diff options
| author | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-04-05 17:36:37 +0000 |
|---|---|---|
| committer | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-04-05 17:36:37 +0000 |
| commit | 0505bad000912a66c4f92c91a72202b9250e4bd5 (patch) | |
| tree | 00d8701ac1f3ee5feadd765c0274e9ff0a95aeac | |
| parent | 1da54ca1fd7764e567cd4bc055abd54d602773e1 (diff) | |
resolve conflicts
121 files changed, 14133 insertions, 34218 deletions
diff --git a/usr.sbin/bind/CHANGES b/usr.sbin/bind/CHANGES index 1673ae0c476..941b946db36 100644 --- a/usr.sbin/bind/CHANGES +++ b/usr.sbin/bind/CHANGES @@ -1,4 +1,261 @@ + --- 9.3.2 released --- + + --- 9.3.2rc1 released --- + +1936. [bug] The validator could leak memory. [RT #15544] + +1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530] + + --- 9.3.2b2 released --- + +1930. [port] HPUX: ia64 support. [RT #15473] + +1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM. + +1926. [bug] The Windows installer did not check for empty + passwords. BINDinstall was being installed in + the wrong place. [RT #15483] + +1925. [port] All outer level AC_TRY_RUNs need cross compiling + defaults. [RT #15469] + +1924. [port] libbind: hpux ia64 support. [RT #15473] + +1923. [bug] ns_client_detach() called too early. [RT #15499] + + --- 9.3.2b1 released --- + +1917. [doc] funcsynopsisinfo wasn't being treated as verbatim + when generating man pages. [RT #15385] + +1915. [bug] dig +ndots was broken. [RT #15215] + +1914. [protocol] DS is required to accept mnemonic algorithms + (RFC 4034). Still emit numeric algorithms for + compatability with RFC 3658. [RT #15354] + +1911. [bug] Update windows socket code. [RT #14965] + +1910. [bug] dig's +sigchase code overhauled. [RT #14933] + +1909. [bug] The DLV code has been re-worked to make no longer + query order sensitive. [RT #14933] + +1905. [bug] Strings returned from cfg_obj_asstring() should be + treated as read-only. [RT #15256] + +1901. [cleanup] Don't add DNSKEY records to the additional section. + +1900. [bug] ixfr-from-differences failed to ensure that the + serial number increased. [RT #15036] + +1896. [bug] Extend ISC_SOCKADDR_FORMATSIZE and + ISC_NETADDR_FORMATSIZE to allow for scope details. + +1894. [bug] Recursive clients soft quota support wasn't working + as expected. [RT #15103] + +1893. [bug] A escaped character is, potentially, converted to + the output character set too early. [RT #14666] + +1892. [port] Use uintptr_t if available. [RT #14606] + +1889. [port] sunos: non blocking i/o support. [RT #14951] + +1887. [bug] The cache could delete expired records too fast for + clients with a virtual time in the past. [RT #14991] + +1886. [bug] fctx_create() could return success even though it + failed. [RT #14993] + +1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>. + +1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug + levels. [RT #14962] + +1881. [func] Add a system test for named-checkconf. [RT #14931] + +1877. [bug] Fix unreasonably low quantum on call to + dns_rbt_destroy2(). Remove unnecessay unhash_node() + call. [RT #14919] + +1875. [bug] process_dhtkey() was using the wrong memory context + to free some memory. [RT #14890] + +1874. [port] sunos: portability fixes. [RT #14814] + +1873. [port] win32: isc__errno2result() now reports its caller. + [RT #13753] + +1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753] + +1867. [bug] It was possible to trigger a INSIST in + dlv_validatezonekey(). [RT #14846] + +1866. [bug] resolv.conf parse errors were being ignored by + dig/host/nslookup. [RT #14841] + +1865. [bug] Silently ignore nameservers in /etc/resolv.conf with + bad addresses. [RT #14841] + +1864. [bug] Don't try the alternative transfer source if you + got a answer / transfer with the main source + address. [RT #14802] + +1863. [bug] rrset-order "fixed" error messages not complete. + +1861. [bug] dig could trigger a INSIST on certain malformed + responses. [RT #14801] + +1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was + incorrectly set. [RT #14775] + +1858. [bug] The flush-zones-on-shutdown option wasn't being + parsed. [RT #14686] + +1857. [bug] named could trigger a INSIST() if reconfigured / + reloaded too fast. [RT #14673] + +1856. [doc] Switch Docbook toolchain from DSSSL to XSL. + [RT #11398] + +1855. [bug] ixfr-from-differences was failing to detect changes + of ttl due to dns_diff_subtract() was ignoring the ttl + of records. [RT #14616] + +1854. [bug] lwres also needs to know the print format for + (long long). [RT #13754] + +1853. [bug] Rework how DLV interacts with proveunsecure(). + [RT #13605] + +1852. [cleanup] Remove last vestiges of dnssec-signkey and + dnssec-makekeyset (removed from Makefile years ago). + +1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591] + +1849. [doc] All forms of the man pages (docbook, man, html) should + have consistant copyright dates. + +1848. [bug] Improve SMF integration. [RT #13238] + +1847. [bug] isc_ondestroy_init() is called too late in + dns_rbtdb_create()/dns_rbtdb64_create(). + [RT #13661] + +1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer + <bortzmeyer@nic.fr>. + +1845. [bug] Improve error reporting to distingish between + accept()/fcntl() and socket()/fcntl() errors. + [RT #13745] + +1844. [bug] inet_pton() accepted more that 4 hexadecimal digits + for each 16 bit piece of the IPv6 address. The text + representation of a IPv6 address has been tighted + to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt). + [RT #5662] + +1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps + when CFLAGS contains "-I /usr/local/include" + resulting in old header files being used. + +1842. [port] cmsg_len() could produce incorrect results on + some platform. [RT #13744] + +1841. [bug] "dig +nssearch" now makes a recursive query to + find the list of nameservers to query. [RT #13694] + +1839. [bug] <isc/hash.h> was not being installed. + +1838. [cleanup] Don't allow Linux capabilities to be inherited. + [RT #13707] + +1837. [bug] Compile time option ISC_FACILITY was not effective + for 'named -u <user>'. [RT #13714] + +1836. [cleanup] Silence compiler warnings in hash_test.c. + +1835. [bug] Update dnssec-signzone's usage message. [RT #13657] + +1834. [bug] Bad memset in rdata_test.c. [RT #13658] + +1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660] + +1832. [bug] named fails to return BADKEY on unknown TSIG algorithm. + [RT #13620] + +1831. [doc] Update named-checkzone documentation. [RT#13604] + +1830. [bug] adb lame cache has sence of test reversed. [RT #13600] + +1829. [bug] win32: "pid-file none;" broken. [RT #13563] + +1828. [bug] isc_rwlock_init() failed to properly cleanup if it + encountered a error. [RT #13549] + +1827. [bug] host: update usage message for '-a'. [RT #37116] + +1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out + of memory error. [RT #13537] + +1825. [bug] Missing UNLOCK() on out of memory error from in + rbtdb.c:subtractrdataset(). [RT #13519] + +1824. [bug] Memory leak on dns_zone_setdbtype() failure. + [RT #13510] + +1823. [bug] Wrong macro used to check for point to point interface. + [RT#13418] + +1822. [bug] check-names test for RT was reversed. [RT #13382] + +1821. [doc] acls definitions are no longer required to be + in named.conf prior to reference. They can be + defined after being referenced. + +1820. [bug] Gracefully handle acl loops. [RT #13659] + +1819. [bug] The validator needed to check both the algorithm and + digest types of the DS to determine if it could be + used to introduce a secure zone. [RT #13593] + +1816. [port] UnixWare: failed to compile lib/isc/unix/net.c. + [RT #13597] + +1815. [bug] nsupdate triggered a REQUIRE if the server was set + without also setting the zone and it encountered + a CNAME and was using TSIG. [RT #13086] + +1810. [bug] configure, lib/bind/configure make different default + decisions about whether to do a threaded build. + [RT #13212] + +1809. [bug] "make distclean" failed for libbind if the platform + is not supported. + +1807. [bug] When forwarding (forward only) set the active domain + from the forward zone name. [RT #13526] + +1804. [bug] Ensure that if we are queried for glue that it fits + in the additional section or TC is set to tell the + client to retry using TCP. [RT #10114] + +1803. [bug] dnssec-signzone sometimes failed to remove old + RRSIGs. [RT #13483] + +1802. [bug] Handle connection resets better. [RT #11280] + +1799. [bug] 'rndc flushname' failed to flush negative cache + entries. [RT #13438] + +1795. [bug] "rndc dumpdb" was not fully documented. Minor + formating issues with "rndc dumpdb -all". [RT #13396] + +1791. [bug] 'host -t a' still printed out AAAA and MX records. + [RT #13230] + --- 9.3.1 released --- 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] diff --git a/usr.sbin/bind/FAQ b/usr.sbin/bind/FAQ index f6ed41e422c..9b806cbde53 100644 --- a/usr.sbin/bind/FAQ +++ b/usr.sbin/bind/FAQ @@ -1,470 +1,525 @@ - - - Frequently Asked Questions about BIND 9 +------------------------------------------------------------------------------- Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads? A: Linux threads do not fully implement the Posix threads (pthreads) standard. -In particular, setuid() operates only on the current thread, not the full -process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it -can on all other supported platforms. setuid() cannot be called before -creating threads, since the server does not start listening on reserved ports -until after threads have started. + In particular, setuid() operates only on the current thread, not the full + process. Because of this limitation, BIND 9 cannot use setuid() on Linux as + it can on all other supported platforms. setuid() cannot be called before + creating threads, since the server does not start listening on reserved + ports until after threads have started. - In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve -capabilities across a setuid() call is present. This allows BIND 9 to call -setuid() early, while retaining the ability to bind reserved ports. This is -a Linux-specific hack. + In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve + capabilities across a setuid() call is present. This allows BIND 9 to call + setuid() early, while retaining the ability to bind reserved ports. This is + a Linux-specific hack. - On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less -of a security risk than a root process that has not dropped privileges. + On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less + of a security risk than a root process that has not dropped privileges. - If Linux threads ever work correctly, this restriction will go away. + If Linux threads ever work correctly, this restriction will go away. - Configuring BIND9 with the --disable-threads option (the default) causes a -non-threaded version to be built, which will allow -u to be used. + Configuring BIND9 with the --disable-threads option (the default) causes a + non-threaded version to be built, which will allow -u to be used. +Q: Why does named log the warning message "no TTL specified - using SOA MINTTL + instead"? -Q: Why does named log the warning message "no TTL specified - using SOA -MINTTL instead"? - -A: Your zone file is illegal according to RFC1035. It must either -have a line like +A: Your zone file is illegal according to RFC1035. It must either have a line + like: $TTL 86400 -at the beginning, or the first record in it must have a TTL field, -like the "84600" in this example: + at the beginning, or the first record in it must have a TTL field, like the + "84600" in this example: example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) Q: Why do I see 5 (or more) copies of named on Linux? -A: Linux threads each show up as a process under ps. The approximate -number of threads running is n+4, where n is the number of CPUs. Note that -the amount of memory used is not cumulative; if each process is using 10M of -memory, only a total of 10M is used. - +A: Linux threads each show up as a process under ps. The approximate number of + threads running is n+4, where n is the number of CPUs. Note that the amount + of memory used is not cumulative; if each process is using 10M of memory, + only a total of 10M is used. -Q: Why does BIND 9 log "permission denied" errors accessing its -configuration files or zones on my Linux system even though it is running -as root? - -A: On Linux, BIND 9 drops most of its root privileges on startup. -This including the privilege to open files owned by other users. -Therefore, if the server is running as root, the configuration files -and zone files should also be owned by root. +Q: Why does BIND 9 log "permission denied" errors accessing its configuration + files or zones on my Linux system even though it is running as root? +A: On Linux, BIND 9 drops most of its root privileges on startup. This + including the privilege to open files owned by other users. Therefore, if + the server is running as root, the configuration files and zone files should + also be owned by root. Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file -bar: ran out of space" - -A: This is often caused by TXT records with missing close quotes. Check that -all TXT records containing quoted strings have both open and close quotes. + bar: ran out of space"? +A: This is often caused by TXT records with missing close quotes. Check that + all TXT records containing quoted strings have both open and close quotes. Q: How do I produce a usable core file from a multithreaded named on Linux? -A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps -are usable (that is, the correct thread is dumped). Otherwise, if using -a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch -and rebuild the kernel. This patch will cause multithreaded programs to dump -the correct thread. - +A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable + (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel, + apply the kernel patch found in contrib/linux/coredump-patch and rebuild the + kernel. This patch will cause multithreaded programs to dump the correct + thread. Q: How do I restrict people from looking up the server version? -A: Put a "version" option containing something other than the real -version in the "options" section of named.conf. Note doing this will -not prevent attacks and may impede people trying to diagnose problems -with your server. Also it is possible to "fingerprint" nameservers to -determine their version. - - -Q: How do I restrict only remote users from looking up the server -version? +A: Put a "version" option containing something other than the real version in + the "options" section of named.conf. Note doing this will not prevent + attacks and may impede people trying to diagnose problems with your server. + Also it is possible to "fingerprint" nameservers to determine their version. -A: The following view statement will intercept lookups as the internal -view that holds the version information will be matched last. The -caveats of the previous answer still apply, of course. +Q: How do I restrict only remote users from looking up the server version? - view "chaos" chaos { - match-clients { <those to be refused>; }; - allow-query { none; }; - zone "." { - type hint; - file "/dev/null"; // or any empty file - }; - }; +A: The following view statement will intercept lookups as the internal view + that holds the version information will be matched last. The caveats of the + previous answer still apply, of course. + view "chaos" chaos { + match-clients { <those to be refused>; }; + allow-query { none; }; + zone "." { + type hint; + file "/dev/null"; // or any empty file + }; + }; Q: What do "no source of entropy found" or "could not open entropy source foo" -mean? + mean? A: The server requires a source of entropy to perform certain operations, -mostly DNSSEC related. These messages indicate that you have no source -of entropy. On systems with /dev/random or an equivalent, it is used by -default. A source of entropy can also be defined using the random-device -option in named.conf. + mostly DNSSEC related. These messages indicate that you have no source of + entropy. On systems with /dev/random or an equivalent, it is used by + default. A source of entropy can also be defined using the random-device + option in named.conf. +Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? -Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? +A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed + under /usr. Check that the correct named is running. -A: BIND 9 is installed under /usr/local by default. BIND 8 is often -installed under /usr. Check that the correct named is running. +Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. + I'm sure I have the keys set up correctly, but the server is rejecting the + TSIG. Why? +A: This may be a clock skew problem. Check that the the clocks on the client + and server are properly synchronised (e.g., using ntp). -Q: I'm trying to use TSIG to authenticate dynamic updates or zone -transfers. I'm sure I have the keys set up correctly, but the server -is rejecting the TSIG. Why? +Q: I'm trying to compile BIND 9, and "make" is failing due to files not being + found. Why? -A: This may be a clock skew problem. Check that the the clocks on -the client and server are properly synchronized (e.g., using ntp). +A: Using a parallel or distributed "make" to build BIND 9 is not supported, and + doesn't work. If you are using one of these, use normal make or gmake + instead. +Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging + error messages like "notify to 10.0.0.1#53 failed: unexpected end of input". + What's wrong? -Q: I'm trying to compile BIND 9, and "make" is failing due to files not -being found. Why? +A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in + BIND 8.2.4. It can be safely ignored - the notify has been acted on by the + slave despite the error message. -A: Using a parallel or distributed "make" to build BIND 9 is not -supported, and doesn't work. If you are using one of these, use -normal make or gmake instead. +Q: I keep getting log messages like the following. Why? + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update + failed: 'RRset exists (value dependent)' prerequisite not satisfied + (NXRRSET) -Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is -logging error messages like "notify to 10.0.0.1#53 failed: unexpected -end of input". What's wrong? +A: DNS updates allow the update request to test to see if certain conditions + are met prior to proceeding with the update. The message above is saying + that conditions were not met and the update is not proceeding. See doc/rfc/ + rfc2136.txt for more details on prerequisites. -A: This error message is caused by a known bug in BIND 8.2.3 and is fixed -in BIND 8.2.4. It can be safely ignored - the notify has been acted on by -the slave despite the error message. +Q: I keep getting log messages like the following. Why? + Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied -Q: I keep getting log messages like the following. Why? +A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update + protocol. Windows 2000 machines have a habit of sending dynamic update + requests to DNS servers without being specifically configured to do so. If + the update requests are coming from a Windows 2000 machine, see http:// + support.microsoft.com/support/kb/articles/q246/8/04.asp for information + about how to turn them off. - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': - update failed: 'RRset exists (value dependent)' prerequisite not - satisfied (NXRRSET) +Q: I see a log message like the following. Why? -A: DNS updates allow the update request to test to see if certain -conditions are met prior to proceeding with the update. The message -above is saying that conditions were not met and the update is not -proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. + couldn't open pid file '/var/run/named.pid': Permission denied +A: You are most likely running named as a non-root user, and that user does not + have permission to write in /var/run. The common ways of fixing this are to + create a /var/run/named directory owned by the named user and set pid-file + to "/var/run/named/named.pid", or set pid-file to "named.pid", which will + put the file in the directory specified by the directory option (which, in + this case, must be writable by the named user). + +Q: When I do a "dig . ns", many of the A records for the root servers are + missing. Why? + +A: This is normal and harmless. It is a somewhat confusing side effect of the + way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to + avoid promoting glue into answers. + + When BIND 9 first starts up and primes its cache, it receives the root + server addresses as additional data in an authoritative response from a root + server, and these records are eligible for inclusion as additional data in + responses. Subsequently it receives a subset of the root server addresses as + additional data in a non-authoritative (referral) response from a root + server. This causes the addresses to now be considered non-authoritative + (glue) data, which is not eligible for inclusion in responses. + + The server does have a complete set of root server addresses cached at all + times, it just may not include all of them as additional data, depending on + whether they were last received as answers or as glue. You can always look + up the addresses with explicit queries like "dig a.root-servers.net A". + +Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why? + +A: This may be caused by a bug in the Windows 2000 DNS server where DNS + messages larger than 16K are not handled properly. This can be worked around + by setting the option "transfer-format one-answer;". Also check whether your + zone contains domain names with embedded spaces or other special characters, + like "John\032Doe\213s\032Computer", since such names have been known to + cause Windows 2000 slaves to incorrectly reject the zone. -Q: I keep getting log messages like the following. Why? +Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? - Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied +A: A zone can be updated either by editing zone files and reloading the server + or by dynamic update, but not both. If you have enabled dynamic update for a + zone using the "allow-update" option, you are not supposed to edit the zone + file by hand, and the server will not attempt to reload it. + +Q: I can query the nameserver from the nameserver but not from other machines. + Why? + +A: This is usually the result of the firewall configuration stopping the + queries and / or the replies. + +Q: How can I make a server a slave for both an internal and an external view at + the same time? When I tried, both views on the slave were transferred from + the same view on the master. + +A: You will need to give the master and slave multiple IP addresses and use + those to make sure you reach the correct view on the other machine. + + Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) + internal: + match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; + notify-source 10.0.1.1; + transfer-source 10.0.1.1; + query-source address 10.0.1.1; + external: + match-clients { any; }; + recursion no; // don't offer recursion to the world + notify-source 10.0.1.2; + transfer-source 10.0.1.2; + query-source address 10.0.1.2; + + Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) + internal: + match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; + notify-source 10.0.1.3; + transfer-source 10.0.1.3; + query-source address 10.0.1.3; + external: + match-clients { any; }; + recursion no; // don't offer recursion to the world + notify-source 10.0.1.4; + transfer-source 10.0.1.4; + query-source address 10.0.1.4; + + You put the external address on the alias so that all the other dns clients + on these boxes see the internal view by default. + +A: BIND 9.3 and later: Use TSIG to select the appropriate view. + + Master 10.0.1.1: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + view "internal" { + match-clients { !key external; 10.0.1/24; }; + ... + }; + view "external" { + match-clients { key external; any; }; + server 10.0.0.2 { keys external; }; + recursion no; + ... + }; + + Slave 10.0.1.2: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + view "internal" { + match-clients { !key external; 10.0.1/24; }; + ... + }; + view "external" { + match-clients { key external; any; }; + server 10.0.0.1 { keys external; }; + recursion no; + ... + }; + +Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. + +A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use + certain interrupts as a source of random events. You can make this permanent + by setting rand_irqs in /etc/rc.conf. + + /etc/rc.conf + rand_irqs="3 14 15" + + See also http://people.freebsd.org/~dougb/randomness.html -A: Someone is trying to update your DNS data using the RFC2136 Dynamic -Update protocol. Windows 2000 machines have a habit of sending dynamic -update requests to DNS servers without being specifically configured to -do so. If the update requests are coming from a Windows 2000 machine, -see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp> -for information about how to turn them off. +Q: Why is named listening on UDP port other than 53? +A: Named uses a system selected port to make queries of other nameservers. This + behaviour can be overridden by using query-source to lock down the port and/ + or address. See also notify-source and transfer-source. -Q: I see a log message like the following. Why? +Q: I get error messages like "multiple RRs of singleton type" and "CNAME and + other data" when transferring a zone. What does this mean? - couldn't open pid file '/var/run/named.pid': Permission denied +A: These indicate a malformed master zone. You can identify the exact records + involved by transferring the zone using dig then running named-checkzone on + it. -A: You are most likely running named as a non-root user, and that user -does not have permission to write in /var/run. The common ways of -fixing this are to create a /var/run/named directory owned by the named -user and set pid-file to "/var/run/named/named.pid", or set -pid-file to "named.pid", which will put the file in the directory -specified by the directory option (which, in this case, must be writable -by the named user). + dig