryverify = ISC_FALSE; static isc_boolean_t printstats = ISC_FALSE; static isc_mem_t *mctx = NULL; @@ -104,6 +113,8 @@ static dns_ttl_t zonettl; static FILE *fp; static char *tempfile = NULL; static const dns_master_style_t *masterstyle; +static dns_masterformat_t inputformat = dns_masterformat_text; +static dns_masterformat_t outputformat = dns_masterformat_text; static unsigned int nsigned = 0, nretained = 0, ndropped = 0; static unsigned int nverified = 0, nverifyfailed = 0; static const char *directory; 
@@ -125,6 +136,7 @@ static isc_boolean_t ignoreksk = ISC_FALSE; static dns_name_t *dlv = NULL; static dns_fixedname_t dlv_fixed; static dns_master_style_t *dsstyle = NULL; +static unsigned int serialformat = SOA_SERIAL_KEEP; #define INCSTAT(counter) \ if (printstats) { \ @@ -154,42 +166,13 @@ static void dumpnode(dns_name_t *name, dns_dbnode_t *node) { isc_result_t result; + if (outputformat != dns_masterformat_text) + return; result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name, masterstyle, fp); check_result(result, "dns_master_dumpnodetostream"); } -static void -dumpdb(dns_db_t *db) { - dns_dbiterator_t *dbiter = NULL; - dns_dbnode_t *node; - dns_fixedname_t fname; - dns_name_t *name; - isc_result_t result; - - dbiter = NULL; - result = dns_db_createiterator(db, ISC_FALSE, &dbiter); - check_result(result, "dns_db_createiterator()"); - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - node = NULL; - - for (result = dns_dbiterator_first(dbiter); - result == ISC_R_SUCCESS; - result = dns_dbiterator_next(dbiter)) - { - result = dns_dbiterator_current(dbiter, &node, name); - check_result(result, "dns_dbiterator_current()"); - dumpnode(name, node); - dns_db_detachnode(db, &node); - } - if (result != ISC_R_NOMORE) - fatal("iterating database: %s", isc_result_totext(result)); - - dns_dbiterator_destroy(&dbiter); -} - static signer_key_t * newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) { signer_key_t *key; @@ -217,8 +200,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, dst_key_t *key, isc_buffer_t *b) { isc_result_t result; + isc_stdtime_t jendtime; - result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime, + jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime; + result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime, mctx, b, rdata); isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) { 
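Review bot: The jittered expiry computed on the new `jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;` line is never compared with `starttime`, so a `-j` value larger than the signature lifetime (`endtime - starttime`) can presumably produce an expiry that precedes inception, i.e. signatures that are invalid from the moment they are written. The `-j` parser only rejects negative values and the lifetime is not known at parse time, so the bound belongs after `starttime`/`endtime` are fixed in main() (outside the visible hunks), e.g. `if (jitter != 0 && (isc_stdtime_t)jitter >= endtime - starttime) fatal("jitter must be smaller than the signature lifetime");`. Whether `isc_random_jitter()` itself enforces any bound on its second argument is not visible here. The rest of signwithkey's body lies outside the hunk.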
@@ -253,7 +238,7 @@ iszonekey(signer_key_t *key) { dst_key_iszonekey(key->key))); } -/* +/*% * Finds the key that generated a RRSIG, if possible. First look at the keys * that we've loaded already, and then see if there's a key on disk. */ @@ -291,7 +276,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) { return (key); } -/* +/*% * Check to see if we expect to find a key at this name. If we see a RRSIG * and can't find the signing key that we expect to find, we drop the rrsig. * I'm not sure if this is completely correct, but it seems to work. @@ -337,7 +322,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key, } } -/* +/*% * Signs a set. Goes through contortions to decide if each RRSIG should * be dropped or retained, and then determines if any new SIGs need to * be generated. @@ -598,7 +583,7 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, dns_db_detach(dbp); } -/* +/*% * Loads the key set for a child zone, if there is one, and builds DS records. */ static isc_result_t @@ -653,6 +638,16 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { ttl, &ds, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(&diff, &tuple); + + dns_rdata_reset(&ds); + result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256, + dsbuf, &ds); + check_result(result, "dns_ds_buildrdata"); + + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, + ttl, &ds, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); } result = dns_diff_apply(&diff, db, ver); check_result(result, "dns_diff_apply"); @@ -775,7 +770,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) { return (ISC_TF(result == ISC_R_SUCCESS)); } -/* +/*% * Signs all records at a name. This mostly just signs each set individually, * but also adds the RRSIG bit to any NSECs generated earlier, deals with * parent/child KEY signatures, and handles other exceptional cases. 
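Review bot: The new block in loadds builds a second DS record with `DNS_DSDIGEST_SHA256` directly after the existing SHA-1 one without saying why both are emitted, and the same buildrdata/difftuple_create/check_result/diff_append sequence is repeated in writeset's hunk at `@@ -1580`. A comment above the added lines would help, e.g. `/* Emit a DS for each supported digest type (SHA-1 and SHA-256, RFC 4509) so that validators knowing only one of them can still build the chain of trust. */`, and the four-call sequence could become a small static helper taking the digest type, called once per digest from both sites. Note that `dsbuf` is reused for the second digest, which is only safe if `dns_difftuple_create()` copies the rdata rather than referencing the buffer; that appears to be the case but is not visible here. loadds begins and ends outside the hunk.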
@@ -957,7 +952,7 @@ active_node(dns_dbnode_t *node) { isc_result_totext(result)); if (!active) { - /* + /*% * The node is empty of everything but NSEC / RRSIG records. */ for (result = dns_rdatasetiter_first(rdsiter); @@ -1021,7 +1016,7 @@ active_node(dns_dbnode_t *node) { return (active); } -/* +/*% * Extracts the TTL from the SOA. */ static dns_ttl_t 
@@ -1053,7 +1048,82 @@ soattl(void) { return (ttl); } -/* +/*% + * Increment (or set if nonzero) the SOA serial + */ +static isc_result_t +setsoaserial(isc_uint32_t serial) { + isc_result_t result; + dns_dbnode_t *node = NULL; + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_uint32_t old_serial, new_serial; + + result = dns_db_getoriginnode(gdb, &node); + if (result != ISC_R_SUCCESS) + return result; + + dns_rdataset_init(&rdataset); + + result = dns_db_findrdataset(gdb, node, gversion, + dns_rdatatype_soa, 0, + 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) + goto cleanup; + + result = dns_rdataset_first(&rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + dns_rdataset_current(&rdataset, &rdata); + + old_serial = dns_soa_getserial(&rdata); + + if (serial) { + /* Set SOA serial to the value provided. */ + new_serial = serial; + } else { + /* Increment SOA serial using RFC 1982 arithmetics */ + new_serial = (old_serial + 1) & 0xFFFFFFFF; + if (new_serial == 0) + new_serial = 1; + } + + /* If the new serial is not likely to cause a zone transfer + * (a/ixfr) from servers having the old serial, warn the user. + * + * RFC1982 section 7 defines the maximum increment to be + * (2^(32-1))-1. Using u_int32_t arithmetic, we can do a single + * comparison. 
(5 - 6 == (2^32)-1, not negative-one) + */ + if (new_serial == old_serial || + (new_serial - old_serial) > 0x7fffffffU) + fprintf(stderr, "%s: warning: Serial number not advanced, " + "zone may not transfer\n", program); + + dns_soa_setserial(new_serial, &rdata); + + result = dns_db_deleterdataset(gdb, node, gversion, + dns_rdatatype_soa, 0); + check_result(result, "dns_db_deleterdataset"); + if (result != ISC_R_SUCCESS) + goto cleanup; + + result = dns_db_addrdataset(gdb, node, gversion, + 0, &rdataset, 0, NULL); + check_result(result, "dns_db_addrdataset"); + if (result != ISC_R_SUCCESS) + goto cleanup; + +cleanup: + dns_rdataset_disassociate(&rdataset); + if (node != NULL) + dns_db_detachnode(gdb, &node); + dns_rdata_reset(&rdata); + + return (result); +} + +/*% * Delete any RRSIG records at a node. */ static void @@ -1062,6 +1132,9 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { dns_rdataset_t set; isc_result_t result, dresult; + if (outputformat != dns_masterformat_text) + return; + dns_rdataset_init(&set); result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); check_result(result, "dns_db_allrdatasets"); @@ -1089,7 +1162,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { dns_rdatasetiter_destroy(&rdsiter); } -/* +/*% * Set up the iterator and global state before starting the tasks. */ static void @@ -1104,7 +1177,7 @@ presign(void) { check_result(result, "dns_dbiterator_first()"); } -/* +/*% * Clean up the iterator and global state after the tasks complete. */ static void 
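Review bot: The header comment `Increment (or set if nonzero) the SOA serial` on the new setsoaserial() is easy to misread; I would state the contract explicitly: `Set the SOA serial at the zone apex: a zero argument means "increment the existing serial (RFC 1982)", any other value is stored verbatim. Returns the result of the database lookup/update, which the caller must check.` Two smaller points in the same hunk: the mask in `new_serial = (old_serial + 1) & 0xFFFFFFFF;` is a no-op on a 32-bit type and can be dropped, and the two `if (result != ISC_R_SUCCESS) goto cleanup;` lines following `check_result()` look unreachable if `check_result()` aborts on failure as its other uses in this file suggest — either drop them or drop the `check_result()` calls so the error is actually returned to the caller. The early `return result;` after `dns_db_getoriginnode()` also departs from the `return (result);` form used at the end of the same function.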
@@ -1112,7 +1185,33 @@ postsign(void) { dns_dbiterator_destroy(&gdbiter); } -/* +/*% + * Sign the apex of the zone. + */ +static void +signapex(void) { + dns_dbnode_t *node = NULL; + dns_fixedname_t fixed; + dns_name_t *name; + isc_result_t result; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + result = dns_dbiterator_current(gdbiter, &node, name); + check_result(result, "dns_dbiterator_current()"); + signname(node, name); + dumpnode(name, node); + cleannode(gdb, gversion, node); + dns_db_detachnode(gdb, &node); + result = dns_dbiterator_next(gdbiter); + if (result == ISC_R_NOMORE) + finished = ISC_TRUE; + else if (result != ISC_R_SUCCESS) + fatal("failure iterating database: %s", + isc_result_totext(result)); +} + +/*% * Assigns a node to a worker thread. This is protected by the master task's * lock. */ @@ -1192,7 +1291,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) { assigned++; } -/* +/*% * Start a worker task */ static void @@ -1204,7 +1303,7 @@ startworker(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); } -/* +/*% * Write a node to the output file, and restart the worker task. */ static void @@ -1222,7 +1321,7 @@ writenode(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); } -/* +/*% * Sign a database node. */ static void @@ -1247,7 +1346,7 @@ sign(isc_task_t *task, isc_event_t *event) { isc_task_send(master, ISC_EVENT_PTR(&wevent)); } -/* +/*% * Generate NSEC records for the zone. */ static void @@ -1318,7 +1417,7 @@ nsecify(void) { dns_dbiterator_destroy(&dbiter); } -/* +/*% * Load the zone file from disk */ static void 
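Review bot: The new signapex() assumes that the node `gdbiter` is positioned on after presign() is the zone apex, but nothing in the function verifies it; should the iterator order ever differ, the apex would be signed by a worker while `finished` is derived from the wrong node. A cheap check after `dns_dbiterator_current()` would both document and enforce the assumption: `INSIST(dns_name_equal(name, gorigin));` (assuming `gorigin` is the apex name, as its use in writeset suggests). The header comment `Sign the apex of the zone.` could also say why the apex is handled synchronously before the worker tasks start rather than being left to them, since the reason is not visible from this hunk.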
@@ -1344,13 +1443,13 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) { rdclass, 0, NULL, db); check_result(result, "dns_db_create()"); - result = dns_db_load(*db, file); + result = dns_db_load2(*db, file, inputformat); if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) fatal("failed loading zone from '%s': %s", file, isc_result_totext(result)); } -/* +/*% * Finds all public zone keys in the zone, and attempts to load the * private keys from disk. */ @@ -1389,7 +1488,7 @@ loadzonekeys(dns_db_t *db) { dns_db_closeversion(db, ¤tversion, ISC_FALSE); } -/* +/*% * Finds all public zone keys in the zone. */ static void @@ -1580,6 +1679,19 @@ writeset(const char *prefix, dns_rdatatype_t type) { ds.type = dns_rdatatype_dlv; result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, 0, &ds, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); + + dns_rdata_reset(&ds); + result = dns_ds_buildrdata(gorigin, &rdata, + DNS_DSDIGEST_SHA256, + dsbuf, &ds); + check_result(result, "dns_ds_buildrdata"); + if (type == dns_rdatatype_dlv) + ds.type = dns_rdatatype_dlv; + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + name, 0, &ds, &tuple); + } else result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, gorigin, zonettl, @@ -1612,12 +1724,18 @@ static void print_time(FILE *fp) { time_t currenttime; + if (outputformat != dns_masterformat_text) + return; + currenttime = time(NULL); fprintf(fp, "; File written on %s", ctime(¤ttime)); } static void print_version(FILE *fp) { + if (outputformat != dns_masterformat_text) + return; + fprintf(fp, "; dnssec_signzone version " VERSION "\n"); } 
@@ -1644,12 +1762,20 @@ usage(void) { fprintf(stderr, "\t-i interval:\n"); fprintf(stderr, "\t\tcycle interval - resign " "if < interval from end ( (end-start)/4 )\n"); + fprintf(stderr, "\t-j jitter:\n"); + fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n"); fprintf(stderr, "\t-v debuglevel (0)\n"); fprintf(stderr, "\t-o origin:\n"); fprintf(stderr, "\t\tzone origin (name of zonefile)\n"); fprintf(stderr, "\t-f outfile:\n"); fprintf(stderr, "\t\tfile the signed zone is written in " "(zonefile + .signed)\n"); + fprintf(stderr, "\t-I format:\n"); + fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); + fprintf(stderr, "\t-O format:\n"); + fprintf(stderr, "\t\tfile format of signed zone file (text)\n"); + fprintf(stderr, "\t-N format:\n"); + fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n"); fprintf(stderr, "\t-r randomdev:\n"); fprintf(stderr, "\t\ta file containing random data\n"); fprintf(stderr, "\t-a:\t"); @@ -1708,6 +1834,8 @@ main(int argc, char *argv[]) { int i, ch; char *startstr = NULL, *endstr = NULL, *classname = NULL; char *origin = NULL, *file = NULL, *output = NULL; + char *inputformatstr = NULL, *outputformatstr = NULL; + char *serialformatstr = NULL; char *dskeyfile[MAXDSKEYS]; int ndskeys = 0; char *endp; @@ -1720,7 +1848,6 @@ main(int argc, char *argv[]) { isc_boolean_t free_output = ISC_FALSE; int tempfilelen; dns_rdataclass_t rdclass; - dns_db_t *udb = NULL; isc_task_t **tasks = NULL; isc_buffer_t b; int len; @@ -1736,7 +1863,7 @@ main(int argc, char *argv[]) { dns_result_register(); while ((ch = isc_commandline_parse(argc, argv, - "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z")) + "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z")) != -1) { switch (ch) { case 'a': 
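Review bot: The new usage lines for `-I`, `-O` and `-N` show only the default value, so a user running `-h` cannot discover the alternatives that main() accepts (`text`/`raw` and `keep`/`increment`/`unixtime`). Listing the choices in the help text avoids a round-trip to the man page, e.g. `fprintf(stderr, "\t\tfile format of input zonefile (text|raw, default text)\n");` and `fprintf(stderr, "\t\tsoa serial format of signed zone file (keep|increment|unixtime, default keep)\n");`. usage() begins and ends outside the hunk.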
@@ -1776,6 +1903,17 @@ main(int argc, char *argv[]) { "positive"); break; + case 'I': + inputformatstr = isc_commandline_argument; + break; + + case 'j': + endp = NULL; + jitter = strtol(isc_commandline_argument, &endp, 0); + if (*endp != '\0' || jitter < 0) + fatal("jitter must be numeric and positive"); + break; + case 'l': dns_fixedname_init(&dlv_fixed); len = strlen(isc_commandline_argument); @@ -1802,10 +1940,18 @@ main(int argc, char *argv[]) { fatal("number of cpus must be numeric"); break; + case 'N': + serialformatstr = isc_commandline_argument; + break; + case 'o': origin = isc_commandline_argument; break; + case 'O': + outputformatstr = isc_commandline_argument; + break; + case 'p': pseudorandom = ISC_TRUE; break; @@ -1901,6 +2047,36 @@ main(int argc, char *argv[]) { sprintf(output, "%s.signed", file); } + if (inputformatstr != NULL) { + if (strcasecmp(inputformatstr, "text") == 0) + inputformat = dns_masterformat_text; + else if (strcasecmp(inputformatstr, "raw") == 0) + inputformat = dns_masterformat_raw; + else + fatal("unknown file format: %s\n", inputformatstr); + } + + if (outputformatstr != NULL) { + if (strcasecmp(outputformatstr, "text") == 0) + outputformat = dns_masterformat_text; + else if (strcasecmp(outputformatstr, "raw") == 0) + outputformat = dns_masterformat_raw; + else + fatal("unknown file format: %s\n", outputformatstr); + } + + if (serialformatstr != NULL) { + if (strcasecmp(serialformatstr, "keep") == 0) + serialformat = SOA_SERIAL_KEEP; + else if (strcasecmp(serialformatstr, "increment") == 0 || + strcasecmp(serialformatstr, "incr") == 0) + serialformat = SOA_SERIAL_INCREMENT; + else if (strcasecmp(serialformatstr, "unixtime") == 0) + serialformat = SOA_SERIAL_UNIXTIME; + else + fatal("unknown soa serial format: %s\n", serialformatstr); + } + result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, 0, 24, 0, 0, 0, 8, mctx); check_result(result, "dns_master_stylecreate"); 
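Review bot: In the new `case 'j':` the `strtol()` result is assigned straight to the `int` global `jitter` with no `ERANGE` check and no upper bound, so an out-of-range argument is silently truncated before the `jitter < 0` test runs, and the accepted value is later handed to `isc_random_jitter()`, which presumably takes an unsigned 32-bit argument. The neighbouring option cases appear to follow the same pattern, so this is pre-existing style, but for a new option I would parse into a `long` with `errno = 0;` beforehand and check `if (*endp != '\0' || errno == ERANGE || tmp < 0 || tmp > INT_MAX) fatal("jitter must be numeric and positive");` before storing it. main() begins and ends outside the hunk.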
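Review bot: The three new `fatal("unknown file format: %s\n", ...)` and `fatal("unknown soa serial format: %s\n", ...)` calls in the `@@ -1901` hunk end their format strings with `\n`, unlike every other `fatal()` call in the visible hunks (`fatal("jitter must be numeric and positive")`, `fatal("failed loading zone from '%s': %s", ...)`); if `fatal()` appends its own newline, as those callers imply, this prints an extra blank line. Dropping the trailing `\n` keeps the messages consistent: `fatal("unknown file format: %s", inputformatstr);`. main() begins and ends outside the hunk.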
@@ -2005,6 +2181,19 @@ main(int argc, char *argv[]) { result = dns_db_newversion(gdb, &gversion); check_result(result, "dns_db_newversion()"); + switch (serialformat) { + case SOA_SERIAL_INCREMENT: + setsoaserial(0); + break; + case SOA_SERIAL_UNIXTIME: + setsoaserial(now); + break; + case SOA_SERIAL_KEEP: + default: + /* do nothing */ + break; + } + nsecify(); if (!nokeys) { @@ -2053,10 +2242,6 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("failed to create task: %s", isc_result_totext(result)); - result = isc_app_onrun(mctx, master, startworker, tasks[i]); - if (result != ISC_R_SUCCESS) - fatal("failed to start task: %s", - isc_result_totext(result)); } RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS); @@ -2064,9 +2249,24 @@ main(int argc, char *argv[]) { RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS); presign(); - (void)isc_app_run(); - if (!finished) - fatal("process aborted by user"); + signapex(); + if (!finished) { + /* + * There is more work to do. Spread it out over multiple + * processors if possible. + */ + for (i = 0; i < (int)ntasks; i++) { + result = isc_app_onrun(mctx, master, startworker, + tasks[i]); + if (result != ISC_R_SUCCESS) + fatal("failed to start task: %s", + isc_result_totext(result)); + } + (void)isc_app_run(); + if (!finished) + fatal("process aborted by user"); + } else + isc_task_detach(&master); shuttingdown = ISC_TRUE; for (i = 0; i < (int)ntasks; i++) isc_task_detach(&tasks[i]); @@ -2074,9 +2274,11 @@ main(int argc, char *argv[]) { isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *)); postsign(); - if (udb != NULL) { - dumpdb(udb); - dns_db_detach(&udb); + if (outputformat != dns_masterformat_text) { + result = dns_master_dumptostream2(mctx, gdb, gversion, + masterstyle, outputformat, + fp); + check_result(result, "dns_master_dumptostream2"); } result = isc_stdio_close(fp); 
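Review bot: The new `switch (serialformat)` discards the `isc_result_t` returned by `setsoaserial()`, so if the origin-node or SOA lookup fails the zone is written with its old serial even though the user asked for `-N increment` or `-N unixtime`, and nothing is reported. Since the surrounding code in main() aborts on such failures via `check_result()`, the two calls should do the same: `result = setsoaserial(0); check_result(result, "setsoaserial");` and `result = setsoaserial(now); check_result(result, "setsoaserial");` (`result` is already in scope two lines above the switch). main() begins and ends outside the hunk.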
@@ -2115,6 +2317,7 @@ main(int argc, char *argv[]) { dst_lib_destroy(); isc_hash_destroy(); cleanup_entropy(&ectx); + dns_name_destroy(); if (verbose > 10) isc_mem_stats(mctx, stdout); isc_mem_destroy(&mctx); diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook index 35f35cc..371d72b 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,23 +18,29 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.11 2005/06/24 00:18:15 marka Exp $ --> - -<refentry> +<!-- $Id: dnssec-signzone.docbook,v 1.10.18.15 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.dnssec-signzone"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> <refmeta> <refentrytitle><application>dnssec-signzone</application></refentrytitle> - <manvolnum>8</manvolnum> + <manvolnum>8</manvolnum> <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>dnssec-signzone</application></refname> + <refpurpose>DNSSEC zone signing tool</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> 
@@ -46,11 +52,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>dnssec-signzone</application></refname> - <refpurpose>DNSSEC zone signing tool</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>dnssec-signzone</command> @@ -64,8 +65,11 @@ <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg> <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg> <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg> - <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg> + <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg> + <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg> + <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg> <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg> + <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg> <arg><option>-p</option></arg> <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> 
@@ -79,13 +83,13 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>dnssec-signzone</command> signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <filename>keyset</filename> file for each child zone. + <para><command>dnssec-signzone</command> + signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + <filename>keyset</filename> file for each child zone. </para> </refsect1> 
@@ -95,231 +99,323 @@ <variablelist> <varlistentry> <term>-a</term> - <listitem> - <para> - Verify all generated signatures. - </para> - </listitem> + <listitem> + <para> + Verify all generated signatures. + </para> + </listitem> </varlistentry> <varlistentry> <term>-c <replaceable class="parameter">class</replaceable></term> - <listitem> - <para> - Specifies the DNS class of the zone. - </para> - </listitem> + <listitem> + <para> + Specifies the DNS class of the zone. + </para> + </listitem> </varlistentry> <varlistentry> <term>-k <replaceable class="parameter">key</replaceable></term> - <listitem> - <para> - Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. - </para> - </listitem> + <listitem> + <para> + Treat specified key as a key signing key ignoring any + key flags. This option may be specified multiple times. + </para> + </listitem> </varlistentry> <varlistentry> <term>-l <replaceable class="parameter">domain</replaceable></term> - <listitem> - <para> - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - </para> - </listitem> + <listitem> + <para> + Generate a DLV set in addition to the key (DNSKEY) and DS sets. + The domain is appended to the name of the records. + </para> + </listitem> </varlistentry> <varlistentry> <term>-d <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - Look for <filename>keyset</filename> files in - <option>directory</option> as the directory - </para> - </listitem> + <listitem> + <para> + Look for <filename>keyset</filename> files in + <option>directory</option> as the directory + </para> + </listitem> </varlistentry> <varlistentry> <term>-g</term> - <listitem> - <para> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. - </para> - </listitem> + <listitem> + <para> + Generate DS records for child zones from keyset files. 
+ Existing DS records will be removed. + </para> + </listitem> </varlistentry> <varlistentry> <term>-s <replaceable class="parameter">start-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <option>start-time</option> is specified, the current - time minus 1 hour (to allow for clock skew) is used. - </para> - </listitem> + <listitem> + <para> + Specify the date and time when the generated RRSIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <option>start-time</option> is specified, the current + time minus 1 hour (to allow for clock skew) is used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-e <replaceable class="parameter">end-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated RRSIG records - expire. As with <option>start-time</option>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <option>end-time</option> is - specified, 30 days from the start time is used as a default. - </para> - </listitem> + <listitem> + <para> + Specify the date and time when the generated RRSIG records + expire. As with <option>start-time</option>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. 
A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time relative to the current time is + indicated with now+N. If no <option>end-time</option> is + specified, 30 days from the start time is used as a default. + </para> + </listitem> </varlistentry> <varlistentry> <term>-f <replaceable class="parameter">output-file</replaceable></term> - <listitem> - <para> - The name of the output file containing the signed zone. The - default is to append <filename>.signed</filename> to the - input file. - </para> - </listitem> + <listitem> + <para> + The name of the output file containing the signed zone. The + default is to append <filename>.signed</filename> to + the + input file. + </para> + </listitem> </varlistentry> <varlistentry> <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-signzone</command>. - </para> - </listitem> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-signzone</command>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-i <replaceable class="parameter">interval</replaceable></term> - <listitem> - <para> - When a previously signed zone is passed as input, records - may be resigned. The <option>interval</option> option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. - </para> - <para> - The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - <option>end-time</option> or <option>start-time</option> - are specified, <command>dnssec-signzone</command> generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. 
- </para> - </listitem> + <listitem> + <para> + When a previously signed zone is passed as input, records + may be resigned. The <option>interval</option> option + specifies the cycle interval as an offset from the current + time (in seconds). If a RRSIG record expires after the + cycle interval, it is retained. Otherwise, it is considered + to be expiring soon, and it will be replaced. + </para> + <para> + The default cycle interval is one quarter of the difference + between the signature end and start times. So if neither + <option>end-time</option> or <option>start-time</option> + are specified, <command>dnssec-signzone</command> + generates + signatures that are valid for 30 days, with a cycle + interval of 7.5 days. Therefore, if any existing RRSIG records + are due to expire in less than 7.5 days, they would be + replaced. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-I <replaceable class="parameter">input-format</replaceable></term> + <listitem> + <para> + The format of the input zone file. + Possible formats are <command>"text"</command> (default) + and <command>"raw"</command>. + This option is primarily intended to be used for dynamic + signed zones so that the dumped zone file in a non-text + format containing updates can be signed directly. + The use of this option does not make much sense for + non-dynamic zones. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-j <replaceable class="parameter">jitter</replaceable></term> + <listitem> + <para> + When signing a zone with a fixed signature lifetime, all + RRSIG records issued at the time of signing expires + simultaneously. If the zone is incrementally signed, i.e. + a previously signed zone is passed as input to the signer, + all expired signatures has to be regenerated at about the + same time. 
The <option>jitter</option> option specifies a + jitter window that will be used to randomize the signature + expire time, thus spreading incremental signature + regeneration over time. + </para> + <para> + Signature lifetime jitter also to some extent benefits + validators and servers by spreading out cache expiration, + i.e. if large numbers of RRSIGs don't expire at the same time + from all caches there will be less congestion than if all + validators need to refetch at mostly the same time. + </para> + </listitem> </varlistentry> <varlistentry> <term>-n <replaceable class="parameter">ncpus</replaceable></term> - <listitem> - <para> - Specifies the number of threads to use. By default, one - thread is started for each detected CPU. - </para> - </listitem> + <listitem> + <para> + Specifies the number of threads to use. By default, one + thread is started for each detected CPU. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term> + <listitem> + <para> + The SOA serial number format of the signed zone. + Possible formats are <command>"keep"</command> (default), + <command>"increment"</command> and + <command>"unixtime"</command>. + </para> + + <variablelist> + <varlistentry> + <term><command>"keep"</command></term> + <listitem> + <para>Do not modify the SOA serial number.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><command>"increment"</command></term> + <listitem> + <para>Increment the SOA serial number using RFC 1982 + arithmetics.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><command>"unixtime"</command></term> + <listitem> + <para>Set the SOA serial number to the number of seconds + since epoch.</para> + </listitem> + </varlistentry> + </variablelist> + + </listitem> </varlistentry> <varlistentry> <term>-o <replaceable class="parameter">origin</replaceable></term> - <listitem> - <para> - The zone origin. 
If not specified, the name of the zone file - is assumed to be the origin. - </para> - </listitem> + <listitem> + <para> + The zone origin. If not specified, the name of the zone file + is assumed to be the origin. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-O <replaceable class="parameter">output-format</replaceable></term> + <listitem> + <para> + The format of the output file containing the signed zone. + Possible formats are <command>"text"</command> (default) + and <command>"raw"</command>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-p</term> - <listitem> - <para> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </para> - </listitem> + <listitem> + <para> + Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </para> + </listitem> </varlistentry> <varlistentry> <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. 
<filename>randomdev</filename> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-t</term> - <listitem> - <para> - Print statistics at completion. - </para> - </listitem> + <listitem> + <para> + Print statistics at completion. + </para> + </listitem> </varlistentry> <varlistentry> <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> </varlistentry> <varlistentry> <term>-z</term> - <listitem> - <para> - Ignore KSK flag on key when determining what to sign. - </para> - </listitem> + <listitem> + <para> + Ignore KSK flag on key when determining what to sign. + </para> + </listitem> </varlistentry> <varlistentry> <term>zonefile</term> - <listitem> - <para> - The file containing the zone to be signed. - </para> - </listitem> + <listitem> + <para> + The file containing the zone to be signed. + </para> + </listitem> </varlistentry> <varlistentry> <term>key</term> - <listitem> - <para> - The keys used to sign the zone. If no keys are specified, the - default all zone keys that have private key files in the - current directory. - </para> - </listitem> + <listitem> + <para> + The keys used to sign the zone. If no keys are specified, the + default all zone keys that have private key files in the + current directory. + </para> + </listitem> </varlistentry> </variablelist> 
@@ -328,34 +424,34 @@ <refsect1> <title>EXAMPLE</title> <para> - The following command signs the <userinput>example.com</userinput> - zone with the DSA key generated in the <command>dnssec-keygen</command> - man page. The zone's keys must be in the zone. If there are - <filename>keyset</filename> files associated with child zones, - they must be in the current directory. - <userinput>example.com</userinput>, the following command would be - issued: + The following command signs the <userinput>example.com</userinput> + zone with the DSA key generated in the <command>dnssec-keygen</command> + man page. The zone's keys must be in the zone. If there are + <filename>keyset</filename> files associated with child + zones, + they must be in the current directory. + <userinput>example.com</userinput>, the following command would be + issued: </para> - <para> - <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput> + <para><userinput>dnssec-signzone -o example.com db.example.com + Kexample.com.+003+26160</userinput> </para> <para> - The command would print a string of the form: + The command would print a string of the form: </para> <para> - In this example, <command>dnssec-signzone</command> creates - the file <filename>db.example.com.signed</filename>. This file - should be referenced in a zone statement in a - <filename>named.conf</filename> file. + In this example, <command>dnssec-signzone</command> creates + the file <filename>db.example.com.signed</filename>. This + file + should be referenced in a zone statement in a + <filename>named.conf</filename> file. </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>RFC 2535</citetitle>. 
@@ -364,14 +460,11 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html index bd92631..da1e058 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.html +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,206 +14,266 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.16 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: dnssec-signzone.html,v 1.8.18.22 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-signzone</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.dnssec-signzone"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p> </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em 
class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div> +<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549544"></a><h2>DESCRIPTION</h2> -<p> - <span><strong 
class="command">dnssec-signzone</strong></span> signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <code class="filename">keyset</code> file for each child zone. +<a name="id2543526"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dnssec-signzone</strong></span> + signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + <code class="filename">keyset</code> file for each child zone. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549560"></a><h2>OPTIONS</h2> +<a name="id2543541"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> - Verify all generated signatures. - </p></dd> + Verify all generated signatures. + </p></dd> <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> <dd><p> - Specifies the DNS class of the zone. - </p></dd> + Specifies the DNS class of the zone. + </p></dd> <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt> <dd><p> - Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. - </p></dd> + Treat specified key as a key signing key ignoring any + key flags. This option may be specified multiple times. + </p></dd> <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> <dd><p> - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - </p></dd> + Generate a DLV set in addition to the key (DNSKEY) and DS sets. + The domain is appended to the name of the records. 
+ </p></dd> <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> - Look for <code class="filename">keyset</code> files in - <code class="option">directory</code> as the directory - </p></dd> + Look for <code class="filename">keyset</code> files in + <code class="option">directory</code> as the directory + </p></dd> <dt><span class="term">-g</span></dt> <dd><p> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. - </p></dd> + Generate DS records for child zones from keyset files. + Existing DS records will be removed. + </p></dd> <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt> <dd><p> - Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <code class="option">start-time</code> is specified, the current - time minus 1 hour (to allow for clock skew) is used. - </p></dd> + Specify the date and time when the generated RRSIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <code class="option">start-time</code> is specified, the current + time minus 1 hour (to allow for clock skew) is used. + </p></dd> <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt> <dd><p> - Specify the date and time when the generated RRSIG records - expire. As with <code class="option">start-time</code>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. 
A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <code class="option">end-time</code> is - specified, 30 days from the start time is used as a default. - </p></dd> + Specify the date and time when the generated RRSIG records + expire. As with <code class="option">start-time</code>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time relative to the current time is + indicated with now+N. If no <code class="option">end-time</code> is + specified, 30 days from the start time is used as a default. + </p></dd> <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt> <dd><p> - The name of the output file containing the signed zone. The - default is to append <code class="filename">.signed</code> to the - input file. - </p></dd> + The name of the output file containing the signed zone. The + default is to append <code class="filename">.signed</code> to + the + input file. + </p></dd> <dt><span class="term">-h</span></dt> <dd><p> - Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-signzone</strong></span>. - </p></dd> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-signzone</strong></span>. + </p></dd> <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt> <dd> <p> - When a previously signed zone is passed as input, records - may be resigned. The <code class="option">interval</code> option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. 
- </p> + When a previously signed zone is passed as input, records + may be resigned. The <code class="option">interval</code> option + specifies the cycle interval as an offset from the current + time (in seconds). If a RRSIG record expires after the + cycle interval, it is retained. Otherwise, it is considered + to be expiring soon, and it will be replaced. + </p> +<p> + The default cycle interval is one quarter of the difference + between the signature end and start times. So if neither + <code class="option">end-time</code> or <code class="option">start-time</code> + are specified, <span><strong class="command">dnssec-signzone</strong></span> + generates + signatures that are valid for 30 days, with a cycle + interval of 7.5 days. Therefore, if any existing RRSIG records + are due to expire in less than 7.5 days, they would be + replaced. + </p> +</dd> +<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt> +<dd><p> + The format of the input zone file. + Possible formats are <span><strong class="command">"text"</strong></span> (default) + and <span><strong class="command">"raw"</strong></span>. + This option is primarily intended to be used for dynamic + signed zones so that the dumped zone file in a non-text + format containing updates can be signed directly. + The use of this option does not make much sense for + non-dynamic zones. + </p></dd> +<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt> +<dd> +<p> + When signing a zone with a fixed signature lifetime, all + RRSIG records issued at the time of signing expires + simultaneously. If the zone is incrementally signed, i.e. + a previously signed zone is passed as input to the signer, + all expired signatures has to be regenerated at about the + same time. 
The <code class="option">jitter</code> option specifies a + jitter window that will be used to randomize the signature + expire time, thus spreading incremental signature + regeneration over time. + </p> <p> - The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - <code class="option">end-time</code> or <code class="option">start-time</code> - are specified, <span><strong class="command">dnssec-signzone</strong></span> generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. - </p> + Signature lifetime jitter also to some extent benefits + validators and servers by spreading out cache expiration, + i.e. if large numbers of RRSIGs don't expire at the same time + from all caches there will be less congestion than if all + validators need to refetch at mostly the same time. + </p> </dd> <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt> <dd><p> - Specifies the number of threads to use. By default, one - thread is started for each detected CPU. - </p></dd> + Specifies the number of threads to use. By default, one + thread is started for each detected CPU. + </p></dd> +<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt> +<dd> +<p> + The SOA serial number format of the signed zone. + Possible formats are <span><strong class="command">"keep"</strong></span> (default), + <span><strong class="command">"increment"</strong></span> and + <span><strong class="command">"unixtime"</strong></span>. 
+ </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt> +<dd><p>Do not modify the SOA serial number.</p></dd> +<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt> +<dd><p>Increment the SOA serial number using RFC 1982 + arithmetics.</p></dd> +<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt> +<dd><p>Set the SOA serial number to the number of seconds + since epoch.</p></dd> +</dl></div> +</dd> <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt> <dd><p> - The zone origin. If not specified, the name of the zone file - is assumed to be the origin. - </p></dd> + The zone origin. If not specified, the name of the zone file + is assumed to be the origin. + </p></dd> +<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt> +<dd><p> + The format of the output file containing the signed zone. + Possible formats are <span><strong class="command">"text"</strong></span> (default) + and <span><strong class="command">"raw"</strong></span>. + </p></dd> <dt><span class="term">-p</span></dt> <dd><p> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </p></dd> + Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </p></dd> <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> <dd><p> - Specifies the source of randomness. If the operating - system does not provide a <code class="filename">/dev/random</code> - or equivalent device, the default source of randomness - is keyboard input. 
<code class="filename">randomdev</code> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <code class="filename">keyboard</code> indicates that keyboard - input should be used. - </p></dd> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> + or equivalent device, the default source of randomness + is keyboard input. <code class="filename">randomdev</code> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <code class="filename">keyboard</code> indicates that keyboard + input should be used. + </p></dd> <dt><span class="term">-t</span></dt> <dd><p> - Print statistics at completion. - </p></dd> + Print statistics at completion. + </p></dd> <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> <dd><p> - Sets the debugging level. - </p></dd> + Sets the debugging level. + </p></dd> <dt><span class="term">-z</span></dt> <dd><p> - Ignore KSK flag on key when determining what to sign. - </p></dd> + Ignore KSK flag on key when determining what to sign. + </p></dd> <dt><span class="term">zonefile</span></dt> <dd><p> - The file containing the zone to be signed. - </p></dd> + The file containing the zone to be signed. + </p></dd> <dt><span class="term">key</span></dt> <dd><p> - The keys used to sign the zone. If no keys are specified, the - default all zone keys that have private key files in the - current directory. - </p></dd> + The keys used to sign the zone. If no keys are specified, the + default all zone keys that have private key files in the + current directory. 
+ </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2550068"></a><h2>EXAMPLE</h2> +<a name="id2544327"></a><h2>EXAMPLE</h2> <p> - The following command signs the <strong class="userinput"><code>example.com</code></strong> - zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span> - man page. The zone's keys must be in the zone. If there are - <code class="filename">keyset</code> files associated with child zones, - they must be in the current directory. - <strong class="userinput"><code>example.com</code></strong>, the following command would be - issued: + The following command signs the <strong class="userinput"><code>example.com</code></strong> + zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span> + man page. The zone's keys must be in the zone. If there are + <code class="filename">keyset</code> files associated with child + zones, + they must be in the current directory. + <strong class="userinput"><code>example.com</code></strong>, the following command would be + issued: </p> -<p> - <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong> +<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com + Kexample.com.+003+26160</code></strong> </p> <p> - The command would print a string of the form: + The command would print a string of the form: </p> <p> - In this example, <span><strong class="command">dnssec-signzone</strong></span> creates - the file <code class="filename">db.example.com.signed</code>. This file - should be referenced in a zone statement in a - <code class="filename">named.conf</code> file. + In this example, <span><strong class="command">dnssec-signzone</strong></span> creates + the file <code class="filename">db.example.com.signed</code>. This + file + should be referenced in a zone statement in a + <code class="filename">named.conf</code> file. 
</p> </div> <div class="refsect1" lang="en"> -<a name="id2550118"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, +<a name="id2544375"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2535</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550145"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2544400"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c index 83ba76d..4f95540 100644 --- a/contrib/bind9/bin/dnssec/dnssectool.c +++ b/contrib/bind9/bin/dnssec/dnssectool.c @@ -15,7 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.c,v 1.31.2.3.2.6 2005/07/02 02:42:43 marka Exp $ */ +/* $Id: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */ + +/*! \file */ + +/*% + * DNSSEC Support Routines. + */ #include <config.h> diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h index 0d17950..c5f3648 100644 --- a/contrib/bind9/bin/dnssec/dnssectool.h +++ b/contrib/bind9/bin/dnssec/dnssectool.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.h,v 1.15.12.3 2004/03/08 04:04:18 marka Exp $ */ +/* $Id: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */ #ifndef DNSSECTOOL_H #define DNSSECTOOL_H 1 diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in index 50fb93b..a809e59c 100644 --- a/contrib/bind9/bin/named/Makefile.in +++ b/contrib/bind9/bin/named/Makefile.in 
@@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.74.12.11 2004/09/06 21:47:25 marka Exp $ +# $Id: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -31,12 +31,20 @@ DBDRIVER_SRCS = DBDRIVER_INCLUDES = DBDRIVER_LIBS = +DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers + +DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ +DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ +DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ +DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \ ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${DBDRIVER_INCLUDES} + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} + +CDEFINES = @USE_DLZ@ -CDEFINES = CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ @@ -57,13 +65,14 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ + ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ SUBDIRS = unix TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \ +OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ controlconf.@O@ interfacemgr.@O@ \ listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \ query.@O@ server.@O@ sortlist.@O@ \ 
@@ -71,11 +80,11 @@ OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \ zoneconf.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ - $(DBDRIVER_OBJS) + ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} UOBJS = unix/os.@O@ -SRCS = aclconf.c builtin.c client.c config.c control.c \ +SRCS = builtin.c client.c config.c control.c \ controlconf.c interfacemgr.c \ listenlist.c log.c logconf.c main.c notify.c \ query.c server.c sortlist.c \ @@ -83,7 +92,7 @@ SRCS = aclconf.c builtin.c client.c config.c control.c \ zoneconf.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ - $(DBDRIVER_SRCS) + ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} MANPAGES = named.8 lwresd.8 named.conf.5 @@ -133,3 +142,4 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 +@DLZ_DRIVER_RULES@ diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c index af4d7a3..06cbd4a 100644 --- a/contrib/bind9/bin/named/builtin.c +++ b/contrib/bind9/bin/named/builtin.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,10 +15,11 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: builtin.c,v 1.4.106.4 2004/03/08 04:04:18 marka Exp $ */ +/* $Id: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */ -/* - * The built-in "version", "hostname", "id" and "authors" databases. +/*! \file + * \brief + * The built-in "version", "hostname", "id", "authors" and "empty" databases. */ #include <config.h> 
@@ -26,12 +27,13 @@ #include <string.h> #include <stdio.h> +#include <isc/mem.h> #include <isc/print.h> #include <isc/result.h> #include <isc/util.h> -#include <dns/sdb.h> #include <dns/result.h> +#include <dns/sdb.h> #include <named/builtin.h> #include <named/globals.h> @@ -44,6 +46,7 @@ static isc_result_t do_version_lookup(dns_sdblookup_t *lookup); static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup); static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup); static isc_result_t do_id_lookup(dns_sdblookup_t *lookup); +static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup); /* * We can't use function pointers as the db_data directly @@ -53,12 +56,15 @@ static isc_result_t do_id_lookup(dns_sdblookup_t *lookup); struct builtin { isc_result_t (*do_lookup)(dns_sdblookup_t *lookup); + char *server; + char *contact; }; -static builtin_t version_builtin = { do_version_lookup }; -static builtin_t hostname_builtin = { do_hostname_lookup }; -static builtin_t authors_builtin = { do_authors_lookup }; -static builtin_t id_builtin = { do_id_lookup }; +static builtin_t version_builtin = { do_version_lookup, NULL, NULL }; +static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL }; +static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL }; +static builtin_t id_builtin = { do_id_lookup, NULL, NULL }; +static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL }; static dns_sdbimplementation_t *builtin_impl; 
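Review bot: The two new members `char *server;` and `char *contact;` added to `struct builtin` in hunk `@@ -53,12 +56,15 @@` carry no comment, although the code in the next chunk treats NULL as "use the driver's default" and the static instances all initialise them to NULL. A short comment on each field would make that contract explicit, e.g. `char *server; /* SOA MNAME/NS owner; NULL selects the default */` and `char *contact; /* SOA RNAME; NULL selects the default */`. It is also worth stating who owns the strings, since the static instances point at nothing and the per-zone copies hold allocated memory.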
@@ -167,16 +173,37 @@ do_id_lookup(dns_sdblookup_t *lookup) {
 }
 static isc_result_t
+do_empty_lookup(dns_sdblookup_t *lookup) {
+
+ UNUSED(lookup);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
 builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
 isc_result_t result;
+ const char *contact = "hostmaster";
+ const char *server = "@";
+ builtin_t *b = (builtin_t *) dbdata;
 UNUSED(zone);
 UNUSED(dbdata);
- result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0);
+ if (b == &empty_builtin) {
+ server = ".";
+ contact = ".";
+ } else {
+ if (b->server != NULL)
+ server = b->server;
+ if (b->contact != NULL)
+ contact = b->contact;
+ }
+
+ result = dns_sdb_putsoa(lookup, server, contact, 0);
 if (result != ISC_R_SUCCESS)
 return (ISC_R_FAILURE);
- result = dns_sdb_putrr(lookup, "ns", 0, "@");
+
+ result = dns_sdb_putrr(lookup, "ns", 0, server);
 if (result != ISC_R_SUCCESS)
 return (ISC_R_FAILURE);
@@ -187,10 +214,17 @@ static isc_result_t
 builtin_create(const char *zone, int argc, char **argv, void *driverdata, void **dbdata) {
+ REQUIRE(argc >= 1);
+
 UNUSED(zone);
 UNUSED(driverdata);
- if (argc != 1)
+
+ if (strcmp(argv[0], "empty") == 0) {
+ if (argc != 3)
+ return (DNS_R_SYNTAX);
+ } else if (argc != 1)
 return (DNS_R_SYNTAX);
+
 if (strcmp(argv[0], "version") == 0)
 *dbdata = &version_builtin;
 else if (strcmp(argv[0], "hostname") == 0)
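Review bot: `UNUSED(dbdata);` in builtin_authority is now stale, because the new line `builtin_t *b = (builtin_t *) dbdata;` reads the parameter a few lines earlier; drop the macro so the annotation no longer contradicts the code. The `if (b == &empty_builtin)` test only matches the static fallback instance, while the per-zone copies created in builtin_create carry their own server/contact and take the `else` branch; that is presumably intended, but a one-line comment such as `/* static fallback instance: no configured server/contact */` on the `if` would save the next reader from wondering why configured empty zones bypass this branch. The end of builtin_authority and the rest of builtin_create lie outside this hunk.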
@@ -199,17 +233,62 @@ builtin_create(const char *zone, int argc, char **argv, *dbdata = &authors_builtin; else if (strcmp(argv[0], "id") == 0) *dbdata = &id_builtin; - else + else if (strcmp(argv[0], "empty") == 0) { + builtin_t *empty; + char *server; + char *contact; + /* + * We don't want built-in zones to fail. Fallback to + * the static configuration if memory allocation fails. + */ + empty = isc_mem_get(ns_g_mctx, sizeof(*empty)); + server = isc_mem_strdup(ns_g_mctx, argv[1]); + contact = isc_mem_strdup(ns_g_mctx, argv[2]); + if (empty == NULL || server == NULL || contact == NULL) { + *dbdata = &empty_builtin; + if (server != NULL) + isc_mem_free(ns_g_mctx, server); + if (contact != NULL) + isc_mem_free(ns_g_mctx, contact); + if (empty != NULL) + isc_mem_put(ns_g_mctx, empty, sizeof (*empty)); + } else { + memcpy(empty, &empty_builtin, sizeof (empty_builtin)); + empty->server = server; + empty->contact = contact; + *dbdata = empty; + } + } else return (ISC_R_NOTIMPLEMENTED); return (ISC_R_SUCCESS); } +static void +builtin_destroy(const char *zone, void *driverdata, void **dbdata) { + builtin_t *b = (builtin_t *) *dbdata; + + UNUSED(zone); + UNUSED(driverdata); + + /* + * Don't free the static versions. + */ + if (*dbdata == &version_builtin || *dbdata == &hostname_builtin || + *dbdata == &authors_builtin || *dbdata == &id_builtin || + *dbdata == &empty_builtin) + return; + + isc_mem_free(ns_g_mctx, b->server); + isc_mem_free(ns_g_mctx, b->contact); + isc_mem_put(ns_g_mctx, b, sizeof (*b)); +} + static dns_sdbmethods_t builtin_methods = { builtin_lookup, builtin_authority, NULL, /* allnodes */ builtin_create, - NULL /* destroy */ + builtin_destroy }; isc_result_t diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c index b0ce793..d69e44b 100644 --- a/contrib/bind9/bin/named/client.c +++ b/contrib/bind9/bin/named/client.c 
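Review bot: When any of the three allocations in the `empty` branch of builtin_create fails, the code silently falls back to `&empty_builtin`, so the zone is served with `.` as SOA MNAME/RNAME instead of the `argv[1]`/`argv[2]` values the operator configured, and nothing is logged. The comment explains why the zone must not fail to load, but an operator has no way to learn that the configured values were dropped; suggest emitting a warning through `isc_log_write(ns_g_lctx, ...)` (category/module as used elsewhere in named) naming `zone` before assigning `*dbdata = &empty_builtin;`. In builtin_destroy, `*dbdata` is left pointing at freed memory after `isc_mem_put`; if the sdb layer does not clear it, `*dbdata = NULL;` after the put would be a cheap guard. The mix of `sizeof (*empty)` and `sizeof(*empty)` spacing within the same hunk is a minor style inconsistency.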
@@ -15,13 +15,14 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.176.2.13.4.31 2006/07/22 01:09:38 marka Exp $ */ +/* $Id: client.c,v 1.219.18.20 2006/07/22 01:02:36 marka Exp $ */ #include <config.h> #include <isc/formatcheck.h> #include <isc/mutex.h> #include <isc/once.h> +#include <isc/platform.h> #include <isc/print.h> #include <isc/stdio.h> #include <isc/string.h> @@ -33,12 +34,13 @@ #include <dns/dispatch.h> #include <dns/events.h> #include <dns/message.h> +#include <dns/peer.h> #include <dns/rcode.h> -#include <dns/resolver.h> #include <dns/rdata.h> #include <dns/rdataclass.h> #include <dns/rdatalist.h> #include <dns/rdataset.h> +#include <dns/resolver.h> #include <dns/tsig.h> #include <dns/view.h> #include <dns/zone.h> @@ -53,7 +55,9 @@ *** Client ***/ -/* +/*! \file + * Client Routines + * * Important note! * * All client state changes, other than that from idle to listening, occur @@ -87,6 +91,25 @@ #define SEND_BUFFER_SIZE 4096 #define RECV_BUFFER_SIZE 4096 +#ifdef ISC_PLATFORM_USETHREADS +#define NMCTXS 100 +/*%< + * Number of 'mctx pools' for clients. (Should this be configurable?) + * When enabling threads, we use a pool of memory contexts shared by + * client objects, since concurrent access to a shared context would cause + * heavy contentions. The above constant is expected to be enough for + * completely avoiding contentions among threads for an authoritative-only + * server. + */ +#else +#define NMCTXS 0 +/*%< + * If named with built without thread, simply share manager's context. Using + * a separate context in this case would simply waste memory. + */ +#endif + +/*% nameserver client manager structure */ struct ns_clientmgr { /* Unlocked. */ unsigned int magic; 
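Review bot: The comment under the `#else` branch in hunk `@@ -87,6 +91,25 @@` reads "If named with built without thread", which is garbled; suggest `If named is built without threads, simply share the manager's context.` The `NMCTXS 100` comment itself asks whether the pool size should be configurable; if the answer is "not now", recording that the value was chosen for an authoritative-only workload and may need tuning for recursive servers would make the trade-off visible to whoever revisits it.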
@@ -96,15 +119,20 @@ struct ns_clientmgr { isc_mutex_t lock; /* Locked by lock. */ isc_boolean_t exiting; - client_list_t active; /* Active clients */ - client_list_t recursing; /* Recursing clients */ - client_list_t inactive; /* To be recycled */ + client_list_t active; /*%< Active clients */ + client_list_t recursing; /*%< Recursing clients */ + client_list_t inactive; /*%< To be recycled */ +#if NMCTXS > 0 + /*%< mctx pool for clients. */ + unsigned int nextmctx; + isc_mem_t * mctxpool[NMCTXS]; +#endif }; #define MANAGER_MAGIC ISC_MAGIC('N', 'S', 'C', 'm') #define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC) -/* +/*! * Client object states. Ordering is significant: higher-numbered * states are generally "more active", meaning that the client can * have more dynamically allocated data, outstanding events, etc. @@ -117,12 +145,12 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_FREED 0 -/* +/*%< * The client object no longer exists. */ #define NS_CLIENTSTATE_INACTIVE 1 -/* +/*%< * The client object exists and has a task and timer. * Its "query" struct and sendbuf are initialized. * It is on the client manager's list of inactive clients. @@ -130,7 +158,7 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_READY 2 -/* +/*%< * The client object is either a TCP or a UDP one, and * it is associated with a network interface. It is on the * client manager's list of active clients. @@ -143,7 +171,7 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_READING 3 -/* +/*%< * The client object is a TCP client object that has received * a connection. It has a tcpsocket, tcpmsg, TCP quota, and an * outstanding TCP read request. This state is not used for 
@@ -151,14 +179,14 @@ struct ns_clientmgr { */ #define NS_CLIENTSTATE_WORKING 4 -/* +/*%< * The client object has received a request and is working * on it. It has a view, and it may have any of a non-reset OPT, * recursion quota, and an outstanding write request. */ #define NS_CLIENTSTATE_MAX 9 -/* +/*%< * Sentinel value used to indicate "no state". When client->newstate * has this value, we are not attempting to exit the current state. * Must be greater than any valid state. @@ -171,6 +199,8 @@ struct ns_clientmgr { #define NS_CLIENT_DROPPORT 1 #endif +unsigned int ns_client_requests; + static void client_read(ns_client_t *client); static void client_accept(ns_client_t *client); static void client_udprecv(ns_client_t *client); @@ -227,7 +257,7 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) { } } -/* +/*% * Check for a deactivation or shutdown request and take appropriate * action. Returns ISC_TRUE if either is in progress; in this case * the caller must no longer use the client object as it may have been @@ -489,7 +519,7 @@ exit_check(ns_client_t *client) { CTRACE("free"); client->magic = 0; - isc_mem_put(client->mctx, client, sizeof(*client)); + isc_mem_putanddetach(&client->mctx, client, sizeof(*client)); goto unlock; } @@ -510,7 +540,7 @@ exit_check(ns_client_t *client) { return (ISC_TRUE); } -/* +/*% * The client's task has received the client's control event * as part of the startup process. */ @@ -536,7 +566,7 @@ client_start(isc_task_t *task, isc_event_t *event) { } -/* +/*% * The client's task has received a shutdown event. */ static void @@ -591,6 +621,7 @@ ns_client_endrequest(ns_client_t *client) { client->udpsize = 512; client->extflags = 0; + client->ednsversion = -1; dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE); if (client->recursionquota != NULL) 
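Review bot: `unsigned int ns_client_requests;` introduced in hunk `@@ -171,6 +199,8 @@` is a plain global that client_request increments with `ns_client_requests++` in the next chunk's hunk `@@ -1215,6 +1304,8 @@`, with neither the manager lock nor an atomic operation. When named is built with ISC_PLATFORM_USETHREADS, client tasks on different worker threads can execute that increment concurrently, so updates can be lost and the value is only approximate. If an approximate count is acceptable for its consumer, state that at the declaration, e.g. `unsigned int ns_client_requests; /* unlocked; approximate when threaded */`; otherwise perform the increment under a lock or with an atomic add.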
@@ -705,7 +736,7 @@ client_senddone(isc_task_t *task, isc_event_t *event) {
 ns_client_next(client, ISC_R_SUCCESS);
 }
-/*
+/*%
 * We only want to fail with ISC_R_NOSPACE when called from
 * ns_client_sendraw() and not when called from ns_client_send(),
 * tcpbuffer is NULL when called from ns_client_sendraw() and
@@ -1182,6 +1213,64 @@ allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
 }
 /*
+ * Callback to see if a non-recursive query coming from 'srcaddr' to
+ * 'destaddr', with optional key 'mykey' for class 'rdclass' would be
+ * delivered to 'myview'.
+ *
+ * We run this unlocked as both the view list and the interface list
+ * are updated when the approprite task has exclusivity.
+ */
+isc_boolean_t
+ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *dstaddr,
+ dns_rdataclass_t rdclass, void *arg)
+{
+ dns_view_t *view;
+ dns_tsigkey_t *key;
+ isc_netaddr_t netsrc;
+ isc_netaddr_t netdst;
+
+ UNUSED(arg);
+
+ if (!ns_interfacemgr_listeningon(ns_g_server->interfacemgr, dstaddr))
+ return (ISC_FALSE);
+
+ isc_netaddr_fromsockaddr(&netsrc, srcaddr);
+ isc_netaddr_fromsockaddr(&netdst, dstaddr);
+
+ for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ dns_name_t *tsig = NULL;
+
+ if (view->matchrecursiveonly)
+ continue;
+
+ if (rdclass != view->rdclass)
+ continue;
+
+ if (mykey != NULL) {
+ isc_boolean_t match;
+ isc_result_t result;
+
+ tsig = &mykey->name;
+ result = dns_view_gettsig(view, tsig, &key);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ match = dst_key_compare(mykey->key, key->key);
+ dns_tsigkey_detach(&key);
+ if (!match)
+ continue;
+ }
+
+ if (allowed(&netsrc, tsig, view->matchclients) &&
+ allowed(&netdst, tsig, view->matchdestinations))
+ break;
+ }
+ return (ISC_TF(view == myview));
+}
+
+/*
 * Handle an incoming request event from the socket (UDP case)
 * or tcpmsg (TCP case).
 */
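Review bot: `dns_tsigkey_t *key;` in ns_client_isself is never initialised before `dns_view_gettsig(view, tsig, &key)` is called on the first iteration; the attach/detach style used by the ISC libraries commonly requires the output pointer to be NULL on entry, and even where it does not, passing an indeterminate pointer is undefined behaviour, so declare it as `dns_tsigkey_t *key = NULL;`. The detach after each successful lookup resets it for later iterations, so only the first call is affected. The header comment names the parameter `'destaddr'` while the signature uses `dstaddr`, and "approprite" should read "appropriate"; both are worth fixing while the comment is new.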
@@ -1215,6 +1304,8 @@ client_request(isc_task_t *task, isc_event_t *event) { NS_CLIENTSTATE_READING : NS_CLIENTSTATE_READY); + ns_client_requests++; + if (event->ev_type == ISC_SOCKEVENT_RECVDONE) { INSIST(!TCP_CLIENT(client)); sevent = (isc_socketevent_t *)event; @@ -1384,8 +1475,6 @@ client_request(isc_task_t *task, isc_event_t *event) { */ opt = dns_message_getopt(client->message); if (opt != NULL) { - unsigned int version; - /* * Set the client's UDP buffer size. */ @@ -1404,22 +1493,24 @@ client_request(isc_task_t *task, isc_event_t *event) { client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF); /* - * Create an OPT for our reply. + * Do we understand this version of EDNS? + * + * XXXRTH need library support for this! */ - result = client_addopt(client); - if (result != ISC_R_SUCCESS) { + client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; + if (client->ednsversion > 0) { + result = client_addopt(client); + if (result == ISC_R_SUCCESS) + result = DNS_R_BADVERS; ns_client_error(client, result); goto cleanup; } - /* - * Do we understand this version of ENDS? - * - * XXXRTH need library support for this! + * Create an OPT for our reply. */ - version = (opt->ttl & 0x00FF0000) >> 16; - if (version != 0) { - ns_client_error(client, DNS_R_BADVERS); + result = client_addopt(client); + if (result != ISC_R_SUCCESS) { + ns_client_error(client, result); goto cleanup; } } @@ -1629,6 +1720,19 @@ client_request(isc_task_t *task, isc_event_t *event) { "recursion not available"); /* + * Adjust maximum UDP response size for this client. + */ + if (client->udpsize > 512) { + dns_peer_t *peer = NULL; + isc_uint16_t udpsize = view->maxudp; + (void) dns_peerlist_peerbyaddr(view->peers, &netaddr, &peer); + if (peer != NULL) + dns_peer_getmaxudp(peer, &udpsize); + if (client->udpsize > udpsize) + client->udpsize = udpsize; + } + + /* * Dispatch the request. */ switch (client->message->opcode) { 
@@ -1689,9 +1793,42 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
 }
 static isc_result_t
+get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
+ isc_mem_t *clientmctx;
+#if NMCTXS > 0
+ isc_result_t result;
+#endif
+
+ /*
+ * Caller must be holding the manager lock.
+ */
+#if NMCTXS > 0
+ INSIST(manager->nextmctx < NMCTXS);
+ clientmctx = manager->mctxpool[manager->nextmctx];
+ if (clientmctx == NULL) {
+ result = isc_mem_create(0, 0, &clientmctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ manager->mctxpool[manager->nextmctx] = clientmctx;
+ manager->nextmctx++;
+ if (manager->nextmctx == NMCTXS)
+ manager->nextmctx = 0;
+ }
+#else
+ clientmctx = manager->mctx;
+#endif
+
+ isc_mem_attach(clientmctx, mctxp);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
 client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 ns_client_t *client;
 isc_result_t result;
+ isc_mem_t *mctx = NULL;
 /*
 * Caller must be holding the manager lock.
@@ -1703,9 +1840,16 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 REQUIRE(clientp != NULL && *clientp == NULL);
- client = isc_mem_get(manager->mctx, sizeof(*client));
- if (client == NULL)
+ result = get_clientmctx(manager, &mctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ client = isc_mem_get(mctx, sizeof(*client));
+ if (client == NULL) {
+ isc_mem_detach(&mctx);
 return (ISC_R_NOMEMORY);
+ }
+ client->mctx = mctx;
 client->task = NULL;
 result = isc_task_create(manager->taskmgr, 0, &client->task);
@@ -1722,7 +1866,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 client->timerset = ISC_FALSE;
 client->message = NULL;
- result = dns_message_create(manager->mctx, DNS_MESSAGE_INTENTPARSE,
+ result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
 &client->message);
 if (result != ISC_R_SUCCESS)
 goto cleanup_timer;
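Review bot: The round-robin in get_clientmctx stops rotating once the pool is full: `nextmctx` is only advanced inside `if (clientmctx == NULL)`, so after the NMCTXS-th context has been created and `nextmctx` wraps to 0, `mctxpool[0]` is non-NULL on every later call, the increment is skipped, and all subsequent clients share `mctxpool[0]`, which defeats the contention-avoidance the pool exists for. Move `manager->nextmctx++; if (manager->nextmctx == NMCTXS) manager->nextmctx = 0;` out of the `if` block so it runs after every lookup, whether or not a context was created on this call. The error path in client_create that detaches `mctx` on allocation failure looks right; the remainder of client_create is outside this hunk.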
@@ -1730,7 +1874,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { /* XXXRTH Hardwired constants */ client->sendevent = (isc_socketevent_t *) - isc_event_allocate(manager->mctx, client, + isc_event_allocate(client->mctx, client, ISC_SOCKEVENT_SENDDONE, client_senddone, client, sizeof(isc_socketevent_t)); @@ -1739,14 +1883,14 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { goto cleanup_message; } - client->recvbuf = isc_mem_get(manager->mctx, RECV_BUFFER_SIZE); + client->recvbuf = isc_mem_get(client->mctx, RECV_BUFFER_SIZE); if (client->recvbuf == NULL) { result = ISC_R_NOMEMORY; goto cleanup_sendevent; } client->recvevent = (isc_socketevent_t *) - isc_event_allocate(manager->mctx, client, + isc_event_allocate(client->mctx, client, ISC_SOCKEVENT_RECVDONE, client_request, client, sizeof(isc_socketevent_t)); @@ -1756,7 +1900,6 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { } client->magic = NS_CLIENT_MAGIC; - client->mctx = manager->mctx; client->manager = NULL; client->state = NS_CLIENTSTATE_INACTIVE; client->newstate = NS_CLIENTSTATE_MAX; @@ -1778,6 +1921,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { client->opt = NULL; client->udpsize = 512; client->extflags = 0; + client->ednsversion = -1; client->next = NULL; client->shutdown = NULL; client->shutdown_arg = NULL; @@ -1826,7 +1970,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { isc_event_free((isc_event_t **)&client->recvevent); cleanup_recvbuf: - isc_mem_put(manager->mctx, client->recvbuf, RECV_BUFFER_SIZE); + isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE); cleanup_sendevent: isc_event_free((isc_event_t **)&client->sendevent); @@ -1843,7 +1987,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { isc_task_detach(&client->task); cleanup_client: - isc_mem_put(manager->mctx, client, sizeof(*client)); + isc_mem_putanddetach(&client->mctx, client, sizeof(*client)); return (result); } 
@@ -2096,12 +2240,23 @@ ns_client_replace(ns_client_t *client) { static void clientmgr_destroy(ns_clientmgr_t *manager) { +#if NMCTXS > 0 + int i; +#endif + REQUIRE(ISC_LIST_EMPTY(manager->active)); REQUIRE(ISC_LIST_EMPTY(manager->inactive)); REQUIRE(ISC_LIST_EMPTY(manager->recursing)); MTRACE("clientmgr_destroy"); +#if NMCTXS > 0 + for (i = 0; i < NMCTXS; i++) { + if (manager->mctxpool[i] != NULL) + isc_mem_detach(&manager->mctxpool[i]); + } +#endif + DESTROYLOCK(&manager->lock); manager->magic = 0; isc_mem_put(manager->mctx, manager, sizeof(*manager)); @@ -2113,6 +2268,9 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, { ns_clientmgr_t *manager; isc_result_t result; +#if NMCTXS > 0 + int i; +#endif manager = isc_mem_get(mctx, sizeof(*manager)); if (manager == NULL) @@ -2129,6 +2287,11 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, ISC_LIST_INIT(manager->active); ISC_LIST_INIT(manager->inactive); ISC_LIST_INIT(manager->recursing); +#if NMCTXS > 0 + manager->nextmctx = 0; + for (i = 0; i < NMCTXS; i++) + manager->mctxpool[i] = NULL; /* will be created on-demand */ +#endif manager->magic = MANAGER_MAGIC; MTRACE("create"); diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c index 7b5b99e..6a6d5e3 100644 --- a/contrib/bind9/bin/named/config.c +++ b/contrib/bind9/bin/named/config.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.11.2.4.8.32 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: config.c,v 1.47.18.28 2006/05/03 01:46:40 marka Exp $ */ + +/*! \file */ #include <config.h> 
@@ -25,6 +27,7 @@ #include <isc/buffer.h> #include <isc/log.h> #include <isc/mem.h> +#include <isc/parseint.h> #include <isc/region.h> #include <isc/result.h> #include <isc/sockaddr.h> @@ -42,6 +45,7 @@ #include <named/config.h> #include <named/globals.h> +/*% default configuration */ static char defaultconf[] = "\ options {\n\ # blackhole {none;};\n" @@ -76,7 +80,7 @@ options {\n\ #endif "\ recursive-clients 1000;\n\ - rrset-order {order cyclic;};\n\ + rrset-order {type NS order random; order cyclic; };\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ server-id none;\n\ @@ -94,11 +98,13 @@ options {\n\ use-id-pool true;\n\ use-ixfr true;\n\ edns-udp-size 4096;\n\ + max-udp-size 4096;\n\ \n\ /* view */\n\ allow-notify {none;};\n\ allow-update-forwarding {none;};\n\ - allow-recursion {any;};\n\ + allow-query-cache { localnets; localhost; };\n\ + allow-recursion { localnets; localhost; };\n\ # allow-v6-synthesis <obsolete>;\n\ # sortlist <none>\n\ # topology <none>\n\ @@ -125,7 +131,16 @@ options {\n\ check-names master fail;\n\ check-names slave warn;\n\ check-names response ignore;\n\ - dnssec-enable no; /* Make yes for 9.4. */ \n\ + check-mx warn;\n\ + acache-enable no;\n\ + acache-cleaning-interval 60;\n\ + max-acache-size 0;\n\ + dnssec-enable yes;\n\ + dnssec-validation no; /* Make yes for 9.5. */ \n\ + dnssec-accept-expired no;\n\ + clients-per-query 10;\n\ + max-clients-per-query 100;\n\ + zero-no-soa-ttl-cache no;\n\ " " /* zone */\n\ @@ -133,6 +148,7 @@ options {\n\ allow-transfer {any;};\n\ notify yes;\n\ # also-notify <none>\n\ + notify-delay 5;\n\ dialup no;\n\ # forward <none>\n\ # forwarders <none>\n\ @@ -155,6 +171,13 @@ options {\n\ zone-statistics false;\n\ max-journal-size unlimited;\n\ ixfr-from-differences false;\n\ + check-wildcard yes;\n\ + check-sibling yes;\n\ + check-integrity yes;\n\ + check-mx-cname warn;\n\ + check-srv-cname warn;\n\ + zero-no-soa-ttl yes;\n\ + update-check-ksk yes;\n\ };\n\ " 
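Review bot: In hunk `@@ -94,11 +98,13 @@` the built-in `allow-recursion` default moves from `{any;}` to `{ localnets; localhost; }` and a new `allow-query-cache` default with the same scope appears next to it, but nothing in `defaultconf` records that this narrows behaviour for configurations that never set these options. Since the block already uses `#` lines for such notes, a line such as `# allow-recursion and allow-query-cache default to localnets/localhost; set explicitly to widen\n\` beside the two entries would make the built-in policy visible to anyone reading the defaults. The neighbouring `dnssec-validation no; /* Make yes for 9.5. */` already follows this pattern of annotating a deliberate default.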
@@ -258,7 +281,6 @@ ns_config_listcount(const cfg_obj_t *list) { isc_result_t ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, dns_rdataclass_t *classp) { - const char *str; isc_textregion_t r; isc_result_t result; @@ -266,20 +288,18 @@ ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, *classp = defclass; return (ISC_R_SUCCESS); } - str = cfg_obj_asstring(classobj); - DE_CONST(str, r.base); - r.length = strlen(str); + DE_CONST(cfg_obj_asstring(classobj), r.base); + r.length = strlen(r.base); result = dns_rdataclass_fromtext(classp, &r); if (result != ISC_R_SUCCESS) cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR, - "unknown class '%s'", str); + "unknown class '%s'", r.base); return (result); } isc_result_t ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype, dns_rdatatype_t *typep) { - const char *str; isc_textregion_t r; isc_result_t result; @@ -287,13 +307,12 @@ ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype, *typep = deftype; return (ISC_R_SUCCESS); } - str = cfg_obj_asstring(typeobj); - DE_CONST(str, r.base); - r.length = strlen(str); + DE_CONST(cfg_obj_asstring(typeobj), r.base); + r.length = strlen(r.base); result = dns_rdatatype_fromtext(typep, &r); if (result != ISC_R_SUCCESS) cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR, - "unknown type '%s'", str); + "unknown type '%s'", r.base); return (result); } @@ -383,7 +402,7 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, static isc_result_t get_masters_def(const cfg_obj_t *cctx, const char *name, - const cfg_obj_t **ret) + const cfg_obj_t **ret) { isc_result_t result; const cfg_obj_t *masters = NULL; @@ -425,7 +444,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, dns_fixedname_t fname; isc_sockaddr_t *addrs = NULL; dns_name_t **keys = NULL; - const char **lists = NULL; + struct { const char *name; } *lists = NULL; struct { const cfg_listelt_t *element; in_port_t port; 
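Review bot: The change of `lists` from `const char **` to `struct { const char *name; } *` in ns_config_getipandkeylist (hunk `@@ -425,7 +444,7 @@`) is not explained anywhere in the hunk; presumably the wrapper lets the array be handed to the memory-context allocator as a plain object without a const cast, but a reader cannot tell that from the declaration. A one-line comment above it stating the reason would avoid the question being asked again on the next review. The function's body, including the allocation and the `.name` accesses, continues outside this hunk.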
@@ -494,7 +513,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, } /* Seen? */ for (j = 0; j < l; j++) - if (strcasecmp(lists[j], listname) == 0) + if (strcasecmp(lists[j].name, listname) == 0) break; if (j < l) continue; @@ -508,7 +527,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, } if (tresult != ISC_R_SUCCESS) goto cleanup; - lists[l++] = listname; + lists[l++].name = listname; /* Grow stack? */ if (stackcount == pushed) { void * new; 
@@ -713,16 +732,65 @@ ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
 	return (ISC_R_SUCCESS);
 }
 
+struct keyalgorithms {
+	const char *str;
+	enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
+	       hmacsha256, hmacsha384, hmacsha512 } hmac;
+	isc_uint16_t size;
+} algorithms[] = {
+	{ "hmac-md5", hmacmd5, 128 },
+	{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
+	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
+	{ "hmac-sha1", hmacsha1, 160 },
+	{ "hmac-sha224", hmacsha224, 224 },
+	{ "hmac-sha256", hmacsha256, 256 },
+	{ "hmac-sha384", hmacsha384, 384 },
+	{ "hmac-sha512", hmacsha512, 512 },
+	{ NULL, hmacnone, 0 }
+};
+
 isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name)
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+			  isc_uint16_t *digestbits)
 {
-	if (strcasecmp(str, "hmac-md5") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0)
-	{
-		if (name != NULL)
-			*name = dns_tsig_hmacmd5_name;
-		return (ISC_R_SUCCESS);
+	int i;
+	size_t len = 0;
+	isc_uint16_t bits;
+	isc_result_t result;
+
+	for (i = 0; algorithms[i].str != NULL; i++) {
+		len = strlen(algorithms[i].str);
+		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
+		    (str[len] == '\0' ||
+		     (algorithms[i].size != 0 && str[len] == '-')))
+			break;
 	}
-	return (ISC_R_NOTFOUND);
+	if (algorithms[i].str == NULL)
+		return (ISC_R_NOTFOUND);
+	if (str[len] == '-') {
+		result = isc_parse_uint16(&bits, str + len + 1, 10);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (bits > algorithms[i].size)
+			return (ISC_R_RANGE);
+	} else if (algorithms[i].size == 0)
+		bits = 128;
+	else
+		bits = algorithms[i].size;
+
+	if (name != NULL) {
+		switch (algorithms[i].hmac) {
+		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
+		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
+		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
+		case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
+		case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
+		case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
+		default:
+			INSIST(0);
+		}
+	}
+	if (digestbits != NULL)
+		*digestbits = bits;
+	return (ISC_R_SUCCESS);
 }
diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c
index c9d17ab..e3d54bd 100644
--- a/contrib/bind9/bin/named/control.c
+++ b/contrib/bind9/bin/named/control.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.7.2.2.2.14 2005/04/29 01:04:47 marka Exp $ */
+/* $Id: control.c,v 1.20.10.8 2006/03/10 00:23:20 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -52,7 +54,7 @@ command_compare(const char *text, const char *command) {
 	return (ISC_FALSE);
 }
 
-/*
+/*%
  * This function is called to process the incoming command
  * when a control channel message is received.
  */
@@ -163,8 +165,15 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_freeze(ns_g_server, ISC_FALSE, command);
 	} else if (command_compare(command, NS_COMMAND_RECURSING)) {
 		result = ns_server_dumprecursing(ns_g_server);
+	} else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
+		result = ISC_R_SUCCESS;
+		isc_timermgr_poke(ns_g_timermgr);
 	} else if (command_compare(command, NS_COMMAND_NULL)) {
 		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
+		result = ns_server_notifycommand(ns_g_server, command, text);
+	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
+		result = ns_server_validation(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
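Review bot: The truncation check in `ns_config_getkeyalgorithm` only rejects `bits > algorithms[i].size`, so a `-NNN` suffix can set `*digestbits` to 0 or to a handful of bits and the caller will proceed with a MAC of that length; RFC 4635 requires a truncated HMAC to keep at least half the digest length and no fewer than 80 bits. A lower bound belongs next to the existing range check, e.g. `if (bits > algorithms[i].size || bits < 80 || bits < algorithms[i].size / 2) return (ISC_R_RANGE);`. Separately, `algorithms[]` is a writable, externally visible global that nothing in the hunk modifies; declaring it `static const struct keyalgorithms algorithms[] = {` keeps the table out of the global namespace and out of writable data.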
diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c
index b6bcc16..3e36446 100644
--- a/contrib/bind9/bin/named/controlconf.c
+++ b/contrib/bind9/bin/named/controlconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.28.2.9.2.10 2006/02/28 06:32:53 marka Exp $ */
+/* $Id: controlconf.c,v 1.40.18.10 2006/12/07 04:53:02 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -96,6 +98,10 @@ struct controllistener {
 	isc_boolean_t			exiting;
 	controlkeylist_t		keys;
 	controlconnectionlist_t		connections;
+	isc_sockettype_t		type;
+	isc_uint32_t			perm;
+	isc_uint32_t			owner;
+	isc_uint32_t			group;
 	ISC_LINK(controllistener_t)	link;
 };
 
@@ -191,6 +197,8 @@ shutdown_listener(controllistener_t *listener) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
 			      "stopping command channel on %s", socktext);
+		if (listener->type == isc_sockettype_unix)
+			isc_socket_cleanunix(&listener->address, ISC_TRUE);
 		listener->exiting = ISC_TRUE;
 	}
 
@@ -596,7 +604,8 @@ control_newconn(isc_task_t *task, isc_event_t *event) {
 	sock = nevent->newsocket;
 
 	(void)isc_socket_getpeername(sock, &peeraddr);
-	if (!address_ok(&peeraddr, listener->acl)) {
+	if (listener->type == isc_sockettype_tcp &&
+	    !address_ok(&peeraddr, listener->acl)) {
 		char socktext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
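Review bot: In `control_newconn` the `address_ok` ACL check is now skipped for every listener whose type is not TCP, so a unix-domain channel admits any local peer that can open the socket node; the only remaining gates are the perm/owner/group applied to the path elsewhere in this commit and the key exchange that follows. That appears intentional, but the condition reads as if the ACL were merely optional, so it deserves a comment at that line, e.g. `/* Unix-domain channels have no "allow" ACL; access is governed by the socket node's perm/owner/group and by the control key. */`. The remainder of control_newconn is outside the hunk.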
@@ -681,7 +690,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 	char *newstr = NULL;
 	const char *str;
 	const cfg_obj_t *obj;
-	controlkey_t *key = NULL;
+	controlkey_t *key;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -700,7 +709,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		key->secret.length = 0;
 		ISC_LINK_INIT(key, link);
 		ISC_LIST_APPEND(*keyids, key, link);
-		key = NULL;
 		newstr = NULL;
 	}
 	return (ISC_R_SUCCESS);
@@ -708,8 +716,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
  cleanup:
 	if (newstr != NULL)
 		isc_mem_free(mctx, newstr);
-	if (key != NULL)
-		isc_mem_put(mctx, key, sizeof(*key));
 	free_controlkeylist(keyids, mctx);
 	return (ISC_R_NOMEMORY);
 }
@@ -751,7 +757,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 		algstr = cfg_obj_asstring(algobj);
 		secretstr = cfg_obj_asstring(secretobj);
 
-		if (ns_config_getkeyalgorithm(algstr, NULL) !=
+		if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
 		    ISC_R_SUCCESS)
 		{
 			cfg_obj_log(control, ns_g_lctx,
@@ -841,7 +847,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 		algstr = cfg_obj_asstring(algobj);
 		secretstr = cfg_obj_asstring(secretobj);
 
-		if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) {
+		if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
 			cfg_obj_log(key, ns_g_lctx,
 				    ISC_LOG_WARNING,
 				    "unsupported algorithm '%s' in "
@@ -918,8 +924,8 @@ get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
 static void
 update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		const cfg_obj_t *control, const cfg_obj_t *config,
-		isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
-		const char *socktext)
+		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+		const char *socktext, isc_sockettype_t type)
 {
 	controllistener_t *listener;
 	const cfg_obj_t *allow;
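Review bot: Removing `key = NULL` after `ISC_LIST_APPEND` together with the `isc_mem_put(mctx, key, ...)` on the `cleanup:` path is only safe if no `goto cleanup` can be reached between the allocation of `key` and the append; that stretch of the loop body is outside the hunk, so I cannot confirm it from here. If such a path exists, a freshly allocated but not yet linked `key` is no longer released, because `free_controlkeylist` can only walk entries already on `*keyids`. If it does not, a one-line comment at `cleanup:` such as `/* key is always linked into *keyids before any failure can occur */` would spare the next reader the same check.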
@@ -1004,10 +1010,11 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	/*
 	 * Now, keep the old access list unless a new one can be made.
 	 */
-	if (control != NULL) {
+	if (control != NULL && type == isc_sockettype_tcp) {
 		allow = cfg_tuple_get(control, "allow");
-		result = ns_acl_fromconfig(allow, config, aclconfctx,
-					   listener->mctx, &new_acl);
+		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+					    aclconfctx, listener->mctx,
+					    &new_acl);
 	} else {
 		result = dns_acl_any(listener->mctx, &new_acl);
 	}
@@ -1029,14 +1036,34 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 			      "command channel %s: %s",
 			      socktext, isc_result_totext(result));
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		isc_uint32_t perm, owner, group;
+		perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+		owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
+		group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
+		result = ISC_R_SUCCESS;
+		if (listener->perm != perm || listener->owner != owner ||
+		    listener->group != group)
+			result = isc_socket_permunix(&listener->address, perm,
+						     owner, group);
+		if (result == ISC_R_SUCCESS) {
+			listener->perm = perm;
+			listener->owner = owner;
+			listener->group = group;
+		} else if (control != NULL)
+			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+				    "couldn't update ownership/permission for "
+				    "command channel %s", socktext);
+	}
+
 	*listenerp = listener;
 }
 
 static void
 add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	     const cfg_obj_t *control, const cfg_obj_t *config,
-	     isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
-	     const char *socktext)
+	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	     const char *socktext, isc_sockettype_t type)
 {
 	isc_mem_t *mctx = cp->server->mctx;
 	controllistener_t *listener;
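Review bot: The new unix-socket block in `update_listener` dereferences `control` through three `cfg_tuple_get(control, ...)` calls at its top, yet its error branch is guarded with `else if (control != NULL)`; either `control` can be NULL here and the guard must come before the `cfg_tuple_get` calls, or it cannot and the guard is dead and misleading. Both call sites in this commit pass a non-NULL `control` with `isc_sockettype_unix`, so the latter seems to be the case; an `INSIST(control != NULL);` at the top of the block (INSIST is already used in this commit) and a plain `} else` would make the contract explicit. Note also that when `isc_socket_permunix` fails the listener keeps serving with its previous mode, which the warning text does not say; `"couldn't update ownership/permission for command channel %s; keeping previous settings"` would tell the operator what state the channel is actually in.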
@@ -1059,6 +1086,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	listener->listening = ISC_FALSE;
 	listener->exiting = ISC_FALSE;
 	listener->acl = NULL;
+	listener->type = type;
+	listener->perm = 0;
+	listener->owner = 0;
+	listener->group = 0;
 	ISC_LINK_INIT(listener, link);
 	ISC_LIST_INIT(listener->keys);
 	ISC_LIST_INIT(listener->connections);
@@ -1066,10 +1097,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	/*
 	 * Make the acl.
 	 */
-	if (control != NULL) {
+	if (control != NULL && type == isc_sockettype_tcp) {
 		allow = cfg_tuple_get(control, "allow");
-		result = ns_acl_fromconfig(allow, config, aclconfctx,
-					   mctx, &new_acl);
+		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+					    aclconfctx, mctx, &new_acl);
 	} else {
 		result = dns_acl_any(mctx, &new_acl);
 	}
@@ -1104,20 +1135,35 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	if (result == ISC_R_SUCCESS) {
 		int pf = isc_sockaddr_pf(&listener->address);
 		if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		    (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
+#endif
 		    (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
 			result = ISC_R_FAMILYNOSUPPORT;
 	}
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix)
+		isc_socket_cleanunix(&listener->address, ISC_FALSE);
+
 	if (result == ISC_R_SUCCESS)
 		result = isc_socket_create(ns_g_socketmgr,
 					   isc_sockaddr_pf(&listener->address),
-					   isc_sockettype_tcp,
-					   &listener->sock);
+					   type, &listener->sock);
 
 	if (result == ISC_R_SUCCESS)
 		result = isc_socket_bind(listener->sock,
 					 &listener->address);
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		listener->perm = cfg_obj_asuint32(cfg_tuple_get(control,
+								"perm"));
+		listener->owner = cfg_obj_asuint32(cfg_tuple_get(control,
+								 "owner"));
+		listener->group = cfg_obj_asuint32(cfg_tuple_get(control,
+								 "group"));
+		result = isc_socket_permunix(&listener->address, listener->perm,
+					     listener->owner, listener->group);
+	}
 	if (result == ISC_R_SUCCESS)
 		result = control_listen(listener);
 
@@ -1154,7 +1200,7 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 
 isc_result_t
 ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
-		      ns_aclconfctx_t *aclconfctx)
+		      cfg_aclconfctx_t *aclconfctx)
 {
 	controllistener_t *listener;
 	controllistenerlist_t new_listeners;
@@ -1200,9 +1246,6 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 			 * The parser handles BIND 8 configuration file
 			 * syntax, so it allows unix phrases as well
 			 * inet phrases with no keys{} clause.
-			 *
-			 * "unix" phrases have been reported as
-			 * unsupported by the parser.
 			 */
 			control = cfg_listelt_value(element2);
 
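Review bot: In `add_listener` the configured `perm`/`owner`/`group` are applied by `isc_socket_permunix` only after `isc_socket_bind` has returned, so presumably the socket node exists for a moment with the mode derived from the process umask rather than the configured one, and any peer that opens it in that window is gated only by the control key. If the socket layer cannot create the node with the final mode in one step, the mitigation operators rely on (a restrictive umask, or a parent directory that is itself restricted) should be recorded where `perm` is read, e.g. `/* NOTE: bind() creates the node with the umask-derived mode; perm/owner/group are applied afterwards. */`. When `isc_socket_permunix` fails the node has already been created and `isc_socket_cleanunix` was only called before the bind; whether the failure path below removes it is outside the hunk and worth checking. The rest of add_listener is outside the hunk.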
@@ -1223,7 +1266,81 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 				      socktext);
 
 			update_listener(cp, &listener, control, config,
-					&addr, aclconfctx, socktext);
+					&addr, aclconfctx, socktext,
+					isc_sockettype_tcp);
+
+			if (listener != NULL)
+				/*
+				 * Remove the listener from the old
+				 * list, so it won't be shut down.
+				 */
+				ISC_LIST_UNLINK(cp->listeners,
+						listener, link);
+			else
+				/*
+				 * This is a new listener.
+				 */
+				add_listener(cp, &listener, control,
+					     config, &addr, aclconfctx,
+					     socktext,
+					     isc_sockettype_tcp);
+
+			if (listener != NULL)
+				ISC_LIST_APPEND(new_listeners,
+						listener, link);
+		}
+	}
+	for (element = cfg_list_first(controlslist);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		const cfg_obj_t *controls;
+		const cfg_obj_t *unixcontrols = NULL;
+
+		controls = cfg_listelt_value(element);
+		(void)cfg_map_get(controls, "unix", &unixcontrols);
+		if (unixcontrols == NULL)
+			continue;
+
+		for (element2 = cfg_list_first(unixcontrols);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			const cfg_obj_t *control;
+			const cfg_obj_t *path;
+			isc_sockaddr_t addr;
+			isc_result_t result;
+
+			/*
+			 * The parser handles BIND 8 configuration file
+			 * syntax, so it allows unix phrases as well
+			 * inet phrases with no keys{} clause.
+			 */
+			control = cfg_listelt_value(element2);
+
+			path = cfg_tuple_get(control, "path");
+			result = isc_sockaddr_frompath(&addr,
+						       cfg_obj_asstring(path));
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(ns_g_lctx,
+					      NS_LOGCATEGORY_GENERAL,
+					      NS_LOGMODULE_CONTROL,
+					      ISC_LOG_DEBUG(9),
+					      "control channel '%s': %s",
+					      cfg_obj_asstring(path),
+					      isc_result_totext(result));
+				continue;
+			}
+
+			isc_log_write(ns_g_lctx,
+				      NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_CONTROL,
+				      ISC_LOG_DEBUG(9),
+				      "processing control channel '%s'",
+				      cfg_obj_asstring(path));
+
+			update_listener(cp, &listener, control, config,
+					&addr, aclconfctx,
+					cfg_obj_asstring(path),
+					isc_sockettype_unix);
 
 			if (listener != NULL)
 				/*
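Review bot: When `isc_sockaddr_frompath` rejects a configured `path`, the new unix loop logs at `ISC_LOG_DEBUG(9)` and `continue`s, so a control channel that never comes up (for instance a path the address type cannot hold) is invisible at any normal log level and the operator finds out only when rndc fails. Unless the inet loop above (outside the hunk) deliberately does the same, this line should be `ISC_LOG_WARNING` with a message that says the channel is being skipped, e.g. `"control channel '%s': %s (ignored)"`. The comment `The parser handles BIND 8 configuration file syntax, so it allows unix phrases as well inet phrases with no keys{} clause.` was copied from the inet branch into the unix branch where it no longer describes anything; replace it with a note on what the unix branch actually derives from the tuple (`path`, then `perm`/`owner`/`group` in the listener helpers). The enclosing function continues past the hunk.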
@@ -1238,7 +1355,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 				 */
 				add_listener(cp, &listener, control,
 					     config, &addr, aclconfctx,
-					     socktext);
+					     cfg_obj_asstring(path),
+					     isc_sockettype_unix);
 
 			if (listener != NULL)
 				ISC_LIST_APPEND(new_listeners,
@@ -1269,7 +1387,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 			isc_sockaddr_format(&addr, socktext, sizeof(socktext));
 
 			update_listener(cp, &listener, NULL, NULL,
-					&addr, NULL, socktext);
+					&addr, NULL, socktext,
+					isc_sockettype_tcp);
 
 			if (listener != NULL)
 				/*
@@ -1283,7 +1402,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 				 * This is a new listener.
 				 */
 				add_listener(cp, &listener, NULL, NULL,
-					     &addr, NULL, socktext);
+					     &addr, NULL, socktext,
+					     isc_sockettype_tcp);
 
 			if (listener != NULL)
 				ISC_LIST_APPEND(new_listeners,
diff --git a/contrib/bind9/bin/named/include/named/builtin.h b/contrib/bind9/bin/named/include/named/builtin.h
index 15564bf..37a3e76 100644
--- a/contrib/bind9/bin/named/include/named/builtin.h
+++ b/contrib/bind9/bin/named/include/named/builtin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */
+/* $Id: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */
 
 #ifndef NAMED_BUILTIN_H
 #define NAMED_BUILTIN_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 
 isc_result_t ns_builtin_init(void);
diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h
index f602be8..0cf7985 100644
--- a/contrib/bind9/bin/named/include/named/client.h
+++ b/contrib/bind9/bin/named/include/named/client.h
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.h,v 1.60.2.2.10.12 2006/06/06 00:11:40 marka Exp $ */ +/* $Id: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */ #ifndef NAMED_CLIENT_H #define NAMED_CLIENT_H 1 @@ -24,9 +24,8 @@ ***** Module Info *****/ -/* - * Client - * +/*! \file + * \brief * This module defines two objects, ns_client_t and ns_clientmgr_t. * * An ns_client_t object handles incoming DNS requests from clients @@ -44,12 +43,12 @@ * fully handled (which can be much later), the ns_client_t must be * notified of this by calling one of the following functions * exactly once in the context of its task: - * + * \code * ns_client_send() (sending a non-error response) * ns_client_sendraw() (sending a raw response) * ns_client_error() (sending an error response) * ns_client_next() (sending no response) - * + *\endcode * This will release any resources used by the request and * and allow the ns_client_t to listen for the next request. * @@ -84,6 +83,7 @@ typedef ISC_LIST(ns_client_t) client_list_t; +/*% nameserver client structure */ struct ns_client { unsigned int magic; isc_mem_t * mctx; @@ -116,15 +116,16 @@ struct ns_client { dns_rdataset_t * opt; isc_uint16_t udpsize; isc_uint16_t extflags; + isc_int16_t ednsversion; /* -1 noedns */ void (*next)(ns_client_t *); void (*shutdown)(void *arg, isc_result_t result); void *shutdown_arg; ns_query_t query; isc_stdtime_t requesttime; isc_stdtime_t now; - dns_name_t signername; /* [T]SIG key name */ - dns_name_t * signer; /* NULL if not valid sig */ - isc_boolean_t mortal; /* Die after handling request */ + dns_name_t signername; /*%< [T]SIG key name */ + dns_name_t * signer; /*%< NULL if not valid sig */ + isc_boolean_t mortal; /*%< Die after handling request */ isc_quota_t *tcpquota; isc_quota_t *recursionquota; ns_interface_t *interface; 
@@ -132,7 +133,7 @@ struct ns_client { isc_boolean_t peeraddr_valid; struct in6_pktinfo pktinfo; isc_event_t ctlevent; - /* + /*% * Information about recent FORMERR response(s), for * FORMERR loop avoidance. This is separate for each * client object rather than global only to avoid @@ -144,7 +145,7 @@ struct ns_client { dns_messageid_t id; } formerrcache; ISC_LINK(ns_client_t) link; - /* + /*% * The list 'link' is part of, or NULL if not on any list. */ client_list_t *list; 
@@ -154,38 +155,42 @@ struct ns_client { #define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC) #define NS_CLIENTATTR_TCP 0x01 -#define NS_CLIENTATTR_RA 0x02 /* Client gets recusive service */ -#define NS_CLIENTATTR_PKTINFO 0x04 /* pktinfo is valid */ -#define NS_CLIENTATTR_MULTICAST 0x08 /* recv'd from multicast */ -#define NS_CLIENTATTR_WANTDNSSEC 0x10 /* include dnssec records */ +#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recusive service */ +#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */ +#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */ +#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */ +extern unsigned int ns_client_requests; /*** *** Functions ***/ -/* +/*% * Note! These ns_client_ routines MUST be called ONLY from the client's * task in order to ensure synchronization. */ void ns_client_send(ns_client_t *client); -/* +/*% * Finish processing the current client request and * send client->message as a response. + * \brief + * Note! These ns_client_ routines MUST be called ONLY from the client's + * task in order to ensure synchronization. */ void ns_client_sendraw(ns_client_t *client, dns_message_t *msg); -/* +/*% * Finish processing the current client request and * send msg as a response using client->message->id for the id. */ void ns_client_error(ns_client_t *client, isc_result_t result); -/* +/*% * Finish processing the current client request and return * an error response to the client. The error response * will have an RCODE determined by 'result'. 
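Review bot: The `\brief` block added to the `ns_client_send` comment repeats the "Note! These ns_client_ routines MUST be called ONLY from the client's task in order to ensure synchronization." paragraph that already sits immediately above as the general note for the whole group, so the generated documentation states it twice and attributes it to ns_client_send alone. Drop the three `\brief` lines from that comment and keep the general note where it is. While the `NS_CLIENTATTR_RA` line is being rewritten, its comment still reads `recusive`; `/*%< Client gets recursive service */` fixes the typo.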
@@ -193,38 +198,32 @@ ns_client_error(ns_client_t *client, isc_result_t result); void ns_client_next(ns_client_t *client, isc_result_t result); -/* +/*% * Finish processing the current client request, * return no response to the client. */ -void -ns_client_qnamereplace(ns_client_t *client, dns_name_t *name); -/*% - * Replace the qname. - */ - isc_boolean_t ns_client_shuttingdown(ns_client_t *client); -/* +/*% * Return ISC_TRUE iff the client is currently shutting down. */ void ns_client_attach(ns_client_t *source, ns_client_t **target); -/* +/*% * Attach '*targetp' to 'source'. */ void ns_client_detach(ns_client_t **clientp); -/* +/*% * Detach '*clientp' from its client. */ isc_result_t ns_client_replace(ns_client_t *client); -/* +/*% * Try to replace the current client with a new one, so that the * current one can go off and do some lengthy work without * leaving the dispatch/socket without service. @@ -232,20 +231,20 @@ ns_client_replace(ns_client_t *client); void ns_client_settimeout(ns_client_t *client, unsigned int seconds); -/* +/*% * Set a timer in the client to go off in the specified amount of time. */ isc_result_t ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, ns_clientmgr_t **managerp); -/* +/*% * Create a client manager. */ void ns_clientmgr_destroy(ns_clientmgr_t **managerp); -/* +/*% * Destroy a client manager and all ns_client_t objects * managed by it. */ @@ -253,7 +252,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp); isc_result_t ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n, ns_interface_t *ifp, isc_boolean_t tcp); -/* +/*% * Create up to 'n' clients listening on interface 'ifp'. * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections, * otherwise for UDP requests. 
@@ -261,7 +260,7 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n, isc_sockaddr_t * ns_client_getsockaddr(ns_client_t *client); -/* +/*% * Get the socket address of the client whose request is * currently being processed. */ @@ -270,27 +269,27 @@ isc_result_t ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl, isc_boolean_t default_allow); -/* +/*% * Convenience function for client request ACL checking. * * Check the current client request against 'acl'. If 'acl' * is NULL, allow the request iff 'default_allow' is ISC_TRUE. * * Notes: - * This is appropriate for checking allow-update, + *\li This is appropriate for checking allow-update, * allow-query, allow-transfer, etc. It is not appropriate * for checking the blackhole list because we treat positive * matches as "allow" and negative matches as "deny"; in * the case of the blackhole list this would be backwards. * * Requires: - * 'client' points to a valid client. - * 'acl' points to a valid ACL, or is NULL. + *\li 'client' points to a valid client. + *\li 'acl' points to a valid ACL, or is NULL. * * Returns: - * ISC_R_SUCCESS if the request should be allowed - * ISC_R_REFUSED if the request should be denied - * No other return values are possible. + *\li ISC_R_SUCCESS if the request should be allowed + * \li ISC_R_REFUSED if the request should be denied + *\li No other return values are possible. */ isc_result_t @@ -298,16 +297,16 @@ ns_client_checkacl(ns_client_t *client, const char *opname, dns_acl_t *acl, isc_boolean_t default_allow, int log_level); -/* +/*% * Like ns_client_checkacl, but also logs the outcome of the * check at log level 'log_level' if denied, and at debug 3 * if approved. Log messages will refer to the request as * an 'opname' request. * * Requires: - * Those of ns_client_checkaclsilent(), and: + *\li Those of ns_client_checkaclsilent(), and: * - * 'opname' points to a null-terminated string. + *\li 'opname' points to a null-terminated string. */ void 
@@ -330,8 +329,7 @@ ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type, void ns_client_recursing(ns_client_t *client); /*% - * Add client to end of recursing list. If 'killoldest' is true - * kill the oldest recursive client (list head). + * Add client to end of th recursing list. */ void @@ -342,8 +340,22 @@ ns_client_killoldestquery(ns_client_t *client); void ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager); -/* +/*% * Dump the outstanding recursive queries to 'f'. */ +void +ns_client_qnamereplace(ns_client_t *client, dns_name_t *name); +/*% + * Replace the qname. + */ + +isc_boolean_t +ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey, + isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, + dns_rdataclass_t rdclass, void *arg); +/*% + * Isself callback. + */ + #endif /* NAMED_CLIENT_H */ diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h index 8e5b94a..e8e6038 100644 --- a/contrib/bind9/bin/named/include/named/config.h +++ b/contrib/bind9/bin/named/include/named/config.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001, 2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h,v 1.4.12.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */ #ifndef NAMED_CONFIG_H #define NAMED_CONFIG_H 1 +/*! \file */ + #include <isccfg/cfg.h> #include <dns/types.h> @@ -71,6 +73,7 @@ isc_result_t ns_config_getport(const cfg_obj_t *config, in_port_t *portp); isc_result_t -ns_config_getkeyalgorithm(const char *str, dns_name_t **name); +ns_config_getkeyalgorithm(const char *str, dns_name_t **name, + isc_uint16_t *digestbits); #endif /* NAMED_CONFIG_H */ 
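Review bot: The rewritten comment for `ns_client_recursing` reads `Add client to end of th recursing list.`; it should be `Add client to end of the recursing list.`. The new `ns_client_isself` prototype is documented only as `Isself callback.`, which says nothing about what it decides or how `myview`, `mykey`, `srcaddr`, `destaddr`, `rdclass` and `arg` are used; from the name it presumably reports whether a (source, destination, key, class) tuple refers to this server itself, and a sentence stating that, plus who installs it as a callback, would make the declaration usable without reading the implementation.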
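Review bot: `ns_config_getkeyalgorithm` in config.h gains an out-parameter `digestbits` but the declaration still carries no comment, so a caller cannot tell from the header that NULL is accepted for both `name` and `digestbits`, that `str` may carry a `-bits` suffix selecting HMAC truncation, or which results to expect. A `/*%< ... */` block after the prototype should state: `str` is an algorithm name optionally followed by `-<bits>`; `name` and `digestbits` may each be NULL; returns ISC_R_NOTFOUND for an unknown name, the parse error for a malformed suffix, and ISC_R_RANGE when the requested truncation is outside the digest's valid range.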
diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h index bdb706e..5b7e5f4 100644 --- a/contrib/bind9/bin/named/include/named/control.h +++ b/contrib/bind9/bin/named/include/named/control.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,18 +15,20 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.h,v 1.6.2.2.2.9 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */ #ifndef NAMED_CONTROL_H #define NAMED_CONTROL_H 1 -/* +/*! \file + * \brief * The name server command channel. */ #include <isccc/types.h> -#include <named/aclconf.h> +#include <isccfg/aclconf.h> + #include <named/types.h> #define NS_CONTROL_PORT 953 @@ -48,18 +50,21 @@ #define NS_COMMAND_FREEZE "freeze" #define NS_COMMAND_UNFREEZE "unfreeze" #define NS_COMMAND_THAW "thaw" +#define NS_COMMAND_TIMERPOKE "timerpoke" #define NS_COMMAND_RECURSING "recursing" #define NS_COMMAND_NULL "null" +#define NS_COMMAND_NOTIFY "notify" +#define NS_COMMAND_VALIDATION "validation" isc_result_t ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp); -/* +/*%< * Create an initial, empty set of command channels for 'server'. */ void ns_controls_destroy(ns_controls_t **ctrlsp); -/* +/*%< * Destroy a set of command channels. * * Requires: @@ -68,8 +73,8 @@ ns_controls_destroy(ns_controls_t **ctrlsp); isc_result_t ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config, - ns_aclconfctx_t *aclconfctx); -/* + cfg_aclconfctx_t *aclconfctx); +/*%< * Configure zero or more command channels into 'controls' * as defined in the configuration parse tree 'config'. * The channels will evaluate ACLs in the context of 
@@ -78,7 +83,7 @@ ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config, void ns_controls_shutdown(ns_controls_t *controls); -/* +/*%< * Initiate shutdown of all the command channels in 'controls'. */ diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h index b8137e8..11f3989 100644 --- a/contrib/bind9/bin/named/include/named/globals.h +++ b/contrib/bind9/bin/named/include/named/globals.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: globals.h,v 1.59.68.7 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: globals.h,v 1.64.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_GLOBALS_H #define NAMED_GLOBALS_H 1 +/*! \file */ + #include <isc/rwlock.h> #include <isc/log.h> #include <isc/net.h> diff --git a/contrib/bind9/bin/named/include/named/interfacemgr.h b/contrib/bind9/bin/named/include/named/interfacemgr.h index 54bd91c..42279ff 100644 --- a/contrib/bind9/bin/named/include/named/interfacemgr.h +++ b/contrib/bind9/bin/named/include/named/interfacemgr.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.h,v 1.23.24.7 2004/04/29 01:31:22 marka Exp $ */ +/* $Id: interfacemgr.h,v 1.26.18.4 2005/04/27 05:00:35 sra Exp $ */ #ifndef NAMED_INTERFACEMGR_H #define NAMED_INTERFACEMGR_H 1 
@@ -24,24 +24,23 @@ ***** Module Info *****/ -/* - * Interface manager - * +/*! \file + * \brief * The interface manager monitors the operating system's list * of network interfaces, creating and destroying listeners * as needed. * * Reliability: - * No impact expected. + *\li No impact expected. * * Resources: * * Security: - * The server will only be able to bind to the DNS port on + * \li The server will only be able to bind to the DNS port on * newly discovered interfaces if it is running as root. * * Standards: - * The API for scanning varies greatly among operating systems. + *\li The API for scanning varies greatly among operating systems. * This module attempts to hide the differences. */ 
@@ -65,23 +64,24 @@ #define IFACE_MAGIC ISC_MAGIC('I',':','-',')') #define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC) -#define NS_INTERFACEFLAG_ANYADDR 0x01U /* bound to "any" address */ +#define NS_INTERFACEFLAG_ANYADDR 0x01U /*%< bound to "any" address */ +/*% The nameserver interface structure */ struct ns_interface { - unsigned int magic; /* Magic number. */ - ns_interfacemgr_t * mgr; /* Interface manager. */ + unsigned int magic; /*%< Magic number. */ + ns_interfacemgr_t * mgr; /*%< Interface manager. */ isc_mutex_t lock; - int references; /* Locked */ - unsigned int generation; /* Generation number. */ - isc_sockaddr_t addr; /* Address and port. */ - unsigned int flags; /* Interface characteristics */ - char name[32]; /* Null terminated. */ - dns_dispatch_t * udpdispatch; /* UDP dispatcher. */ - isc_socket_t * tcpsocket; /* TCP socket. */ - int ntcptarget; /* Desired number of concurrent - TCP accepts */ - int ntcpcurrent; /* Current ditto, locked */ - ns_clientmgr_t * clientmgr; /* Client manager. */ + int references; /*%< Locked */ + unsigned int generation; /*%< Generation number. */ + isc_sockaddr_t addr; /*%< Address and port. */ + unsigned int flags; /*%< Interface characteristics */ + char name[32]; /*%< Null terminated. */ + dns_dispatch_t * udpdispatch; /*%< UDP dispatcher. */ + isc_socket_t * tcpsocket; /*%< TCP socket. */ + int ntcptarget; /*%< Desired number of concurrent + TCP accepts */ + int ntcpcurrent; /*%< Current ditto, locked */ + ns_clientmgr_t * clientmgr; /*%< Client manager. */ ISC_LINK(ns_interface_t) link; }; @@ -94,7 +94,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr, dns_dispatchmgr_t *dispatchmgr, ns_interfacemgr_t **mgrp); -/* +/*% * Create a new interface manager. * * Initially, the new manager will not listen on any interfaces. 
@@ -113,7 +113,7 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr); void ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose); -/* +/*% * Scan the operatings system's list of network interfaces * and create listeners when new interfaces are discovered. * Shut down the sockets for interfaces that go away. @@ -126,7 +126,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose); void ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list, isc_boolean_t verbose); -/* +/*% * Similar to ns_interfacemgr_scan(), but this function also tries to see the * need for an explicit listen-on when a list element in 'list' is going to * override an already-listening a wildcard interface. @@ -139,14 +139,14 @@ ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list, void ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value); -/* +/*% * Set the IPv4 "listen-on" list of 'mgr' to 'value'. * The previous IPv4 listen-on list is freed. */ void ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value); -/* +/*% * Set the IPv6 "listen-on" list of 'mgr' to 'value'. * The previous IPv6 listen-on list is freed. */ @@ -162,7 +162,7 @@ ns_interface_detach(ns_interface_t **targetp); void ns_interface_shutdown(ns_interface_t *ifp); -/* +/*% * Stop listening for queries on interface 'ifp'. * May safely be called multiple times. */ @@ -170,4 +170,7 @@ ns_interface_shutdown(ns_interface_t *ifp); void ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr); +isc_boolean_t +ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr); + #endif /* NAMED_INTERFACEMGR_H */ diff --git a/contrib/bind9/bin/named/include/named/listenlist.h b/contrib/bind9/bin/named/include/named/listenlist.h index 31e8893..cdca026 100644 --- a/contrib/bind9/bin/named/include/named/listenlist.h +++ b/contrib/bind9/bin/named/include/named/listenlist.h 
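Review bot: The new `ns_interfacemgr_listeningon` prototype at the end of the hunk is the one declaration in this header left without a `/*%` comment, in a commit whose purpose is to give every prototype one. From the name and the `isc_boolean_t` return it presumably reports whether 'mgr' currently has a listener bound to 'addr', but that needs confirming against interfacemgr.c before it is written down; once confirmed I would add `/*%< Return ISC_TRUE if 'mgr' is currently listening on 'addr'. */` under the declaration. If the address is only inspected, `const isc_sockaddr_t *addr` would also match `ns_add_reserved_dispatch` elsewhere in this patch, which already takes `const isc_sockaddr_t *`.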
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: listenlist.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */ +/* $Id: listenlist.h,v 1.11.18.2 2005/04/29 00:15:34 marka Exp $ */ #ifndef NAMED_LISTENLIST_H #define NAMED_LISTENLIST_H 1 @@ -24,7 +24,8 @@ ***** Module Info *****/ -/* +/*! \file + * \brief * "Listen lists", as in the "listen-on" configuration statement. */ @@ -62,38 +63,38 @@ struct ns_listenlist { isc_result_t ns_listenelt_create(isc_mem_t *mctx, in_port_t port, dns_acl_t *acl, ns_listenelt_t **target); -/* +/*% * Create a listen-on list element. */ void ns_listenelt_destroy(ns_listenelt_t *elt); -/* +/*% * Destroy a listen-on list element. */ isc_result_t ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target); -/* +/*% * Create a new, empty listen-on list. */ void ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target); -/* +/*% * Attach '*target' to '*source'. */ void ns_listenlist_detach(ns_listenlist_t **listp); -/* +/*% * Detach 'listp'. */ isc_result_t ns_listenlist_default(isc_mem_t *mctx, in_port_t port, isc_boolean_t enabled, ns_listenlist_t **target); -/* +/*% * Create a listen-on list with default contents, matching * all addresses with port 'port' (if 'enabled' is ISC_TRUE), * or no addresses (if 'enabled' is ISC_FALSE). diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h index e8ad1ca..6d6e648 100644 --- a/contrib/bind9/bin/named/include/named/log.h +++ b/contrib/bind9/bin/named/include/named/log.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: log.h,v 1.21.18.2 2005/04/29 00:15:35 marka Exp $ */ #ifndef NAMED_LOG_H #define NAMED_LOG_H 1 +/*! \file */ + #include <isc/log.h> #include <isc/types.h> @@ -54,7 +56,7 @@ isc_result_t ns_log_init(isc_boolean_t safe); -/* +/*% * Initialize the logging system and set up an initial default * logging default configuration that will be used until the * config file has been read. @@ -66,7 +68,7 @@ ns_log_init(isc_boolean_t safe); isc_result_t ns_log_setdefaultchannels(isc_logconfig_t *lcfg); -/* +/*% * Set up logging channels according to the named defaults, which * may differ from the logging library defaults. Currently, * this just means setting up default_debug. @@ -74,19 +76,19 @@ ns_log_setdefaultchannels(isc_logconfig_t *lcfg); isc_result_t ns_log_setsafechannels(isc_logconfig_t *lcfg); -/* +/*% * Like ns_log_setdefaultchannels(), but omits any logging to files. */ isc_result_t ns_log_setdefaultcategory(isc_logconfig_t *lcfg); -/* +/*% * Set up "category default" to go to the right places. */ isc_result_t ns_log_setunmatchedcategory(isc_logconfig_t *lcfg); -/* +/*% * Set up "category unmatched" to go to the right places. */ diff --git a/contrib/bind9/bin/named/include/named/logconf.h b/contrib/bind9/bin/named/include/named/logconf.h index b92ad31..79df5c6 100644 --- a/contrib/bind9/bin/named/include/named/logconf.h +++ b/contrib/bind9/bin/named/include/named/logconf.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,16 +15,18 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: logconf.h,v 1.10.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: logconf.h,v 1.11.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_LOGCONF_H #define NAMED_LOGCONF_H 1 +/*! \file */ + #include <isc/log.h> isc_result_t ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt); -/* +/*%< * Set up the logging configuration in '*logconf' according to * the named.conf data in 'logstmt'. */ diff --git a/contrib/bind9/bin/named/include/named/lwaddr.h b/contrib/bind9/bin/named/include/named/lwaddr.h index 0aa66b7..552d1d4 100644 --- a/contrib/bind9/bin/named/include/named/lwaddr.h +++ b/contrib/bind9/bin/named/include/named/lwaddr.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwaddr.h,v 1.3.208.1 2004/03/06 10:21:24 marka Exp $ */ +/* $Id: lwaddr.h,v 1.4.18.2 2005/04/29 00:15:35 marka Exp $ */ + +/*! \file */ #include <lwres/lwres.h> #include <lwres/net.h> diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h index 09d68ff..591b86c 100644 --- a/contrib/bind9/bin/named/include/named/lwdclient.h +++ b/contrib/bind9/bin/named/include/named/lwdclient.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdclient.h,v 1.13.208.1 2004/03/06 10:21:24 marka Exp $ */ +/* $Id: lwdclient.h,v 1.14.18.2 2005/04/29 00:15:36 marka Exp $ */ #ifndef NAMED_LWDCLIENT_H #define NAMED_LWDCLIENT_H 1 +/*! \file */ + #include <isc/event.h> #include <isc/eventclass.h> #include <isc/netaddr.h> @@ -37,23 +39,24 @@ #define LWRD_SHUTDOWN (LWRD_EVENTCLASS + 0x0001) +/*% Lighweight Resolver Daemon Client */ struct ns_lwdclient { - isc_sockaddr_t address; /* where to reply */ + isc_sockaddr_t address; /*%< where to reply */ struct in6_pktinfo pktinfo; isc_boolean_t pktinfo_valid; - ns_lwdclientmgr_t *clientmgr; /* our parent */ + ns_lwdclientmgr_t *clientmgr; /*%< our parent */ ISC_LINK(ns_lwdclient_t) link; unsigned int state; - void *arg; /* packet processing state */ + void *arg; /*%< packet processing state */ /* * Received data info. */ - unsigned char buffer[LWRES_RECVLENGTH]; /* receive buffer */ - isc_uint32_t recvlength; /* length recv'd */ + unsigned char buffer[LWRES_RECVLENGTH]; /*%< receive buffer */ + isc_uint32_t recvlength; /*%< length recv'd */ lwres_lwpacket_t pkt; - /* + /*% * Send data state. If sendbuf != buffer (that is, the send buffer * isn't our receive buffer) it will be freed to the lwres_context_t. */ 
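Review bot: The new struct comment `/*% Lighweight Resolver Daemon Client */` misspells "Lightweight", and since these `/*%` blocks are exactly what Doxygen will render the typo becomes visible documentation; it should read `/*% Lightweight Resolver Daemon Client */`. The matching manager comment added later in this file is written `/*% lightweight daemon client manager */`, so one capitalisation should be chosen for both.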
@@ -61,19 +64,19 @@ struct ns_lwdclient { isc_uint32_t sendlength; isc_buffer_t recv_buffer; - /* + /*% * gabn (get address by name) state info. */ dns_adbfind_t *find; dns_adbfind_t *v4find; dns_adbfind_t *v6find; - unsigned int find_wanted; /* Addresses we want */ + unsigned int find_wanted; /*%< Addresses we want */ dns_fixedname_t query_name; dns_fixedname_t target_name; ns_lwsearchctx_t searchctx; lwres_gabnresponse_t gabn; - /* + /*% * gnba (get name by address) state info. */ lwres_gnbaresponse_t gnba; @@ -81,7 +84,7 @@ struct ns_lwdclient { unsigned int options; isc_netaddr_t na; - /* + /*% * grbn (get rrset by name) state info. * * Note: this also uses target_name and searchctx. @@ -90,7 +93,7 @@ struct ns_lwdclient { dns_lookup_t *lookup; dns_rdatatype_t rdtype; - /* + /*% * Alias and address info. This is copied up to the gabn/gnba * structures eventually. * @@ -103,7 +106,7 @@ struct ns_lwdclient { lwres_addr_t addrs[LWRES_MAX_ADDRS]; }; -/* +/*% * Client states. * * _IDLE The client is not doing anything at all. @@ -156,7 +159,7 @@ struct ns_lwdclient { #define NS_LWDCLIENT_ISSEND(c) \ ((c)->state == NS_LWDCLIENT_STATESEND) -/* +/*% * Overall magic test that means we're not idle. */ #define NS_LWDCLIENT_ISRUNNING(c) (!NS_LWDCLIENT_ISIDLE(c)) 
@@ -174,17 +177,18 @@ struct ns_lwdclient { #define NS_LWDCLIENT_SETSENDDONE(c) \ ((c)->state = NS_LWDCLIENT_STATESENDDONE) +/*% lightweight daemon client manager */ struct ns_lwdclientmgr { ns_lwreslistener_t *listener; isc_mem_t *mctx; - isc_socket_t *sock; /* socket to use */ + isc_socket_t *sock; /*%< socket to use */ dns_view_t *view; - lwres_context_t *lwctx; /* lightweight proto context */ - isc_task_t *task; /* owning task */ + lwres_context_t *lwctx; /*%< lightweight proto context */ + isc_task_t *task; /*%< owning task */ unsigned int flags; ISC_LINK(ns_lwdclientmgr_t) link; - ISC_LIST(ns_lwdclient_t) idle; /* idle client slots */ - ISC_LIST(ns_lwdclient_t) running; /* running clients */ + ISC_LIST(ns_lwdclient_t) idle; /*%< idle client slots */ + ISC_LIST(ns_lwdclient_t) running; /*%< running clients */ }; #define NS_LWDCLIENTMGR_FLAGRECVPENDING 0x00000001 diff --git a/contrib/bind9/bin/named/include/named/lwresd.h b/contrib/bind9/bin/named/include/named/lwresd.h index 2aa1d55..ef93fcd 100644 --- a/contrib/bind9/bin/named/include/named/lwresd.h +++ b/contrib/bind9/bin/named/include/named/lwresd.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwresd.h,v 1.12.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: lwresd.h,v 1.13.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_LWRESD_H #define NAMED_LWRESD_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/sockaddr.h> @@ -52,7 +54,7 @@ struct ns_lwreslistener { ISC_LINK(ns_lwreslistener_t) link; }; -/* +/*% * Configure lwresd. */ isc_result_t @@ -62,7 +64,7 @@ isc_result_t ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx, cfg_obj_t **configp); -/* +/*% * Trigger shutdown. */ void 
@@ -71,29 +73,36 @@ ns_lwresd_shutdown(void); /* * Manager functions */ +/*% create manager */ isc_result_t ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres, ns_lwresd_t **lwresdp); +/*% attach to manager */ void ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp); +/*% detach from manager */ void ns_lwdmanager_detach(ns_lwresd_t **lwresdp); /* * Listener functions */ +/*% attach to listener */ void ns_lwreslistener_attach(ns_lwreslistener_t *source, ns_lwreslistener_t **targetp); +/*% detach from lister */ void ns_lwreslistener_detach(ns_lwreslistener_t **listenerp); +/*% link client manager */ void ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm); +/*% unlink client manager */ void ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm); diff --git a/contrib/bind9/bin/named/include/named/lwsearch.h b/contrib/bind9/bin/named/include/named/lwsearch.h index a864a89..b85e401 100644 --- a/contrib/bind9/bin/named/include/named/lwsearch.h +++ b/contrib/bind9/bin/named/include/named/lwsearch.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwsearch.h,v 1.4.208.1 2004/03/06 10:21:25 marka Exp $ */ +/* $Id: lwsearch.h,v 1.5.18.2 2005/04/29 00:15:36 marka Exp $ */ #ifndef NAMED_LWSEARCH_H #define NAMED_LWSEARCH_H 1 @@ -28,7 +28,8 @@ #include <named/types.h> -/* +/*! \file + * \brief * Lightweight resolver search list types and routines. * * An ns_lwsearchlist_t holds a list of search path elements. @@ -37,6 +38,7 @@ * operation. */ +/*% An ns_lwsearchlist_t holds a list of search path elements. */ struct ns_lwsearchlist { unsigned int magic; 
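Review bot: The two new comments on the listener link functions are swapped: `/*% link client manager */` sits above `ns_lwreslistener_unlinkcm` and `/*% unlink client manager */` above `ns_lwreslistener_linkcm`, so the generated documentation will describe each function as doing the opposite of what its name says. Exchange them so that `/*% unlink client manager */` precedes `ns_lwreslistener_unlinkcm` and `/*% link client manager */` precedes `ns_lwreslistener_linkcm`. The comment above `ns_lwreslistener_detach` also has a typo and should read `/*% detach from listener */`.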
@@ -45,7 +47,7 @@ struct ns_lwsearchlist { unsigned int refs; dns_namelist_t names; }; - +/*% An ns_lwsearchctx stores the state of search list during a lookup operation. */ struct ns_lwsearchctx { dns_name_t *relname; dns_name_t *searchname; @@ -57,51 +59,51 @@ struct ns_lwsearchctx { isc_result_t ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp); -/* +/*%< * Create an empty search list object. */ void ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target); -/* +/*%< * Attach to a search list object. */ void ns_lwsearchlist_detach(ns_lwsearchlist_t **listp); -/* +/*%< * Detach from a search list object. */ isc_result_t ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name); -/* +/*%< * Append an element to a search list. This creates a copy of the name. */ void ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list, dns_name_t *name, unsigned int ndots); -/* +/*%< * Creates a search list context structure. */ void ns_lwsearchctx_first(ns_lwsearchctx_t *sctx); -/* +/*%< * Moves the search list context iterator to the first element, which * is usually the exact name. */ isc_result_t ns_lwsearchctx_next(ns_lwsearchctx_t *sctx); -/* +/*%< * Moves the search list context iterator to the next element. */ isc_result_t ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname); -/* +/*%< * Obtains the current name to be looked up. This involves either * concatenating the name with a search path element, making an * exact name absolute, or doing nothing. diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h index e37b519..dd4fe8c 100644 --- a/contrib/bind9/bin/named/include/named/main.h +++ b/contrib/bind9/bin/named/include/named/main.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.h,v 1.8.2.2.8.4 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: main.h,v 1.11.18.2 2005/04/29 00:15:37 marka Exp $ */ #ifndef NAMED_MAIN_H #define NAMED_MAIN_H 1 +/*! \file */ + void ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h index 3cb1d85..106d70c 100644 --- a/contrib/bind9/bin/named/include/named/notify.h +++ b/contrib/bind9/bin/named/include/named/notify.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: notify.h,v 1.9.208.1 2004/03/06 10:21:25 marka Exp $ */ +/* $Id: notify.h,v 1.10.18.2 2005/04/29 00:15:37 marka Exp $ */ #ifndef NAMED_NOTIFY_H #define NAMED_NOTIFY_H 1 @@ -27,8 +27,9 @@ *** Module Info ***/ -/* - * RFC 1996 +/*! \file + * \brief + * RFC1996 * A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) */ @@ -39,7 +40,7 @@ void ns_notify_start(ns_client_t *client); -/* +/*%< * Examines the incoming message to determine apporiate zone. * Returns FORMERR if there is not exactly one question. * Returns REFUSED if we do not serve the listed zone. @@ -47,7 +48,7 @@ ns_notify_start(ns_client_t *client); * and returns the return status. * * Requires - * client to be valid. + *\li client to be valid. */ #endif /* NAMED_NOTIFY_H */ 
diff --git a/contrib/bind9/bin/named/include/named/ns_smf_globals.h b/contrib/bind9/bin/named/include/named/ns_smf_globals.h index 49aa31d..06df2ba 100644 --- a/contrib/bind9/bin/named/include/named/ns_smf_globals.h +++ b/contrib/bind9/bin/named/include/named/ns_smf_globals.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ns_smf_globals.h,v 1.2.4.4 2005/05/13 01:22:33 marka Exp $ */ +/* $Id: ns_smf_globals.h,v 1.2.2.4 2005/05/13 01:32:46 marka Exp $ */ #ifndef NS_SMF_GLOBALS_H #define NS_SMF_GLOBALS_H 1 diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h index 6f348d5..741212f 100644 --- a/contrib/bind9/bin/named/include/named/query.h +++ b/contrib/bind9/bin/named/include/named/query.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.h,v 1.28.2.3.8.6 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: query.h,v 1.36.18.2 2005/04/29 00:15:37 marka Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/buffer.h> #include <isc/netaddr.h> @@ -28,6 +30,7 @@ #include <named/types.h> +/*% nameserver database version structure */ typedef struct ns_dbversion { dns_db_t *db; dns_dbversion_t *version; @@ -35,6 +38,7 @@ typedef struct ns_dbversion { ISC_LINK(struct ns_dbversion) link; } ns_dbversion_t; +/*% nameserver query structure */ struct ns_query { unsigned int attributes; unsigned int restarts; diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h index 37526c0..54d1dae 100644 --- a/contrib/bind9/bin/named/include/named/server.h +++ b/contrib/bind9/bin/named/include/named/server.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.h,v 1.58.2.1.10.13 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */ #ifndef NAMED_SERVER_H #define NAMED_SERVER_H 1 +/*! \file */ + #include <isc/log.h> #include <isc/sockaddr.h> #include <isc/magic.h> @@ -35,7 +37,7 @@ #define NS_EVENT_RELOAD (NS_EVENTCLASS + 0) #define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1) -/* +/*% * Name server state. Better here than in lots of separate global variables. */ struct ns_server { @@ -49,18 +51,18 @@ struct ns_server { isc_quota_t tcpquota; isc_quota_t recursionquota; dns_acl_t *blackholeacl; - char * statsfile; /* Statistics file name */ - char * dumpfile; /* Dump file name */ - char * recfile; /* Recursive file name */ - isc_boolean_t version_set; /* User has set version */ - char * version; /* User-specified version */ - isc_boolean_t hostname_set; /* User has set hostname */ - char * hostname; /* User-specified hostname */ - /* Use hostname for server id */ + char * statsfile; /*%< Statistics file name */ + char * dumpfile; /*%< Dump file name */ + char * recfile; /*%< Recursive file name */ + isc_boolean_t version_set; /*%< User has set version */ + char * version; /*%< User-specified version */ + isc_boolean_t hostname_set; /*%< User has set hostname */ + char * hostname; /*%< User-specified hostname */ + /*% Use hostname for server id */ isc_boolean_t server_usehostname; - char * server_id; /* User-specified server id */ + char * server_id; /*%< User-specified server id */ - /* + /*% * Current ACL environment. This defines the * current values of the localhost and localnets * ACLs. 
@@ -77,6 +79,8 @@ struct ns_server { isc_timer_t * interface_timer; isc_timer_t * heartbeat_timer; + isc_timer_t * pps_timer; + isc_uint32_t interface_interval; isc_uint32_t heartbeat_interval; @@ -84,14 +88,15 @@ struct ns_server { isc_event_t * reload_event; isc_boolean_t flushonshutdown; - isc_boolean_t log_queries; /* For BIND 8 compatibility */ + isc_boolean_t log_queries; /*%< For BIND 8 compatibility */ - isc_uint64_t * querystats; /* Query statistics counters */ + isc_uint64_t * querystats; /*%< Query statistics counters */ - ns_controls_t * controls; /* Control channels */ + ns_controls_t * controls; /*%< Control channels */ unsigned int dispatchgen; ns_dispatchlist_t dispatches; - + + dns_acache_t *acache; }; #define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R') @@ -99,7 +104,7 @@ struct ns_server { void ns_server_create(isc_mem_t *mctx, ns_server_t **serverp); -/* +/*%< * Create a server object with default settings. * This function either succeeds or causes the program to exit * with a fatal error. @@ -107,13 +112,13 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp); void ns_server_destroy(ns_server_t **serverp); -/* +/*%< * Destroy a server object, freeing its memory. */ void ns_server_reloadwanted(ns_server_t *server); -/* +/*%< * Inform a server that a reload is wanted. This function * may be called asynchronously, from outside the server's task. * If a reload is already scheduled or in progress, the call 
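Review bot: `pps_timer` is added to `struct ns_server` without the `/*%<` member comment this same commit is putting on the neighbouring fields, and nothing in the header says what the timer paces or who arms it. The name suggests some per-second rate accounting, but that is a guess from the identifier alone; confirm it against server.c and then give the member a `/*%<` comment in the style of its neighbours stating what it fires and on what interval. The enclosing struct begins and ends outside this hunk.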
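Review bot: `dns_acache_t *acache;` is appended to `struct ns_server` with no `/*%<` comment and with the `*` bound to the member name, unlike every other pointer member in this struct, which is written `type * name` in aligned columns. Once its role is confirmed from where server.c creates it, write it as `dns_acache_t * acache; /*%< ... */` with a one-line description, so the struct stays self-describing after this documentation pass. The only other change in the hunk swaps one whitespace-only line for another, which is harmless. The enclosing struct starts outside this hunk.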
@@ -122,92 +127,104 @@ ns_server_reloadwanted(ns_server_t *server); void ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush); -/* +/*%< * Inform the server that the zones should be flushed to disk on shutdown. */ isc_result_t ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text); -/* +/*%< * Act on a "reload" command from the command channel. */ isc_result_t ns_server_reconfigcommand(ns_server_t *server, char *args); -/* +/*%< * Act on a "reconfig" command from the command channel. */ isc_result_t +ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text); +/*%< + * Act on a "notify" command from the command channel. + */ + +isc_result_t ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text); -/* +/*%< * Act on a "refresh" command from the command channel. */ isc_result_t ns_server_retransfercommand(ns_server_t *server, char *args); -/* +/*%< * Act on a "retransfer" command from the command channel. */ isc_result_t ns_server_togglequerylog(ns_server_t *server); -/* +/*%< * Toggle logging of queries, as in BIND 8. */ -/* +/*% * Dump the current statistics to the statistics file. */ isc_result_t ns_server_dumpstats(ns_server_t *server); -/* +/*% * Dump the current cache to the dump file. */ isc_result_t ns_server_dumpdb(ns_server_t *server, char *args); -/* +/*% * Change or increment the server debug level. */ isc_result_t ns_server_setdebuglevel(ns_server_t *server, char *args); -/* +/*% * Flush the server's cache(s) */ isc_result_t ns_server_flushcache(ns_server_t *server, char *args); -/* +/*% * Flush a particular name from the server's cache(s) */ isc_result_t ns_server_flushname(ns_server_t *server, char *args); -/* +/*% * Report the server's status. */ isc_result_t ns_server_status(ns_server_t *server, isc_buffer_t *text); -/* +/*% * Enable or disable updates for a zone. 
*/ isc_result_t ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args); -/* +/*% * Dump the current recursive queries. */ isc_result_t ns_server_dumprecursing(ns_server_t *server); -/* +/*% * Maintain a list of dispatches that require reserved ports. */ void ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr); +/*% + * Enable or disable dnssec validation. + */ +isc_result_t +ns_server_validation(ns_server_t *server, char *args); + #endif /* NAMED_SERVER_H */ diff --git a/contrib/bind9/bin/named/include/named/sortlist.h b/contrib/bind9/bin/named/include/named/sortlist.h index 9966686..f849be2 100644 --- a/contrib/bind9/bin/named/include/named/sortlist.h +++ b/contrib/bind9/bin/named/include/named/sortlist.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,22 +15,24 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sortlist.h,v 1.4.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: sortlist.h,v 1.5.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NAMED_SORTLIST_H #define NAMED_SORTLIST_H 1 +/*! \file */ + #include <isc/types.h> #include <dns/types.h> -/* +/*% * Type for callback functions that rank addresses. */ typedef int (*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg); -/* +/*% * Return value type for setup_sortlist. */ typedef enum { @@ -42,7 +44,7 @@ typedef enum { ns_sortlisttype_t ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, const void **argp); -/* +/*%< * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any. * * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and 
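Review bot: `ns_server_validation` is the only new command handler whose comment does not say where it is invoked from, and `Enable or disable dnssec validation.` leaves the contract of 'args' and the meaning of the return value unstated, whereas the reload, reconfig, notify, refresh and retransfer handlers all use the form `Act on a "..." command from the command channel`. Because this entry point lets a control-channel client switch DNSSEC validation off for the running server, the trust boundary deserves to be spelled out in the header, e.g. `/*% Act on a "validation" command from the command channel, enabling or disabling DNSSEC validation as selected by 'args'. */` — assuming it is dispatched from the same place as the other handlers taking `(ns_server_t *server, char *args)`, which server.c should confirm. The new `ns_server_notifycommand` declaration follows the existing pattern and needs nothing further.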
@@ -57,14 +59,14 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, int ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg); -/* +/*%< * Find the sort order of 'addr' in 'arg', the matching element * of a 1-element top-level sortlist statement. */ int ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg); -/* +/*%< * Find the sort order of 'addr' in 'arg', a topology-like * ACL forming the second element in a 2-element top-level * sortlist statement. @@ -74,7 +76,7 @@ void ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr, dns_addressorderfunc_t *orderp, const void **argp); -/* +/*%< * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any. * If a sortlist statement applies, return in '*orderp' a pointer to a function * for ranking network addresses based on that sortlist statement, and in diff --git a/contrib/bind9/bin/named/include/named/tkeyconf.h b/contrib/bind9/bin/named/include/named/tkeyconf.h index ac72f3e..946944d 100644 --- a/contrib/bind9/bin/named/include/named/tkeyconf.h +++ b/contrib/bind9/bin/named/include/named/tkeyconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tkeyconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tkeyconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NS_TKEYCONF_H #define NS_TKEYCONF_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/lang.h> 
@@ -30,20 +32,20 @@ ISC_LANG_BEGINDECLS isc_result_t ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp); -/* +/*%< * Create a TKEY context and configure it, including the default DH key * and default domain, according to 'options'. * * Requires: - * 'cfg' is a valid configuration options object. - * 'mctx' is not NULL - * 'ectx' is not NULL - * 'tctx' is not NULL - * '*tctx' is NULL + *\li 'cfg' is a valid configuration options object. + *\li 'mctx' is not NULL + *\li 'ectx' is not NULL + *\li 'tctx' is not NULL + *\li '*tctx' is NULL * * Returns: - * ISC_R_SUCCESS - * ISC_R_NOMEMORY + *\li ISC_R_SUCCESS + *\li ISC_R_NOMEMORY */ ISC_LANG_ENDDECLS diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h index fcb415e..a18eede 100644 --- a/contrib/bind9/bin/named/include/named/tsigconf.h +++ b/contrib/bind9/bin/named/include/named/tsigconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsigconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tsigconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */ #ifndef NS_TSIGCONF_H #define NS_TSIGCONF_H 1 +/*! \file */ + #include <isc/types.h> #include <isc/lang.h> 
@@ -28,18 +30,18 @@ ISC_LANG_BEGINDECLS isc_result_t ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_tsig_keyring_t **ringp); -/* +/*%< * Create a TSIG key ring and configure it according to the 'key' * statements in the global and view configuration objects. * * Requires: - * 'config' is not NULL. - * 'mctx' is not NULL - * 'ring' is not NULL, and '*ring' is NULL + * \li 'config' is not NULL. + * \li 'mctx' is not NULL + * \li 'ring' is not NULL, and '*ring' is NULL * * Returns: - * ISC_R_SUCCESS - * ISC_R_NOMEMORY + * \li ISC_R_SUCCESS + * \li ISC_R_NOMEMORY */ ISC_LANG_ENDDECLS diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h index eb44c53..abc25d5 100644 --- a/contrib/bind9/bin/named/include/named/types.h +++ b/contrib/bind9/bin/named/include/named/types.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: types.h,v 1.19.208.2 2004/03/06 10:21:26 marka Exp $ */ +/* $Id: types.h,v 1.21.18.2 2005/04/29 00:15:38 marka Exp $ */ #ifndef NAMED_TYPES_H #define NAMED_TYPES_H 1 +/*! \file */ + #include <dns/types.h> typedef struct ns_client ns_client_t; diff --git a/contrib/bind9/bin/named/include/named/update.h b/contrib/bind9/bin/named/include/named/update.h index 4c97235..37daa95 100644 --- a/contrib/bind9/bin/named/include/named/update.h +++ b/contrib/bind9/bin/named/include/named/update.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.h,v 1.8.208.1 2004/03/06 10:21:26 marka Exp $ */ +/* $Id: update.h,v 1.9.18.2 2005/04/29 00:15:39 marka Exp $ */ #ifndef NAMED_UPDATE_H #define NAMED_UPDATE_H 1 @@ -24,7 +24,8 @@ ***** Module Info *****/ -/* +/*! \file + * \brief * RFC2136 Dynamic Update */ diff --git a/contrib/bind9/bin/named/include/named/xfrout.h b/contrib/bind9/bin/named/include/named/xfrout.h index e96ff31..82e0e66 100644 --- a/contrib/bind9/bin/named/include/named/xfrout.h +++ b/contrib/bind9/bin/named/include/named/xfrout.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrout.h,v 1.7.208.1 2004/03/06 10:21:27 marka Exp $ */ +/* $Id: xfrout.h,v 1.8.18.2 2005/04/29 00:15:39 marka Exp $ */ #ifndef NAMED_XFROUT_H #define NAMED_XFROUT_H 1 @@ -24,7 +24,8 @@ ***** Module Info *****/ -/* +/*! \file + * \brief * Outgoing zone transfers (AXFR + IXFR). */ diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h index 3e63053..61737a2 100644 --- a/contrib/bind9/bin/named/include/named/zoneconf.h +++ b/contrib/bind9/bin/named/include/named/zoneconf.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,25 +15,26 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.h,v 1.16.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: zoneconf.h,v 1.19.18.5 2006/03/02 00:37:21 marka Exp $ */ #ifndef NS_ZONECONF_H #define NS_ZONECONF_H 1 +/*! \file */ + #include <isc/lang.h> #include <isc/types.h> +#include <isccfg/aclconf.h> #include <isccfg/cfg.h> -#include <named/aclconf.h> - ISC_LANG_BEGINDECLS isc_result_t ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, - const cfg_obj_t *zconfig, ns_aclconfctx_t *ac, + const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac, dns_zone_t *zone); -/* +/*%< * Configure or reconfigure a zone according to the named.conf * data in 'cctx' and 'czone'. * @@ -41,16 +42,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, * at zone creation time. * * Require: - * 'lctx' to be initialized or NULL. - * 'cctx' to be initialized or NULL. - * 'ac' to point to an initialized ns_aclconfctx_t. - * 'czone' to be initialized. - * 'zone' to be initialized. + * \li 'lctx' to be initialized or NULL. + * \li 'cctx' to be initialized or NULL. + * \li 'ac' to point to an initialized ns_aclconfctx_t. + * \li 'czone' to be initialized. + * \li 'zone' to be initialized. */ isc_boolean_t ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig); -/* +/*%< * If 'zone' can be safely reconfigured according to the configuration * data in 'zconfig', return ISC_TRUE. If the configuration data is so * different from the current zone state that the zone needs to be destroyed diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c index a341056..db41031 100644 --- a/contrib/bind9/bin/named/interfacemgr.c 
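Review bot: In the second zoneconf.h hunk the Require list still reads `'ac' to point to an initialized ns_aclconfctx_t`, although this same commit changes the parameter to `cfg_aclconfctx_t *ac` and drops the `<named/aclconf.h>` include, so the comment now names a type the header no longer references. Change it to `\li 'ac' to point to an initialized cfg_aclconfctx_t.`. The other names in that list ('lctx', 'cctx', 'czone') do not match the prototype's config/vconfig/zconfig either; that predates this change, but the block is being rewritten line by line here and is the natural place to align them.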
+++ b/contrib/bind9/bin/named/interfacemgr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.c,v 1.59.2.5.8.18 2006/07/19 00:16:28 marka Exp $ */ +/* $Id: interfacemgr.c,v 1.76.18.8 2006/07/20 01:10:30 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -37,24 +39,29 @@ #define IFMGR_COMMON_LOGARGS \ ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR +/*% nameserver interface manager structure */ struct ns_interfacemgr { - unsigned int magic; /* Magic number. */ + unsigned int magic; /*%< Magic number. */ int references; isc_mutex_t lock; - isc_mem_t * mctx; /* Memory context. */ - isc_taskmgr_t * taskmgr; /* Task manager. */ - isc_socketmgr_t * socketmgr; /* Socket manager. */ + isc_mem_t * mctx; /*%< Memory context. */ + isc_taskmgr_t * taskmgr; /*%< Task manager. */ + isc_socketmgr_t * socketmgr; /*%< Socket manager. */ dns_dispatchmgr_t * dispatchmgr; - unsigned int generation; /* Current generation no. */ + unsigned int generation; /*%< Current generation no. */ ns_listenlist_t * listenon4; ns_listenlist_t * listenon6; - dns_aclenv_t aclenv; /* Localhost/localnets ACLs */ - ISC_LIST(ns_interface_t) interfaces; /* List of interfaces. */ + dns_aclenv_t aclenv; /*%< Localhost/localnets ACLs */ + ISC_LIST(ns_interface_t) interfaces; /*%< List of interfaces. */ + ISC_LIST(isc_sockaddr_t) listenon; }; static void purge_old_interfaces(ns_interfacemgr_t *mgr); +static void +clearlistenon(ns_interfacemgr_t *mgr); + isc_result_t ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr, 
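Review bot: The new `ISC_LIST(isc_sockaddr_t) listenon;` member is the only field of struct ns_interfacemgr left without a `/*%<` comment after this hunk converts every other one, and its name sits beside `listenon4`/`listenon6`, which hold configured ns_listenlist_t lists rather than bound addresses, so the three are easy to confuse. A comment such as `/*%< Address+port pairs recorded by setup_listenon() on the last scan; entries allocated from mctx, released by clearlistenon() */` would state both the distinction and the ownership, which matters because a public function walks this list.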
@@ -85,6 +92,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, mgr->listenon6 = NULL; ISC_LIST_INIT(mgr->interfaces); + ISC_LIST_INIT(mgr->listenon); /* * The listen-on lists are initially empty. @@ -117,6 +125,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) { dns_aclenv_destroy(&mgr->aclenv); ns_listenlist_detach(&mgr->listenon4); ns_listenlist_detach(&mgr->listenon6); + clearlistenon(mgr); DESTROYLOCK(&mgr->lock); mgr->magic = 0; isc_mem_put(mgr->mctx, mgr, sizeof(*mgr)); @@ -158,7 +167,7 @@ void ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) { REQUIRE(NS_INTERFACEMGR_VALID(mgr)); - /* + /*% * Shut down and detach all interfaces. * By incrementing the generation count, we make purge_old_interfaces() * consider all interfaces "old". @@ -432,7 +441,7 @@ ns_interface_detach(ns_interface_t **targetp) { *targetp = NULL; } -/* +/*% * Search the interface list for an interface whose address and port * both match those of 'addr'. Return a pointer to it, or NULL if not found. */ @@ -447,7 +456,7 @@ find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { return (ifp); } -/* +/*% * Remove any interfaces whose generation number is not the current one. */ static void 
@@ -537,6 +546,43 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) { return (ISC_R_SUCCESS); } +static void +setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface, + in_port_t port) +{ + isc_sockaddr_t *addr; + isc_sockaddr_t *old; + + addr = isc_mem_get(mgr->mctx, sizeof(*addr)); + if (addr == NULL) + return; + + isc_sockaddr_fromnetaddr(addr, &interface->address, port); + + for (old = ISC_LIST_HEAD(mgr->listenon); + old != NULL; + old = ISC_LIST_NEXT(old, link)) + if (isc_sockaddr_equal(addr, old)) + break; + + if (old != NULL) + isc_mem_put(mgr->mctx, addr, sizeof(*addr)); + else + ISC_LIST_APPEND(mgr->listenon, addr, link); +} + +static void +clearlistenon(ns_interfacemgr_t *mgr) { + isc_sockaddr_t *old; + + old = ISC_LIST_HEAD(mgr->listenon); + while (old != NULL) { + ISC_LIST_UNLINK(mgr->listenon, old, link); + isc_mem_put(mgr->mctx, old, sizeof(*old)); + old = ISC_LIST_HEAD(mgr->listenon); + } +} + static isc_result_t do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, isc_boolean_t verbose) @@ -553,6 +599,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, isc_sockaddr_t listen_addr; ns_interface_t *ifp; isc_boolean_t log_explicit = ISC_FALSE; + isc_boolean_t dolistenon; if (ext_listen != NULL) adjusting = ISC_TRUE; @@ -643,6 +690,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, result = clearacl(mgr->mctx, &mgr->aclenv.localnets); if (result != ISC_R_SUCCESS) goto cleanup_iter; + clearlistenon(mgr); } for (result = isc_interfaceiter_first(iter); @@ -688,6 +736,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, } ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6; + dolistenon = ISC_TRUE; for (le = ISC_LIST_HEAD(ll->elts); le != NULL; le = ISC_LIST_NEXT(le, link)) 
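Review bot: setup_listenon() returns silently when `isc_mem_get()` fails, so under memory pressure an address the server does bind is simply absent from `mgr->listenon`, a later `ns_interfacemgr_listeningon()` query quietly answers ISC_FALSE for it, and the caller in do_scan has no way to notice. Returning an isc_result_t and letting do_scan treat ISC_R_NOMEMORY like its other allocation failures (or at least logging the omission with IFMGR_COMMON_LOGARGS) makes the false negative diagnosable. The function also allocates before the duplicate check, so the duplicate path is an allocate-then-free; building the candidate on the stack and allocating only when appending removes that, as below. do_scan's body continues past this hunk, so the caller-side handling of the new return value is not shown here.
```c
static isc_result_t
setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface,
	       in_port_t port)
{
	isc_sockaddr_t probe;
	isc_sockaddr_t *old;
	isc_sockaddr_t *addr;

	isc_sockaddr_fromnetaddr(&probe, &interface->address, port);

	for (old = ISC_LIST_HEAD(mgr->listenon);
	     old != NULL;
	     old = ISC_LIST_NEXT(old, link))
		if (isc_sockaddr_equal(&probe, old))
			return (ISC_R_SUCCESS);	/* already recorded */

	addr = isc_mem_get(mgr->mctx, sizeof(*addr));
	if (addr == NULL)
		return (ISC_R_NOMEMORY);	/* caller decides; do not drop silently */
	*addr = probe;
	ISC_LINK_INIT(addr, link);
	ISC_LIST_APPEND(mgr->listenon, addr, link);
	return (ISC_R_SUCCESS);
}
/* … unchanged: clearlistenon() … */
```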
@@ -723,6 +772,11 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, if (match <= 0) continue; + if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) { + setup_listenon(mgr, &interface, le->port); + dolistenon = ISC_FALSE; + } + /* * The case of "any" IPv6 address will require * special considerations later, so remember it. @@ -909,3 +963,16 @@ ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) { } UNLOCK(&mgr->lock); } + +isc_boolean_t +ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { + isc_sockaddr_t *old; + + old = ISC_LIST_HEAD(mgr->listenon); + for (old = ISC_LIST_HEAD(mgr->listenon); + old != NULL; + old = ISC_LIST_NEXT(old, link)) + if (isc_sockaddr_equal(old, addr)) + return (ISC_TRUE); + return (ISC_FALSE); +} diff --git a/contrib/bind9/bin/named/listenlist.c b/contrib/bind9/bin/named/listenlist.c index bba164f..7e70ac9 100644 --- a/contrib/bind9/bin/named/listenlist.c +++ b/contrib/bind9/bin/named/listenlist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: listenlist.c,v 1.9.208.1 2004/03/06 10:21:18 marka Exp $ */ +/* $Id: listenlist.c,v 1.10.18.2 2005/04/29 00:15:22 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c index 9032af7..af75bab 100644 --- a/contrib/bind9/bin/named/log.c +++ b/contrib/bind9/bin/named/log.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any 
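Review bot: The new `dolistenon` guard records only the port of the first listen-on element that matches an interface; if the remainder of the loop over `ll->elts` goes on to bind the same address on a second port (a second listen-on clause with a different port; that code is outside the hunk), that address/port pair never reaches `mgr->listenon` and `ns_interfacemgr_listeningon()` will deny it. If one entry per address is intended, a comment saying so (`/* record the address once, under the first matching listen-on port */`) stops the next reader treating this as a bug; otherwise drop the flag and rely on setup_listenon()'s own duplicate check. do_scan starts and ends outside this hunk.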
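Review bot: ns_interfacemgr_listeningon() walks `mgr->listenon` with no synchronization, while clearlistenon() frees every node of that list during a rescan; if a rescan can run concurrently with a caller of this function (whether do_scan runs under `mgr->lock` is not visible in this diff), the walk can dereference a node `isc_mem_put()` has already released, so either both sides should take `mgr->lock` as ns_interfacemgr_dumprecursing() does in the context lines above, or the single-task assumption should be written down next to the list. The function also lacks the `REQUIRE(NS_INTERFACEMGR_VALID(mgr));` that the file's other public entry points start with, and the `old = ISC_LIST_HEAD(mgr->listenon);` line before the for statement is dead since the for-init repeats it. A header comment in the file's style, `/*%< Return ISC_TRUE if 'addr' (address and port) was recorded as a listen-on socket by the last interface scan. */`, is missing for this new public function.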
@@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.c,v 1.33.2.1.10.6 2005/05/24 23:58:17 marka Exp $ */ +/* $Id: log.c,v 1.37.18.6 2006/06/09 00:54:08 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -29,9 +31,10 @@ #define ISC_FACILITY LOG_DAEMON #endif -/* +/*% * When adding a new category, be sure to add the appropriate - * #define to <named/log.h>. + * #define to <named/log.h> and to update the list in + * bin/check/check-tool.c. */ static isc_logcategory_t categories[] = { { "", 0 }, @@ -44,7 +47,7 @@ static isc_logcategory_t categories[] = { { NULL, 0 } }; -/* +/*% * When adding a new module, be sure to add the appropriate * #define to <dns/log.h>. */ @@ -78,6 +81,9 @@ ns_log_init(isc_boolean_t safe) { if (result != ISC_R_SUCCESS) return (result); + /* + * named-checktool.c:setup_logging() needs to be kept in sync. + */ isc_log_registercategories(ns_g_lctx, ns_g_categories); isc_log_registermodules(ns_g_lctx, ns_g_modules); isc_log_setcontext(ns_g_lctx); diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c index 1bf3b55..ce815f4 100644 --- a/contrib/bind9/bin/named/logconf.c +++ b/contrib/bind9/bin/named/logconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: logconf.c,v 1.30.2.3.10.4 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: logconf.c,v 1.35.18.5 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -36,7 +38,7 @@ if (result != ISC_R_SUCCESS) goto cleanup; \ } while (0) -/* +/*% * Set up a logging category according to the named.conf data * in 'ccat' and add it to 'lctx'. */ 
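Review bot: The comment added in ns_log_init() points at `named-checktool.c:setup_logging()`, but the category comment changed earlier in this same file section refers to `bin/check/check-tool.c`, and a maintainer grepping for the first name will find no such file. Suggest `* bin/check/check-tool.c:setup_logging() needs to be kept in sync.` so both cross-references name the same file. ns_log_init starts outside this hunk.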
@@ -84,7 +86,7 @@ category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) { return (ISC_R_SUCCESS); } -/* +/*% * Set up a logging channel according to the named.conf data * in 'cchan' and add it to 'lctx'. */ diff --git a/contrib/bind9/bin/named/lwaddr.c b/contrib/bind9/bin/named/lwaddr.c index 1bd8d82..78c2b0b 100644 --- a/contrib/bind9/bin/named/lwaddr.c +++ b/contrib/bind9/bin/named/lwaddr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwaddr.c,v 1.3.208.1 2004/03/06 10:21:18 marka Exp $ */ +/* $Id: lwaddr.c,v 1.4.18.2 2005/04/29 00:15:23 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -29,7 +31,7 @@ #include <named/lwaddr.h> -/* +/*% * Convert addresses from lwres to isc format. */ isc_result_t @@ -63,7 +65,7 @@ lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la, return (ISC_R_SUCCESS); } -/* +/*% * Convert addresses from isc to lwres format. */ diff --git a/contrib/bind9/bin/named/lwdclient.c b/contrib/bind9/bin/named/lwdclient.c index 7975a49..68069ed 100644 --- a/contrib/bind9/bin/named/lwdclient.c +++ b/contrib/bind9/bin/named/lwdclient.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdclient.c,v 1.13.12.5 2004/03/08 09:04:15 marka Exp $ */ +/* $Id: lwdclient.c,v 1.17.18.2 2005/04/29 00:15:23 marka Exp $ */ + +/*! \file */ #include <config.h> 
diff --git a/contrib/bind9/bin/named/lwderror.c b/contrib/bind9/bin/named/lwderror.c index 51cecf0..db25824 100644 --- a/contrib/bind9/bin/named/lwderror.c +++ b/contrib/bind9/bin/named/lwderror.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwderror.c,v 1.7.208.1 2004/03/06 10:21:18 marka Exp $ */ +/* $Id: lwderror.c,v 1.8.18.2 2005/04/29 00:15:24 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -25,7 +27,7 @@ #include <named/types.h> #include <named/lwdclient.h> -/* +/*% * Generate an error packet for the client, schedule a send, and put us in * the SEND state. * diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c index 539c25b..454d4df 100644 --- a/contrib/bind9/bin/named/lwdgabn.c +++ b/contrib/bind9/bin/named/lwdgabn.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgabn.c,v 1.13.12.5 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: lwdgabn.c,v 1.15.18.5 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -47,7 +49,7 @@ static isc_result_t start_find(ns_lwdclient_t *); static void restart_find(ns_lwdclient_t *); static void init_gabn(ns_lwdclient_t *); -/* +/*% * Destroy any finds. This can be used to "start over from scratch" and * should only be called when events are _not_ being generated by the finds. */ 
@@ -432,7 +434,7 @@ restart_find(ns_lwdclient_t *client) { client->clientmgr->task, process_gabn_finddone, client, dns_fixedname_name(&client->target_name), - dns_rootname, options, 0, + dns_rootname, 0, options, 0, dns_fixedname_name(&client->target_name), client->clientmgr->view->dstport, &client->find); diff --git a/contrib/bind9/bin/named/lwdgnba.c b/contrib/bind9/bin/named/lwdgnba.c index 21ef804..a500d27 100644 --- a/contrib/bind9/bin/named/lwdgnba.c +++ b/contrib/bind9/bin/named/lwdgnba.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */ +/* $Id: lwdgnba.c,v 1.16.18.2 2005/04/29 00:15:24 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c index 3ad9e9e..c1b2b1e 100644 --- a/contrib/bind9/bin/named/lwdgrbn.c +++ b/contrib/bind9/bin/named/lwdgrbn.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgrbn.c,v 1.11.208.5 2006/01/04 23:50:19 marka Exp $ */ +/* $Id: lwdgrbn.c,v 1.13.18.5 2006/12/07 23:57:58 marka Exp $ */ + +/*! \file */ #include <config.h> 
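Review bot: The argument inserted into the dns_adb_createfind() call is a bare `0` between `dns_rootname` and `options`, and nothing at the call site says what it selects, so a reader cannot tell a type selector from a flags word or a depth. If this is the new rdata-type parameter, the named constant (`dns_rdatatype_none`) or at minimum a `/* qtype */` marker beside it makes the intent visible, and the same applies to every other call site this commit updates. restart_find starts and ends outside this hunk.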
@@ -183,8 +185,6 @@ iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node, isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens)); if (newrdatas != NULL) isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas)); - if (newlens != NULL) - isc_mem_put(mctx, newlens, used * sizeof(*oldlens)); return (result); } diff --git a/contrib/bind9/bin/named/lwdnoop.c b/contrib/bind9/bin/named/lwdnoop.c index 30d95ee..fa591b4 100644 --- a/contrib/bind9/bin/named/lwdnoop.c +++ b/contrib/bind9/bin/named/lwdnoop.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdnoop.c,v 1.6.208.1 2004/03/06 10:21:19 marka Exp $ */ +/* $Id: lwdnoop.c,v 1.7.18.2 2005/04/29 00:15:25 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8 index 1333a5d..7275d29 100644 --- a/contrib/bind9/bin/named/lwresd.8 +++ b/contrib/bind9/bin/named/lwresd.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any 
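Review bot: After this hunk the visible cleanup in iterate_node() releases `oldlens` and `newrdatas` but no longer `newlens`, and the reason is not recorded, presumably `newlens` has already been handed over or swapped into `oldlens` earlier in the function (outside the hunk), so the removed put was a double free. Without a note the next reader will see an apparent leak and may reintroduce exactly the line this change deletes; a one-line comment above the remaining `isc_mem_put()` calls naming which buffers the cleanup still owns at that point would prevent that. Minor: the `newrdatas` release uses `sizeof(*oldrdatas)` as the element size, which is correct only while both arrays share a type, whereas `sizeof(*newrdatas)` is self-evidently right. iterate_node starts outside this hunk.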
@@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwresd.8,v 1.13.208.6 2006/06/29 13:02:30 marka Exp $ +.\" $Id: lwresd.8,v 1.15.18.10 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: lwresd .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 
@@ -60,42 +60,57 @@ entries are present, or if forwarding fails, \fBlwresd\fR resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints. .SH "OPTIONS" -.TP 3n +.PP \-C \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, \fI/etc/resolv.conf\fR. -.TP 3n +.RE +.PP \-d \fIdebug\-level\fR +.RS 4 Set the daemon's debug level to \fIdebug\-level\fR. Debugging traces from \fBlwresd\fR become more verbose as the debug level increases. -.TP 3n +.RE +.PP \-f +.RS 4 Run the server in the foreground (i.e. do not daemonize). -.TP 3n +.RE +.PP \-g +.RS 4 Run the server in the foreground and force all logging to \fIstderr\fR. -.TP 3n +.RE +.PP \-n \fI#cpus\fR +.RS 4 Create \fI#cpus\fR worker threads to take advantage of multiple CPUs. If not specified, \fBlwresd\fR will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -.TP 3n +.RE +.PP \-P \fIport\fR +.RS 4 Listen for lightweight resolver queries on port \fIport\fR. If not specified, the default is port 921. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Send DNS lookups to port \fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number. -.TP 3n +.RE +.PP \-s +.RS 4 Write memory usage statistics to \fIstdout\fR on exit. @@ -103,8 +118,10 @@ on exit. .B "Note:" This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. .RE -.TP 3n +.RE +.PP \-t \fIdirectory\fR +.RS 4 \fBchroot()\fR to \fIdirectory\fR 
@@ -117,22 +134,31 @@ option, as chrooting a process running as root doesn't enhance security on most \fBchroot()\fR is defined allows a process with root privileges to escape a chroot jail. .RE -.TP 3n +.RE +.PP \-u \fIuser\fR +.RS 4 \fBsetuid()\fR to \fIuser\fR after completing privileged operations, such as creating sockets that listen on privileged ports. -.TP 3n +.RE +.PP \-v +.RS 4 Report the version number and exit. +.RE .SH "FILES" -.TP 3n +.PP \fI/etc/resolv.conf\fR +.RS 4 The default configuration file. -.TP 3n +.RE +.PP \fI/var/run/lwresd.pid\fR +.RS 4 The default process\-id file. +.RE .SH "SEE ALSO" .PP \fBnamed\fR(8), @@ -142,4 +168,7 @@ The default process\-id file. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c index e48822f..a1073fa 100644 --- a/contrib/bind9/bin/named/lwresd.c +++ b/contrib/bind9/bin/named/lwresd.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,9 +15,10 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwresd.c,v 1.37.2.2.2.8 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: lwresd.c,v 1.46.18.7 2006/03/02 00:37:21 marka Exp $ */ -/* +/*! \file + * \brief * Main program for the Lightweight Resolver Daemon. * * To paraphrase the old saying about X11, "It's not a lightweight deamon 
@@ -59,11 +60,11 @@ #define LWRESLISTENER_MAGIC ISC_MAGIC('L', 'W', 'R', 'L') #define VALID_LWRESLISTENER(l) ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC) -/* +/*! * The total number of clients we can handle will be NTASKS * NRECVS. */ -#define NTASKS 2 /* tasks to create to handle lwres queries */ -#define NRECVS 2 /* max clients per task */ +#define NTASKS 2 /*%< tasks to create to handle lwres queries */ +#define NRECVS 2 /*%< max clients per task */ typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t; @@ -78,7 +79,7 @@ initialize_mutex(void) { } -/* +/*% * Wrappers around our memory management stuff, for the lwres functions. */ void * @@ -511,13 +512,19 @@ listener_create(isc_mem_t *mctx, ns_lwresd_t *lwresd, ns_lwreslistener_t **listenerp) { ns_lwreslistener_t *listener; + isc_result_t result; REQUIRE(listenerp != NULL && *listenerp == NULL); listener = isc_mem_get(mctx, sizeof(ns_lwreslistener_t)); if (listener == NULL) return (ISC_R_NOMEMORY); - RUNTIME_CHECK(isc_mutex_init(&listener->lock) == ISC_R_SUCCESS); + + result = isc_mutex_init(&listener->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, listener, sizeof(ns_lwreslistener_t)); + return (result); + } listener->magic = LWRESLISTENER_MAGIC; listener->refs = 1; diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook index c1f500b..d1eabfa 100644 --- a/contrib/bind9/bin/named/lwresd.docbook +++ b/contrib/bind9/bin/named/lwresd.docbook 
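Review bot: The error path added in listener_create() releases `listener` with `sizeof(ns_lwreslistener_t)`, mirroring the allocation a few lines up; writing `sizeof(*listener)` in both places ties the size to the variable instead of the type name, which is the form that survives a later type rename. The substance of the change is sound: the object is freed before `magic` or `refs` is set, so no partially initialized listener escapes, and replacing RUNTIME_CHECK with a returned result lets the caller fail gracefully. listener_create's body continues past the hunk.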
@@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,8 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: lwresd.docbook,v 1.6.208.4 2005/05/13 01:22:33 marka Exp $ --> - +<!-- $Id: lwresd.docbook,v 1.7.18.5 2007/01/29 23:57:20 marka Exp $ --> <refentry> <refentryinfo> <date>June 30, 2000</date> @@ -31,10 +30,16 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>lwresd</application></refname> + <refpurpose>lightweight resolver daemon</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -44,11 +49,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>lwresd</application></refname> - <refpurpose>lightweight resolver daemon</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>lwresd</command> 
@@ -69,37 +69,39 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>lwresd</command> is the daemon providing name lookup - services to clients that use the BIND 9 lightweight resolver - library. It is essentially a stripped-down, caching-only name - server that answers queries using the BIND 9 lightweight - resolver protocol rather than the DNS protocol. + + <para><command>lwresd</command> + is the daemon providing name lookup + services to clients that use the BIND 9 lightweight resolver + library. It is essentially a stripped-down, caching-only name + server that answers queries using the BIND 9 lightweight + resolver protocol rather than the DNS protocol. </para> - <para> - <command>lwresd</command> listens for resolver queries on a - UDP port on the IPv4 loopback interface, 127.0.0.1. This - means that <command>lwresd</command> can only be used by - processes running on the local machine. By default UDP port - number 921 is used for lightweight resolver requests and - responses. + + <para><command>lwresd</command> + listens for resolver queries on a + UDP port on the IPv4 loopback interface, 127.0.0.1. This + means that <command>lwresd</command> can only be used by + processes running on the local machine. By default UDP port + number 921 is used for lightweight resolver requests and + responses. </para> <para> - Incoming lightweight resolver requests are decoded by the - server which then resolves them using the DNS protocol. When - the DNS lookup completes, <command>lwresd</command> encodes - the answers in the lightweight resolver format and returns - them to the client that made the request. + Incoming lightweight resolver requests are decoded by the + server which then resolves them using the DNS protocol. When + the DNS lookup completes, <command>lwresd</command> encodes + the answers in the lightweight resolver format and returns + them to the client that made the request. 
</para> <para> - If <filename>/etc/resolv.conf</filename> contains any - <option>nameserver</option> entries, <command>lwresd</command> - sends recursive DNS queries to those servers. This is similar - to the use of forwarders in a caching name server. If no - <option>nameserver</option> entries are present, or if - forwarding fails, <command>lwresd</command> resolves the - queries autonomously starting at the root name servers, using - a built-in list of root server hints. + If <filename>/etc/resolv.conf</filename> contains any + <option>nameserver</option> entries, <command>lwresd</command> + sends recursive DNS queries to those servers. This is similar + to the use of forwarders in a caching name server. If no + <option>nameserver</option> entries are present, or if + forwarding fails, <command>lwresd</command> resolves the + queries autonomously starting at the root name servers, using + a built-in list of root server hints. </para> </refsect1> 
@@ -108,145 +110,139 @@ <variablelist> <varlistentry> - <term>-C <replaceable class="parameter">config-file</replaceable></term> - <listitem> - <para> - Use <replaceable - class="parameter">config-file</replaceable> as the - configuration file instead of the default, - <filename>/etc/resolv.conf</filename>. + <term>-C <replaceable class="parameter">config-file</replaceable></term> + <listitem> + <para> + Use <replaceable class="parameter">config-file</replaceable> as the + configuration file instead of the default, + <filename>/etc/resolv.conf</filename>. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-d <replaceable class="parameter">debug-level</replaceable></term> - <listitem> - <para> - Set the daemon's debug level to <replaceable - class="parameter">debug-level</replaceable>. - Debugging traces from <command>lwresd</command> become - more verbose as the debug level increases. + <term>-d <replaceable class="parameter">debug-level</replaceable></term> + <listitem> + <para> + Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>. + Debugging traces from <command>lwresd</command> become + more verbose as the debug level increases. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-f</term> - <listitem> - <para> - Run the server in the foreground (i.e. do not daemonize). + <term>-f</term> + <listitem> + <para> + Run the server in the foreground (i.e. do not daemonize). </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-g</term> - <listitem> - <para> - Run the server in the foreground and force all logging - to <filename>stderr</filename>. + <term>-g</term> + <listitem> + <para> + Run the server in the foreground and force all logging + to <filename>stderr</filename>. 
</para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-n <replaceable class="parameter">#cpus</replaceable></term> - <listitem> - <para> - Create <replaceable - class="parameter">#cpus</replaceable> worker threads - to take advantage of multiple CPUs. If not specified, - <command>lwresd</command> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + <term>-n <replaceable class="parameter">#cpus</replaceable></term> + <listitem> + <para> + Create <replaceable class="parameter">#cpus</replaceable> worker threads + to take advantage of multiple CPUs. If not specified, + <command>lwresd</command> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-P <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Listen for lightweight resolver queries on port - <replaceable class="parameter">port</replaceable>. If - not specified, the default is port 921. + <term>-P <replaceable class="parameter">port</replaceable></term> + <listitem> + <para> + Listen for lightweight resolver queries on port + <replaceable class="parameter">port</replaceable>. If + not specified, the default is port 921. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-p <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Send DNS lookups to port <replaceable - class="parameter">port</replaceable>. If not - specified, the default is port 53. This provides a - way of testing the lightweight resolver daemon with a - name server that listens for queries on a non-standard - port number. 
+ <term>-p <replaceable class="parameter">port</replaceable></term> + <listitem> + <para> + Send DNS lookups to port <replaceable class="parameter">port</replaceable>. If not + specified, the default is port 53. This provides a + way of testing the lightweight resolver daemon with a + name server that listens for queries on a non-standard + port number. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-s</term> - <listitem> - <para> - Write memory usage statistics to <filename>stdout</filename> - on exit. + <term>-s</term> + <listitem> + <para> + Write memory usage statistics to <filename>stdout</filename> + on exit. </para> - <note> - <para> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </para> - </note> - </listitem> + <note> + <para> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </para> + </note> + </listitem> </varlistentry> <varlistentry> - <term>-t <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - <function>chroot()</function> to <replaceable - class="parameter">directory</replaceable> after - processing the command line arguments, but before - reading the configuration file. + <term>-t <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para><function>chroot()</function> + to <replaceable class="parameter">directory</replaceable> after + processing the command line arguments, but before + reading the configuration file. </para> - <warning> - <para> - This option should be used in conjunction with the - <option>-u</option> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <function>chroot()</function> is - defined allows a process with root privileges to - escape a chroot jail. 
- </para> - </warning> - </listitem> + <warning> + <para> + This option should be used in conjunction with the + <option>-u</option> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <function>chroot()</function> is + defined allows a process with root privileges to + escape a chroot jail. + </para> + </warning> + </listitem> </varlistentry> <varlistentry> - <term>-u <replaceable class="parameter">user</replaceable></term> - <listitem> - <para> - <function>setuid()</function> to <replaceable - class="parameter">user</replaceable> after completing - privileged operations, such as creating sockets that - listen on privileged ports. + <term>-u <replaceable class="parameter">user</replaceable></term> + <listitem> + <para><function>setuid()</function> + to <replaceable class="parameter">user</replaceable> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-v</term> - <listitem> - <para> - Report the version number and exit. + <term>-v</term> + <listitem> + <para> + Report the version number and exit. </para> - </listitem> + </listitem> </varlistentry> </variablelist> @@ -259,21 +255,21 @@ <variablelist> <varlistentry> - <term><filename>/etc/resolv.conf</filename></term> - <listitem> - <para> - The default configuration file. + <term><filename>/etc/resolv.conf</filename></term> + <listitem> + <para> + The default configuration file. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term><filename>/var/run/lwresd.pid</filename></term> - <listitem> - <para> - The default process-id file. + <term><filename>/var/run/lwresd.pid</filename></term> + <listitem> + <para> + The default process-id file. </para> - </listitem> + </listitem> </varlistentry> </variablelist> 
@@ -282,33 +278,25 @@ <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>named</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>lwres</refentrytitle> - <manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>resolver</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry>. + <para><citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. </para> </refsect1> <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html index 6ab7824..e25dfcf 100644 --- a/contrib/bind9/bin/named/lwresd.html +++ b/contrib/bind9/bin/named/lwresd.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: lwresd.html,v 1.4.2.1.4.10 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: lwresd.html,v 1.5.18.16 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>lwresd</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="id2476275"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">lwresd</span> — lightweight resolver daemon</p> 
@@ -32,157 +32,155 @@ <div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549484"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">lwresd</strong></span> is the daemon providing name lookup - services to clients that use the BIND 9 lightweight resolver - library. It is essentially a stripped-down, caching-only name - server that answers queries using the BIND 9 lightweight - resolver protocol rather than the DNS protocol. +<a name="id2543435"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">lwresd</strong></span> + is the daemon providing name lookup + services to clients that use the BIND 9 lightweight resolver + library. It is essentially a stripped-down, caching-only name + server that answers queries using the BIND 9 lightweight + resolver protocol rather than the DNS protocol. </p> -<p> - <span><strong class="command">lwresd</strong></span> listens for resolver queries on a - UDP port on the IPv4 loopback interface, 127.0.0.1. This - means that <span><strong class="command">lwresd</strong></span> can only be used by - processes running on the local machine. 
By default UDP port - number 921 is used for lightweight resolver requests and - responses. +<p><span><strong class="command">lwresd</strong></span> + listens for resolver queries on a + UDP port on the IPv4 loopback interface, 127.0.0.1. This + means that <span><strong class="command">lwresd</strong></span> can only be used by + processes running on the local machine. By default UDP port + number 921 is used for lightweight resolver requests and + responses. </p> <p> - Incoming lightweight resolver requests are decoded by the - server which then resolves them using the DNS protocol. When - the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes - the answers in the lightweight resolver format and returns - them to the client that made the request. + Incoming lightweight resolver requests are decoded by the + server which then resolves them using the DNS protocol. When + the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes + the answers in the lightweight resolver format and returns + them to the client that made the request. </p> <p> - If <code class="filename">/etc/resolv.conf</code> contains any - <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span> - sends recursive DNS queries to those servers. This is similar - to the use of forwarders in a caching name server. If no - <code class="option">nameserver</code> entries are present, or if - forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the - queries autonomously starting at the root name servers, using - a built-in list of root server hints. + If <code class="filename">/etc/resolv.conf</code> contains any + <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span> + sends recursive DNS queries to those servers. This is similar + to the use of forwarders in a caching name server. 
If no + <code class="option">nameserver</code> entries are present, or if + forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the + queries autonomously starting at the root name servers, using + a built-in list of root server hints. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549533"></a><h2>OPTIONS</h2> +<a name="id2543482"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt> <dd><p> - Use <em class="replaceable"><code>config-file</code></em> as the - configuration file instead of the default, - <code class="filename">/etc/resolv.conf</code>. + Use <em class="replaceable"><code>config-file</code></em> as the + configuration file instead of the default, + <code class="filename">/etc/resolv.conf</code>. </p></dd> <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> <dd><p> - Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. - Debugging traces from <span><strong class="command">lwresd</strong></span> become - more verbose as the debug level increases. + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">lwresd</strong></span> become + more verbose as the debug level increases. </p></dd> <dt><span class="term">-f</span></dt> <dd><p> - Run the server in the foreground (i.e. do not daemonize). + Run the server in the foreground (i.e. do not daemonize). </p></dd> <dt><span class="term">-g</span></dt> <dd><p> - Run the server in the foreground and force all logging - to <code class="filename">stderr</code>. + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. 
</p></dd> <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> <dd><p> - Create <em class="replaceable"><code>#cpus</code></em> worker threads - to take advantage of multiple CPUs. If not specified, - <span><strong class="command">lwresd</strong></span> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + Create <em class="replaceable"><code>#cpus</code></em> worker threads + to take advantage of multiple CPUs. If not specified, + <span><strong class="command">lwresd</strong></span> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </p></dd> <dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Listen for lightweight resolver queries on port - <em class="replaceable"><code>port</code></em>. If - not specified, the default is port 921. + Listen for lightweight resolver queries on port + <em class="replaceable"><code>port</code></em>. If + not specified, the default is port 921. </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not - specified, the default is port 53. This provides a - way of testing the lightweight resolver daemon with a - name server that listens for queries on a non-standard - port number. + Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not + specified, the default is port 53. This provides a + way of testing the lightweight resolver daemon with a + name server that listens for queries on a non-standard + port number. </p></dd> <dt><span class="term">-s</span></dt> <dd> <p> - Write memory usage statistics to <code class="filename">stdout</code> - on exit. 
+ Write memory usage statistics to <code class="filename">stdout</code> + on exit. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </p> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </p> </div> </dd> <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> <dd> -<p> - <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after - processing the command line arguments, but before - reading the configuration file. +<p><code class="function">chroot()</code> + to <em class="replaceable"><code>directory</code></em> after + processing the command line arguments, but before + reading the configuration file. </p> <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Warning</h3> <p> - This option should be used in conjunction with the - <code class="option">-u</code> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <code class="function">chroot()</code> is - defined allows a process with root privileges to - escape a chroot jail. - </p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <code class="function">chroot()</code> is + defined allows a process with root privileges to + escape a chroot jail. + </p> </div> </dd> <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> -<dd><p> - <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing - privileged operations, such as creating sockets that - listen on privileged ports. 
+<dd><p><code class="function">setuid()</code> + to <em class="replaceable"><code>user</code></em> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </p></dd> <dt><span class="term">-v</span></dt> <dd><p> - Report the version number and exit. + Report the version number and exit. </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549939"></a><h2>FILES</h2> +<a name="id2543746"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt> <dd><p> - The default configuration file. + The default configuration file. </p></dd> <dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt> <dd><p> - The default process-id file. + The default process-id file. </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549978"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, - <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, - <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. +<a name="id2543785"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, + <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550017"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543819"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/named/lwsearch.c b/contrib/bind9/bin/named/lwsearch.c index 8b9ea52..4a61f96 100644 --- a/contrib/bind9/bin/named/lwsearch.c +++ b/contrib/bind9/bin/named/lwsearch.c 
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwsearch.c,v 1.7.208.1 2004/03/06 10:21:20 marka Exp $ */
+/* $Id: lwsearch.c,v 1.8.18.3 2005/07/12 01:22:17 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -38,6 +40,7 @@ isc_result_t
 ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) {
 	ns_lwsearchlist_t *list;
+	isc_result_t result;
 
 	REQUIRE(mctx != NULL);
 	REQUIRE(listp != NULL && *listp == NULL);
@@ -46,7 +49,11 @@ ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) {
 	if (list == NULL)
 		return (ISC_R_NOMEMORY);
 
-	RUNTIME_CHECK(isc_mutex_init(&list->lock) == ISC_R_SUCCESS);
+	result = isc_mutex_init(&list->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t));
+		return (result);
+	}
 	list->mctx = NULL;
 	isc_mem_attach(mctx, &list->mctx);
 	list->refs = 1;
diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c
index 960de2a..6b9b67e 100644
--- a/contrib/bind9/bin/named/main.c
+++ b/contrib/bind9/bin/named/main.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.119.2.3.2.25 2006/11/10 18:51:06 marka Exp $ */
+/* $Id: main.c,v 1.136.18.17 2006/11/10 18:51:14 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -71,6 +73,13 @@
  */
 /* #include "xxdb.h" */
 
+/*
+ * Include DLZ drivers if appropriate.
+ */
+#ifdef DLZ
+#include <dlz/dlz_drivers.h>
+#endif
+
 static isc_boolean_t want_stats = ISC_FALSE;
 static char program_name[ISC_DIR_NAMEMAX] = "named";
 static char absolute_conffile[ISC_DIR_PATHMAX];
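Review bot: The new failure path in ns_lwsearchlist_create() releases `list` with `sizeof(ns_lwsearchlist_t)`, a size that has to stay in step with the allocation a few lines above the hunk (not visible here); `isc_mem_put(mctx, list, sizeof(*list));` ties the size to the object rather than to the type name. The replaced `RUNTIME_CHECK` aborted on mutex-initialisation failure, so until now callers could only ever see `ISC_R_NOMEMORY` as a failure result from this function; a caller that tests for that specific code instead of `result != ISC_R_SUCCESS` would treat a propagated isc_mutex_init() error as success, which is worth checking outside this hunk. The body of ns_lwsearchlist_create() continues past the end of the hunk.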
@@ -226,7 +235,7 @@ lwresd_usage(void) {
 		" [-f|-g] [-n number_of_cpus] [-p port] "
 		"[-P listen-port] [-s]\n"
 		" [-t chrootdir] [-u username] [-i pidfile]\n"
-		" [-m {usage|trace|record}]\n");
+		" [-m {usage|trace|record|size|mctx}]\n");
 }
 
 static void
@@ -239,7 +248,7 @@ usage(void) {
 		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
 		"[-f|-g] [-n number_of_cpus]\n"
 		" [-p port] [-s] [-t chrootdir] [-u username]\n"
-		" [-m {usage|trace|record}]\n");
+		" [-m {usage|trace|record|size|mctx}]\n");
 }
 
 static void
@@ -307,6 +316,8 @@ static struct flag_def {
 	{ "trace", ISC_MEM_DEBUGTRACE },
 	{ "record", ISC_MEM_DEBUGRECORD },
 	{ "usage", ISC_MEM_DEBUGUSAGE },
+	{ "size", ISC_MEM_DEBUGSIZE },
+	{ "mctx", ISC_MEM_DEBUGCTX },
 	{ NULL, 0 }
 };
 
@@ -671,6 +682,16 @@ setup(void) {
 	 */
 	/* xxdb_init(); */
 
+#ifdef DLZ
+	/*
+	 * Registyer any DLZ drivers.
+	 */
+	result = dlz_drivers_init();
+	if (result != ISC_R_SUCCESS)
+		ns_main_earlyfatal("dlz_drivers_init() failed: %s",
+				   isc_result_totext(result));
+#endif
+
 	ns_server_create(ns_g_mctx, &ns_g_server);
 }
 
@@ -687,6 +708,15 @@ cleanup(void) {
 	 */
 	/* xxdb_clear(); */
 
+#ifdef DLZ
+	/*
+	 * Unregister any DLZ drivers.
+	 */
+	dlz_drivers_clear();
+#endif
+
+	dns_name_destroy();
+
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "exiting");
 	ns_log_shutdown();
@@ -882,6 +912,7 @@ main(int argc, char *argv[]) {
 		}
 	}
 	isc_mem_destroy(&ns_g_mctx);
+	isc_mem_checkdestroyed(stderr);
 
 	ns_main_setmemstats(NULL);
 
diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8
index 7172393..5b39e2a 100644
--- a/contrib/bind9/bin/named/named.8
+++ b/contrib/bind9/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
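Review bot: The comment added inside the `#ifdef DLZ` block of setup() has a typo, `* Registyer any DLZ drivers.`, which should read `* Register any DLZ drivers.`. The same block assigns to `result`, which the hunk does not declare; presumably setup() already has an `isc_result_t result` in scope, but that declaration lies outside the hunk and is worth confirming, since the DLZ-only use would otherwise fail to compile only in DLZ builds. Both setup() here and cleanup() in the next hunk start and end outside their hunks.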
@@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.8,v 1.17.208.9 2006/06/29 13:02:30 marka Exp $ +.\" $Id: named.8,v 1.20.18.12 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: named .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -44,22 +44,27 @@ When invoked without arguments, will read the default configuration file \fI/etc/named.conf\fR, read any initial data, and listen for queries. .SH "OPTIONS" -.TP 3n +.PP \-4 +.RS 4 Use IPv4 only even if the host machine is capable of IPv6. \fB\-4\fR and \fB\-6\fR are mutually exclusive. -.TP 3n +.RE +.PP \-6 +.RS 4 Use IPv6 only even if the host machine is capable of IPv4. \fB\-4\fR and \fB\-6\fR are mutually exclusive. -.TP 3n +.RE +.PP \-c \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, 
@@ -68,32 +73,44 @@ as the configuration file instead of the default, option in the configuration file, \fIconfig\-file\fR should be an absolute pathname. -.TP 3n +.RE +.PP \-d \fIdebug\-level\fR +.RS 4 Set the daemon's debug level to \fIdebug\-level\fR. Debugging traces from \fBnamed\fR become more verbose as the debug level increases. -.TP 3n +.RE +.PP \-f +.RS 4 Run the server in the foreground (i.e. do not daemonize). -.TP 3n +.RE +.PP \-g +.RS 4 Run the server in the foreground and force all logging to \fIstderr\fR. -.TP 3n +.RE +.PP \-n \fI#cpus\fR +.RS 4 Create \fI#cpus\fR worker threads to take advantage of multiple CPUs. If not specified, \fBnamed\fR will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Listen for queries on port \fIport\fR. If not specified, the default is port 53. -.TP 3n +.RE +.PP \-s +.RS 4 Write memory usage statistics to \fIstdout\fR on exit. @@ -101,8 +118,10 @@ on exit. .B "Note:" This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. .RE -.TP 3n +.RE +.PP \-t \fIdirectory\fR +.RS 4 \fBchroot()\fR to \fIdirectory\fR @@ -115,8 +134,10 @@ option, as chrooting a process running as root doesn't enhance security on most \fBchroot()\fR is defined allows a process with root privileges to escape a chroot jail. .RE -.TP 3n +.RE +.PP \-u \fIuser\fR +.RS 4 \fBsetuid()\fR to \fIuser\fR @@ -134,11 +155,15 @@ option only works when is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after \fBsetuid()\fR. .RE -.TP 3n +.RE +.PP \-v +.RS 4 Report the version number and exit. -.TP 3n +.RE +.PP \-x \fIcache\-file\fR +.RS 4 Load data from \fIcache\-file\fR into the cache of the default view. 
@@ -146,17 +171,22 @@ into the cache of the default view. .B "Warning:" This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release. .RE +.RE .SH "SIGNALS" .PP In routine operation, signals should not be used to control the nameserver; \fBrndc\fR should be used instead. -.TP 3n +.PP SIGHUP +.RS 4 Force a reload of the server. -.TP 3n +.RE +.PP SIGINT, SIGTERM +.RS 4 Shut down the server. +.RE .PP The result of sending any other signals to the server is undefined. .SH "CONFIGURATION" @@ -166,12 +196,16 @@ The configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual. .SH "FILES" -.TP 3n +.PP \fI/etc/named.conf\fR +.RS 4 The default configuration file. -.TP 3n +.RE +.PP \fI/var/run/named.pid\fR +.RS 4 The default process\-id file. +.RE .SH "SEE ALSO" .PP RFC 1033, @@ -185,4 +219,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001, 2003 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5 index 1ace4da..75b1bb5 100644 --- a/contrib/bind9/bin/named/named.conf.5 +++ b/contrib/bind9/bin/named/named.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -12,13 +12,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.conf.5,v 1.1.4.10 2006/09/13 02:56:20 marka Exp $ +.\" $Id: named.conf.5,v 1.1.2.23 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: \fInamed.conf\fR .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: Aug 13, 2004 .\" Manual: BIND9 .\" Source: BIND9 @@ -46,14 +46,14 @@ C++ style: // to end of line Unix style: # to end of line .SH "ACL" .sp -.RS 3n +.RS 4 .nf acl \fIstring\fR { \fIaddress_match_element\fR; ... }; .fi .RE .SH "KEY" .sp -.RS 3n +.RS 4 .nf key \fIdomain_name\fR { algorithm \fIstring\fR; @@ -63,7 +63,7 @@ key \fIdomain_name\fR { .RE .SH "MASTERS" .sp -.RS 3n +.RS 4 .nf masters \fIstring\fR [ port \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] | @@ -73,11 +73,13 @@ masters \fIstring\fR [ port \fIinteger\fR ] { .RE .SH "SERVER" .sp -.RS 3n +.RS 4 .nf -server ( \fIipv4_address\fR | \fIipv6_address\fR ) { +server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { bogus \fIboolean\fR; edns \fIboolean\fR; + edns\-udp\-size \fIinteger\fR; + max\-udp\-size \fIinteger\fR; provide\-ixfr \fIboolean\fR; request\-ixfr \fIboolean\fR; keys \fIserver_key\fR; @@ -93,7 +95,7 @@ server ( \fIipv4_address\fR | \fIipv6_address\fR ) { .RE .SH "TRUSTED\-KEYS" .sp -.RS 3n +.RS 4 .nf trusted\-keys { \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... @@ -102,7 +104,7 @@ trusted\-keys { .RE .SH "CONTROLS" .sp -.RS 3n +.RS 4 .nf controls { inet ( \fIipv4_address\fR | \fIipv6_address\fR | * ) @@ -115,7 +117,7 @@ controls { .RE .SH "LOGGING" .sp -.RS 3n +.RS 4 .nf logging { channel \fIstring\fR { @@ -134,7 +136,7 @@ logging { .RE .SH "LWRES" .sp -.RS 3n +.RS 4 .nf lwres { listen\-on [ port \fIinteger\fR ] { 
@@ -148,7 +150,7 @@ lwres { .RE .SH "OPTIONS" .sp -.RS 3n +.RS 4 .nf options { avoid\-v4\-udp\-ports { \fIport\fR; ... }; @@ -157,7 +159,6 @@ options { coresize \fIsize\fR; datasize \fIsize\fR; directory \fIquoted_string\fR; - cache\-file \fIquoted_string\fR; // test option dump\-file \fIquoted_string\fR; files \fIsize\fR; heartbeat\-interval \fIinteger\fR; @@ -205,8 +206,8 @@ options { rfc2308\-type1 \fIboolean\fR; // not yet implemented additional\-from\-auth \fIboolean\fR; additional\-from\-cache \fIboolean\fR; - query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; + query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; + query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; cleaning\-interval \fIinteger\fR; min\-roots \fIinteger\fR; // not implemented lame\-ttl \fIinteger\fR; 
@@ -214,30 +215,48 @@ options { max\-cache\-ttl \fIinteger\fR; transfer\-format ( many\-answers | one\-answer ); max\-cache\-size \fIsize_no_default\fR; + max\-acache\-size \fIsize_no_default\fR; + clients\-per\-query \fInumber\fR; + max\-clients\-per\-query \fInumber\fR; check\-names ( master | slave | response ) ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; + check\-mx ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx\-cname ( fail | warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + cache\-file \fIquoted_string\fR; // test option suppress\-initial\-notify \fIboolean\fR; // not yet implemented preferred\-glue \fIstring\fR; dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [port \fIinteger\fR] | \fIipv4_address\fR [port \fIinteger\fR] | \fIipv6_address\fR [port \fIinteger\fR] ); ... - } + }; edns\-udp\-size \fIinteger\fR; + max\-udp\-size \fIinteger\fR; root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ]; disable\-algorithms \fIstring\fR { \fIstring\fR; ... }; dnssec\-enable \fIboolean\fR; + dnssec\-validation \fIboolean\fR; dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR; dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-accept\-expired \fIboolean\fR; + empty\-server \fIstring\fR; + empty\-contact \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + disable\-empty\-zone \fIstring\fR; dialup \fIdialuptype\fR; ixfr\-from\-differences \fIixfrdiff\fR; allow\-query { \fIaddress_match_element\fR; ... }; + allow\-query\-cache { \fIaddress_match_element\fR; ... }; allow\-transfer { \fIaddress_match_element\fR; ... }; + allow\-update { \fIaddress_match_element\fR; ... }; allow\-update\-forwarding { \fIaddress_match_element\fR; ... 
}; + update\-check\-ksk \fIboolean\fR; notify \fInotifytype\fR; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; + notify\-delay \fIseconds\fR; also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... }; allow\-notify { \fIaddress_match_element\fR; ... }; @@ -267,6 +286,8 @@ options { use\-alt\-transfer\-source \fIboolean\fR; zone\-statistics \fIboolean\fR; key\-directory \fIquoted_string\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zero\-no\-soa\-ttl\-cache \fIboolean\fR; allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete deallocate\-on\-exit \fIboolean\fR; // obsolete fake\-iquery \fIboolean\fR; // obsolete @@ -284,7 +305,7 @@ options { .RE .SH "VIEW" .sp -.RS 3n +.RS 4 .nf view \fIstring\fR \fIoptional_class\fR { match\-clients { \fIaddress_match_element\fR; ... }; @@ -297,7 +318,7 @@ view \fIstring\fR \fIoptional_class\fR { zone \fIstring\fR \fIoptional_class\fR { ... }; - server ( \fIipv4_address\fR | \fIipv6_address\fR ) { + server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { ... }; trusted\-keys { @@ -318,8 +339,8 @@ view \fIstring\fR \fIoptional_class\fR { rfc2308\-type1 \fIboolean\fR; // not yet implemented additional\-from\-auth \fIboolean\fR; additional\-from\-cache \fIboolean\fR; - query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ]; + query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; + query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; cleaning\-interval \fIinteger\fR; min\-roots \fIinteger\fR; // not implemented lame\-ttl \fIinteger\fR; 
@@ -327,9 +348,16 @@ view \fIstring\fR \fIoptional_class\fR { max\-cache\-ttl \fIinteger\fR; transfer\-format ( many\-answers | one\-answer ); max\-cache\-size \fIsize_no_default\fR; + max\-acache\-size \fIsize_no_default\fR; + clients\-per\-query \fInumber\fR; + max\-clients\-per\-query \fInumber\fR; check\-names ( master | slave | response ) ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; + check\-mx ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx\-cname ( fail | warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); + cache\-file \fIquoted_string\fR; // test option suppress\-initial\-notify \fIboolean\fR; // not yet implemented preferred\-glue \fIstring\fR; dual\-stack\-servers [ port \fIinteger\fR ] { 
@@ -338,19 +366,30 @@ view \fIstring\fR \fIoptional_class\fR { \fIipv6_address\fR [port \fIinteger\fR] ); ... }; edns\-udp\-size \fIinteger\fR; + max\-udp\-size \fIinteger\fR; root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ]; disable\-algorithms \fIstring\fR { \fIstring\fR; ... }; dnssec\-enable \fIboolean\fR; + dnssec\-validation \fIboolean\fR; dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR; dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; + dnssec\-accept\-expired \fIboolean\fR; + empty\-server \fIstring\fR; + empty\-contact \fIstring\fR; + empty\-zones\-enable \fIboolean\fR; + disable\-empty\-zone \fIstring\fR; dialup \fIdialuptype\fR; ixfr\-from\-differences \fIixfrdiff\fR; allow\-query { \fIaddress_match_element\fR; ... }; + allow\-query\-cache { \fIaddress_match_element\fR; ... }; allow\-transfer { \fIaddress_match_element\fR; ... }; + allow\-update { \fIaddress_match_element\fR; ... }; allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; + update\-check\-ksk \fIboolean\fR; notify \fInotifytype\fR; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; + notify\-delay \fIseconds\fR; also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... }; allow\-notify { \fIaddress_match_element\fR; ... }; @@ -380,6 +419,8 @@ view \fIstring\fR \fIoptional_class\fR { use\-alt\-transfer\-source \fIboolean\fR; zone\-statistics \fIboolean\fR; key\-directory \fIquoted_string\fR; + zero\-no\-soa\-ttl \fIboolean\fR; + zero\-no\-soa\-ttl\-cache \fIboolean\fR; allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete fetch\-glue \fIboolean\fR; // obsolete maintain\-ixfr\-base \fIboolean\fR; // obsolete @@ -389,7 +430,7 @@ view \fIstring\fR \fIoptional_class\fR { .RE .SH "ZONE" .sp -.RS 3n +.RS 4 .nf zone \fIstring\fR \fIoptional_class\fR { type ( master | slave | stub | hint | 
@@ -403,8 +444,14 @@ zone \fIstring\fR \fIoptional_class\fR { database \fIstring\fR; delegation\-only \fIboolean\fR; check\-names ( fail | warn | ignore ); + check\-mx ( fail | warn | ignore ); + check\-integrity \fIboolean\fR; + check\-mx\-cname ( fail | warn | ignore ); + check\-srv\-cname ( fail | warn | ignore ); dialup \fIdialuptype\fR; ixfr\-from\-differences \fIboolean\fR; + journal \fIquoted_string\fR; + zero\-no\-soa\-ttl \fIboolean\fR; allow\-query { \fIaddress_match_element\fR; ... }; allow\-transfer { \fIaddress_match_element\fR; ... }; allow\-update { \fIaddress_match_element\fR; ... }; @@ -414,9 +461,11 @@ zone \fIstring\fR \fIoptional_class\fR { ( name | subdomain | wildcard | self ) \fIstring\fR \fIrrtypelist\fR; ... }; + update\-check\-ksk \fIboolean\fR; notify \fInotifytype\fR; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; + notify\-delay \fIseconds\fR; also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... }; allow\-notify { \fIaddress_match_element\fR; ... }; @@ -463,4 +512,5 @@ zone \fIstring\fR \fIoptional_class\fR { \fBrndc\fR(8), \fBBIND 9 Administrator Reference Manual\fR(). .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook index fb8a5ef..5d5f52f 100644 --- a/contrib/bind9/bin/named/named.conf.docbook +++ b/contrib/bind9/bin/named/named.conf.docbook 
@@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -17,8 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.conf.docbook,v 1.1.4.8 2006/09/13 00:26:41 marka Exp $ --> - +<!-- $Id: named.conf.docbook,v 1.1.2.25 2007/01/29 23:57:20 marka Exp $ --> <refentry> <refentryinfo> <date>Aug 13, 2004</date> @@ -30,20 +29,21 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><filename>named.conf</filename></refname> + <refpurpose>configuration file for named</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> - <refnamediv> - <refname><filename>named.conf</filename></refname> - <refpurpose>configuration file for named</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>named.conf</command> 
@@ -52,58 +52,60 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <filename>named.conf</filename> is the configuration file for - <command>named</command>. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: + <para><filename>named.conf</filename> is the configuration file + for + <command>named</command>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. The usual + comment styles are supported: </para> <para> - C style: /* */ + C style: /* */ </para> <para> - C++ style: // to end of line + C++ style: // to end of line </para> <para> - Unix style: # to end of line + Unix style: # to end of line </para> </refsect1> -<refsect1> -<title>ACL</title> -<literallayout> + <refsect1> + <title>ACL</title> + <literallayout> acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>KEY</title> -<literallayout> + <refsect1> + <title>KEY</title> + <literallayout> key <replaceable>domain_name</replaceable> { algorithm <replaceable>string</replaceable>; secret <replaceable>string</replaceable>; }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>MASTERS</title> -<literallayout> + <refsect1> + <title>MASTERS</title> + <literallayout> masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> | <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... 
}; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>SERVER</title> -<literallayout> -server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) { + <refsect1> + <title>SERVER</title> + <literallayout> +server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) { bogus <replaceable>boolean</replaceable>; edns <replaceable>boolean</replaceable>; + edns-udp-size <replaceable>integer</replaceable>; + max-udp-size <replaceable>integer</replaceable>; provide-ixfr <replaceable>boolean</replaceable>; request-ixfr <replaceable>boolean</replaceable>; keys <replaceable>server_key</replaceable>; @@ -117,20 +119,20 @@ server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</re support-ixfr <replaceable>boolean</replaceable>; // obsolete }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>TRUSTED-KEYS</title> -<literallayout> + <refsect1> + <title>TRUSTED-KEYS</title> + <literallayout> trusted-keys { <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>CONTROLS</title> -<literallayout> + <refsect1> + <title>CONTROLS</title> + <literallayout> controls { inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> @@ -139,11 +141,11 @@ controls { unix <replaceable>unsupported</replaceable>; // not implemented }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>LOGGING</title> -<literallayout> + <refsect1> + <title>LOGGING</title> + <literallayout> logging { channel <replaceable>string</replaceable> { file <replaceable>log_file</replaceable>; 
@@ -158,11 +160,11 @@ logging { category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... }; }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>LWRES</title> -<literallayout> + <refsect1> + <title>LWRES</title> + <literallayout> lwres { listen-on <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... @@ -172,11 +174,11 @@ lwres { ndots <replaceable>integer</replaceable>; }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>OPTIONS</title> -<literallayout> + <refsect1> + <title>OPTIONS</title> + <literallayout> options { avoid-v4-udp-ports { <replaceable>port</replaceable>; ... }; avoid-v6-udp-ports { <replaceable>port</replaceable>; ... }; @@ -184,7 +186,6 @@ options { coresize <replaceable>size</replaceable>; datasize <replaceable>size</replaceable>; directory <replaceable>quoted_string</replaceable>; - cache-file <replaceable>quoted_string</replaceable>; // test option dump-file <replaceable>quoted_string</replaceable>; files <replaceable>size</replaceable>; heartbeat-interval <replaceable>integer</replaceable>; 
@@ -232,8 +233,8 @@ options { rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented additional-from-auth <replaceable>boolean</replaceable>; additional-from-cache <replaceable>boolean</replaceable>; - query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; - query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; cleaning-interval <replaceable>integer</replaceable>; min-roots <replaceable>integer</replaceable>; // not implemented lame-ttl <replaceable>integer</replaceable>; 
@@ -241,33 +242,52 @@ options { max-cache-ttl <replaceable>integer</replaceable>; transfer-format ( many-answers | one-answer ); max-cache-size <replaceable>size_no_default</replaceable>; + max-acache-size <replaceable>size_no_default</replaceable>; + clients-per-query <replaceable>number</replaceable>; + max-clients-per-query <replaceable>number</replaceable>; check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file <replaceable>quoted_string</replaceable>; + check-mx ( fail | warn | ignore ); + check-integrity <replaceable>boolean</replaceable>; + check-mx-cname ( fail | warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + cache-file <replaceable>quoted_string</replaceable>; // test option suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented preferred-glue <replaceable>string</replaceable>; dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> | <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ... - } + }; edns-udp-size <replaceable>integer</replaceable>; + max-udp-size <replaceable>integer</replaceable>; root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>; disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... 
}; dnssec-enable <replaceable>boolean</replaceable>; + dnssec-validation <replaceable>boolean</replaceable>; dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>; dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>; + dnssec-accept-expired <replaceable>boolean</replaceable>; + + empty-server <replaceable>string</replaceable>; + empty-contact <replaceable>string</replaceable>; + empty-zones-enable <replaceable>boolean</replaceable>; + disable-empty-zone <replaceable>string</replaceable>; dialup <replaceable>dialuptype</replaceable>; ixfr-from-differences <replaceable>ixfrdiff</replaceable>; allow-query { <replaceable>address_match_element</replaceable>; ... }; + allow-query-cache { <replaceable>address_match_element</replaceable>; ... }; allow-transfer { <replaceable>address_match_element</replaceable>; ... }; + allow-update { <replaceable>address_match_element</replaceable>; ... }; allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... }; + update-check-ksk <replaceable>boolean</replaceable>; notify <replaceable>notifytype</replaceable>; notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + notify-delay <replaceable>seconds</replaceable>; also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... }; 
@@ -302,6 +322,8 @@ options { zone-statistics <replaceable>boolean</replaceable>; key-directory <replaceable>quoted_string</replaceable>; + zero-no-soa-ttl <replaceable>boolean</replaceable>; + zero-no-soa-ttl-cache <replaceable>boolean</replaceable>; allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete @@ -317,11 +339,11 @@ options { use-id-pool <replaceable>boolean</replaceable>; // obsolete }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>VIEW</title> -<literallayout> + <refsect1> + <title>VIEW</title> + <literallayout> view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> { match-clients { <replaceable>address_match_element</replaceable>; ... }; match-destinations { <replaceable>address_match_element</replaceable>; ... }; @@ -336,7 +358,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> ... }; - server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) { + server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) { ... }; 
@@ -359,8 +381,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented additional-from-auth <replaceable>boolean</replaceable>; additional-from-cache <replaceable>boolean</replaceable>; - query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; - query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; cleaning-interval <replaceable>integer</replaceable>; min-roots <replaceable>integer</replaceable>; // not implemented lame-ttl <replaceable>integer</replaceable>; 
@@ -368,9 +390,16 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> max-cache-ttl <replaceable>integer</replaceable>; transfer-format ( many-answers | one-answer ); max-cache-size <replaceable>size_no_default</replaceable>; + max-acache-size <replaceable>size_no_default</replaceable>; + clients-per-query <replaceable>number</replaceable>; + max-clients-per-query <replaceable>number</replaceable>; check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file <replaceable>quoted_string</replaceable>; + check-mx ( fail | warn | ignore ); + check-integrity <replaceable>boolean</replaceable>; + check-mx-cname ( fail | warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + cache-file <replaceable>quoted_string</replaceable>; // test option suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented preferred-glue <replaceable>string</replaceable>; dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { 
@@ -379,22 +408,34 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ... }; edns-udp-size <replaceable>integer</replaceable>; + max-udp-size <replaceable>integer</replaceable>; root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>; disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... }; dnssec-enable <replaceable>boolean</replaceable>; + dnssec-validation <replaceable>boolean</replaceable>; dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>; - dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>; + dnssec-accept-expired <replaceable>boolean</replaceable>; + + empty-server <replaceable>string</replaceable>; + empty-contact <replaceable>string</replaceable>; + empty-zones-enable <replaceable>boolean</replaceable>; + disable-empty-zone <replaceable>string</replaceable>; + dialup <replaceable>dialuptype</replaceable>; ixfr-from-differences <replaceable>ixfrdiff</replaceable>; allow-query { <replaceable>address_match_element</replaceable>; ... }; + allow-query-cache { <replaceable>address_match_element</replaceable>; ... }; allow-transfer { <replaceable>address_match_element</replaceable>; ... }; + allow-update { <replaceable>address_match_element</replaceable>; ... }; allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... 
}; + update-check-ksk <replaceable>boolean</replaceable>; notify <replaceable>notifytype</replaceable>; notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + notify-delay <replaceable>seconds</replaceable>; also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... }; @@ -429,6 +470,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> zone-statistics <replaceable>boolean</replaceable>; key-directory <replaceable>quoted_string</replaceable>; + zero-no-soa-ttl <replaceable>boolean</replaceable>; + zero-no-soa-ttl-cache <replaceable>boolean</replaceable>; allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete fetch-glue <replaceable>boolean</replaceable>; // obsolete @@ -436,11 +479,11 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> max-ixfr-log-size <replaceable>size</replaceable>; // obsolete }; </literallayout> -</refsect1> + </refsect1> -<refsect1> -<title>ZONE</title> -<literallayout> + <refsect1> + <title>ZONE</title> + <literallayout> zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> { type ( master | slave | stub | hint | forward | delegation-only ); 
@@ -455,8 +498,14 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> database <replaceable>string</replaceable>; delegation-only <replaceable>boolean</replaceable>; check-names ( fail | warn | ignore ); + check-mx ( fail | warn | ignore ); + check-integrity <replaceable>boolean</replaceable>; + check-mx-cname ( fail | warn | ignore ); + check-srv-cname ( fail | warn | ignore ); dialup <replaceable>dialuptype</replaceable>; ixfr-from-differences <replaceable>boolean</replaceable>; + journal <replaceable>quoted_string</replaceable>; + zero-no-soa-ttl <replaceable>boolean</replaceable>; allow-query { <replaceable>address_match_element</replaceable>; ... }; allow-transfer { <replaceable>address_match_element</replaceable>; ... }; @@ -467,10 +516,12 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> ( name | subdomain | wildcard | self ) <replaceable>string</replaceable> <replaceable>rrtypelist</replaceable>; ... }; + update-check-ksk <replaceable>boolean</replaceable>; notify <replaceable>notifytype</replaceable>; notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>; + notify-delay <replaceable>seconds</replaceable>; also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... }; 
@@ -513,32 +564,29 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete }; </literallayout> -</refsect1> - -<refsect1> -<title>FILES</title> -<para> -<filename>/etc/named.conf</filename> -</para> -</refsect1> - -<refsect1> -<title>SEE ALSO</title> -<para> -<citerefentry> -<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>, -<citerefentry> -<refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle> -</citerefentry>. -</para> -</refsect1> - -</refentry> -<!-- + </refsect1> + + <refsect1> + <title>FILES</title> + <para><filename>/etc/named.conf</filename> + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle> + </citerefentry>. + </para> + </refsect1> + +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html index b43ee7f..5cd449e 100644 --- a/contrib/bind9/bin/named/named.conf.html +++ b/contrib/bind9/bin/named/named.conf.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above 
@@ -13,15 +13,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.conf.html,v 1.1.4.15 2006/09/13 02:56:21 marka Exp $ --> +<!-- $Id: named.conf.html,v 1.1.2.32 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named.conf</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="id2476275"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><code class="filename">named.conf</code> — configuration file for named</p> 
@@ -31,33 +31,33 @@ <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549388"></a><h2>DESCRIPTION</h2> -<p> - <code class="filename">named.conf</code> is the configuration file for - <span><strong class="command">named</strong></span>. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: +<a name="id2542042"></a><h2>DESCRIPTION</h2> +<p><code class="filename">named.conf</code> is the configuration file + for + <span><strong class="command">named</strong></span>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. The usual + comment styles are supported: </p> <p> - C style: /* */ + C style: /* */ </p> <p> - C++ style: // to end of line + C++ style: // to end of line </p> <p> - Unix style: # to end of line + Unix style: # to end of line </p> </div> <div class="refsect1" lang="en"> -<a name="id2549417"></a><h2>ACL</h2> +<a name="id2543367"></a><h2>ACL</h2> <div class="literallayout"><p><br> acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> <br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549433"></a><h2>KEY</h2> +<a name="id2543383"></a><h2>KEY</h2> <div class="literallayout"><p><br> key <em class="replaceable"><code>domain_name</code></em> {<br> algorithm <em class="replaceable"><code>string</code></em>;<br> 
@@ -66,7 +66,7 @@ key <em class="replaceable"><code>domain_name</code></em> {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549452"></a><h2>MASTERS</h2> +<a name="id2543402"></a><h2>MASTERS</h2> <div class="literallayout"><p><br> masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> @@ -75,11 +75,13 @@ masters <em class="replaceable"><code>string</code></em> [<span class="optional" </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549498"></a><h2>SERVER</h2> +<a name="id2543448"></a><h2>SERVER</h2> <div class="literallayout"><p><br> -server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br> +server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br> bogus <em class="replaceable"><code>boolean</code></em>;<br> edns <em class="replaceable"><code>boolean</code></em>;<br> + edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br> request-ixfr <em class="replaceable"><code>boolean</code></em>;<br> keys <em class="replaceable"><code>server_key</code></em>;<br> 
@@ -95,7 +97,7 @@ server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="rep </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549556"></a><h2>TRUSTED-KEYS</h2> +<a name="id2543516"></a><h2>TRUSTED-KEYS</h2> <div class="literallayout"><p><br> trusted-keys {<br> <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br> @@ -103,7 +105,7 @@ trusted-keys {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549581"></a><h2>CONTROLS</h2> +<a name="id2543542"></a><h2>CONTROLS</h2> <div class="literallayout"><p><br> controls {<br> inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br> @@ -115,7 +117,7 @@ controls {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549617"></a><h2>LOGGING</h2> +<a name="id2543577"></a><h2>LOGGING</h2> <div class="literallayout"><p><br> logging {<br> channel <em class="replaceable"><code>string</code></em> {<br> @@ -133,7 +135,7 @@ logging {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549655"></a><h2>LWRES</h2> +<a name="id2543616"></a><h2>LWRES</h2> <div class="literallayout"><p><br> lwres {<br> listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> @@ -146,7 +148,7 @@ lwres {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549697"></a><h2>OPTIONS</h2> +<a name="id2543657"></a><h2>OPTIONS</h2> <div class="literallayout"><p><br> options {<br> avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br> 
@@ -155,7 +157,6 @@ options {<br> coresize <em class="replaceable"><code>size</code></em>;<br> datasize <em class="replaceable"><code>size</code></em>;<br> directory <em class="replaceable"><code>quoted_string</code></em>;<br> - cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> dump-file <em class="replaceable"><code>quoted_string</code></em>;<br> files <em class="replaceable"><code>size</code></em>;<br> heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br> 
@@ -203,8 +204,8 @@ options {<br> rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br> additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br> - query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> - query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> cleaning-interval <em class="replaceable"><code>integer</code></em>;<br> min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br> lame-ttl <em class="replaceable"><code>integer</code></em>;<br> 
@@ -212,33 +213,52 @@ options {<br> max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br> transfer-format ( many-answers | one-answer );<br> max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + clients-per-query <em class="replaceable"><code>number</code></em>;<br> + max-clients-per-query <em class="replaceable"><code>number</code></em>;<br> check-names ( master | slave | response )<br> ( fail | warn | ignore );<br> - cache-file <em class="replaceable"><code>quoted_string</code></em>;<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> + cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> preferred-glue <em class="replaceable"><code>string</code></em>;<br> dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br> - }<br> + };<br> edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... 
} </span>];<br> disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br> dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br> dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br> dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br> +<br> + empty-server <em class="replaceable"><code>string</code></em>;<br> + empty-contact <em class="replaceable"><code>string</code></em>;<br> + empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br> + disable-empty-zone <em class="replaceable"><code>string</code></em>;<br> <br> dialup <em class="replaceable"><code>dialuptype</code></em>;<br> ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br> <br> allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... 
};<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> <br> notify <em class="replaceable"><code>notifytype</code></em>;<br> notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br> allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> @@ -273,6 +293,8 @@ options {<br> <br> zone-statistics <em class="replaceable"><code>boolean</code></em>;<br> key-directory <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> + zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br> <br> allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br> deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br> @@ -290,7 +312,7 @@ options {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2550312"></a><h2>VIEW</h2> +<a name="id2544400"></a><h2>VIEW</h2> <div class="literallayout"><p><br> view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> 
@@ -306,7 +328,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c ...<br> };<br> <br> - server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br> + server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br> ...<br> };<br> <br> 
@@ -329,8 +351,8 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br> additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br> - query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> - query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> cleaning-interval <em class="replaceable"><code>integer</code></em>;<br> min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br> lame-ttl <em class="replaceable"><code>integer</code></em>;<br> 
@@ -338,9 +360,16 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br> transfer-format ( many-answers | one-answer );<br> max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br> + clients-per-query <em class="replaceable"><code>number</code></em>;<br> + max-clients-per-query <em class="replaceable"><code>number</code></em>;<br> check-names ( master | slave | response )<br> ( fail | warn | ignore );<br> - cache-file <em class="replaceable"><code>quoted_string</code></em>;<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> + cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br> suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br> preferred-glue <em class="replaceable"><code>string</code></em>;<br> dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> 
@@ -349,22 +378,34 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br> };<br> edns-udp-size <em class="replaceable"><code>integer</code></em>;<br> + max-udp-size <em class="replaceable"><code>integer</code></em>;<br> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br> disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br> dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br> dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br> -<br> dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br> + dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br> +<br> + empty-server <em class="replaceable"><code>string</code></em>;<br> + empty-contact <em class="replaceable"><code>string</code></em>;<br> + empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br> + disable-empty-zone <em class="replaceable"><code>string</code></em>;<br> +<br> dialup <em class="replaceable"><code>dialuptype</code></em>;<br> ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br> <br> allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... 
};<br> allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> <br> notify <em class="replaceable"><code>notifytype</code></em>;<br> notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br> allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> @@ -399,6 +440,8 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c <br> zone-statistics <em class="replaceable"><code>boolean</code></em>;<br> key-directory <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> + zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br> <br> allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br> fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br> 
@@ -408,7 +451,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2550878"></a><h2>ZONE</h2> +<a name="id2544964"></a><h2>ZONE</h2> <div class="literallayout"><p><br> zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> type ( master | slave | stub | hint |<br> @@ -424,8 +467,14 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c database <em class="replaceable"><code>string</code></em>;<br> delegation-only <em class="replaceable"><code>boolean</code></em>;<br> check-names ( fail | warn | ignore );<br> + check-mx ( fail | warn | ignore );<br> + check-integrity <em class="replaceable"><code>boolean</code></em>;<br> + check-mx-cname ( fail | warn | ignore );<br> + check-srv-cname ( fail | warn | ignore );<br> dialup <em class="replaceable"><code>dialuptype</code></em>;<br> ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br> + journal <em class="replaceable"><code>quoted_string</code></em>;<br> + zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br> <br> allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> 
@@ -436,10 +485,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c ( name | subdomain | wildcard | self ) <em class="replaceable"><code>string</code></em><br> <em class="replaceable"><code>rrtypelist</code></em>; ...<br> };<br> + update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br> <br> notify <em class="replaceable"><code>notifytype</code></em>;<br> notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br> + notify-delay <em class="replaceable"><code>seconds</code></em>;<br> also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br> allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> 
@@ -484,18 +535,16 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2551216"></a><h2>FILES</h2> -<p> -<code class="filename">/etc/named.conf</code> -</p> +<a name="id2545316"></a><h2>FILES</h2> +<p><code class="filename">/etc/named.conf</code> + </p> </div> <div class="refsect1" lang="en"> -<a name="id2551228"></a><h2>SEE ALSO</h2> -<p> -<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, -<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, -<span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>. -</p> +<a name="id2545328"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>. + </p> </div> </div></body> </html> diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook index f7cae12..f648b9d 100644 --- a/contrib/bind9/bin/named/named.docbook +++ b/contrib/bind9/bin/named/named.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.docbook,v 1.5.98.7 2006/01/17 23:49:30 marka Exp $ --> - -<refentry> +<!-- $Id: named.docbook,v 1.7.18.8 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.named"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> @@ -31,11 +30,17 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>named</application></refname> + <refpurpose>Internet domain name server</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -46,11 +51,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>named</application></refname> - <refpurpose>Internet domain name server</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>named</command> @@ -72,16 +72,17 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>named</command> is a Domain Name System (DNS) server, - part of the BIND 9 distribution from ISC. For more - information on the DNS, see RFCs 1033, 1034, and 1035. + <para><command>named</command> + is a Domain Name System (DNS) server, + part of the BIND 9 distribution from ISC. For more + information on the DNS, see RFCs 1033, 1034, and 1035. </para> <para> - When invoked without arguments, <command>named</command> will - read the default configuration file - <filename>/etc/named.conf</filename>, read any initial - data, and listen for queries. + When invoked without arguments, <command>named</command> + will + read the default configuration file + <filename>/etc/named.conf</filename>, read any initial + data, and listen for queries. </para> </refsect1> 
@@ -90,189 +91,183 @@ <variablelist> <varlistentry> - <term>-4</term> - <listitem> - <para> - Use IPv4 only even if the host machine is capable of IPv6. - <option>-4</option> and <option>-6</option> are mutually - exclusive. + <term>-4</term> + <listitem> + <para> + Use IPv4 only even if the host machine is capable of IPv6. + <option>-4</option> and <option>-6</option> are mutually + exclusive. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-6</term> - <listitem> - <para> - Use IPv6 only even if the host machine is capable of IPv4. - <option>-4</option> and <option>-6</option> are mutually - exclusive. + <term>-6</term> + <listitem> + <para> + Use IPv6 only even if the host machine is capable of IPv4. + <option>-4</option> and <option>-6</option> are mutually + exclusive. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-c <replaceable class="parameter">config-file</replaceable></term> - <listitem> - <para> - Use <replaceable - class="parameter">config-file</replaceable> as the - configuration file instead of the default, - <filename>/etc/named.conf</filename>. To - ensure that reloading the configuration file continues - to work after the server has changed its working - directory due to to a possible - <option>directory</option> option in the configuration - file, <replaceable - class="parameter">config-file</replaceable> should be - an absolute pathname. + <term>-c <replaceable class="parameter">config-file</replaceable></term> + <listitem> + <para> + Use <replaceable class="parameter">config-file</replaceable> as the + configuration file instead of the default, + <filename>/etc/named.conf</filename>. To + ensure that reloading the configuration file continues + to work after the server has changed its working + directory due to to a possible + <option>directory</option> option in the configuration + file, <replaceable class="parameter">config-file</replaceable> should be + an absolute pathname. 
</para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-d <replaceable class="parameter">debug-level</replaceable></term> - <listitem> - <para> - Set the daemon's debug level to <replaceable - class="parameter">debug-level</replaceable>. - Debugging traces from <command>named</command> become - more verbose as the debug level increases. + <term>-d <replaceable class="parameter">debug-level</replaceable></term> + <listitem> + <para> + Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>. + Debugging traces from <command>named</command> become + more verbose as the debug level increases. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-f</term> - <listitem> - <para> - Run the server in the foreground (i.e. do not daemonize). + <term>-f</term> + <listitem> + <para> + Run the server in the foreground (i.e. do not daemonize). </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-g</term> - <listitem> - <para> - Run the server in the foreground and force all logging - to <filename>stderr</filename>. + <term>-g</term> + <listitem> + <para> + Run the server in the foreground and force all logging + to <filename>stderr</filename>. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-n <replaceable class="parameter">#cpus</replaceable></term> - <listitem> - <para> - Create <replaceable - class="parameter">#cpus</replaceable> worker threads - to take advantage of multiple CPUs. If not specified, - <command>named</command> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + <term>-n <replaceable class="parameter">#cpus</replaceable></term> + <listitem> + <para> + Create <replaceable class="parameter">#cpus</replaceable> worker threads + to take advantage of multiple CPUs. 
If not specified, + <command>named</command> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-p <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Listen for queries on port <replaceable - class="parameter">port</replaceable>. If not - specified, the default is port 53. + <term>-p <replaceable class="parameter">port</replaceable></term> + <listitem> + <para> + Listen for queries on port <replaceable class="parameter">port</replaceable>. If not + specified, the default is port 53. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-s</term> - <listitem> - <para> - Write memory usage statistics to <filename>stdout</filename> on exit. + <term>-s</term> + <listitem> + <para> + Write memory usage statistics to <filename>stdout</filename> on exit. </para> - <note> - <para> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </para> - </note> - </listitem> + <note> + <para> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </para> + </note> + </listitem> </varlistentry> <varlistentry> - <term>-t <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - <function>chroot()</function> to <replaceable - class="parameter">directory</replaceable> after - processing the command line arguments, but before - reading the configuration file. + <term>-t <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para><function>chroot()</function> + to <replaceable class="parameter">directory</replaceable> after + processing the command line arguments, but before + reading the configuration file. 
</para> - <warning> - <para> - This option should be used in conjunction with the - <option>-u</option> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <function>chroot()</function> is - defined allows a process with root privileges to - escape a chroot jail. - </para> - </warning> - </listitem> + <warning> + <para> + This option should be used in conjunction with the + <option>-u</option> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <function>chroot()</function> is + defined allows a process with root privileges to + escape a chroot jail. + </para> + </warning> + </listitem> </varlistentry> <varlistentry> - <term>-u <replaceable class="parameter">user</replaceable></term> - <listitem> - <para> - <function>setuid()</function> to <replaceable - class="parameter">user</replaceable> after completing - privileged operations, such as creating sockets that - listen on privileged ports. + <term>-u <replaceable class="parameter">user</replaceable></term> + <listitem> + <para><function>setuid()</function> + to <replaceable class="parameter">user</replaceable> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </para> - <note> - <para> - On Linux, <command>named</command> uses the kernel's - capability mechanism to drop all root privileges - except the ability to <function>bind()</function> to a - privileged port and set process resource limits. - Unfortunately, this means that the <option>-u</option> - option only works when <command>named</command> is run - on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or - later, since previous kernels did not allow privileges - to be retained after <function>setuid()</function>. 
- </para> - </note> - </listitem> + <note> + <para> + On Linux, <command>named</command> uses the kernel's + capability mechanism to drop all root privileges + except the ability to <function>bind()</function> to + a + privileged port and set process resource limits. + Unfortunately, this means that the <option>-u</option> + option only works when <command>named</command> is + run + on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or + later, since previous kernels did not allow privileges + to be retained after <function>setuid()</function>. + </para> + </note> + </listitem> </varlistentry> <varlistentry> - <term>-v</term> - <listitem> - <para> - Report the version number and exit. + <term>-v</term> + <listitem> + <para> + Report the version number and exit. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>-x <replaceable class="parameter">cache-file</replaceable></term> - <listitem> - <para> - Load data from <replaceable - class="parameter">cache-file</replaceable> into the - cache of the default view. + <term>-x <replaceable class="parameter">cache-file</replaceable></term> + <listitem> + <para> + Load data from <replaceable class="parameter">cache-file</replaceable> into the + cache of the default view. </para> - <warning> - <para> - This option must not be used. It is only of interest - to BIND 9 developers and may be removed or changed in a - future release. - </para> - </warning> - </listitem> + <warning> + <para> + This option must not be used. It is only of interest + to BIND 9 developers and may be removed or changed in a + future release. + </para> + </warning> + </listitem> </varlistentry> </variablelist> 
@@ -282,35 +277,35 @@ <refsect1> <title>SIGNALS</title> <para> - In routine operation, signals should not be used to control - the nameserver; <command>rndc</command> should be used - instead. + In routine operation, signals should not be used to control + the nameserver; <command>rndc</command> should be used + instead. </para> <variablelist> <varlistentry> - <term>SIGHUP</term> - <listitem> - <para> - Force a reload of the server. + <term>SIGHUP</term> + <listitem> + <para> + Force a reload of the server. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term>SIGINT, SIGTERM</term> - <listitem> - <para> - Shut down the server. + <term>SIGINT, SIGTERM</term> + <listitem> + <para> + Shut down the server. </para> - </listitem> + </listitem> </varlistentry> </variablelist> <para> - The result of sending any other signals to the server is undefined. + The result of sending any other signals to the server is undefined. </para> </refsect1> @@ -318,10 +313,10 @@ <refsect1> <title>CONFIGURATION</title> <para> - The <command>named</command> configuration file is too complex - to describe in detail here. A complete description is - provided in the <citetitle>BIND 9 Administrator Reference - Manual</citetitle>. + The <command>named</command> configuration file is too complex + to describe in detail here. A complete description is provided + in the + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> </refsect1> 
@@ -331,21 +326,21 @@ <variablelist> <varlistentry> - <term><filename>/etc/named.conf</filename></term> - <listitem> - <para> - The default configuration file. + <term><filename>/etc/named.conf</filename></term> + <listitem> + <para> + The default configuration file. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> - <term><filename>/var/run/named.pid</filename></term> - <listitem> - <para> - The default process-id file. + <term><filename>/var/run/named.pid</filename></term> + <listitem> + <para> + The default process-id file. </para> - </listitem> + </listitem> </varlistentry> </variablelist> @@ -354,37 +349,32 @@ <refsect1> <title>SEE ALSO</title> - <para> - <citetitle>RFC 1033</citetitle>, - <citetitle>RFC 1034</citetitle>, - <citetitle>RFC 1035</citetitle>, - <citerefentry> - <refentrytitle>rndc</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>lwresd</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>named.conf</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry>, - <citetitle>BIND 9 Administrator Reference Manual</citetitle>. + <para><citetitle>RFC 1033</citetitle>, + <citetitle>RFC 1034</citetitle>, + <citetitle>RFC 1035</citetitle>, + <citerefentry> + <refentrytitle>rndc</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>lwresd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> </refsect1> <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: 
diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html index 6e77e5b..1839e4a 100644 --- a/contrib/bind9/bin/named/named.html +++ b/contrib/bind9/bin/named/named.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.html,v 1.4.2.1.4.13 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: named.html,v 1.6.18.18 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>named</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.named"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">named</span> — Internet domain name server</p> 
@@ -32,209 +32,210 @@ <div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549491"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">named</strong></span> is a Domain Name System (DNS) server, - part of the BIND 9 distribution from ISC. For more - information on the DNS, see RFCs 1033, 1034, and 1035. +<a name="id2543444"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">named</strong></span> + is a Domain Name System (DNS) server, + part of the BIND 9 distribution from ISC. For more + information on the DNS, see RFCs 1033, 1034, and 1035. </p> <p> - When invoked without arguments, <span><strong class="command">named</strong></span> will - read the default configuration file - <code class="filename">/etc/named.conf</code>, read any initial - data, and listen for queries. + When invoked without arguments, <span><strong class="command">named</strong></span> + will + read the default configuration file + <code class="filename">/etc/named.conf</code>, read any initial + data, and listen for queries. 
</p> </div> <div class="refsect1" lang="en"> -<a name="id2549516"></a><h2>OPTIONS</h2> +<a name="id2543468"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-4</span></dt> <dd><p> - Use IPv4 only even if the host machine is capable of IPv6. - <code class="option">-4</code> and <code class="option">-6</code> are mutually - exclusive. + Use IPv4 only even if the host machine is capable of IPv6. + <code class="option">-4</code> and <code class="option">-6</code> are mutually + exclusive. </p></dd> <dt><span class="term">-6</span></dt> <dd><p> - Use IPv6 only even if the host machine is capable of IPv4. - <code class="option">-4</code> and <code class="option">-6</code> are mutually - exclusive. + Use IPv6 only even if the host machine is capable of IPv4. + <code class="option">-4</code> and <code class="option">-6</code> are mutually + exclusive. </p></dd> <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> <dd><p> - Use <em class="replaceable"><code>config-file</code></em> as the - configuration file instead of the default, - <code class="filename">/etc/named.conf</code>. To - ensure that reloading the configuration file continues - to work after the server has changed its working - directory due to to a possible - <code class="option">directory</code> option in the configuration - file, <em class="replaceable"><code>config-file</code></em> should be - an absolute pathname. + Use <em class="replaceable"><code>config-file</code></em> as the + configuration file instead of the default, + <code class="filename">/etc/named.conf</code>. To + ensure that reloading the configuration file continues + to work after the server has changed its working + directory due to to a possible + <code class="option">directory</code> option in the configuration + file, <em class="replaceable"><code>config-file</code></em> should be + an absolute pathname. 
</p></dd> <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> <dd><p> - Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. - Debugging traces from <span><strong class="command">named</strong></span> become - more verbose as the debug level increases. + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">named</strong></span> become + more verbose as the debug level increases. </p></dd> <dt><span class="term">-f</span></dt> <dd><p> - Run the server in the foreground (i.e. do not daemonize). + Run the server in the foreground (i.e. do not daemonize). </p></dd> <dt><span class="term">-g</span></dt> <dd><p> - Run the server in the foreground and force all logging - to <code class="filename">stderr</code>. + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. </p></dd> <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> <dd><p> - Create <em class="replaceable"><code>#cpus</code></em> worker threads - to take advantage of multiple CPUs. If not specified, - <span><strong class="command">named</strong></span> will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. + Create <em class="replaceable"><code>#cpus</code></em> worker threads + to take advantage of multiple CPUs. If not specified, + <span><strong class="command">named</strong></span> will try to determine the + number of CPUs present and create one thread per CPU. + If it is unable to determine the number of CPUs, a + single worker thread will be created. </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Listen for queries on port <em class="replaceable"><code>port</code></em>. 
If not - specified, the default is port 53. + Listen for queries on port <em class="replaceable"><code>port</code></em>. If not + specified, the default is port 53. </p></dd> <dt><span class="term">-s</span></dt> <dd> <p> - Write memory usage statistics to <code class="filename">stdout</code> on exit. + Write memory usage statistics to <code class="filename">stdout</code> on exit. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - </p> + This option is mainly of interest to BIND 9 developers + and may be removed or changed in a future release. + </p> </div> </dd> <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> <dd> -<p> - <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after - processing the command line arguments, but before - reading the configuration file. +<p><code class="function">chroot()</code> + to <em class="replaceable"><code>directory</code></em> after + processing the command line arguments, but before + reading the configuration file. </p> <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Warning</h3> <p> - This option should be used in conjunction with the - <code class="option">-u</code> option, as chrooting a process - running as root doesn't enhance security on most - systems; the way <code class="function">chroot()</code> is - defined allows a process with root privileges to - escape a chroot jail. - </p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process + running as root doesn't enhance security on most + systems; the way <code class="function">chroot()</code> is + defined allows a process with root privileges to + escape a chroot jail. 
+ </p> </div> </dd> <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> <dd> -<p> - <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing - privileged operations, such as creating sockets that - listen on privileged ports. +<p><code class="function">setuid()</code> + to <em class="replaceable"><code>user</code></em> after completing + privileged operations, such as creating sockets that + listen on privileged ports. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - On Linux, <span><strong class="command">named</strong></span> uses the kernel's - capability mechanism to drop all root privileges - except the ability to <code class="function">bind()</code> to a - privileged port and set process resource limits. - Unfortunately, this means that the <code class="option">-u</code> - option only works when <span><strong class="command">named</strong></span> is run - on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or - later, since previous kernels did not allow privileges - to be retained after <code class="function">setuid()</code>. - </p> + On Linux, <span><strong class="command">named</strong></span> uses the kernel's + capability mechanism to drop all root privileges + except the ability to <code class="function">bind()</code> to + a + privileged port and set process resource limits. + Unfortunately, this means that the <code class="option">-u</code> + option only works when <span><strong class="command">named</strong></span> is + run + on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or + later, since previous kernels did not allow privileges + to be retained after <code class="function">setuid()</code>. + </p> </div> </dd> <dt><span class="term">-v</span></dt> <dd><p> - Report the version number and exit. + Report the version number and exit. 
</p></dd> <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt> <dd> <p> - Load data from <em class="replaceable"><code>cache-file</code></em> into the - cache of the default view. + Load data from <em class="replaceable"><code>cache-file</code></em> into the + cache of the default view. </p> <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Warning</h3> <p> - This option must not be used. It is only of interest - to BIND 9 developers and may be removed or changed in a - future release. - </p> + This option must not be used. It is only of interest + to BIND 9 developers and may be removed or changed in a + future release. + </p> </div> </dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2550002"></a><h2>SIGNALS</h2> +<a name="id2543813"></a><h2>SIGNALS</h2> <p> - In routine operation, signals should not be used to control - the nameserver; <span><strong class="command">rndc</strong></span> should be used - instead. + In routine operation, signals should not be used to control + the nameserver; <span><strong class="command">rndc</strong></span> should be used + instead. </p> <div class="variablelist"><dl> <dt><span class="term">SIGHUP</span></dt> <dd><p> - Force a reload of the server. + Force a reload of the server. </p></dd> <dt><span class="term">SIGINT, SIGTERM</span></dt> <dd><p> - Shut down the server. + Shut down the server. </p></dd> </dl></div> <p> - The result of sending any other signals to the server is undefined. + The result of sending any other signals to the server is undefined. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550049"></a><h2>CONFIGURATION</h2> +<a name="id2543861"></a><h2>CONFIGURATION</h2> <p> - The <span><strong class="command">named</strong></span> configuration file is too complex - to describe in detail here. A complete description is - provided in the <em class="citetitle">BIND 9 Administrator Reference - Manual</em>. 
+ The <span><strong class="command">named</strong></span> configuration file is too complex + to describe in detail here. A complete description is provided + in the + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550066"></a><h2>FILES</h2> +<a name="id2543878"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt> <dd><p> - The default configuration file. + The default configuration file. </p></dd> <dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt> <dd><p> - The default process-id file. + The default process-id file. </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2550105"></a><h2>SEE ALSO</h2> -<p> - <em class="citetitle">RFC 1033</em>, - <em class="citetitle">RFC 1034</em>, - <em class="citetitle">RFC 1035</em>, - <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, - <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>, - <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>, - <em class="citetitle">BIND 9 Administrator Reference Manual</em>. +<a name="id2543917"></a><h2>SEE ALSO</h2> +<p><em class="citetitle">RFC 1033</em>, + <em class="citetitle">RFC 1034</em>, + <em class="citetitle">RFC 1035</em>, + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. 
</p> </div> <div class="refsect1" lang="en"> -<a name="id2550157"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543969"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/named/notify.c b/contrib/bind9/bin/named/notify.c index e3c5b2a..db2be71 100644 --- a/contrib/bind9/bin/named/notify.c +++ b/contrib/bind9/bin/named/notify.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: notify.c,v 1.24.2.2.2.7 2004/08/28 06:25:30 marka Exp $ */ +/* $Id: notify.c,v 1.30.18.3 2005/04/29 00:15:26 marka Exp $ */ #include <config.h> @@ -32,8 +32,9 @@ #include <named/log.h> #include <named/notify.h> -/* - * This module implements notify as in RFC 1996. +/*! \file + * \brief + * This module implements notify as in RFC1996. */ static void diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index c0a76a8..f30c07c 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.198.2.13.4.43 2006/08/31 03:57:11 marka Exp $ */ +/* $Id: query.c,v 1.257.18.36.12.1 2007/04/30 01:10:19 marka Exp $ */ + +/*! \file */ #include <config.h> 
@@ -27,8 +29,13 @@
 #include <dns/adb.h>
 #include <dns/byaddr.h>
 #include <dns/db.h>
+#ifdef DLZ
+#include <dns/dlz.h>
+#endif
+#include <dns/dnssec.h>
 #include <dns/events.h>
 #include <dns/message.h>
+#include <dns/ncache.h>
 #include <dns/order.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -51,24 +58,34 @@
 #include <named/sortlist.h>
 #include <named/xfrout.h>
+/*% Partial answer? */
 #define PARTIALANSWER(c) (((c)->query.attributes & \
 NS_QUERYATTR_PARTIALANSWER) != 0)
+/*% Use Cache? */
 #define USECACHE(c) (((c)->query.attributes & \
 NS_QUERYATTR_CACHEOK) != 0)
+/*% Recursion OK? */
 #define RECURSIONOK(c) (((c)->query.attributes & \
 NS_QUERYATTR_RECURSIONOK) != 0)
+/*% Recursing? */
 #define RECURSING(c) (((c)->query.attributes & \
 NS_QUERYATTR_RECURSING) != 0)
+/*% Cache glue ok? */
 #define CACHEGLUEOK(c) (((c)->query.attributes & \
 NS_QUERYATTR_CACHEGLUEOK) != 0)
+/*% Want Recursion? */
 #define WANTRECURSION(c) (((c)->query.attributes & \
 NS_QUERYATTR_WANTRECURSION) != 0)
+/*% Want DNSSEC? */
 #define WANTDNSSEC(c) (((c)->attributes & \
 NS_CLIENTATTR_WANTDNSSEC) != 0)
+/*% No authority? */
 #define NOAUTHORITY(c) (((c)->query.attributes & \
 NS_QUERYATTR_NOAUTHORITY) != 0)
+/*% No additional? */
 #define NOADDITIONAL(c) (((c)->query.attributes & \
 NS_QUERYATTR_NOADDITIONAL) != 0)
+/*% Secure? */
 #define SECURE(c) (((c)->query.attributes & \
 NS_QUERYATTR_SECURE) != 0)
@@ -92,10 +109,19 @@
 #define DNS_GETDB_NOLOG 0x02U
 #define DNS_GETDB_PARTIAL 0x04U
+typedef struct client_additionalctx {
+ ns_client_t *client;
+ dns_rdataset_t *rdataset;
+} client_additionalctx_t;
+
 static void
 query_find(ns_client_t *client, dns_fetchevent_t *event,
 dns_rdatatype_t qtype);
-/*
+static isc_boolean_t
+validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+/*%
 * Increment query statistics counters.
 */
 static inline void
@@ -144,7 +170,12 @@ query_error(ns_client_t *client, isc_result_t result) {
 static void
 query_next(ns_client_t *client, isc_result_t result) {
- inc_stats(client, dns_statscounter_failure);
+ if (result == DNS_R_DUPLICATE)
+ inc_stats(client, dns_statscounter_duplicate);
+ else if (result == DNS_R_DROP)
+ inc_stats(client, dns_statscounter_dropped);
+ else
+ inc_stats(client, dns_statscounter_failure);
 ns_client_next(client, result);
 }
@@ -187,7 +218,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
 isc_buffer_t *dbuf, *dbuf_next;
 ns_dbversion_t *dbversion, *dbversion_next;
- /*
+ /*%
 * Reset the query state of a client to its default state.
 */
@@ -266,7 +297,7 @@ query_newnamebuf(ns_client_t *client) {
 isc_result_t result;
 CTRACE("query_newnamebuf");
- /*
+ /*%
 * Allocate a name buffer.
 */
@@ -289,7 +320,7 @@ query_getnamebuf(ns_client_t *client) {
 isc_region_t r;
 CTRACE("query_getnamebuf");
- /*
+ /*%
 * Return a name buffer with space for a maximal name, allocating
 * a new one if necessary.
 */
@@ -325,7 +356,7 @@ query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
 isc_region_t r;
 CTRACE("query_keepname");
- /*
+ /*%
 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
 * adjusted to take account of that. We do the adjustment.
 */
@@ -342,7 +373,7 @@ static inline void
 query_releasename(ns_client_t *client, dns_name_t **namep) {
 dns_name_t *name = *namep;
- /*
+ /*%
 * 'name' is no longer needed. Return it to our pool of temporary
 * names. If it is using a name buffer, relinquish its exclusive
 * rights on the buffer.
@@ -479,7 +510,7 @@ ns_query_init(ns_client_t *client) {
 client->query.authdb = NULL;
 client->query.authzone = NULL;
 client->query.authdbset = ISC_FALSE;
- client->query.isreferral = ISC_FALSE;
+ client->query.isreferral = ISC_FALSE;
 query_reset(client, ISC_FALSE);
 result = query_newdbversion(client, 3);
 if (result != ISC_R_SUCCESS) {
@@ -499,7 +530,7 @@ query_findversion(ns_client_t *client, dns_db_t *db,
 {
 ns_dbversion_t *dbversion;
- /*
+ /*%
 * We may already have done a query related to this
 * database. If so, we must be sure to make subsequent
 * queries from the same version.
@@ -532,42 +563,23 @@ query_findversion(ns_client_t *client, dns_db_t *db,
 }
 static inline isc_result_t
-query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp)
+query_validatezonedb(ns_client_t *client, dns_name_t *name,
+ dns_rdatatype_t qtype, unsigned int options,
+ dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t **versionp)
 {
 isc_result_t result;
 isc_boolean_t check_acl, new_zone;
 dns_acl_t *queryacl;
 ns_dbversion_t *dbversion;
- unsigned int ztoptions;
- dns_zone_t *zone = NULL;
- dns_db_t *db = NULL;
- isc_boolean_t partial = ISC_FALSE;
- REQUIRE(zonep != NULL && *zonep == NULL);
- REQUIRE(dbp != NULL && *dbp == NULL);
-
- /*
- * Find a zone database to answer the query.
- */
- ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
- DNS_ZTFIND_NOEXACT : 0;
-
- result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
- &zone);
- if (result == DNS_R_PARTIALMATCH)
- partial = ISC_TRUE;
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- result = dns_zone_getdb(zone, &db);
-
- if (result != ISC_R_SUCCESS)
- goto fail;
+ REQUIRE(zone != NULL);
+ REQUIRE(db != NULL);
 /*
 * This limits our searching to the zone where the first name
 * (the query target) was looked for. This prevents following
- * CNAMES or DNAMES into other zones and prevents returning
+ * CNAMES or DNAMES into other zones and prevents returning
 * additional data from other zones.
 */
 if (!client->view->additionalfromauth &&
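Review bot: query_validatezonedb is introduced without a header comment, although it is now the function in which the zone path's allow-query decision is taken (the `check_acl`/`queryacl` locals here and the `ns_client_aclmsg("query", ...)` branch later in its body). A `/*% ... */` block above `static inline isc_result_t` stating that it checks whether 'client' may query 'name' in the already-located 'zone'/'db', stores the usable version in *versionp only when that pointer is non-NULL, and returns DNS_R_REFUSED when the zone's query ACL denies the client (both visible in the following hunk) would spare the next reader from reconstructing that contract from the `refuse:`/`fail:` labels. The function's body continues well past the end of this hunk.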
@@ -644,7 +656,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 ISC_LOG_DEBUG(3),
 "%s approved", msg);
 }
- } else {
+ } else {
 ns_client_aclmsg("query", name, qtype,
 client->view->rdclass,
 msg, sizeof(msg));
@@ -683,17 +695,63 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 */
 dbversion->queryok = ISC_TRUE;
+ /* Transfer ownership, if necessary. */
+ if (versionp != NULL)
+ *versionp = dbversion->version;
+
+ return (ISC_R_SUCCESS);
+
+ refuse:
+ return (DNS_R_REFUSED);
+
+ fail:
+ return (result);
+}
+
+static inline isc_result_t
+query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+ unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
+ dns_dbversion_t **versionp)
+{
+ isc_result_t result;
+ unsigned int ztoptions;
+ dns_zone_t *zone = NULL;
+ dns_db_t *db = NULL;
+ isc_boolean_t partial = ISC_FALSE;
+
+ REQUIRE(zonep != NULL && *zonep == NULL);
+ REQUIRE(dbp != NULL && *dbp == NULL);
+
+ /*%
+ * Find a zone database to answer the query.
+ */
+ ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
+ DNS_ZTFIND_NOEXACT : 0;
+
+ result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
+ &zone);
+ if (result == DNS_R_PARTIALMATCH)
+ partial = ISC_TRUE;
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ result = dns_zone_getdb(zone, &db);
+
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = query_validatezonedb(client, name, qtype, options, zone, db,
+ versionp);
+
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
 /* Transfer ownership. */
 *zonep = zone;
 *dbp = db;
- *versionp = dbversion->version;
 if (partial && (options & DNS_GETDB_PARTIAL) != 0)
 return (DNS_R_PARTIALMATCH);
 return (ISC_R_SUCCESS);
- refuse:
- result = DNS_R_REFUSED;
 fail:
 if (zone != NULL)
 dns_zone_detach(&zone);
@@ -713,7 +771,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 REQUIRE(dbp != NULL && *dbp == NULL);
- /*
+ /*%
 * Find a cache database to answer the query.
 * This may fail with DNS_R_REFUSED if the client
 * is not allowed to use the cache.
@@ -745,7 +803,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 if (check_acl) {
 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
-
+
 result = ns_client_checkaclsilent(client, client->view->queryacl,
 ISC_TRUE);
@@ -811,9 +869,85 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 {
 isc_result_t result;
+#ifdef DLZ
+ isc_result_t tresult;
+ unsigned int namelabels;
+ unsigned int zonelabels;
+ dns_zone_t *zone = NULL;
+ dns_db_t *tdbp;
+
+ REQUIRE(zonep != NULL && *zonep == NULL);
+
+ tdbp = NULL;
+
+ /* Calculate how many labels are in name. */
+ namelabels = dns_name_countlabels(name);
+ zonelabels = 0;
+
+ /* Try to find name in bind's standard database. */
+ result = query_getzonedb(client, name, qtype, options, &zone,
+ dbp, versionp);
+
+ /* See how many labels are in the zone's name. */
+ if (result == ISC_R_SUCCESS && zone != NULL)
+ zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
+ /*
+ * If # zone labels < # name labels, try to find an even better match
+ * Only try if a DLZ driver is loaded for this view
+ */
+ if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
+ tresult = dns_dlzfindzone(client->view, name,
+ zonelabels, &tdbp);
+ /* If we successful, we found a better match. */
+ if (tresult == ISC_R_SUCCESS) {
+ /*
+ * If the previous search returned a zone, detach it.
+ */
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ /*
+ * If the previous search returned a database,
+ * detach it.
+ */
+ if (*dbp != NULL)
+ dns_db_detach(dbp);
+
+ /*
+ * If the previous search returned a version, clear it.
+ */
+ *versionp = NULL;
+
+ /*
+ * Get our database version.
+ */
+ dns_db_currentversion(tdbp, versionp);
+
+ /*
+ * Be sure to return our database.
+ */
+ *dbp = tdbp;
+
+ /*
+ * We return a null zone, No stats for DLZ zones.
+ */
+ zone = NULL;
+ result = tresult;
+ }
+ }
+#else
 result = query_getzonedb(client, name, qtype, options, zonep,
 dbp, versionp);
+#endif
+
+ /* If successfull, Transfer ownership of zone. 
 */
 if (result == ISC_R_SUCCESS) {
+#ifdef DLZ
+ *zonep = zone;
+#endif
+ /*
+ * If neither attempt above succeeded, return the cache instead
+ */
 *is_zonep = ISC_TRUE;
 } else if (result == ISC_R_NOTFOUND) {
 result = query_getcachedb(client, name, qtype, dbp, options);
@@ -975,10 +1109,23 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 * Most likely the client isn't allowed to query the cache.
 */
 goto try_glue;
-
- result = dns_db_find(db, name, version, type, client->query.dboptions,
+ /*
+ * Attempt to validate glue.
+ */
+ if (sigrdataset == NULL) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL)
+ goto cleanup;
+ }
+ result = dns_db_find(db, name, version, type,
+ client->query.dboptions | DNS_DBFIND_GLUEOK,
 client->now, &node, fname, rdataset, sigrdataset);
+ if (result == DNS_R_GLUE &&
+ validate(client, db, fname, rdataset, sigrdataset))
+ result = ISC_R_SUCCESS;
+ if (!WANTDNSSEC(client))
+ query_putrdataset(client, &sigrdataset);
 if (result == ISC_R_SUCCESS)
 goto found;
@@ -1192,7 +1339,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 * recursing to add address records, which in turn can cause
 * recursion to add KEYs.
 */
- if (type == dns_rdatatype_srv && trdataset != NULL) {
+ if (type == dns_rdatatype_srv && trdataset != NULL) {
 /*
 * If we're adding SRV records to the additional data
 * section, it's helpful if we add the SRV additional data
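Review bot: In the DLZ branch of query_getdb, `zonelabels` stays 0 whenever query_getzonedb returns anything other than ISC_R_SUCCESS, so the `zonelabels < namelabels` test also admits the case where the zone path returned DNS_R_REFUSED (the ACL denial from query_validatezonedb), and a successful dns_dlzfindzone then replaces that refusal with its own database via `result = tresult;`. Unless dns_dlzfindzone applies the view's query ACL itself, which is not visible here, an allow-query denial is silently discarded for any name a DLZ driver can serve; guarding the fallback with `if (result != DNS_R_REFUSED && zonelabels < namelabels && client->view->dlzdatabase != NULL) {` would keep the refusal authoritative. Separately, a DNS_R_PARTIALMATCH result (possible when the caller passes DNS_GETDB_PARTIAL, per the new query_getzonedb) leaves a zone reference in the local `zone`, but `*zonep = zone;` is only executed on ISC_R_SUCCESS, so that reference is never handed to the caller; the function's tail lies outside the hunk, so confirm that nothing there releases it, otherwise add `if (result == DNS_R_PARTIALMATCH) *zonep = zone;` under the same `#ifdef DLZ`.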
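Review bot: The "Attempt to validate glue." comment in query_addadditional does not say why a DNS_R_GLUE result is promoted to ISC_R_SUCCESS, which is the security-relevant part of this hunk; a comment such as `/* Glue from the cache is only promoted to a usable answer when validate() accepts its signatures. */` above the `if (result == DNS_R_GLUE &&` line would make that intent explicit (the context lines above suggest 'db' is the cache database here; confirm). Note also that `query_putrdataset(client, &sigrdataset)` runs before the `goto found`, so for a client without WANTDNSSEC the code at `found:` (outside this hunk) sees a NULL sigrdataset; that is presumably tolerated, as the original path also reached `found:` without a guaranteed sigrdataset, but it is worth checking. The enclosing function starts and ends outside the hunk.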
@@ -1222,9 +1369,523 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } static inline void +query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base, + dns_rdatasetadditional_t additionaltype, + dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbversion_t **versionp, dns_dbnode_t **nodep, + dns_name_t *fname) +{ + dns_rdataset_t *rdataset; + + while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) { + ISC_LIST_UNLINK(fname->list, rdataset, link); + query_putrdataset(client, &rdataset); + } + if (*versionp != NULL) + dns_db_closeversion(*dbp, versionp, ISC_FALSE); + if (*nodep != NULL) + dns_db_detachnode(*dbp, nodep); + if (*dbp != NULL) + dns_db_detach(dbp); + if (*zonep != NULL) + dns_zone_detach(zonep); + (void)dns_rdataset_putadditional(client->view->acache, rdataset_base, + additionaltype, type); +} + +static inline isc_result_t +query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0, + dns_dbversion_t *version) +{ + isc_result_t result = ISC_R_SUCCESS; + dns_dbversion_t *version_current = NULL; + dns_db_t *db_current = db0; + + if (db_current == NULL) { + result = dns_zone_getdb(zone, &db_current); + if (result != ISC_R_SUCCESS) + return (result); + } + dns_db_currentversion(db_current, &version_current); + if (db_current != db || version_current != version) { + result = ISC_R_FAILURE; + goto cleanup; + } + + cleanup: + dns_db_closeversion(db_current, &version_current, ISC_FALSE); + if (db0 == NULL && db_current != NULL) + dns_db_detach(&db_current); + + return (result); +} + +static isc_result_t +query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { + client_additionalctx_t *additionalctx = arg; + dns_rdataset_t *rdataset_base; + ns_client_t *client; + isc_result_t result, eresult; + dns_dbnode_t *node, *cnode; + dns_db_t *db, *cdb; + dns_name_t *fname, *mname0, cfname; + dns_rdataset_t *rdataset, *sigrdataset; + dns_rdataset_t *crdataset, *crdataset_next; + isc_buffer_t 
*dbuf; + isc_buffer_t b; + dns_dbversion_t *version, *cversion; + isc_boolean_t added_something, need_addname, needadditionalcache; + isc_boolean_t need_sigrrset; + dns_zone_t *zone; + dns_rdatatype_t type; + dns_rdatasetadditional_t additionaltype; + + if (qtype != dns_rdatatype_a) { + /* + * This function is optimized for "address" types. For other + * types, use a generic routine. + * XXX: ideally, this function should be generic enough. + */ + return (query_addadditional(additionalctx->client, + name, qtype)); + } + + /* + * Initialization. + */ + rdataset_base = additionalctx->rdataset; + client = additionalctx->client; + REQUIRE(NS_CLIENT_VALID(client)); + eresult = ISC_R_SUCCESS; + fname = NULL; + rdataset = NULL; + sigrdataset = NULL; + db = NULL; + cdb = NULL; + version = NULL; + cversion = NULL; + node = NULL; + cnode = NULL; + added_something = ISC_FALSE; + need_addname = ISC_FALSE; + zone = NULL; + needadditionalcache = ISC_FALSE; + additionaltype = dns_rdatasetadditional_fromauth; + dns_name_init(&cfname, NULL); + + CTRACE("query_addadditional2"); + + /* + * We treat type A additional section processing as if it + * were "any address type" additional section processing. + * To avoid multiple lookups, we do an 'any' database + * lookup and iterate over the node. + * XXXJT: this approach can cause a suboptimal result when the cache + * DB only has partial address types and the glue DB has remaining + * ones. + */ + type = dns_rdatatype_any; + + /* + * Get some resources. 
+ */ + dbuf = query_getnamebuf(client); + if (dbuf == NULL) + goto cleanup; + fname = query_newname(client, dbuf, &b); + if (fname == NULL) + goto cleanup; + dns_name_setbuffer(&cfname, &b); /* share the buffer */ + + /* Check additional cache */ + result = dns_rdataset_getadditional(rdataset_base, additionaltype, + type, client->view->acache, &zone, + &cdb, &cversion, &cnode, &cfname, + client->message, client->now); + if (result != ISC_R_SUCCESS) + goto findauthdb; + if (zone == NULL) { + CTRACE("query_addadditional2: auth zone not found"); + goto try_cache; + } + + /* Is the cached DB up-to-date? */ + result = query_iscachevalid(zone, cdb, NULL, cversion); + if (result != ISC_R_SUCCESS) { + CTRACE("query_addadditional2: old auth additional cache"); + query_discardcache(client, rdataset_base, additionaltype, + type, &zone, &cdb, &cversion, &cnode, + &cfname); + goto findauthdb; + } + + if (cnode == NULL) { + /* + * We have a negative cache. We don't have to check the zone + * ACL, since the result (not using this zone) would be same + * regardless of the result. + */ + CTRACE("query_addadditional2: negative auth additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + dns_db_detach(&cdb); + dns_zone_detach(&zone); + goto try_cache; + } + + result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG, + zone, cdb, NULL); + if (result != ISC_R_SUCCESS) { + query_discardcache(client, rdataset_base, additionaltype, + type, &zone, &cdb, &cversion, &cnode, + &cfname); + goto try_cache; + } + + /* We've got an active cache. */ + CTRACE("query_addadditional2: auth additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + db = cdb; + node = cnode; + dns_name_clone(&cfname, fname); + query_keepname(client, fname, dbuf); + goto foundcache; + + /* + * Look for a zone database that might contain authoritative + * additional data. 
+ */ + findauthdb: + result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG, + &zone, &db, &version); + if (result != ISC_R_SUCCESS) { + /* Cache the negative result */ + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, + NULL, NULL, NULL, NULL, + NULL); + goto try_cache; + } + + CTRACE("query_addadditional2: db_find"); + + /* + * Since we are looking for authoritative data, we do not set + * the GLUEOK flag. Glue will be looked for later, but not + * necessarily in the same database. + */ + node = NULL; + result = dns_db_find(db, name, version, type, client->query.dboptions, + client->now, &node, fname, NULL, NULL); + if (result == ISC_R_SUCCESS) + goto found; + + /* Cache the negative result */ + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, zone, db, + version, NULL, fname); + + if (node != NULL) + dns_db_detachnode(db, &node); + version = NULL; + dns_db_detach(&db); + + /* + * No authoritative data was found. The cache is our next best bet. + */ + + try_cache: + additionaltype = dns_rdatasetadditional_fromcache; + result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG); + if (result != ISC_R_SUCCESS) + /* + * Most likely the client isn't allowed to query the cache. + */ + goto try_glue; + + result = dns_db_find(db, name, version, type, + client->query.dboptions | DNS_DBFIND_GLUEOK, + client->now, &node, fname, NULL, NULL); + if (result == ISC_R_SUCCESS) + goto found; + + if (node != NULL) + dns_db_detachnode(db, &node); + dns_db_detach(&db); + + try_glue: + /* + * No cached data was found. Glue is our last chance. + * RFC1035 sayeth: + * + * NS records cause both the usual additional section + * processing to locate a type A record, and, when used + * in a referral, a special search of the zone in which + * they reside for glue information. + * + * This is the "special search". 
Note that we must search + * the zone where the NS record resides, not the zone it + * points to, and that we only do the search in the delegation + * case (identified by client->query.gluedb being set). + */ + if (client->query.gluedb == NULL) + goto cleanup; + + /* + * Don't poision caches using the bailiwick protection model. + */ + if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb))) + goto cleanup; + + /* Check additional cache */ + additionaltype = dns_rdatasetadditional_fromglue; + result = dns_rdataset_getadditional(rdataset_base, additionaltype, + type, client->view->acache, NULL, + &cdb, &cversion, &cnode, &cfname, + client->message, client->now); + if (result != ISC_R_SUCCESS) + goto findglue; + + result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion); + if (result != ISC_R_SUCCESS) { + CTRACE("query_addadditional2: old glue additional cache"); + query_discardcache(client, rdataset_base, additionaltype, + type, &zone, &cdb, &cversion, &cnode, + &cfname); + goto findglue; + } + + if (cnode == NULL) { + /* We have a negative cache. */ + CTRACE("query_addadditional2: negative glue additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + dns_db_detach(&cdb); + goto cleanup; + } + + /* Cache hit. 
*/ + CTRACE("query_addadditional2: glue additional cache"); + dns_db_closeversion(cdb, &cversion, ISC_FALSE); + db = cdb; + node = cnode; + dns_name_clone(&cfname, fname); + query_keepname(client, fname, dbuf); + goto foundcache; + + findglue: + dns_db_attach(client->query.gluedb, &db); + result = dns_db_find(db, name, version, type, + client->query.dboptions | DNS_DBFIND_GLUEOK, + client->now, &node, fname, NULL, NULL); + if (!(result == ISC_R_SUCCESS || + result == DNS_R_ZONECUT || + result == DNS_R_GLUE)) { + /* cache the negative result */ + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, + NULL, db, version, NULL, + fname); + goto cleanup; + } + + found: + /* + * We have found a DB node to iterate over from a DB. + * We are going to look for address RRsets (i.e., A and AAAA) in the DB + * node we've just found. We'll then store the complete information + * in the additional data cache. + */ + dns_name_clone(fname, &cfname); + query_keepname(client, fname, dbuf); + needadditionalcache = ISC_TRUE; + + rdataset = query_newrdataset(client); + if (rdataset == NULL) + goto cleanup; + + sigrdataset = query_newrdataset(client); + if (sigrdataset == NULL) + goto cleanup; + + /* + * Find A RRset with sig RRset. Even if we don't find a sig RRset + * for a client using DNSSEC, we'll continue the process to make a + * complete list to be cached. However, we need to cancel the + * caching when something unexpected happens, in order to avoid + * caching incomplete information. + */ + result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0, + client->now, rdataset, sigrdataset); + /* + * If we can't promote glue/pending from the cache to secure + * then drop it. 
+ */ + if (result == ISC_R_SUCCESS && + additionaltype == dns_rdatasetadditional_fromcache && + (rdataset->trust == dns_trust_pending || + rdataset->trust == dns_trust_glue) && + !validate(client, db, fname, rdataset, sigrdataset)) { + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + result = ISC_R_NOTFOUND; + } + if (result == DNS_R_NCACHENXDOMAIN) + goto setcache; + if (result == DNS_R_NCACHENXRRSET) { + dns_rdataset_disassociate(rdataset); + /* + * Negative cache entries don't have sigrdatasets. + */ + INSIST(! dns_rdataset_isassociated(sigrdataset)); + } + if (result == ISC_R_SUCCESS) { + /* Remember the result as a cache */ + ISC_LIST_APPEND(cfname.list, rdataset, link); + if (dns_rdataset_isassociated(sigrdataset)) { + ISC_LIST_APPEND(cfname.list, sigrdataset, link); + sigrdataset = query_newrdataset(client); + } + rdataset = query_newrdataset(client); + if (sigrdataset == NULL || rdataset == NULL) { + /* do not cache incomplete information */ + goto foundcache; + } + } + + /* Find AAAA RRset with sig RRset */ + result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa, + 0, client->now, rdataset, sigrdataset); + /* + * If we can't promote glue/pending from the cache to secure + * then drop it. + */ + if (result == ISC_R_SUCCESS && + additionaltype == dns_rdatasetadditional_fromcache && + (rdataset->trust == dns_trust_pending || + rdataset->trust == dns_trust_glue) && + !validate(client, db, fname, rdataset, sigrdataset)) { + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + result = ISC_R_NOTFOUND; + } + if (result == ISC_R_SUCCESS) { + ISC_LIST_APPEND(cfname.list, rdataset, link); + rdataset = NULL; + if (dns_rdataset_isassociated(sigrdataset)) { + ISC_LIST_APPEND(cfname.list, sigrdataset, link); + sigrdataset = NULL; + } + } + + setcache: + /* + * Set the new result in the cache if required. 
We do not support + * caching additional data from a cache DB. + */ + if (needadditionalcache == ISC_TRUE && + (additionaltype == dns_rdatasetadditional_fromauth || + additionaltype == dns_rdatasetadditional_fromglue)) { + (void)dns_rdataset_setadditional(rdataset_base, additionaltype, + type, client->view->acache, + zone, db, version, node, + &cfname); + } + + foundcache: + need_sigrrset = ISC_FALSE; + mname0 = NULL; + for (crdataset = ISC_LIST_HEAD(cfname.list); + crdataset != NULL; + crdataset = crdataset_next) { + dns_name_t *mname; + + crdataset_next = ISC_LIST_NEXT(crdataset, link); + + mname = NULL; + if (crdataset->type == dns_rdatatype_a || + crdataset->type == dns_rdatatype_aaaa) { + if (!query_isduplicate(client, fname, crdataset->type, + &mname)) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname->link could + * leak below. + */ + INSIST(mname0 == NULL); + + query_releasename(client, &fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; + ISC_LIST_UNLINK(cfname.list, crdataset, link); + ISC_LIST_APPEND(fname->list, crdataset, link); + added_something = ISC_TRUE; + need_sigrrset = ISC_TRUE; + } else + need_sigrrset = ISC_FALSE; + } else if (crdataset->type == dns_rdatatype_rrsig && + need_sigrrset && WANTDNSSEC(client)) { + ISC_LIST_UNLINK(cfname.list, crdataset, link); + ISC_LIST_APPEND(fname->list, crdataset, link); + added_something = ISC_TRUE; /* just in case */ + need_sigrrset = ISC_FALSE; + } + } + + CTRACE("query_addadditional2: addname"); + + /* + * If we haven't added anything, then we're done. + */ + if (!added_something) + goto cleanup; + + /* + * We may have added our rdatasets to an existing name, if so, then + * need_addname will be ISC_FALSE. Whether we used an existing name + * or a new one, we must set fname to NULL to prevent cleanup. 
+ */ + if (need_addname) + dns_message_addname(client->message, fname, + DNS_SECTION_ADDITIONAL); + fname = NULL; + + cleanup: + CTRACE("query_addadditional2: cleanup"); + + if (rdataset != NULL) + query_putrdataset(client, &rdataset); + if (sigrdataset != NULL) + query_putrdataset(client, &sigrdataset); + while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) { + ISC_LIST_UNLINK(cfname.list, crdataset, link); + query_putrdataset(client, &crdataset); + } + if (fname != NULL) + query_releasename(client, &fname); + if (node != NULL) + dns_db_detachnode(db, &node); + if (db != NULL) + dns_db_detach(&db); + if (zone != NULL) + dns_zone_detach(&zone); + + CTRACE("query_addadditional2: done"); + return (eresult); +} + +static inline void query_addrdataset(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { + client_additionalctx_t additionalctx; + /* * Add 'rdataset' and any pertinent additional data to * 'fname', a name in the response message for 'client'. @@ -1238,6 +1899,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, rdataset->attributes |= dns_order_find(client->view->order, fname, rdataset->type, rdataset->rdclass); + rdataset->attributes |= DNS_RDATASETATTR_LOADORDER; + if (NOADDITIONAL(client)) return; @@ -1246,8 +1909,10 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, * * We don't care if dns_rdataset_additionaldata() fails. */ - (void)dns_rdataset_additionaldata(rdataset, - query_addadditional, client); + additionalctx.client = client; + additionalctx.rdataset = rdataset; + (void)dns_rdataset_additionaldata(rdataset, query_addadditional2, + &additionalctx); CTRACE("query_addrdataset: done"); } 
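Review bot: On the negative-result path after `findauthdb:`, `version = NULL;` is executed right before `dns_db_detach(&db)` without a dns_db_closeversion(), and the `cleanup:` label likewise detaches db while version may still be set; query_iscachevalid() in the same hunk closes every version it opens, so if query_getzonedb() hands back a version opened with dns_db_currentversion() (outside this view) the new function leaks it on both paths. A guarded `if (version != NULL) dns_db_closeversion(db, &version, ISC_FALSE);` before each dns_db_detach(&db) would match the helper's handling. Separately, query_addadditional2 is roughly 500 lines with nine labels; the auth-cache, glue-cache and A/AAAA-collection stages each have a clean entry and exit and would read better as static helpers. The comment at try_glue reads "poision" for "poison".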
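Review bot: `rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;` is ORed in unconditionally right after the rrset-order lookup, so an rdataset can carry both the configured order attribute and LOADORDER at once, and which one the renderer honours is not visible here. A comment on that line stating the intended precedence, for example `/* LOADORDER applies when no rrset-order attribute selects otherwise */` if that is the rule, would stop the next reader from assuming it overrides the configured order. query_addrdataset's body continues outside the hunk.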
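Review bot: `additionalctx` is a stack local of query_addrdataset (declared at the top of the function in the previous hunk) whose address is handed to dns_rdataset_additionaldata(); that is only safe if the callback runs synchronously and query_addadditional2 never retains the pointer, which it does not appear to do. A comment at the declaration, `/* valid only for the duration of the synchronous additionaldata callback */`, records the lifetime assumption. The end of query_addrdataset is in this hunk but its start is not.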
@@ -1260,7 +1925,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, *mrdataset, *sigrdataset; isc_result_t result; - /* + /*% * To the current response for 'client', add the answer RRset * '*rdatasetp' and an optional signature set '*sigrdatasetp', with * owner name '*namep', to section 'section', unless they are @@ -1328,11 +1993,12 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, } static inline isc_result_t -query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { - dns_name_t *name, *fname; +query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, + isc_boolean_t zero_ttl) +{ + dns_name_t *name; dns_dbnode_t *node; isc_result_t result, eresult; - dns_fixedname_t foundname; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; dns_rdataset_t **sigrdatasetp = NULL; @@ -1344,8 +2010,6 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { name = NULL; rdataset = NULL; node = NULL; - dns_fixedname_init(&foundname); - fname = dns_fixedname_name(&foundname); /* * Get resources and make 'name' be the database origin. @@ -1371,9 +2035,23 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { /* * Find the SOA. */ - result = dns_db_find(db, name, NULL, dns_rdatatype_soa, - client->query.dboptions, 0, &node, - fname, rdataset, sigrdataset); + result = dns_db_getoriginnode(db, &node); + if (result == ISC_R_SUCCESS) { + result = dns_db_findrdataset(db, node, version, + dns_rdatatype_soa, + 0, client->now, rdataset, + sigrdataset); + } else { + dns_fixedname_t foundname; + dns_name_t *fname; + + dns_fixedname_init(&foundname); + fname = dns_fixedname_name(&foundname); + + result = dns_db_find(db, name, version, dns_rdatatype_soa, + client->query.dboptions, 0, &node, + fname, rdataset, sigrdataset); + } if (result != ISC_R_SUCCESS) { /* * This is bad. We tried to get the SOA RR at the zone top 
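Review bot: The two SOA lookup branches use different time arguments: the dns_db_findrdataset() path passes `client->now` while the dns_db_find() fallback still passes `0` (inherited from the removed code), and the two now sit side by side. Either pass `client->now` in the fallback too (the argument line becoming `client->query.dboptions, client->now, &node,`) or add a comment saying why 0 is deliberate there. query_addsoa continues outside the hunk.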
@@ -1429,7 +2107,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { } static inline isc_result_t -query_addns(ns_client_t *client, dns_db_t *db) { +query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { dns_name_t *name, *fname; dns_dbnode_t *node; isc_result_t result, eresult; @@ -1476,13 +2154,22 @@ query_addns(ns_client_t *client, dns_db_t *db) { /* * Find the NS rdataset. */ - CTRACE("query_addns: calling dns_db_find"); - result = dns_db_find(db, name, NULL, dns_rdatatype_ns, - client->query.dboptions, 0, &node, - fname, rdataset, sigrdataset); - CTRACE("query_addns: dns_db_find complete"); + result = dns_db_getoriginnode(db, &node); + if (result == ISC_R_SUCCESS) { + result = dns_db_findrdataset(db, node, version, + dns_rdatatype_ns, + 0, client->now, rdataset, + sigrdataset); + } else { + CTRACE("query_addns: calling dns_db_find"); + result = dns_db_find(db, name, NULL, dns_rdatatype_ns, + client->query.dboptions, 0, &node, + fname, rdataset, sigrdataset); + CTRACE("query_addns: dns_db_find complete"); + } if (result != ISC_R_SUCCESS) { - CTRACE("query_addns: dns_db_find failed"); + CTRACE("query_addns: " + "dns_db_findrdataset or dns_db_find failed"); /* * This is bad. We tried to get the NS rdataset at the zone * top and it didn't work! 
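Review bot: In the dns_db_find() fallback the new `version` parameter is not used — the call still passes `NULL` as the version, `result = dns_db_find(db, name, NULL, dns_rdatatype_ns,`, whereas the dns_db_findrdataset() branch just above and the equivalent fallback in query_addsoa (hunk at -1371) both use `version`. Unless NULL is intended, the line should read `result = dns_db_find(db, name, version, dns_rdatatype_ns,` so both branches read the version the caller selected. As in query_addsoa, the fallback also passes `0` rather than `client->now`. query_addns continues outside the hunk.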
@@ -1575,6 +2262,161 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname, return (ISC_R_SUCCESS); } +/* + * Mark the RRsets as secure. Update the cache (db) to reflect the + * change in trust level. + */ +static void +mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) +{ + isc_result_t result; + dns_dbnode_t *node = NULL; + + rdataset->trust = dns_trust_secure; + sigrdataset->trust = dns_trust_secure; + + /* + * Save the updated secure state. Ignore failures. + */ + result = dns_db_findnode(db, name, ISC_TRUE, &node); + if (result != ISC_R_SUCCESS) + return; + (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset, + 0, NULL); + (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset, + 0, NULL); + dns_db_detachnode(db, &node); +} + +/* + * Find the secure key that corresponds to rrsig. + * Note: 'keyrdataset' maintains state between sucessive calls, + * there may be multiple keys with the same keyid. + * Return ISC_FALSE if we have exhausted all the possible keys. 
+ */ +static isc_boolean_t +get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, + dns_rdataset_t *keyrdataset, dst_key_t **keyp) +{ + isc_result_t result; + dns_dbnode_t *node = NULL; + isc_boolean_t secure = ISC_FALSE; + + if (!dns_rdataset_isassociated(keyrdataset)) { + result = dns_db_findnode(db, &rrsig->signer, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) + return (ISC_FALSE); + + result = dns_db_findrdataset(db, node, NULL, + dns_rdatatype_dnskey, 0, + client->now, keyrdataset, NULL); + dns_db_detachnode(db, &node); + if (result != ISC_R_SUCCESS) + return (ISC_FALSE); + + if (keyrdataset->trust != dns_trust_secure) + return (ISC_FALSE); + + result = dns_rdataset_first(keyrdataset); + } else + result = dns_rdataset_next(keyrdataset); + + for ( ; result == ISC_R_SUCCESS; + result = dns_rdataset_next(keyrdataset)) { + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_buffer_t b; + + dns_rdataset_current(keyrdataset, &rdata); + isc_buffer_init(&b, rdata.data, rdata.length); + isc_buffer_add(&b, rdata.length); + result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b, + client->mctx, keyp); + if (result != ISC_R_SUCCESS) + continue; + if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) && + rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) && + dst_key_iszonekey(*keyp)) { + secure = ISC_TRUE; + break; + } + dst_key_free(keyp); + } + return (secure); +} + +static isc_boolean_t +verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired) +{ + isc_result_t result; + dns_fixedname_t fixed; + isc_boolean_t ignore = ISC_FALSE; + + dns_fixedname_init(&fixed); + +again: + result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx, + rdata, NULL); + if (result == DNS_R_SIGEXPIRED && acceptexpired) { + ignore = ISC_TRUE; + goto again; + } + if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) + return (ISC_TRUE); + return (ISC_FALSE); +} + +/* + * Validate the rdataset 
if possible with available records. + */ +static isc_boolean_t +validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) +{ + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_rrsig_t rrsig; + dst_key_t *key = NULL; + dns_rdataset_t keyrdataset; + + if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)) + return (ISC_FALSE); + + for (result = dns_rdataset_first(sigrdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(sigrdataset)) { + + dns_rdata_reset(&rdata); + dns_rdataset_current(sigrdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &rrsig, NULL); + if (result != ISC_R_SUCCESS) + return (ISC_FALSE); + if (!dns_resolver_algorithm_supported(client->view->resolver, + name, rrsig.algorithm)) + continue; + if (!dns_name_issubdomain(name, &rrsig.signer)) + continue; + dns_rdataset_init(&keyrdataset); + do { + if (!get_key(client, db, &rrsig, &keyrdataset, &key)) + break; + if (verify(key, name, rdataset, &rdata, client->mctx, + client->view->acceptexpired)) { + dst_key_free(&key); + dns_rdataset_disassociate(&keyrdataset); + mark_secure(client, db, name, rdataset, + sigrdataset); + return (ISC_TRUE); + } + dst_key_free(&key); + } while (1); + if (dns_rdataset_isassociated(&keyrdataset)) + dns_rdataset_disassociate(&keyrdataset); + } + return (ISC_FALSE); +} + static void query_addbestns(ns_client_t *client) { dns_db_t *db, *zdb; @@ -1622,7 +2464,11 @@ query_addbestns(ns_client_t *client) { rdataset = query_newrdataset(client); if (fname == NULL || rdataset == NULL) goto cleanup; - if (WANTDNSSEC(client)) { + /* + * Get the RRSIGs if the client requested them or if we may + * need to validate answers from the cache. + */ + if (WANTDNSSEC(client) || !is_zone) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) goto cleanup; 
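Review bot: `verify()` declares and initialises `dns_fixedname_t fixed` but never uses it; the two lines `dns_fixedname_t fixed;` and `dns_fixedname_init(&fixed);` can be dropped. The header comment on validate() should state its side effect: on success it calls mark_secure(), which writes rdataset and sigrdataset back into `db` with dns_trust_secure, so a caller passing a cache database is changing cached trust levels, not merely checking a signature. get_key() accepts a DNSKEY RRset only when `keyrdataset->trust` is already secure and the key is a zone key matching the RRSIG's algorithm and keyid, which is the right gate and deserves a sentence in its comment as the reason a pending DNSKEY cannot bootstrap itself. That comment also reads "sucessive" for "successive".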
@@ -1698,16 +2544,27 @@ query_addbestns(ns_client_t *client) { zsigrdataset = NULL; } - if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 && - (rdataset->trust == dns_trust_pending || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))) + /* + * Attempt to validate RRsets that are pending or that are glue. + */ + if ((rdataset->trust == dns_trust_pending || + (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)) + && !validate(client, db, fname, rdataset, sigrdataset) && + (client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0) goto cleanup; - if (WANTDNSSEC(client) && SECURE(client) && - (rdataset->trust == dns_trust_glue || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue))) + if ((rdataset->trust == dns_trust_glue || + (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) && + !validate(client, db, fname, rdataset, sigrdataset) && + SECURE(client) && WANTDNSSEC(client)) goto cleanup; + /* + * If the client doesn't want DNSSEC we can discard the sigrdataset + * now. + */ + if (!WANTDNSSEC(client)) + query_putrdataset(client, &sigrdataset); query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); @@ -1837,20 +2694,20 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, * Given: * example SOA * example NSEC b.example - * b.example A - * b.example NSEC a.d.example - * a.d.example A - * a.d.example NSEC g.f.example - * g.f.example A - * g.f.example NSEC z.i.example - * z.i.example A - * z.i.example NSEC example + * b.example A + * b.example NSEC a.d.example + * a.d.example A + * a.d.example NSEC g.f.example + * g.f.example A + * g.f.example NSEC z.i.example + * z.i.example A + * z.i.example NSEC example * * QNAME: * a.example -> example NSEC b.example - * owner common example - * next common example - * wild *.example + * owner common example + * next common example + * wild *.example * d.b.example -> b.example NSEC a.d.example * owner common b.example * next common example 
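Review bot: The rewritten conditions call validate() before the cheap flag tests, so a signature verification (and, on success, a write into the cache through mark_secure()) runs for every pending or glue NS RRset even when DNS_DBFIND_PENDINGOK is set or the client has neither DO nor a secure view; the removed code tested those flags first. If promoting cache entries on every query is intended, a comment should say so; otherwise move `(client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0` and `SECURE(client) && WANTDNSSEC(client)` ahead of the `!validate(...)` term in their respective conditions so the crypto only runs when its outcome decides anything. The enclosing query_addbestns starts and ends outside the hunk.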
@@ -1861,7 +2718,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, * wild *.f.example * j.example -> z.i.example NSEC example * owner common example - * next common example + * next common example * wild *.f.example */ options = client->query.dboptions | DNS_DBFIND_NOWILD; @@ -1922,7 +2779,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, name = wname; goto again; } - } + } cleanup: if (rdataset != NULL) query_putrdataset(client, &rdataset); @@ -2068,6 +2925,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, { isc_result_t result; dns_rdataset_t *rdataset, *sigrdataset; + isc_sockaddr_t *peeraddr; inc_stats(client, dns_statscounter_recursion); @@ -2149,14 +3007,19 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, if (client->query.timerset == ISC_FALSE) ns_client_settimeout(client, 60); - result = dns_resolver_createfetch(client->view->resolver, - client->query.qname, - qtype, qdomain, nameservers, - NULL, client->query.fetchoptions, - client->task, - query_resume, client, - rdataset, sigrdataset, - &client->query.fetch); + if ((client->attributes & NS_CLIENTATTR_TCP) == 0) + peeraddr = &client->peeraddr; + else + peeraddr = NULL; + result = dns_resolver_createfetch2(client->view->resolver, + client->query.qname, + qtype, qdomain, nameservers, + NULL, peeraddr, client->message->id, + client->query.fetchoptions, + client->task, + query_resume, client, + rdataset, sigrdataset, + &client->query.fetch); if (result == ISC_R_SUCCESS) { /* @@ -2193,7 +3056,7 @@ static isc_result_t rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) { struct in_addr ina; struct in6_addr in6a; - + switch (rdata->type) { case dns_rdatatype_a: INSIST(rdata->length == 4); 
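Review bot: `peeraddr` is passed only for UDP clients and NULL for TCP, and the hunk gives no reason; a comment on the `if ((client->attributes & NS_CLIENTATTR_TCP) == 0)` line such as `/* peer address and message id are only meaningful for duplicate-query detection on UDP */` would record the intent — assuming that is what dns_resolver_createfetch2() uses them for, which is not visible here. The body of query_recurse continues outside the hunk.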
@@ -2246,7 +3109,7 @@ setup_query_sortlist(ns_client_t *client) { isc_netaddr_t netaddr; dns_rdatasetorderfunc_t order = NULL; const void *order_arg = NULL; - + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); switch (ns_sortlist_setup(client->view->sortlist, &netaddr, &order_arg)) { 
@@ -2331,6 +3194,111 @@ answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) { } } +#define NS_NAME_INIT(A,B) \ + { \ + DNS_NAME_MAGIC, \ + A, sizeof(A), sizeof(B), \ + DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \ + B, NULL, { (void *)-1, (void *)-1}, \ + {NULL, NULL} \ + } + +static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 }; +static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 }; +static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 }; + +static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA"; + +static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA"; + +static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA"; + +static dns_name_t rfc1918names[] = { + NS_NAME_INIT(inaddr10, inaddr10_offsets), + NS_NAME_INIT(inaddr16172, inaddr172_offsets), + NS_NAME_INIT(inaddr17172, inaddr172_offsets), + 
NS_NAME_INIT(inaddr18172, inaddr172_offsets), + NS_NAME_INIT(inaddr19172, inaddr172_offsets), + NS_NAME_INIT(inaddr20172, inaddr172_offsets), + NS_NAME_INIT(inaddr21172, inaddr172_offsets), + NS_NAME_INIT(inaddr22172, inaddr172_offsets), + NS_NAME_INIT(inaddr23172, inaddr172_offsets), + NS_NAME_INIT(inaddr24172, inaddr172_offsets), + NS_NAME_INIT(inaddr25172, inaddr172_offsets), + NS_NAME_INIT(inaddr26172, inaddr172_offsets), + NS_NAME_INIT(inaddr27172, inaddr172_offsets), + NS_NAME_INIT(inaddr28172, inaddr172_offsets), + NS_NAME_INIT(inaddr29172, inaddr172_offsets), + NS_NAME_INIT(inaddr30172, inaddr172_offsets), + NS_NAME_INIT(inaddr31172, inaddr172_offsets), + NS_NAME_INIT(inaddr168192, inaddr192_offsets) +}; + + +static unsigned char prisoner_data[] = "\010prisoner\004iana\003org"; +static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org"; + +static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 }; +static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 }; + +static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets); +static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets); + +static void +warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { + unsigned int i; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_soa_t soa; + dns_rdataset_t found; + isc_result_t result; + + for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) { + if (dns_name_issubdomain(fname, &rfc1918names[i])) { + dns_rdataset_init(&found); + result = dns_ncache_getrdataset(rdataset, + &rfc1918names[i], + dns_rdatatype_soa, + &found); + if (result != ISC_R_SUCCESS) + return; + + result = dns_rdataset_first(&found); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(&found, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + if (result != ISC_R_SUCCESS) + return; + if (dns_name_equal(&soa.origin, &prisoner) && + dns_name_equal(&soa.contact, &hostmaster)) { + 
char buf[DNS_NAME_FORMATSIZE]; + dns_name_format(fname, buf, sizeof(buf)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, + ISC_LOG_WARNING, + "RFC 1918 response from " + "Internet for %s", buf); + } + dns_rdataset_disassociate(&found); + return; + } + } +} + /* * Do the bulk of query processing for the current query of 'client'. * If 'event' is non-NULL, we are returning from recursion and 'qtype' @@ -2434,7 +3402,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto resume; } - + /* * Not returning from recursion. */ @@ -2527,10 +3495,20 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (is_zone) authoritative = ISC_TRUE; - + if (event == NULL && client->query.restarts == 0) { if (is_zone) { - dns_zone_attach(zone, &client->query.authzone); +#ifdef DLZ + if (zone != NULL) { + /* + * if is_zone = true, zone = NULL then this is + * a DLZ zone. Don't attempt to attach zone. + */ +#endif + dns_zone_attach(zone, &client->query.authzone); +#ifdef DLZ + } +#endif dns_db_attach(db, &client->query.authdb); } client->query.authdbset = ISC_TRUE; @@ -2625,7 +3603,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (result == ISC_R_SUCCESS) client->query.attributes |= NS_QUERYATTR_RECURSING; - else { + else if (result == DNS_R_DUPLICATE || + result == DNS_R_DROP) { + /* Duplicate query. */ + QUERY_ERROR(result); + } else { /* Unable to recurse. */ QUERY_ERROR(DNS_R_SERVFAIL); } @@ -2795,6 +3777,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (result == ISC_R_SUCCESS) client->query.attributes |= NS_QUERYATTR_RECURSING; + else if (result == DNS_R_DUPLICATE || + result == DNS_R_DROP) + QUERY_ERROR(result); else QUERY_ERROR(DNS_R_SERVFAIL); } else { 
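Review bot: The `dns_rdata_tostruct` failure path in `warn_rfc1918` returns while `found` is still associated, because `dns_ncache_getrdataset` succeeded a few lines earlier and `dns_rdataset_disassociate(&found)` is only reached on the success path; change it to `if (result != ISC_R_SUCCESS) { dns_rdataset_disassociate(&found); return; }`. The `RUNTIME_CHECK(result == ISC_R_SUCCESS)` after `dns_rdataset_first` turns an empty negative-cache SOA rdataset into a process abort on data that originated in a remote response; unless the ncache code guarantees at least one rdata here, handling it like the other failures (disassociate and return) is safer for a long-running resolver. `NS_NAME_INIT` also hard-codes the field order of `dns_name_t`, so a comment such as `/* Positional initializer: must track the field order of dns_name_t. */` would warn whoever next changes that struct.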
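Review bot: The comment `/* Duplicate query. */` added at `@@ -2625` covers only `DNS_R_DUPLICATE`, while the branch also handles `DNS_R_DROP`, and the parallel branch at `@@ -2795` has neither the comment nor braces; both sites would read consistently with one wording such as `/* Duplicate or dropped query: record the result, the response is deferred where eresult is examined. */`. Both branches sit inside `query_find`, whose body begins and ends outside these hunks.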
@@ -2851,7 +3836,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Add SOA. */ - result = query_addsoa(client, db, ISC_FALSE); + result = query_addsoa(client, db, version, ISC_FALSE); if (result != ISC_R_SUCCESS) { QUERY_ERROR(result); goto cleanup; @@ -2891,10 +3876,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * the containing zone of an arbitrary name with a stub * resolver and not have it cached. */ - if (qtype == dns_rdatatype_soa) - result = query_addsoa(client, db, ISC_TRUE); + if (qtype == dns_rdatatype_soa && +#ifdef DLZ + zone != NULL && +#endif + dns_zone_getzeronosoattl(zone)) + result = query_addsoa(client, db, version, ISC_TRUE); else - result = query_addsoa(client, db, ISC_FALSE); + result = query_addsoa(client, db, version, ISC_FALSE); if (result != ISC_R_SUCCESS) { QUERY_ERROR(result); goto cleanup; @@ -2930,6 +3919,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (result == DNS_R_NCACHENXDOMAIN) client->message->rcode = dns_rcode_nxdomain; /* + * Look for RFC 1918 leakage from Internet. + */ + if (result == DNS_R_NCACHENXDOMAIN && + qtype == dns_rdatatype_ptr && + client->message->rdclass == dns_rdataclass_in && + dns_name_countlabels(fname) == 7) + warn_rfc1918(client, fname, rdataset); + /* * We don't call query_addrrset() because we don't need any * of its extra features (and things would probably break!). */ @@ -3090,7 +4087,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_message_puttempname(client->message, &tname); if (result == ISC_R_NOSPACE) { /* - * RFC 2672, section 4.1, subsection 3c says + * RFC2672, section 4.1, subsection 3c says * we should return YXDOMAIN if the constructed * name would be too long. */ 
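Review bot: The `warn_rfc1918` call at `@@ -2930` fires on every NXDOMAIN PTR answer under RFC 1918 space, so any client that can send PTR queries for those addresses can produce an unbounded stream of `ISC_LOG_WARNING` entries in the security category; logging once per matched zone, or throttling, would keep the signal useful. The literal `7` in `dns_name_countlabels(fname) == 7` deserves a comment, e.g. `/* 7 labels: four octets, IN-ADDR, ARPA and the root label. */`, which is consistent with the offsets tables used for `rfc1918names` (three labels plus root for `10.IN-ADDR.ARPA`). `query_find` begins and ends outside this hunk.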
@@ -3212,6 +4209,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * an error unless we were searching for * glue. Ugh. */ + if (!is_zone) { + authoritative = ISC_FALSE; + dns_rdatasetiter_destroy(&rdsiter); + if (RECURSIONOK(client)) { + result = query_recurse(client, + qtype, + NULL, + NULL); + if (result == ISC_R_SUCCESS) + client->query.attributes |= + NS_QUERYATTR_RECURSING; + else + QUERY_ERROR(DNS_R_SERVFAIL); } + goto addauth; + } /* * We were searching for SIG records in * a nonsecure zone. Send a "no error, @@ -3220,7 +4232,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Add SOA. */ - result = query_addsoa(client, db, ISC_FALSE); + result = query_addsoa(client, db, version, + ISC_FALSE); if (result == ISC_R_SUCCESS) result = ISC_R_NOMORE; } else { @@ -3249,6 +4262,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) noqname = rdataset; else noqname = NULL; + /* + * BIND 8 priming queries need the additional section. + */ + if (is_zone && qtype == dns_rdatatype_ns && + dns_name_equal(client->query.qname, dns_rootname)) + client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; + query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, DNS_SECTION_ANSWER); if (noqname != NULL) @@ -3272,7 +4292,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) qtype == dns_rdatatype_any) && dns_name_equal(client->query.qname, dns_db_origin(db)))) - (void)query_addns(client, db); + (void)query_addns(client, db, version); } else if (qtype != dns_rdatatype_ns) { if (fname != NULL) query_releasename(client, &fname); 
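Review bot: In the new `if (!is_zone)` block at `@@ -3212`, when `RECURSIONOK(client)` is false the code clears `authoritative`, destroys the iterator and jumps to `addauth` without setting any error, so the client presumably gets a NOERROR answer with no records; if that is the intended cache-miss behaviour, a one-line comment saying so would stop it being read as a missing `QUERY_ERROR`. The `query_recurse` failure here is mapped straight to `DNS_R_SERVFAIL`, whereas the earlier hunks (`@@ -2625`, `@@ -2795`) pass `DNS_R_DUPLICATE`/`DNS_R_DROP` through as `QUERY_ERROR(result)`; the same distinction probably belongs here. `query_find` begins and ends outside this hunk.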
@@ -3337,13 +4357,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (eresult != ISC_R_SUCCESS && (!PARTIALANSWER(client) || WANTRECURSION(client))) { - /* - * If we don't have any answer to give the client, - * or if the client requested recursion and thus wanted - * the complete answer, send an error response. - */ - query_error(client, eresult); - ns_client_detach(&client); + if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) { + /* + * This was a duplicate query that we are + * recursing on. Don't send a response now. + * The original query will still cause a response. + */ + query_next(client, eresult); + } else { + /* + * If we don't have any answer to give the client, + * or if the client requested recursion and thus wanted + * the complete answer, send an error response. + */ + query_error(client, eresult); + } + ns_client_detach(&client); } else if (!RECURSING(client)) { /* * We are done. Set up sortlist data for the message @@ -3418,14 +4447,16 @@ ns_query_start(ns_client_t *client) { if (!client->view->enablednssec) { message->flags &= ~DNS_MESSAGEFLAG_CD; client->extflags &= ~DNS_MESSAGEEXTFLAG_DO; + if (client->opt != NULL) + client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO; } if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) client->query.attributes |= NS_QUERYATTR_WANTRECURSION; - + if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) client->attributes |= NS_CLIENTATTR_WANTDNSSEC; - + if (client->view->minimalresponses) client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); 
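Review bot: The added `client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;` at `@@ -3418` has no comment explaining why an OPT record's TTL field is modified; presumably `client->opt` is the OPT RR echoed in the response and the extended flags live in its TTL, so `/* Also clear DO in the OPT RR we echo back so the response does not advertise DNSSEC. */` would document it. `ns_query_start` continues outside this hunk.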
@@ -3521,13 +4552,17 @@ ns_query_start(ns_client_t *client) { * If the client has requested that DNSSEC checking be disabled, * allow lookups to return pending data and instruct the resolver * to return data before validation has completed. + * + * We don't need to set DNS_DBFIND_PENDINGOK when validation is + * disabled as there will be no pending data. */ if (message->flags & DNS_MESSAGEFLAG_CD || qtype == dns_rdatatype_rrsig) { client->query.dboptions |= DNS_DBFIND_PENDINGOK; client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; - } + } else if (!client->view->enablevalidation) + client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; /* * Allow glue NS records to be added to the authority section diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c index f29321e..6ae31cb 100644 --- a/contrib/bind9/bin/named/server.c +++ b/contrib/bind9/bin/named/server.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.339.2.15.2.70 2006/05/24 04:30:24 marka Exp $ */ +/* $Id: server.c,v 1.419.18.49 2006/12/07 05:24:19 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -41,13 +43,18 @@ #include <bind9/check.h> +#include <dns/acache.h> #include <dns/adb.h> #include <dns/cache.h> #include <dns/db.h> #include <dns/dispatch.h> +#ifdef DLZ +#include <dns/dlz.h> +#endif #include <dns/forward.h> #include <dns/journal.h> #include <dns/keytable.h> +#include <dns/lib.h> #include <dns/master.h> #include <dns/masterdump.h> #include <dns/order.h> @@ -86,7 +93,7 @@ #include <stdlib.h> #endif -/* +/*% * Check an operation for failure. Assumes that the function * using it has a 'result' variable and a 'cleanup' label. */ 
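Review bot: The new `} else if (!client->view->enablevalidation)` at `@@ -3521` attaches an unbraced single statement to a braced `if`, which the surrounding code avoids; write it as `} else if (!client->view->enablevalidation) {` … `}` for consistency and to make later additions to that branch safe. `ns_query_start` continues outside this hunk.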
@@ -160,6 +167,54 @@ struct zonelistentry { ISC_LINK(struct zonelistentry) link; }; +/* + * These zones should not leak onto the Internet. + */ +static const struct { + const char *zone; + isc_boolean_t rfc1918; +} empty_zones[] = { +#ifdef notyet + /* RFC 1918 */ + { "10.IN-ADDR.ARPA", ISC_TRUE }, + { "16.172.IN-ADDR.ARPA", ISC_TRUE }, + { "17.172.IN-ADDR.ARPA", ISC_TRUE }, + { "18.172.IN-ADDR.ARPA", ISC_TRUE }, + { "19.172.IN-ADDR.ARPA", ISC_TRUE }, + { "20.172.IN-ADDR.ARPA", ISC_TRUE }, + { "21.172.IN-ADDR.ARPA", ISC_TRUE }, + { "22.172.IN-ADDR.ARPA", ISC_TRUE }, + { "23.172.IN-ADDR.ARPA", ISC_TRUE }, + { "24.172.IN-ADDR.ARPA", ISC_TRUE }, + { "25.172.IN-ADDR.ARPA", ISC_TRUE }, + { "26.172.IN-ADDR.ARPA", ISC_TRUE }, + { "27.172.IN-ADDR.ARPA", ISC_TRUE }, + { "28.172.IN-ADDR.ARPA", ISC_TRUE }, + { "29.172.IN-ADDR.ARPA", ISC_TRUE }, + { "30.172.IN-ADDR.ARPA", ISC_TRUE }, + { "31.172.IN-ADDR.ARPA", ISC_TRUE }, + { "168.192.IN-ADDR.ARPA", ISC_TRUE }, +#endif + + /* RFC 3330 */ + { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */ + { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */ + { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */ + + /* Local IPv6 Unicast Addresses */ + { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE }, + { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE }, + /* LOCALLY ASSIGNED LOCAL ADDRES S SCOPE */ + { "D.F.IP6.ARPA", ISC_FALSE }, + { "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ + + { NULL, ISC_FALSE } +}; + static void fatal(const char *msg, isc_result_t result); 
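Review bot: The comment `/* LOCALLY ASSIGNED LOCAL ADDRES S SCOPE */` on the `D.F.IP6.ARPA` entry has a stray space; `/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE (unique local, RFC 4193) */` reads better. Because every entry with `rfc1918 = ISC_TRUE` sits under `#ifdef notyet`, the `rfc1918` flag is never true in the compiled table, so the RFC 1918 warning path in `configure_view` that tests `empty_zones[empty_zone].rfc1918` cannot currently fire; a note beside `#ifdef notyet` saying so would save readers from tracing the flag.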
@@ -168,11 +223,11 @@ ns_server_reload(isc_task_t *task, isc_event_t *event); static isc_result_t ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target); static isc_result_t ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target); static isc_result_t @@ -186,19 +241,19 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view, static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - ns_aclconfctx_t *aclconf); + cfg_aclconfctx_t *aclconf); static void end_reserved_dispatches(ns_server_t *server, isc_boolean_t all); -/* +/*% * Configure a single view ACL at '*aclp'. Get its configuration by * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl' * (for a global default). */ static isc_result_t configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config, - const char *aclname, ns_aclconfctx_t *actx, + const char *aclname, cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp) { isc_result_t result; @@ -225,7 +280,8 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config, */ return (ISC_R_SUCCESS); - result = ns_acl_fromconfig(aclobj, config, actx, mctx, aclp); + result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, + actx, mctx, aclp); return (result); } 
@@ -290,6 +346,13 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key, keystruct.datalen = r.length; keystruct.data = r.base; + if ((keystruct.algorithm == DST_ALG_RSASHA1 || + keystruct.algorithm == DST_ALG_RSAMD5) && + r.length > 1 && r.base[0] == 1 && r.base[1] == 3) + cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, + "trusted key '%s' has a weak exponent", + keynamestr); + CHECK(dns_rdata_fromstruct(NULL, keystruct.common.rdclass, keystruct.common.rdtype, @@ -326,7 +389,7 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key, return (result); } -/* +/*% * Configure DNSSEC keys for a view. Currently used only for * the security roots. * @@ -414,7 +477,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) return (result); } -/* +/*% * Get a dispatch appropriate for the resolver of a given view. */ static isc_result_t @@ -581,15 +644,14 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) { static isc_result_t configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { - const isc_sockaddr_t *sa; isc_netaddr_t na; dns_peer_t *peer; const cfg_obj_t *obj; const char *str; isc_result_t result; + unsigned int prefixlen; - sa = cfg_obj_assockaddr(cfg_map_getname(cpeer)); - isc_netaddr_fromsockaddr(&na, sa); + cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen); peer = NULL; result = dns_peer_new(mctx, &na, &peer); 
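Review bot: The weak-exponent check added at `@@ -290` depends on the RSA public key wire layout (first byte is the exponent length, then the exponent), which the code does not state; a comment such as `/* RFC 3110 key format: exponent length byte followed by the exponent; e == 3 is too small. */` would make `r.base[0] == 1 && r.base[1] == 3` self-explanatory. It is also worth saying, in the log text or a comment, that the key is still installed as a trust anchor after the warning. `configure_view_dnsseckey` begins and ends outside this hunk.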
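Review bot: `configure_peer` at `@@ -581` now reads `prefixlen` from `cfg_obj_asnetprefix` but the visible lines still call `dns_peer_new(mctx, &na, &peer)` with only the address; unless the prefix length is consumed later in the function (outside this hunk), a `server` clause written with a prefix silently applies to a single host address. Either pass the prefix length into the peer constructor or reject non-host prefixes with a configuration error. `configure_peer` continues outside this hunk.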
@@ -617,6 +679,28 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj))); obj = NULL; + (void)cfg_map_get(cpeer, "edns-udp-size", &obj); + if (obj != NULL) { + isc_uint32_t udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize)); + } + + obj = NULL; + (void)cfg_map_get(cpeer, "max-udp-size", &obj); + if (obj != NULL) { + isc_uint32_t udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize)); + } + + obj = NULL; (void)cfg_map_get(cpeer, "transfers", &obj); if (obj != NULL) CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj))); @@ -644,7 +728,7 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { } obj = NULL; - if (isc_sockaddr_pf(sa) == AF_INET) + if (na.family == AF_INET) (void)cfg_map_get(cpeer, "transfer-source", &obj); else (void)cfg_map_get(cpeer, "transfer-source-v6", &obj); 
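Review bot: The `edns-udp-size` and `max-udp-size` blocks at `@@ -617` are identical apart from the setter, and the same clamp to `512`–`4096` is repeated again for the view-level `max-udp-size` at `@@ -946`; a small static helper keeps the bounds in one place and replaces the bare magic numbers. The sketch below shows the helper and the two call sites in `configure_peer`; the view-level site can use it the same way. `configure_peer` begins and ends outside this hunk.
```c
/* Clamp a configured EDNS/UDP payload size to the range named supports. */
static isc_uint16_t
clamp_udpsize(isc_uint32_t udpsize) {
	if (udpsize < 512)
		udpsize = 512;
	if (udpsize > 4096)
		udpsize = 4096;
	return ((isc_uint16_t)udpsize);
}

/* … unchanged: configure_peer up to the edns-udp-size lookup … */
	obj = NULL;
	(void)cfg_map_get(cpeer, "edns-udp-size", &obj);
	if (obj != NULL)
		CHECK(dns_peer_setudpsize(peer,
					  clamp_udpsize(cfg_obj_asuint32(obj))));

	obj = NULL;
	(void)cfg_map_get(cpeer, "max-udp-size", &obj);
	if (obj != NULL)
		CHECK(dns_peer_setmaxudp(peer,
					 clamp_udpsize(cfg_obj_asuint32(obj))));
/* … unchanged: transfers and the remaining peer options … */
```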
@@ -653,7 +737,35 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { cfg_obj_assockaddr(obj)); if (result != ISC_R_SUCCESS) goto cleanup; + ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); + } + + obj = NULL; + if (na.family == AF_INET) + (void)cfg_map_get(cpeer, "notify-source", &obj); + else + (void)cfg_map_get(cpeer, "notify-source-v6", &obj); + if (obj != NULL) { + result = dns_peer_setnotifysource(peer, + cfg_obj_assockaddr(obj)); + if (result != ISC_R_SUCCESS) + goto cleanup; + ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); } + + obj = NULL; + if (na.family == AF_INET) + (void)cfg_map_get(cpeer, "query-source", &obj); + else + (void)cfg_map_get(cpeer, "query-source-v6", &obj); + if (obj != NULL) { + result = dns_peer_setquerysource(peer, + cfg_obj_assockaddr(obj)); + if (result != ISC_R_SUCCESS) + goto cleanup; + ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); + } + *peerp = peer; return (ISC_R_SUCCESS); 
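Review bot: The transfer-source, notify-source and query-source blocks at `@@ -653` are three copies of the same lines differing only in the option names and the setter called; a small table of `{ v4 option, v6 option, setter }` walked in one loop would keep the `AF_INET` selection and the `ns_add_reserved_dispatch` call in a single place. `configure_peer` begins outside this hunk.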
@@ -708,6 +820,68 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { return (result); } +static isc_boolean_t +on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) { + const cfg_listelt_t *element; + dns_fixedname_t fixed; + dns_name_t *name; + isc_result_t result; + const cfg_obj_t *value; + const char *str; + isc_buffer_t b; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + + for (element = cfg_list_first(disablelist); + element != NULL; + element = cfg_list_next(element)) + { + value = cfg_listelt_value(element); + str = cfg_obj_asstring(value); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + result = dns_name_fromtext(name, &b, dns_rootname, + ISC_TRUE, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (dns_name_equal(name, zonename)) + return (ISC_TRUE); + } + return (ISC_FALSE); +} + +static void +check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv, + isc_mem_t *mctx) +{ + char **argv = NULL; + unsigned int i; + isc_result_t result; + + result = dns_zone_getdbtype(*zonep, &argv, mctx); + if (result != ISC_R_SUCCESS) { + dns_zone_detach(zonep); + return; + } + + /* + * Check that all the arguments match. + */ + for (i = 0; i < dbtypec; i++) + if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) { + dns_zone_detach(zonep); + break; + } + + /* + * Check that there are not extra arguments. + */ + if (i == dbtypec && argv[i] != NULL) + dns_zone_detach(zonep); + isc_mem_free(mctx, argv); +} + + /* * Configure 'view' according to 'vconfig', taking defaults from 'config' * where values are missing in 'vconfig'. 
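Review bot: `on_disable_list` turns a `disable-empty-zone` entry that fails `dns_name_fromtext` into a `RUNTIME_CHECK` failure, i.e. an abort of named during (re)configuration; unless the parser already validates these strings as names, logging the entry and returning `ISC_FALSE` is the safer handling of operator input. In `check_dbtype`, the final `argv[i] != NULL` test reads `argv[dbtypec]`, which is only valid if `dns_zone_getdbtype` always NULL-terminates the vector; a comment such as `/* argv is NULL-terminated by dns_zone_getdbtype. */` should record that assumption.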
@@ -717,8 +891,8 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { */ static isc_result_t configure_view(dns_view_t *view, const cfg_obj_t *config, - const cfg_obj_t *vconfig, isc_mem_t *mctx, ns_aclconfctx_t *actx, - isc_boolean_t need_hints) + const cfg_obj_t *vconfig, isc_mem_t *mctx, + cfg_aclconfctx_t *actx, isc_boolean_t need_hints) { const cfg_obj_t *maps[4]; const cfg_obj_t *cfgmaps[3]; @@ -728,6 +902,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *forwarders; const cfg_obj_t *alternates; const cfg_obj_t *zonelist; +#ifdef DLZ + const cfg_obj_t *dlz; + unsigned int dlzargc; + char **dlzargv; +#endif const cfg_obj_t *disabled; const cfg_obj_t *obj; const cfg_listelt_t *element; @@ -736,6 +915,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, isc_result_t result; isc_uint32_t max_adb_size; isc_uint32_t max_cache_size; + isc_uint32_t max_acache_size; isc_uint32_t lame_ttl; dns_tsig_keyring_t *ring; dns_view_t *pview = NULL; /* Production view */ @@ -748,6 +928,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_order_t *order = NULL; isc_uint32_t udpsize; unsigned int check = 0; + dns_zone_t *zone = NULL; + isc_uint32_t max_clients_per_query; + const char *sep = ": view "; + const char *viewname = view->name; + const char *forview = " for view "; + isc_boolean_t rfc1918; + isc_boolean_t empty_zones_enable; + const cfg_obj_t *disablelist = NULL; REQUIRE(DNS_VIEW_VALID(view)); @@ -773,6 +961,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, cfgmaps[i++] = config; cfgmaps[i] = NULL; + if (!strcmp(viewname, "_default")) { + sep = ""; + viewname = ""; + forview = ""; + } + /* * Set the view's port number for outgoing queries. */ 
@@ -780,6 +974,52 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_view_setdstport(view, port); /* + * Create additional cache for this view and zones under the view + * if explicitly enabled. + * XXX950 default to on. + */ + obj = NULL; + (void)ns_config_get(maps, "acache-enable", &obj); + if (obj != NULL && cfg_obj_asboolean(obj)) { + cmctx = NULL; + CHECK(isc_mem_create(0, 0, &cmctx)); + CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr, + ns_g_timermgr)); + isc_mem_detach(&cmctx); + } + if (view->acache != NULL) { + obj = NULL; + result = ns_config_get(maps, "acache-cleaning-interval", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_acache_setcleaninginterval(view->acache, + cfg_obj_asuint32(obj) * 60); + + obj = NULL; + result = ns_config_get(maps, "max-acache-size", &obj); + INSIST(result == ISC_R_SUCCESS); + if (cfg_obj_isstring(obj)) { + str = cfg_obj_asstring(obj); + INSIST(strcasecmp(str, "unlimited") == 0); + max_acache_size = ISC_UINT32_MAX; + } else { + isc_resourcevalue_t value; + + value = cfg_obj_asuint64(obj); + if (value > ISC_UINT32_MAX) { + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, + "'max-acache-size " + "%" ISC_PRINT_QUADFORMAT + "d' is too large", + value); + result = ISC_R_RANGE; + goto cleanup; + } + max_acache_size = (isc_uint32_t)value; + } + dns_acache_setcachesize(view->acache, max_acache_size); + } + + /* * Configure the zones. */ zonelist = NULL; 
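Review bot: `cfg_obj_asuint32(obj) * 60` at `@@ -780` is 32-bit arithmetic, so an `acache-cleaning-interval` above roughly 71 million minutes wraps silently; if the grammar does not bound the value, clamp it or compute in a wider type before calling `dns_acache_setcleaninginterval`. The `INSIST(strcasecmp(str, "unlimited") == 0)` likewise turns any other string into an abort, which is acceptable only if the parser restricts the string form of `max-acache-size` to that one value. `configure_view` begins and ends outside this hunk.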
@@ -796,6 +1036,45 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, actx)); } +#ifdef DLZ + /* + * Create Dynamically Loadable Zone driver. + */ + dlz = NULL; + if (voptions != NULL) + (void)cfg_map_get(voptions, "dlz", &dlz); + else + (void)cfg_map_get(config, "dlz", &dlz); + + obj = NULL; + if (dlz != NULL) { + (void)cfg_map_get(cfg_tuple_get(dlz, "options"), + "database", &obj); + if (obj != NULL) { + char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj)); + if (s == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv); + if (result != ISC_R_SUCCESS) { + isc_mem_free(mctx, s); + goto cleanup; + } + + obj = cfg_tuple_get(dlz, "name"); + result = dns_dlzcreate(mctx, cfg_obj_asstring(obj), + dlzargv[0], dlzargc, dlzargv, + &view->dlzdatabase); + isc_mem_free(mctx, s); + isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv)); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + } +#endif + /* * Configure the view's cache. Try to reuse an existing * cache if possible, otherwise create a new cache. @@ -931,6 +1210,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, if (lame_ttl > 1800) lame_ttl = 1800; dns_resolver_setlamettl(view->resolver, lame_ttl); + + obj = NULL; + result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setzeronosoattl(view->resolver, cfg_obj_asboolean(obj)); /* * Set the resolver's EDNS UDP size. 
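Review bot: In the DLZ block at `@@ -796`, `dlzargv[0]` is passed as the driver name without checking `dlzargc`; if `dns_dlzstrtoargv` can return zero arguments for an empty or all-blank `database` string, this reads past the vector. A guard after the split, `if (dlzargc == 0) { result = ISC_R_FAILURE; goto cleanup; }` placed so that `s` and `dlzargv` are released on the same path as the existing error handling, avoids that. `configure_view` begins and ends outside this hunk.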
@@ -946,6 +1230,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize); /* + * Set the maximum UDP response size. + */ + obj = NULL; + result = ns_config_get(maps, "max-udp-size", &obj); + INSIST(result == ISC_R_SUCCESS); + udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + view->maxudp = udpsize; + + /* * Set supported DNSSEC algorithms. */ dns_resolver_reset_algorithms(view->resolver); @@ -1138,8 +1435,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, view->additionalfromcache = ISC_TRUE; } - CHECK(configure_view_acl(vconfig, config, "allow-query", + CHECK(configure_view_acl(vconfig, config, "allow-query-cache", actx, ns_g_mctx, &view->queryacl)); + if (view->queryacl == NULL) + CHECK(configure_view_acl(NULL, ns_g_defaults, + "allow-query-cache", actx, + ns_g_mctx, &view->queryacl)); if (strcmp(view->name, "_bind") != 0) CHECK(configure_view_acl(vconfig, config, "allow-recursion", 
@@ -1152,20 +1453,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, if (!view->recursion && view->recursionacl != NULL && (view->recursionacl->length != 1 || view->recursionacl->elements[0].type != dns_aclelementtype_any || - view->recursionacl->elements[0].negative != ISC_TRUE)) { - const char *forview = " for view "; - const char *viewname = view->name; - - if (!strcmp(view->name, "_bind") || - !strcmp(view->name, "_default")) { - forview = ""; - viewname = ""; - } + view->recursionacl->elements[0].negative != ISC_TRUE)) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "both \"recursion no;\" and \"allow-recursion\" " "active%s%s", forview, viewname); - } + + /* + * Set default "allow-recursion" acl. + */ + if (view->recursionacl == NULL && view->recursion) + CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion", + actx, ns_g_mctx, &view->recursionacl)); CHECK(configure_view_acl(vconfig, config, "sortlist", actx, ns_g_mctx, &view->sortlist)); @@ -1179,6 +1478,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, result = ns_config_get(maps, "provide-ixfr", &obj); INSIST(result == ISC_R_SUCCESS); view->provideixfr = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "max-clients-per-query", &obj); + INSIST(result == ISC_R_SUCCESS); + max_clients_per_query = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "clients-per-query", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setclientsperquery(view->resolver, + cfg_obj_asuint32(obj), + max_clients_per_query); obj = NULL; result = ns_config_get(maps, "dnssec-enable", &obj); 
@@ -1186,6 +1497,16 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, view->enablednssec = cfg_obj_asboolean(obj); obj = NULL; + result = ns_config_get(maps, "dnssec-accept-expired", &obj); + INSIST(result == ISC_R_SUCCESS); + view->acceptexpired = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "dnssec-validation", &obj); + INSIST(result == ISC_R_SUCCESS); + view->enablevalidation = cfg_obj_asboolean(obj); + + obj = NULL; result = ns_config_get(maps, "dnssec-lookaside", &obj); if (result == ISC_R_SUCCESS) { for (element = cfg_list_first(obj); @@ -1231,15 +1552,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, * For now, there is only one kind of trusted keys, the * "security roots". */ - if (view->enablednssec) { - CHECK(configure_view_dnsseckeys(vconfig, config, mctx, - &view->secroots)); - dns_resolver_resetmustbesecure(view->resolver); - obj = NULL; - result = ns_config_get(maps, "dnssec-must-be-secure", &obj); - if (result == ISC_R_SUCCESS) - CHECK(mustbesecure(obj, view->resolver)); - } + CHECK(configure_view_dnsseckeys(vconfig, config, mctx, + &view->secroots)); + dns_resolver_resetmustbesecure(view->resolver); + obj = NULL; + result = ns_config_get(maps, "dnssec-must-be-secure", &obj); + if (result == ISC_R_SUCCESS) + CHECK(mustbesecure(obj, view->resolver)); obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); 
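Review bot: Moving the trusted-key and `dnssec-must-be-secure` setup out of the `if (view->enablednssec)` guard at `@@ -1231` changes behaviour for views with `dnssec-enable no`, and nothing in the hunk says why; presumably it pairs with the new `dnssec-validation` option at `@@ -1186`, in which case a comment such as `/* Trust anchors are loaded unconditionally; validation is gated by dnssec-validation, not dnssec-enable. */` would record the intent. `configure_view` begins and ends outside this hunk.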
@@ -1295,9 +1614,180 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, } else dns_view_setrootdelonly(view, ISC_FALSE); + /* + * Setup automatic empty zones. If recursion is off then + * they are disabled by default. + */ + obj = NULL; + (void)ns_config_get(maps, "empty-zones-enable", &obj); + (void)ns_config_get(maps, "disable-empty-zone", &disablelist); + if (obj == NULL && disablelist == NULL && + view->rdclass == dns_rdataclass_in) { + rfc1918 = ISC_FALSE; + empty_zones_enable = view->recursion; + } else if (view->rdclass == dns_rdataclass_in) { + rfc1918 = ISC_TRUE; + if (obj != NULL) + empty_zones_enable = cfg_obj_asboolean(obj); + else + empty_zones_enable = view->recursion; + } else { + rfc1918 = ISC_FALSE; + empty_zones_enable = ISC_FALSE; + } + if (empty_zones_enable) { + const char *empty; + int empty_zone = 0; + dns_fixedname_t fixed; + dns_name_t *name; + isc_buffer_t buffer; + const char *str; + char server[DNS_NAME_FORMATSIZE + 1]; + char contact[DNS_NAME_FORMATSIZE + 1]; + isc_boolean_t logit; + const char *empty_dbtype[4] = + { "_builtin", "empty", NULL, NULL }; + int empty_dbtypec = 4; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + + obj = NULL; + result = ns_config_get(maps, "empty-server", &obj); + if (result == ISC_R_SUCCESS) { + str = cfg_obj_asstring(obj); + isc_buffer_init(&buffer, str, strlen(str)); + isc_buffer_add(&buffer, strlen(str)); + CHECK(dns_name_fromtext(name, &buffer, dns_rootname, + ISC_FALSE, NULL)); + isc_buffer_init(&buffer, server, sizeof(server) - 1); + CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); + server[isc_buffer_usedlength(&buffer)] = 0; + empty_dbtype[2] = server; + } else + empty_dbtype[2] = "@"; + + obj = NULL; + result = ns_config_get(maps, "empty-contact", &obj); + if (result == ISC_R_SUCCESS) { + str = cfg_obj_asstring(obj); + isc_buffer_init(&buffer, str, strlen(str)); + isc_buffer_add(&buffer, strlen(str)); + CHECK(dns_name_fromtext(name, &buffer, dns_rootname, + 
ISC_FALSE, NULL)); + isc_buffer_init(&buffer, contact, sizeof(contact) - 1); + CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); + contact[isc_buffer_usedlength(&buffer)] = 0; + empty_dbtype[3] = contact; + } else + empty_dbtype[3] = "."; + + logit = ISC_TRUE; + for (empty = empty_zones[empty_zone].zone; + empty != NULL; + empty = empty_zones[++empty_zone].zone) + { + dns_forwarders_t *forwarders = NULL; + dns_view_t *pview = NULL; + + isc_buffer_init(&buffer, empty, strlen(empty)); + isc_buffer_add(&buffer, strlen(empty)); + /* + * Look for zone on drop list. + */ + CHECK(dns_name_fromtext(name, &buffer, dns_rootname, + ISC_FALSE, NULL)); + if (disablelist != NULL && + on_disable_list(disablelist, name)) + continue; + + /* + * This zone already exists. + */ + (void)dns_view_findzone(view, name, &zone); + if (zone != NULL) { + dns_zone_detach(&zone); + continue; + } + + /* + * If we would forward this name don't add a + * empty zone for it. + */ + result = dns_fwdtable_find(view->fwdtable, name, + &forwarders); + if (result == ISC_R_SUCCESS && + forwarders->fwdpolicy == dns_fwdpolicy_only) + continue; + + if (!rfc1918 && empty_zones[empty_zone].rfc1918) { + if (logit) { + isc_log_write(ns_g_lctx, + NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, + ISC_LOG_WARNING, + "Warning%s%s: " + "'empty-zones-enable/" + "disable-empty-zone' " + "not set: disabling " + "RFC 1918 empty zones", + sep, viewname); + logit = ISC_FALSE; + } + continue; + } + + /* + * See if we can re-use a existing zone. 
+ */ + result = dns_viewlist_find(&ns_g_server->viewlist, + view->name, view->rdclass, + &pview); + if (result != ISC_R_NOTFOUND && + result != ISC_R_SUCCESS) + goto cleanup; + + if (pview != NULL) { + (void)dns_view_findzone(pview, name, &zone); + dns_view_detach(&pview); + if (zone != NULL) + check_dbtype(&zone, empty_dbtypec, + empty_dbtype, mctx); + if (zone != NULL) { + dns_zone_setview(zone, view); + dns_zone_detach(&zone); + continue; + } + } + + CHECK(dns_zone_create(&zone, mctx)); + CHECK(dns_zone_setorigin(zone, name)); + dns_zone_setview(zone, view); + CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); + dns_zone_setclass(zone, view->rdclass); + dns_zone_settype(zone, dns_zone_master); + CHECK(dns_zone_setdbtype(zone, empty_dbtypec, + empty_dbtype)); + if (view->queryacl != NULL) + dns_zone_setqueryacl(zone, view->queryacl); + dns_zone_setdialup(zone, dns_dialuptype_no); + dns_zone_setnotifytype(zone, dns_notifytype_no); + dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, + ISC_TRUE); + CHECK(dns_view_addzone(view, zone)); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "automatic empty zone%s%s: %s", + sep, viewname, empty); + dns_zone_detach(&zone); + } + } + result = ISC_R_SUCCESS; cleanup: + if (zone != NULL) + dns_zone_detach(&zone); if (dispatch4 != NULL) dns_dispatch_detach(&dispatch4); if (dispatch6 != NULL) @@ -1563,7 +2053,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist, static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - ns_aclconfctx_t *aclconf) + cfg_aclconfctx_t *aclconf) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ 
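Review bot: The `dns_view_t *pview = NULL;` declared inside the empty-zone loop at `@@ -1295` shadows the function-scope `pview` (`/* Production view */`) visible earlier in `configure_view`, which `-Wshadow` would flag and which makes it easy to detach the wrong one; rename the inner variable (e.g. `ezview`). `empty_dbtypec = 4` is maintained by hand alongside the four-element `empty_dbtype` array; deriving it as `(int)(sizeof(empty_dbtype) / sizeof(empty_dbtype[0]))` removes that coupling. `configure_view` begins outside this hunk.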
@@ -1728,10 +2218,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, result = dns_view_findzone(pview, origin, &zone); if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) goto cleanup; - if (zone != NULL) { - if (! ns_zone_reusable(zone, zconfig)) - dns_zone_detach(&zone); - } + if (zone != NULL && !ns_zone_reusable(zone, zconfig)) + dns_zone_detach(&zone); if (zone != NULL) { /* @@ -1739,6 +2227,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, * new view. */ dns_zone_setview(zone, view); + if (view->acache != NULL) + dns_zone_setacache(zone, view->acache); } else { /* * We cannot reuse an existing zone, we have @@ -1747,6 +2237,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, CHECK(dns_zone_create(&zone, mctx)); CHECK(dns_zone_setorigin(zone, origin)); dns_zone_setview(zone, view); + if (view->acache != NULL) + dns_zone_setacache(zone, view->acache); CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); } @@ -2020,6 +2512,21 @@ heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) { } } +static void +pps_timer_tick(isc_task_t *task, isc_event_t *event) { + static unsigned int oldrequests = 0; + unsigned int requests = ns_client_requests; + + UNUSED(task); + isc_event_free(&event); + + /* + * Don't worry about wrapping as the overflow result will be right. + */ + dns_pps = (requests - oldrequests) / 1200; + oldrequests = requests; +} + /* * Replace the current value of '*field', a dynamically allocated * string or NULL, with a dynamically allocated copy of the 
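Review bot: `pps_timer_tick` divides by a literal `1200` that must equal the timer period set with `isc_interval_set(&interval, 1200, 0)` in `load_configuration` (`@@ -2421`); a single named constant used by both sites would prevent the two from drifting. `ns_client_requests` is read here without synchronisation; if it is updated from other tasks, a comment stating that a stale read is acceptable for a statistic would document the choice alongside the existing wrap-around note.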
@@ -2122,10 +2629,36 @@ portlist_fromconf(dns_portlist_t *portlist, unsigned int family, } static isc_result_t +removed(dns_zone_t *zone, void *uap) { + const char *type; + + if (dns_zone_getview(zone) != uap) + return (ISC_R_SUCCESS); + + switch (dns_zone_gettype(zone)) { + case dns_zone_master: + type = "master"; + break; + case dns_zone_slave: + type = "slave"; + break; + case dns_zone_stub: + type = "stub"; + break; + default: + type = "other"; + break; + } + dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type); + return (ISC_R_SUCCESS); +} + +static isc_result_t load_configuration(const char *filename, ns_server_t *server, isc_boolean_t first_time) { isc_result_t result; + isc_interval_t interval; cfg_parser_t *parser = NULL; cfg_obj_t *config; const cfg_obj_t *options; @@ -2139,14 +2672,14 @@ load_configuration(const char *filename, ns_server_t *server, dns_view_t *view_next; dns_viewlist_t viewlist; dns_viewlist_t tmpviewlist; - ns_aclconfctx_t aclconfctx; + cfg_aclconfctx_t aclconfctx; isc_uint32_t interface_interval; isc_uint32_t heartbeat_interval; isc_uint32_t udpsize; in_port_t listen_port; int i; - ns_aclconfctx_init(&aclconfctx); + cfg_aclconfctx_init(&aclconfctx); ISC_LIST_INIT(viewlist); /* Ensure exclusive access to configuration data. */ @@ -2401,7 +2934,6 @@ load_configuration(const char *filename, ns_server_t *server, isc_timertype_inactive, NULL, NULL, ISC_TRUE)); } else if (server->interface_interval != interface_interval) { - isc_interval_t interval; isc_interval_set(&interval, interface_interval, 0); CHECK(isc_timer_reset(server->interface_timer, isc_timertype_ticker, 
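Review bot: removed() relies on an invariant that is not stated anywhere near it: a zone the new configuration carries over has already been re-pointed with `dns_zone_setview(zone, view)` in configure_zone (earlier in this diff), so `dns_zone_getview(zone) != uap` is what separates zones really being dropped from zones merely moving to the new view. Put that above the function: `/*% dns_zt_apply() callback: log each zone still attached to the view being discarded ('uap'); zones reused by the new configuration already point at their new view and are skipped. */`. The `default:` arm is the only thing that makes the switch exhaustive; a one-line comment saying it deliberately lumps every other zone type under "other" would stop a later maintainer from turning it into an INSIST.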
@@ -2421,13 +2953,16 @@ load_configuration(const char *filename, ns_server_t *server, isc_timertype_inactive, NULL, NULL, ISC_TRUE)); } else if (server->heartbeat_interval != heartbeat_interval) { - isc_interval_t interval; isc_interval_set(&interval, heartbeat_interval, 0); CHECK(isc_timer_reset(server->heartbeat_timer, isc_timertype_ticker, NULL, &interval, ISC_FALSE)); } server->heartbeat_interval = heartbeat_interval; + + isc_interval_set(&interval, 1200, 0); + CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL, + &interval, ISC_FALSE)); /* * Configure and freeze all explicit views. Explicit @@ -2716,7 +3251,7 @@ load_configuration(const char *filename, ns_server_t *server, } else if (result == ISC_R_SUCCESS) { CHECKM(setoptstring(server, &server->server_id, obj), "strdup"); } else { - result = setoptstring(server, &server->server_id, NULL); + result = setstring(server, &server->server_id, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); } @@ -2731,7 +3266,7 @@ load_configuration(const char *filename, ns_server_t *server, result = ISC_R_SUCCESS; cleanup: - ns_aclconfctx_destroy(&aclconfctx); + cfg_aclconfctx_destroy(&aclconfctx); if (parser != NULL) { if (config != NULL) @@ -2752,8 +3287,11 @@ load_configuration(const char *filename, ns_server_t *server, view = view_next) { view_next = ISC_LIST_NEXT(view, link); ISC_LIST_UNLINK(viewlist, view, link); + if (result == ISC_R_SUCCESS && + strcmp(view->name, "_bind") != 0) + (void)dns_zt_apply(view->zonetable, ISC_FALSE, + removed, view); dns_view_detach(&view); - } /* @@ -2860,6 +3398,11 @@ run_server(isc_task_t *task, isc_event_t *event) { server, &server->heartbeat_timer), "creating heartbeat timer"); + CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive, + NULL, NULL, server->task, pps_timer_tick, + server, &server->pps_timer), + "creating pps timer"); + CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser), "creating default configuration parser"); 
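Review bot: The pps ticker is re-armed on every pass through load_configuration, unlike the interface and heartbeat timers just above it, which are only reset when their interval actually changes, and the static `oldrequests` inside pps_timer_tick is not touched by a reload. If isc_timer_reset() restarts the ticker from now, as it is used for the other two timers here, the first tick after a reload divides a partial-window delta by 1200 and under-reports dns_pps for one period. Wrapping the two new lines in `if (first_time) { ... }` (the parameter is already in scope) makes the behaviour match the other timers; if the unconditional reset is deliberate, say so in a comment.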
@@ -2924,6 +3467,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { isc_timer_detach(&server->interface_timer); isc_timer_detach(&server->heartbeat_timer); + isc_timer_detach(&server->pps_timer); ns_interfacemgr_shutdown(server->interfacemgr); ns_interfacemgr_detach(&server->interfacemgr); @@ -3012,6 +3556,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { server->interface_timer = NULL; server->heartbeat_timer = NULL; + server->pps_timer = NULL; server->interface_interval = 0; server->heartbeat_interval = 0; @@ -3454,6 +3999,29 @@ ns_server_reconfigcommand(ns_server_t *server, char *args) { } /* + * Act on a "notify" command from the command channel. + */ +isc_result_t +ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) { + isc_result_t result; + dns_zone_t *zone = NULL; + const unsigned char msg[] = "zone notify queued"; + + result = zone_from_args(server, args, &zone); + if (result != ISC_R_SUCCESS) + return (result); + if (zone == NULL) + return (ISC_R_UNEXPECTEDEND); + + dns_zone_notify(zone); + dns_zone_detach(&zone); + if (sizeof(msg) <= isc_buffer_availablelength(text)) + isc_buffer_putmem(text, msg, sizeof(msg)); + + return (ISC_R_SUCCESS); +} + +/* * Act on a "refresh" command from the command channel. */ isc_result_t @@ -3498,7 +4066,7 @@ ns_server_togglequerylog(ns_server_t *server) { static isc_result_t ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target) { isc_result_t result; @@ -3537,7 +4105,7 @@ ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, */ static isc_result_t ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target) { isc_result_t result; 
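Review bot: ns_server_notifycommand acts on an authenticated control-channel request but writes nothing to the server log, whereas ns_server_freeze (later in this diff) records each action with isc_log_write; a burst of forced NOTIFYs triggered over rndc would leave no trace beyond the rndc reply. Before `dns_zone_notify(zone);` add `dns_zone_log(zone, ISC_LOG_INFO, "notify requested via command channel");` (dns_zone_log is already used by removed() in this file). Note also that `sizeof(msg)` counts the terminating NUL, so the reply carries it; that matches the sibling commands, but a comment saying the NUL is intentional would save the next reader a double-take.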
@@ -3569,8 +4137,8 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, if (result != ISC_R_SUCCESS) return (result); - result = ns_acl_fromconfig(cfg_tuple_get(listener, "acl"), - config, actx, mctx, &delt->acl); + result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"), + config, ns_g_lctx, actx, mctx, &delt->acl); if (result != ISC_R_SUCCESS) { ns_listenelt_destroy(delt); return (result); 
@@ -3951,6 +4519,59 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) { } isc_result_t +ns_server_validation(ns_server_t *server, char *args) { + char *ptr, *viewname; + dns_view_t *view; + isc_boolean_t changed = ISC_FALSE; + isc_result_t result; + isc_boolean_t enable; + + /* Skip the command name. */ + ptr = next_token(&args, " \t"); + if (ptr == NULL) + return (ISC_R_UNEXPECTEDEND); + + /* Find out what we are to do. */ + ptr = next_token(&args, " \t"); + if (ptr == NULL) + return (ISC_R_UNEXPECTEDEND); + + if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") || + !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true")) + enable = ISC_TRUE; + else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") || + !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false")) + enable = ISC_FALSE; + else + return (DNS_R_SYNTAX); + + /* Look for the view name. */ + viewname = next_token(&args, " \t"); + + result = isc_task_beginexclusive(server->task); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) + { + if (viewname != NULL && strcasecmp(viewname, view->name) != 0) + continue; + result = dns_view_flushcache(view); + if (result != ISC_R_SUCCESS) + goto out; + view->enablevalidation = enable; + changed = ISC_TRUE; + } + if (changed) + result = ISC_R_SUCCESS; + else + result = ISC_R_FAILURE; + out: + isc_task_endexclusive(server->task); + return (result); +} + +isc_result_t ns_server_flushcache(ns_server_t *server, char *args) { char *ptr, *viewname; dns_view_t *view; 
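Review bot: Switching DNSSEC validation off for a view is a security-relevant change that this hunk applies without any log line, unlike ns_server_freeze, which records the action via isc_log_write; an operator reading the server log later cannot tell that validation was disabled, for which view, or that it happened over the control channel. After `view->enablevalidation = enable;` add `isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "dnssec validation %s for view '%s'", enable ? "enabled" : "disabled", view->name);`. A smaller point: a failing dns_view_flushcache() jumps to `out` after earlier views in the list have already been flushed and toggled, so the caller gets an error while part of the configuration changed; either continue the loop and return the first error, as the freeze-all path in this diff does, or state the partial-failure behaviour in a comment above the loop.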
@@ -4059,12 +4680,13 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { "xfers deferred: %u\n" "soa queries in progress: %u\n" "query logging is %s\n" - "recursive clients: %d/%d\n" + "recursive clients: %d/%d/%d\n" "tcp clients: %d/%d\n" "server is up and running", zonecount, ns_g_debuglevel, xferrunning, xferdeferred, soaqueries, server->log_queries ? "ON" : "OFF", - server->recursionquota.used, server->recursionquota.max, + server->recursionquota.used, server->recursionquota.soft, + server->recursionquota.max, server->tcpquota.used, server->tcpquota.max); if (n >= isc_buffer_availablelength(text)) return (ISC_R_NOSPACE); @@ -4073,11 +4695,11 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { } /* - * Act on a "freeze" or "unfreeze" command from the command channel. + * Act on a "freeze" or "thaw" command from the command channel. */ isc_result_t ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { - isc_result_t result; + isc_result_t result, tresult; dns_zone_t *zone = NULL; dns_zonetype_t type; char classstr[DNS_RDATACLASS_FORMATSIZE]; 
@@ -4090,8 +4712,26 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); - if (zone == NULL) - return (ISC_R_UNEXPECTEDEND); + if (zone == NULL) { + result = isc_task_beginexclusive(server->task); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + tresult = ISC_R_SUCCESS; + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) { + result = dns_view_freezezones(view, freeze); + if (result != ISC_R_SUCCESS && + tresult == ISC_R_SUCCESS) + tresult = result; + } + isc_task_endexclusive(server->task); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "%s all zones: %s", + freeze ? "freezing" : "thawing", + isc_result_totext(tresult)); + return (tresult); + } type = dns_zone_gettype(zone); if (type != dns_zone_master) { dns_zone_detach(&zone); @@ -4137,7 +4777,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "%s zone '%s/%s'%s%s: %s", - freeze ? "freezing" : "unfreezing", + freeze ? "freezing" : "thawing", zonename, classstr, sep, vname, isc_result_totext(result)); dns_zone_detach(&zone); diff --git a/contrib/bind9/bin/named/sortlist.c b/contrib/bind9/bin/named/sortlist.c index 0feba3b..28f0360 100644 --- a/contrib/bind9/bin/named/sortlist.c +++ b/contrib/bind9/bin/named/sortlist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any 
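Review bot: The new `zone == NULL` branch changes what a bare `rndc freeze` or `rndc thaw` does — it used to be rejected with ISC_R_UNEXPECTEDEND and now touches every zone in every view — but the function's header comment (edited earlier in this diff only to say "thaw") does not mention it; add ` * With no zone argument the command is applied to all zones in all views.` to that comment. Only the aggregate `tresult` is logged, so when dns_view_freezezones() fails for one of several views the log does not say which one; a per-view line inside the loop, `if (result != ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "%s zones in view '%s': %s", freeze ? "freezing" : "thawing", view->name, isc_result_totext(result));`, would make the operation auditable. The loop uses a `view` variable that must be declared outside the hunk; the rest of ns_server_freeze is also outside it.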
@@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sortlist.c,v 1.5.12.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: sortlist.c,v 1.9.18.4 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c index f23c1db..3c843ac 100644 --- a/contrib/bind9/bin/named/tkeyconf.c +++ b/contrib/bind9/bin/named/tkeyconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tkeyconf.c,v 1.19.208.4 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tkeyconf.c,v 1.20.18.6 2006/03/02 00:37:21 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c index a90438d..7fa7fe5 100644 --- a/contrib/bind9/bin/named/tsigconf.c +++ b/contrib/bind9/bin/named/tsigconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsigconf.c,v 1.21.208.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tsigconf.c,v 1.22.18.6 2006/02/28 03:10:47 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -38,6 +40,7 @@ static isc_result_t add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) { + dns_tsigkey_t *tsigkey = NULL; const cfg_listelt_t *element; const cfg_obj_t *key = NULL; const char *keyid = NULL; 
@@ -46,6 +49,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, int secretlen = 0; isc_result_t ret; isc_stdtime_t now; + isc_uint16_t bits; for (element = cfg_list_first(list); element != NULL; @@ -86,10 +90,11 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, * Create the algorithm. */ algstr = cfg_obj_asstring(algobj); - if (ns_config_getkeyalgorithm(algstr, &alg) != ISC_R_SUCCESS) { + if (ns_config_getkeyalgorithm(algstr, &alg, &bits) + != ISC_R_SUCCESS) { cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR, - "key '%s': the only supported algorithm " - "is hmac-md5", keyid); + "key '%s': has a unsupported algorithm '%s'", + keyid, algstr); ret = DNS_R_BADALG; goto failure; } @@ -110,11 +115,16 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_stdtime_get(&now); ret = dns_tsigkey_create(&keyname, alg, secret, secretlen, ISC_FALSE, NULL, now, now, - mctx, ring, NULL); + mctx, ring, &tsigkey); isc_mem_put(mctx, secret, secretalloc); secret = NULL; if (ret != ISC_R_SUCCESS) goto failure; + /* + * Set digest bits. + */ + dst_key_setbits(tsigkey->key, bits); + dns_tsigkey_detach(&tsigkey); } return (ISC_R_SUCCESS); @@ -127,7 +137,6 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring, if (secret != NULL) isc_mem_put(mctx, secret, secretalloc); return (ret); - } isc_result_t diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in index 60ce968..a18351a 100644 --- a/contrib/bind9/bin/named/unix/Makefile.in +++ b/contrib/bind9/bin/named/unix/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.6.12.3 2004/03/08 09:04:15 marka Exp $ +# $Id: Makefile.in,v 1.8 2004/03/05 04:58:01 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ 
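Review bot: `dst_key_setbits(tsigkey->key, bits)` installs the configured HMAC truncation length with no bound checked in this hunk; `bits` comes from ns_config_getkeyalgorithm(), which is outside the diff, so confirm that function rejects lengths below the RFC 4635 floor (at least 80 bits and at least half the digest length) — if it does not, an algorithm string such as `hmac-sha256-8` would silently cut every TSIG on that key down to an 8-bit MAC. If the bound belongs in this file, test it before dns_tsigkey_create() so a rejected key never enters the ring, and fail with DNS_R_BADALG like the algorithm error above. That error text also needs an article: `"key '%s': has an unsupported algorithm '%s'"`.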
diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h index 03baee5..24afdcb 100644 --- a/contrib/bind9/bin/named/unix/include/named/os.h +++ b/contrib/bind9/bin/named/unix/include/named/os.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.14.2.2.8.9 2004/09/29 06:36:44 marka Exp $ */ +/* $Id: os.h,v 1.22.18.3 2005/04/29 00:15:39 marka Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 +/*! \file */ + #include <isc/types.h> void diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c index 361d1b6..3864612 100644 --- a/contrib/bind9/bin/named/unix/os.c +++ b/contrib/bind9/bin/named/unix/os.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.46.2.4.8.24 2006/02/03 23:51:37 marka Exp $ */ +/* $Id: os.c,v 1.66.18.11 2006/02/03 23:51:38 marka Exp $ */ + +/*! \file */ #include <config.h> #include <stdarg.h> @@ -114,7 +116,7 @@ static int dfd[2] = { -1, -1 }; static isc_boolean_t non_root = ISC_FALSE; static isc_boolean_t non_root_caps = ISC_FALSE; -/* +/*% * We define _LINUX_FS_H to prevent it from being included. We don't need * anything from it, and the files it includes cause warnings with 2.2 * kernels, and compilation failures (due to conflicts between <linux/string.h> @@ -176,7 +178,7 @@ static void linux_initialprivs(void) { unsigned int caps; - /* + /*% * We don't need most privileges, so we drop them right away. * Later on linux_minprivs() will be called, which will drop our * capabilities to the minimum needed to run the server. 
@@ -231,7 +233,7 @@ static void linux_minprivs(void) { unsigned int caps; - /* + /*% * Drop all privileges except the ability to bind() to privileged * ports. * @@ -258,7 +260,7 @@ linux_minprivs(void) { static void linux_keepcaps(void) { char strbuf[ISC_STRERRORSIZE]; - /* + /*% * Ask the kernel to allow us to keep our capabilities after we * setuid(). */ diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c index fa0ddb0..0547761 100644 --- a/contrib/bind9/bin/named/update.c +++ b/contrib/bind9/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.88.2.5.2.29 2006/01/06 00:01:42 marka Exp $ */ +/* $Id: update.c,v 1.109.18.19 2006/03/06 01:38:00 marka Exp $ */ #include <config.h> @@ -31,6 +31,7 @@ #include <dns/events.h> #include <dns/fixedname.h> #include <dns/journal.h> +#include <dns/keyvalues.h> #include <dns/message.h> #include <dns/nsec.h> #include <dns/rdataclass.h> @@ -48,7 +49,8 @@ #include <named/log.h> #include <named/update.h> -/* +/*! \file + * \brief * This module implements dynamic update as in RFC2136. */ @@ -59,17 +61,17 @@ /**************************************************************************/ -/* +/*% * Log level for tracing dynamic update protocol requests. */ #define LOGLEVEL_PROTOCOL ISC_LOG_INFO -/* +/*% * Log level for low-level debug tracing. */ #define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8) -/* +/*% * Check an operation for failure. These macros all assume that * the function using them has a 'result' variable and a 'failure' * label. @@ -79,7 +81,7 @@ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) -/* +/*% * Fail unconditionally with result 'code', which must not * be ISC_R_SUCCESS. The reason for failure presumably has * been logged already. 
@@ -94,7 +96,7 @@ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) -/* +/*% * Fail unconditionally and log as a client error. * The test against ISC_R_SUCCESS is there to keep the Solaris compiler * from complaining about "end-of-loop code not reached". @@ -160,7 +162,7 @@ } \ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) -/* +/*% * Fail unconditionally and log as a server error. * The test against ISC_R_SUCCESS is there to keep the Solaris compiler * from complaining about "end-of-loop code not reached". @@ -270,12 +272,12 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message, return (result); } -/* +/*% * Update a single RR in version 'ver' of 'db' and log the * update in 'diff'. * * Ensures: - * '*tuple' == NULL. Either the tuple is freed, or its + * \li '*tuple' == NULL. Either the tuple is freed, or its * ownership has been transferred to the diff. */ static isc_result_t @@ -313,12 +315,12 @@ do_one_tuple(dns_difftuple_t **tuple, return (ISC_R_SUCCESS); } -/* +/*% * Perform the updates in 'updates' in version 'ver' of 'db' and log the * update in 'diff'. * * Ensures: - * 'updates' is empty. + * \li 'updates' is empty. */ static isc_result_t do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver, @@ -371,17 +373,17 @@ update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, * XXXRTH We might want to make this public somewhere in libdns. */ -/* +/*% * Function type for foreach_rrset() iterator actions. */ typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset); -/* +/*% * Function type for foreach_rr() iterator actions. */ typedef isc_result_t rr_func(void *data, rr_t *rr); -/* +/*% * Internal context struct for foreach_node_rr(). */ typedef struct { @@ -389,7 +391,7 @@ typedef struct { void * rr_action_data; } foreach_node_rr_ctx_t; -/* +/*% * Internal helper function for foreach_node_rr(). */ static isc_result_t 
@@ -413,7 +415,7 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) { return (ISC_R_SUCCESS); } -/* +/*% * For each rdataset of 'name' in 'ver' of 'db', call 'action' * with the rdataset and 'action_data' as arguments. If the name * does not exist, do nothing. @@ -471,7 +473,7 @@ foreach_rrset(dns_db_t *db, return (result); } -/* +/*% * For each RR of 'name' in 'ver' of 'db', call 'action' * with the RR and 'action_data' as arguments. If the name * does not exist, do nothing. @@ -494,7 +496,7 @@ foreach_node_rr(dns_db_t *db, } -/* +/*% * For each of the RRs specified by 'db', 'ver', 'name', 'type', * (which can be dns_rdatatype_any to match any type), and 'covers', call * 'action' with the RR and 'action_data' as arguments. If the name @@ -566,13 +568,13 @@ foreach_rr(dns_db_t *db, * Various tests on the database contents (for prerequisites, etc). */ -/* +/*% * Function type for predicate functions that compare a database RR 'db_rr' * against an update RR 'update_rr'. */ typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr); -/* +/*% * Helper function for rrset_exists(). */ static isc_result_t @@ -582,7 +584,7 @@ rrset_exists_action(void *data, rr_t *rr) { return (ISC_R_EXISTS); } -/* +/*% * Utility macro for RR existence checking functions. * * If the variable 'result' has the value ISC_R_EXISTS or @@ -602,7 +604,7 @@ rrset_exists_action(void *data, rr_t *rr) { (*exists = ISC_FALSE, ISC_R_SUCCESS) : \ result)) -/* +/*% * Set '*exists' to true iff an rrset of the given type exists, * to false otherwise. */ @@ -617,7 +619,7 @@ rrset_exists(dns_db_t *db, dns_dbversion_t *ver, RETURN_EXISTENCE_FLAG; } -/* +/*% * Helper function for cname_incompatible_rrset_exists. */ static isc_result_t 
@@ -629,7 +631,7 @@ cname_compatibility_action(void *data, dns_rdataset_t *rrset) { return (ISC_R_SUCCESS); } -/* +/*% * Check whether there is an rrset incompatible with adding a CNAME RR, * i.e., anything but another CNAME (which can be replaced) or a * DNSSEC RR (which can coexist). @@ -646,7 +648,7 @@ cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, RETURN_EXISTENCE_FLAG; } -/* +/*% * Helper function for rr_count(). */ static isc_result_t @@ -657,7 +659,7 @@ count_rr_action(void *data, rr_t *rr) { return (ISC_R_SUCCESS); } -/* +/*% * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'. */ static isc_result_t @@ -669,7 +671,7 @@ rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, count_rr_action, countp)); } -/* +/*% * Context struct and helper function for name_exists(). */ @@ -680,7 +682,7 @@ name_exists_action(void *data, dns_rdataset_t *rrset) { return (ISC_R_EXISTS); } -/* +/*% * Set '*exists' to true iff the given name exists, to false otherwise. */ static isc_result_t @@ -741,7 +743,7 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, */ -/* +/*% * Append a tuple asserting the existence of the RR with * 'name' and 'rdata' to 'diff'. */ @@ -758,7 +760,7 @@ temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) { return (result); } -/* +/*% * Compare two rdatasets represented as sorted lists of tuples. * All list elements must have the same owner name and type. * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset) @@ -783,7 +785,7 @@ temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) { return (ISC_R_SUCCESS); } -/* +/*% * A comparison function defining the sorting order for the entries * in the "temp" data structure. The major sort key is the owner name, * followed by the type and rdata. 
@@ -805,7 +807,7 @@ temp_order(const void *av, const void *bv) { return (r); } -/* +/*% * Check the "RRset exists (value dependent)" prerequisite information * in 'temp' against the contents of the database 'db'. * @@ -948,7 +950,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, * Conditional deletion of RRs. */ -/* +/*% * Context structure for delete_if(). */ @@ -961,11 +963,11 @@ typedef struct { dns_rdata_t *update_rr; } conditional_delete_ctx_t; -/* +/*% * Predicate functions for delete_if(). */ -/* +/*% * Return true iff 'db_rr' is neither a SOA nor an NS RR nor * an RRSIG nor a NSEC. */ @@ -979,7 +981,7 @@ type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { ISC_TRUE : ISC_FALSE); } -/* +/*% * Return true iff 'db_rr' is neither a RRSIG nor a NSEC. */ static isc_boolean_t @@ -990,7 +992,7 @@ type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { ISC_TRUE : ISC_FALSE); } -/* +/*% * Return true always. */ static isc_boolean_t @@ -1000,7 +1002,7 @@ true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { return (ISC_TRUE); } -/* +/*% * Return true iff the two RRs have identical rdata. */ static isc_boolean_t @@ -1014,7 +1016,7 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { ISC_TRUE : ISC_FALSE); } -/* +/*% * Return true iff 'update_rr' should replace 'db_rr' according * to the special RFC2136 rules for CNAME, SOA, and WKS records. * @@ -1048,7 +1050,7 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { return (ISC_FALSE); } -/* +/*% * Internal helper function for delete_if(). */ static isc_result_t @@ -1065,7 +1067,7 @@ delete_if_action(void *data, rr_t *rr) { } } -/* +/*% * Conditionally delete RRs. Apply 'predicate' to the RRs * specified by 'db', 'ver', 'name', and 'type' (which can * be dns_rdatatype_any to match any type). Delete those 
@@ -1094,7 +1096,7 @@ delete_if(rr_predicate *predicate, } /**************************************************************************/ -/* +/*% * Prepare an RR for the addition of the new RR 'ctx->update_rr', * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting * the RRs if it is replaced by the new RR or has a conflicting TTL. @@ -1175,7 +1177,7 @@ add_rr_prepare_action(void *data, rr_t *rr) { * Miscellaneous subroutines. */ -/* +/*% * Extract a single update RR from 'section' of dynamic update message * 'msg', with consistency checking. * @@ -1205,7 +1207,7 @@ get_current_rr(dns_message_t *msg, dns_section_t section, rdata->rdclass = zoneclass; } -/* +/*% * Increment the SOA serial number of database 'db', version 'ver'. * Replace the SOA record in the database, and log the * change in 'diff'. @@ -1250,7 +1252,7 @@ increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver, return (result); } -/* +/*% * Check that the new SOA record at 'update_rdata' does not * illegally cause the SOA serial number to decrease or stay * unchanged relative to the existing SOA in 'db'. @@ -1300,9 +1302,9 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver, * Incremental updating of NSECs and RRSIGs. */ -#define MAXZONEKEYS 32 /* Maximum number of zone keys supported. */ +#define MAXZONEKEYS 32 /*%< Maximum number of zone keys supported. */ -/* +/*% * We abuse the dns_diff_t type to represent a set of domain names * affected by the update. */ @@ -1310,8 +1312,8 @@ static isc_result_t namelist_append_name(dns_diff_t *list, dns_name_t *name) { isc_result_t result; dns_difftuple_t *tuple = NULL; - static dns_rdata_t dummy_rdata = { NULL, 0, 0, 0, 0, - { (void*)(-1), (void*)(-1) } }; + static dns_rdata_t dummy_rdata = DNS_RDATA_INIT; + CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0, &dummy_rdata, &tuple)); dns_diff_append(list, &tuple); 
@@ -1353,7 +1355,7 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected) -/* +/*% * Helper function for non_nsec_rrset_exists(). */ static isc_result_t @@ -1366,7 +1368,7 @@ is_non_nsec_action(void *data, dns_rdataset_t *rrset) { return (ISC_R_SUCCESS); } -/* +/*% * Check whether there is an rrset other than a NSEC or RRSIG NSEC, * i.e., anything that justifies the continued existence of a name * after a secure update. @@ -1384,7 +1386,7 @@ non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, RETURN_EXISTENCE_FLAG; } -/* +/*% * A comparison function for sorting dns_diff_t:s by name. */ static int @@ -1449,7 +1451,7 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, } } -/* +/*% * Find the next/previous name that has a NSEC record. * In other words, skip empty database nodes and names that * have had their NSECs removed because they are obscured by @@ -1512,7 +1514,7 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, return (result); } -/* +/*% * Add a NSEC record for "name", recording the change in "diff". * The existing NSEC is removed. */ @@ -1564,7 +1566,7 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, return (result); } -/* +/*% * Add a placeholder NSEC record for "name", recording the change in "diff". */ static isc_result_t 
@@ -1603,14 +1605,52 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, return (result); } -/* +static isc_boolean_t +ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) { + isc_boolean_t ret = ISC_FALSE; + isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE; + isc_result_t result; + dns_dbnode_t *node = NULL; + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_dnskey_t dnskey; + + dns_rdataset_init(&rdataset); + CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); + CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0, + &rdataset, NULL)); + CHECK(dns_rdataset_first(&rdataset)); + while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) { + dns_rdataset_current(&rdataset, &rdata); + CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL)); + if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) + == DNS_KEYOWNER_ZONE) { + if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) + have_ksk = ISC_TRUE; + else + have_nonksk = ISC_TRUE; + } + dns_rdata_reset(&rdata); + result = dns_rdataset_next(&rdataset); + } + if (have_ksk && have_nonksk) + ret = ISC_TRUE; + failure: + if (dns_rdataset_isassociated(&rdataset)) + dns_rdataset_disassociate(&rdataset); + if (node != NULL) + dns_db_detachnode(db, &node); + return (ret); +} + +/*% * Add RRSIG records for an RRset, recording the change in "diff". */ static isc_result_t add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception, - isc_stdtime_t expire) + isc_stdtime_t expire, isc_boolean_t check_ksk) { isc_result_t result; dns_dbnode_t *node = NULL; 
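Review bot: ksk_sanity() has no comment, and its contract matters for signing policy: any failure — apex node missing, no DNSKEY RRset, a DNSKEY that does not parse — returns ISC_FALSE, which update_signatures() (later in this diff) then uses to silently fall back to signing every RRset with every key, KSK included. Document that above the function, e.g. `/*% Return true iff the apex DNSKEY RRset holds at least one zone key with the KSK flag and at least one without, so the flag can be used to select signing keys; any lookup or parse failure yields false and callers then ignore the flag. */`, and consider logging the fallback at LOGLEVEL_DEBUG so a zone that unexpectedly loses a key does not change signing behaviour without a trace. The flag test `(dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) == DNS_KEYOWNER_ZONE` also deserves a one-line comment saying it keeps only zone keys that are not marked no-auth.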
@@ -1631,6 +1671,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_db_detachnode(db, &node); for (i = 0; i < nkeys; i++) { + + if (check_ksk && type != dns_rdatatype_dnskey && + (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0) + continue; + /* Calculate the signature, creating a RRSIG RDATA. */ CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception, &expire, @@ -1651,7 +1696,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, return (result); } -/* +/*% * Update RRSIG and NSEC records affected by an update. The original * update, including the SOA serial update but exluding the RRSIG & NSEC * changes, is in "diff" and has already been applied to "newver" of "db". @@ -1684,6 +1729,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; dns_dbnode_t *node = NULL; + isc_boolean_t check_ksk; dns_diff_init(client->mctx, &diffnames); dns_diff_init(client->mctx, &affected); @@ -1705,6 +1751,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, expire = now + sigvalidityinterval; /* + * Do we look at the KSK flag on the DNSKEY to determining which + * keys sign which RRsets? First check the zone option then + * check the keys flags to make sure atleast one has a ksk set + * and one doesn't. + */ + check_ksk = ISC_TF((dns_zone_getoptions(zone) & + DNS_ZONEOPT_UPDATECHECKKSK) != 0); + if (check_ksk) + check_ksk = ksk_sanity(db, newver); + + /* * Get the NSEC's TTL from the SOA MINIMUM field. */ CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); @@ -1763,7 +1820,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, CHECK(add_sigs(db, newver, name, type, &sig_diff, zone_keys, nkeys, client->mctx, inception, - expire)); + expire, check_ksk)); } skip: /* Skip any other updates to the same RRset. */ 
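Review bot: The KSK sanity check and the new skip in add_sigs look at different key sets: ksk_sanity() (earlier in this diff) inspects the published apex DNSKEY RRset, while the `continue` skips entries of `keys`, which update_signatures passes as `zone_keys` — presumably the keys whose private halves find_zone_keys() could load (that call is outside the hunk). If a non-KSK DNSKEY is published but its private key is absent (pre-publication, or a missing key file), the sanity check passes, every loaded key is KSK-flagged, and every non-DNSKEY RRset touched by the update is left with no RRSIG at all. Derive `check_ksk` from the loaded keys as well, directly after the ksk_sanity() call, as below. The comment above that call also has two typos: `to determining` should be `to determine` and `atleast` should be `at least`.
```c
	check_ksk = ISC_TF((dns_zone_getoptions(zone) &
			    DNS_ZONEOPT_UPDATECHECKKSK) != 0);
	if (check_ksk)
		check_ksk = ksk_sanity(db, newver);
	if (check_ksk) {
		/* Also require a usable non-KSK among the loaded keys. */
		isc_boolean_t have_zsk = ISC_FALSE;
		unsigned int k;
		for (k = 0; k < nkeys; k++)
			if ((dst_key_flags(zone_keys[k]) & DNS_KEYFLAG_KSK) == 0)
				have_zsk = ISC_TRUE;
		check_ksk = have_zsk;
	}
	/* … unchanged: NSEC TTL lookup and signature updates … */
```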
@@ -1948,7 +2005,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, } else if (t->op == DNS_DIFFOP_ADD) { CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec, &sig_diff, zone_keys, nkeys, - client->mctx, inception, expire)); + client->mctx, inception, expire, + check_ksk)); } else { INSIST(0); } @@ -1984,7 +2042,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, /**************************************************************************/ -/* +/*% * The actual update code in all its glory. We try to follow * the RFC2136 pseudocode as closely as possible. */ @@ -2113,7 +2171,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { dns_zone_detach(&zone); } -/* +/*% * DS records are not allowed to exist without corresponding NS records, * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change, * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex". 
@@ -2148,6 +2206,112 @@ remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) { return (result); } +/* + * This implements the post load integrity checks for mx records. + */ +static isc_result_t +check_mx(ns_client_t *client, dns_zone_t *zone, + dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) +{ + char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")]; + char ownerbuf[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; + char altbuf[DNS_NAME_FORMATSIZE]; + dns_difftuple_t *t; + dns_fixedname_t fixed; + dns_name_t *foundname; + dns_rdata_mx_t mx; + dns_rdata_t rdata; + isc_boolean_t ok = ISC_TRUE; + isc_boolean_t isaddress; + isc_result_t result; + struct in6_addr addr6; + struct in_addr addr; + unsigned int options; + + dns_fixedname_init(&fixed); + foundname = dns_fixedname_name(&fixed); + dns_rdata_init(&rdata); + options = dns_zone_getoptions(zone); + + for (t = ISC_LIST_HEAD(diff->tuples); + t != NULL; + t = ISC_LIST_NEXT(t, link)) { + if (t->op != DNS_DIFFOP_DEL || + t->rdata.type != dns_rdatatype_mx) + continue; + + result = dns_rdata_tostruct(&t->rdata, &mx, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + /* + * Check if we will error out if we attempt to reload the + * zone. 
+ */ + dns_name_format(&mx.mx, namebuf, sizeof(namebuf)); + dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf)); + isaddress = ISC_FALSE; + if ((options & DNS_RDATA_CHECKMX) != 0 && + strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) { + if (tmp[strlen(tmp) - 1] == '.') + tmp[strlen(tmp) - 1] = '\0'; + if (inet_aton(tmp, &addr) == 1 || + inet_pton(AF_INET6, tmp, &addr6) == 1) + isaddress = ISC_TRUE; + } + + if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX: '%s': %s", + ownerbuf, namebuf, + dns_result_totext(DNS_R_MXISADDRESS)); + ok = ISC_FALSE; + } else if (isaddress) { + update_log(client, zone, ISC_LOG_WARNING, + "%s/MX: warning: '%s': %s", + ownerbuf, namebuf, + dns_result_totext(DNS_R_MXISADDRESS)); + } + + /* + * Check zone integrity checks. + */ + if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0) + continue; + result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a, + 0, 0, NULL, foundname, NULL, NULL); + if (result == ISC_R_SUCCESS) + continue; + + if (result == DNS_R_NXRRSET) { + result = dns_db_find(db, &mx.mx, newver, + dns_rdatatype_aaaa, + 0, 0, NULL, foundname, + NULL, NULL); + if (result == ISC_R_SUCCESS) + continue; + } + + if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' has no address records " + "(A or AAAA)", ownerbuf, namebuf); + ok = ISC_FALSE; + } else if (result == DNS_R_CNAME) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' is a CNAME (illegal)", + ownerbuf, namebuf); + ok = ISC_FALSE; + } else if (result == DNS_R_DNAME) { + dns_name_format(foundname, altbuf, sizeof altbuf); + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' is below a DNAME '%s' (illegal)", + ownerbuf, namebuf, altbuf); + ok = ISC_FALSE; + } + } + return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED); +} + static void update_action(isc_task_t *task, isc_event_t *event) { update_event_t *uev = (update_event_t *) event; 
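Review bot: The tuple filter at the top of the loop keeps only `DNS_DIFFOP_DEL` tuples, so the checks run against MX records leaving the zone while newly added MX records — the ones the comment says would make a reload fail — are never inspected; unless validating deletions is intended, the test should be `if (t->op != DNS_DIFFOP_ADD || t->rdata.type != dns_rdatatype_mx) continue;`. Separately, `tmp[strlen(tmp) - 1]` indexes before the buffer if `tmp` is ever empty; cache the length and guard it: `size_t n = strlen(tmp); if (n > 0 && tmp[n - 1] == '.') tmp[n - 1] = '\0';`. The header comment `post load integrity checks` is misleading on a dynamic-update path; `Integrity checks on MX records touched by this update, mirroring the checks done at zone load.` describes what the function actually runs against.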
@@ -2169,6 +2333,7 @@ update_action(isc_task_t *task, isc_event_t *event) { dns_ssutable_t *ssutable = NULL; dns_fixedname_t tmpnamefixed; dns_name_t *tmpname = NULL; + unsigned int options; INSIST(event->ev_type == DNS_EVENT_UPDATE); @@ -2402,6 +2567,7 @@ update_action(isc_task_t *task, isc_event_t *event) { * Process the Update Section. */ + options = dns_zone_getoptions(zone); for (result = dns_message_firstname(request, DNS_SECTION_UPDATE); result == ISC_R_SUCCESS; result = dns_message_nextname(request, DNS_SECTION_UPDATE)) @@ -2418,7 +2584,7 @@ update_action(isc_task_t *task, isc_event_t *event) { if (update_class == zoneclass) { /* - * RFC 1123 doesn't allow MF and MD in master zones. */ + * RFC1123 doesn't allow MF and MD in master zones. */ if (rdata.type == dns_rdatatype_md || rdata.type == dns_rdatatype_mf) { char typebuf[DNS_RDATATYPE_FORMATSIZE]; @@ -2488,6 +2654,15 @@ update_action(isc_task_t *task, isc_event_t *event) { } soa_serial_changed = ISC_TRUE; } + if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 && + dns_name_internalwildcard(name)) { + char namestr[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namestr, + sizeof(namestr)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "warning: ownername '%s' contains " + "a non-terminal wildcard", namestr); + } if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { char namestr[DNS_NAME_FORMATSIZE]; @@ -2636,6 +2811,8 @@ update_action(isc_task_t *task, isc_event_t *event) { CHECK(increment_soa_serial(db, ver, &diff, mctx)); } + CHECK(check_mx(client, zone, db, ver, &diff)); + CHECK(remove_orphaned_ds(db, ver, &diff)); if (dns_db_issecure(db)) { @@ -2747,7 +2924,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { ns_client_detach(&client); } -/* +/*% * Update forwarding support. */ diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c index 687c287..9fe90a2 100644 --- a/contrib/bind9/bin/named/xfrout.c +++ b/contrib/bind9/bin/named/xfrout.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrout.c,v 1.101.2.5.2.12 2005/10/14 02:13:05 marka Exp $ */ +/* $Id: xfrout.c,v 1.115.18.8 2006/03/05 23:58:51 marka Exp $ */ #include <config.h> @@ -27,6 +27,9 @@ #include <dns/db.h> #include <dns/dbiterator.h> +#ifdef DLZ +#include <dns/dlz.h> +#endif #include <dns/fixedname.h> #include <dns/journal.h> #include <dns/message.h> @@ -48,7 +51,8 @@ #include <named/server.h> #include <named/xfrout.h> -/* +/*! \file + * \brief * Outgoing AXFR and IXFR. */ @@ -71,7 +75,7 @@ #define XFROUT_RR_LOGLEVEL ISC_LOG_DEBUG(8) -/* +/*% * Fail unconditionally and log as a client error. * The test against ISC_R_SUCCESS is there to keep the Solaris compiler * from complaining about "end-of-loop code not reached". @@ -106,13 +110,14 @@ } while (0) /**************************************************************************/ -/* +/*% * A db_rr_iterator_t is an iterator that iterates over an entire database, * returning one RR at a time, in some arbitrary order. */ typedef struct db_rr_iterator db_rr_iterator_t; +/*% db_rr_iterator structure */ struct db_rr_iterator { isc_result_t result; dns_db_t *db; @@ -195,7 +200,7 @@ db_rr_iterator_first(db_rr_iterator_t *it) { continue; } dns_rdatasetiter_current(it->rdatasetit, &it->rdataset); - + it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER; it->result = dns_rdataset_first(&it->rdataset); return (it->result); } 
@@ -245,6 +250,7 @@ db_rr_iterator_next(db_rr_iterator_t *it) { if (it->result != ISC_R_SUCCESS) return (it->result); dns_rdatasetiter_current(it->rdatasetit, &it->rdataset); + it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER; it->result = dns_rdataset_first(&it->rdataset); if (it->result != ISC_R_SUCCESS) return (it->result); @@ -283,7 +289,7 @@ db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name, /**************************************************************************/ -/* Log an RR (for debugging) */ +/*% Log an RR (for debugging) */ static void log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) { @@ -903,6 +909,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")]; char keyname[DNS_NAME_FORMATSIZE]; isc_boolean_t is_poll = ISC_FALSE; +#ifdef DLZ + isc_boolean_t is_dlz = ISC_FALSE; +#endif switch (reqtype) { case dns_rdatatype_axfr: 
@@ -953,19 +962,71 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, &zone); + if (result != ISC_R_SUCCESS) - FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", - question_name, question_class); - switch(dns_zone_gettype(zone)) { - case dns_zone_master: - case dns_zone_slave: - break; /* Master and slave zones are OK for transfer. */ - default: - FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", - question_name, question_class); +#ifdef DLZ + { + /* + * Normal zone table does not have a match. Try the DLZ database + */ + if (client->view->dlzdatabase != NULL) { + result = dns_dlzallowzonexfr(client->view, + question_name, &client->peeraddr, + &db); + + if (result == ISC_R_NOPERM) { + char _buf1[DNS_NAME_FORMATSIZE]; + char _buf2[DNS_RDATACLASS_FORMATSIZE]; + + result = DNS_R_REFUSED; + dns_name_format(question_name, _buf1, + sizeof(_buf1)); + dns_rdataclass_format(question_class, + _buf2, sizeof(_buf2)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_XFER_OUT, + ISC_LOG_ERROR, + "zone transfer '%s/%s' denied", + _buf1, _buf2); + goto failure; + } + if (result != ISC_R_SUCCESS) +#endif + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", + question_name, question_class); +#ifdef DLZ + is_dlz = ISC_TRUE; + /* + * DLZ only support full zone transfer, not incremental + */ + if (reqtype != dns_rdatatype_axfr) { + mnemonic = "AXFR-style IXFR"; + reqtype = dns_rdatatype_axfr; + } + + } else { + /* + * not DLZ and not in normal zone table, we are + * not authoritative + */ + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", + question_name, question_class); + } + } else { + /* zone table has a match */ +#endif + switch(dns_zone_gettype(zone)) { + case dns_zone_master: + case dns_zone_slave: + break; /* Master and slave zones are OK for transfer. 
*/ + default: + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class); + } + CHECK(dns_zone_getdb(zone, &db)); + dns_db_currentversion(db, &ver); +#ifdef DLZ } - CHECK(dns_zone_getdb(zone, &db)); - dns_db_currentversion(db, &ver); +#endif xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6), "%s question section OK", mnemonic); @@ -1021,11 +1082,20 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { /* * Decide whether to allow this transfer. */ - ns_client_aclmsg("zone transfer", question_name, reqtype, - client->view->rdclass, msg, sizeof(msg)); - CHECK(ns_client_checkacl(client, msg, - dns_zone_getxfracl(zone), ISC_TRUE, - ISC_LOG_ERROR)); +#ifdef DLZ + /* + * if not a DLZ zone decide whether to allow this transfer. + */ + if (!is_dlz) { +#endif + ns_client_aclmsg("zone transfer", question_name, reqtype, + client->view->rdclass, msg, sizeof(msg)); + CHECK(ns_client_checkacl(client, msg, + dns_zone_getxfracl(zone), ISC_TRUE, + ISC_LOG_ERROR)); +#ifdef DLZ + } +#endif /* * AXFR over UDP is not possible. @@ -1049,6 +1119,10 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { /* * Get a dynamically allocated copy of the current SOA. */ +#ifdef DLZ + if (is_dlz) + dns_db_currentversion(db, &ver); +#endif CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS, ¤t_soa_tuple)); 
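Review bot: For a DLZ-served zone the allow-transfer check is skipped outright — the `if (!is_dlz)` added in the @@ -1021 hunk wraps `ns_client_checkacl` — so authorization rests entirely on `dns_dlzallowzonexfr`, which here receives only `&client->peeraddr`; the TSIG key that signed the request (fetched later with `dns_message_gettsigkey(request)`) plays no part, so key-based transfer policies cannot apply to DLZ zones. That is a policy decision worth stating at the `if (!is_dlz)`, e.g. `/* DLZ: transfer authorization is delegated to the driver (peer address only); view allow-transfer and TSIG identity are not consulted. */`, and worth confirming against the DLZ driver contract. Also `_buf1`/`_buf2` use leading underscores that are conventionally reserved, and the `if (result != ISC_R_SUCCESS)` whose body is a brace block under `#ifdef DLZ` but a bare `FAILQ` otherwise is hard to follow; an explicit branch per configuration would read better. ns_xfr_start's body continues outside the hunk.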
@@ -1131,15 +1205,32 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { * Create the xfrout context object. This transfers the ownership * of "stream", "db", "ver", and "quota" to the xfrout context object. */ - CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, - reqtype, question_class, db, ver, quota, - stream, dns_message_gettsigkey(request), - tsigbuf, - dns_zone_getmaxxfrout(zone), - dns_zone_getidleout(zone), - (format == dns_many_answers) ? - ISC_TRUE : ISC_FALSE, - &xfr)); + + + +#ifdef DLZ + if (is_dlz) + CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, + reqtype, question_class, db, ver, quota, + stream, dns_message_gettsigkey(request), + tsigbuf, + 3600, + 3600, + (format == dns_many_answers) ? + ISC_TRUE : ISC_FALSE, + &xfr)); + else +#endif + CHECK(xfrout_ctx_create(mctx, client, request->id, question_name, + reqtype, question_class, db, ver, quota, + stream, dns_message_gettsigkey(request), + tsigbuf, + dns_zone_getmaxxfrout(zone), + dns_zone_getidleout(zone), + (format == dns_many_answers) ? + ISC_TRUE : ISC_FALSE, + &xfr)); + xfr->mnemonic = mnemonic; stream = NULL; quota = NULL; @@ -1511,6 +1602,7 @@ sendstream(xfrout_ctx_t *xfr) { if ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0) { CHECK(dns_compress_init(&cctx, -1, xfr->mctx)); + dns_compress_setsensitive(&cctx, ISC_TRUE); cleanup_cctx = ISC_TRUE; CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf)); CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0)); diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c index 66ef905..a0c1bab 100644 --- a/contrib/bind9/bin/named/zoneconf.c +++ b/contrib/bind9/bin/named/zoneconf.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.87.2.4.10.19 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: zoneconf.c,v 1.110.18.23 2006/05/16 03:39:57 marka Exp $ */ + +/*% */ #include <config.h> 
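Review bot: The DLZ branch hard-codes `3600, 3600` for the max-transfer-time and idle-time arguments that the zone branch obtains from `dns_zone_getmaxxfrout`/`dns_zone_getidleout`, and it duplicates the whole call; compute the two values first and call `xfrout_ctx_create` once, with the DLZ defaults as named constants. The three empty `+` lines before `#ifdef DLZ` should go as well. The constant names below are placeholders, the enum belongs at file scope, and `maxtime`/`idletime` belong with the function's other locals outside this hunk, typed to match xfrout_ctx_create's parameters (not visible here).
```c
/* file scope; placeholder names, values as in the original */
enum { DLZ_XFR_MAXTIME = 3600, DLZ_XFR_IDLETIME = 3600 };

	/* … unchanged: locals, add maxtime/idletime with xfrout_ctx_create's parameter types — confirm … */
#ifdef DLZ
	if (is_dlz) {
		/* no dns_zone_t to read limits from */
		maxtime = DLZ_XFR_MAXTIME;
		idletime = DLZ_XFR_IDLETIME;
	} else
#endif
	{
		maxtime = dns_zone_getmaxxfrout(zone);
		idletime = dns_zone_getidleout(zone);
	}
	CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
				reqtype, question_class, db, ver, quota,
				stream, dns_message_gettsigkey(request),
				tsigbuf, maxtime, idletime,
				(format == dns_many_answers) ?
				ISC_TRUE : ISC_FALSE,
				&xfr));
	/* … unchanged: xfr->mnemonic, stream/quota handoff … */
```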
@@ -35,13 +37,14 @@ #include <dns/view.h> #include <dns/zone.h> +#include <named/client.h> #include <named/config.h> #include <named/globals.h> #include <named/log.h> #include <named/server.h> #include <named/zoneconf.h> -/* +/*% * These are BIND9 server defaults, not necessarily identical to the * library defaults defined in zone.c. */ @@ -51,18 +54,18 @@ return (_r); \ } while (0) -/* +/*% * Convenience function for configuring a single zone ACL. */ static isc_result_t configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, const cfg_obj_t *config, const char *aclname, - ns_aclconfctx_t *actx, dns_zone_t *zone, + cfg_aclconfctx_t *actx, dns_zone_t *zone, void (*setzacl)(dns_zone_t *, dns_acl_t *), void (*clearzacl)(dns_zone_t *)) { isc_result_t result; - const cfg_obj_t *maps[4]; + const cfg_obj_t *maps[5]; const cfg_obj_t *aclobj = NULL; int i = 0; dns_acl_t *dacl = NULL; @@ -77,6 +80,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, if (options != NULL) maps[i++] = options; } + maps[i++] = ns_g_defaults; maps[i] = NULL; result = ns_config_get(maps, aclname, &aclobj); @@ -85,8 +89,8 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, return (ISC_R_SUCCESS); } - result = ns_acl_fromconfig(aclobj, config, actx, - dns_zone_getmctx(zone), &dacl); + result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx, + dns_zone_getmctx(zone), &dacl); if (result != ISC_R_SUCCESS) return (result); (*setzacl)(zone, dacl); @@ -94,7 +98,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, return (ISC_R_SUCCESS); } -/* +/*% * Parse the zone update-policy statement. */ static isc_result_t 
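Review bot: Appending `ns_g_defaults` to `maps` changes the fallback for every zone ACL configured through this helper: an ACL present in neither the zone, view nor options block used to take the `(*clearzacl)` path and now takes whatever `ns_g_defaults` carries for `aclname`, so the effective policy for allow-transfer, allow-update and the rest is decided by the built-in defaults table; worth confirming each default matches the old cleared behaviour, especially for allow-update. The array is now sized `maps[5]` for zone options, view options, options, defaults and the terminating NULL, which a comment should state so the next addition does not overflow it: `/* zone, view, options, ns_g_defaults, NULL terminator */`.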
@@ -150,6 +154,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) { mtype = DNS_SSUMATCHTYPE_WILDCARD; else if (strcasecmp(str, "self") == 0) mtype = DNS_SSUMATCHTYPE_SELF; + else if (strcasecmp(str, "selfsub") == 0) + mtype = DNS_SSUMATCHTYPE_SELFSUB; + else if (strcasecmp(str, "selfwild") == 0) + mtype = DNS_SSUMATCHTYPE_SELFWILD; else INSIST(0); @@ -235,7 +243,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) { return (result); } -/* +/*% * Convert a config file zone type into a server zone type. */ static inline dns_zonetype_t @@ -248,7 +256,7 @@ zonetype_fromconfig(const cfg_obj_t *map) { return (ns_config_getzonetype(obj)); } -/* +/*% * Helper function for strtoargv(). Pardon the gratuitous recursion. */ static isc_result_t @@ -282,7 +290,7 @@ strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp, return (ISC_R_SUCCESS); } -/* +/*% * Tokenize the string "s" into whitespace-separated words, * return the number of words in '*argcp' and an array * of pointers to the words in '*argvp'. The caller @@ -313,7 +321,7 @@ checknames(dns_zonetype_t ztype, const cfg_obj_t **maps, isc_result_t ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, - const cfg_obj_t *zconfig, ns_aclconfctx_t *ac, + const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac, dns_zone_t *zone) { isc_result_t result; @@ -342,6 +350,9 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, isc_boolean_t alt; dns_view_t *view; isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE; + isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE; + isc_boolean_t ixfrdiff; + dns_masterformat_t masterformat; i = 0; if (zconfig != NULL) { 
@@ -409,7 +420,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, result = cfg_map_get(zoptions, "file", &obj); if (result == ISC_R_SUCCESS) filename = cfg_obj_asstring(obj); - RETERR(dns_zone_setfile(zone, filename)); + + masterformat = dns_masterformat_text; + obj = NULL; + result= ns_config_get(maps, "masterfile-format", &obj); + if (result == ISC_R_SUCCESS) { + const char *masterformatstr = cfg_obj_asstring(obj); + + if (strcasecmp(masterformatstr, "text") == 0) + masterformat = dns_masterformat_text; + else if (strcasecmp(masterformatstr, "raw") == 0) + masterformat = dns_masterformat_raw; + else + INSIST(0); + } + RETERR(dns_zone_setfile2(zone, filename, masterformat)); + + obj = NULL; + result = cfg_map_get(zoptions, "journal", &obj); + if (result == ISC_R_SUCCESS) + RETERR(dns_zone_setjournal(zone, cfg_obj_asstring(obj))); if (ztype == dns_zone_slave) RETERR(configure_zone_acl(zconfig, vconfig, config, @@ -470,6 +500,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, const char *notifystr = cfg_obj_asstring(obj); if (strcasecmp(notifystr, "explicit") == 0) notifytype = dns_notifytype_explicit; + else if (strcasecmp(notifystr, "master-only") == 0) + notifytype = dns_notifytype_masteronly; else INSIST(0); } @@ -504,6 +536,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); + dns_zone_setisself(zone, ns_client_isself, NULL); + RETERR(configure_zone_acl(zconfig, vconfig, config, "allow-transfer", ac, zone, dns_zone_setxfracl, 
@@ -546,8 +580,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = ns_config_get(maps, "ixfr-from-differences", &obj); INSIST(result == ISC_R_SUCCESS); - dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, - cfg_obj_asboolean(obj)); + if (cfg_obj_isboolean(obj)) + ixfrdiff = cfg_obj_asboolean(obj); + else if (strcasecmp(cfg_obj_asstring(obj), "master") && + ztype == dns_zone_master) + ixfrdiff = ISC_TRUE; + else if (strcasecmp(cfg_obj_asstring(obj), "slave") && + ztype == dns_zone_slave) + ixfrdiff = ISC_TRUE; + else + ixfrdiff = ISC_FALSE; + dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff); checknames(ztype, maps, &obj); INSIST(obj != NULL); 
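Review bot: The `master`/`slave` forms of ixfr-from-differences are inverted: `strcasecmp()` returns 0 on a match, so `strcasecmp(cfg_obj_asstring(obj), "master") && ztype == dns_zone_master` enables differences on a master zone for every string except `"master"`, and likewise for `"slave"`. Both tests need `== 0`: `else if (strcasecmp(cfg_obj_asstring(obj), "master") == 0 && ztype == dns_zone_master)` and `else if (strcasecmp(cfg_obj_asstring(obj), "slave") == 0 && ztype == dns_zone_slave)`.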
@@ -562,6 +605,128 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, INSIST(0); dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check); dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail); + + obj = NULL; + result = ns_config_get(maps, "notify-delay", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "check-sibling", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING, + cfg_obj_asboolean(obj)); + + obj = NULL; + result = ns_config_get(maps, "zero-no-soa-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj)); + } + + /* + * Configure update-related options. These apply to + * primary masters only. + */ + if (ztype == dns_zone_master) { + dns_acl_t *updateacl; + RETERR(configure_zone_acl(zconfig, vconfig, config, + "allow-update", ac, zone, + dns_zone_setupdateacl, + dns_zone_clearupdateacl)); + + updateacl = dns_zone_getupdateacl(zone); + if (updateacl != NULL && dns_acl_isinsecure(updateacl)) + isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_SERVER, ISC_LOG_WARNING, + "zone '%s' allows updates by IP " + "address, which is insecure", + zname); + + RETERR(configure_zone_ssutable(zoptions, zone)); + + obj = NULL; + result = ns_config_get(maps, "sig-validity-interval", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zone_setsigvalidityinterval(zone, + cfg_obj_asuint32(obj) * 86400); + + obj = NULL; + result = ns_config_get(maps, "key-directory", &obj); + if (result == ISC_R_SUCCESS) { + filename = cfg_obj_asstring(obj); + if (!isc_file_isabsolute(filename)) { + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, + "key-directory '%s' " + "is not absolute", filename); + return (ISC_R_FAILURE); + } + RETERR(dns_zone_setkeydirectory(zone, filename)); + } + + obj = NULL; + result = ns_config_get(maps, "check-wildcard", &obj); + if (result == 
ISC_R_SUCCESS) + check = cfg_obj_asboolean(obj); + else + check = ISC_FALSE; + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check); + + obj = NULL; + result = ns_config_get(maps, "check-mx", &obj); + INSIST(obj != NULL); + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + fail = ISC_FALSE; + check = ISC_TRUE; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + fail = check = ISC_TRUE; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + fail = check = ISC_FALSE; + } else + INSIST(0); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMX, check); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail); + + obj = NULL; + result = ns_config_get(maps, "check-integrity", &obj); + INSIST(obj != NULL); + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, + cfg_obj_asboolean(obj)); + + obj = NULL; + result = ns_config_get(maps, "check-mx-cname", &obj); + INSIST(obj != NULL); + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + warn = ISC_TRUE; + ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + warn = ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + warn = ignore = ISC_TRUE; + } else + INSIST(0); + dns_zone_setoption(zone, DNS_ZONEOPT_WARNMXCNAME, warn); + dns_zone_setoption(zone, DNS_ZONEOPT_IGNOREMXCNAME, ignore); + + obj = NULL; + result = ns_config_get(maps, "check-srv-cname", &obj); + INSIST(obj != NULL); + if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { + warn = ISC_TRUE; + ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { + warn = ignore = ISC_FALSE; + } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { + warn = ignore = ISC_TRUE; + } else + INSIST(0); + dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn); + dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore); + + obj = NULL; + result = ns_config_get(maps, "update-check-ksk", &obj); + INSIST(result == ISC_R_SUCCESS); + 
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, + cfg_obj_asboolean(obj)); } /* diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in index 2652628..6bb22f8 100644 --- a/contrib/bind9/bin/nsupdate/Makefile.in +++ b/contrib/bind9/bin/nsupdate/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.15.12.10 2004/07/20 07:01:49 marka Exp $ +# $Id: Makefile.in,v 1.22.18.1 2004/07/20 07:03:20 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/contrib/bind9/bin/nsupdate/nsupdate.8 b/contrib/bind9/bin/nsupdate/nsupdate.8 index 7e254e0..5b9f247 100644 --- a/contrib/bind9/bin/nsupdate/nsupdate.8 +++ b/contrib/bind9/bin/nsupdate/nsupdate.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nsupdate.8,v 1.24.2.2.2.9 2006/06/29 13:02:30 marka Exp $ +.\" $Id: nsupdate.8,v 1.30.18.13 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: nsupdate .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 
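Review bot: The check-mx, check-integrity, check-mx-cname and check-srv-cname lookups assign `result` and then assert `INSIST(obj != NULL)`, while every neighbouring option in this hunk asserts `INSIST(result == ISC_R_SUCCESS)`; use the same assertion so a lookup failure, not a stale `obj`, is what trips, and so `result` is not assigned without being read. The warn/fail/ignore parsing for check-mx-cname and check-srv-cname is duplicated verbatim and would collapse into one small static helper yielding the (warn, ignore) pair. `cfg_obj_asuint32(obj) * 86400` for sig-validity-interval wraps in 32 bits above 49710 days; if the parser does not already bound the value, a range check belongs here. ns_zone_configure continues outside the hunk.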
@@ -33,7 +33,7 @@ nsupdate \- Dynamic DNS update utility .SH "SYNOPSIS" .HP 9 -\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename] +\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename] .SH "DESCRIPTION" .PP \fBnsupdate\fR @@ -71,7 +71,7 @@ uses the \fB\-y\fR or \fB\-k\fR -option (with an HMAC\-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the +option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive. With the \fB\-k\fR option, \fBnsupdate\fR @@ -82,14 +82,14 @@ reads the shared secret from the file must also be present. When the \fB\-y\fR option is used, a signature is generated from -\fIkeyname:secret.\fR +[\fIhmac:\fR]\fIkeyname:secret.\fR \fIkeyname\fR is the name of the key, and \fIsecret\fR is the base64 encoded shared secret. Use of the \fB\-y\fR option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from -\fBps\fR(1 ) +\fBps\fR(1) or in a history file maintained by the user's shell. .PP The 
@@ -127,8 +127,9 @@ Every update request consists of zero or more prerequisites and zero or more upd command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server. .PP The command formats and their meaning are as follows: -.TP 3n -.HP 7 \fBserver\fR {servername} [port] +.PP +\fBserver\fR {servername} [port] +.RS 4 Sends all dynamic update requests to the name server \fIservername\fR. When no server statement is provided, \fBnsupdate\fR @@ -137,30 +138,38 @@ will send updates to the master server of the correct zone. The MNAME field of t is the port number on \fIservername\fR where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. -.TP 3n -.HP 6 \fBlocal\fR {address} [port] +.RE +.PP +\fBlocal\fR {address} [port] +.RS 4 Sends all dynamic update requests using the local \fIaddress\fR. When no local statement is provided, \fBnsupdate\fR will send updates using an address and port chosen by the system. \fIport\fR can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. -.TP 3n -.HP 5 \fBzone\fR {zonename} +.RE +.PP +\fBzone\fR {zonename} +.RS 4 Specifies that all updates are to be made to the zone \fIzonename\fR. If no \fIzone\fR statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input. -.TP 3n -.HP 6 \fBclass\fR {classname} +.RE +.PP +\fBclass\fR {classname} +.RS 4 Specify the default class. If no \fIclass\fR is specified the default class is \fIIN\fR. -.TP 3n -.HP 4 \fBkey\fR {name} {secret} +.RE +.PP +\fBkey\fR {name} {secret} +.RS 4 Specifies that all updates are to be TSIG signed using the \fIkeyname\fR \fIkeysecret\fR 
@@ -170,17 +179,23 @@ command overrides any key specified on the command line via \fB\-y\fR or \fB\-k\fR. -.TP 3n -.HP 16 \fBprereq nxdomain\fR {domain\-name} +.RE +.PP +\fBprereq nxdomain\fR {domain\-name} +.RS 4 Requires that no resource record of any type exists with name \fIdomain\-name\fR. -.TP 3n -.HP 16 \fBprereq yxdomain\fR {domain\-name} +.RE +.PP +\fBprereq yxdomain\fR {domain\-name} +.RS 4 Requires that \fIdomain\-name\fR exists (has as at least one resource record, of any type). -.TP 3n -.HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type} +.RE +.PP +\fBprereq nxrrset\fR {domain\-name} [class] {type} +.RS 4 Requires that no resource record exists of the specified \fItype\fR, \fIclass\fR @@ -188,8 +203,10 @@ and \fIdomain\-name\fR. If \fIclass\fR is omitted, IN (internet) is assumed. -.TP 3n -.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} +.RE +.PP +\fBprereq yxrrset\fR {domain\-name} [class] {type} +.RS 4 This requires that a resource record of the specified \fItype\fR, \fIclass\fR @@ -198,8 +215,10 @@ and must exist. If \fIclass\fR is omitted, IN (internet) is assumed. -.TP 3n -.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} +.RE +.PP +\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} +.RS 4 The \fIdata\fR from each set of prerequisites of this form sharing a common @@ -212,8 +231,10 @@ are combined to form a set of RRs. This set of RRs must exactly match the set of \fIdomain\-name\fR. The \fIdata\fR are written in the standard text representation of the resource record's RDATA. -.TP 3n -.HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] +.RE +.PP +\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] +.RS 4 Deletes any resource records named \fIdomain\-name\fR. If \fItype\fR 
@@ -224,22 +245,31 @@ is provided, only matching resource records will be removed. The internet class is not supplied. The \fIttl\fR is ignored, and is only allowed for compatibility. -.TP 3n -.HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} +.RE +.PP +\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} +.RS 4 Adds a new resource record with the specified \fIttl\fR, \fIclass\fR and \fIdata\fR. -.TP 3n -.HP 5 \fBshow\fR +.RE +.PP +\fBshow\fR +.RS 4 Displays the current message, containing all of the prerequisites and updates specified since the last send. -.TP 3n -.HP 5 \fBsend\fR +.RE +.PP +\fBsend\fR +.RS 4 Sends the current message. This is equivalent to entering a blank line. -.TP 3n -.HP 7 \fBanswer\fR +.RE +.PP +\fBanswer\fR +.RS 4 Displays the answer. +.RE .PP Lines beginning with a semicolon are comments and are ignored. .SH "EXAMPLES" @@ -251,7 +281,7 @@ could be used to insert and delete resource records from the zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for \fBexample.com\fR. .sp -.RS 3n +.RS 4 .nf # nsupdate > update delete oldhost.example.com A @@ -267,7 +297,7 @@ are deleted. and an A record for \fBnewhost.example.com\fR it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds) .sp -.RS 3n +.RS 4 .nf # nsupdate > prereq nxdomain nickname.example.com 
@@ -280,17 +310,23 @@ it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (8640 The prerequisite condition gets the name server to check that there are no resource records of any type for \fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.) .SH "FILES" -.TP 3n +.PP \fB/etc/resolv.conf\fR +.RS 4 used to identify default name server -.TP 3n +.RE +.PP \fBK{name}.+157.+{random}.key\fR +.RS 4 base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8). -.TP 3n +.RE +.PP \fBK{name}.+157.+{random}.private\fR +.RS 4 base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8). +.RE .SH "SEE ALSO" .PP \fBRFC2136\fR(), @@ -306,4 +342,7 @@ base\-64 encoding of HMAC\-MD5 key created by .PP The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c index 107d85f..412505e 100644 --- a/contrib/bind9/bin/nsupdate/nsupdate.c +++ b/contrib/bind9/bin/nsupdate/nsupdate.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.103.2.15.2.23 2006/06/09 07:29:24 marka Exp $ */ +/* $Id: nsupdate.c,v 1.130.18.15 2006/12/07 05:39:45 marka Exp $ */ + +/*! \file */ #include <config.h> 
@@ -159,6 +161,9 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); static void ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); +static void +error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); + #define STATUS_MORE (isc_uint16_t)0 #define STATUS_SEND (isc_uint16_t)1 #define STATUS_QUIT (isc_uint16_t)2 @@ -193,6 +198,16 @@ fatal(const char *format, ...) { } static void +error(const char *format, ...) { + va_list args; + + va_start(args, format); + vfprintf(stderr, format, args); + va_end(args); + fprintf(stderr, "\n"); +} + +static void debug(const char *format, ...) { va_list args; 
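Review bot: The new file-scope `error()` shares its name with glibc's `error(3)`, which <error.h> declares as `void error(int, int, const char *, ...)`; nothing in this hunk includes that header, so it compiles today, but any later direct or transitive include would turn the two incompatible declarations into a build failure on glibc systems. A project-prefixed name such as `nsu_error()` would avoid that, or at minimum a comment on the definition, `/* NB: clashes with glibc error(3) if <error.h> is ever included */`. The function body itself looks right, and the ISC_FORMAT_PRINTF(1, 2) annotation on the prototype above means format/argument mismatches are caught at compile time.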
@@ -282,6 +297,74 @@ reset_system(void) { updatemsg->opcode = dns_opcode_update; } +static isc_uint16_t +parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) { + isc_uint16_t digestbits = 0; + isc_result_t result; + char buf[20]; + + REQUIRE(hmac != NULL && *hmac == NULL); + REQUIRE(hmacstr != NULL); + + if (len >= sizeof(buf)) + fatal("unknown key type '%.*s'", (int)(len), hmacstr); + + strncpy(buf, hmacstr, len); + buf[len] = 0; + + if (strcasecmp(buf, "hmac-md5") == 0) { + *hmac = DNS_TSIG_HMACMD5_NAME; + } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { + *hmac = DNS_TSIG_HMACMD5_NAME; + result = isc_parse_uint16(&digestbits, &buf[9], 10); + if (result != ISC_R_SUCCESS || digestbits > 128) + fatal("digest-bits out of range [0..128]"); + digestbits = (digestbits +7) & ~0x7U; + } else if (strcasecmp(buf, "hmac-sha1") == 0) { + *hmac = DNS_TSIG_HMACSHA1_NAME; + } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { + *hmac = DNS_TSIG_HMACSHA1_NAME; + result = isc_parse_uint16(&digestbits, &buf[10], 10); + if (result != ISC_R_SUCCESS || digestbits > 160) + fatal("digest-bits out of range [0..160]"); + digestbits = (digestbits +7) & ~0x7U; + } else if (strcasecmp(buf, "hmac-sha224") == 0) { + *hmac = DNS_TSIG_HMACSHA224_NAME; + } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) { + *hmac = DNS_TSIG_HMACSHA224_NAME; + result = isc_parse_uint16(&digestbits, &buf[12], 10); + if (result != ISC_R_SUCCESS || digestbits > 224) + fatal("digest-bits out of range [0..224]"); + digestbits = (digestbits +7) & ~0x7U; + } else if (strcasecmp(buf, "hmac-sha256") == 0) { + *hmac = DNS_TSIG_HMACSHA256_NAME; + } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) { + *hmac = DNS_TSIG_HMACSHA256_NAME; + result = isc_parse_uint16(&digestbits, &buf[12], 10); + if (result != ISC_R_SUCCESS || digestbits > 256) + fatal("digest-bits out of range [0..256]"); + digestbits = (digestbits +7) & ~0x7U; + } else if (strcasecmp(buf, "hmac-sha384") == 0) { + *hmac = 
DNS_TSIG_HMACSHA384_NAME; + } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) { + *hmac = DNS_TSIG_HMACSHA384_NAME; + result = isc_parse_uint16(&digestbits, &buf[12], 10); + if (result != ISC_R_SUCCESS || digestbits > 384) + fatal("digest-bits out of range [0..384]"); + digestbits = (digestbits +7) & ~0x7U; + } else if (strcasecmp(buf, "hmac-sha512") == 0) { + *hmac = DNS_TSIG_HMACSHA512_NAME; + } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) { + *hmac = DNS_TSIG_HMACSHA512_NAME; + result = isc_parse_uint16(&digestbits, &buf[12], 10); + if (result != ISC_R_SUCCESS || digestbits > 512) + fatal("digest-bits out of range [0..512]"); + digestbits = (digestbits +7) & ~0x7U; + } else + fatal("unknown key type '%s'", buf); + return (digestbits); +} + static void setup_keystr(void) { unsigned char *secret = NULL; @@ -290,9 +373,12 @@ setup_keystr(void) { isc_result_t result; isc_buffer_t keynamesrc; char *secretstr; - char *s; + char *s, *n; dns_fixedname_t fkeyname; dns_name_t *keyname; + char *name; + dns_name_t *hmacname = NULL; + isc_uint16_t digestbits = 0; dns_fixedname_init(&fkeyname); keyname = dns_fixedname_name(&fkeyname); 
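Review bot: parse_hmac() only bounds the requested MAC truncation from above: every `hmac-*-N` branch checks `digestbits > <full length>`, so inputs such as `hmac-sha256-8` are accepted and rounded to an 8-bit MAC. RFC 4635 requires a truncated TSIG MAC to be at least 80 bits and at least half of the full digest length, so a compliant server will reject such signatures and the user only discovers it when the update fails (0 presumably means "no truncation", given the `[0..N]` range messages, and should stay allowed). Recording the branch's full length in a local `maxbits` and checking once after the chain, `if (digestbits != 0 && (digestbits < 80 || digestbits * 2 < maxbits)) fatal("digest-bits below the RFC 4635 minimum");`, would reject these client-side with a clear message. Separately, the man-page text later in this diff still says HMAC-MD5 is the only supported TSIG algorithm, which this function now contradicts.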
@@ -300,12 +386,24 @@ setup_keystr(void) { debug("Creating key..."); s = strchr(keystr, ':'); - if (s == NULL || s == keystr || *s == 0) - fatal("key option must specify keyname:secret"); + if (s == NULL || s == keystr || s[1] == 0) + fatal("key option must specify [hmac:]keyname:secret"); secretstr = s + 1; + n = strchr(secretstr, ':'); + if (n != NULL) { + if (n == secretstr || n[1] == 0) + fatal("key option must specify [hmac:]keyname:secret"); + name = secretstr; + secretstr = n + 1; + digestbits = parse_hmac(&hmacname, keystr, s - keystr); + } else { + hmacname = DNS_TSIG_HMACMD5_NAME; + name = keystr; + n = s; + } - isc_buffer_init(&keynamesrc, keystr, s - keystr); - isc_buffer_add(&keynamesrc, s - keystr); + isc_buffer_init(&keynamesrc, name, n - name); + isc_buffer_add(&keynamesrc, n - name); debug("namefromtext"); result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname, @@ -328,12 +426,13 @@ setup_keystr(void) { secretlen = isc_buffer_usedlength(&secretbuf); debug("keycreate"); - result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name, - secret, secretlen, ISC_TRUE, NULL, - 0, 0, mctx, NULL, &tsigkey); + result = dns_tsigkey_create(keyname, hmacname, secret, secretlen, + ISC_TRUE, NULL, 0, 0, mctx, NULL, &tsigkey); if (result != ISC_R_SUCCESS) fprintf(stderr, "could not create key from %s: %s\n", keystr, dns_result_totext(result)); + else + dst_key_setbits(tsigkey->key, digestbits); failure: if (secret != NULL) isc_mem_free(mctx, secret); @@ -343,6 +442,7 @@ static void setup_keyfile(void) { dst_key_t *dstkey = NULL; isc_result_t result; + dns_name_t *hmacname = NULL; debug("Creating key..."); 
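Review bot: The failure path directly above the new `else` branch prints `keystr` verbatim, and with the new `[hmac:]keyname:secret` syntax that string still carries the base64 shared secret, so a rejected key is echoed to stderr and to whatever captures it. The line is pre-existing context, but since `n` now points at the colon preceding the secret in both branches of this function, it is a one-line fix: `fprintf(stderr, "could not create key from %.*s: %s\n", (int)(n - keystr), keystr, dns_result_totext(result));`. The same pattern exists in evaluate_key(), whose error message prints `secretstr` next to `namestr`.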
@@ -354,11 +454,31 @@ setup_keyfile(void) { keyfile, isc_result_totext(result)); return; } - if (dst_key_alg(dstkey) == DST_ALG_HMACMD5) { + switch (dst_key_alg(dstkey)) { + case DST_ALG_HMACMD5: + hmacname = DNS_TSIG_HMACMD5_NAME; + break; + case DST_ALG_HMACSHA1: + hmacname = DNS_TSIG_HMACSHA1_NAME; + break; + case DST_ALG_HMACSHA224: + hmacname = DNS_TSIG_HMACSHA224_NAME; + break; + case DST_ALG_HMACSHA256: + hmacname = DNS_TSIG_HMACSHA256_NAME; + break; + case DST_ALG_HMACSHA384: + hmacname = DNS_TSIG_HMACSHA384_NAME; + break; + case DST_ALG_HMACSHA512: + hmacname = DNS_TSIG_HMACSHA512_NAME; + break; + } + if (hmacname != NULL) { result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - dns_tsig_hmacmd5_name, - dstkey, ISC_FALSE, NULL, - 0, 0, mctx, NULL, &tsigkey); + hmacname, dstkey, ISC_FALSE, + NULL, 0, 0, mctx, NULL, + &tsigkey); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s: %s\n", keyfile, isc_result_totext(result)); @@ -998,6 +1118,9 @@ evaluate_key(char *cmdline) { int secretlen; unsigned char *secret = NULL; isc_buffer_t secretbuf; + dns_name_t *hmacname = NULL; + isc_uint16_t digestbits = 0; + char *n; namestr = nsu_strsep(&cmdline, " \t\r\n"); if (*namestr == 0) { @@ -1008,6 +1131,13 @@ evaluate_key(char *cmdline) { dns_fixedname_init(&fkeyname); keyname = dns_fixedname_name(&fkeyname); + n = strchr(namestr, ':'); + if (n != NULL) { + digestbits = parse_hmac(&hmacname, namestr, n - namestr); + namestr = n + 1; + } else + hmacname = DNS_TSIG_HMACMD5_NAME; + isc_buffer_init(&b, namestr, strlen(namestr)); isc_buffer_add(&b, strlen(namestr)); result = dns_name_fromtext(keyname, &b, dns_rootname, ISC_FALSE, NULL); 
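Review bot: The new `switch` on dst_key_alg() has no `default:` label; any algorithm other than the six HMACs silently leaves `hmacname` NULL and skips the `if (hmacname != NULL)` block, presumably landing in SIG(0) handling that this hunk cuts off. A `default: break;` with a comment, `/* not an HMAC key (e.g. SIG(0)): handled below */`, documents that the fall-through is intentional rather than an omission. The enclosing setup_keyfile() continues past the end of the hunk.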
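Review bot: parse_hmac() terminates the process via fatal() on an unrecognised or out-of-range algorithm, and here it is reached from the interactive `key` command, so a typo such as `key hmac-sha256-abc:name secret` kills the whole nsupdate session (and any batch of updates already queued) instead of being reported like the other failures in this function, which `return (STATUS_SYNTAX)`. Letting parse_hmac() report failure to its caller (for instance returning an isc_result_t and passing `digestbits` out by pointer) would allow this path to print the error and `return (STATUS_SYNTAX)` while the -y command-line path keeps calling fatal(). The man-page entry for the `key` command later in this diff also still documents only `key name secret`, not the new `hmac:` prefix accepted here.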
@@ -1038,15 +1168,16 @@ evaluate_key(char *cmdline) { if (tsigkey != NULL) dns_tsigkey_detach(&tsigkey); - result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name, - secret, secretlen, ISC_TRUE, NULL, 0, 0, - mctx, NULL, &tsigkey); + result = dns_tsigkey_create(keyname, hmacname, secret, secretlen, + ISC_TRUE, NULL, 0, 0, mctx, NULL, + &tsigkey); isc_mem_free(mctx, secret); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s %s: %s\n", namestr, secretstr, dns_result_totext(result)); return (STATUS_SYNTAX); } + dst_key_setbits(tsigkey->key, digestbits); return (STATUS_MORE); } 
@@ -1304,12 +1435,50 @@ evaluate_update(char *cmdline) { } static void +setzone(dns_name_t *zonename) { + isc_result_t result; + dns_name_t *name = NULL; + dns_rdataset_t *rdataset = NULL; + + result = dns_message_firstname(updatemsg, DNS_SECTION_ZONE); + if (result == ISC_R_SUCCESS) { + dns_message_currentname(updatemsg, DNS_SECTION_ZONE, &name); + dns_message_removename(updatemsg, name, DNS_SECTION_ZONE); + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_HEAD(name->list)) { + ISC_LIST_UNLINK(name->list, rdataset, link); + dns_rdataset_disassociate(rdataset); + dns_message_puttemprdataset(updatemsg, &rdataset); + } + dns_message_puttempname(updatemsg, &name); + } + + if (zonename != NULL) { + result = dns_message_gettempname(updatemsg, &name); + check_result(result, "dns_message_gettempname"); + dns_name_init(name, NULL); + dns_name_clone(zonename, name); + result = dns_message_gettemprdataset(updatemsg, &rdataset); + check_result(result, "dns_message_gettemprdataset"); + dns_rdataset_makequestion(rdataset, getzoneclass(), + dns_rdatatype_soa); + ISC_LIST_INIT(name->list); + ISC_LIST_APPEND(name->list, rdataset, link); + dns_message_addname(updatemsg, name, DNS_SECTION_ZONE); + } +} + +static void show_message(dns_message_t *msg) { isc_result_t result; isc_buffer_t *buf = NULL; int bufsz; ddebug("show_message()"); + + setzone(userzone); + bufsz = INITTEXT; do { if (bufsz > MAXTEXT) { 
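Review bot: setzone() has no header comment and its contract is not obvious from the name: it first strips whatever is in the zone section of `updatemsg`, handing the name and rdatasets back to the message's temporary pools, and only when `zonename` is non-NULL installs a fresh SOA question for it — so `setzone(NULL)` is a "clear" operation, which is what show_message() relies on when no `zone` command was given. Suggested comment above the definition: `/* Replace the zone section of updatemsg with an SOA question for zonename; a NULL zonename just clears the section. Existing entries are returned to the message's temporary pools. */`. The loop that re-reads ISC_LIST_HEAD after each unlink is correct but deserves a why-comment, `/* unlink one at a time; the list is consumed as we go */`.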
@@ -1537,22 +1706,11 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master, { isc_result_t result; dns_request_t *request = NULL; - dns_name_t *name = NULL; - dns_rdataset_t *rdataset = NULL; unsigned int options = 0; ddebug("send_update()"); - result = dns_message_gettempname(updatemsg, &name); - check_result(result, "dns_message_gettempname"); - dns_name_init(name, NULL); - dns_name_clone(zonename, name); - result = dns_message_gettemprdataset(updatemsg, &rdataset); - check_result(result, "dns_message_gettemprdataset"); - dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); - ISC_LIST_INIT(name->list); - ISC_LIST_APPEND(name->list, rdataset, link); - dns_message_addname(updatemsg, name, DNS_SECTION_ZONE); + setzone(zonename); if (usevc) options |= DNS_REQUESTOPT_TCP; @@ -1643,8 +1801,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) { setzoneclass(dns_rdataclass_none); return; } - isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); + isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); + reqinfo = NULL; isc_event_free(&event); reqev = NULL; @@ -1703,6 +1862,19 @@ recvsoa(isc_task_t *task, isc_event_t *event) { rcvmsg->rcode != dns_rcode_nxdomain) fatal("response to SOA query was unsuccessful"); + if (userzone != NULL && rcvmsg->rcode == dns_rcode_nxdomain) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(userzone, namebuf, sizeof(namebuf)); + error("specified zone '%s' does not exist (NXDOMAIN)", + namebuf); + dns_message_destroy(&rcvmsg); + dns_request_destroy(&request); + dns_message_destroy(&soaquery); + ddebug("Out of recvsoa"); + done_update(); + return; + } + lookforsoa: if (pass == 0) section = DNS_SECTION_ANSWER; 
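Review bot: The new NXDOMAIN early-exit in recvsoa() destroys `rcvmsg`, `request` and `soaquery` and calls done_update(), but unlike the earlier early return in this function visible in the previous hunk, which ends with `setzoneclass(dns_rdataclass_none); return;`, it does not reset the zone class; if done_update() (outside this diff) does not do that, the two failure paths leave different state behind. Worth confirming, and either adding `setzoneclass(dns_rdataclass_none);` before `done_update();` or a comment explaining why it is unnecessary here. Note also that this decision rests on an unauthenticated reply, since the SOA probe is an ordinary unsigned query; a comment such as `/* SOA probe is unsigned: a forged NXDOMAIN can only abort the run, never authorise an update */` would make that trust boundary explicit. recvsoa() continues past the hunk.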
@@ -1859,15 +2031,6 @@ start_update(void) { if (answer != NULL) dns_message_destroy(&answer); - result = dns_message_firstname(updatemsg, section); - if (result == ISC_R_NOMORE) { - section = DNS_SECTION_PREREQUISITE; - result = dns_message_firstname(updatemsg, section); - } - if (result != ISC_R_SUCCESS) { - done_update(); - return; - } if (userzone != NULL && userserver != NULL) { send_update(userzone, userserver, localaddr); @@ -1879,7 +2042,8 @@ start_update(void) { &soaquery); check_result(result, "dns_message_create"); - soaquery->flags |= DNS_MESSAGEFLAG_RD; + if (userserver == NULL) + soaquery->flags |= DNS_MESSAGEFLAG_RD; result = dns_message_gettempname(soaquery, &name); check_result(result, "dns_message_gettempname"); @@ -1889,10 +2053,24 @@ start_update(void) { dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); - firstname = NULL; - dns_message_currentname(updatemsg, section, &firstname); - dns_name_init(name, NULL); - dns_name_clone(firstname, name); + if (userzone != NULL) { + dns_name_init(name, NULL); + dns_name_clone(userzone, name); + } else { + result = dns_message_firstname(updatemsg, section); + if (result == ISC_R_NOMORE) { + section = DNS_SECTION_PREREQUISITE; + result = dns_message_firstname(updatemsg, section); + } + if (result != ISC_R_SUCCESS) { + done_update(); + return; + } + firstname = NULL; + dns_message_currentname(updatemsg, section, &firstname); + dns_name_init(name, NULL); + dns_name_clone(firstname, name); + } ISC_LIST_INIT(name->list); ISC_LIST_APPEND(name->list, rdataset, link); @@ -1927,6 +2105,9 @@ cleanup(void) { ddebug("Destroying hash context"); isc_hash_destroy(); + ddebug("Destroying name state"); + dns_name_destroy(); + ddebug("Destroying memory context"); if (memdebugging) isc_mem_stats(mctx, stderr); diff --git a/contrib/bind9/bin/nsupdate/nsupdate.docbook b/contrib/bind9/bin/nsupdate/nsupdate.docbook index 7a2b4cf..77eff65 100644 --- a/contrib/bind9/bin/nsupdate/nsupdate.docbook 
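Review bot: In the new `else` branch of start_update(), the empty-message check now runs after `soaquery` has been created, `name` and `rdataset` have been taken from it and `rdataset` has been turned into a question, yet the `done_update(); return;` path releases none of them; the check removed in the first hunk above ran before those allocations, so this path did not exist before. Unless done_update() (outside this diff) destroys `soaquery`, this leaks the message and its temporaries whenever nsupdate is run with no prerequisites or updates and no `zone` command — something the `memdebugging` statistics printed in cleanup() should expose. The fix mirrors the teardown setzone() performs: hand the temporaries back and destroy the query before signalling completion (initialising `name` first if dns_message_gettempname() does not, which the explicit dns_name_init() calls after it suggest).
```c
		if (result != ISC_R_SUCCESS) {
			/* release what was allocated above before bailing out */
			dns_name_init(name, NULL);
			dns_message_puttempname(soaquery, &name);
			dns_rdataset_disassociate(rdataset);
			dns_message_puttemprdataset(soaquery, &rdataset);
			dns_message_destroy(&soaquery);
			done_update();
			return;
		}
```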
+++ b/contrib/bind9/bin/nsupdate/nsupdate.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,22 +18,27 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nsupdate.docbook,v 1.8.2.3.2.10 2005/05/12 21:36:03 sra Exp $ --> - +<!-- $Id: nsupdate.docbook,v 1.18.18.8 2007/01/29 23:57:20 marka Exp $ --> <refentry> -<refentryinfo> -<date>Jun 30, 2000</date> -</refentryinfo> -<refmeta> -<refentrytitle>nsupdate</refentrytitle> -<manvolnum>8</manvolnum> -<refmiscinfo>BIND9</refmiscinfo> -</refmeta> + <refentryinfo> + <date>Jun 30, 2000</date> + </refentryinfo> + <refmeta> + <refentrytitle>nsupdate</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + <refnamediv> + <refname>nsupdate</refname> + <refpurpose>Dynamic DNS update utility</refpurpose> + </refnamediv> <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> 
@@ -45,614 +50,608 @@ </copyright> </docinfo> -<refnamediv> -<refname>nsupdate</refname> -<refpurpose>Dynamic DNS update utility</refpurpose> -</refnamediv> -<refsynopsisdiv> -<cmdsynopsis> -<command>nsupdate</command> -<arg><option>-d</option></arg> -<group> - <arg><option>-y <replaceable class="parameter">keyname:secret</replaceable></option></arg> - <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg> -</group> -<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg> -<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg> -<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg> -<arg><option>-v</option></arg> -<arg>filename</arg> -</cmdsynopsis> -</refsynopsisdiv> - -<refsect1> -<title>DESCRIPTION</title> -<para> -<command>nsupdate</command> -is used to submit Dynamic DNS Update requests as defined in RFC2136 -to a name server. -This allows resource records to be added or removed from a zone -without manually editing the zone file. -A single update request can contain requests to add or remove more than one -resource record. -</para> -<para> -Zones that are under dynamic control via -<command>nsupdate</command> -or a DHCP server should not be edited by hand. -Manual edits could -conflict with dynamic updates and cause data to be lost. -</para> -<para> -The resource records that are dynamically added or removed with -<command>nsupdate</command> -have to be in the same zone. -Requests are sent to the zone's master server. -This is identified by the MNAME field of the zone's SOA record. -</para> -<para> -The -<option>-d</option> -option makes -<command>nsupdate</command> -operate in debug mode. -This provides tracing information about the update requests that are -made and the replies received from the name server. -</para> -<para> -Transaction signatures can be used to authenticate the Dynamic DNS -updates. 
-These use the TSIG resource record type described in RFC2845 or the -SIG(0) record described in RFC3535 and RFC2931. -TSIG relies on a shared secret that should only be known to -<command>nsupdate</command> and the name server. -Currently, the only supported encryption algorithm for TSIG is -HMAC-MD5, which is defined in RFC 2104. -Once other algorithms are defined for TSIG, applications will need to -ensure they select the appropriate algorithm as well as the key when -authenticating each other. -For instance suitable -<type>key</type> -and -<type>server</type> -statements would be added to -<filename>/etc/named.conf</filename> -so that the name server can associate the appropriate secret key -and algorithm with the IP address of the -client application that will be using TSIG authentication. -SIG(0) uses public key cryptography. To use a SIG(0) key, the public -key must be stored in a KEY record in a zone served by the name server. -<command>nsupdate</command> -does not read -<filename>/etc/named.conf</filename>. -</para> -<para> -<command>nsupdate</command> -uses the -<option>-y</option> -or -<option>-k</option> -option (with an HMAC-MD5 key) to provide the shared secret needed to generate -a TSIG record for authenticating Dynamic DNS update requests. -These options are mutually exclusive. -With the -<option>-k</option> -option, -<command>nsupdate</command> -reads the shared secret from the file -<parameter>keyfile</parameter>, -whose name is of the form -<filename>K{name}.+157.+{random}.private</filename>. -For historical -reasons, the file -<filename>K{name}.+157.+{random}.key</filename> -must also be present. When the -<option>-y</option> -option is used, a signature is generated from -<parameter>keyname:secret.</parameter> -<parameter>keyname</parameter> -is the name of the key, -and -<parameter>secret</parameter> -is the base64 encoded shared secret. 
-Use of the -<option>-y</option> -option is discouraged because the shared secret is supplied as a command -line argument in clear text. -This may be visible in the output from -<citerefentry> -<refentrytitle>ps</refentrytitle><manvolnum>1 -</manvolnum> -</citerefentry> -or in a history file maintained by the user's shell. -</para> -<para> -The <option>-k</option> may also be used to specify a SIG(0) key used -to authenticate Dynamic DNS update requests. In this case, the key -specified is not an HMAC-MD5 key. -</para> -<para> -By default -<command>nsupdate</command> -uses UDP to send update requests to the name server unless they are too -large to fit in a UDP request in which case TCP will be used. -The -<option>-v</option> -option makes -<command>nsupdate</command> -use a TCP connection. -This may be preferable when a batch of update requests is made. -</para> -<para>The <option>-t</option> option sets the maximum time a update request can -take before it is aborted. The default is 300 seconds. Zero can be used -to disable the timeout. -</para> -<para>The <option>-u</option> option sets the UDP retry interval. The default is -3 seconds. If zero the interval will be computed from the timeout interval -and number of UDP retries. -</para> -<para>The <option>-r</option> option sets the number of UDP retries. The default is -3. If zero only one update request will be made. -</para> -</refsect1> - -<refsect1> -<title>INPUT FORMAT</title> -<para> -<command>nsupdate</command> -reads input from -<parameter>filename</parameter> -or standard input. -Each command is supplied on exactly one line of input. -Some commands are for administrative purposes. -The others are either update instructions or prerequisite checks on the -contents of the zone. -These checks set conditions that some name or set of -resource records (RRset) either exists or is absent from the zone. -These conditions must be met if the entire update request is to succeed. 
-Updates will be rejected if the tests for the prerequisite conditions fail. -</para> -<para> -Every update request consists of zero or more prerequisites -and zero or more updates. -This allows a suitably authenticated update request to proceed if some -specified resource records are present or missing from the zone. -A blank input line (or the <command>send</command> command) causes the -accumulated commands to be sent as one Dynamic DNS update request to the -name server. -</para> -<para> -The command formats and their meaning are as follows: -<variablelist> -<varlistentry><term> -<cmdsynopsis> -<command>server</command> -<arg choice="req">servername</arg> -<arg choice="opt">port</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Sends all dynamic update requests to the name server -<parameter>servername</parameter>. -When no server statement is provided, -<command>nsupdate</command> -will send updates to the master server of the correct zone. -The MNAME field of that zone's SOA record will identify the master -server for that zone. -<parameter>port</parameter> -is the port number on -<parameter>servername</parameter> -where the dynamic update requests get sent. -If no port number is specified, the default DNS port number of 53 is -used. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>local</command> -<arg choice="req">address</arg> -<arg choice="opt">port</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Sends all dynamic update requests using the local -<parameter>address</parameter>. - -When no local statement is provided, -<command>nsupdate</command> -will send updates using an address and port chosen by the system. -<parameter>port</parameter> -can additionally be used to make requests come from a specific port. -If no port number is specified, the system will assign one. 
-</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>zone</command> -<arg choice="req">zonename</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Specifies that all updates are to be made to the zone -<parameter>zonename</parameter>. -If no -<parameter>zone</parameter> -statement is provided, -<command>nsupdate</command> -will attempt determine the correct zone to update based on the rest of the input. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>class</command> -<arg choice="req">classname</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Specify the default class. -If no <parameter>class</parameter> is specified the default class is -<parameter>IN</parameter>. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>key</command> -<arg choice="req">name</arg> -<arg choice="req">secret</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Specifies that all updates are to be TSIG signed using the -<parameter>keyname</parameter> <parameter>keysecret</parameter> pair. -The <command>key</command> command -overrides any key specified on the command line via -<option>-y</option> or <option>-k</option>. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>prereq nxdomain</command> -<arg choice="req">domain-name</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Requires that no resource record of any type exists with name -<parameter>domain-name</parameter>. -</para> -</listitem> -</varlistentry> - - -<varlistentry><term> -<cmdsynopsis> -<command>prereq yxdomain</command> -<arg choice="req">domain-name</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Requires that -<parameter>domain-name</parameter> -exists (has as at least one resource record, of any type). 
-</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>prereq nxrrset</command> -<arg choice="req">domain-name</arg> -<arg choice="opt">class</arg> -<arg choice="req">type</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Requires that no resource record exists of the specified -<parameter>type</parameter>, -<parameter>class</parameter> -and -<parameter>domain-name</parameter>. -If -<parameter>class</parameter> -is omitted, IN (internet) is assumed. -</para> -</listitem> -</varlistentry> - - -<varlistentry><term> -<cmdsynopsis> -<command>prereq yxrrset</command> -<arg choice="req">domain-name</arg> -<arg choice="opt">class</arg> -<arg choice="req">type</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -This requires that a resource record of the specified -<parameter>type</parameter>, -<parameter>class</parameter> -and -<parameter>domain-name</parameter> -must exist. -If -<parameter>class</parameter> -is omitted, IN (internet) is assumed. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>prereq yxrrset</command> -<arg choice="req">domain-name</arg> -<arg choice="opt">class</arg> -<arg choice="req">type</arg> -<arg choice="req" rep="repeat">data</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -The -<parameter>data</parameter> -from each set of prerequisites of this form -sharing a common -<parameter>type</parameter>, -<parameter>class</parameter>, -and -<parameter>domain-name</parameter> -are combined to form a set of RRs. This set of RRs must -exactly match the set of RRs existing in the zone at the -given -<parameter>type</parameter>, -<parameter>class</parameter>, -and -<parameter>domain-name</parameter>. -The -<parameter>data</parameter> -are written in the standard text representation of the resource record's -RDATA. 
-</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>update delete</command> -<arg choice="req">domain-name</arg> -<arg choice="opt">ttl</arg> -<arg choice="opt">class</arg> -<arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Deletes any resource records named -<parameter>domain-name</parameter>. -If -<parameter>type</parameter> -and -<parameter>data</parameter> -is provided, only matching resource records will be removed. -The internet class is assumed if -<parameter>class</parameter> -is not supplied. The -<parameter>ttl</parameter> -is ignored, and is only allowed for compatibility. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>update add</command> -<arg choice="req">domain-name</arg> -<arg choice="req">ttl</arg> -<arg choice="opt">class</arg> -<arg choice="req">type</arg> -<arg choice="req" rep="repeat">data</arg> -</cmdsynopsis> -</term> -<listitem> -<para> -Adds a new resource record with the specified -<parameter>ttl</parameter>, -<parameter>class</parameter> -and -<parameter>data</parameter>. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>show</command> -</cmdsynopsis> -</term> -<listitem> -<para> -Displays the current message, containing all of the prerequisites and -updates specified since the last send. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>send</command> -</cmdsynopsis> -</term> -<listitem> -<para> -Sends the current message. This is equivalent to entering a blank line. -</para> -</listitem> -</varlistentry> - -<varlistentry><term> -<cmdsynopsis> -<command>answer</command> -</cmdsynopsis> -</term> -<listitem> -<para> -Displays the answer. -</para> -</listitem> -</varlistentry> - -</variablelist> -</para> - -<para> -Lines beginning with a semicolon are comments and are ignored. 
-</para> - -</refsect1> - -<refsect1> -<title>EXAMPLES</title> -<para> -The examples below show how -<command>nsupdate</command> -could be used to insert and delete resource records from the -<type>example.com</type> -zone. -Notice that the input in each example contains a trailing blank line so that -a group of commands are sent as one dynamic update request to the -master name server for -<type>example.com</type>. - -<programlisting> + <refsynopsisdiv> + <cmdsynopsis> + <command>nsupdate</command> + <arg><option>-d</option></arg> + <group> + <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg> + <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg> + </group> + <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg> + <arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg> + <arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg> + <arg><option>-v</option></arg> + <arg>filename</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para><command>nsupdate</command> + is used to submit Dynamic DNS Update requests as defined in RFC2136 + to a name server. + This allows resource records to be added or removed from a zone + without manually editing the zone file. + A single update request can contain requests to add or remove more than + one + resource record. + </para> + <para> + Zones that are under dynamic control via + <command>nsupdate</command> + or a DHCP server should not be edited by hand. + Manual edits could + conflict with dynamic updates and cause data to be lost. + </para> + <para> + The resource records that are dynamically added or removed with + <command>nsupdate</command> + have to be in the same zone. + Requests are sent to the zone's master server. + This is identified by the MNAME field of the zone's SOA record. 
+ </para> + <para> + The + <option>-d</option> + option makes + <command>nsupdate</command> + operate in debug mode. + This provides tracing information about the update requests that are + made and the replies received from the name server. + </para> + <para> + Transaction signatures can be used to authenticate the Dynamic DNS + updates. + These use the TSIG resource record type described in RFC2845 or the + SIG(0) record described in RFC3535 and RFC2931. + TSIG relies on a shared secret that should only be known to + <command>nsupdate</command> and the name server. + Currently, the only supported encryption algorithm for TSIG is + HMAC-MD5, which is defined in RFC 2104. + Once other algorithms are defined for TSIG, applications will need to + ensure they select the appropriate algorithm as well as the key when + authenticating each other. + For instance suitable + <type>key</type> + and + <type>server</type> + statements would be added to + <filename>/etc/named.conf</filename> + so that the name server can associate the appropriate secret key + and algorithm with the IP address of the + client application that will be using TSIG authentication. + SIG(0) uses public key cryptography. To use a SIG(0) key, the public + key must be stored in a KEY record in a zone served by the name server. + <command>nsupdate</command> + does not read + <filename>/etc/named.conf</filename>. + </para> + <para><command>nsupdate</command> + uses the <option>-y</option> or <option>-k</option> option + to provide the shared secret needed to generate a TSIG record + for authenticating Dynamic DNS update requests, default type + HMAC-MD5. These options are mutually exclusive. With the + <option>-k</option> option, <command>nsupdate</command> reads + the shared secret from the file <parameter>keyfile</parameter>, + whose name is of the form + <filename>K{name}.+157.+{random}.private</filename>. 
For + historical reasons, the file + <filename>K{name}.+157.+{random}.key</filename> must also be + present. When the <option>-y</option> option is used, a + signature is generated from + <optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter> + <parameter>keyname</parameter> is the name of the key, and + <parameter>secret</parameter> is the base64 encoded shared + secret. Use of the <option>-y</option> option is discouraged + because the shared secret is supplied as a command line + argument in clear text. This may be visible in the output + from + <citerefentry> + <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> or in a history file maintained by the user's + shell. + </para> + <para> + The <option>-k</option> may also be used to specify a SIG(0) key used + to authenticate Dynamic DNS update requests. In this case, the key + specified is not an HMAC-MD5 key. + </para> + <para> + By default + <command>nsupdate</command> + uses UDP to send update requests to the name server unless they are too + large to fit in a UDP request in which case TCP will be used. + The + <option>-v</option> + option makes + <command>nsupdate</command> + use a TCP connection. + This may be preferable when a batch of update requests is made. + </para> + <para> + The <option>-t</option> option sets the maximum time a update request + can + take before it is aborted. The default is 300 seconds. Zero can be + used + to disable the timeout. + </para> + <para> + The <option>-u</option> option sets the UDP retry interval. The default + is + 3 seconds. If zero the interval will be computed from the timeout + interval + and number of UDP retries. + </para> + <para> + The <option>-r</option> option sets the number of UDP retries. The + default is + 3. If zero only one update request will be made. 
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>INPUT FORMAT</title>
+ <para><command>nsupdate</command>
+ reads input from
+ <parameter>filename</parameter>
+ or standard input.
+ Each command is supplied on exactly one line of input.
+ Some commands are for administrative purposes.
+ The others are either update instructions or prerequisite checks on the
+ contents of the zone.
+ These checks set conditions that some name or set of
+ resource records (RRset) either exists or is absent from the zone.
+ These conditions must be met if the entire update request is to succeed.
+ Updates will be rejected if the tests for the prerequisite conditions
+ fail.
+ </para>
+ <para>
+ Every update request consists of zero or more prerequisites
+ and zero or more updates.
+ This allows a suitably authenticated update request to proceed if some
+ specified resource records are present or missing from the zone.
+ A blank input line (or the <command>send</command> command)
+ causes the
+ accumulated commands to be sent as one Dynamic DNS update request to the
+ name server.
+ </para>
+ <para>
+ The command formats and their meaning are as follows:
+ <variablelist>
+
+ <varlistentry>
+ <term>
+ <command>server</command>
+ <arg choice="req">servername</arg>
+ <arg choice="opt">port</arg>
+ </term>
+ <listitem>
+ <para>
+ Sends all dynamic update requests to the name server
+ <parameter>servername</parameter>.
+ When no server statement is provided,
+ <command>nsupdate</command>
+ will send updates to the master server of the correct zone.
+ The MNAME field of that zone's SOA record will identify the
+ master
+ server for that zone.
+ <parameter>port</parameter>
+ is the port number on
+ <parameter>servername</parameter>
+ where the dynamic update requests get sent.
+ If no port number is specified, the default DNS port number of
+ 53 is
+ used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>local</command>
+ <arg choice="req">address</arg>
+ <arg choice="opt">port</arg>
+ </term>
+ <listitem>
+ <para>
+ Sends all dynamic update requests using the local
+ <parameter>address</parameter>.
+
+ When no local statement is provided,
+ <command>nsupdate</command>
+ will send updates using an address and port chosen by the
+ system.
+ <parameter>port</parameter>
+ can additionally be used to make requests come from a specific
+ port.
+ If no port number is specified, the system will assign one.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>zone</command>
+ <arg choice="req">zonename</arg>
+ </term>
+ <listitem>
+ <para>
+ Specifies that all updates are to be made to the zone
+ <parameter>zonename</parameter>.
+ If no
+ <parameter>zone</parameter>
+ statement is provided,
+ <command>nsupdate</command>
+ will attempt determine the correct zone to update based on the
+ rest of the input.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>class</command>
+ <arg choice="req">classname</arg>
+ </term>
+ <listitem>
+ <para>
+ Specify the default class.
+ If no <parameter>class</parameter> is specified the
+ default class is
+ <parameter>IN</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>key</command>
+ <arg choice="req">name</arg>
+ <arg choice="req">secret</arg>
+ </term>
+ <listitem>
+ <para>
+ Specifies that all updates are to be TSIG signed using the
+ <parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
+ The <command>key</command> command
+ overrides any key specified on the command line via
+ <option>-y</option> or <option>-k</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>prereq nxdomain</command>
+ <arg choice="req">domain-name</arg>
+ </term>
+ <listitem>
+ <para>
+ Requires that no resource record of any type exists with name
+ <parameter>domain-name</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>
+ <command>prereq yxdomain</command>
+ <arg choice="req">domain-name</arg>
+ </term>
+ <listitem>
+ <para>
+ Requires that
+ <parameter>domain-name</parameter>
+ exists (has as at least one resource record, of any type).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>prereq nxrrset</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ </term>
+ <listitem>
+ <para>
+ Requires that no resource record exists of the specified
+ <parameter>type</parameter>,
+ <parameter>class</parameter>
+ and
+ <parameter>domain-name</parameter>.
+ If
+ <parameter>class</parameter>
+ is omitted, IN (internet) is assumed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>
+ <command>prereq yxrrset</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ </term>
+ <listitem>
+ <para>
+ This requires that a resource record of the specified
+ <parameter>type</parameter>,
+ <parameter>class</parameter>
+ and
+ <parameter>domain-name</parameter>
+ must exist.
+ If
+ <parameter>class</parameter>
+ is omitted, IN (internet) is assumed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>prereq yxrrset</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ <arg choice="req" rep="repeat">data</arg>
+ </term>
+ <listitem>
+ <para>
+ The
+ <parameter>data</parameter>
+ from each set of prerequisites of this form
+ sharing a common
+ <parameter>type</parameter>,
+ <parameter>class</parameter>,
+ and
+ <parameter>domain-name</parameter>
+ are combined to form a set of RRs. This set of RRs must
+ exactly match the set of RRs existing in the zone at the
+ given
+ <parameter>type</parameter>,
+ <parameter>class</parameter>,
+ and
+ <parameter>domain-name</parameter>.
+ The
+ <parameter>data</parameter>
+ are written in the standard text representation of the resource
+ record's
+ RDATA.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>update delete</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="opt">ttl</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
+ </term>
+ <listitem>
+ <para>
+ Deletes any resource records named
+ <parameter>domain-name</parameter>.
+ If
+ <parameter>type</parameter>
+ and
+ <parameter>data</parameter>
+ is provided, only matching resource records will be removed.
+ The internet class is assumed if
+ <parameter>class</parameter>
+ is not supplied. The
+ <parameter>ttl</parameter>
+ is ignored, and is only allowed for compatibility.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <command>update add</command>
+ <arg choice="req">domain-name</arg>
+ <arg choice="req">ttl</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="req">type</arg>
+ <arg choice="req" rep="repeat">data</arg>
+ </term>
+ <listitem>
+ <para>
+ Adds a new resource record with the specified
+ <parameter>ttl</parameter>,
+ <parameter>class</parameter>
+ and
+ <parameter>data</parameter>.
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <command>show</command> + </term> + <listitem> + <para> + Displays the current message, containing all of the + prerequisites and + updates specified since the last send. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <command>send</command> + </term> + <listitem> + <para> + Sends the current message. This is equivalent to entering a + blank line. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <command>answer</command> + </term> + <listitem> + <para> + Displays the answer. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + + <para> + Lines beginning with a semicolon are comments and are ignored. + </para> + + </refsect1> + + <refsect1> + <title>EXAMPLES</title> + <para> + The examples below show how + <command>nsupdate</command> + could be used to insert and delete resource records from the + <type>example.com</type> + zone. + Notice that the input in each example contains a trailing blank line so + that + a group of commands are sent as one dynamic update request to the + master name server for + <type>example.com</type>. + + <programlisting> # nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 172.16.1.1 -> send +> update delete oldhost.example.com A +> update add newhost.example.com 86400 A 172.16.1.1 +> send </programlisting> -</para> -<para> -Any A records for -<type>oldhost.example.com</type> -are deleted. -and an A record for -<type>newhost.example.com</type> -it IP address 172.16.1.1 is added. -The newly-added record has a 1 day TTL (86400 seconds) -<programlisting> + </para> + <para> + Any A records for + <type>oldhost.example.com</type> + are deleted. + and an A record for + <type>newhost.example.com</type> + it IP address 172.16.1.1 is added. 
+ The newly-added record has a 1 day TTL (86400 seconds) + <programlisting> # nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send +> prereq nxdomain nickname.example.com +> update add nickname.example.com 86400 CNAME somehost.example.com +> send </programlisting> -</para> -<para> -The prerequisite condition gets the name server to check that there -are no resource records of any type for -<type>nickname.example.com</type>. - -If there are, the update request fails. -If this name does not exist, a CNAME for it is added. -This ensures that when the CNAME is added, it cannot conflict with the -long-standing rule in RFC1034 that a name must not exist as any other -record type if it exists as a CNAME. -(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -RRSIG, DNSKEY and NSEC records.) -</para> -</refsect1> - -<refsect1> -<title>FILES</title> - -<variablelist> -<varlistentry><term><constant>/etc/resolv.conf</constant></term> -<listitem> -<para> -used to identify default name server -</para> -</listitem> -</varlistentry> - -<varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term> -<listitem> -<para> -base-64 encoding of HMAC-MD5 key created by -<citerefentry> -<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>. -</para> -</listitem> -</varlistentry> - -<varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term> -<listitem> -<para> -base-64 encoding of HMAC-MD5 key created by -<citerefentry> -<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> -</citerefentry>. 
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2136</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC3007</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2104</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2845</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC1034</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2535</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2931</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-<refsect1>
-<title>BUGS</title>
-<para>
-The TSIG key is redundantly stored in two separate files.
-This is a consequence of nsupdate using the DST library
-for its cryptographic operations, and may change in future
-releases.
-</para>
-</refsect1>
-</refentry>
+ </para>
+ <para>
+ The prerequisite condition gets the name server to check that there
+ are no resource records of any type for
+ <type>nickname.example.com</type>.
+
+ If there are, the update request fails.
+ If this name does not exist, a CNAME for it is added.
+ This ensures that when the CNAME is added, it cannot conflict with the
+ long-standing rule in RFC1034 that a name must not exist as any other
+ record type if it exists as a CNAME.
+ (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+ RRSIG, DNSKEY and NSEC records.)
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><constant>/etc/resolv.conf</constant></term>
+ <listitem>
+ <para>
+ used to identify default name server
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>K{name}.+157.+{random}.key</constant></term>
+ <listitem>
+ <para>
+ base-64 encoding of HMAC-MD5 key created by
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>K{name}.+157.+{random}.private</constant></term>
+ <listitem>
+ <para>
+ base-64 encoding of HMAC-MD5 key created by
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>RFC2136</refentrytitle>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>RFC3007</refentrytitle>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>RFC2104</refentrytitle>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>RFC2845</refentrytitle>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>RFC1034</refentrytitle>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>RFC2535</refentrytitle>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>RFC2931</refentrytitle>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+
+ </refsect1>
+ <refsect1>
+ <title>BUGS</title>
+ <para>
+ The TSIG key is redundantly stored in two separate files.
+ This is a consequence of nsupdate using the DST library
+ for its cryptographic operations, and may change in future
+ releases.
+ </para>
+ </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.html b/contrib/bind9/bin/nsupdate/nsupdate.html
index 4df8280..ecf52ab 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.html
+++ b/contrib/bind9/bin/nsupdate/nsupdate.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
@@ -14,375 +14,408 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: nsupdate.html,v 1.9.2.3.2.15 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: nsupdate.html,v 1.14.18.21 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>nsupdate</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="id2476275"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p>nsupdate — Dynamic DNS update utility</p> </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div> +<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em 
class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549461"></a><h2>DESCRIPTION</h2> +<a name="id2543417"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">nsupdate</strong></span> + is used to submit Dynamic DNS Update requests as defined in RFC2136 + to a name server. + This allows resource records to be added or removed from a zone + without manually editing the zone file. + A single update request can contain requests to add or remove more than + one + resource record. + </p> <p> -<span><strong class="command">nsupdate</strong></span> -is used to submit Dynamic DNS Update requests as defined in RFC2136 -to a name server. -This allows resource records to be added or removed from a zone -without manually editing the zone file. -A single update request can contain requests to add or remove more than one -resource record. -</p> + Zones that are under dynamic control via + <span><strong class="command">nsupdate</strong></span> + or a DHCP server should not be edited by hand. + Manual edits could + conflict with dynamic updates and cause data to be lost. + </p> <p> -Zones that are under dynamic control via -<span><strong class="command">nsupdate</strong></span> -or a DHCP server should not be edited by hand. -Manual edits could -conflict with dynamic updates and cause data to be lost. -</p> + The resource records that are dynamically added or removed with + <span><strong class="command">nsupdate</strong></span> + have to be in the same zone. + Requests are sent to the zone's master server. + This is identified by the MNAME field of the zone's SOA record. + </p> <p> -The resource records that are dynamically added or removed with -<span><strong class="command">nsupdate</strong></span> -have to be in the same zone. -Requests are sent to the zone's master server. -This is identified by the MNAME field of the zone's SOA record. 
-</p> + The + <code class="option">-d</code> + option makes + <span><strong class="command">nsupdate</strong></span> + operate in debug mode. + This provides tracing information about the update requests that are + made and the replies received from the name server. + </p> <p> -The -<code class="option">-d</code> -option makes -<span><strong class="command">nsupdate</strong></span> -operate in debug mode. -This provides tracing information about the update requests that are -made and the replies received from the name server. -</p> + Transaction signatures can be used to authenticate the Dynamic DNS + updates. + These use the TSIG resource record type described in RFC2845 or the + SIG(0) record described in RFC3535 and RFC2931. + TSIG relies on a shared secret that should only be known to + <span><strong class="command">nsupdate</strong></span> and the name server. + Currently, the only supported encryption algorithm for TSIG is + HMAC-MD5, which is defined in RFC 2104. + Once other algorithms are defined for TSIG, applications will need to + ensure they select the appropriate algorithm as well as the key when + authenticating each other. + For instance suitable + <span class="type">key</span> + and + <span class="type">server</span> + statements would be added to + <code class="filename">/etc/named.conf</code> + so that the name server can associate the appropriate secret key + and algorithm with the IP address of the + client application that will be using TSIG authentication. + SIG(0) uses public key cryptography. To use a SIG(0) key, the public + key must be stored in a KEY record in a zone served by the name server. + <span><strong class="command">nsupdate</strong></span> + does not read + <code class="filename">/etc/named.conf</code>. 
+ </p> +<p><span><strong class="command">nsupdate</strong></span> + uses the <code class="option">-y</code> or <code class="option">-k</code> option + to provide the shared secret needed to generate a TSIG record + for authenticating Dynamic DNS update requests, default type + HMAC-MD5. These options are mutually exclusive. With the + <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads + the shared secret from the file <em class="parameter"><code>keyfile</code></em>, + whose name is of the form + <code class="filename">K{name}.+157.+{random}.private</code>. For + historical reasons, the file + <code class="filename">K{name}.+157.+{random}.key</code> must also be + present. When the <code class="option">-y</code> option is used, a + signature is generated from + [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em> + <em class="parameter"><code>keyname</code></em> is the name of the key, and + <em class="parameter"><code>secret</code></em> is the base64 encoded shared + secret. Use of the <code class="option">-y</code> option is discouraged + because the shared secret is supplied as a command line + argument in clear text. This may be visible in the output + from + <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's + shell. + </p> <p> -Transaction signatures can be used to authenticate the Dynamic DNS -updates. -These use the TSIG resource record type described in RFC2845 or the -SIG(0) record described in RFC3535 and RFC2931. -TSIG relies on a shared secret that should only be known to -<span><strong class="command">nsupdate</strong></span> and the name server. -Currently, the only supported encryption algorithm for TSIG is -HMAC-MD5, which is defined in RFC 2104. 
-Once other algorithms are defined for TSIG, applications will need to -ensure they select the appropriate algorithm as well as the key when -authenticating each other. -For instance suitable -<span class="type">key</span> -and -<span class="type">server</span> -statements would be added to -<code class="filename">/etc/named.conf</code> -so that the name server can associate the appropriate secret key -and algorithm with the IP address of the -client application that will be using TSIG authentication. -SIG(0) uses public key cryptography. To use a SIG(0) key, the public -key must be stored in a KEY record in a zone served by the name server. -<span><strong class="command">nsupdate</strong></span> -does not read -<code class="filename">/etc/named.conf</code>. -</p> + The <code class="option">-k</code> may also be used to specify a SIG(0) key used + to authenticate Dynamic DNS update requests. In this case, the key + specified is not an HMAC-MD5 key. + </p> <p> -<span><strong class="command">nsupdate</strong></span> -uses the -<code class="option">-y</code> -or -<code class="option">-k</code> -option (with an HMAC-MD5 key) to provide the shared secret needed to generate -a TSIG record for authenticating Dynamic DNS update requests. -These options are mutually exclusive. -With the -<code class="option">-k</code> -option, -<span><strong class="command">nsupdate</strong></span> -reads the shared secret from the file -<em class="parameter"><code>keyfile</code></em>, -whose name is of the form -<code class="filename">K{name}.+157.+{random}.private</code>. -For historical -reasons, the file -<code class="filename">K{name}.+157.+{random}.key</code> -must also be present. 
When the -<code class="option">-y</code> -option is used, a signature is generated from -<em class="parameter"><code>keyname:secret.</code></em> -<em class="parameter"><code>keyname</code></em> -is the name of the key, -and -<em class="parameter"><code>secret</code></em> -is the base64 encoded shared secret. -Use of the -<code class="option">-y</code> -option is discouraged because the shared secret is supplied as a command -line argument in clear text. -This may be visible in the output from -<span class="citerefentry"><span class="refentrytitle">ps</span>(1 -)</span> -or in a history file maintained by the user's shell. -</p> + By default + <span><strong class="command">nsupdate</strong></span> + uses UDP to send update requests to the name server unless they are too + large to fit in a UDP request in which case TCP will be used. + The + <code class="option">-v</code> + option makes + <span><strong class="command">nsupdate</strong></span> + use a TCP connection. + This may be preferable when a batch of update requests is made. + </p> <p> -The <code class="option">-k</code> may also be used to specify a SIG(0) key used -to authenticate Dynamic DNS update requests. In this case, the key -specified is not an HMAC-MD5 key. -</p> + The <code class="option">-t</code> option sets the maximum time a update request + can + take before it is aborted. The default is 300 seconds. Zero can be + used + to disable the timeout. + </p> <p> -By default -<span><strong class="command">nsupdate</strong></span> -uses UDP to send update requests to the name server unless they are too -large to fit in a UDP request in which case TCP will be used. -The -<code class="option">-v</code> -option makes -<span><strong class="command">nsupdate</strong></span> -use a TCP connection. -This may be preferable when a batch of update requests is made. -</p> -<p>The <code class="option">-t</code> option sets the maximum time a update request can -take before it is aborted. The default is 300 seconds. 
Zero can be used -to disable the timeout. -</p> -<p>The <code class="option">-u</code> option sets the UDP retry interval. The default is -3 seconds. If zero the interval will be computed from the timeout interval -and number of UDP retries. -</p> -<p>The <code class="option">-r</code> option sets the number of UDP retries. The default is -3. If zero only one update request will be made. -</p> + The <code class="option">-u</code> option sets the UDP retry interval. The default + is + 3 seconds. If zero the interval will be computed from the timeout + interval + and number of UDP retries. + </p> +<p> + The <code class="option">-r</code> option sets the number of UDP retries. The + default is + 3. If zero only one update request will be made. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549686"></a><h2>INPUT FORMAT</h2> -<p> -<span><strong class="command">nsupdate</strong></span> -reads input from -<em class="parameter"><code>filename</code></em> -or standard input. -Each command is supplied on exactly one line of input. -Some commands are for administrative purposes. -The others are either update instructions or prerequisite checks on the -contents of the zone. -These checks set conditions that some name or set of -resource records (RRset) either exists or is absent from the zone. -These conditions must be met if the entire update request is to succeed. -Updates will be rejected if the tests for the prerequisite conditions fail. -</p> +<a name="id2543645"></a><h2>INPUT FORMAT</h2> +<p><span><strong class="command">nsupdate</strong></span> + reads input from + <em class="parameter"><code>filename</code></em> + or standard input. + Each command is supplied on exactly one line of input. + Some commands are for administrative purposes. + The others are either update instructions or prerequisite checks on the + contents of the zone. + These checks set conditions that some name or set of + resource records (RRset) either exists or is absent from the zone. 
+ These conditions must be met if the entire update request is to succeed. + Updates will be rejected if the tests for the prerequisite conditions + fail. + </p> <p> -Every update request consists of zero or more prerequisites -and zero or more updates. -This allows a suitably authenticated update request to proceed if some -specified resource records are present or missing from the zone. -A blank input line (or the <span><strong class="command">send</strong></span> command) causes the -accumulated commands to be sent as one Dynamic DNS update request to the -name server. -</p> + Every update request consists of zero or more prerequisites + and zero or more updates. + This allows a suitably authenticated update request to proceed if some + specified resource records are present or missing from the zone. + A blank input line (or the <span><strong class="command">send</strong></span> command) + causes the + accumulated commands to be sent as one Dynamic DNS update request to the + name server. + </p> <p> -The command formats and their meaning are as follows: -</p> + The command formats and their meaning are as follows: + </p> <div class="variablelist"><dl> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">server</code> {servername} [port]</p></div> -</span></dt> + <span><strong class="command">server</strong></span> + {servername} + [port] + </span></dt> <dd><p> -Sends all dynamic update requests to the name server -<em class="parameter"><code>servername</code></em>. -When no server statement is provided, -<span><strong class="command">nsupdate</strong></span> -will send updates to the master server of the correct zone. -The MNAME field of that zone's SOA record will identify the master -server for that zone. -<em class="parameter"><code>port</code></em> -is the port number on -<em class="parameter"><code>servername</code></em> -where the dynamic update requests get sent. 
-If no port number is specified, the default DNS port number of 53 is -used. -</p></dd> + Sends all dynamic update requests to the name server + <em class="parameter"><code>servername</code></em>. + When no server statement is provided, + <span><strong class="command">nsupdate</strong></span> + will send updates to the master server of the correct zone. + The MNAME field of that zone's SOA record will identify the + master + server for that zone. + <em class="parameter"><code>port</code></em> + is the port number on + <em class="parameter"><code>servername</code></em> + where the dynamic update requests get sent. + If no port number is specified, the default DNS port number of + 53 is + used. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">local</code> {address} [port]</p></div> -</span></dt> + <span><strong class="command">local</strong></span> + {address} + [port] + </span></dt> <dd><p> -Sends all dynamic update requests using the local -<em class="parameter"><code>address</code></em>. + Sends all dynamic update requests using the local + <em class="parameter"><code>address</code></em>. -When no local statement is provided, -<span><strong class="command">nsupdate</strong></span> -will send updates using an address and port chosen by the system. -<em class="parameter"><code>port</code></em> -can additionally be used to make requests come from a specific port. -If no port number is specified, the system will assign one. -</p></dd> + When no local statement is provided, + <span><strong class="command">nsupdate</strong></span> + will send updates using an address and port chosen by the + system. + <em class="parameter"><code>port</code></em> + can additionally be used to make requests come from a specific + port. + If no port number is specified, the system will assign one. 
+ </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">zone</code> {zonename}</p></div> -</span></dt> + <span><strong class="command">zone</strong></span> + {zonename} + </span></dt> <dd><p> -Specifies that all updates are to be made to the zone -<em class="parameter"><code>zonename</code></em>. -If no -<em class="parameter"><code>zone</code></em> -statement is provided, -<span><strong class="command">nsupdate</strong></span> -will attempt determine the correct zone to update based on the rest of the input. -</p></dd> + Specifies that all updates are to be made to the zone + <em class="parameter"><code>zonename</code></em>. + If no + <em class="parameter"><code>zone</code></em> + statement is provided, + <span><strong class="command">nsupdate</strong></span> + will attempt determine the correct zone to update based on the + rest of the input. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">class</code> {classname}</p></div> -</span></dt> + <span><strong class="command">class</strong></span> + {classname} + </span></dt> <dd><p> -Specify the default class. -If no <em class="parameter"><code>class</code></em> is specified the default class is -<em class="parameter"><code>IN</code></em>. -</p></dd> + Specify the default class. + If no <em class="parameter"><code>class</code></em> is specified the + default class is + <em class="parameter"><code>IN</code></em>. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">key</code> {name} {secret}</p></div> -</span></dt> + <span><strong class="command">key</strong></span> + {name} + {secret} + </span></dt> <dd><p> -Specifies that all updates are to be TSIG signed using the -<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair. 
-The <span><strong class="command">key</strong></span> command -overrides any key specified on the command line via -<code class="option">-y</code> or <code class="option">-k</code>. -</p></dd> + Specifies that all updates are to be TSIG signed using the + <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair. + The <span><strong class="command">key</strong></span> command + overrides any key specified on the command line via + <code class="option">-y</code> or <code class="option">-k</code>. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">prereq nxdomain</code> {domain-name}</p></div> -</span></dt> + <span><strong class="command">prereq nxdomain</strong></span> + {domain-name} + </span></dt> <dd><p> -Requires that no resource record of any type exists with name -<em class="parameter"><code>domain-name</code></em>. -</p></dd> + Requires that no resource record of any type exists with name + <em class="parameter"><code>domain-name</code></em>. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">prereq yxdomain</code> {domain-name}</p></div> -</span></dt> + <span><strong class="command">prereq yxdomain</strong></span> + {domain-name} + </span></dt> <dd><p> -Requires that -<em class="parameter"><code>domain-name</code></em> -exists (has as at least one resource record, of any type). -</p></dd> + Requires that + <em class="parameter"><code>domain-name</code></em> + exists (has as at least one resource record, of any type). 
+ </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">prereq nxrrset</code> {domain-name} [class] {type}</p></div> -</span></dt> + <span><strong class="command">prereq nxrrset</strong></span> + {domain-name} + [class] + {type} + </span></dt> <dd><p> -Requires that no resource record exists of the specified -<em class="parameter"><code>type</code></em>, -<em class="parameter"><code>class</code></em> -and -<em class="parameter"><code>domain-name</code></em>. -If -<em class="parameter"><code>class</code></em> -is omitted, IN (internet) is assumed. -</p></dd> + Requires that no resource record exists of the specified + <em class="parameter"><code>type</code></em>, + <em class="parameter"><code>class</code></em> + and + <em class="parameter"><code>domain-name</code></em>. + If + <em class="parameter"><code>class</code></em> + is omitted, IN (internet) is assumed. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type}</p></div> -</span></dt> + <span><strong class="command">prereq yxrrset</strong></span> + {domain-name} + [class] + {type} + </span></dt> <dd><p> -This requires that a resource record of the specified -<em class="parameter"><code>type</code></em>, -<em class="parameter"><code>class</code></em> -and -<em class="parameter"><code>domain-name</code></em> -must exist. -If -<em class="parameter"><code>class</code></em> -is omitted, IN (internet) is assumed. -</p></dd> + This requires that a resource record of the specified + <em class="parameter"><code>type</code></em>, + <em class="parameter"><code>class</code></em> + and + <em class="parameter"><code>domain-name</code></em> + must exist. + If + <em class="parameter"><code>class</code></em> + is omitted, IN (internet) is assumed. 
+ </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type} {data...}</p></div> -</span></dt> + <span><strong class="command">prereq yxrrset</strong></span> + {domain-name} + [class] + {type} + {data...} + </span></dt> <dd><p> -The -<em class="parameter"><code>data</code></em> -from each set of prerequisites of this form -sharing a common -<em class="parameter"><code>type</code></em>, -<em class="parameter"><code>class</code></em>, -and -<em class="parameter"><code>domain-name</code></em> -are combined to form a set of RRs. This set of RRs must -exactly match the set of RRs existing in the zone at the -given -<em class="parameter"><code>type</code></em>, -<em class="parameter"><code>class</code></em>, -and -<em class="parameter"><code>domain-name</code></em>. -The -<em class="parameter"><code>data</code></em> -are written in the standard text representation of the resource record's -RDATA. -</p></dd> + The + <em class="parameter"><code>data</code></em> + from each set of prerequisites of this form + sharing a common + <em class="parameter"><code>type</code></em>, + <em class="parameter"><code>class</code></em>, + and + <em class="parameter"><code>domain-name</code></em> + are combined to form a set of RRs. This set of RRs must + exactly match the set of RRs existing in the zone at the + given + <em class="parameter"><code>type</code></em>, + <em class="parameter"><code>class</code></em>, + and + <em class="parameter"><code>domain-name</code></em>. + The + <em class="parameter"><code>data</code></em> + are written in the standard text representation of the resource + record's + RDATA. 
+ </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">update delete</code> {domain-name} [ttl] [class] [type [data...]]</p></div> -</span></dt> + <span><strong class="command">update delete</strong></span> + {domain-name} + [ttl] + [class] + [type [data...]] + </span></dt> <dd><p> -Deletes any resource records named -<em class="parameter"><code>domain-name</code></em>. -If -<em class="parameter"><code>type</code></em> -and -<em class="parameter"><code>data</code></em> -is provided, only matching resource records will be removed. -The internet class is assumed if -<em class="parameter"><code>class</code></em> -is not supplied. The -<em class="parameter"><code>ttl</code></em> -is ignored, and is only allowed for compatibility. -</p></dd> + Deletes any resource records named + <em class="parameter"><code>domain-name</code></em>. + If + <em class="parameter"><code>type</code></em> + and + <em class="parameter"><code>data</code></em> + is provided, only matching resource records will be removed. + The internet class is assumed if + <em class="parameter"><code>class</code></em> + is not supplied. The + <em class="parameter"><code>ttl</code></em> + is ignored, and is only allowed for compatibility. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">update add</code> {domain-name} {ttl} [class] {type} {data...}</p></div> -</span></dt> + <span><strong class="command">update add</strong></span> + {domain-name} + {ttl} + [class] + {type} + {data...} + </span></dt> <dd><p> -Adds a new resource record with the specified -<em class="parameter"><code>ttl</code></em>, -<em class="parameter"><code>class</code></em> -and -<em class="parameter"><code>data</code></em>. -</p></dd> + Adds a new resource record with the specified + <em class="parameter"><code>ttl</code></em>, + <em class="parameter"><code>class</code></em> + and + <em class="parameter"><code>data</code></em>. 
+ </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">show</code> </p></div> -</span></dt> + <span><strong class="command">show</strong></span> + </span></dt> <dd><p> -Displays the current message, containing all of the prerequisites and -updates specified since the last send. -</p></dd> + Displays the current message, containing all of the + prerequisites and + updates specified since the last send. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">send</code> </p></div> -</span></dt> + <span><strong class="command">send</strong></span> + </span></dt> <dd><p> -Sends the current message. This is equivalent to entering a blank line. -</p></dd> + Sends the current message. This is equivalent to entering a + blank line. + </p></dd> <dt><span class="term"> -<div class="cmdsynopsis"><p><code class="command">answer</code> </p></div> -</span></dt> + <span><strong class="command">answer</strong></span> + </span></dt> <dd><p> -Displays the answer. -</p></dd> + Displays the answer. + </p></dd> </dl></div> <p> -</p> + </p> <p> -Lines beginning with a semicolon are comments and are ignored. -</p> + Lines beginning with a semicolon are comments and are ignored. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550382"></a><h2>EXAMPLES</h2> +<a name="id2544649"></a><h2>EXAMPLES</h2> <p> -The examples below show how -<span><strong class="command">nsupdate</strong></span> -could be used to insert and delete resource records from the -<span class="type">example.com</span> -zone. -Notice that the input in each example contains a trailing blank line so that -a group of commands are sent as one dynamic update request to the -master name server for -<span class="type">example.com</span>. + The examples below show how + <span><strong class="command">nsupdate</strong></span> + could be used to insert and delete resource records from the + <span class="type">example.com</span> + zone. 
+ Notice that the input in each example contains a trailing blank line so + that + a group of commands are sent as one dynamic update request to the + master name server for + <span class="type">example.com</span>. -</p> + </p> <pre class="programlisting"> # nsupdate > update delete oldhost.example.com A @@ -390,16 +423,16 @@ master name server for > send </pre> <p> -</p> + </p> <p> -Any A records for -<span class="type">oldhost.example.com</span> -are deleted. -and an A record for -<span class="type">newhost.example.com</span> -it IP address 172.16.1.1 is added. -The newly-added record has a 1 day TTL (86400 seconds) -</p> + Any A records for + <span class="type">oldhost.example.com</span> + are deleted. + and an A record for + <span class="type">newhost.example.com</span> + it IP address 172.16.1.1 is added. + The newly-added record has a 1 day TTL (86400 seconds) + </p> <pre class="programlisting"> # nsupdate > prereq nxdomain nickname.example.com 
@@ -407,62 +440,61 @@ The newly-added record has a 1 day TTL (86400 seconds) > send </pre> <p> -</p> + </p> <p> -The prerequisite condition gets the name server to check that there -are no resource records of any type for -<span class="type">nickname.example.com</span>. + The prerequisite condition gets the name server to check that there + are no resource records of any type for + <span class="type">nickname.example.com</span>. -If there are, the update request fails. -If this name does not exist, a CNAME for it is added. -This ensures that when the CNAME is added, it cannot conflict with the -long-standing rule in RFC1034 that a name must not exist as any other -record type if it exists as a CNAME. -(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -RRSIG, DNSKEY and NSEC records.) -</p> + If there are, the update request fails. + If this name does not exist, a CNAME for it is added. + This ensures that when the CNAME is added, it cannot conflict with the + long-standing rule in RFC1034 that a name must not exist as any other + record type if it exists as a CNAME. + (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have + RRSIG, DNSKEY and NSEC records.) + </p> </div> <div class="refsect1" lang="en"> -<a name="id2550426"></a><h2>FILES</h2> +<a name="id2544693"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt> <dd><p> -used to identify default name server -</p></dd> + used to identify default name server + </p></dd> <dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt> <dd><p> -base-64 encoding of HMAC-MD5 key created by -<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. -</p></dd> + base-64 encoding of HMAC-MD5 key created by + <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. 
+ </p></dd> <dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt> <dd><p> -base-64 encoding of HMAC-MD5 key created by -<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. -</p></dd> + base-64 encoding of HMAC-MD5 key created by + <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. + </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549061"></a><h2>SEE ALSO</h2> -<p> -<span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>, -<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>, -<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>, -<span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>, -<span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>, -<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>, -<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>, -<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, -<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. 
-</p> +<a name="id2544830"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>, + <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>, + <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>, + <span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>, + <span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>, + <span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>, + <span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2549132"></a><h2>BUGS</h2> +<a name="id2544901"></a><h2>BUGS</h2> <p> -The TSIG key is redundantly stored in two separate files. -This is a consequence of nsupdate using the DST library -for its cryptographic operations, and may change in future -releases. -</p> + The TSIG key is redundantly stored in two separate files. + This is a consequence of nsupdate using the DST library + for its cryptographic operations, and may change in future + releases. + </p> </div> </div></body> </html> diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in index e677315..eed3c0a 100644 --- a/contrib/bind9/bin/rndc/Makefile.in +++ b/contrib/bind9/bin/rndc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any 
@@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.32.2.3.8.8 2004/07/20 07:01:50 marka Exp $ +# $Id: Makefile.in,v 1.40.18.3 2007/01/19 00:55:49 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -47,6 +47,8 @@ RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${I CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} +SRCS= rndc.c rndc-confgen.c + SUBDIRS = unix TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@ diff --git a/contrib/bind9/bin/rndc/include/rndc/os.h b/contrib/bind9/bin/rndc/include/rndc/os.h index b5ade47..b5c1d24 100644 --- a/contrib/bind9/bin/rndc/include/rndc/os.h +++ b/contrib/bind9/bin/rndc/include/rndc/os.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.4.206.1 2004/03/06 10:21:33 marka Exp $ */ +/* $Id: os.h,v 1.5.18.2 2005/04/29 00:15:41 marka Exp $ */ + +/*! \file */ #ifndef RNDC_OS_H #define RNDC_OS_H 1 @@ -26,13 +28,13 @@ ISC_LANG_BEGINDECLS FILE *safe_create(const char *filename); -/* +/*%< * Open 'filename' for writing, truncate if necessary. If the file was * created ensure that only the owner can read/write it. */ int set_user(FILE *fd, const char *user); -/* +/*%< * Set the owner of the file refernced by 'fd' to 'user'. * Returns: * 0 success diff --git a/contrib/bind9/bin/rndc/rndc-confgen.8 b/contrib/bind9/bin/rndc/rndc-confgen.8 index c6a4218..fe25a7b 100644 --- a/contrib/bind9/bin/rndc/rndc-confgen.8 +++ b/contrib/bind9/bin/rndc/rndc-confgen.8 
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc-confgen.8,v 1.3.2.5.2.8 2006/06/29 13:02:31 marka Exp $ +.\" $Id: rndc-confgen.8,v 1.9.18.11 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: rndc\-confgen .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: Aug 27, 2001 .\" Manual: BIND9 .\" Source: BIND9 @@ -56,8 +56,9 @@ file and a \fBcontrols\fR statement altogether. .SH "OPTIONS" -.TP 3n +.PP \-a +.RS 4 Do automatic \fBrndc\fR configuration. This creates a file 
@@ -100,31 +101,43 @@ option and set up a and \fInamed.conf\fR as directed. -.TP 3n +.RE +.PP \-b \fIkeysize\fR +.RS 4 Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. -.TP 3n +.RE +.PP \-c \fIkeyfile\fR +.RS 4 Used with the \fB\-a\fR option to specify an alternate location for \fIrndc.key\fR. -.TP 3n +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBrndc\-confgen\fR. -.TP 3n +.RE +.PP \-k \fIkeyname\fR +.RS 4 Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is \fBrndc\-key\fR. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Specifies the command channel port where \fBnamed\fR listens for connections from \fBrndc\fR. The default is 953. -.TP 3n +.RE +.PP \-r \fIrandomfile\fR +.RS 4 Specifies a source of random data for generating the authorization. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -132,14 +145,18 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-s \fIaddress\fR +.RS 4 Specifies the IP address where \fBnamed\fR listens for command channel connections from \fBrndc\fR. The default is the loopback address 127.0.0.1. -.TP 3n +.RE +.PP \-t \fIchrootdir\fR +.RS 4 Used with the \fB\-a\fR option to specify a directory where @@ -148,8 +165,10 @@ will run chrooted. An additional copy of the \fIrndc.key\fR will be written relative to this directory so that it will be found by the chrooted \fBnamed\fR. -.TP 3n +.RE +.PP \-u \fIuser\fR +.RS 4 Used with the \fB\-a\fR option to set the owner of the 
@@ -157,6 +176,7 @@ option to set the owner of the file generated. If \fB\-t\fR is also specified only the file in the chroot area has its owner changed. +.RE .SH "EXAMPLES" .PP To allow @@ -185,4 +205,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2001, 2003 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/rndc/rndc-confgen.c b/contrib/bind9/bin/rndc/rndc-confgen.c index f6e578e..0764104 100644 --- a/contrib/bind9/bin/rndc/rndc-confgen.c +++ b/contrib/bind9/bin/rndc/rndc-confgen.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,18 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rndc-confgen.c,v 1.9.2.6.2.5 2004/09/28 07:14:57 marka Exp $ */ +/* $Id: rndc-confgen.c,v 1.18.18.3 2005/04/29 00:15:40 marka Exp $ */ + +/*! \file */ + +/** + * rndc-confgen generates configuration files for rndc. It can be used + * as a convenient alternative to writing the rndc.conf file and the + * corresponding controls and key statements in named.conf by hand. + * Alternatively, it can be run with the -a option to set up a + * rndc.key file and avoid the need for a rndc.conf file and a + * controls statement altogether. + */ #include <config.h> @@ -45,7 +56,7 @@ #include "util.h" -#define DEFAULT_KEYLENGTH 128 /* Bits. */ +#define DEFAULT_KEYLENGTH 128 /*% Bits. */ #define DEFAULT_KEYNAME "rndc-key" #define DEFAULT_SERVER "127.0.0.1" #define DEFAULT_PORT 953 
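Review bot: The new file-level doxygen block in rndc-confgen.c says what the tool generates but not that its output is sensitive: rndc.key holds the shared authentication key that both rndc and named read on startup, which is the reason the file is written with owner-only permissions (the safe_create() contract in os.h in this same commit) and the reason the -u and -t options exist to set the owner and write the chroot copy. A sentence such as ` * The generated rndc.key contains the shared secret; it is created readable only by its owner, and -u/-t select that owner and an additional chroot copy.` would give a maintainer the rationale behind those options. Whether rndc-confgen.c reaches safe_create()/set_user() is not visible in these hunks, so the wording should be checked against the file body.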
@@ -78,7 +89,7 @@ Usage:\n\ exit (status); } -/* +/*% * Write an rndc.key file to 'keyfile'. If 'user' is non-NULL, * make that user the owner of the file. The key will have * the name 'keyname' and the secret in the buffer 'secret'. diff --git a/contrib/bind9/bin/rndc/rndc-confgen.docbook b/contrib/bind9/bin/rndc/rndc-confgen.docbook index e0c5a68..7267f5c 100644 --- a/contrib/bind9/bin/rndc/rndc-confgen.docbook +++ b/contrib/bind9/bin/rndc/rndc-confgen.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: rndc-confgen.docbook,v 1.3.2.1.4.5 2005/05/13 01:22:34 marka Exp $ --> - -<refentry> +<!-- $Id: rndc-confgen.docbook,v 1.6.18.6 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.rndc-confgen"> <refentryinfo> <date>Aug 27, 2001</date> </refentryinfo> @@ -31,10 +30,16 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>rndc-confgen</application></refname> + <refpurpose>rndc key generation tool</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -44,11 +49,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>rndc-confgen</application></refname> - <refpurpose>rndc key generation tool</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>rndc-confgen</command> 
@@ -67,18 +67,18 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>rndc-confgen</command> generates configuration files - for <command>rndc</command>. It can be used as a - convenient alternative to writing the - <filename>rndc.conf</filename> file - and the corresponding <command>controls</command> - and <command>key</command> - statements in <filename>named.conf</filename> by hand. - Alternatively, it can be run with the <command>-a</command> - option to set up a <filename>rndc.key</filename> file and - avoid the need for a <filename>rndc.conf</filename> file - and a <command>controls</command> statement altogether. + <para><command>rndc-confgen</command> + generates configuration files + for <command>rndc</command>. It can be used as a + convenient alternative to writing the + <filename>rndc.conf</filename> file + and the corresponding <command>controls</command> + and <command>key</command> + statements in <filename>named.conf</filename> by hand. + Alternatively, it can be run with the <command>-a</command> + option to set up a <filename>rndc.key</filename> file and + avoid the need for a <filename>rndc.conf</filename> file + and a <command>controls</command> statement altogether. </para> </refsect1> 
@@ -89,145 +89,152 @@ <variablelist> <varlistentry> <term>-a</term> - <listitem> - <para> - Do automatic <command>rndc</command> configuration. - This creates a file <filename>rndc.key</filename> - in <filename>/etc</filename> (or whatever - <varname>sysconfdir</varname> - was specified as when <acronym>BIND</acronym> was built) - that is read by both <command>rndc</command> - and <command>named</command> on startup. The - <filename>rndc.key</filename> file defines a default - command channel and authentication key allowing - <command>rndc</command> to communicate with - <command>named</command> on the local host - with no further configuration. - </para> - <para> - Running <command>rndc-confgen -a</command> allows - BIND 9 and <command>rndc</command> to be used as drop-in - replacements for BIND 8 and <command>ndc</command>, - with no changes to the existing BIND 8 - <filename>named.conf</filename> file. - </para> + <listitem> + <para> + Do automatic <command>rndc</command> configuration. + This creates a file <filename>rndc.key</filename> + in <filename>/etc</filename> (or whatever + <varname>sysconfdir</varname> + was specified as when <acronym>BIND</acronym> was + built) + that is read by both <command>rndc</command> + and <command>named</command> on startup. The + <filename>rndc.key</filename> file defines a default + command channel and authentication key allowing + <command>rndc</command> to communicate with + <command>named</command> on the local host + with no further configuration. + </para> + <para> + Running <command>rndc-confgen -a</command> allows + BIND 9 and <command>rndc</command> to be used as + drop-in + replacements for BIND 8 and <command>ndc</command>, + with no changes to the existing BIND 8 + <filename>named.conf</filename> file. 
+ </para> <para> - If a more elaborate configuration than that - generated by <command>rndc-confgen -a</command> - is required, for example if rndc is to be used remotely, - you should run <command>rndc-confgen</command> without the - <command>-a</command> option and set up a - <filename>rndc.conf</filename> and - <filename>named.conf</filename> - as directed. + If a more elaborate configuration than that + generated by <command>rndc-confgen -a</command> + is required, for example if rndc is to be used remotely, + you should run <command>rndc-confgen</command> without + the + <command>-a</command> option and set up a + <filename>rndc.conf</filename> and + <filename>named.conf</filename> + as directed. </para> - </listitem> + </listitem> </varlistentry> <varlistentry> <term>-b <replaceable class="parameter">keysize</replaceable></term> - <listitem> - <para> - Specifies the size of the authentication key in bits. - Must be between 1 and 512 bits; the default is 128. - </para> - </listitem> + <listitem> + <para> + Specifies the size of the authentication key in bits. + Must be between 1 and 512 bits; the default is 128. + </para> + </listitem> </varlistentry> <varlistentry> <term>-c <replaceable class="parameter">keyfile</replaceable></term> - <listitem> - <para> - Used with the <command>-a</command> option to specify - an alternate location for <filename>rndc.key</filename>. - </para> - </listitem> + <listitem> + <para> + Used with the <command>-a</command> option to specify + an alternate location for <filename>rndc.key</filename>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>rndc-confgen</command>. - </para> - </listitem> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>rndc-confgen</command>. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-k <replaceable class="parameter">keyname</replaceable></term> - <listitem> - <para> - Specifies the key name of the rndc authentication key. - This must be a valid domain name. - The default is <constant>rndc-key</constant>. - </para> - </listitem> + <listitem> + <para> + Specifies the key name of the rndc authentication key. + This must be a valid domain name. + The default is <constant>rndc-key</constant>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-p <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Specifies the command channel port where <command>named</command> - listens for connections from <command>rndc</command>. - The default is 953. - </para> - </listitem> + <listitem> + <para> + Specifies the command channel port where <command>named</command> + listens for connections from <command>rndc</command>. + The default is 953. + </para> + </listitem> </varlistentry> <varlistentry> <term>-r <replaceable class="parameter">randomfile</replaceable></term> - <listitem> - <para> - Specifies a source of random data for generating the - authorization. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> + <listitem> + <para> + Specifies a source of random data for generating the + authorization. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. <filename>randomdev</filename> + specifies + the name of a character device or file containing random + data to be used instead of the default. 
The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-s <replaceable class="parameter">address</replaceable></term> - <listitem> - <para> - Specifies the IP address where <command>named</command> - listens for command channel connections from - <command>rndc</command>. The default is the loopback - address 127.0.0.1. - </para> - </listitem> + <listitem> + <para> + Specifies the IP address where <command>named</command> + listens for command channel connections from + <command>rndc</command>. The default is the loopback + address 127.0.0.1. + </para> + </listitem> </varlistentry> <varlistentry> <term>-t <replaceable class="parameter">chrootdir</replaceable></term> - <listitem> - <para> - Used with the <command>-a</command> option to specify - a directory where <command>named</command> will run - chrooted. An additional copy of the <filename>rndc.key</filename> - will be written relative to this directory so that - it will be found by the chrooted <command>named</command>. - </para> - </listitem> + <listitem> + <para> + Used with the <command>-a</command> option to specify + a directory where <command>named</command> will run + chrooted. An additional copy of the <filename>rndc.key</filename> + will be written relative to this directory so that + it will be found by the chrooted <command>named</command>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-u <replaceable class="parameter">user</replaceable></term> - <listitem> - <para> - Used with the <command>-a</command> option to set the owner - of the <filename>rndc.key</filename> file generated. If - <command>-t</command> is also specified only the file in - the chroot area has its owner changed. - </para> - </listitem> + <listitem> + <para> + Used with the <command>-a</command> option to set the + owner + of the <filename>rndc.key</filename> file generated. 
+ If + <command>-t</command> is also specified only the file + in + the chroot area has its owner changed. + </para> + </listitem> </varlistentry> </variablelist> @@ -236,37 +243,31 @@ <refsect1> <title>EXAMPLES</title> <para> - To allow <command>rndc</command> to be used with - no manual configuration, run + To allow <command>rndc</command> to be used with + no manual configuration, run </para> - <para> - <userinput>rndc-confgen -a</userinput> + <para><userinput>rndc-confgen -a</userinput> </para> <para> - To print a sample <filename>rndc.conf</filename> file and - corresponding <command>controls</command> and <command>key</command> - statements to be manually inserted into <filename>named.conf</filename>, - run + To print a sample <filename>rndc.conf</filename> file and + corresponding <command>controls</command> and <command>key</command> + statements to be manually inserted into <filename>named.conf</filename>, + run </para> - <para> - <userinput>rndc-confgen</userinput> + <para><userinput>rndc-confgen</userinput> </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>rndc</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>rndc.conf</refentrytitle> - <manvolnum>5</manvolnum> + <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>named</refentrytitle> - <manvolnum>8</manvolnum> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> @@ -274,14 +275,11 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: 
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.html b/contrib/bind9/bin/rndc/rndc-confgen.html index 058cd56..fd40a81 100644 --- a/contrib/bind9/bin/rndc/rndc-confgen.html +++ b/contrib/bind9/bin/rndc/rndc-confgen.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.13 2006/06/29 13:02:31 marka Exp $ --> +<!-- $Id: rndc-confgen.html,v 1.8.18.17 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>rndc-confgen</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.rndc-confgen"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">rndc-confgen</span> — rndc key generation tool</p> 
@@ -32,153 +32,156 @@ <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549476"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">rndc-confgen</strong></span> generates configuration files - for <span><strong class="command">rndc</strong></span>. It can be used as a - convenient alternative to writing the - <code class="filename">rndc.conf</code> file - and the corresponding <span><strong class="command">controls</strong></span> - and <span><strong class="command">key</strong></span> - statements in <code class="filename">named.conf</code> by hand. - Alternatively, it can be run with the <span><strong class="command">-a</strong></span> - option to set up a <code class="filename">rndc.key</code> file and - avoid the need for a <code class="filename">rndc.conf</code> file - and a <span><strong class="command">controls</strong></span> statement altogether. +<a name="id2543429"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">rndc-confgen</strong></span> + generates configuration files + for <span><strong class="command">rndc</strong></span>. 
It can be used as a + convenient alternative to writing the + <code class="filename">rndc.conf</code> file + and the corresponding <span><strong class="command">controls</strong></span> + and <span><strong class="command">key</strong></span> + statements in <code class="filename">named.conf</code> by hand. + Alternatively, it can be run with the <span><strong class="command">-a</strong></span> + option to set up a <code class="filename">rndc.key</code> file and + avoid the need for a <code class="filename">rndc.conf</code> file + and a <span><strong class="command">controls</strong></span> statement altogether. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549522"></a><h2>OPTIONS</h2> +<a name="id2543474"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd> <p> - Do automatic <span><strong class="command">rndc</strong></span> configuration. - This creates a file <code class="filename">rndc.key</code> - in <code class="filename">/etc</code> (or whatever - <code class="varname">sysconfdir</code> - was specified as when <acronym class="acronym">BIND</acronym> was built) - that is read by both <span><strong class="command">rndc</strong></span> - and <span><strong class="command">named</strong></span> on startup. The - <code class="filename">rndc.key</code> file defines a default - command channel and authentication key allowing - <span><strong class="command">rndc</strong></span> to communicate with - <span><strong class="command">named</strong></span> on the local host - with no further configuration. - </p> + Do automatic <span><strong class="command">rndc</strong></span> configuration. 
+ This creates a file <code class="filename">rndc.key</code> + in <code class="filename">/etc</code> (or whatever + <code class="varname">sysconfdir</code> + was specified as when <acronym class="acronym">BIND</acronym> was + built) + that is read by both <span><strong class="command">rndc</strong></span> + and <span><strong class="command">named</strong></span> on startup. The + <code class="filename">rndc.key</code> file defines a default + command channel and authentication key allowing + <span><strong class="command">rndc</strong></span> to communicate with + <span><strong class="command">named</strong></span> on the local host + with no further configuration. + </p> <p> - Running <span><strong class="command">rndc-confgen -a</strong></span> allows - BIND 9 and <span><strong class="command">rndc</strong></span> to be used as drop-in - replacements for BIND 8 and <span><strong class="command">ndc</strong></span>, - with no changes to the existing BIND 8 - <code class="filename">named.conf</code> file. - </p> + Running <span><strong class="command">rndc-confgen -a</strong></span> allows + BIND 9 and <span><strong class="command">rndc</strong></span> to be used as + drop-in + replacements for BIND 8 and <span><strong class="command">ndc</strong></span>, + with no changes to the existing BIND 8 + <code class="filename">named.conf</code> file. + </p> <p> - If a more elaborate configuration than that - generated by <span><strong class="command">rndc-confgen -a</strong></span> - is required, for example if rndc is to be used remotely, - you should run <span><strong class="command">rndc-confgen</strong></span> without the - <span><strong class="command">-a</strong></span> option and set up a - <code class="filename">rndc.conf</code> and - <code class="filename">named.conf</code> - as directed. 
+ If a more elaborate configuration than that + generated by <span><strong class="command">rndc-confgen -a</strong></span> + is required, for example if rndc is to be used remotely, + you should run <span><strong class="command">rndc-confgen</strong></span> without + the + <span><strong class="command">-a</strong></span> option and set up a + <code class="filename">rndc.conf</code> and + <code class="filename">named.conf</code> + as directed. </p> </dd> <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> <dd><p> - Specifies the size of the authentication key in bits. - Must be between 1 and 512 bits; the default is 128. - </p></dd> + Specifies the size of the authentication key in bits. + Must be between 1 and 512 bits; the default is 128. + </p></dd> <dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt> <dd><p> - Used with the <span><strong class="command">-a</strong></span> option to specify - an alternate location for <code class="filename">rndc.key</code>. - </p></dd> + Used with the <span><strong class="command">-a</strong></span> option to specify + an alternate location for <code class="filename">rndc.key</code>. + </p></dd> <dt><span class="term">-h</span></dt> <dd><p> - Prints a short summary of the options and arguments to - <span><strong class="command">rndc-confgen</strong></span>. - </p></dd> + Prints a short summary of the options and arguments to + <span><strong class="command">rndc-confgen</strong></span>. + </p></dd> <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt> <dd><p> - Specifies the key name of the rndc authentication key. - This must be a valid domain name. - The default is <code class="constant">rndc-key</code>. - </p></dd> + Specifies the key name of the rndc authentication key. + This must be a valid domain name. + The default is <code class="constant">rndc-key</code>. 
+ </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Specifies the command channel port where <span><strong class="command">named</strong></span> - listens for connections from <span><strong class="command">rndc</strong></span>. - The default is 953. - </p></dd> + Specifies the command channel port where <span><strong class="command">named</strong></span> + listens for connections from <span><strong class="command">rndc</strong></span>. + The default is 953. + </p></dd> <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt> <dd><p> - Specifies a source of random data for generating the - authorization. If the operating - system does not provide a <code class="filename">/dev/random</code> - or equivalent device, the default source of randomness - is keyboard input. <code class="filename">randomdev</code> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <code class="filename">keyboard</code> indicates that keyboard - input should be used. - </p></dd> + Specifies a source of random data for generating the + authorization. If the operating + system does not provide a <code class="filename">/dev/random</code> + or equivalent device, the default source of randomness + is keyboard input. <code class="filename">randomdev</code> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <code class="filename">keyboard</code> indicates that keyboard + input should be used. + </p></dd> <dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt> <dd><p> - Specifies the IP address where <span><strong class="command">named</strong></span> - listens for command channel connections from - <span><strong class="command">rndc</strong></span>. The default is the loopback - address 127.0.0.1. 
- </p></dd> + Specifies the IP address where <span><strong class="command">named</strong></span> + listens for command channel connections from + <span><strong class="command">rndc</strong></span>. The default is the loopback + address 127.0.0.1. + </p></dd> <dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt> <dd><p> - Used with the <span><strong class="command">-a</strong></span> option to specify - a directory where <span><strong class="command">named</strong></span> will run - chrooted. An additional copy of the <code class="filename">rndc.key</code> - will be written relative to this directory so that - it will be found by the chrooted <span><strong class="command">named</strong></span>. - </p></dd> + Used with the <span><strong class="command">-a</strong></span> option to specify + a directory where <span><strong class="command">named</strong></span> will run + chrooted. An additional copy of the <code class="filename">rndc.key</code> + will be written relative to this directory so that + it will be found by the chrooted <span><strong class="command">named</strong></span>. + </p></dd> <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> <dd><p> - Used with the <span><strong class="command">-a</strong></span> option to set the owner - of the <code class="filename">rndc.key</code> file generated. If - <span><strong class="command">-t</strong></span> is also specified only the file in - the chroot area has its owner changed. - </p></dd> + Used with the <span><strong class="command">-a</strong></span> option to set the + owner + of the <code class="filename">rndc.key</code> file generated. + If + <span><strong class="command">-t</strong></span> is also specified only the file + in + the chroot area has its owner changed. 
+ </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549972"></a><h2>EXAMPLES</h2> +<a name="id2543787"></a><h2>EXAMPLES</h2> <p> - To allow <span><strong class="command">rndc</strong></span> to be used with - no manual configuration, run + To allow <span><strong class="command">rndc</strong></span> to be used with + no manual configuration, run </p> -<p> - <strong class="userinput"><code>rndc-confgen -a</code></strong> +<p><strong class="userinput"><code>rndc-confgen -a</code></strong> </p> <p> - To print a sample <code class="filename">rndc.conf</code> file and - corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span> - statements to be manually inserted into <code class="filename">named.conf</code>, - run + To print a sample <code class="filename">rndc.conf</code> file and + corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span> + statements to be manually inserted into <code class="filename">named.conf</code>, + run </p> -<p> - <strong class="userinput"><code>rndc-confgen</code></strong> +<p><strong class="userinput"><code>rndc-confgen</code></strong> </p> </div> <div class="refsect1" lang="en"> -<a name="id2550016"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, +<a name="id2543829"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. 
</p> </div> <div class="refsect1" lang="en"> -<a name="id2550058"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543867"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/rndc/rndc.8 b/contrib/bind9/bin/rndc/rndc.8 index 04bd133..11e0c2d 100644 --- a/contrib/bind9/bin/rndc/rndc.8 +++ b/contrib/bind9/bin/rndc/rndc.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc.8,v 1.24.206.6 2006/06/29 13:02:30 marka Exp $ +.\" $Id: rndc.8,v 1.26.18.12 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: rndc .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -33,7 +33,7 @@ rndc \- name server control utility .SH "SYNOPSIS" .HP 5 -\fBrndc\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-k\ \fR\fB\fIkey\-file\fR\fR] [\fB\-s\ \fR\fB\fIserver\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fR\fB\fIkey_id\fR\fR] {command} +\fBrndc\fR [\fB\-b\ \fR\fB\fIsource\-address\fR\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-k\ \fR\fB\fIkey\-file\fR\fR] [\fB\-s\ \fR\fB\fIserver\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fR\fB\fIkey_id\fR\fR] {command} .SH "DESCRIPTION" .PP \fBrndc\fR 
@@ -53,14 +53,24 @@ named the only supported authentication algorithm is HMAC\-MD5, which uses a sha \fBrndc\fR reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use. .SH "OPTIONS" -.TP 3n +.PP +\-b \fIsource\-address\fR +.RS 4 +Use +\fIsource\-address\fR +as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses. +.RE +.PP \-c \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, \fI/etc/rndc.conf\fR. -.TP 3n +.RE +.PP \-k \fIkey\-file\fR +.RS 4 Use \fIkey\-file\fR as the key file instead of the default, @@ -69,21 +79,29 @@ as the key file instead of the default, will be used to authenticate commands sent to the server if the \fIconfig\-file\fR does not exist. -.TP 3n +.RE +.PP \-s \fIserver\fR +.RS 4 \fIserver\fR is the name or address of the server which matches a server statement in the configuration file for \fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Send commands to TCP port \fIport\fR instead of BIND 9's default control channel port, 953. -.TP 3n +.RE +.PP \-V +.RS 4 Enable verbose logging. -.TP 3n +.RE +.PP \-y \fIkeyid\fR +.RS 4 Use the key \fIkeyid\fR from the configuration file. 
@@ -93,6 +111,7 @@ must be known by named with the same algorithm and secret string in order for co is specified, \fBrndc\fR will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access. +.RE .PP For the complete set of commands supported by \fBrndc\fR, see the BIND 9 Administrator Reference Manual or run @@ -121,4 +140,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c index a5e912d..8fd0d8e 100644 --- a/contrib/bind9/bin/rndc/rndc.c +++ b/contrib/bind9/bin/rndc/rndc.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rndc.c,v 1.77.2.5.2.19 2006/08/04 03:03:08 marka Exp $ */ +/* $Id: rndc.c,v 1.96.18.17 2006/08/04 03:03:41 marka Exp $ */ + +/*! \file */ /* * Principal Author: DCL @@ -30,6 +32,7 @@ #include <isc/commandline.h> #include <isc/file.h> #include <isc/log.h> +#include <isc/net.h> #include <isc/mem.h> #include <isc/random.h> #include <isc/socket.h> @@ -50,6 +53,8 @@ #include <isccc/types.h> #include <isccc/util.h> +#include <dns/name.h> + #include <bind9/getaddresses.h> #include "util.h" 
@@ -64,6 +69,8 @@ static const char *admin_keyfile; static const char *version = VERSION; static const char *servername = NULL; static isc_sockaddr_t serveraddrs[SERVERADDRS]; +static isc_sockaddr_t local4, local6; +static isc_boolean_t local4set = ISC_FALSE, local6set = ISC_FALSE; static int nserveraddrs; static int currentaddr = 0; static unsigned int remoteport = 0; @@ -97,10 +104,14 @@ command is one of the following:\n\ Schedule immediate maintenance for a zone.\n\ retransfer zone [class [view]]\n\ Retransfer a single zone without checking serial number.\n\ + freeze Suspend updates to all dynamic zones.\n\ freeze zone [class [view]]\n\ Suspend updates to a dynamic zone.\n\ + thaw Enable updates to all dynamic zones and reload them.\n\ thaw zone [class [view]]\n\ Enable updates to a frozen dynamic zone and reload it.\n\ + notify zone [class [view]]\n\ + Resend NOTIFY messages for the zone.\n\ reconfig Reload configuration file and new zones only.\n\ stats Write server statistics to the statistics file.\n\ querylog Toggle query logging.\n\ @@ -121,6 +132,8 @@ command is one of the following:\n\ Flush the given name from the server's cache(s)\n\ status Display status of the server.\n\ recursing Dump the queries that are currently recursing (named.recursing)\n\ + validation newstate [view]\n\ + Enable / disable DNSSEC validation.\n\ *restart Restart the server.\n\ \n\ * == not yet implemented\n\ 
@@ -133,11 +146,20 @@ Version: %s\n", static void get_addresses(const char *host, in_port_t port) { isc_result_t result; - - isc_app_block(); - result = bind9_getaddresses(servername, port, - serveraddrs, SERVERADDRS, &nserveraddrs); - isc_app_unblock(); + int found = 0, count; + + if (*host == '/') { + result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs], + host); + if (result == ISC_R_SUCCESS) + nserveraddrs++; + } else { + count = SERVERADDRS - nserveraddrs; + result = bind9_getaddresses(host, port, + &serveraddrs[nserveraddrs], + count, &found); + nserveraddrs += found; + } if (result != ISC_R_SUCCESS) fatal("couldn't get address for '%s': %s", host, isc_result_totext(result)); @@ -174,10 +196,12 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { if (ccmsg.result == ISC_R_EOF) fatal("connection to remote host closed\n" - "This may indicate that the remote server is using " - "an older version of \n" - "the command protocol, this host is not authorized " - "to connect,\nor the key is invalid."); + "This may indicate that\n" + "* the remote server is using an older version of" + " the command protocol,\n" + "* this host is not authorized to connect,\n" + "* the clocks are not syncronized, or\n" + "* the key is invalid."); if (ccmsg.result != ISC_R_SUCCESS) fatal("recv failed: %s", isc_result_totext(ccmsg.result)); 
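Review bot: The unix-socket branch writes `serveraddrs[nserveraddrs]` without checking that a slot is free, and in the else branch `count` becomes 0 once the array is full, so the helper depends entirely on its callers keeping `nserveraddrs < SERVERADDRS`. The bound belongs in the helper itself, e.g. `if (nserveraddrs >= SERVERADDRS) fatal("too many addresses: '%s'", host);` placed before the `if (*host == '/')` test. The `isc_app_block()`/`isc_app_unblock()` pair around the resolver call is also dropped; that is only safe if every remaining caller runs outside the task loop, which this hunk cannot confirm. get_addresses ends outside the hunk.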
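Review bot: The new failure text `"* the clocks are not syncronized, or\n"` misspells "synchronized"; the identical string is added again in the rndc_recvnonce hunk and should be corrected in both places to `"* the clocks are not synchronized, or\n"`. Operators search for these messages verbatim, so the typo would otherwise propagate into documentation and support threads. rndc_recvdone begins outside the hunk.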
@@ -235,10 +259,12 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { if (ccmsg.result == ISC_R_EOF) fatal("connection to remote host closed\n" - "This may indicate that the remote server is using " - "an older version of \n" - "the command protocol, this host is not authorized " - "to connect,\nor the key is invalid."); + "This may indicate that\n" + "* the remote server is using an older version of" + " the command protocol,\n" + "* this host is not authorized to connect,\n" + "* the clocks are not syncronized, or\n" + "* the key is invalid."); if (ccmsg.result != ISC_R_SUCCESS) fatal("recv failed: %s", isc_result_totext(ccmsg.result)); @@ -357,6 +383,8 @@ rndc_connected(isc_task_t *task, isc_event_t *event) { static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) { isc_result_t result; + int pf; + isc_sockettype_t type; char socktext[ISC_SOCKADDR_FORMATSIZE]; @@ -364,9 +392,22 @@ rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) { notify("using server %s (%s)", servername, socktext); - DO("create socket", isc_socket_create(socketmgr, - isc_sockaddr_pf(addr), - isc_sockettype_tcp, &sock)); + pf = isc_sockaddr_pf(addr); + if (pf == AF_INET || pf == AF_INET6) + type = isc_sockettype_tcp; + else + type = isc_sockettype_unix; + DO("create socket", isc_socket_create(socketmgr, pf, type, &sock)); + switch (isc_sockaddr_pf(addr)) { + case AF_INET: + DO("bind socket", isc_socket_bind(sock, &local4)); + break; + case AF_INET6: + DO("bind socket", isc_socket_bind(sock, &local6)); + break; + default: + break; + } DO("connect", isc_socket_connect(sock, addr, task, rndc_connected, NULL)); connects++; @@ -376,8 +417,6 @@ static void rndc_start(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); - get_addresses(servername, (in_port_t) remoteport); - currentaddr = 0; rndc_startconnect(&serveraddrs[currentaddr], task); } 
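Review bot: `switch (isc_sockaddr_pf(addr))` recomputes the family that `pf` already holds two statements earlier; `switch (pf) {` reads more clearly and avoids the second call. The `isc_socket_bind` calls run for every AF_INET/AF_INET6 address regardless of `local4set`/`local6set`, so `local4`/`local6` must already hold a usable wildcard address when no source address was configured; that initialization is not visible in this chunk (the end of parse_config is cut off), so please confirm it exists. rndc_startconnect's signature is in the preceding hunk.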
@@ -388,6 +427,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 {
 	isc_result_t result;
 	const char *conffile = admin_conffile;
+	const cfg_obj_t *addresses = NULL;
 	const cfg_obj_t *defkey = NULL;
 	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *servers = NULL;
@@ -398,12 +438,14 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	const cfg_obj_t *secretobj = NULL;
 	const cfg_obj_t *algorithmobj = NULL;
 	cfg_obj_t *config = NULL;
+	const cfg_obj_t *address = NULL;
 	const cfg_listelt_t *elt;
 	const char *secretstr;
 	const char *algorithm;
 	static char secretarray[1024];
 	const cfg_type_t *conftype = &cfg_type_rndcconf;
 	isc_boolean_t key_only = ISC_FALSE;
+	const cfg_listelt_t *element;
 	if (! isc_file_exists(conffile)) {
 		conffile = admin_keyfile;
@@ -521,10 +563,96 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	if (defport != NULL) {
 		remoteport = cfg_obj_asuint32(defport);
 		if (remoteport > 65535 || remoteport == 0)
-			fatal("port %d out of range", remoteport);
+			fatal("port %u out of range", remoteport);
 	} else if (remoteport == 0)
 		remoteport = NS_CONTROL_PORT;
+	if (server != NULL)
+		result = cfg_map_get(server, "addresses", &addresses);
+	else
+		result = ISC_R_NOTFOUND;
+	if (result == ISC_R_SUCCESS) {
+		for (element = cfg_list_first(addresses);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			isc_sockaddr_t sa;
+
+			address = cfg_listelt_value(element);
+			if (!cfg_obj_issockaddr(address)) {
+				unsigned int myport;
+				const char *name;
+				const cfg_obj_t *obj;
+
+				obj = cfg_tuple_get(address, "name");
+				name = cfg_obj_asstring(obj);
+				obj = cfg_tuple_get(address, "port");
+				if (cfg_obj_isuint32(obj)) {
+					myport = cfg_obj_asuint32(obj);
+					if (myport > ISC_UINT16_MAX ||
+					    myport == 0)
+						fatal("port %u out of range",
+						      myport);
+				} else
+					myport = remoteport;
+				if (nserveraddrs < SERVERADDRS)
+					get_addresses(name, (in_port_t) myport);
+				else
+					fprintf(stderr, "too many address: "
+						"%s: dropped\n", name);
+				continue;
+			}
+			sa = *cfg_obj_assockaddr(address);
+			if (isc_sockaddr_getport(&sa) == 0)
+				isc_sockaddr_setport(&sa, remoteport);
+			if (nserveraddrs < SERVERADDRS)
+				serveraddrs[nserveraddrs++] = sa;
+			else {
+				char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+				isc_sockaddr_format(&sa, socktext,
+						    sizeof(socktext));
+				fprintf(stderr,
+					"too many address: %s: dropped\n",
+					socktext);
+			}
+		}
+	}
+
+	if (!local4set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = ISC_TRUE;
+		}
+	}
+	if (!local4set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = ISC_TRUE;
+		}
+	}
+
+	if (!local6set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = ISC_TRUE;
+		}
+	}
+	if (!local6set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = ISC_TRUE;
+		}
+	}
+
+
 	*configp = config;
 }
@@ -540,6 +668,8 @@ main(int argc, char **argv) {
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *config = NULL;
 	const char *keyname = NULL;
+	struct in_addr in;
+	struct in6_addr in6;
 	char *p;
 	size_t argslen;
 	int ch;
@@ -553,13 +683,28 @@ main(int argc, char **argv) {
 	admin_conffile = RNDC_CONFFILE;
 	admin_keyfile = RNDC_KEYFILE;
+	isc_sockaddr_any(&local4);
+	isc_sockaddr_any6(&local6);
+
 	result = isc_app_start();
 	if (result != ISC_R_SUCCESS)
 		fatal("isc_app_start() failed: %s", isc_result_totext(result));
-	while ((ch = isc_commandline_parse(argc, argv, "c:k:Mmp:s:Vy:"))
+	while ((ch = isc_commandline_parse(argc, argv, "b:c:k:Mmp:s:Vy:"))
 	       != -1) {
 		switch (ch) {
+		case 'b':
+			if (inet_pton(AF_INET, isc_commandline_argument,
+				      &in) == 1) {
+				isc_sockaddr_fromin(&local4, &in, 0);
+				local4set = ISC_TRUE;
+			} else if (inet_pton(AF_INET6, isc_commandline_argument,
+					     &in6) == 1) {
+				isc_sockaddr_fromin6(&local6, &in6, 0);
+				local6set = ISC_TRUE;
+			}
+			break;
+
 		case 'c':
 			admin_conffile = isc_commandline_argument;
 			break;
@@ -586,15 +731,19 @@ main(int argc, char **argv) {
 		case 's':
 			servername = isc_commandline_argument;
 			break;
+
 		case 'V':
 			verbose = ISC_TRUE;
 			break;
+
 		case 'y':
 			keyname = isc_commandline_argument;
 			break;
+
 		case '?':
 			usage(0);
 			break;
+
 		default:
 			fatal("unexpected error parsing command arguments: "
 			      "got %c\n", ch);
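Review bot: The four `source-address` / `default-source-address` / `-v6` blocks at the end of the parse_config hunk are the same seven lines repeated with only the map, clause name and destination changed, and none of them checks that the configured address has the family it is later bound with: rndc_startconnect() binds `local4` to an AF_INET socket and `local6` to an AF_INET6 socket, so a wrong-family value would only surface at connect time as a `bind socket` failure, unless the rndcconf grammar already restricts these clauses by family, which this diff does not show. A small helper that applies the precedence (`-b` first, then the server clause, then the options default), checks the family and sets the flag keeps that logic in one place, as sketched below. Two smaller points in the same hunk: the `addresses` port check uses `ISC_UINT16_MAX` while the default-port check a few lines above uses the literal `65535`, and both `"too many address: %s: dropped\n"` messages should read `addresses`. parse_config's start, where `options` and `server` are looked up, is outside the hunk.
```c
/*
 * Copy the sockaddr in clause CLAUSE of MAP into *DST unless *SET is
 * already true (an earlier -b option or a more specific clause wins).
 * Rejecting a wrong-family address here gives a clear error instead of
 * a "bind socket" failure later in rndc_startconnect().
 */
static void
get_source(const cfg_obj_t *map, const char *clause, int pf,
	   isc_sockaddr_t *dst, isc_boolean_t *set)
{
	const cfg_obj_t *obj = NULL;

	if (*set || map == NULL)
		return;
	cfg_map_get(map, clause, &obj);
	if (obj == NULL)
		return;
	if (isc_sockaddr_pf(cfg_obj_assockaddr(obj)) != pf)
		fatal("'%s' is not an %s address", clause,
		      pf == AF_INET ? "IPv4" : "IPv6");
	*dst = *cfg_obj_assockaddr(obj);
	*set = ISC_TRUE;
}

/* … unchanged: parse_config() up to and including the addresses loop … */
	get_source(server, "source-address", AF_INET, &local4, &local4set);
	get_source(options, "default-source-address", AF_INET,
		   &local4, &local4set);
	get_source(server, "source-address-v6", AF_INET6, &local6, &local6set);
	get_source(options, "default-source-address-v6", AF_INET6,
		   &local6, &local6set);

	*configp = config;
```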
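Review bot: An argument to `-b` that is neither a valid IPv4 nor a valid IPv6 literal is silently ignored by the new `case 'b':`, so a typo in the source address leaves rndc connecting from the wildcard address with no diagnostic. Add a final arm after the IPv6 branch, `} else fatal("'%s' is not a valid IPv4 or IPv6 address", isc_commandline_argument);`, so that the mistake is reported before any connection is attempted. The `usage()` text is outside this diff; it should list the new `-b address` option if it does not already.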
@@ -665,6 +814,9 @@ main(int argc, char **argv) {
 	if (strcmp(command, "restart") == 0)
 		fatal("'%s' is not implemented", command);
+	if (nserveraddrs == 0)
+		get_addresses(servername, (in_port_t) remoteport);
+
 	DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL));
 	result = isc_app_run();
@@ -686,6 +838,8 @@ main(int argc, char **argv) {
 	isc_mem_put(mctx, args, argslen);
 	isccc_ccmsg_invalidate(&ccmsg);
+	dns_name_destroy();
+
 	if (show_final_mem)
 		isc_mem_stats(mctx, stderr);
diff --git a/contrib/bind9/bin/rndc/rndc.conf b/contrib/bind9/bin/rndc/rndc.conf
index 1dc5607..e303535 100644
--- a/contrib/bind9/bin/rndc/rndc.conf
+++ b/contrib/bind9/bin/rndc/rndc.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* $Id: rndc.conf,v 1.7.206.1 2004/03/06 10:21:32 marka Exp $ */
+/* $Id: rndc.conf,v 1.8.18.1 2004/06/18 04:39:39 marka Exp $ */
 /*
  * Sample rndc configuration file.
@@ -30,6 +30,17 @@ server localhost {
 	key "key";
 };
+key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+	algorithm hmac-md5;
+	secret "34f88008d07deabbe65bd01f1d233d47";
+};
+
+server "test1" {
+	key "cc64b3d1db63fc88d7cb5d2f9f57d258";
+	port 5353;
+	addresses { 10.53.0.1; };
+};
+
 key "key" {
 	algorithm hmac-md5;
 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
diff --git a/contrib/bind9/bin/rndc/rndc.conf.5 b/contrib/bind9/bin/rndc/rndc.conf.5
index 3a06a44..ce12151 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.5
+++ b/contrib/bind9/bin/rndc/rndc.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
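Review bot: The added `key "cc64b3d1db63fc88d7cb5d2f9f57d258"` block in the rndc.conf hunk puts a second literal secret into the shipped sample configuration, and the `server "test1"` entry pointing at `10.53.0.1` port 5353 reads like a test-network fixture rather than a general example; sample files of this kind tend to be copied into real installations unchanged. A comment above the block, `/* Test entries: do not reuse this secret; generate real keys with rndc-confgen. */`, or keeping these entries in the test configuration instead of the sample file, would make the intent clear to anyone who starts from this file.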
@@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc.conf.5,v 1.21.206.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: rndc.conf.5,v 1.23.18.13 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: \fIrndc.conf\fR .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -53,7 +53,7 @@ is much simpler than .PP The \fBoptions\fR -statement contains three clauses. The +statement contains five clauses. The \fBdefault\-server\fR clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to \fBrndc\fR. The 
@@ -74,14 +74,25 @@ option is provided on the rndc command line, and no \fBport\fR clause is found in a matching \fBserver\fR -statement, this default port will be used to connect. +statement, this default port will be used to connect. The +\fBdefault\-source\-address\fR +and +\fBdefault\-source\-address\-v6\fR +clauses which can be used to set the IPv4 and IPv6 source addresses respectively. .PP After the \fBserver\fR -keyword, the server statement includes a string which is the hostname or address for a name server. The statement has two possible clauses: -\fBkey\fR +keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: +\fBkey\fR, +\fBport\fR and -\fBport\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. +\fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an +\fBaddresses\fR +clause is supplied these addresses will be used instead of the server name. Each address can take a optional port. If an +\fBsource\-address\fR +or +\fBsource\-address\-v6\fR +of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively. .PP The \fBkey\fR 
@@ -100,27 +111,66 @@ program, also known as \fBmmencode\fR does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each. .SH "EXAMPLE" -.sp -.RS 3n +.PP +.RS 4 .nf - options { + options { default\-server localhost; default\-key samplekey; }; +.fi +.RE +.sp +.PP +.RS 4 +.nf server localhost { key samplekey; }; +.fi +.RE +.sp +.PP +.RS 4 +.nf + server testserver { + key testkey; + addresses { localhost port 5353; }; + }; +.fi +.RE +.sp +.PP +.RS 4 +.nf key samplekey { algorithm hmac\-md5; - secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; }; .fi .RE +.sp +.PP +.RS 4 +.nf + key testkey { + algorithm hmac\-md5; + secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; + } +.fi +.RE +.sp .PP In the above example, \fBrndc\fR will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes. .PP +If +\fBrndc \-s testserver\fR +is used then +\fBrndc\fR +will connect to server on localhost port 5353 using the key testkey. +.PP To generate a random secret with \fBrndc\-confgen\fR: .PP @@ -158,4 +208,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/rndc/rndc.conf.docbook b/contrib/bind9/bin/rndc/rndc.conf.docbook index 16b9caf..624a235 100644 --- a/contrib/bind9/bin/rndc/rndc.conf.docbook +++ b/contrib/bind9/bin/rndc/rndc.conf.docbook 
@@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: rndc.conf.docbook,v 1.4.206.4 2005/05/12 21:36:04 sra Exp $ --> - -<refentry> +<!-- $Id: rndc.conf.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.rndc.conf"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> @@ -31,10 +30,16 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><filename>rndc.conf</filename></refname> + <refpurpose>rndc configuration file</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -44,11 +49,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><filename>rndc.conf</filename></refname> - <refpurpose>rndc configuration file</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>rndc.conf</command> 
@@ -57,152 +57,183 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <filename>rndc.conf</filename> is the configuration file - for <command>rndc</command>, the BIND 9 name server control - utility. This file has a similar structure and syntax to - <filename>named.conf</filename>. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: - </para> - <para> - C style: /* */ - </para> - <para> - C++ style: // to end of line - </para> - <para> - Unix style: # to end of line - </para> - <para> - <filename>rndc.conf</filename> is much simpler than - <filename>named.conf</filename>. The file uses three - statements: an options statement, a server statement - and a key statement. - </para> - <para> - The <option>options</option> statement contains three clauses. - The <option>default-server</option> clause is followed by the - name or address of a name server. This host will be used when - no name server is given as an argument to - <command>rndc</command>. The <option>default-key</option> - clause is followed by the name of a key which is identified by - a <option>key</option> statement. If no - <option>keyid</option> is provided on the rndc command line, - and no <option>key</option> clause is found in a matching - <option>server</option> statement, this default key will be - used to authenticate the server's commands and responses. The - <option>default-port</option> clause is followed by the port - to connect to on the remote name server. If no - <option>port</option> option is provided on the rndc command - line, and no <option>port</option> clause is found in a - matching <option>server</option> statement, this default port - will be used to connect. - </para> - <para> - After the <option>server</option> keyword, the server statement - includes a string which is the hostname or address for a name - server. 
The statement has two possible clauses: - <option>key</option> and <option>port</option>. The key name must - match the name of a key statement in the file. The port number - specifies the port to connect to. - </para> - <para> - The <option>key</option> statement begins with an identifying - string, the name of the key. The statement has two clauses. - <option>algorithm</option> identifies the encryption algorithm - for <command>rndc</command> to use; currently only HMAC-MD5 is - supported. This is followed by a secret clause which contains - the base-64 encoding of the algorithm's encryption key. The - base-64 string is enclosed in double quotes. - </para> - <para> - There are two common ways to generate the base-64 string for the - secret. The BIND 9 program <command>rndc-confgen</command> can - be used to generate a random key, or the - <command>mmencode</command> program, also known as - <command>mimencode</command>, can be used to generate a base-64 - string from known input. <command>mmencode</command> does not - ship with BIND 9 but is available on many systems. See the - EXAMPLE section for sample command lines for each. + <para><filename>rndc.conf</filename> is the configuration file + for <command>rndc</command>, the BIND 9 name server control + utility. This file has a similar structure and syntax to + <filename>named.conf</filename>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. The usual + comment styles are supported: + </para> + <para> + C style: /* */ + </para> + <para> + C++ style: // to end of line + </para> + <para> + Unix style: # to end of line + </para> + <para><filename>rndc.conf</filename> is much simpler than + <filename>named.conf</filename>. The file uses three + statements: an options statement, a server statement + and a key statement. + </para> + <para> + The <option>options</option> statement contains five clauses. 
+ The <option>default-server</option> clause is followed by the + name or address of a name server. This host will be used when + no name server is given as an argument to + <command>rndc</command>. The <option>default-key</option> + clause is followed by the name of a key which is identified by + a <option>key</option> statement. If no + <option>keyid</option> is provided on the rndc command line, + and no <option>key</option> clause is found in a matching + <option>server</option> statement, this default key will be + used to authenticate the server's commands and responses. The + <option>default-port</option> clause is followed by the port + to connect to on the remote name server. If no + <option>port</option> option is provided on the rndc command + line, and no <option>port</option> clause is found in a + matching <option>server</option> statement, this default port + will be used to connect. + The <option>default-source-address</option> and + <option>default-source-address-v6</option> clauses which + can be used to set the IPv4 and IPv6 source addresses + respectively. + </para> + <para> + After the <option>server</option> keyword, the server + statement includes a string which is the hostname or address + for a name server. The statement has three possible clauses: + <option>key</option>, <option>port</option> and + <option>addresses</option>. The key name must match the + name of a key statement in the file. The port number + specifies the port to connect to. If an <option>addresses</option> + clause is supplied these addresses will be used instead of + the server name. Each address can take a optional port. + If an <option>source-address</option> or <option>source-address-v6</option> + of supplied then these will be used to specify the IPv4 and IPv6 + source addresses respectively. + </para> + <para> + The <option>key</option> statement begins with an identifying + string, the name of the key. The statement has two clauses. 
+ <option>algorithm</option> identifies the encryption algorithm + for <command>rndc</command> to use; currently only HMAC-MD5 + is + supported. This is followed by a secret clause which contains + the base-64 encoding of the algorithm's encryption key. The + base-64 string is enclosed in double quotes. + </para> + <para> + There are two common ways to generate the base-64 string for the + secret. The BIND 9 program <command>rndc-confgen</command> + can + be used to generate a random key, or the + <command>mmencode</command> program, also known as + <command>mimencode</command>, can be used to generate a + base-64 + string from known input. <command>mmencode</command> does + not + ship with BIND 9 but is available on many systems. See the + EXAMPLE section for sample command lines for each. </para> </refsect1> <refsect1> <title>EXAMPLE</title> - <programlisting> - options { + <para><programlisting> + options { default-server localhost; default-key samplekey; }; - +</programlisting> + </para> + <para><programlisting> server localhost { key samplekey; }; - +</programlisting> + </para> + <para><programlisting> + server testserver { + key testkey; + addresses { localhost port 5353; }; + }; +</programlisting> + </para> + <para><programlisting> key samplekey { algorithm hmac-md5; - secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; }; +</programlisting> + </para> + <para><programlisting> + key testkey { + algorithm hmac-md5; + secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; + } </programlisting> + </para> <para> - In the above example, <command>rndc</command> will by default use - the server at localhost (127.0.0.1) and the key called samplekey. - Commands to the localhost server will use the samplekey key, which - must also be defined in the server's configuration file with the - same name and secret. 
The key statement indicates that samplekey - uses the HMAC-MD5 algorithm and its secret clause contains the - base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. + In the above example, <command>rndc</command> will by + default use + the server at localhost (127.0.0.1) and the key called samplekey. + Commands to the localhost server will use the samplekey key, which + must also be defined in the server's configuration file with the + same name and secret. The key statement indicates that samplekey + uses the HMAC-MD5 algorithm and its secret clause contains the + base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. </para> <para> - To generate a random secret with <command>rndc-confgen</command>: + If <command>rndc -s testserver</command> is used then <command>rndc</command> will + connect to server on localhost port 5353 using the key testkey. </para> <para> - <userinput>rndc-confgen</userinput> + To generate a random secret with <command>rndc-confgen</command>: </para> - <para> - A complete <filename>rndc.conf</filename> file, including the - randomly generated key, will be written to the standard - output. Commented out <option>key</option> and - <option>controls</option> statements for - <filename>named.conf</filename> are also printed. + <para><userinput>rndc-confgen</userinput> </para> <para> - To generate a base-64 secret with <command>mmencode</command>: + A complete <filename>rndc.conf</filename> file, including + the + randomly generated key, will be written to the standard + output. Commented out <option>key</option> and + <option>controls</option> statements for + <filename>named.conf</filename> are also printed. 
</para> <para> - <userinput>echo "known plaintext for a secret" | mmencode</userinput> + To generate a base-64 secret with <command>mmencode</command>: + </para> + <para><userinput>echo "known plaintext for a secret" | mmencode</userinput> </para> </refsect1> <refsect1> <title>NAME SERVER CONFIGURATION</title> <para> - The name server must be configured to accept rndc connections and - to recognize the key specified in the <filename>rndc.conf</filename> - file, using the controls statement in <filename>named.conf</filename>. - See the sections on the <option>controls</option> statement in the - BIND 9 Administrator Reference Manual for details. + The name server must be configured to accept rndc connections and + to recognize the key specified in the <filename>rndc.conf</filename> + file, using the controls statement in <filename>named.conf</filename>. + See the sections on the <option>controls</option> statement in the + BIND 9 Administrator Reference Manual for details. </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>rndc</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>rndc-confgen</refentrytitle> - <manvolnum>8</manvolnum> + <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>mmencode</refentrytitle> - <manvolnum>1</manvolnum> + <refentrytitle>mmencode</refentrytitle><manvolnum>1</manvolnum> </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> @@ -210,16 +241,12 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: --> - 
diff --git a/contrib/bind9/bin/rndc/rndc.conf.html b/contrib/bind9/bin/rndc/rndc.conf.html index fefe616..8e510bd 100644 --- a/contrib/bind9/bin/rndc/rndc.conf.html +++ b/contrib/bind9/bin/rndc/rndc.conf.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: rndc.conf.html,v 1.5.2.1.4.13 2006/06/29 13:02:31 marka Exp $ --> +<!-- $Id: rndc.conf.html,v 1.6.18.21 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>rndc.conf</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.rndc.conf"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><code class="filename">rndc.conf</code> — rndc configuration file</p> 
@@ -32,147 +32,185 @@ <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549398"></a><h2>DESCRIPTION</h2> -<p> - <code class="filename">rndc.conf</code> is the configuration file - for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control - utility. This file has a similar structure and syntax to - <code class="filename">named.conf</code>. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: - </p> -<p> - C style: /* */ - </p> -<p> - C++ style: // to end of line - </p> -<p> - Unix style: # to end of line - </p> -<p> - <code class="filename">rndc.conf</code> is much simpler than - <code class="filename">named.conf</code>. The file uses three - statements: an options statement, a server statement - and a key statement. - </p> -<p> - The <code class="option">options</code> statement contains three clauses. - The <code class="option">default-server</code> clause is followed by the - name or address of a name server. This host will be used when - no name server is given as an argument to - <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code> - clause is followed by the name of a key which is identified by - a <code class="option">key</code> statement. If no - <code class="option">keyid</code> is provided on the rndc command line, - and no <code class="option">key</code> clause is found in a matching - <code class="option">server</code> statement, this default key will be - used to authenticate the server's commands and responses. The - <code class="option">default-port</code> clause is followed by the port - to connect to on the remote name server. 
If no - <code class="option">port</code> option is provided on the rndc command - line, and no <code class="option">port</code> clause is found in a - matching <code class="option">server</code> statement, this default port - will be used to connect. - </p> -<p> - After the <code class="option">server</code> keyword, the server statement - includes a string which is the hostname or address for a name - server. The statement has two possible clauses: - <code class="option">key</code> and <code class="option">port</code>. The key name must - match the name of a key statement in the file. The port number - specifies the port to connect to. - </p> -<p> - The <code class="option">key</code> statement begins with an identifying - string, the name of the key. The statement has two clauses. - <code class="option">algorithm</code> identifies the encryption algorithm - for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 is - supported. This is followed by a secret clause which contains - the base-64 encoding of the algorithm's encryption key. The - base-64 string is enclosed in double quotes. - </p> -<p> - There are two common ways to generate the base-64 string for the - secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> can - be used to generate a random key, or the - <span><strong class="command">mmencode</strong></span> program, also known as - <span><strong class="command">mimencode</strong></span>, can be used to generate a base-64 - string from known input. <span><strong class="command">mmencode</strong></span> does not - ship with BIND 9 but is available on many systems. See the - EXAMPLE section for sample command lines for each. +<a name="id2543352"></a><h2>DESCRIPTION</h2> +<p><code class="filename">rndc.conf</code> is the configuration file + for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control + utility. 
This file has a similar structure and syntax to + <code class="filename">named.conf</code>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. The usual + comment styles are supported: + </p> +<p> + C style: /* */ + </p> +<p> + C++ style: // to end of line + </p> +<p> + Unix style: # to end of line + </p> +<p><code class="filename">rndc.conf</code> is much simpler than + <code class="filename">named.conf</code>. The file uses three + statements: an options statement, a server statement + and a key statement. + </p> +<p> + The <code class="option">options</code> statement contains five clauses. + The <code class="option">default-server</code> clause is followed by the + name or address of a name server. This host will be used when + no name server is given as an argument to + <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code> + clause is followed by the name of a key which is identified by + a <code class="option">key</code> statement. If no + <code class="option">keyid</code> is provided on the rndc command line, + and no <code class="option">key</code> clause is found in a matching + <code class="option">server</code> statement, this default key will be + used to authenticate the server's commands and responses. The + <code class="option">default-port</code> clause is followed by the port + to connect to on the remote name server. If no + <code class="option">port</code> option is provided on the rndc command + line, and no <code class="option">port</code> clause is found in a + matching <code class="option">server</code> statement, this default port + will be used to connect. + The <code class="option">default-source-address</code> and + <code class="option">default-source-address-v6</code> clauses which + can be used to set the IPv4 and IPv6 source addresses + respectively. 
+ </p> +<p> + After the <code class="option">server</code> keyword, the server + statement includes a string which is the hostname or address + for a name server. The statement has three possible clauses: + <code class="option">key</code>, <code class="option">port</code> and + <code class="option">addresses</code>. The key name must match the + name of a key statement in the file. The port number + specifies the port to connect to. If an <code class="option">addresses</code> + clause is supplied these addresses will be used instead of + the server name. Each address can take a optional port. + If an <code class="option">source-address</code> or <code class="option">source-address-v6</code> + of supplied then these will be used to specify the IPv4 and IPv6 + source addresses respectively. + </p> +<p> + The <code class="option">key</code> statement begins with an identifying + string, the name of the key. The statement has two clauses. + <code class="option">algorithm</code> identifies the encryption algorithm + for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 + is + supported. This is followed by a secret clause which contains + the base-64 encoding of the algorithm's encryption key. The + base-64 string is enclosed in double quotes. + </p> +<p> + There are two common ways to generate the base-64 string for the + secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> + can + be used to generate a random key, or the + <span><strong class="command">mmencode</strong></span> program, also known as + <span><strong class="command">mimencode</strong></span>, can be used to generate a + base-64 + string from known input. <span><strong class="command">mmencode</strong></span> does + not + ship with BIND 9 but is available on many systems. See the + EXAMPLE section for sample command lines for each. 
</p> </div> <div class="refsect1" lang="en"> -<a name="id2549601"></a><h2>EXAMPLE</h2> +<a name="id2543500"></a><h2>EXAMPLE</h2> <pre class="programlisting"> - options { + options { default-server localhost; default-key samplekey; }; - +</pre> +<p> + </p> +<pre class="programlisting"> server localhost { key samplekey; }; - +</pre> +<p> + </p> +<pre class="programlisting"> + server testserver { + key testkey; + addresses { localhost port 5353; }; + }; +</pre> +<p> + </p> +<pre class="programlisting"> key samplekey { algorithm hmac-md5; - secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; }; +</pre> +<p> + </p> +<pre class="programlisting"> + key testkey { + algorithm hmac-md5; + secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; + } </pre> <p> - In the above example, <span><strong class="command">rndc</strong></span> will by default use - the server at localhost (127.0.0.1) and the key called samplekey. - Commands to the localhost server will use the samplekey key, which - must also be defined in the server's configuration file with the - same name and secret. The key statement indicates that samplekey - uses the HMAC-MD5 algorithm and its secret clause contains the - base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. </p> <p> - To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>: + In the above example, <span><strong class="command">rndc</strong></span> will by + default use + the server at localhost (127.0.0.1) and the key called samplekey. + Commands to the localhost server will use the samplekey key, which + must also be defined in the server's configuration file with the + same name and secret. The key statement indicates that samplekey + uses the HMAC-MD5 algorithm and its secret clause contains the + base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. 
</p> <p> - <strong class="userinput"><code>rndc-confgen</code></strong> + If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will + connect to server on localhost port 5353 using the key testkey. </p> <p> - A complete <code class="filename">rndc.conf</code> file, including the - randomly generated key, will be written to the standard - output. Commented out <code class="option">key</code> and - <code class="option">controls</code> statements for - <code class="filename">named.conf</code> are also printed. + To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>: + </p> +<p><strong class="userinput"><code>rndc-confgen</code></strong> </p> <p> - To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>: + A complete <code class="filename">rndc.conf</code> file, including + the + randomly generated key, will be written to the standard + output. Commented out <code class="option">key</code> and + <code class="option">controls</code> statements for + <code class="filename">named.conf</code> are also printed. </p> <p> - <strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong> + To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>: + </p> +<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong> </p> </div> <div class="refsect1" lang="en"> -<a name="id2549730"></a><h2>NAME SERVER CONFIGURATION</h2> +<a name="id2543592"></a><h2>NAME SERVER CONFIGURATION</h2> <p> - The name server must be configured to accept rndc connections and - to recognize the key specified in the <code class="filename">rndc.conf</code> - file, using the controls statement in <code class="filename">named.conf</code>. 
- See the sections on the <code class="option">controls</code> statement in the - BIND 9 Administrator Reference Manual for details. + The name server must be configured to accept rndc connections and + to recognize the key specified in the <code class="filename">rndc.conf</code> + file, using the controls statement in <code class="filename">named.conf</code>. + See the sections on the <code class="option">controls</code> statement in the + BIND 9 Administrator Reference Manual for details. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549750"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, +<a name="id2543613"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549793"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543652"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/rndc/rndc.docbook b/contrib/bind9/bin/rndc/rndc.docbook index afb88f5..5dd2606 100644 --- a/contrib/bind9/bin/rndc/rndc.docbook +++ b/contrib/bind9/bin/rndc/rndc.docbook 
@@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: rndc.docbook,v 1.7.206.4 2005/05/12 21:36:05 sra Exp $ --> - -<refentry> +<!-- $Id: rndc.docbook,v 1.8.18.8 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.rndc"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> @@ -31,10 +30,16 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>rndc</application></refname> + <refpurpose>name server control utility</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -44,14 +49,10 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>rndc</application></refname> - <refpurpose>name server control utility</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>rndc</command> + <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg> <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg> <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg> <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg> 
@@ -64,31 +65,31 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>rndc</command> controls the operation of a name - server. It supersedes the <command>ndc</command> utility - that was provided in old BIND releases. If - <command>rndc</command> is invoked with no command line - options or arguments, it prints a short summary of the - supported commands and the available options and their - arguments. + <para><command>rndc</command> + controls the operation of a name + server. It supersedes the <command>ndc</command> utility + that was provided in old BIND releases. If + <command>rndc</command> is invoked with no command line + options or arguments, it prints a short summary of the + supported commands and the available options and their + arguments. </para> - <para> - <command>rndc</command> communicates with the name server - over a TCP connection, sending commands authenticated with - digital signatures. In the current versions of - <command>rndc</command> and <command>named</command> named - the only supported authentication algorithm is HMAC-MD5, - which uses a shared secret on each end of the connection. - This provides TSIG-style authentication for the command - request and the name server's response. All commands sent - over the channel must be signed by a key_id known to the - server. + <para><command>rndc</command> + communicates with the name server + over a TCP connection, sending commands authenticated with + digital signatures. In the current versions of + <command>rndc</command> and <command>named</command> named + the only supported authentication algorithm is HMAC-MD5, + which uses a shared secret on each end of the connection. + This provides TSIG-style authentication for the command + request and the name server's response. All commands sent + over the channel must be signed by a key_id known to the + server. 
</para> - <para> - <command>rndc</command> reads a configuration file to - determine how to contact the name server and decide what - algorithm and key it should use. + <para><command>rndc</command> + reads a configuration file to + determine how to contact the name server and decide what + algorithm and key it should use. </para> </refsect1> 
@@ -97,85 +98,100 @@ <variablelist> <varlistentry> + <term>-b <replaceable class="parameter">source-address</replaceable></term> + <listitem> + <para> + Use <replaceable class="parameter">source-address</replaceable> + as the source address for the connection to the server. + Multiple instances are permitted to allow setting of both + the IPv4 and IPv6 source addresses. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-c <replaceable class="parameter">config-file</replaceable></term> - <listitem> - <para> - Use <replaceable class="parameter">config-file</replaceable> - as the configuration file instead of the default, - <filename>/etc/rndc.conf</filename>. - </para> - </listitem> + <listitem> + <para> + Use <replaceable class="parameter">config-file</replaceable> + as the configuration file instead of the default, + <filename>/etc/rndc.conf</filename>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-k <replaceable class="parameter">key-file</replaceable></term> - <listitem> - <para> - Use <replaceable class="parameter">key-file</replaceable> - as the key file instead of the default, - <filename>/etc/rndc.key</filename>. The key in - <filename>/etc/rndc.key</filename> will be used to authenticate - commands sent to the server if the <replaceable class="parameter">config-file</replaceable> - does not exist. - </para> - </listitem> + <listitem> + <para> + Use <replaceable class="parameter">key-file</replaceable> + as the key file instead of the default, + <filename>/etc/rndc.key</filename>. The key in + <filename>/etc/rndc.key</filename> will be used to + authenticate + commands sent to the server if the <replaceable class="parameter">config-file</replaceable> + does not exist. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-s <replaceable class="parameter">server</replaceable></term> - <listitem> - <para> - <replaceable class="parameter">server</replaceable> is - the name or address of the server which matches a - server statement in the configuration file for - <command>rndc</command>. If no server is supplied on the - command line, the host named by the default-server clause - in the option statement of the configuration file will be - used. - </para> - </listitem> + <listitem> + <para><replaceable class="parameter">server</replaceable> is + the name or address of the server which matches a + server statement in the configuration file for + <command>rndc</command>. If no server is supplied on + the + command line, the host named by the default-server clause + in the option statement of the configuration file will be + used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-p <replaceable class="parameter">port</replaceable></term> - <listitem> - <para> - Send commands to TCP port - <replaceable class="parameter">port</replaceable> instead - of BIND 9's default control channel port, 953. - </para> - </listitem> + <listitem> + <para> + Send commands to TCP port + <replaceable class="parameter">port</replaceable> + instead + of BIND 9's default control channel port, 953. + </para> + </listitem> </varlistentry> <varlistentry> <term>-V</term> - <listitem> - <para> - Enable verbose logging. - </para> - </listitem> + <listitem> + <para> + Enable verbose logging. + </para> + </listitem> </varlistentry> <varlistentry> <term>-y <replaceable class="parameter">keyid</replaceable></term> - <listitem> - <para> - Use the key <replaceable class="parameter">keyid</replaceable> - from the configuration file. - <replaceable class="parameter">keyid</replaceable> must be - known by named with the same algorithm and secret string - in order for control message validation to succeed. 
- If no <replaceable class="parameter">keyid</replaceable> - is specified, <command>rndc</command> will first look - for a key clause in the server statement of the server - being used, or if no server statement is present for that - host, then the default-key clause of the options statement. - Note that the configuration file contains shared secrets - which are used to send authenticated control commands - to name servers. It should therefore not have general read - or write access. - </para> - </listitem> + <listitem> + <para> + Use the key <replaceable class="parameter">keyid</replaceable> + from the configuration file. + <replaceable class="parameter">keyid</replaceable> + must be + known by named with the same algorithm and secret string + in order for control message validation to succeed. + If no <replaceable class="parameter">keyid</replaceable> + is specified, <command>rndc</command> will first look + for a key clause in the server statement of the server + being used, or if no server statement is present for that + host, then the default-key clause of the options statement. + Note that the configuration file contains shared secrets + which are used to send authenticated control commands + to name servers. It should therefore not have general read + or write access. + </para> + </listitem> </varlistentry> </variablelist> 
@@ -183,44 +199,40 @@ <para> For the complete set of commands supported by <command>rndc</command>, see the BIND 9 Administrator Reference Manual or run - <command>rndc</command> without arguments to see its help message. + <command>rndc</command> without arguments to see its help + message. </para> </refsect1> <refsect1> <title>LIMITATIONS</title> - <para> - <command>rndc</command> does not yet support all the commands of - the BIND 8 <command>ndc</command> utility. + <para><command>rndc</command> + does not yet support all the commands of + the BIND 8 <command>ndc</command> utility. </para> <para> - There is currently no way to provide the shared secret for a - <option>key_id</option> without using the configuration file. + There is currently no way to provide the shared secret for a + <option>key_id</option> without using the configuration file. </para> <para> - Several error messages could be clearer. + Several error messages could be clearer. </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>rndc.conf</refentrytitle> - <manvolnum>5</manvolnum> + <para><citerefentry> + <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>named</refentrytitle> - <manvolnum>8</manvolnum> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>named.conf</refentrytitle> - <manvolnum>5</manvolnum> + <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry> <citerefentry> - <refentrytitle>ndc</refentrytitle> - <manvolnum>8</manvolnum> + <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>. </para> 
@@ -228,16 +240,12 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: --> - diff --git a/contrib/bind9/bin/rndc/rndc.html b/contrib/bind9/bin/rndc/rndc.html index 4dfd318..35e949a 100644 --- a/contrib/bind9/bin/rndc/rndc.html +++ b/contrib/bind9/bin/rndc/rndc.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,132 +14,142 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: rndc.html,v 1.7.2.1.4.12 2006/06/29 13:02:31 marka Exp $ --> +<!-- $Id: rndc.html,v 1.8.18.19 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>rndc</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.rndc"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">rndc</span> — name server control utility</p> </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div> +<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em 
class="replaceable"><code>key_id</code></em></code>] {command}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549451"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">rndc</strong></span> controls the operation of a name - server. It supersedes the <span><strong class="command">ndc</strong></span> utility - that was provided in old BIND releases. If - <span><strong class="command">rndc</strong></span> is invoked with no command line - options or arguments, it prints a short summary of the - supported commands and the available options and their - arguments. +<a name="id2543413"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">rndc</strong></span> + controls the operation of a name + server. It supersedes the <span><strong class="command">ndc</strong></span> utility + that was provided in old BIND releases. If + <span><strong class="command">rndc</strong></span> is invoked with no command line + options or arguments, it prints a short summary of the + supported commands and the available options and their + arguments. </p> -<p> - <span><strong class="command">rndc</strong></span> communicates with the name server - over a TCP connection, sending commands authenticated with - digital signatures. In the current versions of - <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named - the only supported authentication algorithm is HMAC-MD5, - which uses a shared secret on each end of the connection. - This provides TSIG-style authentication for the command - request and the name server's response. All commands sent - over the channel must be signed by a key_id known to the - server. +<p><span><strong class="command">rndc</strong></span> + communicates with the name server + over a TCP connection, sending commands authenticated with + digital signatures. 
In the current versions of + <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named + the only supported authentication algorithm is HMAC-MD5, + which uses a shared secret on each end of the connection. + This provides TSIG-style authentication for the command + request and the name server's response. All commands sent + over the channel must be signed by a key_id known to the + server. </p> -<p> - <span><strong class="command">rndc</strong></span> reads a configuration file to - determine how to contact the name server and decide what - algorithm and key it should use. +<p><span><strong class="command">rndc</strong></span> + reads a configuration file to + determine how to contact the name server and decide what + algorithm and key it should use. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549492"></a><h2>OPTIONS</h2> +<a name="id2543448"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> +<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>source-address</code></em> + as the source address for the connection to the server. + Multiple instances are permitted to allow setting of both + the IPv4 and IPv6 source addresses. + </p></dd> <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> <dd><p> - Use <em class="replaceable"><code>config-file</code></em> - as the configuration file instead of the default, - <code class="filename">/etc/rndc.conf</code>. - </p></dd> + Use <em class="replaceable"><code>config-file</code></em> + as the configuration file instead of the default, + <code class="filename">/etc/rndc.conf</code>. + </p></dd> <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt> <dd><p> - Use <em class="replaceable"><code>key-file</code></em> - as the key file instead of the default, - <code class="filename">/etc/rndc.key</code>. 
The key in - <code class="filename">/etc/rndc.key</code> will be used to authenticate - commands sent to the server if the <em class="replaceable"><code>config-file</code></em> - does not exist. - </p></dd> + Use <em class="replaceable"><code>key-file</code></em> + as the key file instead of the default, + <code class="filename">/etc/rndc.key</code>. The key in + <code class="filename">/etc/rndc.key</code> will be used to + authenticate + commands sent to the server if the <em class="replaceable"><code>config-file</code></em> + does not exist. + </p></dd> <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt> -<dd><p> - <em class="replaceable"><code>server</code></em> is - the name or address of the server which matches a - server statement in the configuration file for - <span><strong class="command">rndc</strong></span>. If no server is supplied on the - command line, the host named by the default-server clause - in the option statement of the configuration file will be - used. - </p></dd> +<dd><p><em class="replaceable"><code>server</code></em> is + the name or address of the server which matches a + server statement in the configuration file for + <span><strong class="command">rndc</strong></span>. If no server is supplied on + the + command line, the host named by the default-server clause + in the option statement of the configuration file will be + used. + </p></dd> <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> <dd><p> - Send commands to TCP port - <em class="replaceable"><code>port</code></em> instead - of BIND 9's default control channel port, 953. - </p></dd> + Send commands to TCP port + <em class="replaceable"><code>port</code></em> + instead + of BIND 9's default control channel port, 953. + </p></dd> <dt><span class="term">-V</span></dt> <dd><p> - Enable verbose logging. - </p></dd> + Enable verbose logging. 
+ </p></dd> <dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt> <dd><p> - Use the key <em class="replaceable"><code>keyid</code></em> - from the configuration file. - <em class="replaceable"><code>keyid</code></em> must be - known by named with the same algorithm and secret string - in order for control message validation to succeed. - If no <em class="replaceable"><code>keyid</code></em> - is specified, <span><strong class="command">rndc</strong></span> will first look - for a key clause in the server statement of the server - being used, or if no server statement is present for that - host, then the default-key clause of the options statement. - Note that the configuration file contains shared secrets - which are used to send authenticated control commands - to name servers. It should therefore not have general read - or write access. - </p></dd> + Use the key <em class="replaceable"><code>keyid</code></em> + from the configuration file. + <em class="replaceable"><code>keyid</code></em> + must be + known by named with the same algorithm and secret string + in order for control message validation to succeed. + If no <em class="replaceable"><code>keyid</code></em> + is specified, <span><strong class="command">rndc</strong></span> will first look + for a key clause in the server statement of the server + being used, or if no server statement is present for that + host, then the default-key clause of the options statement. + Note that the configuration file contains shared secrets + which are used to send authenticated control commands + to name servers. It should therefore not have general read + or write access. + </p></dd> </dl></div> <p> For the complete set of commands supported by <span><strong class="command">rndc</strong></span>, see the BIND 9 Administrator Reference Manual or run - <span><strong class="command">rndc</strong></span> without arguments to see its help message. 
+ <span><strong class="command">rndc</strong></span> without arguments to see its help + message. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549811"></a><h2>LIMITATIONS</h2> -<p> - <span><strong class="command">rndc</strong></span> does not yet support all the commands of - the BIND 8 <span><strong class="command">ndc</strong></span> utility. +<a name="id2543652"></a><h2>LIMITATIONS</h2> +<p><span><strong class="command">rndc</strong></span> + does not yet support all the commands of + the BIND 8 <span><strong class="command">ndc</strong></span> utility. </p> <p> - There is currently no way to provide the shared secret for a - <code class="option">key_id</code> without using the configuration file. + There is currently no way to provide the shared secret for a + <code class="option">key_id</code> without using the configuration file. </p> <p> - Several error messages could be clearer. + Several error messages could be clearer. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549840"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, +<a name="id2543678"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span> <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>, @@ -147,9 +157,8 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2549892"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2543725"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/rndc/unix/Makefile.in b/contrib/bind9/bin/rndc/unix/Makefile.in index 0409a18..6696c23 100644 --- a/contrib/bind9/bin/rndc/unix/Makefile.in 
+++ b/contrib/bind9/bin/rndc/unix/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1.12.3 2004/03/08 04:04:24 marka Exp $ +# $Id: Makefile.in,v 1.3 2004/03/05 04:58:29 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/contrib/bind9/bin/rndc/unix/os.c b/contrib/bind9/bin/rndc/unix/os.c index 1adfdee..f5f6a91 100644 --- a/contrib/bind9/bin/rndc/unix/os.c +++ b/contrib/bind9/bin/rndc/unix/os.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.5.206.1 2004/03/06 10:21:33 marka Exp $ */ +/* $Id: os.c,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/rndc/util.c b/contrib/bind9/bin/rndc/util.c index 249cbe2..c64add72 100644 --- a/contrib/bind9/bin/rndc/util.c +++ b/contrib/bind9/bin/rndc/util.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: util.c,v 1.2.206.1 2004/03/06 10:21:32 marka Exp $ */ +/* $Id: util.c,v 1.3.18.2 2005/04/29 00:15:40 marka Exp $ */ + +/*! \file */ #include <config.h> diff --git a/contrib/bind9/bin/rndc/util.h b/contrib/bind9/bin/rndc/util.h index 3c19cd4..6414861 100644 --- a/contrib/bind9/bin/rndc/util.h +++ b/contrib/bind9/bin/rndc/util.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,11 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: util.h,v 1.5.206.1 2004/03/06 10:21:32 marka Exp $ */ +/* $Id: util.h,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */ #ifndef RNDC_UTIL_H #define RNDC_UTIL_H 1 +/*! \file */ + #include <isc/lang.h> #include <isc/formatcheck.h> |