axfr example.com @master-server > tmp + named-checkzone example.com tmp + A CNAME record cannot exist with the same name as another record except for + the DNSSEC records which prove its existance (NSEC). -Q: When I do a "dig . ns", many of the A records for the root -servers are missing. Why? + RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data + should be present; this ensures that the data for a canonical name and its + aliases cannot be different. This rule also insures that a cached CNAME can + be used without checking with an authoritative server for other RR types." -A: This is normal and harmless. It is a somewhat confusing side effect -of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 -makes to avoid promoting glue into answers. +Q: I get error messages like "named.conf:99: unexpected end of input" where 99 + is the last line of named.conf. -When BIND 9 first starts up and primes its cache, it receives the root -server addresses as additional data in an authoritative response from -a root server, and these records are eligible for inclusion as -additional data in responses. Subsequently it receives a subset of -the root server addresses as additional data in a non-authoritative -(referral) response from a root server. This causes the addresses to -now be considered non-authoritative (glue) data, which is not eligible -for inclusion in responses. +A: Some text editors (notepad and wordpad) fail to put a line title indication + (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" + a blank line to the end of the file. Named expects to see EOF immediately + after EOL and treats text files where this is not met as truncated. -The server does have a complete set of root server addresses cached -at all times, it just may not include all of them as additional data, -depending on whether they were last received as answers or as glue. -You can always look up the addresses with explicit queries like -"dig a.root-servers.net A". +Q: I get warning messages like "zone example.com/IN: refresh: failure trying + master 1.2.3.4#53: timed out". +A: Check that you can make UDP queries from the slave to the master -Q: Zone transfers from my BIND 9 master to my Windows 2000 slave -fail. Why? + dig +norec example.com soa @1.2.3.4 -A: This may be caused by a bug in the Windows 2000 DNS server where -DNS messages larger than 16K are not handled properly. This can be -worked around by setting the option "transfer-format one-answer;". -Also check whether your zone contains domain names with embedded -spaces or other special characters, like "John\032Doe\213s\032Computer", -since such names have been known to cause Windows 2000 slaves to -incorrectly reject the zone. + You could be generating queries faster than the slave can cope with. Lower + the serial query rate. + serial-query-rate 5; // default 20 -Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? +Q: How do I share a dynamic zone between multiple views? -A: A zone can be updated either by editing zone files and reloading -the server or by dynamic update, but not both. If you have enabled -dynamic update for a zone using the "allow-update" option, you are not -supposed to edit the zone file by hand, and the server will not -attempt to reload it. - - -Q: I can query the nameserver from the nameserver but not from other -machines. Why? - -A: This is usually the result of the firewall configuration stopping -the queries and / or the replies. - - -Q: How can I make a server a slave for both an internal and -an external view at the same time? When I tried, both views -on the slave were transferred from the same view on the master. - -A: You will need to give the master and slave multiple IP addresses and -use those to make sure you reach the correct view on the other machine. - - e.g. - Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.1; - transfer-source 10.0.1.1; - query-source address 10.0.1.1; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.2; - transfer-source 10.0.1.2; - query-source address 10.0.1.2; - - Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.3; - transfer-source 10.0.1.3; - query-source address 10.0.1.3; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.4; - transfer-source 10.0.1.4; - query-source address 10.0.1.4; - - You put the external address on the alias so that all the other - dns clients on these boxes see the internal view by default. - -A: (BIND 9.3 and later) Use TSIG to select the appropriate view. - - Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - ... - }; - view "external" { - match-clients { key external; any; }; - server 10.0.0.2 { keys external; }; - recursion no; - ... - }; - - Slave 10.0.1.2: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - }; - view "external" { - match-clients { key external; any; }; - server 10.0.0.1 { keys external; }; - recursion no; - ... - }; - - -Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there. - -A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel -to use certain interrupts as a source of random events. You can make this -permanent by setting rand_irqs in /etc/rc.conf. - -e.g. - /etc/rc.conf - rand_irqs="3 14 15" - -See also http://people.freebsd.org/~dougb/randomness.html +A: You choose one view to be master and the second a slave and transfer the + zone between views. + + Master 10.0.1.1: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + + key "mykey" { + algorithm hmac-md5; + secret "yyyyyyyy"; + }; + + view "internal" { + match-clients { !external; 10.0.1/24; }; + server 10.0.1.1 { + /* Deliver notify messages to external view. */ + keys { external; }; + }; + zone "example.com" { + type master; + file "internal/example.db"; + allow-update { key mykey; }; + notify-also { 10.0.1.1; }; + }; + }; + + view "external" { + match-clients { external; any; }; + zone "example.com" { + type slave; + file "external/example.db"; + masters { 10.0.1.1; }; + transfer-source { 10.0.1.1; }; + // allow-update-forwarding { any; }; + // allow-notify { ... }; + }; + }; +Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master + file primaries/wireless.ietf56.ietf.org: no owner". -Q: Why is named listening on UDP port other than 53? +A: This error is produced when a line in the master file contains leading white + space (tab/space) but the is no current record owner name to inherit the + name from. Usually this is the result of putting white space before a + comment. Forgeting the "@" for the SOA record or indenting the master file. -A: Named uses a system selected port to make queries of other nameservers. -This behaviour can be overridden by using query-source to lock down the -port and/or address. See also notify-source and transfer-source. +Q: Why are my logs in GMT (UTC). +A: You are running chrooted (-t) and have not supplied local timzone + information in the chroot area. -Q: I get error messages like "multiple RRs of singleton type" and -"CNAME and other data" when transferring a zone. What does this mean? + FreeBSD: /etc/localtime + Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo + OSF: /etc/zoneinfo/localtime -A: These indicate a malformed master zone. You can identify the -exact records involved by transferring the zone using dig then -running named-checkzone on it. + See also tzset(3) and zic(8). - e.g. - dig axfr example.com @master-server > tmp - named-checkzone example.com tmp +Q: I get the error message "named: capset failed: Operation not permitted" when + starting named. +A: The capability module, part of "Linux Security Modules/LSM", has not been + loaded into the kernel. See insmod(8). -Q: I get error messages like "named.conf:99: unexpected end of input" where -99 is the last line of named.conf. +Q: I get "rndc: connect failed: connection refused" when I try to run rndc. -A: Some text editors (notepad and wordpad) fail to put a line termination -indication (e.g. CR/LF) on the last line of a text file. This can be fixed -by "adding" a blank line to the end of the file. Named expects to see EOF -immediately after EOL and treats text files where this is not met as truncated. +A: This is usually a configuration error. + First ensure that named is running and no errors are being reported at + startup (/var/log/messages or equivalent). Running "named -g <usual + arguments>" from a title can help at this point. -Q: I get warning messages like "zone example.com/IN: refresh: failure trying master -1.2.3.4#53: timed out". + Secondly ensure that named is configured to use rndc either by "rndc-confgen + -a", rndc-confgen or manually. The Administrators Reference manual has + details on how to do this. -A: Check that you can make UDP queries from the slave to the master + Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/ + rndc.conf for the default server. Update /etc/rndc.conf if necessary so that + the default server listed in /etc/rndc.conf matches the addresses used in + named.conf. "localhost" has two address (127.0.0.1 and ::1). - dig +norec example.com soa @1.2.3.4 + If you use "rndc-confgen -a" and named is running with -t or -u ensure that + /etc/rndc.conf has the correct ownership and that a copy is in the chroot + area. You can do this by re-running "rndc-confgen -a" with appropriate -t + and -u arguments. -A: You could be generating queries faster than the slave can cope with. Lower -the serial query rate. +Q: I don't get RRSIG's returned when I use "dig +dnssec". - serial-query-rate 5; // default 20 +A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). -Q: How do I share a dynamic zone between multiple views? +Q: I get "Error 1067" when starting named under Windows. -A: You choose one view to be master and the second a slave and transfer -the zone between views. - - Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - - key "mykey" { - algorithm hmac-md5; - secret "yyyyyyyy"; - }; - - view "internal" { - match-clients { !external; 10.0.1/24; }; - server 10.0.1.1 { - /* Deliver notify messages to external view. */ - keys { external; }; - }; - zone "example.com" { - type master; - file "internal/example.db"; - allow-update { key mykey; }; - notify-also { 10.0.1.1; }; - }; - }; - - view "external" { - match-clients { external; any; }; - zone "example.com" { - type slave; - file "external/example.db"; - masters { 10.0.1.1; }; - transfer-source { 10.0.1.1; }; - // allow-update-forwarding { any; }; - // allow-notify { ... }; - }; - }; +A: This is the service manager saying that named exited. You need to examine + the Application log in the EventViewer to find out why. -Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master -file primaries/wireless.ietf56.ietf.org: no owner". + Common causes are that you failed to create "named.conf" (usually "C:\ + windows\dns\etc\named.conf") or failed to specify the directory in + named.conf. -A: This error is produced when a line in the master file contains leading -white space (tab/space) but the is no current record owner name to inherit -the name from. Usually this is the result of putting white space before -a comment. Forgeting the "@" for the SOA record or indenting the master -file. + options { + Directory "C:\windows\dns\etc"; + }; +Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while + receiving responses: permission denied" error messages. -Q: Why are my logs in GMT (UTC). +A: These indicate a filesystem permission error preventing named creating / + renaming the temporary file. These will usually also have other associated + error messages like -A: You are running chrooted (-t) and have not supplied local timzone -information in the chroot area. + "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied" - FreeBSD: /etc/localtime - Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo - OSF: /etc/zoneinfo/localtime + Named needs write permission on the directory containing the file. Named + writes the new cache file to a temporary file then renames it to the name + specified in named.conf to ensure that the contents are always complete. + This is to prevent named loading a partial zone in the event of power + failure or similar interrupting the write of the master file. - See also tzset(3) and zic(8). + Note file names are relative to the directory specified in options and any + chroot directory ([<chroot dir>/][<options dir>]). + If named is invoked as "named -t /chroot/DNS" with the following named.conf + then "/chroot/DNS/var/named/sl" needs to be writable by the user named is + running as. -Q: I get the error message "named: capset failed: Operation not permitted" -when starting named. + options { + directory "/var/named"; + }; -A: The capset module has not been loaded into the kernel. See insmod(8). + zone "example.net" { + type slave; + file "sl/example.net"; + masters { 192.168.4.12; }; + }; +Q: How do I intergrate BIND 9 and Solaris SMF -Q: I get "rndc: connect failed: connection refused" when I try to run - rndc. +A: Sun has a blog entry describing how to do this. -A: This is usually a configuration error. + http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris - First ensure that named is running and no errors are being - reported at startup (/var/log/messages or equivalent). Running - "named -g <usual arguements>" from a terminal can help at this - point. +Q: Can a NS record refer to a CNAME. - Secondly ensure that named is configured to use rndc either by - "rndc-confgen -a", rndc-confgen or manually. The Administators - Reference manual has details on how to do this. +A: No. The rules for glue (copies of the *address* records in the parent zones) + and additional section processing do not allow it to work. - Old versions of rndc-confgen used localhost rather than 127.0.0.1 - in /etc/rndc.conf for the default server. Update /etc/rndc.conf - if necessary so that the default server listed in /etc/rndc.conf - matches the addresses used in named.conf. "localhost" has two - address (127.0.0.1 and ::1). + You would have to add both the CNAME and address records (A/AAAA) as glue to + the parent zone and have CNAMEs be followed when doing additional section + processing to make it work. No namesever implementation supports either of + these requirements. - If you use "rndc-confgen -a" and named is running with -t or -u - ensure that /etc/rndc.conf has the correct ownership and that - a copy is in the chroot area. You can do this by re-running - "rndc-confgen -a" with appropriate -t and -u arguements. +Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean? +A: If the IN-ADDR.ARPA name covered refers to a internal address space you are + using then you have failed to follow RFC 1918 usage rules and are leaking + queries to the Internet. You should establish your own zones for these + addresses to prevent you quering the Internet's name servers for these + addresses. Please see http://as112.net/ for details of the problems you are + causing and the counter measures that have had to be deployed. -Q: I don't get RRSIG's returned when I use "dig +dnssec". + If you are not using these private addresses then a client has queried for + them. You can just ignore the messages, get the offending client to stop + sending you these messages as they are most probably leaking them or setup + your own zones empty zones to serve answers to these queries. -A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). + zone "10.IN-ADDR.ARPA" { + type master; + file "empty"; + }; + zone "16.172.IN-ADDR.ARPA" { + type master; + file "empty"; + }; -Q: I get "Error 1067" when starting named under Windows. + ... + + zone "31.172.IN-ADDR.ARPA" { + type master; + file "empty"; + }; -A: This is the service manager saying that named exited. You need to - examine the Application log in the EventViewer to find out why. + zone "168.192.IN-ADDR.ARPA" { + type master; + file "empty"; + }; - Common causes are that you failed to create "named.conf" (usually - "C:\windows\dns\etc\named.conf") or failed to specify the directory - in named.conf. + empty: + @ 10800 IN SOA <name-of-server>. <contact-email>. ( + 1 3600 1200 604800 10800 ) + @ 10800 IN NS <name-of-server>. - options { - Directory "C:\windows\dns\etc"; - }; + Note + Future versions of named are likely to do this automatically. diff --git a/usr.sbin/bind/Makefile.in b/usr.sbin/bind/Makefile.in index 05e8ac1c62d..417f0c95bfb 100644 --- a/usr.sbin/bind/Makefile.in +++ b/usr.sbin/bind/Makefile.in @@ -52,8 +52,3 @@ install:: isc-config.sh installdirs tags: rm -f TAGS find lib bin -name "*.[ch]" -print | @ETAGS@ - - -check: test - -test: - (cd bin/tests && ${MAKE} ${MAKEDEFS} test) diff --git a/usr.sbin/bind/README b/usr.sbin/bind/README index 8e3d01df5bb..574b07d7324 100644 --- a/usr.sbin/bind/README +++ b/usr.sbin/bind/README @@ -43,6 +43,26 @@ BIND 9 Nominum, Inc. +BIND 9.3.2 + + BIND 9.3.2 is a maintenance release, containing fixes for + a number of bugs in 9.3.1. + + libbind: corresponds to that from BIND 8.4.7-REL. + + Known Issues: + + The following INSIST can be triggered with DNSSEC enabled. + +resolver.c:762: INSIST(result != 0 || dns_rdataset_isassociated(event->rdataset) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig)) failed + + We are still trying to isolate the cause. If you have core + dump please send a bug report to bind9-bugs@isc.org with + the location of the core, named executable and OS details. + + Note: contrib/nanny contains a perl script to restart named + in the event of a INSIST/REQUIRE/ENSURE failure. + BIND 9.3.1 BIND 9.3.1 is a maintenance release, containing fixes for @@ -210,7 +230,7 @@ Building UnixWare 7.1.1 HP-UX 10.20 BSD/OS 4.2 - Mac OS X 10.1 + Mac OS X 10.1, 10.3.8 To build, just @@ -300,9 +320,11 @@ Building Building with gcc is not supported, unless gcc is the vendor's usual compiler (e.g. the various BSD systems, Linux). + Known compiler issues: * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86. * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02. * gcc-3.3.5 powerpc generates incorrect code at -02. + * Irix, MipsPRO 7.4.1m is known to cause problems. A limited test suite can be run with "make test". Many of the tests require you to configure a set of virtual IP addresses diff --git a/usr.sbin/bind/bin/check/named-checkconf.html b/usr.sbin/bind/bin/check/named-checkconf.html index 9973700e3a9..7be9399a37e 100644 --- a/usr.sbin/bind/bin/check/named-checkconf.html +++ b/usr.sbin/bind/bin/check/named-checkconf.html @@ -1,216 +1,92 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2002 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2002 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: named-checkconf.html,v 1.5.2.1.4.5 2004/08/22 23:38:57 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->named-checkconf</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->named-checkconf</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->named-checkconf</SPAN -> -- named configuration file syntax checking tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->named-checkconf</B -> [<VAR -CLASS="OPTION" ->-v</VAR ->] [<VAR -CLASS="OPTION" ->-j</VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] {filename} [<VAR -CLASS="OPTION" ->-z</VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN26" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->named-checkconf</B -> checks the syntax, but not +<!-- $ISC: named-checkconf.html,v 1.5.2.1.4.12 2005/10/13 02:33:42 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>named-checkconf</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">named-checkconf</span> — named configuration file syntax checking tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525865"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">named-checkconf</strong></span> checks the syntax, but not the semantics, of a named configuration file. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN30" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> chroot to <TT -CLASS="FILENAME" ->directory</TT -> so that include + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525878"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> +<dd><p> + chroot to <code class="filename">directory</code> so that include directives in the configuration file are processed as if run by a similarly chrooted named. - </P -></DD -><DT ->-v</DT -><DD -><P -> Print the version of the <B -CLASS="COMMAND" ->named-checkconf</B -> + </p></dd> +<dt><span class="term">-v</span></dt> +<dd><p> + Print the version of the <span><strong class="command">named-checkconf</strong></span> program and exit. - </P -></DD -><DT ->-z</DT -><DD -><P -> Perform a check load the master zonefiles found in - <TT -CLASS="FILENAME" ->named.conf</TT ->. - </P -></DD -><DT ->-j</DT -><DD -><P -> When loading a zonefile read the journal if it exists. - </P -></DD -><DT ->filename</DT -><DD -><P -> The name of the configuration file to be checked. If not - specified, it defaults to <TT -CLASS="FILENAME" ->/etc/named.conf</TT ->. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN58" -></A -><H2 ->RETURN VALUES</H2 -><P -> <B -CLASS="COMMAND" ->named-checkconf</B -> returns an exit status of 1 if + </p></dd> +<dt><span class="term">-z</span></dt> +<dd><p> + Perform a check load the master zonefiles found in + <code class="filename">named.conf</code>. + </p></dd> +<dt><span class="term">-j</span></dt> +<dd><p> + When loading a zonefile read the journal if it exists. + </p></dd> +<dt><span class="term">filename</span></dt> +<dd><p> + The name of the configuration file to be checked. If not + specified, it defaults to <code class="filename">/etc/named.conf</code>. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525970"></a><h2>RETURN VALUES</h2> +<p> + <span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN62" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN69" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525982"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526006"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dig/dig.1 b/usr.sbin/bind/bin/dig/dig.1 index b22602e762d..c83d290c634 100644 --- a/usr.sbin/bind/bin/dig/dig.1 +++ b/usr.sbin/bind/bin/dig/dig.1 @@ -1,216 +1,244 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: dig.1,v 1.14.2.4.2.6 2004/06/23 09:11:01 marka Exp $ +.\" $ISC: dig.1,v 1.14.2.4.2.10 2005/10/13 02:33:42 marka Exp $ .\" -.TH "DIG" "1" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" dig \- DNS lookup utility -.SH SYNOPSIS -.sp -\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ] -.sp -\fBdig\fR [ \fB-h\fR ] -.sp -\fBdig\fR [ \fBglobal-queryopt\fR\fI...\fR ] [ \fBquery\fR\fI...\fR ] +.SH "SYNOPSIS" +.HP 4 +\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...] +.HP 4 +\fBdig\fR [\fB\-h\fR] +.HP 4 +\fBdig\fR [global\-queryopt...] [query...] .SH "DESCRIPTION" .PP -\fBdig\fR (domain information groper) is a flexible tool -for interrogating DNS name servers. It performs DNS lookups and -displays the answers that are returned from the name server(s) that -were queried. Most DNS administrators use \fBdig\fR to -troubleshoot DNS problems because of its flexibility, ease of use and -clarity of output. Other lookup tools tend to have less functionality -than \fBdig\fR. +\fBdig\fR +(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use +\fBdig\fR +to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than +\fBdig\fR. .PP -Although \fBdig\fR is normally used with command-line -arguments, it also has a batch mode of operation for reading lookup -requests from a file. A brief summary of its command-line arguments -and options is printed when the \fB-h\fR option is given. -Unlike earlier versions, the BIND9 implementation of -\fBdig\fR allows multiple lookups to be issued from the -command line. +Although +\fBdig\fR +is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the +\fB\-h\fR +option is given. Unlike earlier versions, the BIND9 implementation of +\fBdig\fR +allows multiple lookups to be issued from the command line. .PP Unless it is told to query a specific name server, -\fBdig\fR will try each of the servers listed in +\fBdig\fR +will try each of the servers listed in \fI/etc/resolv.conf\fR. .PP -When no command line arguments or options are given, will perform an -NS query for "." (the root). +When no command line arguments or options are given, will perform an NS query for "." (the root). .PP -It is possible to set per-user defaults for \fBdig\fR via -\fI${HOME}/.digrc\fR. This file is read and any options in it -are applied before the command line arguments. +It is possible to set per\-user defaults for +\fBdig\fR +via +\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments. .SH "SIMPLE USAGE" .PP -A typical invocation of \fBdig\fR looks like: +A typical invocation of +\fBdig\fR +looks like: .sp .nf dig @server name type -.sp .fi +.sp where: .TP \fBserver\fR -is the name or IP address of the name server to query. This can be an IPv4 -address in dotted-decimal notation or an IPv6 -address in colon-delimited notation. When the supplied -\fIserver\fR argument is a hostname, -\fBdig\fR resolves that name before querying that name -server. If no \fIserver\fR argument is provided, -\fBdig\fR consults \fI/etc/resolv.conf\fR -and queries the name servers listed there. The reply from the name -server that responds is displayed. +is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied +\fIserver\fR +argument is a hostname, +\fBdig\fR +resolves that name before querying that name server. If no +\fIserver\fR +argument is provided, +\fBdig\fR +consults +\fI/etc/resolv.conf\fR +and queries the name servers listed there. The reply from the name server that responds is displayed. .TP \fBname\fR is the name of the resource record that is to be looked up. .TP \fBtype\fR -indicates what type of query is required \(em -ANY, A, MX, SIG, etc. -\fItype\fR can be any valid query type. If no -\fItype\fR argument is supplied, -\fBdig\fR will perform a lookup for an A record. +indicates what type of query is required \(em ANY, A, MX, SIG, etc. +\fItype\fR +can be any valid query type. If no +\fItype\fR +argument is supplied, +\fBdig\fR +will perform a lookup for an A record. .SH "OPTIONS" .PP -The \fB-b\fR option sets the source IP address of the query -to \fIaddress\fR. This must be a valid address on -one of the host's network interfaces or "0.0.0.0" or "::". An optional port -may be specified by appending "#<port>" +The +\fB\-b\fR +option sets the source IP address of the query to +\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>" .PP The default query class (IN for internet) is overridden by the -\fB-c\fR option. \fIclass\fR is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records. +\fB\-c\fR +option. +\fIclass\fR +is any valid class, such as HS for Hesiod records or CH for CHAOSNET records. .PP -The \fB-f\fR option makes \fBdig \fR operate -in batch mode by reading a list of lookup requests to process from the -file \fIfilename\fR. The file contains a number of -queries, one per line. Each entry in the file should be organised in -the same way they would be presented as queries to -\fBdig\fR using the command-line interface. +The +\fB\-f\fR +option makes +\fBdig \fR +operate in batch mode by reading a list of lookup requests to process from the file +\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to +\fBdig\fR +using the command\-line interface. .PP -If a non-standard port number is to be queried, the -\fB-p\fR option is used. \fIport#\fR is -the port number that \fBdig\fR will send its queries -instead of the standard DNS port number 53. This option would be used -to test a name server that has been configured to listen for queries -on a non-standard port number. +If a non\-standard port number is to be queried, the +\fB\-p\fR +option is used. +\fIport#\fR +is the port number that +\fBdig\fR +will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number. .PP -The \fB-4\fR option forces \fBdig\fR to only -use IPv4 query transport. The \fB-6\fR option forces -\fBdig\fR to only use IPv6 query transport. +The +\fB\-4\fR +option forces +\fBdig\fR +to only use IPv4 query transport. The +\fB\-6\fR +option forces +\fBdig\fR +to only use IPv6 query transport. .PP -The \fB-t\fR option sets the query type to -\fItype\fR. It can be any valid query type which is -supported in BIND9. The default query type "A", unless the -\fB-x\fR option is supplied to indicate a reverse lookup. -A zone transfer can be requested by specifying a type of AXFR. When -an incremental zone transfer (IXFR) is required, -\fItype\fR is set to ixfr=N. -The incremental zone transfer will contain the changes made to the zone -since the serial number in the zone's SOA record was +The +\fB\-t\fR +option sets the query type to +\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the +\fB\-x\fR +option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, +\fItype\fR +is set to +ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was \fIN\fR. .PP -Reverse lookups - mapping addresses to names - are simplified by the -\fB-x\fR option. \fIaddr\fR is an IPv4 -address in dotted-decimal notation, or a colon-delimited IPv6 address. -When this option is used, there is no need to provide the -\fIname\fR, \fIclass\fR and -\fItype\fR arguments. \fBdig\fR +Reverse lookups \- mapping addresses to names \- are simplified by the +\fB\-x\fR +option. +\fIaddr\fR +is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the +\fIname\fR, +\fIclass\fR +and +\fItype\fR +arguments. +\fBdig\fR automatically performs a lookup for a name like -11.12.13.10.in-addr.arpa and sets the query type and -class to PTR and IN respectively. By default, IPv6 addresses are -looked up using nibble format under the IP6.ARPA domain. -To use the older RFC1886 method using the IP6.INT domain -specify the \fB-i\fR option. Bit string labels (RFC2874) -are now experimental and are not attempted. +11.12.13.10.in\-addr.arpa +and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the +\fB\-i\fR +option. Bit string labels (RFC2874) are now experimental and are not attempted. .PP -To sign the DNS queries sent by \fBdig\fR and their -responses using transaction signatures (TSIG), specify a TSIG key file -using the \fB-k\fR option. You can also specify the TSIG -key itself on the command line using the \fB-y\fR option; -\fIname\fR is the name of the TSIG key and -\fIkey\fR is the actual key. The key is a base-64 -encoded string, typically generated by \fBdnssec-keygen\fR(8). -Caution should be taken when using the \fB-y\fR option on -multi-user systems as the key can be visible in the output from -\fBps\fR(1) or in the shell's history file. When -using TSIG authentication with \fBdig\fR, the name -server that is queried needs to know the key and algorithm that is -being used. In BIND, this is done by providing appropriate -\fBkey\fR and \fBserver\fR statements in +To sign the DNS queries sent by +\fBdig\fR +and their responses using transaction signatures (TSIG), specify a TSIG key file using the +\fB\-k\fR +option. You can also specify the TSIG key itself on the command line using the +\fB\-y\fR +option; +\fIname\fR +is the name of the TSIG key and +\fIkey\fR +is the actual key. The key is a base\-64 encoded string, typically generated by +\fBdnssec\-keygen\fR(8). Caution should be taken when using the +\fB\-y\fR +option on multi\-user systems as the key can be visible in the output from +\fBps\fR(1 ) +or in the shell's history file. When using TSIG authentication with +\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate +\fBkey\fR +and +\fBserver\fR +statements in \fInamed.conf\fR. .SH "QUERY OPTIONS" .PP -\fBdig\fR provides a number of query options which affect -the way in which lookups are made and the results displayed. Some of -these set or reset flag bits in the query header, some determine which -sections of the answer get printed, and others determine the timeout -and retry strategies. +\fBdig\fR +provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies. .PP -Each query option is identified by a keyword preceded by a plus sign -(+). Some keywords set or reset an option. These may be preceded -by the string no to negate the meaning of that keyword. Other -keywords assign values to options like the timeout interval. They -have the form \fB+keyword=value\fR. -The query options are: +Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string +no +to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form +\fB+keyword=value\fR. The query options are: .TP \fB+[no]tcp\fR -Use [do not use] TCP when querying name servers. The default -behaviour is to use UDP unless an AXFR or IXFR query is requested, in -which case a TCP connection is used. +Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. .TP \fB+[no]vc\fR -Use [do not use] TCP when querying name servers. This alternate -syntax to \fI+[no]tcp\fR is provided for backwards -compatibility. The "vc" stands for "virtual circuit". +Use [do not use] TCP when querying name servers. This alternate syntax to +\fI+[no]tcp\fR +is provided for backwards compatibility. The "vc" stands for "virtual circuit". .TP \fB+[no]ignore\fR -Ignore truncation in UDP responses instead of retrying with TCP. By -default, TCP retries are performed. +Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. .TP \fB+domain=somename\fR Set the search list to contain the single domain \fIsomename\fR, as if specified in a -\fBdomain\fR directive in -\fI/etc/resolv.conf\fR, and enable search list -processing as if the \fI+search\fR option were given. +\fBdomain\fR +directive in +\fI/etc/resolv.conf\fR, and enable search list processing as if the +\fI+search\fR +option were given. .TP \fB+[no]search\fR -Use [do not use] the search list defined by the searchlist or domain -directive in \fIresolv.conf\fR (if any). -The search list is not used by default. +Use [do not use] the search list defined by the searchlist or domain directive in +\fIresolv.conf\fR +(if any). The search list is not used by default. .TP \fB+[no]defname\fR -Deprecated, treated as a synonym for \fI+[no]search\fR +Deprecated, treated as a synonym for +\fI+[no]search\fR .TP \fB+[no]aaonly\fR Sets the "aa" flag in the query. .TP \fB+[no]aaflag\fR -A synonym for \fI+[no]aaonly\fR. +A synonym for +\fI+[no]aaonly\fR. .TP \fB+[no]adflag\fR -Set [do not set] the AD (authentic data) bit in the query. The AD bit -currently has a standard meaning only in responses, not in queries, -but the ability to set the bit in the query is provided for -completeness. +Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness. .TP \fB+[no]cdflag\fR -Set [do not set] the CD (checking disabled) bit in the query. This -requests the server to not perform DNSSEC validation of responses. +Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. .TP \fB+[no]cl\fR Display [do not display] the CLASS when printing the record. @@ -219,170 +247,164 @@ Display [do not display] the CLASS when printing the record. Display [do not display] the TTL when printing the record. .TP \fB+[no]recurse\fR -Toggle the setting of the RD (recursion desired) bit in the query. -This bit is set by default, which means \fBdig\fR -normally sends recursive queries. Recursion is automatically disabled -when the \fI+nssearch\fR or -\fI+trace\fR query options are used. +Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means +\fBdig\fR +normally sends recursive queries. Recursion is automatically disabled when the +\fI+nssearch\fR +or +\fI+trace\fR +query options are used. .TP \fB+[no]nssearch\fR -When this option is set, \fBdig\fR attempts to find the -authoritative name servers for the zone containing the name being -looked up and display the SOA record that each name server has for the -zone. +When this option is set, +\fBdig\fR +attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. .TP \fB+[no]trace\fR -Toggle tracing of the delegation path from the root name servers for -the name being looked up. Tracing is disabled by default. When -tracing is enabled, \fBdig\fR makes iterative queries to -resolve the name being looked up. It will follow referrals from the -root servers, showing the answer from each server that was used to -resolve the lookup. +Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, +\fBdig\fR +makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. .TP \fB+[no]cmd\fR -toggles the printing of the initial comment in the output identifying -the version of \fBdig\fR and the query options that have -been applied. This comment is printed by default. +toggles the printing of the initial comment in the output identifying the version of +\fBdig\fR +and the query options that have been applied. This comment is printed by default. .TP \fB+[no]short\fR -Provide a terse answer. The default is to print the answer in a -verbose form. +Provide a terse answer. The default is to print the answer in a verbose form. .TP \fB+[no]identify\fR -Show [or do not show] the IP address and port number that supplied the -answer when the \fI+short\fR option is enabled. If -short form answers are requested, the default is not to show the -source address and port number of the server that provided the answer. +Show [or do not show] the IP address and port number that supplied the answer when the +\fI+short\fR +option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. .TP \fB+[no]comments\fR -Toggle the display of comment lines in the output. The default is to -print comments. +Toggle the display of comment lines in the output. The default is to print comments. .TP \fB+[no]stats\fR -This query option toggles the printing of statistics: when the query -was made, the size of the reply and so on. The default behaviour is -to print the query statistics. +This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics. .TP \fB+[no]qr\fR -Print [do not print] the query as it is sent. -By default, the query is not printed. +Print [do not print] the query as it is sent. By default, the query is not printed. .TP \fB+[no]question\fR -Print [do not print] the question section of a query when an answer is -returned. The default is to print the question section as a comment. +Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. .TP \fB+[no]answer\fR -Display [do not display] the answer section of a reply. The default -is to display it. +Display [do not display] the answer section of a reply. The default is to display it. .TP \fB+[no]authority\fR -Display [do not display] the authority section of a reply. The -default is to display it. +Display [do not display] the authority section of a reply. The default is to display it. .TP \fB+[no]additional\fR -Display [do not display] the additional section of a reply. -The default is to display it. +Display [do not display] the additional section of a reply. The default is to display it. .TP \fB+[no]all\fR Set or clear all display flags. .TP \fB+time=T\fR Sets the timeout for a query to -\fIT\fR seconds. The default time out is 5 seconds. -An attempt to set \fIT\fR to less than 1 will result -in a query timeout of 1 second being applied. +\fIT\fR +seconds. The default time out is 5 seconds. An attempt to set +\fIT\fR +to less than 1 will result in a query timeout of 1 second being applied. .TP \fB+tries=T\fR Sets the number of times to try UDP queries to server to -\fIT\fR instead of the default, 3. If -\fIT\fR is less than or equal to zero, the number of -tries is silently rounded up to 1. +\fIT\fR +instead of the default, 3. If +\fIT\fR +is less than or equal to zero, the number of tries is silently rounded up to 1. .TP \fB+retry=T\fR Sets the number of times to retry UDP queries to server to -\fIT\fR instead of the default, 2. Unlike -\fI+tries\fR, this does not include the initial -query. +\fIT\fR +instead of the default, 2. Unlike +\fI+tries\fR, this does not include the initial query. .TP \fB+ndots=D\fR Set the number of dots that have to appear in -\fIname\fR to \fID\fR for it to be -considered absolute. The default value is that defined using the -ndots statement in \fI/etc/resolv.conf\fR, or 1 if no -ndots statement is present. Names with fewer dots are interpreted as -relative names and will be searched for in the domains listed in the -\fBsearch\fR or \fBdomain\fR directive in +\fIname\fR +to +\fID\fR +for it to be considered absolute. The default value is that defined using the ndots statement in +\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the +\fBsearch\fR +or +\fBdomain\fR +directive in \fI/etc/resolv.conf\fR. .TP \fB+bufsize=B\fR Set the UDP message buffer size advertised using EDNS0 to -\fIB\fR bytes. The maximum and minimum sizes of this -buffer are 65535 and 0 respectively. Values outside this range are -rounded up or down appropriately. +\fIB\fR +bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. .TP \fB+[no]multiline\fR -Print records like the SOA records in a verbose multi-line -format with human-readable comments. The default is to print -each record on a single line, to facilitate machine parsing -of the \fBdig\fR output. +Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the +\fBdig\fR +output. .TP \fB+[no]fail\fR -Do not try the next server if you receive a SERVFAIL. The default is -to not try the next server which is the reverse of normal stub resolver -behaviour. +Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour. .TP \fB+[no]besteffort\fR -Attempt to display the contents of messages which are malformed. -The default is to not display malformed answers. +Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. .TP \fB+[no]dnssec\fR -Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the OPT record in the additional section of the query. +Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. .TP \fB+[no]sigchase\fR -Chase DNSSEC signature chains. Requires dig be compiled with --DDIG_SIGCHASE. +Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE. .TP -\fB+trusted-key=####\fR -Specify a trusted key to be used with \fB+sigchase\fR. -Requires dig be compiled with -DDIG_SIGCHASE. +\fB+trusted\-key=####\fR +Specifies a file containing trusted keys to be used with +\fB+sigchase\fR. Each DNSKEY record must be on its own line. +.sp +If not specified +\fBdig\fR +will look for +\fI/etc/trusted\-key.key\fR +then +\fItrusted\-key.key\fR +in the current directory. +.sp +Requires dig be compiled with \-DDIG_SIGCHASE. .TP \fB+[no]topdown\fR -When chasing DNSSEC signature chains perform a top down validation. -Requires dig be compiled with -DDIG_SIGCHASE. +When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE. .SH "MULTIPLE QUERIES" .PP -The BIND 9 implementation of \fBdig \fR supports -specifying multiple queries on the command line (in addition to -supporting the \fB-f\fR batch file option). Each of those -queries can be supplied with its own set of flags, options and query -options. +The BIND 9 implementation of +\fBdig \fR +supports specifying multiple queries on the command line (in addition to supporting the +\fB\-f\fR +batch file option). Each of those queries can be supplied with its own set of flags, options and query options. .PP -In this case, each \fIquery\fR argument represent an -individual query in the command-line syntax described above. Each -consists of any of the standard options and flags, the name to be -looked up, an optional query type and class and any query options that -should be applied to that query. +In this case, each +\fIquery\fR +argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query. .PP -A global set of query options, which should be applied to all queries, -can also be supplied. These global query options must precede the -first tuple of name, class, type, options, flags, and query options -supplied on the command line. Any global query options (except -the \fB+[no]cmd\fR option) can be -overridden by a query-specific set of query options. For example: +A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the +\fB+[no]cmd\fR +option) can be overridden by a query\-specific set of query options. For example: .sp .nf -dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -.sp +dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr .fi -shows how \fBdig\fR could be used from the command line -to make three lookups: an ANY query for www.isc.org, a -reverse lookup of 127.0.0.1 and a query for the NS records of -isc.org. -A global query option of \fI+qr\fR is applied, so -that \fBdig\fR shows the initial query it made for each -lookup. The final query has a local query option of -\fI+noqr\fR which means that \fBdig\fR +.sp +shows how +\fBdig\fR +could be used from the command line to make three lookups: an ANY query for +www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of +isc.org. A global query option of +\fI+qr\fR +is applied, so that +\fBdig\fR +shows the initial query it made for each lookup. The final query has a local query option of +\fI+noqr\fR +which means that +\fBdig\fR will not print the initial query when it looks up the NS records for isc.org. .SH "FILES" @@ -394,8 +416,8 @@ isc.org. .PP \fBhost\fR(1), \fBnamed\fR(8), -\fBdnssec-keygen\fR(8), -\fIRFC1035\fR. -.SH "BUGS" +\fBdnssec\-keygen\fR(8), +RFC1035. +.SH "BUGS " .PP -There are probably too many query options. +There are probably too many query options. diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c index 423eadbefd4..9e1f53f9b35 100644 --- a/usr.sbin/bind/bin/dig/dig.c +++ b/usr.sbin/bind/bin/dig/dig.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dig.c,v 1.157.2.13.2.25 2004/09/16 02:14:14 marka Exp $ */ +/* $ISC: dig.c,v 1.157.2.13.2.29 2005/10/14 01:38:40 marka Exp $ */ #include <config.h> #include <stdlib.h> @@ -45,10 +45,6 @@ #include <dig/dig.h> -extern ISC_LIST(dig_lookup_t) lookup_list; -extern dig_serverlist_t server_list; -extern ISC_LIST(dig_searchlist_t) search_list; - #define ADD_STRING(b, s) { \ if (strlen(s) >= isc_buffer_availablelength(b)) \ return (ISC_R_NOSPACE); \ @@ -58,31 +54,8 @@ extern ISC_LIST(dig_searchlist_t) search_list; #define DIG_MAX_ADDRESSES 20 -extern isc_boolean_t have_ipv4, have_ipv6, specified_source, - usesearch, qr; -extern in_port_t port; -extern unsigned int timeout; -extern isc_mem_t *mctx; -extern dns_messageid_t id; -extern int sendcount; -extern int ndots; -extern int lookup_counter; -extern int exitcode; -extern isc_sockaddr_t bind_address; -extern char keynametext[MXNAME]; -extern char keyfile[MXNAME]; -extern char keysecret[MXNAME]; -#ifdef DIG_SIGCHASE -extern char trustedkey[MXNAME]; -#endif -extern dns_tsigkey_t *key; -extern isc_boolean_t validated; -extern isc_taskmgr_t *taskmgr; -extern isc_task_t *global_task; -extern isc_boolean_t free_now; dig_lookup_t *default_lookup = NULL; -extern isc_boolean_t debugging, memdebugging; static char *batchname = NULL; static FILE *batchfp = NULL; static char *argv0; @@ -133,8 +106,6 @@ static const char *rcodetext[] = { "BADVERS" }; -extern char *progname; - static void print_usage(FILE *fp) { fputs( @@ -593,6 +564,7 @@ buftoosmall: } } } + if (headers && query->lookup->comments && !short_form) printf("\n"); @@ -808,7 +780,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, break; case 'l': /* cl */ FULLCHECK("cl"); - noclass = !state; + noclass = ISC_TF(!state); break; case 'm': /* cmd */ FULLCHECK("cmd"); @@ -881,7 +853,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, lookup->ns_search_only = state; if (state) { lookup->trace_root = ISC_TRUE; - lookup->recurse = ISC_FALSE; + lookup->recurse = ISC_TRUE; lookup->identify = ISC_TRUE; lookup->stats = ISC_FALSE; lookup->comments = ISC_FALSE; @@ -1043,7 +1015,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, break; case 't': /* ttlid */ FULLCHECK("ttlid"); - nottl = !state; + nottl = ISC_TF(!state); break; default: goto invalid_option; diff --git a/usr.sbin/bind/bin/dig/dig.docbook b/usr.sbin/bind/bin/dig/dig.docbook index 26471240b16..57984c186a8 100644 --- a/usr.sbin/bind/bin/dig/dig.docbook +++ b/usr.sbin/bind/bin/dig/dig.docbook @@ -1,6 +1,8 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dig.docbook,v 1.4.2.7.4.9 2004/06/23 04:19:41 marka Exp $ --> +<!-- $ISC: dig.docbook,v 1.4.2.7.4.12 2005/08/30 00:50:29 marka Exp $ --> <refentry> @@ -30,6 +32,21 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>dig</refname> <refpurpose>DNS lookup utility</refpurpose> @@ -38,7 +55,7 @@ <refsynopsisdiv> <cmdsynopsis> <command>dig</command> -<arg choice=opt>@server</arg> +<arg choice="opt">@server</arg> <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg> @@ -49,10 +66,10 @@ <arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg> <arg><option>-4</option></arg> <arg><option>-6</option></arg> -<arg choice=opt>name</arg> -<arg choice=opt>type</arg> -<arg choice=opt>class</arg> -<arg choice=opt rep=repeat>queryopt</arg> +<arg choice="opt">name</arg> +<arg choice="opt">type</arg> +<arg choice="opt">class</arg> +<arg choice="opt" rep="repeat">queryopt</arg> </cmdsynopsis> <cmdsynopsis> @@ -62,8 +79,8 @@ <cmdsynopsis> <command>dig</command> -<arg choice=opt rep=repeat>global-queryopt</arg> -<arg choice=opt rep=repeat>query</arg> +<arg choice="opt" rep="repeat">global-queryopt</arg> +<arg choice="opt" rep="repeat">query</arg> </cmdsynopsis> </refsynopsisdiv> @@ -513,11 +530,24 @@ Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE. </para></listitem></varlistentry> -<varlistentry><term><option>+trusted-key=####</option></term> -<listitem><para> -Specify a trusted key to be used with <option>+sigchase</option>. -Requires dig be compiled with -DDIG_SIGCHASE. -</para></listitem></varlistentry> + <varlistentry> + <term><option>+trusted-key=####</option></term> + <listitem> + <para> + Specifies a file containing trusted keys to be used with + <option>+sigchase</option>. Each DNSKEY record must be + on its own line. + </para> + <para> + If not specified <command>dig</command> will look for + <filename>/etc/trusted-key.key</filename> then + <filename>trusted-key.key</filename> in the current directory. + </para> + <para> + Requires dig be compiled with -DDIG_SIGCHASE. + </para> + </listitem> + </varlistentry> <varlistentry><term><option>+[no]topdown</option></term> <listitem><para> diff --git a/usr.sbin/bind/bin/dig/dig.html b/usr.sbin/bind/bin/dig/dig.html index 9035ecb5d70..71a09a6aa89 100644 --- a/usr.sbin/bind/bin/dig/dig.html +++ b/usr.sbin/bind/bin/dig/dig.html @@ -1,1174 +1,514 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: dig.html,v 1.6.2.4.2.7 2004/08/22 23:38:57 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->dig</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->dig</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->dig -- DNS lookup utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dig</B -> [@server] [<VAR -CLASS="OPTION" ->-b <VAR -CLASS="REPLACEABLE" ->address</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f <VAR -CLASS="REPLACEABLE" ->filename</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->filename</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port#</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-x <VAR -CLASS="REPLACEABLE" ->addr</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-y <VAR -CLASS="REPLACEABLE" ->name:key</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-4</VAR ->] [<VAR -CLASS="OPTION" ->-6</VAR ->] [name] [type] [class] [queryopt...]</P -><P -><B -CLASS="COMMAND" ->dig</B -> [<VAR -CLASS="OPTION" ->-h</VAR ->]</P -><P -><B -CLASS="COMMAND" ->dig</B -> [global-queryopt...] [query...]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN55" -></A -><H2 ->DESCRIPTION</H2 -><P -><B -CLASS="COMMAND" ->dig</B -> (domain information groper) is a flexible tool +<!-- $ISC: dig.html,v 1.6.2.4.2.13 2005/10/13 02:33:43 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dig</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>dig — DNS lookup utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div> +<div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div> +<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525976"></a><h2>DESCRIPTION</h2> +<p> +<span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that -were queried. Most DNS administrators use <B -CLASS="COMMAND" ->dig</B -> to +were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality -than <B -CLASS="COMMAND" ->dig</B ->.</P -><P ->Although <B -CLASS="COMMAND" ->dig</B -> is normally used with command-line +than <span><strong class="command">dig</strong></span>. +</p> +<p> +Although <span><strong class="command">dig</strong></span> is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments -and options is printed when the <VAR -CLASS="OPTION" ->-h</VAR -> option is given. +and options is printed when the <code class="option">-h</code> option is given. Unlike earlier versions, the BIND9 implementation of -<B -CLASS="COMMAND" ->dig</B -> allows multiple lookups to be issued from the -command line.</P -><P ->Unless it is told to query a specific name server, -<B -CLASS="COMMAND" ->dig</B -> will try each of the servers listed in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -><P ->When no command line arguments or options are given, will perform an -NS query for "." (the root).</P -><P ->It is possible to set per-user defaults for <B -CLASS="COMMAND" ->dig</B -> via -<TT -CLASS="FILENAME" ->${HOME}/.digrc</TT ->. This file is read and any options in it -are applied before the command line arguments.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN72" -></A -><H2 ->SIMPLE USAGE</H2 -><P ->A typical invocation of <B -CLASS="COMMAND" ->dig</B -> looks like: -<PRE -CLASS="PROGRAMLISTING" -> dig @server name type </PRE -> where: +<span><strong class="command">dig</strong></span> allows multiple lookups to be issued from the +command line. +</p> +<p> +Unless it is told to query a specific name server, +<span><strong class="command">dig</strong></span> will try each of the servers listed in +<code class="filename">/etc/resolv.conf</code>. +</p> +<p> +When no command line arguments or options are given, will perform an +NS query for "." (the root). +</p> +<p> +It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via +<code class="filename">${HOME}/.digrc</code>. This file is read and any options in it +are applied before the command line arguments. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526035"></a><h2>SIMPLE USAGE</h2> +<p> +A typical invocation of <span><strong class="command">dig</strong></span> looks like: +</p> +<pre class="programlisting"> dig @server name type </pre> +<p> where: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->server</CODE -></DT -><DD -><P ->is the name or IP address of the name server to query. This can be an IPv4 +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">server</code></span></dt> +<dd><p> +is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied -<VAR -CLASS="PARAMETER" ->server</VAR -> argument is a hostname, -<B -CLASS="COMMAND" ->dig</B -> resolves that name before querying that name -server. If no <VAR -CLASS="PARAMETER" ->server</VAR -> argument is provided, -<B -CLASS="COMMAND" ->dig</B -> consults <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -> +<em class="parameter"><code>server</code></em> argument is a hostname, +<span><strong class="command">dig</strong></span> resolves that name before querying that name +server. If no <em class="parameter"><code>server</code></em> argument is provided, +<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code> and queries the name servers listed there. The reply from the name -server that responds is displayed.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->name</CODE -></DT -><DD -><P ->is the name of the resource record that is to be looked up.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->type</CODE -></DT -><DD -><P ->indicates what type of query is required — +server that responds is displayed. +</p></dd> +<dt><span class="term"><code class="constant">name</code></span></dt> +<dd><p> +is the name of the resource record that is to be looked up. +</p></dd> +<dt><span class="term"><code class="constant">type</code></span></dt> +<dd><p> +indicates what type of query is required — ANY, A, MX, SIG, etc. -<VAR -CLASS="PARAMETER" ->type</VAR -> can be any valid query type. If no -<VAR -CLASS="PARAMETER" ->type</VAR -> argument is supplied, -<B -CLASS="COMMAND" ->dig</B -> will perform a lookup for an A record.</P -></DD -></DL -></DIV -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN101" -></A -><H2 ->OPTIONS</H2 -><P ->The <VAR -CLASS="OPTION" ->-b</VAR -> option sets the source IP address of the query -to <VAR -CLASS="PARAMETER" ->address</VAR ->. This must be a valid address on +<em class="parameter"><code>type</code></em> can be any valid query type. If no +<em class="parameter"><code>type</code></em> argument is supplied, +<span><strong class="command">dig</strong></span> will perform a lookup for an A record. +</p></dd> +</dl></div> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526114"></a><h2>OPTIONS</h2> +<p> +The <code class="option">-b</code> option sets the source IP address of the query +to <em class="parameter"><code>address</code></em>. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port -may be specified by appending "#<port>"</P -><P ->The default query class (IN for internet) is overridden by the -<VAR -CLASS="OPTION" ->-c</VAR -> option. <VAR -CLASS="PARAMETER" ->class</VAR -> is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records.</P -><P ->The <VAR -CLASS="OPTION" ->-f</VAR -> option makes <B -CLASS="COMMAND" ->dig </B -> operate +may be specified by appending "#<port>" +</p> +<p> +The default query class (IN for internet) is overridden by the +<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is any valid +class, such as HS for Hesiod records or CH for CHAOSNET records. +</p> +<p> +The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> operate in batch mode by reading a list of lookup requests to process from the -file <VAR -CLASS="PARAMETER" ->filename</VAR ->. The file contains a number of +file <em class="parameter"><code>filename</code></em>. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to -<B -CLASS="COMMAND" ->dig</B -> using the command-line interface.</P -><P ->If a non-standard port number is to be queried, the -<VAR -CLASS="OPTION" ->-p</VAR -> option is used. <VAR -CLASS="PARAMETER" ->port#</VAR -> is -the port number that <B -CLASS="COMMAND" ->dig</B -> will send its queries +<span><strong class="command">dig</strong></span> using the command-line interface. +</p> +<p> +If a non-standard port number is to be queried, the +<code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is +the port number that <span><strong class="command">dig</strong></span> will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries -on a non-standard port number.</P -><P ->The <VAR -CLASS="OPTION" ->-4</VAR -> option forces <B -CLASS="COMMAND" ->dig</B -> to only -use IPv4 query transport. The <VAR -CLASS="OPTION" ->-6</VAR -> option forces -<B -CLASS="COMMAND" ->dig</B -> to only use IPv6 query transport.</P -><P ->The <VAR -CLASS="OPTION" ->-t</VAR -> option sets the query type to -<VAR -CLASS="PARAMETER" ->type</VAR ->. It can be any valid query type which is +on a non-standard port number. +</p> +<p> +The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span> to only +use IPv4 query transport. The <code class="option">-6</code> option forces +<span><strong class="command">dig</strong></span> to only use IPv6 query transport. +</p> +<p> +The <code class="option">-t</code> option sets the query type to +<em class="parameter"><code>type</code></em>. It can be any valid query type which is supported in BIND9. The default query type "A", unless the -<VAR -CLASS="OPTION" ->-x</VAR -> option is supplied to indicate a reverse lookup. +<code class="option">-x</code> option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, -<VAR -CLASS="PARAMETER" ->type</VAR -> is set to <VAR -CLASS="LITERAL" ->ixfr=N</VAR ->. +<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was -<VAR -CLASS="PARAMETER" ->N</VAR ->.</P -><P ->Reverse lookups - mapping addresses to names - are simplified by the -<VAR -CLASS="OPTION" ->-x</VAR -> option. <VAR -CLASS="PARAMETER" ->addr</VAR -> is an IPv4 +<em class="parameter"><code>N</code></em>. +</p> +<p> +Reverse lookups - mapping addresses to names - are simplified by the +<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the -<VAR -CLASS="PARAMETER" ->name</VAR ->, <VAR -CLASS="PARAMETER" ->class</VAR -> and -<VAR -CLASS="PARAMETER" ->type</VAR -> arguments. <B -CLASS="COMMAND" ->dig</B -> +<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and +<em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span> automatically performs a lookup for a name like -<VAR -CLASS="LITERAL" ->11.12.13.10.in-addr.arpa</VAR -> and sets the query type and +<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain -specify the <VAR -CLASS="OPTION" ->-i</VAR -> option. Bit string labels (RFC2874) -are now experimental and are not attempted.</P -><P ->To sign the DNS queries sent by <B -CLASS="COMMAND" ->dig</B -> and their +specify the <code class="option">-i</code> option. Bit string labels (RFC2874) +are now experimental and are not attempted. +</p> +<p> +To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and their responses using transaction signatures (TSIG), specify a TSIG key file -using the <VAR -CLASS="OPTION" ->-k</VAR -> option. You can also specify the TSIG -key itself on the command line using the <VAR -CLASS="OPTION" ->-y</VAR -> option; -<VAR -CLASS="PARAMETER" ->name</VAR -> is the name of the TSIG key and -<VAR -CLASS="PARAMETER" ->key</VAR -> is the actual key. The key is a base-64 -encoded string, typically generated by <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->. +using the <code class="option">-k</code> option. You can also specify the TSIG +key itself on the command line using the <code class="option">-y</code> option; +<em class="parameter"><code>name</code></em> is the name of the TSIG key and +<em class="parameter"><code>key</code></em> is the actual key. The key is a base-64 +encoded string, typically generated by <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. -Caution should be taken when using the <VAR -CLASS="OPTION" ->-y</VAR -> option on +Caution should be taken when using the <code class="option">-y</code> option on multi-user systems as the key can be visible in the output from -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->ps</SPAN ->(1)</SPAN -> or in the shell's history file. When -using TSIG authentication with <B -CLASS="COMMAND" ->dig</B ->, the name +<span class="citerefentry"><span class="refentrytitle">ps</span>(1 +)</span> or in the shell's history file. When +using TSIG authentication with <span><strong class="command">dig</strong></span>, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate -<B -CLASS="COMMAND" ->key</B -> and <B -CLASS="COMMAND" ->server</B -> statements in -<TT -CLASS="FILENAME" ->named.conf</TT ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN156" -></A -><H2 ->QUERY OPTIONS</H2 -><P -><B -CLASS="COMMAND" ->dig</B -> provides a number of query options which affect +<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in +<code class="filename">named.conf</code>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526365"></a><h2>QUERY OPTIONS</h2> +<p> +<span><strong class="command">dig</strong></span> provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout -and retry strategies.</P -><P ->Each query option is identified by a keyword preceded by a plus sign -(<VAR -CLASS="LITERAL" ->+</VAR ->). Some keywords set or reset an option. These may be preceded -by the string <VAR -CLASS="LITERAL" ->no</VAR -> to negate the meaning of that keyword. Other +and retry strategies. +</p> +<p> +Each query option is identified by a keyword preceded by a plus sign +(<code class="literal">+</code>). Some keywords set or reset an option. These may be preceded +by the string <code class="literal">no</code> to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They -have the form <VAR -CLASS="OPTION" ->+keyword=value</VAR ->. +have the form <code class="option">+keyword=value</code>. The query options are: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><VAR -CLASS="OPTION" ->+[no]tcp</VAR -></DT -><DD -><P ->Use [do not use] TCP when querying name servers. The default +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="option">+[no]tcp</code></span></dt> +<dd><p> +Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in -which case a TCP connection is used.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]vc</VAR -></DT -><DD -><P ->Use [do not use] TCP when querying name servers. This alternate -syntax to <VAR -CLASS="PARAMETER" ->+[no]tcp</VAR -> is provided for backwards -compatibility. The "vc" stands for "virtual circuit".</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]ignore</VAR -></DT -><DD -><P ->Ignore truncation in UDP responses instead of retrying with TCP. By -default, TCP retries are performed.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+domain=somename</VAR -></DT -><DD -><P ->Set the search list to contain the single domain -<VAR -CLASS="PARAMETER" ->somename</VAR ->, as if specified in a -<B -CLASS="COMMAND" ->domain</B -> directive in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->, and enable search list -processing as if the <VAR -CLASS="PARAMETER" ->+search</VAR -> option were given.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]search</VAR -></DT -><DD -><P ->Use [do not use] the search list defined by the searchlist or domain -directive in <TT -CLASS="FILENAME" ->resolv.conf</TT -> (if any). -The search list is not used by default.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]defname</VAR -></DT -><DD -><P ->Deprecated, treated as a synonym for <VAR -CLASS="PARAMETER" ->+[no]search</VAR -></P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]aaonly</VAR -></DT -><DD -><P ->Sets the "aa" flag in the query.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]aaflag</VAR -></DT -><DD -><P ->A synonym for <VAR -CLASS="PARAMETER" ->+[no]aaonly</VAR ->.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]adflag</VAR -></DT -><DD -><P ->Set [do not set] the AD (authentic data) bit in the query. The AD bit +which case a TCP connection is used. +</p></dd> +<dt><span class="term"><code class="option">+[no]vc</code></span></dt> +<dd><p> +Use [do not use] TCP when querying name servers. This alternate +syntax to <em class="parameter"><code>+[no]tcp</code></em> is provided for backwards +compatibility. The "vc" stands for "virtual circuit". +</p></dd> +<dt><span class="term"><code class="option">+[no]ignore</code></span></dt> +<dd><p> +Ignore truncation in UDP responses instead of retrying with TCP. By +default, TCP retries are performed. +</p></dd> +<dt><span class="term"><code class="option">+domain=somename</code></span></dt> +<dd><p> +Set the search list to contain the single domain +<em class="parameter"><code>somename</code></em>, as if specified in a +<span><strong class="command">domain</strong></span> directive in +<code class="filename">/etc/resolv.conf</code>, and enable search list +processing as if the <em class="parameter"><code>+search</code></em> option were given. +</p></dd> +<dt><span class="term"><code class="option">+[no]search</code></span></dt> +<dd><p> +Use [do not use] the search list defined by the searchlist or domain +directive in <code class="filename">resolv.conf</code> (if any). +The search list is not used by default. +</p></dd> +<dt><span class="term"><code class="option">+[no]defname</code></span></dt> +<dd><p> +Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em> +</p></dd> +<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt> +<dd><p> +Sets the "aa" flag in the query. +</p></dd> +<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt> +<dd><p> +A synonym for <em class="parameter"><code>+[no]aaonly</code></em>. +</p></dd> +<dt><span class="term"><code class="option">+[no]adflag</code></span></dt> +<dd><p> +Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for -completeness.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]cdflag</VAR -></DT -><DD -><P ->Set [do not set] the CD (checking disabled) bit in the query. This -requests the server to not perform DNSSEC validation of responses.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]cl</VAR -></DT -><DD -><P ->Display [do not display] the CLASS when printing the record.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]ttlid</VAR -></DT -><DD -><P ->Display [do not display] the TTL when printing the record.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]recurse</VAR -></DT -><DD -><P ->Toggle the setting of the RD (recursion desired) bit in the query. -This bit is set by default, which means <B -CLASS="COMMAND" ->dig</B -> +completeness. +</p></dd> +<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt> +<dd><p> +Set [do not set] the CD (checking disabled) bit in the query. This +requests the server to not perform DNSSEC validation of responses. +</p></dd> +<dt><span class="term"><code class="option">+[no]cl</code></span></dt> +<dd><p> +Display [do not display] the CLASS when printing the record. +</p></dd> +<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt> +<dd><p> +Display [do not display] the TTL when printing the record. +</p></dd> +<dt><span class="term"><code class="option">+[no]recurse</code></span></dt> +<dd><p> +Toggle the setting of the RD (recursion desired) bit in the query. +This bit is set by default, which means <span><strong class="command">dig</strong></span> normally sends recursive queries. Recursion is automatically disabled -when the <VAR -CLASS="PARAMETER" ->+nssearch</VAR -> or -<VAR -CLASS="PARAMETER" ->+trace</VAR -> query options are used.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]nssearch</VAR -></DT -><DD -><P ->When this option is set, <B -CLASS="COMMAND" ->dig</B -> attempts to find the +when the <em class="parameter"><code>+nssearch</code></em> or +<em class="parameter"><code>+trace</code></em> query options are used. +</p></dd> +<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt> +<dd><p> +When this option is set, <span><strong class="command">dig</strong></span> attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the -zone.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]trace</VAR -></DT -><DD -><P ->Toggle tracing of the delegation path from the root name servers for +zone. +</p></dd> +<dt><span class="term"><code class="option">+[no]trace</code></span></dt> +<dd><p> +Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When -tracing is enabled, <B -CLASS="COMMAND" ->dig</B -> makes iterative queries to +tracing is enabled, <span><strong class="command">dig</strong></span> makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to -resolve the lookup.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]cmd</VAR -></DT -><DD -><P ->toggles the printing of the initial comment in the output identifying -the version of <B -CLASS="COMMAND" ->dig</B -> and the query options that have -been applied. This comment is printed by default.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]short</VAR -></DT -><DD -><P ->Provide a terse answer. The default is to print the answer in a -verbose form.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]identify</VAR -></DT -><DD -><P ->Show [or do not show] the IP address and port number that supplied the -answer when the <VAR -CLASS="PARAMETER" ->+short</VAR -> option is enabled. If +resolve the lookup. +</p></dd> +<dt><span class="term"><code class="option">+[no]cmd</code></span></dt> +<dd><p> +toggles the printing of the initial comment in the output identifying +the version of <span><strong class="command">dig</strong></span> and the query options that have +been applied. This comment is printed by default. +</p></dd> +<dt><span class="term"><code class="option">+[no]short</code></span></dt> +<dd><p> +Provide a terse answer. The default is to print the answer in a +verbose form. +</p></dd> +<dt><span class="term"><code class="option">+[no]identify</code></span></dt> +<dd><p> +Show [or do not show] the IP address and port number that supplied the +answer when the <em class="parameter"><code>+short</code></em> option is enabled. If short form answers are requested, the default is not to show the -source address and port number of the server that provided the answer.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]comments</VAR -></DT -><DD -><P ->Toggle the display of comment lines in the output. The default is to -print comments.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]stats</VAR -></DT -><DD -><P ->This query option toggles the printing of statistics: when the query +source address and port number of the server that provided the answer. +</p></dd> +<dt><span class="term"><code class="option">+[no]comments</code></span></dt> +<dd><p> +Toggle the display of comment lines in the output. The default is to +print comments. +</p></dd> +<dt><span class="term"><code class="option">+[no]stats</code></span></dt> +<dd><p> +This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is -to print the query statistics.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]qr</VAR -></DT -><DD -><P ->Print [do not print] the query as it is sent. -By default, the query is not printed.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]question</VAR -></DT -><DD -><P ->Print [do not print] the question section of a query when an answer is -returned. The default is to print the question section as a comment.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]answer</VAR -></DT -><DD -><P ->Display [do not display] the answer section of a reply. The default -is to display it.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]authority</VAR -></DT -><DD -><P ->Display [do not display] the authority section of a reply. The -default is to display it.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]additional</VAR -></DT -><DD -><P ->Display [do not display] the additional section of a reply. -The default is to display it.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]all</VAR -></DT -><DD -><P ->Set or clear all display flags.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+time=T</VAR -></DT -><DD -><P -> Sets the timeout for a query to -<VAR -CLASS="PARAMETER" ->T</VAR -> seconds. The default time out is 5 seconds. -An attempt to set <VAR -CLASS="PARAMETER" ->T</VAR -> to less than 1 will result -in a query timeout of 1 second being applied.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+tries=T</VAR -></DT -><DD -><P ->Sets the number of times to try UDP queries to server to -<VAR -CLASS="PARAMETER" ->T</VAR -> instead of the default, 3. If -<VAR -CLASS="PARAMETER" ->T</VAR -> is less than or equal to zero, the number of -tries is silently rounded up to 1.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+retry=T</VAR -></DT -><DD -><P ->Sets the number of times to retry UDP queries to server to -<VAR -CLASS="PARAMETER" ->T</VAR -> instead of the default, 2. Unlike -<VAR -CLASS="PARAMETER" ->+tries</VAR ->, this does not include the initial -query.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+ndots=D</VAR -></DT -><DD -><P ->Set the number of dots that have to appear in -<VAR -CLASS="PARAMETER" ->name</VAR -> to <VAR -CLASS="PARAMETER" ->D</VAR -> for it to be +to print the query statistics. +</p></dd> +<dt><span class="term"><code class="option">+[no]qr</code></span></dt> +<dd><p> +Print [do not print] the query as it is sent. +By default, the query is not printed. +</p></dd> +<dt><span class="term"><code class="option">+[no]question</code></span></dt> +<dd><p> +Print [do not print] the question section of a query when an answer is +returned. The default is to print the question section as a comment. +</p></dd> +<dt><span class="term"><code class="option">+[no]answer</code></span></dt> +<dd><p> +Display [do not display] the answer section of a reply. The default +is to display it. +</p></dd> +<dt><span class="term"><code class="option">+[no]authority</code></span></dt> +<dd><p> +Display [do not display] the authority section of a reply. The +default is to display it. +</p></dd> +<dt><span class="term"><code class="option">+[no]additional</code></span></dt> +<dd><p> +Display [do not display] the additional section of a reply. +The default is to display it. +</p></dd> +<dt><span class="term"><code class="option">+[no]all</code></span></dt> +<dd><p> +Set or clear all display flags. +</p></dd> +<dt><span class="term"><code class="option">+time=T</code></span></dt> +<dd><p> + +Sets the timeout for a query to +<em class="parameter"><code>T</code></em> seconds. The default time out is 5 seconds. +An attempt to set <em class="parameter"><code>T</code></em> to less than 1 will result +in a query timeout of 1 second being applied. +</p></dd> +<dt><span class="term"><code class="option">+tries=T</code></span></dt> +<dd><p> +Sets the number of times to try UDP queries to server to +<em class="parameter"><code>T</code></em> instead of the default, 3. If +<em class="parameter"><code>T</code></em> is less than or equal to zero, the number of +tries is silently rounded up to 1. +</p></dd> +<dt><span class="term"><code class="option">+retry=T</code></span></dt> +<dd><p> +Sets the number of times to retry UDP queries to server to +<em class="parameter"><code>T</code></em> instead of the default, 2. Unlike +<em class="parameter"><code>+tries</code></em>, this does not include the initial +query. +</p></dd> +<dt><span class="term"><code class="option">+ndots=D</code></span></dt> +<dd><p> +Set the number of dots that have to appear in +<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be considered absolute. The default value is that defined using the -ndots statement in <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->, or 1 if no +ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the -<VAR -CLASS="OPTION" ->search</VAR -> or <VAR -CLASS="OPTION" ->domain</VAR -> directive in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+bufsize=B</VAR -></DT -><DD -><P ->Set the UDP message buffer size advertised using EDNS0 to -<VAR -CLASS="PARAMETER" ->B</VAR -> bytes. The maximum and minimum sizes of this +<code class="option">search</code> or <code class="option">domain</code> directive in +<code class="filename">/etc/resolv.conf</code>. +</p></dd> +<dt><span class="term"><code class="option">+bufsize=B</code></span></dt> +<dd><p> +Set the UDP message buffer size advertised using EDNS0 to +<em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are -rounded up or down appropriately.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]multiline</VAR -></DT -><DD -><P ->Print records like the SOA records in a verbose multi-line +rounded up or down appropriately. +</p></dd> +<dt><span class="term"><code class="option">+[no]multiline</code></span></dt> +<dd><p> +Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing -of the <B -CLASS="COMMAND" ->dig</B -> output.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]fail</VAR -></DT -><DD -><P ->Do not try the next server if you receive a SERVFAIL. The default is +of the <span><strong class="command">dig</strong></span> output. +</p></dd> +<dt><span class="term"><code class="option">+[no]fail</code></span></dt> +<dd><p> +Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver -behaviour.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]besteffort</VAR -></DT -><DD -><P ->Attempt to display the contents of messages which are malformed. -The default is to not display malformed answers.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]dnssec</VAR -></DT -><DD -><P ->Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) -in the OPT record in the additional section of the query.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]sigchase</VAR -></DT -><DD -><P ->Chase DNSSEC signature chains. Requires dig be compiled with --DDIG_SIGCHASE.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+trusted-key=####</VAR -></DT -><DD -><P ->Specify a trusted key to be used with <VAR -CLASS="OPTION" ->+sigchase</VAR ->. -Requires dig be compiled with -DDIG_SIGCHASE.</P -></DD -><DT -><VAR -CLASS="OPTION" ->+[no]topdown</VAR -></DT -><DD -><P ->When chasing DNSSEC signature chains perform a top down validation. -Requires dig be compiled with -DDIG_SIGCHASE.</P -></DD -></DL -></DIV -> </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN385" -></A -><H2 ->MULTIPLE QUERIES</H2 -><P ->The BIND 9 implementation of <B -CLASS="COMMAND" ->dig </B -> supports +behaviour. +</p></dd> +<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt> +<dd><p> +Attempt to display the contents of messages which are malformed. +The default is to not display malformed answers. +</p></dd> +<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt> +<dd><p> +Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) +in the OPT record in the additional section of the query. +</p></dd> +<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt> +<dd><p> +Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE. +</p></dd> +<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt> +<dd> +<p> + Specifies a file containing trusted keys to be used with + <code class="option">+sigchase</code>. Each DNSKEY record must be + on its own line. + </p> +<p> + If not specified <span><strong class="command">dig</strong></span> will look for + <code class="filename">/etc/trusted-key.key</code> then + <code class="filename">trusted-key.key</code> in the current directory. + </p> +<p> + Requires dig be compiled with -DDIG_SIGCHASE. + </p> +</dd> +<dt><span class="term"><code class="option">+[no]topdown</code></span></dt> +<dd><p> +When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE. +</p></dd> +</dl></div> +<p> + +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527033"></a><h2>MULTIPLE QUERIES</h2> +<p> +The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports specifying multiple queries on the command line (in addition to -supporting the <VAR -CLASS="OPTION" ->-f</VAR -> batch file option). Each of those +supporting the <code class="option">-f</code> batch file option). Each of those queries can be supplied with its own set of flags, options and query -options.</P -><P ->In this case, each <VAR -CLASS="PARAMETER" ->query</VAR -> argument represent an +options. +</p> +<p> +In this case, each <em class="parameter"><code>query</code></em> argument represent an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that -should be applied to that query.</P -><P ->A global set of query options, which should be applied to all queries, +should be applied to that query. +</p> +<p> +A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except -the <VAR -CLASS="OPTION" ->+[no]cmd</VAR -> option) can be +the <code class="option">+[no]cmd</code> option) can be overridden by a query-specific set of query options. For example: -<PRE -CLASS="PROGRAMLISTING" ->dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr</PRE -> -shows how <B -CLASS="COMMAND" ->dig</B -> could be used from the command line -to make three lookups: an ANY query for <VAR -CLASS="LITERAL" ->www.isc.org</VAR ->, a +</p> +<pre class="programlisting"> +dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr +</pre> +<p> +shows how <span><strong class="command">dig</strong></span> could be used from the command line +to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a reverse lookup of 127.0.0.1 and a query for the NS records of -<VAR -CLASS="LITERAL" ->isc.org</VAR ->. +<code class="literal">isc.org</code>. -A global query option of <VAR -CLASS="PARAMETER" ->+qr</VAR -> is applied, so -that <B -CLASS="COMMAND" ->dig</B -> shows the initial query it made for each +A global query option of <em class="parameter"><code>+qr</code></em> is applied, so +that <span><strong class="command">dig</strong></span> shows the initial query it made for each lookup. The final query has a local query option of -<VAR -CLASS="PARAMETER" ->+noqr</VAR -> which means that <B -CLASS="COMMAND" ->dig</B -> +<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span> will not print the initial query when it looks up the NS records for -<VAR -CLASS="LITERAL" ->isc.org</VAR ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN403" -></A -><H2 ->FILES</H2 -><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P -><P -><TT -CLASS="FILENAME" ->${HOME}/.digrc</TT -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN409" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->host</SPAN ->(1)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, -<I -CLASS="CITETITLE" ->RFC1035</I ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN422" -></A -><H2 ->BUGS </H2 -><P ->There are probably too many query options. </P -></DIV -></BODY -></HTML -> +<code class="literal">isc.org</code>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527092"></a><h2>FILES</h2> +<p> +<code class="filename">/etc/resolv.conf</code> +</p> +<p> +<code class="filename">${HOME}/.digrc</code> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527111"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, +<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, +<em class="citetitle">RFC1035</em>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2527149"></a><h2>BUGS </h2> +<p> +There are probably too many query options. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dig/dighost.c b/usr.sbin/bind/bin/dig/dighost.c index f4b07b932d0..57bc3118f5e 100644 --- a/usr.sbin/bind/bin/dig/dighost.c +++ b/usr.sbin/bind/bin/dig/dighost.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dighost.c,v 1.221.2.19.2.20 2004/11/22 23:30:31 marka Exp $ */ +/* $ISC: dighost.c,v 1.221.2.19.2.31 2005/10/14 01:38:40 marka Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -37,7 +37,6 @@ #include <dns/dnssec.h> #include <dns/ds.h> #include <dns/nsec.h> -#include <isc/file.h> #include <isc/random.h> #include <ctype.h> #endif @@ -58,6 +57,7 @@ #include <isc/app.h> #include <isc/base64.h> #include <isc/entropy.h> +#include <isc/file.h> #include <isc/lang.h> #include <isc/netaddr.h> #ifdef DIG_SIGCHASE @@ -90,9 +90,9 @@ static lwres_context_t *lwctx = NULL; static lwres_conf_t *lwconf; -ISC_LIST(dig_lookup_t) lookup_list; +dig_lookuplist_t lookup_list; dig_serverlist_t server_list; -ISC_LIST(dig_searchlist_t) search_list; +dig_searchlistlist_t search_list; isc_boolean_t have_ipv4 = ISC_FALSE, @@ -146,7 +146,7 @@ dig_lookup_t *current_lookup = NULL; #ifdef DIG_SIGCHASE -isc_result_t get_trusted_key(isc_mem_t *mctx); +isc_result_t get_trusted_key(isc_mem_t *mctx); dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, isc_boolean_t *lookedup, @@ -156,103 +156,104 @@ dns_rdataset_t * chase_scanname_section(dns_message_t *msg, dns_rdatatype_t type, dns_rdatatype_t covers, int section); -isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset, +isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers, isc_boolean_t *lookedup); -isc_result_t sigchase_verify_sig_key(dns_name_t *name, +isc_result_t sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t* dnsseckey, dns_rdataset_t *sigrdataset, isc_mem_t *mctx); -isc_result_t sigchase_verify_sig(dns_name_t *name, +isc_result_t sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *keyrdataset, dns_rdataset_t *sigrdataset, isc_mem_t *mctx); -isc_result_t sigchase_verify_ds(dns_name_t *name, +isc_result_t sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdataset_t *dsrdataset, isc_mem_t *mctx); -void sigchase(dns_message_t *msg); -void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx); -void print_rdataset(dns_name_t *name, +void sigchase(dns_message_t *msg); +void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx); +void print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx); -void dup_name(dns_name_t *source, dns_name_t* target, +void dup_name(dns_name_t *source, dns_name_t* target, isc_mem_t *mctx); -void dump_database(void); -void dump_database_section(dns_message_t *msg, int section); +void free_name(dns_name_t *name, isc_mem_t *mctx); +void dump_database(void); +void dump_database_section(dns_message_t *msg, int section); dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers); -isc_result_t contains_trusted_key(dns_name_t *name, +isc_result_t contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_mem_t *mctx); -void print_type(dns_rdatatype_t type); -isc_result_t prove_nx_domain(dns_message_t * msg, +void print_type(dns_rdatatype_t type); +isc_result_t prove_nx_domain(dns_message_t * msg, dns_name_t * name, dns_name_t * rdata_name, dns_rdataset_t ** rdataset, dns_rdataset_t ** sigrdataset); -isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name, +isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name, dns_rdataset_t *nsec, dns_rdataclass_t class, dns_rdatatype_t type, dns_name_t * rdata_name, dns_rdataset_t ** rdataset, dns_rdataset_t ** sigrdataset); -isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name, +isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name, dns_rdataclass_t class, dns_rdatatype_t type, dns_name_t * rdata_name, dns_rdataset_t ** rdataset, dns_rdataset_t ** sigrdataset); static void nameFromString(const char *str, dns_name_t *p_ret); -int inf_name(dns_name_t * name1, dns_name_t * name2); -isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, +int inf_name(dns_name_t * name1, dns_name_t * name2); +isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp); -isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); -void clean_trustedkey(void ); -void insert_trustedkey(dst_key_t * key); +isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); +void clean_trustedkey(void); +void insert_trustedkey(dst_key_t * key); #if DIG_SIGCHASE_BU -isc_result_t getneededrr(dns_message_t *msg); -void sigchase_bottom_up(dns_message_t *msg); -void sigchase_bu(dns_message_t *msg); +isc_result_t getneededrr(dns_message_t *msg); +void sigchase_bottom_up(dns_message_t *msg); +void sigchase_bu(dns_message_t *msg); #endif #if DIG_SIGCHASE_TD -isc_result_t initialization(dns_name_t *name); -isc_result_t prepare_lookup(dns_name_t *name); -isc_result_t grandfather_pb_test(dns_name_t * zone_name, +isc_result_t initialization(dns_name_t *name); +isc_result_t prepare_lookup(dns_name_t *name); +isc_result_t grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t *sigrdataset); -isc_result_t child_of_zone(dns_name_t *name, +isc_result_t child_of_zone(dns_name_t *name, dns_name_t *zone_name, dns_name_t *child_name); -void sigchase_td(dns_message_t *msg); +void sigchase_td(dns_message_t *msg); #endif char trustedkey[MXNAME] = ""; -dns_rdataset_t * chase_rdataset = NULL; -dns_rdataset_t * chase_sigrdataset = NULL; -dns_rdataset_t * chase_dsrdataset = NULL; -dns_rdataset_t * chase_sigdsrdataset = NULL; -dns_rdataset_t * chase_keyrdataset = NULL; -dns_rdataset_t * chase_sigkeyrdataset = NULL; -dns_rdataset_t * chase_nsrdataset = NULL; +dns_rdataset_t *chase_rdataset = NULL; +dns_rdataset_t *chase_sigrdataset = NULL; +dns_rdataset_t *chase_dsrdataset = NULL; +dns_rdataset_t *chase_sigdsrdataset = NULL; +dns_rdataset_t *chase_keyrdataset = NULL; +dns_rdataset_t *chase_sigkeyrdataset = NULL; +dns_rdataset_t *chase_nsrdataset = NULL; -dns_name_t chase_name; /* the query name */ +dns_name_t chase_name; /* the query name */ #if DIG_SIGCHASE_TD /* * the current name is the parent name when we follow delegation */ -dns_name_t chase_current_name; +dns_name_t chase_current_name; /* * the child name is used for delegation (NS DS responses in AUTHORITY section) */ -dns_name_t chase_authority_name; +dns_name_t chase_authority_name; #endif #if DIG_SIGCHASE_BU -dns_name_t chase_signame; +dns_name_t chase_signame; #endif @@ -274,7 +275,7 @@ dns_message_t * error_message = NULL; #endif isc_boolean_t dsvalidating = ISC_FALSE; -isc_boolean_t chase_name_dup = ISC_FALSE; +isc_boolean_t chase_name_dup = ISC_FALSE; ISC_LIST(dig_message_t) chase_message_list; ISC_LIST(dig_message_t) chase_message_list2; @@ -282,11 +283,11 @@ ISC_LIST(dig_message_t) chase_message_list2; #define MAX_TRUSTED_KEY 5 typedef struct struct_trusted_key_list { - dst_key_t * key[MAX_TRUSTED_KEY]; - int nb_tk; + dst_key_t * key[MAX_TRUSTED_KEY]; + int nb_tk; } struct_tk_list; -struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0}; +struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0}; #endif @@ -579,7 +580,7 @@ set_nameserver(char *opt) { return; result = bind9_getaddresses(opt, 0, sockaddrs, - DIG_MAX_ADDRESSES, &count); + DIG_MAX_ADDRESSES, &count); if (result != ISC_R_SUCCESS) fatal("couldn't get address for '%s': %s", opt, isc_result_totext(result)); @@ -688,13 +689,13 @@ make_empty_lookup(void) { #ifdef DIG_SIGCHASE looknew->sigchase = ISC_FALSE; #if DIG_SIGCHASE_TD - looknew->do_topdown = ISC_FALSE; + looknew->do_topdown = ISC_FALSE; looknew->trace_root_sigchase = ISC_FALSE; looknew->rdtype_sigchaseset = ISC_FALSE; looknew->rdtype_sigchase = dns_rdatatype_any; looknew->qrdtype_sigchase = dns_rdatatype_any; looknew->rdclass_sigchase = dns_rdataclass_in; - looknew->rdclass_sigchaseset = ISC_FALSE; + looknew->rdclass_sigchaseset = ISC_FALSE; #endif #endif looknew->udpsize = 0; @@ -763,9 +764,9 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { #ifdef DIG_SIGCHASE looknew->sigchase = lookold->sigchase; #if DIG_SIGCHASE_TD - looknew->do_topdown = lookold->do_topdown; + looknew->do_topdown = lookold->do_topdown; looknew->trace_root_sigchase = lookold->trace_root_sigchase; - looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset; + looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset; looknew->rdtype_sigchase = lookold->rdtype_sigchase; looknew->qrdtype_sigchase = lookold->qrdtype_sigchase; looknew->rdclass_sigchase = lookold->rdclass_sigchase; @@ -940,14 +941,17 @@ setup_system(void) { if (lwresult != LWRES_R_SUCCESS) fatal("lwres_context_create failed"); - (void)lwres_conf_parse(lwctx, RESOLV_CONF); + if (isc_file_exists(RESOLV_CONF)) + lwresult = lwres_conf_parse(lwctx, RESOLV_CONF); + if (lwresult != LWRES_R_SUCCESS) + fatal("parse of %s failed", RESOLV_CONF); + lwconf = lwres_conf_get(lwctx); /* Make the search list */ if (lwconf->searchnxt > 0) create_search_list(lwconf); - else { - /* No search list. Use the domain name if any */ + else { /* No search list. Use the domain name if any */ if (lwconf->domainname != NULL) { domain = make_searchlist_entry(lwconf->domainname); ISC_LIST_INITANDAPPEND(search_list, domain, link); @@ -955,8 +959,10 @@ setup_system(void) { } } - ndots = lwconf->ndots; - debug("ndots is %d.", ndots); + if (ndots == -1) { + ndots = lwconf->ndots; + debug("ndots is %d.", ndots); + } /* If we don't find a nameserver fall back to localhost */ if (lwconf->nsnext == 0) { @@ -981,15 +987,15 @@ setup_system(void) { setup_text_key(); #ifdef DIG_SIGCHASE /* Setup the list of messages for +sigchase */ - ISC_LIST_INIT(chase_message_list); - ISC_LIST_INIT(chase_message_list2); + ISC_LIST_INIT(chase_message_list); + ISC_LIST_INIT(chase_message_list2); dns_name_init(&chase_name, NULL); #if DIG_SIGCHASE_TD dns_name_init(&chase_current_name, NULL); dns_name_init(&chase_authority_name, NULL); #endif #if DIG_SIGCHASE_BU - dns_name_init(&chase_signame, NULL); + dns_name_init(&chase_signame, NULL); #endif #endif @@ -1206,8 +1212,7 @@ try_clear_lookup(dig_lookup_t *lookup) { if (debugging) { q = ISC_LIST_HEAD(lookup->q); while (q != NULL) { - debug("query to %s still pending", - q->servname); + debug("query to %s still pending", q->servname); q = ISC_LIST_NEXT(q, link); } return (ISC_FALSE); @@ -1220,8 +1225,7 @@ try_clear_lookup(dig_lookup_t *lookup) { debug("cleared"); s = ISC_LIST_HEAD(lookup->my_server_list); while (s != NULL) { - debug("freeing server %p belonging to %p", - s, lookup); + debug("freeing server %p belonging to %p", s, lookup); ptr = s; s = ISC_LIST_NEXT(s, link); ISC_LIST_DEQUEUE(lookup->my_server_list, @@ -1274,12 +1278,12 @@ start_lookup(void) { #if DIG_SIGCHASE_TD if (current_lookup->do_topdown && !current_lookup->rdtype_sigchaseset) { - dst_key_t * trustedkey = NULL; + dst_key_t *trustedkey = NULL; isc_buffer_t *b = NULL; isc_region_t r; isc_result_t result; dns_name_t query_name; - dns_name_t * key_name; + dns_name_t *key_name; int i; result = get_trusted_key(mctx); @@ -1292,9 +1296,9 @@ start_lookup(void) { dns_name_init(&query_name, NULL); nameFromString(current_lookup->textname, &query_name); - for (i = 0; i< tk_list.nb_tk; i++) { + for (i = 0; i < tk_list.nb_tk; i++) { key_name = dst_key_name(tk_list.key[i]); - + if (dns_name_issubdomain(&query_name, key_name) == ISC_TRUE) trustedkey = tk_list.key[i]; @@ -1309,35 +1313,32 @@ start_lookup(void) { printf(" isn't a subdomain of any Trusted Keys" ": +sigchase option is disable\n"); current_lookup->sigchase = ISC_FALSE; - dns_name_free(&query_name, mctx); + free_name(&query_name, mctx); goto novalidation; } - dns_name_free(&query_name, mctx); + free_name(&query_name, mctx); - current_lookup->rdtype_sigchase - = current_lookup->rdtype; + = current_lookup->rdtype; current_lookup->rdtype_sigchaseset - = current_lookup->rdtypeset; + = current_lookup->rdtypeset; current_lookup->rdtype = dns_rdatatype_ns; - - + current_lookup->qrdtype_sigchase = current_lookup->qrdtype; current_lookup->qrdtype = dns_rdatatype_ns; - + current_lookup->rdclass_sigchase = current_lookup->rdclass; current_lookup->rdclass_sigchaseset = current_lookup->rdclassset; current_lookup->rdclass = dns_rdataclass_in; - strlcpy(current_lookup->textnamesigchase, current_lookup->textname, MXNAME); current_lookup->trace_root_sigchase = ISC_TRUE; - + result = isc_buffer_allocate(mctx, &b, BUFSIZE); check_result(result, "isc_buffer_allocate"); result = dns_name_totext(dst_key_name(trustedkey), @@ -1462,6 +1463,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) lookup->ns_search_only = query->lookup->ns_search_only; lookup->trace_root = ISC_FALSE; + if (lookup->ns_search_only) + lookup->recurse = ISC_FALSE; } srv = make_server(namestr, namestr); debug("adding server %s", srv->servername); @@ -1632,9 +1635,9 @@ setup_lookup(dig_lookup_t *lookup) { /* XXX New search here? */ if ((count_dots(lookup->textname) >= ndots) || !usesearch) lookup->origin = NULL; /* Force abs lookup */ - else if (lookup->origin == NULL && lookup->new_search && usesearch) { + else if (lookup->origin == NULL && lookup->new_search && usesearch) lookup->origin = ISC_LIST_HEAD(search_list); - } + if (lookup->origin != NULL) { debug("trying origin %s", lookup->origin->origin); result = dns_message_gettempname(lookup->sendmsg, @@ -1918,21 +1921,17 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) { if (ISC_LIST_NEXT(query, link) != NULL) local_timeout = SERVER_TIMEOUT; else { - if (timeout == 0) { + if (timeout == 0) local_timeout = default_timeout; - } else + else local_timeout = timeout; } debug("have local timeout of %d", local_timeout); isc_interval_set(&l->interval, local_timeout, 0); if (l->timer != NULL) isc_timer_detach(&l->timer); - result = isc_timer_create(timermgr, - isc_timertype_once, - NULL, - &l->interval, - global_task, - connect_timeout, + result = isc_timer_create(timermgr, isc_timertype_once, NULL, + &l->interval, global_task, connect_timeout, l, &l->timer); check_result(result, "isc_timer_create"); } @@ -2025,8 +2024,7 @@ send_udp(dig_query_t *query) { l = query->lookup; bringup_timer(query, UDP_TIMEOUT); l->current_query = query; - debug("working on lookup %p, query %p", - query->lookup, query); + debug("working on lookup %p, query %p", query->lookup, query); if (!query->recv_made) { /* XXX Check the sense of this, need assertion? */ query->waiting_connect = ISC_FALSE; @@ -2052,12 +2050,9 @@ send_udp(dig_query_t *query) { ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link); debug("recving with lookup=%p, query=%p, sock=%p", - query->lookup, query, - query->sock); - result = isc_socket_recvv(query->sock, - &query->recvlist, 1, - global_task, recv_done, - query); + query->lookup, query, query->sock); + result = isc_socket_recvv(query->sock, &query->recvlist, 1, + global_task, recv_done, query); check_result(result, "isc_socket_recvv"); recvcount++; debug("recvcount=%d", recvcount); @@ -2093,7 +2088,7 @@ send_udp(dig_query_t *query) { */ static void connect_timeout(isc_task_t *task, isc_event_t *event) { - dig_lookup_t *l = NULL, *n; + dig_lookup_t *l = NULL; dig_query_t *query = NULL, *cq; UNUSED(task); @@ -2129,7 +2124,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { debug("making new TCP request, %d tries left", l->retries); l->retries--; - n = requeue_lookup(l, ISC_TRUE); + requeue_lookup(l, ISC_TRUE); cancel_lookup(l); check_next_lookup(l); } @@ -2216,8 +2211,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) { ENSURE(ISC_LIST_EMPTY(query->recvlist)); ISC_LINK_INIT(&query->recvbuf, link); ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link); - debug("recving with lookup=%p, query=%p", - query->lookup, query); + debug("recving with lookup=%p, query=%p", query->lookup, query); result = isc_socket_recvv(query->sock, &query->recvlist, length, task, recv_done, query); check_result(result, "isc_socket_recvv"); @@ -2335,8 +2329,7 @@ connect_done(isc_task_t *task, isc_event_t *event) { debug("unsuccessful connection: %s", isc_result_totext(sevent->result)); - isc_sockaddr_format(&query->sockaddr, sockstr, - sizeof(sockstr)); + isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr)); if (sevent->result != ISC_R_CANCELED) printf(";; Connection to %s(%s) for %s failed: " "%s.\n", sockstr, @@ -2426,8 +2419,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg, if ((!query->first_soa_rcvd) && (rdata.type != dns_rdatatype_soa)) { puts("; Transfer failed. " - "Didn't start with " - "SOA answer."); + "Didn't start with SOA answer."); return (ISC_TRUE); } if ((!query->second_rr_rcvd) && @@ -2604,7 +2596,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { char buf2[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_t any; - if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) + if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) isc_sockaddr_any(&any); else isc_sockaddr_any6(&any); @@ -2625,7 +2617,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { else #endif /* - * We don't expect a match above when the packet is + * We don't expect a match above when the packet is * sent to 0.0.0.0, :: or to a multicast addresses. * XXXMPA broadcast needs to be handled here as well. */ @@ -2839,9 +2831,6 @@ recv_done(isc_task_t *task, isc_event_t *event) { } if (!l->doing_xfr || l->xfr_q == query) { -#ifdef DIG_SIGCHASE - int count = 0; -#endif if (msg->rcode != dns_rcode_noerror && l->origin != NULL) { if (!next_origin(msg, query)) { printmessage(query, msg, ISC_TRUE); @@ -2854,11 +2843,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { printmessage(query, msg, ISC_TRUE); } else if (l->trace) { int n = 0; -#ifdef DIG_SIGCHASE - count = msg->counts[DNS_SECTION_ANSWER]; -#else int count = msg->counts[DNS_SECTION_ANSWER]; -#endif debug("in TRACE code"); if (!l->ns_search_only) @@ -2881,7 +2866,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (l->trace_root) { /* - * This is the initial NS query. + * This is the initial NS query. */ int n; @@ -2896,9 +2881,9 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (!do_sigchase) #endif printmessage(query, msg, ISC_TRUE); - } + } #ifdef DIG_SIGCHASE - if ( do_sigchase) { + if (do_sigchase) { chase_msg = isc_mem_allocate(mctx, sizeof(dig_message_t)); if (chase_msg == NULL) { @@ -2912,16 +2897,16 @@ recv_done(isc_task_t *task, isc_event_t *event) { fatal("dns_message_create in %s:%d", __FILE__, __LINE__); } - + isc_buffer_usedregion(b, &r); result = isc_buffer_allocate(mctx, &buf, r.length); - + check_result(result, "isc_buffer_allocate"); result = isc_buffer_copyregion(buf, &r); check_result(result, "isc_buffer_copyregion"); - + result = dns_message_parse(msg_temp, buf, 0); - + isc_buffer_free(&buf); chase_msg->msg = msg_temp; @@ -2938,9 +2923,9 @@ recv_done(isc_task_t *task, isc_event_t *event) { #endif } - + #ifdef DIG_SIGCHASE - if (l->sigchase && ISC_LIST_EMPTY(lookup_list) ) { + if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) { sigchase(msg_temp); } #endif @@ -3097,7 +3082,7 @@ cancel_all(void) { */ void destroy_libs(void) { -#ifdef DIG_SIGCHASE +#ifdef DIG_SIGCHASE void * ptr; dig_message_t *chase_msg; #endif @@ -3167,7 +3152,7 @@ destroy_libs(void) { debug("Destroy the messages kept for sigchase"); /* Destroy the messages kept for sigchase */ - chase_msg = ISC_LIST_HEAD(chase_message_list); + chase_msg = ISC_LIST_HEAD(chase_message_list); while (chase_msg != NULL) { INSIST(chase_msg->msg != NULL); @@ -3187,16 +3172,16 @@ destroy_libs(void) { isc_mem_free(mctx, ptr); } if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); + free_name(&chase_name, mctx); #if DIG_SIGCHASE_TD if (dns_name_dynamic(&chase_current_name)) - dns_name_free(&chase_current_name, mctx); + free_name(&chase_current_name, mctx); if (dns_name_dynamic(&chase_authority_name)) - dns_name_free(&chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); #endif #if DIG_SIGCHASE_BU if (dns_name_dynamic(&chase_signame)) - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); #endif debug("Destroy memory"); @@ -3208,7 +3193,7 @@ destroy_libs(void) { isc_mem_destroy(&mctx); } - + #ifdef DIG_SIGCHASE @@ -3218,32 +3203,31 @@ print_type(dns_rdatatype_t type) isc_buffer_t * b = NULL; isc_result_t result; isc_region_t r; - + result = isc_buffer_allocate(mctx, &b, 4000); check_result(result, "isc_buffer_allocate"); result = dns_rdatatype_totext(type, b); check_result(result, "print_type"); - + isc_buffer_usedregion(b, &r); r.base[r.length] = '\0'; - + printf("%s", r.base); isc_buffer_free(&b); } - void -dump_database_section( dns_message_t *msg, int section) +dump_database_section(dns_message_t *msg, int section) { dns_name_t *msg_name=NULL; - + dns_rdataset_t *rdataset; do { dns_message_currentname(msg, section, &msg_name); - + for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { dns_name_print(msg_name, stdout); @@ -3252,35 +3236,32 @@ dump_database_section( dns_message_t *msg, int section) printf("end\n"); } msg_name = NULL; - } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); + } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS); } - -void dump_database(void) -{ +void +dump_database(void) { dig_message_t * msg; for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL; msg = ISC_LIST_NEXT(msg, link)) { if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_ANSWER); - + if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_AUTHORITY); if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL); } } -dns_rdataset_t * search_type(dns_name_t *name, - dns_rdatatype_t type, - dns_rdatatype_t covers) -{ +dns_rdataset_t * +search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) { dns_rdataset_t *rdataset; dns_rdata_sig_t siginfo; dns_rdata_t sigrdata; @@ -3290,10 +3271,9 @@ dns_rdataset_t * search_type(dns_name_t *name, rdataset = ISC_LIST_NEXT(rdataset, link)) { if (type == dns_rdatatype_any) { if (rdataset->type != dns_rdatatype_rrsig) - return rdataset; - } - else if ((type == dns_rdatatype_rrsig) && - (rdataset->type == dns_rdatatype_rrsig)) { + return (rdataset); + } else if ((type == dns_rdatatype_rrsig) && + (rdataset->type == dns_rdatatype_rrsig)) { dns_rdata_init(&sigrdata); result = dns_rdataset_first(rdataset); check_result(result, "empty rdataset"); @@ -3305,38 +3285,35 @@ dns_rdataset_t * search_type(dns_name_t *name, (covers == dns_rdatatype_any)) { dns_rdata_reset(&sigrdata); dns_rdata_freestruct(&siginfo); - return rdataset; + return (rdataset); } dns_rdata_reset(&sigrdata); dns_rdata_freestruct(&siginfo); - } - else if (rdataset->type == type) - return rdataset; + } else if (rdataset->type == type) + return (rdataset); } - return NULL; + return (NULL); } dns_rdataset_t * -chase_scanname_section(dns_message_t *msg, - dns_name_t *name, - dns_rdatatype_t type, - dns_rdatatype_t covers, +chase_scanname_section(dns_message_t *msg, dns_name_t *name, + dns_rdatatype_t type, dns_rdatatype_t covers, int section) { dns_rdataset_t *rdataset; dns_name_t *msg_name = NULL; - + do { dns_message_currentname(msg, section, &msg_name); if (dns_name_compare(msg_name, name) == 0) { rdataset = search_type(msg_name, type, covers); - if ( rdataset != NULL) - return rdataset; + if (rdataset != NULL) + return (rdataset); } msg_name = NULL; - } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); - - return(NULL); + } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS); + + return (NULL); } @@ -3345,7 +3322,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) { dns_rdataset_t *rdataset = NULL; dig_message_t * msg; - + for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL; msg = ISC_LIST_NEXT(msg, link)) { if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) @@ -3354,7 +3331,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) type, covers, DNS_SECTION_ANSWER); if (rdataset != NULL) - return rdataset; + return (rdataset); if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) == ISC_R_SUCCESS) rdataset = @@ -3362,7 +3339,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) type, covers, DNS_SECTION_AUTHORITY); if (rdataset != NULL) - return rdataset; + return (rdataset); if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) == ISC_R_SUCCESS) rdataset = @@ -3370,16 +3347,15 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) covers, DNS_SECTION_ADDITIONAL); if (rdataset != NULL) - return rdataset; + return (rdataset); } - return NULL; + return (NULL); } dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, - isc_boolean_t * lookedup, - dns_name_t *rdata_name ) + isc_boolean_t * lookedup, dns_name_t *rdata_name) { dig_lookup_t *lookup; isc_buffer_t *b = NULL; @@ -3388,18 +3364,17 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, dns_rdataset_t * temp; dns_rdatatype_t querytype; - if ((temp=chase_scanname(rdata_name, type, covers))!=NULL) { - return(temp); - } + temp = chase_scanname(rdata_name, type, covers); + if (temp != NULL) + return (temp); - if (*lookedup == ISC_TRUE) { - return(NULL); - } + if (*lookedup == ISC_TRUE) + return (NULL); lookup = clone_lookup(current_lookup, ISC_TRUE); lookup->trace_root = ISC_FALSE; lookup->new_search = ISC_TRUE; - + result = isc_buffer_allocate(mctx, &b, BUFSIZE); check_result(result, "isc_buffer_allocate"); result = dns_name_totext(rdata_name, ISC_FALSE, b); @@ -3413,9 +3388,10 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, querytype = covers; else querytype = type; + if (querytype == 0 || querytype == 255) { printf("Error in the queried type: %d\n", querytype); - return(NULL); + return (NULL); } lookup->rdtype = querytype; @@ -3427,11 +3403,11 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, printf("\n\nLaunch a query to find a RRset of type "); print_type(type); printf(" for zone: %s\n", lookup->textname); - return(NULL); + return (NULL); } void -insert_trustedkey(dst_key_t * key) +insert_trustedkey(dst_key_t * key) { if (key == NULL) return; @@ -3439,7 +3415,7 @@ insert_trustedkey(dst_key_t * key) return; tk_list.key[tk_list.nb_tk++] = key; - return; + return; } void @@ -3451,8 +3427,7 @@ clean_trustedkey() if (tk_list.key[i] != NULL) { dst_key_free(&tk_list.key[i]); tk_list.key[i] = NULL; - } - else + } else break; } tk_list.nb_tk = 0; @@ -3463,14 +3438,14 @@ char alphnum[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; isc_result_t -removetmpkey(isc_mem_t *mctx, const char *file) +removetmpkey(isc_mem_t *mctx, const char *file) { char *tempnamekey = NULL; int tempnamekeylen; isc_result_t result; - + tempnamekeylen = strlen(file)+10; - + tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); if (tempnamekey == NULL) return (ISC_R_NOMEMORY); @@ -3479,20 +3454,21 @@ removetmpkey(isc_mem_t *mctx, const char *file) strlcat(tempnamekey, file, tempnamekeylen); strlcat(tempnamekey,".key", tempnamekeylen); + isc_file_remove(tempnamekey); result = isc_file_remove(tempnamekey); isc_mem_free(mctx, tempnamekey); - return(result); + return (result); } isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { - FILE *f = NULL; - isc_result_t result; - char *tempname = NULL; + FILE *f = NULL; + isc_result_t result; + char *tempname = NULL; char *tempnamekey = NULL; - int tempnamelen; + int tempnamelen; int tempnamekeylen; char *x; char *cp; @@ -3516,14 +3492,14 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { isc_mem_free(mctx, tempname); return (ISC_R_FAILURE); } - + x = cp--; while (cp >= tempname && *cp == 'X') { isc_random_get(&which); *cp = alphnum[which % (sizeof(alphnum) - 1)]; x = cp--; } - + tempnamekeylen = tempnamelen+5; tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); if (tempnamekey == NULL) @@ -3533,7 +3509,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { strlcpy(tempnamekey, tempname, tempnamelen); strlcat(tempnamekey ,".key", tempnamelen); - + if (isc_file_exists(tempnamekey)) { isc_mem_free(mctx, tempnamekey); isc_mem_free(mctx, tempname); @@ -3543,19 +3519,19 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { if ((f = fopen(tempnamekey, "w")) == NULL) { printf("get_trusted_key(): trusted key not found %s\n", tempnamekey); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } break; } isc_mem_free(mctx, tempnamekey); - *tempp = tempname; - *fp = f; - return (ISC_R_SUCCESS); + *tempp = tempname; + *fp = f; + return (ISC_R_SUCCESS); cleanup: - isc_mem_free(mctx, tempname); + isc_mem_free(mctx, tempname); - return (result); + return (result); } @@ -3563,57 +3539,55 @@ isc_result_t get_trusted_key(isc_mem_t *mctx) { isc_result_t result; - const char * filename = NULL; - char * filetemp =NULL; + const char *filename = NULL; + char *filetemp = NULL; char buf[1500]; - FILE *fp , *fptemp; - dst_key_t * key = NULL; - - result = isc_file_exists(trustedkey); + FILE *fp, *fptemp; + dst_key_t *key = NULL; + + result = isc_file_exists(trustedkey); if (result != ISC_TRUE) { - result = isc_file_exists("/etc/trusted-key.key"); + result = isc_file_exists("/etc/trusted-key.key"); if (result != ISC_TRUE) { - result = isc_file_exists("./trusted-key.key"); + result = isc_file_exists("./trusted-key.key"); if (result != ISC_TRUE) - return ISC_R_FAILURE; + return (ISC_R_FAILURE); else filename = "./trusted-key.key"; - } - else + } else filename = "/etc/trusted-key.key"; - } - else + } else filename = trustedkey; if (filename == NULL) { printf("No trusted key\n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } if ((fp = fopen(filename, "r")) == NULL) { printf("get_trusted_key(): trusted key not found %s\n", filename); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } while (fgets(buf, 1500, fp) != NULL) { result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp); if (result != ISC_R_SUCCESS) { fclose(fp); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } - if (fputs(buf, fptemp)<0) { + if (fputs(buf, fptemp) < 0) { fclose(fp); fclose(fptemp); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } fclose(fptemp); result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC, mctx, &key); removetmpkey(mctx, filetemp); isc_mem_free(mctx, filetemp); - if (result != ISC_R_SUCCESS ) { + if (result != ISC_R_SUCCESS) { fclose(fp); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } insert_trustedkey(key); #if 0 @@ -3621,7 +3595,7 @@ get_trusted_key(isc_mem_t *mctx) #endif key = NULL; } - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } @@ -3644,19 +3618,19 @@ nameFromString(const char *str, dns_name_t *p_ret) { check_result(result, "nameFromString"); if (dns_name_dynamic(p_ret)) - dns_name_free(p_ret, mctx); - + free_name(p_ret, mctx); + result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret); check_result(result, "nameFromString"); -} +} #if DIG_SIGCHASE_TD -isc_result_t +isc_result_t prepare_lookup(dns_name_t *name) { - isc_result_t result; - dig_lookup_t * lookup = NULL; + isc_result_t result; + dig_lookup_t *lookup = NULL; dig_server_t *s; void *ptr; @@ -3670,7 +3644,7 @@ prepare_lookup(dns_name_t *name) lookup->rdtype = lookup->rdtype_sigchase; lookup->rdtypeset = ISC_TRUE; lookup->qrdtype = lookup->qrdtype_sigchase; - + s = ISC_LIST_HEAD(lookup->my_server_list); while (s != NULL) { debug("freeing server %p belonging to %p", @@ -3681,7 +3655,7 @@ prepare_lookup(dns_name_t *name) (dig_server_t *)ptr, link); isc_mem_free(mctx, ptr); } - + for (result = dns_rdataset_first(chase_nsrdataset); result == ISC_R_SUCCESS; @@ -3690,13 +3664,13 @@ prepare_lookup(dns_name_t *name) dns_rdata_ns_t ns; dns_rdata_t rdata = DNS_RDATA_INIT; dig_server_t * srv = NULL; -#define __FOLLOW_GLUE__ +#define __FOLLOW_GLUE__ #ifdef __FOLLOW_GLUE__ - isc_buffer_t * b = NULL; + isc_buffer_t *b = NULL; isc_result_t result; isc_region_t r; - dns_rdataset_t * rdataset =NULL; - isc_boolean_t true = ISC_TRUE; + dns_rdataset_t *rdataset = NULL; + isc_boolean_t true = ISC_TRUE; #endif memset(namestr, 0, DNS_NAME_FORMATSIZE); @@ -3704,11 +3678,11 @@ prepare_lookup(dns_name_t *name) dns_rdataset_current(chase_nsrdataset, &rdata); (void)dns_rdata_tostruct(&rdata, &ns, NULL); - - - + + + #ifdef __FOLLOW_GLUE__ - + result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_aaaa, dns_rdatatype_any, &true); @@ -3732,12 +3706,12 @@ prepare_lookup(dns_name_t *name) srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } } - + rdataset = NULL; result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a, dns_rdatatype_any, &true); @@ -3759,28 +3733,28 @@ prepare_lookup(dns_name_t *name) isc_buffer_free(&b); dns_rdata_reset(&a); printf("ns name: %s\n", namestr); - + srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } } #else - + dns_name_format(&ns.name, namestr, sizeof(namestr)); printf("ns name: "); dns_name_print(&ns.name, stdout); printf("\n"); srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); -#endif +#endif dns_rdata_freestruct(&ns); dns_rdata_reset(&rdata); - + } ISC_LIST_APPEND(lookup_list, lookup, link); @@ -3790,7 +3764,7 @@ prepare_lookup(dns_name_t *name) printf(" with nameservers:"); printf("\n"); print_rdataset(name, chase_nsrdataset, mctx); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } @@ -3803,15 +3777,14 @@ child_of_zone(dns_name_t * name, dns_name_t * zone_name, unsigned int nlabelsp; name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp); - if ( (name_reln != dns_namereln_subdomain) || - (dns_name_countlabels(name) <= - dns_name_countlabels(zone_name) +1)) { + if (name_reln != dns_namereln_subdomain || + dns_name_countlabels(name) <= dns_name_countlabels(zone_name) + 1) { printf("\n;; ERROR : "); dns_name_print(name, stdout); printf(" is not a subdomain of: "); dns_name_print(zone_name, stdout); printf(" FAILED\n\n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } dns_name_getlabelsequence(name, @@ -3819,11 +3792,11 @@ child_of_zone(dns_name_t * name, dns_name_t * zone_name, dns_name_countlabels(zone_name) -1, dns_name_countlabels(zone_name) +1, child_name); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } isc_result_t -grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t * sigrdataset) +grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_rdata_t sigrdata; @@ -3832,31 +3805,31 @@ grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t * sigrdataset) result = dns_rdataset_first(sigrdataset); check_result(result, "empty RRSIG dataset"); dns_rdata_init(&sigrdata); - + do { dns_rdataset_current(sigrdataset, &sigrdata); - + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); - + if (dns_name_compare(&siginfo.signer, zone_name) == 0) { dns_rdata_freestruct(&siginfo); dns_rdata_reset(&sigrdata); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } dns_rdata_freestruct(&siginfo); - + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&sigrdata); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } isc_result_t -initialization(dns_name_t * name) +initialization(dns_name_t *name) { isc_result_t result; isc_boolean_t true = ISC_TRUE; @@ -3867,21 +3840,21 @@ initialization(dns_name_t * name) if (result != ISC_R_SUCCESS) { printf("\n;; NS RRset is missing to continue validation:" " FAILED\n\n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } INSIST(chase_nsrdataset != NULL); prepare_lookup(name); dup_name(name, &chase_current_name, mctx); - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } -#endif +#endif void -print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx) +print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx) { - isc_buffer_t * b = NULL; + isc_buffer_t *b = NULL; isc_result_t result; isc_region_t r; @@ -3900,16 +3873,22 @@ print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx) } -void +void dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) { - isc_result_t result; - + isc_result_t result; + if (dns_name_dynamic(target)) - dns_name_free(target, mctx); + free_name(target, mctx); result = dns_name_dup(source, mctx, target); check_result(result, "dns_name_dup"); } +void +free_name(dns_name_t *name, isc_mem_t *mctx) { + dns_name_free(name, mctx); + dns_name_init(name, NULL); +} + /* * * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter @@ -3927,13 +3906,12 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, { isc_result_t result; dns_rdata_t rdata; - dst_key_t * trustedKey = NULL; - dst_key_t * dnsseckey = NULL; + dst_key_t *trustedKey = NULL; + dst_key_t *dnsseckey = NULL; int i; - - if (name == NULL || rdataset == NULL) { - return ISC_R_FAILURE; - } + + if (name == NULL || rdataset == NULL) + return (ISC_R_FAILURE); result = dns_rdataset_first(rdataset); check_result(result, "empty rdataset"); @@ -3942,13 +3920,13 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(rdataset, &rdata); INSIST(rdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); - - for (i = 0; i< tk_list.nb_tk; i++) { + + for (i = 0; i < tk_list.nb_tk; i++) { if (dst_key_compare(tk_list.key[i], dnsseckey) == ISC_TRUE) { dns_rdata_reset(&rdata); @@ -3963,11 +3941,11 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, == ISC_R_SUCCESS) { dst_key_free(&dnsseckey); dnsseckey = NULL; - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); } } } - + dns_rdata_reset(&rdata); if (dnsseckey != NULL) dst_key_free(&dnsseckey); @@ -3976,8 +3954,8 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, if (trustedKey != NULL) dst_key_free(&trustedKey); trustedKey = NULL; - - return ISC_R_NOTFOUND; + + return (ISC_R_NOTFOUND); } isc_result_t @@ -3988,7 +3966,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, { isc_result_t result; dns_rdata_t keyrdata; - dst_key_t * dnsseckey = NULL; + dst_key_t *dnsseckey = NULL; result = dns_rdataset_first(keyrdataset); check_result(result, "empty DNSKEY dataset"); @@ -3997,7 +3975,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); @@ -4007,20 +3985,20 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, if (result == ISC_R_SUCCESS) { dns_rdata_reset(&keyrdata); dst_key_free(&dnsseckey); - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } dst_key_free(&dnsseckey); } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); - + dns_rdata_reset(&keyrdata); - - return ISC_R_NOTFOUND; + + return (ISC_R_NOTFOUND); } isc_result_t sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, - dst_key_t* dnsseckey, - dns_rdataset_t *sigrdataset, isc_mem_t *mctx) + dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset, + isc_mem_t *mctx) { isc_result_t result; dns_rdata_t sigrdata; @@ -4029,22 +4007,22 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, result = dns_rdataset_first(sigrdataset); check_result(result, "empty RRSIG dataset"); dns_rdata_init(&sigrdata); - + do { dns_rdataset_current(sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); - + /* * Test if the id of the DNSKEY is * the id of the DNSKEY signer's */ if (siginfo.keyid == dst_key_id(dnsseckey)) { - + result = dns_rdataset_first(rdataset); check_result(result, "empty DS dataset"); - + result = dns_dnssec_verify(name, rdataset, dnsseckey, ISC_FALSE, mctx, &sigrdata); @@ -4054,19 +4032,19 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, dns_name_print(name, stdout); printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey), isc_result_totext(result)); - + if (result == ISC_R_SUCCESS) { dns_rdata_reset(&sigrdata); - return result; + return (result); } } dns_rdata_freestruct(&siginfo); - + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&sigrdata); - return ISC_R_NOTFOUND; + return (ISC_R_NOTFOUND); } @@ -4079,7 +4057,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_t newdsrdata; dns_rdata_t dsrdata; dns_rdata_ds_t dsinfo; - dst_key_t* dnsseckey = NULL; + dst_key_t *dnsseckey = NULL; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; result = dns_rdataset_first(dsrdataset); @@ -4087,18 +4065,18 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_init(&dsrdata); do { dns_rdataset_current(dsrdataset, &dsrdata); - + result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL); check_result(result, "dns_rdata_tostruct for DS"); - + result = dns_rdataset_first(keyrdataset); check_result(result, "empty KEY dataset"); - dns_rdata_init(&keyrdata); + dns_rdata_init(&keyrdata); do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); @@ -4113,17 +4091,17 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, result = dns_ds_buildrdata(name, &keyrdata, dsinfo.digest_type, dsbuf, &newdsrdata); - dns_rdata_freestruct(&dsinfo); + dns_rdata_freestruct(&dsinfo); if (result != ISC_R_SUCCESS) { dns_rdata_reset(&keyrdata); dns_rdata_reset(&newdsrdata); dns_rdata_reset(&dsrdata); dst_key_free(&dnsseckey); - dns_rdata_freestruct(&dsinfo); + dns_rdata_freestruct(&dsinfo); printf("Oops: impossible to build" " new DS rdata\n"); - return result; + return (result); } @@ -4134,7 +4112,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, printf(";; Now verify that this" " DNSKEY validates the " "DNSKEY RRset\n"); - + result = sigchase_verify_sig_key(name, keyrdataset, dnsseckey, @@ -4145,11 +4123,10 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_reset(&newdsrdata); dns_rdata_reset(&dsrdata); dst_key_free(&dnsseckey); - - return result; + + return (result); } - } - else { + } else { printf(";; This DS is NOT the DS for" " the chasing KEY: FAILED\n"); } @@ -4160,13 +4137,13 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dnsseckey = NULL; } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); dns_rdata_reset(&keyrdata); - + } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS); #if 0 dns_rdata_reset(&dsrdata); WARNING #endif - - return ISC_R_NOTFOUND; + + return (ISC_R_NOTFOUND); } /* @@ -4178,20 +4155,19 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, * ISC_R_SUCCESS: if we found the rrset * ISC_R_NOTFOUND: we do not found the rrset in cache * and we do a query on the net - * ISC_R_FAILURE: rrset not found + * ISC_R_FAILURE: rrset not found */ isc_result_t -advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name, - dns_rdatatype_t type, - dns_rdatatype_t covers, +advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name, + dns_rdatatype_t type, dns_rdatatype_t covers, isc_boolean_t *lookedup) -{ +{ isc_boolean_t tmplookedup; INSIST(rdataset != NULL); if (*rdataset != NULL) - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); tmplookedup = *lookedup; if ((*rdataset = sigchase_scanname(type, covers, @@ -4201,20 +4177,19 @@ advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name, return (ISC_R_NOTFOUND); } *lookedup = ISC_FALSE; - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } #if DIG_SIGCHASE_TD void -sigchase_td(dns_message_t * msg) +sigchase_td(dns_message_t *msg) { - isc_result_t result; - dns_name_t * name = NULL; - isc_boolean_t have_answer = ISC_FALSE; - - isc_boolean_t true = ISC_TRUE; + isc_result_t result; + dns_name_t *name = NULL; + isc_boolean_t have_answer = ISC_FALSE; + isc_boolean_t true = ISC_TRUE; if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) == ISC_R_SUCCESS) { @@ -4224,8 +4199,7 @@ sigchase_td(dns_message_t * msg) return; } have_answer = true; - } - else { + } else { if (!current_lookup->trace_root_sigchase) { result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY); @@ -4245,8 +4219,7 @@ sigchase_td(dns_message_t * msg) " in authority section:"); dns_name_print(name, stdout); printf("\n"); - } - else { + } else { printf("no response and no delegation in " "authority section but a reference" " to: "); @@ -4254,17 +4227,16 @@ sigchase_td(dns_message_t * msg) printf("\n"); error_message = msg; } - } - else { + } else { printf(";; NO ANSWERS: %s\n", isc_result_totext(result)); - dns_name_free(&chase_name, mctx); + free_name(&chase_name, mctx); clean_trustedkey(); return; } } - + if (have_answer) { chase_rdataset = chase_scanname_section(msg, &chase_name, @@ -4316,8 +4288,7 @@ sigchase_td(dns_message_t * msg) chase_keyrdataset, chase_sigkeyrdataset, mctx); - } - else { + } else { INSIST(chase_dsrdataset != NULL); INSIST(chase_sigdsrdataset != NULL); result = sigchase_verify_ds(&chase_current_name, @@ -4325,13 +4296,12 @@ sigchase_td(dns_message_t * msg) chase_dsrdataset, mctx); } - + if (result != ISC_R_SUCCESS) { printf("\n;; chain of trust can't be validated:" " FAILED\n\n"); goto cleanandgo; - } - else { + } else { chase_dsrdataset = NULL; chase_sigdsrdataset = NULL; } @@ -4353,9 +4323,8 @@ sigchase_td(dns_message_t * msg) " FAILED\n\n"); goto cleanandgo; } - - } - else { + + } else { result = advanced_rrsearch(&chase_sigrdataset, &chase_authority_name, dns_rdatatype_rrsig, @@ -4379,20 +4348,19 @@ sigchase_td(dns_message_t * msg) chase_sigrdataset = NULL; have_response = ISC_FALSE; have_delegation_ns = ISC_FALSE; - + dns_name_init(&tmp_name, NULL); result = child_of_zone(&chase_name, &chase_current_name, &tmp_name); if (dns_name_dynamic(&chase_authority_name)) - dns_name_free( &chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); dup_name(&tmp_name, &chase_authority_name, mctx); printf(";; and we try to continue chain of trust" " validation of the zone: "); dns_name_print(&chase_authority_name, stdout); printf("\n"); have_delegation_ns = ISC_TRUE; - } - else { + } else { if (have_response) goto finalstep; else @@ -4416,7 +4384,7 @@ sigchase_td(dns_message_t * msg) return; } INSIST(chase_nsrdataset != NULL); - + result = advanced_rrsearch(&chase_dsrdataset, &chase_authority_name, dns_rdatatype_ds, @@ -4459,8 +4427,8 @@ sigchase_td(dns_message_t * msg) } chase_keyrdataset = NULL; chase_sigkeyrdataset = NULL; - - + + prepare_lookup(&chase_authority_name); have_response = ISC_FALSE; @@ -4468,24 +4436,24 @@ sigchase_td(dns_message_t * msg) delegation_follow = ISC_TRUE; error_message = NULL; dup_name(&chase_authority_name, &chase_current_name, mctx); - dns_name_free(&chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); return; } - + if (error_message != NULL) { - dns_rdataset_t * rdataset; - dns_rdataset_t * sigrdataset; - dns_name_t rdata_name; - isc_result_t ret = ISC_R_FAILURE; + dns_rdataset_t *rdataset; + dns_rdataset_t *sigrdataset; + dns_name_t rdata_name; + isc_result_t ret = ISC_R_FAILURE; dns_name_init(&rdata_name, NULL); result = prove_nx(error_message, &chase_name, current_lookup->rdclass_sigchase, current_lookup->rdtype_sigchase, &rdata_name, &rdataset, &sigrdataset); - if (&rdata_name == NULL || rdataset == NULL || - sigrdataset == NULL) { + if (rdataset == NULL || sigrdataset == NULL || + dns_name_countlabels(&rdata_name) == 0) { printf("\n;; Impossible to verify the non-existence," " the NSEC RRset can't be validated:" " FAILED\n\n"); @@ -4495,18 +4463,17 @@ sigchase_td(dns_message_t * msg) chase_keyrdataset, sigrdataset, mctx); if (ret != ISC_R_SUCCESS) { - dns_name_free(&rdata_name, mctx); + free_name(&rdata_name, mctx); printf("\n;; Impossible to verify the NSEC RR to prove" " the non-existence : FAILED\n\n"); goto cleanandgo; } - dns_name_free(&rdata_name, mctx); + free_name(&rdata_name, mctx); if (result != ISC_R_SUCCESS) { printf("\n;; Impossible to verify the non-existence:" " FAILED\n\n"); goto cleanandgo; - } - else { + } else { printf("\n;; OK the query doesn't have response but" " we have validate this fact : SUCCESS\n\n"); goto cleanandgo; @@ -4516,9 +4483,9 @@ sigchase_td(dns_message_t * msg) cleanandgo: printf(";; cleanandgo \n"); if (dns_name_dynamic(&chase_current_name)) - dns_name_free(&chase_current_name, mctx); + free_name(&chase_current_name, mctx); if (dns_name_dynamic(&chase_authority_name)) - dns_name_free(&chase_authority_name, mctx); + free_name(&chase_authority_name, mctx); clean_trustedkey(); return; @@ -4547,8 +4514,7 @@ sigchase_td(dns_message_t * msg) printf("\n"); */ goto cleanandgo; - } - else { + } else { printf("\n;; The Answer:\n"); print_rdataset(&chase_name , chase_rdataset, mctx); @@ -4558,7 +4524,7 @@ sigchase_td(dns_message_t * msg) } } -#endif +#endif #if DIG_SIGCHASE_BU @@ -4575,12 +4541,10 @@ getneededrr(dns_message_t *msg) if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) != ISC_R_SUCCESS) { printf(";; NO ANSWERS: %s\n", isc_result_totext(result)); - - if (chase_name.ndata == NULL) { - return ISC_R_ADDRNOTAVAIL; - } - } - else { + + if (chase_name.ndata == NULL) + return (ISC_R_ADDRNOTAVAIL); + } else { dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); } @@ -4591,7 +4555,7 @@ getneededrr(dns_message_t *msg) dns_rdatatype_any, &true); if (result != ISC_R_SUCCESS) { printf("\n;; No Answers: Validation FAILED\n\n"); - return ISC_R_NOTFOUND; + return (ISC_R_NOTFOUND); } dup_name(name, &chase_name, mctx); printf(";; RRset to chase:\n"); @@ -4609,18 +4573,18 @@ getneededrr(dns_message_t *msg) printf("\n;; RRSIG is missing for continue validation:" " FAILED\n\n"); if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); - return ISC_R_NOTFOUND; + free_name(&chase_name, mctx); + return (ISC_R_NOTFOUND); } if (result == ISC_R_NOTFOUND) { - return(ISC_R_NOTFOUND); + return (ISC_R_NOTFOUND); } printf("\n;; RRSIG of the RRset to chase:\n"); print_rdataset(&chase_name, chase_sigrdataset, mctx); } INSIST(chase_sigrdataset != NULL); - + /* first find the DNSKEY name */ result = dns_rdataset_first(chase_sigrdataset); check_result(result, "empty RRSIG dataset"); @@ -4631,7 +4595,7 @@ getneededrr(dns_message_t *msg) dup_name(&siginfo.signer, &chase_signame, mctx); dns_rdata_freestruct(&siginfo); dns_rdata_reset(&sigrdata); - + /* Do we have a key? */ if (chase_keyrdataset == NULL) { result = advanced_rrsearch(&chase_keyrdataset, @@ -4642,14 +4606,14 @@ getneededrr(dns_message_t *msg) if (result == ISC_R_FAILURE) { printf("\n;; DNSKEY is missing to continue validation:" " FAILED\n\n"); - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); - return ISC_R_NOTFOUND; + free_name(&chase_name, mctx); + return (ISC_R_NOTFOUND); } if (result == ISC_R_NOTFOUND) { - dns_name_free(&chase_signame, mctx); - return(ISC_R_NOTFOUND); + free_name(&chase_signame, mctx); + return (ISC_R_NOTFOUND); } printf("\n;; DNSKEYset that signs the RRset to chase:\n"); print_rdataset(&chase_signame, chase_keyrdataset, mctx); @@ -4665,14 +4629,14 @@ getneededrr(dns_message_t *msg) if (result == ISC_R_FAILURE) { printf("\n;; RRSIG for DNSKEY is missing to continue" " validation : FAILED\n\n"); - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); if (dns_name_dynamic(&chase_name)) - dns_name_free(&chase_name, mctx); - return ISC_R_NOTFOUND; + free_name(&chase_name, mctx); + return (ISC_R_NOTFOUND); } if (result == ISC_R_NOTFOUND) { - dns_name_free(&chase_signame, mctx); - return(ISC_R_NOTFOUND); + free_name(&chase_signame, mctx); + return (ISC_R_NOTFOUND); } printf("\n;; RRSIG of the DNSKEYset that signs the " "RRset to chase:\n"); @@ -4692,15 +4656,15 @@ getneededrr(dns_message_t *msg) printf("\n"); } if (result == ISC_R_NOTFOUND) { - dns_name_free(&chase_signame, mctx); - return(ISC_R_NOTFOUND); + free_name(&chase_signame, mctx); + return (ISC_R_NOTFOUND); } if (chase_dsrdataset != NULL) { printf("\n;; DSset of the DNSKEYset\n"); print_rdataset(&chase_signame, chase_dsrdataset, mctx); } } - + if (chase_dsrdataset != NULL) { /* * if there is no RRSIG of DS, @@ -4718,14 +4682,13 @@ getneededrr(dns_message_t *msg) * because the DNSKEY could be a Trusted Key. */ chase_dsrdataset = NULL; - } - else { + } else { printf("\n;; RRSIG of the DSset of the DNSKEYset\n"); print_rdataset(&chase_signame, chase_sigdsrdataset, mctx); } } - return(1); + return (1); } @@ -4744,28 +4707,29 @@ sigchase_bu(dns_message_t *msg) } } - + ret = getneededrr(msg); if (ret == ISC_R_NOTFOUND) return; if (ret == ISC_R_ADDRNOTAVAIL) { /* We have no response */ - dns_rdataset_t * rdataset; - dns_rdataset_t * sigrdataset; - dns_name_t rdata_name; - dns_name_t query_name; + dns_rdataset_t *rdataset; + dns_rdataset_t *sigrdataset; + dns_name_t rdata_name; + dns_name_t query_name; dns_name_init(&query_name, NULL); + dns_name_init(&rdata_name, NULL); nameFromString(current_lookup->textname, &query_name); - + result = prove_nx(msg, &query_name, current_lookup->rdclass, current_lookup->rdtype, &rdata_name, &rdataset, &sigrdataset); - dns_name_free(&query_name, mctx); - if (&rdata_name == NULL || rdataset == NULL || - sigrdataset == NULL) { + free_name(&query_name, mctx); + if (rdataset == NULL || sigrdataset == NULL || + dns_name_countlabels(&rdata_name) == 0) { printf("\n;; Impossible to verify the Non-existence," " the NSEC RRset can't be validated: " "FAILED\n\n"); @@ -4783,7 +4747,7 @@ sigchase_bu(dns_message_t *msg) " Now we want validate this NSEC\n"); dup_name(&rdata_name, &chase_name, mctx); - dns_name_free(&rdata_name, mctx); + free_name(&rdata_name, mctx); chase_rdataset = rdataset; chase_sigrdataset = sigrdataset; chase_keyrdataset = NULL; @@ -4798,7 +4762,7 @@ sigchase_bu(dns_message_t *msg) clean_trustedkey(); return; } - + printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n"); @@ -4806,8 +4770,8 @@ sigchase_bu(dns_message_t *msg) chase_keyrdataset, chase_sigrdataset, mctx); if (result != ISC_R_SUCCESS) { - dns_name_free(&chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_name, mctx); + free_name(&chase_signame, mctx); printf(";; No DNSKEY is valid to check the RRSIG" " of the RRset: FAILED\n"); clean_trustedkey(); @@ -4818,8 +4782,8 @@ sigchase_bu(dns_message_t *msg) result = contains_trusted_key(&chase_signame, chase_keyrdataset, chase_sigkeyrdataset, mctx); if (result == ISC_R_SUCCESS) { - dns_name_free(&chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_name, mctx); + free_name(&chase_signame, mctx); printf("\n;; Ok this DNSKEY is a Trusted Key," " DNSSEC validation is ok: SUCCESS\n\n"); clean_trustedkey(); @@ -4829,8 +4793,8 @@ sigchase_bu(dns_message_t *msg) printf(";; Now, we are going to validate this DNSKEY by the DS\n"); if (chase_dsrdataset == NULL) { - dns_name_free(&chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_name, mctx); + free_name(&chase_signame, mctx); printf(";; the DNSKEY isn't trusted-key and there isn't" " DS to validate the DNSKEY: FAILED\n"); clean_trustedkey(); @@ -4840,21 +4804,20 @@ sigchase_bu(dns_message_t *msg) result = sigchase_verify_ds(&chase_signame, chase_keyrdataset, chase_dsrdataset, mctx); if (result != ISC_R_SUCCESS) { - dns_name_free(&chase_signame, mctx); - dns_name_free(&chase_name, mctx); + free_name(&chase_signame, mctx); + free_name(&chase_name, mctx); printf(";; ERROR no DS validates a DNSKEY in the" " DNSKEY RRset: FAILED\n"); clean_trustedkey(); return; - } - else + } else printf(";; OK this DNSKEY (validated by the DS) validates" " the RRset of the DNSKEYs, thus the DNSKEY validates" " the RRset\n"); INSIST(chase_sigdsrdataset != NULL); dup_name(&chase_signame, &chase_name, mctx); - dns_name_free(&chase_signame, mctx); + free_name(&chase_signame, mctx); chase_rdataset = chase_dsrdataset; chase_sigrdataset = chase_sigdsrdataset; chase_keyrdataset = NULL; @@ -4863,7 +4826,7 @@ sigchase_bu(dns_message_t *msg) chase_sigdsrdataset = NULL; chase_siglookedup = chase_keylookedup = ISC_FALSE; chase_dslookedup = chase_sigdslookedup = ISC_FALSE; - + printf(";; Now, we want to validate the DS : recursive call\n"); sigchase(msg); return; @@ -4871,8 +4834,7 @@ sigchase_bu(dns_message_t *msg) #endif void -sigchase(dns_message_t * msg) -{ +sigchase(dns_message_t *msg) { #if DIG_SIGCHASE_TD if (current_lookup->do_topdown) { sigchase_td(msg); @@ -4888,12 +4850,12 @@ sigchase(dns_message_t * msg) /* * return 1 if name1 < name2 - * 0 if name1 == name2 - * -1 if name1 > name2 + * 0 if name1 == name2 + * -1 if name1 > name2 * and -2 if problem */ int -inf_name(dns_name_t * name1, dns_name_t * name2) +inf_name(dns_name_t *name1, dns_name_t *name2) { dns_label_t label1; dns_label_t label2; @@ -4916,19 +4878,19 @@ inf_name(dns_name_t * name1, dns_name_t * name2) dns_name_getlabel(name1, nblabel1 -1 - i, &label1); dns_name_getlabel(name2, nblabel2 -1 - i, &label2); if ((ret = isc_region_compare(&label1, &label2)) != 0) { - if (ret <0 ) - return -1; - else if (ret >0 ) - return 1; + if (ret < 0) + return (-1); + else if (ret > 0) + return (1); } } if (nblabel1 == nblabel2) - return 0; + return (0); if (nblabel1 < nblabel2) - return -1; + return (-1); else - return 1; + return (1); } /** @@ -4940,24 +4902,24 @@ isc_result_t prove_nx_domain(dns_message_t *msg, dns_name_t *name, dns_name_t *rdata_name, - dns_rdataset_t ** rdataset, + dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset) { - isc_result_t ret = ISC_R_FAILURE; - isc_result_t result = ISC_R_NOTFOUND; - dns_rdataset_t * nsecset = NULL; - dns_rdataset_t * signsecset = NULL ; - dns_rdata_t nsec = DNS_RDATA_INIT; - dns_name_t * nsecname; - dns_rdata_nsec_t nsecstruct; - + isc_result_t ret = ISC_R_FAILURE; + isc_result_t result = ISC_R_NOTFOUND; + dns_rdataset_t *nsecset = NULL; + dns_rdataset_t *signsecset = NULL ; + dns_rdata_t nsec = DNS_RDATA_INIT; + dns_name_t *nsecname; + dns_rdata_nsec_t nsecstruct; + if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY)) != ISC_R_SUCCESS) { printf(";; nothing in authority section : impossible to" " validate the non-existence : FAILED\n"); - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } - + do { nsecname = NULL; dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname); @@ -4985,7 +4947,7 @@ prove_nx_domain(dns_message_t *msg, printf(";; no RRSIG NSEC in authority section:" " impossible to validate the " "non-existence: FAILED\n"); - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL); @@ -4999,8 +4961,8 @@ prove_nx_domain(dns_message_t *msg, *rdataset = nsecset; *sigrdataset = signsecset; dup_name(nsecname, rdata_name, mctx); - - return ISC_R_SUCCESS; + + return (ISC_R_SUCCESS); } dns_rdata_freestruct(&nsecstruct); @@ -5011,7 +4973,7 @@ prove_nx_domain(dns_message_t *msg, *rdataset = NULL; *sigrdataset = NULL; rdata_name = NULL; - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } /** @@ -5022,27 +4984,22 @@ prove_nx_domain(dns_message_t *msg, * */ isc_result_t -prove_nx_type(dns_message_t * msg, - dns_name_t *name, - dns_rdataset_t *nsecset, - dns_rdataclass_t class, - dns_rdatatype_t type, - dns_name_t * rdata_name, - dns_rdataset_t ** rdataset, - dns_rdataset_t ** sigrdataset) +prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset, + dns_rdataclass_t class, dns_rdatatype_t type, + dns_name_t *rdata_name, dns_rdataset_t **rdataset, + dns_rdataset_t **sigrdataset) { - isc_result_t ret; - dns_rdataset_t * signsecset; - dns_rdata_t nsec = DNS_RDATA_INIT; + isc_result_t ret; + dns_rdataset_t *signsecset; + dns_rdata_t nsec = DNS_RDATA_INIT; UNUSED(class); - UNUSED(rdata_name); - + ret = dns_rdataset_first(nsecset); check_result(ret,"dns_rdataset_first"); dns_rdataset_current(nsecset, &nsec); - + ret = dns_nsec_typepresent(&nsec, type); if (ret == ISC_R_SUCCESS) printf("OK the NSEC said that the type doesn't exist \n"); @@ -5053,8 +5010,9 @@ prove_nx_type(dns_message_t * msg, DNS_SECTION_AUTHORITY); if (signsecset == NULL) { printf("There isn't RRSIG NSEC for the zone \n"); - return ISC_R_FAILURE; + return (ISC_R_FAILURE); } + dup_name(name, rdata_name, mctx); *rdataset = nsecset; *sigrdataset = signsecset; @@ -5068,17 +5026,12 @@ prove_nx_type(dns_message_t * msg, * */ isc_result_t -prove_nx(dns_message_t * msg, - dns_name_t * name, - dns_rdataclass_t class, - dns_rdatatype_t type, - dns_name_t * rdata_name, - dns_rdataset_t ** rdataset, - dns_rdataset_t ** sigrdataset) +prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class, + dns_rdatatype_t type, dns_name_t *rdata_name, + dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset) { isc_result_t ret; - dns_rdataset_t * nsecset = NULL; - + dns_rdataset_t *nsecset = NULL; printf("We want to prove the non-existance of a type of rdata %d" " or of the zone: \n", type); @@ -5087,7 +5040,7 @@ prove_nx(dns_message_t * msg, != ISC_R_SUCCESS) { printf(";; nothing in authority section : impossible to" " validate the non-existence : FAILED\n"); - return(ISC_R_FAILURE); + return (ISC_R_FAILURE); } nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec, @@ -5100,18 +5053,17 @@ prove_nx(dns_message_t * msg, sigrdataset); if (ret != ISC_R_SUCCESS) { printf("prove_nx: ERROR type exist\n"); - return(ret); + return (ret); } else { printf("prove_nx: OK type does not exist\n"); - return(ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } } else { printf("there is no NSEC for this zone: validating " "that the zone doesn't exist\n"); ret = prove_nx_domain(msg, name, rdata_name, rdataset, sigrdataset); - return(ret); + return (ret); } - /* Never get here */ } #endif diff --git a/usr.sbin/bind/bin/dig/host.1 b/usr.sbin/bind/bin/dig/host.1 index e4ffca4bf3c..5eb74434d96 100644 --- a/usr.sbin/bind/bin/dig/host.1 +++ b/usr.sbin/bind/bin/dig/host.1 @@ -1,132 +1,181 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: host.1,v 1.11.2.1.4.4 2004/04/13 04:11:03 marka Exp $ +.\" $ISC: host.1,v 1.11.2.1.4.7 2005/10/13 02:33:43 marka Exp $ .\" -.TH "HOST" "1" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" host \- DNS lookup utility -.SH SYNOPSIS -.sp -\fBhost\fR [ \fB-aCdlnrTwv\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-N \fIndots\fB\fR ] [ \fB-R \fInumber\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-W \fIwait\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] \fBname\fR [ \fBserver\fR ] +.SH "SYNOPSIS" +.HP 5 +\fBhost\fR [\fB\-aCdlnrTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server] .SH "DESCRIPTION" .PP \fBhost\fR -is a simple utility for performing DNS lookups. -It is normally used to convert names to IP addresses and vice versa. -When no arguments or options are given, +is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, \fBhost\fR prints a short summary of its command line arguments and options. .PP -\fIname\fR is the domain name that is to be looked -up. It can also be a dotted-decimal IPv4 address or a colon-delimited -IPv6 address, in which case \fBhost\fR will by default -perform a reverse lookup for that address. -\fIserver\fR is an optional argument which is either -the name or IP address of the name server that \fBhost\fR +\fIname\fR +is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case +\fBhost\fR +will by default perform a reverse lookup for that address. +\fIserver\fR +is an optional argument which is either the name or IP address of the name server that +\fBhost\fR should query instead of the server or servers listed in \fI/etc/resolv.conf\fR. .PP -The \fB-a\fR (all) option is equivalent to setting the -\fB-v\fR option and asking \fBhost\fR to make -a query of type ANY. +The +\fB\-a\fR +(all) option is equivalent to setting the +\fB\-v\fR +option and asking +\fBhost\fR +to make a query of type ANY. .PP -When the \fB-C\fR option is used, \fBhost\fR +When the +\fB\-C\fR +option is used, +\fBhost\fR will attempt to display the SOA records for zone -\fIname\fR from all the listed authoritative name -servers for that zone. The list of name servers is defined by the NS -records that are found for the zone. -.PP -The \fB-c\fR option instructs to make a DNS query of class -\fIclass\fR. This can be used to lookup Hesiod or -Chaosnet class resource records. The default class is IN (Internet). -.PP -Verbose output is generated by \fBhost\fR when the -\fB-d\fR or \fB-v\fR option is used. The two -options are equivalent. They have been provided for backwards -compatibility. In previous versions, the \fB-d\fR option -switched on debugging traces and \fB-v\fR enabled verbose -output. -.PP -List mode is selected by the \fB-l\fR option. This makes -\fBhost\fR perform a zone transfer for zone -\fIname\fR. Transfer the zone printing out the NS, PTR -and address records (A/AAAA). If combined with \fB-a\fR -all records will be printed. -.PP -The \fB-i\fR -option specifies that reverse lookups of IPv6 addresses should -use the IP6.INT domain as defined in RFC1886. -The default is to use IP6.ARPA. -.PP -The \fB-N\fR option sets the number of dots that have to be -in \fIname\fR for it to be considered absolute. The -default value is that defined using the ndots statement in -\fI/etc/resolv.conf\fR, or 1 if no ndots statement is -present. Names with fewer dots are interpreted as relative names and -will be searched for in the domains listed in the \fBsearch\fR -or \fBdomain\fR directive in +\fIname\fR +from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone. +.PP +The +\fB\-c\fR +option instructs to make a DNS query of class +\fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet). +.PP +Verbose output is generated by +\fBhost\fR +when the +\fB\-d\fR +or +\fB\-v\fR +option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the +\fB\-d\fR +option switched on debugging traces and +\fB\-v\fR +enabled verbose output. +.PP +List mode is selected by the +\fB\-l\fR +option. This makes +\fBhost\fR +perform a zone transfer for zone +\fIname\fR. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with +\fB\-a\fR +all records will be printed. +.PP +The +\fB\-i\fR +option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA. +.PP +The +\fB\-N\fR +option sets the number of dots that have to be in +\fIname\fR +for it to be considered absolute. The default value is that defined using the ndots statement in +\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the +\fBsearch\fR +or +\fBdomain\fR +directive in \fI/etc/resolv.conf\fR. .PP The number of UDP retries for a lookup can be changed with the -\fB-R\fR option. \fInumber\fR indicates -how many times \fBhost\fR will repeat a query that does -not get answered. The default number of retries is 1. If -\fInumber\fR is negative or zero, the number of -retries will default to 1. -.PP -Non-recursive queries can be made via the \fB-r\fR option. -Setting this option clears the \fBRD\fR \(em recursion -desired \(em bit in the query which \fBhost\fR makes. -This should mean that the name server receiving the query will not -attempt to resolve \fIname\fR. The -\fB-r\fR option enables \fBhost\fR to mimic -the behaviour of a name server by making non-recursive queries and -expecting to receive answers to those queries that are usually -referrals to other name servers. -.PP -By default \fBhost\fR uses UDP when making queries. The -\fB-T\fR option makes it use a TCP connection when querying -the name server. TCP will be automatically selected for queries that -require it, such as zone transfer (AXFR) requests. -.PP -The \fB-4\fR option forces \fBhost\fR to only -use IPv4 query transport. The \fB-6\fR option forces -\fBhost\fR to only use IPv6 query transport. -.PP -The \fB-t\fR option is used to select the query type. -\fItype\fR can be any recognised query type: CNAME, -NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, -\fBhost\fR automatically selects an appropriate query -type. By default it looks for A records, but if the -\fB-C\fR option was given, queries will be made for SOA -records, and if \fIname\fR is a dotted-decimal IPv4 -address or colon-delimited IPv6 address, \fBhost\fR will -query for PTR records. If a query type of IXFR is chosen the starting -serial number can be specified by appending an equal followed by the -starting serial number (e.g. -t IXFR=12345678). +\fB\-R\fR +option. +\fInumber\fR +indicates how many times +\fBhost\fR +will repeat a query that does not get answered. The default number of retries is 1. If +\fInumber\fR +is negative or zero, the number of retries will default to 1. +.PP +Non\-recursive queries can be made via the +\fB\-r\fR +option. Setting this option clears the +\fBRD\fR +\(em recursion desired \(em bit in the query which +\fBhost\fR +makes. This should mean that the name server receiving the query will not attempt to resolve +\fIname\fR. The +\fB\-r\fR +option enables +\fBhost\fR +to mimic the behaviour of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers. +.PP +By default +\fBhost\fR +uses UDP when making queries. The +\fB\-T\fR +option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests. +.PP +The +\fB\-4\fR +option forces +\fBhost\fR +to only use IPv4 query transport. The +\fB\-6\fR +option forces +\fBhost\fR +to only use IPv6 query transport. +.PP +The +\fB\-t\fR +option is used to select the query type. +\fItype\fR +can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, +\fBhost\fR +automatically selects an appropriate query type. By default it looks for A records, but if the +\fB\-C\fR +option was given, queries will be made for SOA records, and if +\fIname\fR +is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address, +\fBhost\fR +will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. \-t IXFR=12345678). .PP The time to wait for a reply can be controlled through the -\fB-W\fR and \fB-w\fR options. The -\fB-W\fR option makes \fBhost\fR wait for -\fIwait\fR seconds. If \fIwait\fR +\fB\-W\fR +and +\fB\-w\fR +options. The +\fB\-W\fR +option makes +\fBhost\fR +wait for +\fIwait\fR +seconds. If +\fIwait\fR is less than one, the wait interval is set to one second. When the -\fB-w\fR option is used, \fBhost\fR will -effectively wait forever for a reply. The time to wait for a response -will be set to the number of seconds given by the hardware's maximum -value for an integer quantity. +\fB\-w\fR +option is used, +\fBhost\fR +will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity. .SH "FILES" .PP \fI/etc/resolv.conf\fR diff --git a/usr.sbin/bind/bin/dig/host.c b/usr.sbin/bind/bin/dig/host.c index ea90b10544f..8ced431d8a0 100644 --- a/usr.sbin/bind/bin/dig/host.c +++ b/usr.sbin/bind/bin/dig/host.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: host.c,v 1.76.2.5.2.10 2004/09/06 01:33:05 marka Exp $ */ +/* $ISC: host.c,v 1.76.2.5.2.13 2005/07/04 03:29:45 marka Exp $ */ #include <config.h> #include <limits.h> @@ -40,21 +40,6 @@ #include <dig/dig.h> -extern ISC_LIST(dig_lookup_t) lookup_list; -extern dig_serverlist_t server_list; -extern ISC_LIST(dig_searchlist_t) search_list; - -extern isc_boolean_t have_ipv4, have_ipv6; -extern isc_boolean_t usesearch; -extern isc_boolean_t debugging; -extern unsigned int timeout; -extern isc_mem_t *mctx; -extern int ndots; -extern int tries; -extern char *progname; -extern isc_task_t *global_task; -extern int fatalexit; - static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE; static isc_boolean_t default_lookups = ISC_TRUE; static int seen_error = -1; @@ -602,6 +587,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { } else list_type = rdtype; list_addresses = ISC_FALSE; + default_lookups = ISC_FALSE; break; case 'c': tr.base = isc_commandline_argument; diff --git a/usr.sbin/bind/bin/dig/host.docbook b/usr.sbin/bind/bin/dig/host.docbook index 9132823b68e..12cecbf15b9 100644 --- a/usr.sbin/bind/bin/dig/host.docbook +++ b/usr.sbin/bind/bin/dig/host.docbook @@ -1,6 +1,8 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: host.docbook,v 1.2.2.2.4.5 2004/04/13 01:26:26 marka Exp $ --> +<!-- $ISC: host.docbook,v 1.2.2.2.4.7 2005/05/13 01:22:32 marka Exp $ --> <refentry> @@ -30,6 +32,20 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>host</refname> <refpurpose>DNS lookup utility</refpurpose> @@ -46,8 +62,8 @@ <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg> <arg><option>-4</option></arg> <arg><option>-6</option></arg> - <arg choice=req>name</arg> - <arg choice=opt>server</arg> + <arg choice="req">name</arg> + <arg choice="opt">server</arg> </cmdsynopsis> </refsynopsisdiv> diff --git a/usr.sbin/bind/bin/dig/host.html b/usr.sbin/bind/bin/dig/host.html index dbbb479adf0..e993de1a248 100644 --- a/usr.sbin/bind/bin/dig/host.html +++ b/usr.sbin/bind/bin/dig/host.html @@ -1,434 +1,171 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2002 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2002 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: host.html,v 1.4.2.1.4.6 2004/08/22 23:38:58 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->host</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->host</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->host -- DNS lookup utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->host</B -> [<VAR -CLASS="OPTION" ->-aCdlnrTwv</VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-N <VAR -CLASS="REPLACEABLE" ->ndots</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-R <VAR -CLASS="REPLACEABLE" ->number</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-W <VAR -CLASS="REPLACEABLE" ->wait</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-4</VAR ->] [<VAR -CLASS="OPTION" ->-6</VAR ->] {name} [server]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN37" -></A -><H2 ->DESCRIPTION</H2 -><P -><B -CLASS="COMMAND" ->host</B -> +<!-- $ISC: host.html,v 1.4.2.1.4.12 2005/10/13 02:33:44 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>host</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>host — DNS lookup utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525901"></a><h2>DESCRIPTION</h2> +<p> +<span><strong class="command">host</strong></span> is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, -<B -CLASS="COMMAND" ->host</B -> -prints a short summary of its command line arguments and options.</P -><P -><VAR -CLASS="PARAMETER" ->name</VAR -> is the domain name that is to be looked +<span><strong class="command">host</strong></span> +prints a short summary of its command line arguments and options. +</p> +<p> +<em class="parameter"><code>name</code></em> is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited -IPv6 address, in which case <B -CLASS="COMMAND" ->host</B -> will by default +IPv6 address, in which case <span><strong class="command">host</strong></span> will by default perform a reverse lookup for that address. -<VAR -CLASS="PARAMETER" ->server</VAR -> is an optional argument which is either -the name or IP address of the name server that <B -CLASS="COMMAND" ->host</B -> +<em class="parameter"><code>server</code></em> is an optional argument which is either +the name or IP address of the name server that <span><strong class="command">host</strong></span> should query instead of the server or servers listed in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -><P ->The <VAR -CLASS="OPTION" ->-a</VAR -> (all) option is equivalent to setting the -<VAR -CLASS="OPTION" ->-v</VAR -> option and asking <B -CLASS="COMMAND" ->host</B -> to make -a query of type ANY.</P -><P ->When the <VAR -CLASS="OPTION" ->-C</VAR -> option is used, <B -CLASS="COMMAND" ->host</B -> +<code class="filename">/etc/resolv.conf</code>. +</p> +<p> +The <code class="option">-a</code> (all) option is equivalent to setting the +<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make +a query of type ANY. +</p> +<p> +When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span> will attempt to display the SOA records for zone -<VAR -CLASS="PARAMETER" ->name</VAR -> from all the listed authoritative name +<em class="parameter"><code>name</code></em> from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS -records that are found for the zone.</P -><P ->The <VAR -CLASS="OPTION" ->-c</VAR -> option instructs to make a DNS query of class -<VAR -CLASS="PARAMETER" ->class</VAR ->. This can be used to lookup Hesiod or -Chaosnet class resource records. The default class is IN (Internet).</P -><P ->Verbose output is generated by <B -CLASS="COMMAND" ->host</B -> when the -<VAR -CLASS="OPTION" ->-d</VAR -> or <VAR -CLASS="OPTION" ->-v</VAR -> option is used. The two +records that are found for the zone. +</p> +<p> +The <code class="option">-c</code> option instructs to make a DNS query of class +<em class="parameter"><code>class</code></em>. This can be used to lookup Hesiod or +Chaosnet class resource records. The default class is IN (Internet). +</p> +<p> +Verbose output is generated by <span><strong class="command">host</strong></span> when the +<code class="option">-d</code> or <code class="option">-v</code> option is used. The two options are equivalent. They have been provided for backwards -compatibility. In previous versions, the <VAR -CLASS="OPTION" ->-d</VAR -> option -switched on debugging traces and <VAR -CLASS="OPTION" ->-v</VAR -> enabled verbose -output.</P -><P ->List mode is selected by the <VAR -CLASS="OPTION" ->-l</VAR -> option. This makes -<B -CLASS="COMMAND" ->host</B -> perform a zone transfer for zone -<VAR -CLASS="PARAMETER" ->name</VAR ->. Transfer the zone printing out the NS, PTR -and address records (A/AAAA). If combined with <VAR -CLASS="OPTION" ->-a</VAR -> -all records will be printed. </P -><P ->The <VAR -CLASS="OPTION" ->-i</VAR -> +compatibility. In previous versions, the <code class="option">-d</code> option +switched on debugging traces and <code class="option">-v</code> enabled verbose +output. +</p> +<p> +List mode is selected by the <code class="option">-l</code> option. This makes +<span><strong class="command">host</strong></span> perform a zone transfer for zone +<em class="parameter"><code>name</code></em>. Transfer the zone printing out the NS, PTR +and address records (A/AAAA). If combined with <code class="option">-a</code> +all records will be printed. +</p> +<p> +The <code class="option">-i</code> option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. -The default is to use IP6.ARPA.</P -><P ->The <VAR -CLASS="OPTION" ->-N</VAR -> option sets the number of dots that have to be -in <VAR -CLASS="PARAMETER" ->name</VAR -> for it to be considered absolute. The +The default is to use IP6.ARPA. +</p> +<p> +The <code class="option">-N</code> option sets the number of dots that have to be +in <em class="parameter"><code>name</code></em> for it to be considered absolute. The default value is that defined using the ndots statement in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->, or 1 if no ndots statement is +<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and -will be searched for in the domains listed in the <SPAN -CLASS="TYPE" ->search</SPAN -> -or <SPAN -CLASS="TYPE" ->domain</SPAN -> directive in -<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -><P ->The number of UDP retries for a lookup can be changed with the -<VAR -CLASS="OPTION" ->-R</VAR -> option. <VAR -CLASS="PARAMETER" ->number</VAR -> indicates -how many times <B -CLASS="COMMAND" ->host</B -> will repeat a query that does +will be searched for in the domains listed in the <span class="type">search</span> +or <span class="type">domain</span> directive in +<code class="filename">/etc/resolv.conf</code>. +</p> +<p> +The number of UDP retries for a lookup can be changed with the +<code class="option">-R</code> option. <em class="parameter"><code>number</code></em> indicates +how many times <span><strong class="command">host</strong></span> will repeat a query that does not get answered. The default number of retries is 1. If -<VAR -CLASS="PARAMETER" ->number</VAR -> is negative or zero, the number of -retries will default to 1.</P -><P ->Non-recursive queries can be made via the <VAR -CLASS="OPTION" ->-r</VAR -> option. -Setting this option clears the <SPAN -CLASS="TYPE" ->RD</SPAN -> — recursion -desired — bit in the query which <B -CLASS="COMMAND" ->host</B -> makes. +<em class="parameter"><code>number</code></em> is negative or zero, the number of +retries will default to 1. +</p> +<p> +Non-recursive queries can be made via the <code class="option">-r</code> option. +Setting this option clears the <span class="type">RD</span> — recursion +desired — bit in the query which <span><strong class="command">host</strong></span> makes. This should mean that the name server receiving the query will not -attempt to resolve <VAR -CLASS="PARAMETER" ->name</VAR ->. The -<VAR -CLASS="OPTION" ->-r</VAR -> option enables <B -CLASS="COMMAND" ->host</B -> to mimic +attempt to resolve <em class="parameter"><code>name</code></em>. The +<code class="option">-r</code> option enables <span><strong class="command">host</strong></span> to mimic the behaviour of a name server by making non-recursive queries and expecting to receive answers to those queries that are usually -referrals to other name servers.</P -><P ->By default <B -CLASS="COMMAND" ->host</B -> uses UDP when making queries. The -<VAR -CLASS="OPTION" ->-T</VAR -> option makes it use a TCP connection when querying +referrals to other name servers. +</p> +<p> +By default <span><strong class="command">host</strong></span> uses UDP when making queries. The +<code class="option">-T</code> option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that -require it, such as zone transfer (AXFR) requests.</P -><P ->The <VAR -CLASS="OPTION" ->-4</VAR -> option forces <B -CLASS="COMMAND" ->host</B -> to only -use IPv4 query transport. The <VAR -CLASS="OPTION" ->-6</VAR -> option forces -<B -CLASS="COMMAND" ->host</B -> to only use IPv6 query transport.</P -><P ->The <VAR -CLASS="OPTION" ->-t</VAR -> option is used to select the query type. -<VAR -CLASS="PARAMETER" ->type</VAR -> can be any recognised query type: CNAME, +require it, such as zone transfer (AXFR) requests. +</p> +<p> +The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only +use IPv4 query transport. The <code class="option">-6</code> option forces +<span><strong class="command">host</strong></span> to only use IPv6 query transport. +</p> +<p> +The <code class="option">-t</code> option is used to select the query type. +<em class="parameter"><code>type</code></em> can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, -<B -CLASS="COMMAND" ->host</B -> automatically selects an appropriate query +<span><strong class="command">host</strong></span> automatically selects an appropriate query type. By default it looks for A records, but if the -<VAR -CLASS="OPTION" ->-C</VAR -> option was given, queries will be made for SOA -records, and if <VAR -CLASS="PARAMETER" ->name</VAR -> is a dotted-decimal IPv4 -address or colon-delimited IPv6 address, <B -CLASS="COMMAND" ->host</B -> will +<code class="option">-C</code> option was given, queries will be made for SOA +records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4 +address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the -starting serial number (e.g. -t IXFR=12345678).</P -><P ->The time to wait for a reply can be controlled through the -<VAR -CLASS="OPTION" ->-W</VAR -> and <VAR -CLASS="OPTION" ->-w</VAR -> options. The -<VAR -CLASS="OPTION" ->-W</VAR -> option makes <B -CLASS="COMMAND" ->host</B -> wait for -<VAR -CLASS="PARAMETER" ->wait</VAR -> seconds. If <VAR -CLASS="PARAMETER" ->wait</VAR -> +starting serial number (e.g. -t IXFR=12345678). +</p> +<p> +The time to wait for a reply can be controlled through the +<code class="option">-W</code> and <code class="option">-w</code> options. The +<code class="option">-W</code> option makes <span><strong class="command">host</strong></span> wait for +<em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em> is less than one, the wait interval is set to one second. When the -<VAR -CLASS="OPTION" ->-w</VAR -> option is used, <B -CLASS="COMMAND" ->host</B -> will +<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum -value for an integer quantity.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN115" -></A -><H2 ->FILES</H2 -><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN119" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dig</SPAN ->(1)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->.</P -></DIV -></BODY -></HTML -> +value for an integer quantity. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526241"></a><h2>FILES</h2> +<p> +<code class="filename">/etc/resolv.conf</code> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526253"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, +<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dig/include/dig/dig.h b/usr.sbin/bind/bin/dig/include/dig/dig.h index 751e7df319b..f84652966cd 100644 --- a/usr.sbin/bind/bin/dig/include/dig/dig.h +++ b/usr.sbin/bind/bin/dig/include/dig/dig.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dig.h,v 1.71.2.6.2.7 2004/09/06 01:33:06 marka Exp $ */ +/* $ISC: dig.h,v 1.71.2.6.2.11 2005/07/04 03:29:45 marka Exp $ */ #ifndef DIG_H #define DIG_H @@ -35,7 +35,7 @@ #include <isc/sockaddr.h> #include <isc/socket.h> -#define MXSERV 6 +#define MXSERV 20 #define MXNAME (DNS_NAME_MAXTEXT+1) #define MXRD 32 #define BUFSIZE 512 @@ -66,14 +66,6 @@ * in a tight loop of constant lookups. It's value is arbitrary. */ -#define ROOTNS 1 -/* - * Set the number of root servers to ask for information when running in - * trace mode. - * XXXMWS -- trace mode is currently semi-broken, and this number *MUST* - * be 1. - */ - /* * Defaults for the sigchase suboptions. Consolidated here because * these control the layout of dig_lookup_t (among other things). @@ -224,6 +216,46 @@ struct dig_message { ISC_LINK(dig_message_t) link; }; #endif + +typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t; +typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t; + +/* + * Externals from dighost.c + */ + +extern dig_lookuplist_t lookup_list; +extern dig_serverlist_t server_list; +extern dig_searchlistlist_t search_list; + +extern isc_boolean_t have_ipv4, have_ipv6, specified_source, + usesearch, qr; +extern in_port_t port; +extern unsigned int timeout; +extern isc_mem_t *mctx; +extern dns_messageid_t id; +extern int sendcount; +extern int ndots; +extern int lookup_counter; +extern int exitcode; +extern isc_sockaddr_t bind_address; +extern char keynametext[MXNAME]; +extern char keyfile[MXNAME]; +extern char keysecret[MXNAME]; +#ifdef DIG_SIGCHASE +extern char trustedkey[MXNAME]; +#endif +extern dns_tsigkey_t *key; +extern isc_boolean_t validated; +extern isc_taskmgr_t *taskmgr; +extern isc_task_t *global_task; +extern isc_boolean_t free_now; +extern isc_boolean_t debugging, memdebugging; + +extern char *progname; +extern int tries; +extern int fatalexit; + /* * Routines in dighost.c. */ diff --git a/usr.sbin/bind/bin/dig/nslookup.1 b/usr.sbin/bind/bin/dig/nslookup.1 index 73953d84d4f..6bb946b0e5e 100644 --- a/usr.sbin/bind/bin/dig/nslookup.1 +++ b/usr.sbin/bind/bin/dig/nslookup.1 @@ -1,76 +1,75 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: nslookup.1,v 1.1.6.2 2004/08/20 02:29:39 marka Exp $ +.\" $ISC: nslookup.1,v 1.1.6.5 2005/10/13 02:33:43 marka Exp $ .\" -.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" nslookup \- query Internet name servers interactively -.SH SYNOPSIS -.sp -\fBnslookup\fR [ \fB-option\fR ] [ \fBname | -\fR ] [ \fBserver\fR ] +.SH "SYNOPSIS" +.HP 9 +\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server] .SH "DESCRIPTION" .PP \fBNslookup\fR -is a program to query Internet domain name servers. \fBNslookup\fR -has two modes: interactive and non-interactive. Interactive mode allows -the user to query name servers for information about various hosts and -domains or to print a list of hosts in a domain. Non-interactive mode is -used to print just the name and requested information for a host or -domain. +is a program to query Internet domain name servers. +\fBNslookup\fR +has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain. .SH "ARGUMENTS" .PP Interactive mode is entered in the following cases: -.IP 1. +.TP 3 +1. when no arguments are given (the default name server will be used) -.IP 2. -when the first argument is a hyphen (-) and the second argument is -the host name or Internet address of a name server. -.PP -Non-interactive mode is used when the name or Internet address of the -host to be looked up is given as the first argument. The optional second -argument specifies the host name or address of a name server. +.TP +2. +when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server. .PP -Options can also be specified on the command line if they precede the -arguments and are prefixed with a hyphen. For example, to -change the default query type to host information, and the initial timeout to 10 seconds, type: +Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. .PP -.sp +Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: +.IP .nf -nslookup -query=hinfo -timeout=10 -.sp +nslookup \-query=hinfo \-timeout=10 .fi .SH "INTERACTIVE COMMANDS" .TP -\fBhost [server]\fR -Look up information for host using the current default server or -using server, if specified. If host is an Internet address and -the query type is A or PTR, the name of the host is returned. -If host is a name and does not have a trailing period, the -search list is used to qualify the name. - -To look up a host not in the current domain, append a period to -the name. -.TP -\fBserver \fIdomain\fB\fR -.TP -\fBlserver \fIdomain\fB\fR -Change the default server to \fIdomain\fR; lserver uses the initial -server to look up information about \fIdomain\fR, while server uses -the current default server. If an authoritative answer can't be -found, the names of servers that might have the answer are -returned. +host [server] +Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name. +.sp +To look up a host not in the current domain, append a period to the name. +.TP +\fBserver\fR \fIdomain\fR +.TP +\fBlserver\fR \fIdomain\fR +Change the default server to +\fIdomain\fR; +\fBlserver\fR +uses the initial server to look up information about +\fIdomain\fR, while +\fBserver\fR +uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. .TP \fBroot\fR not implemented @@ -93,17 +92,15 @@ not implemented \fBexit\fR Exits the program. .TP -\fBset \fIkeyword[=value]\fB\fR -This command is used to change state information that affects -the lookups. Valid keywords are: +\fBset\fR \fIkeyword\fR\fI[=value]\fR +This command is used to change state information that affects the lookups. Valid keywords are: .RS .TP \fBall\fR -Prints the current values of the frequently used -options to \fBset\fR. Information about the current default -server and host is also printed. +Prints the current values of the frequently used options to +\fBset\fR. Information about the current default server and host is also printed. .TP -\fBclass=\fIvalue\fB\fR +\fBclass=\fR\fIvalue\fR Change the query class to one of: .RS .TP @@ -119,66 +116,61 @@ the Hesiod class \fBANY\fR wildcard .RE -.PP +.IP The class specifies the protocol group of the information. - +.sp (Default = IN; abbreviation = cl) .TP -\fB\fI[no]\fBdebug\fR -Turn debugging mode on. A lot more information is -printed about the packet sent to the server and the -resulting answer. - -(Default = nodebug; abbreviation = [no]deb) -.TP -\fB\fI[no]\fBd2\fR -Turn debugging mode on. A lot more information is -printed about the packet sent to the server and the -resulting answer. - +\fB\fI[no]\fR\fR\fBdebug\fR +Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. +.sp +(Default = nodebug; abbreviation = +[no]deb) +.TP +\fB\fI[no]\fR\fR\fBd2\fR +Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. +.sp (Default = nod2) .TP -\fBdomain=\fIname\fB\fR -Sets the search list to \fIname\fR. +\fBdomain=\fR\fIname\fR +Sets the search list to +\fIname\fR. .TP -\fB\fI[no]\fBsearch\fR -If the lookup request contains at least one period but -doesn't end with a trailing period, append the domain -names in the domain search list to the request until an -answer is received. - +\fB\fI[no]\fR\fR\fBsearch\fR +If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. +.sp (Default = search) .TP -\fBport=\fIvalue\fB\fR -Change the default TCP/UDP name server port to \fIvalue\fR. - +\fBport=\fR\fIvalue\fR +Change the default TCP/UDP name server port to +\fIvalue\fR. +.sp (Default = 53; abbreviation = po) .TP -\fBquerytype=\fIvalue\fB\fR +\fBquerytype=\fR\fIvalue\fR .TP \fBtype=\fIvalue\fB\fR Change the type of the information query. - +.sp (Default = A; abbreviations = q, ty) .TP -\fB\fI[no]\fBrecurse\fR -Tell the name server to query other servers if it does not have the -information. - +\fB\fI[no]\fR\fR\fBrecurse\fR +Tell the name server to query other servers if it does not have the information. +.sp (Default = recurse; abbreviation = [no]rec) .TP -\fBretry=\fInumber\fB\fR +\fBretry=\fR\fInumber\fR Set the number of retries to number. .TP -\fBtimeout=\fInumber\fB\fR -Change the initial timeout interval for waiting for a -reply to number seconds. +\fBtimeout=\fR\fInumber\fR +Change the initial timeout interval for waiting for a reply to number seconds. .TP -\fB\fI[no]\fBvc\fR +\fB\fI[no]\fR\fR\fBvc\fR Always use a virtual circuit when sending requests to the server. - +.sp (Default = novc) .RE +.IP .SH "FILES" .PP \fI/etc/resolv.conf\fR diff --git a/usr.sbin/bind/bin/dig/nslookup.c b/usr.sbin/bind/bin/dig/nslookup.c index c0db69e5659..ca1d98cf754 100644 --- a/usr.sbin/bind/bin/dig/nslookup.c +++ b/usr.sbin/bind/bin/dig/nslookup.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: nslookup.c,v 1.90.2.4.2.8 2004/09/06 01:33:05 marka Exp $ */ +/* $ISC: nslookup.c,v 1.90.2.4.2.10 2005/07/12 05:47:42 marka Exp $ */ #include <config.h> @@ -44,19 +44,6 @@ #include <dig/dig.h> -extern ISC_LIST(dig_lookup_t) lookup_list; -extern dig_serverlist_t server_list; -extern ISC_LIST(dig_searchlist_t) search_list; - -extern isc_boolean_t usesearch, debugging; -extern in_port_t port; -extern unsigned int timeout; -extern isc_mem_t *mctx; -extern int tries; -extern int lookup_counter; -extern isc_task_t *global_task; -extern char *progname; - static isc_boolean_t short_form = ISC_TRUE, tcpmode = ISC_FALSE, identify = ISC_FALSE, stats = ISC_TRUE, diff --git a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html b/usr.sbin/bind/bin/dnssec/dnssec-keygen.html index 2c1e379609e..07b44d1f065 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-keygen.html @@ -1,544 +1,228 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: dnssec-keygen.html,v 1.5.2.1.4.6 2004/08/22 23:38:58 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->dnssec-keygen</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->dnssec-keygen</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-keygen</SPAN -> -- DNSSEC key generation tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-keygen</B -> {-a <VAR -CLASS="REPLACEABLE" ->algorithm</VAR ->} {-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR ->} {-n <VAR -CLASS="REPLACEABLE" ->nametype</VAR ->} [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-e</VAR ->] [<VAR -CLASS="OPTION" ->-f <VAR -CLASS="REPLACEABLE" ->flag</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-g <VAR -CLASS="REPLACEABLE" ->generator</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-h</VAR ->] [<VAR -CLASS="OPTION" ->-k</VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->protocol</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->strength</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></VAR ->] {name}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN53" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-keygen</B -> generates keys for DNSSEC +<!-- $ISC: dnssec-keygen.html,v 1.5.2.1.4.13 2005/10/13 02:33:45 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dnssec-keygen</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525956"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a <VAR -CLASS="REPLACEABLE" ->algorithm</VAR -></DT -><DD -><P -> Selects the cryptographic algorithm. The value of - <VAR -CLASS="OPTION" ->algorithm</VAR -> must be one of RSAMD5 (RSA) or RSASHA1, + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525969"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> +<dd> +<p> + Selects the cryptographic algorithm. The value of + <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC-MD5. These values are case insensitive. - </P -><P -> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, + </p> +<p> + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - </P -><P -> Note 2: HMAC-MD5 and DH automatically set the -k flag. - </P -></DD -><DT ->-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR -></DT -><DD -><P -> Specifies the number of bits in the key. The choice of key + </p> +<p> + Note 2: HMAC-MD5 and DH automatically set the -k flag. + </p> +</dd> +<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> +<dd><p> + Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be between 1 and 512 bits. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->nametype</VAR -></DT -><DD -><P -> Specifies the owner type of the key. The value of - <VAR -CLASS="OPTION" ->nametype</VAR -> must either be ZONE (for a DNSSEC + </p></dd> +<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> +<dd><p> + Specifies the owner type of the key. The value of + <code class="option">nametype</code> must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></DT -><DD -><P -> Indicates that the DNS record containing the key should have + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> +<dd><p> + Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. - </P -></DD -><DT ->-e</DT -><DD -><P -> If generating an RSAMD5/RSASHA1 key, use a large exponent. - </P -></DD -><DT ->-f <VAR -CLASS="REPLACEABLE" ->flag</VAR -></DT -><DD -><P -> Set the specified flag in the flag field of the KEY/DNSKEY record. + </p></dd> +<dt><span class="term">-e</span></dt> +<dd><p> + If generating an RSAMD5/RSASHA1 key, use a large exponent. + </p></dd> +<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt> +<dd><p> + Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY. - </P -></DD -><DT ->-g <VAR -CLASS="REPLACEABLE" ->generator</VAR -></DT -><DD -><P -> If generating a Diffie Hellman key, use this generator. + </p></dd> +<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt> +<dd><p> + If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-keygen</B ->. - </P -></DD -><DT ->-k</DT -><DD -><P -> Generate KEY records rather than DNSKEY records. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->protocol</VAR -></DT -><DD -><P -> Sets the protocol value for the generated key. The protocol + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-keygen</strong></span>. + </p></dd> +<dt><span class="term">-k</span></dt> +<dd><p> + Generate KEY records rather than DNSKEY records. + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt> +<dd><p> + Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. - </P -></DD -><DT ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></DT -><DD -><P -> Specifies the source of randomness. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> +<dd><p> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies + is keyboard input. <code class="filename">randomdev</code> specifies the name of a character device or file containing random data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard + <code class="filename">keyboard</code> indicates that keyboard input should be used. - </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->strength</VAR -></DT -><DD -><P -> Specifies the strength value of the key. The strength is + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt> +<dd><p> + Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. - </P -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->type</VAR -></DT -><DD -><P -> Indicates the use of the key. <VAR -CLASS="OPTION" ->type</VAR -> must be + </p></dd> +<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt> +<dd><p> + Indicates the use of the key. <code class="option">type</code> must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. - </P -></DD -><DT ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN136" -></A -><H2 ->GENERATED KEYS</H2 -><P -> When <B -CLASS="COMMAND" ->dnssec-keygen</B -> completes successfully, - it prints a string of the form <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii</TT -> + </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> + Sets the debugging level. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526306"></a><h2>GENERATED KEYS</h2> +<p> + When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, + it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> to the standard output. This is an identification string for - the key it has generated. These strings can be used as arguments - to <B -CLASS="COMMAND" ->dnssec-makekeyset</B ->. - </P -><P -></P -><UL -><LI -><P -> <TT -CLASS="FILENAME" ->nnnn</TT -> is the key name. - </P -></LI -><LI -><P -> <TT -CLASS="FILENAME" ->aaa</TT -> is the numeric representation of the + the key it has generated. + </p> +<div class="itemizedlist"><ul type="disc"> +<li><p> + <code class="filename">nnnn</code> is the key name. + </p></li> +<li><p> + <code class="filename">aaa</code> is the numeric representation of the algorithm. - </P -></LI -><LI -><P -> <TT -CLASS="FILENAME" ->iiiii</TT -> is the key identifier (or footprint). - </P -></LI -></UL -><P -> <B -CLASS="COMMAND" ->dnssec-keygen</B -> creates two file, with names based - on the printed string. <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii.key</TT -> + </p></li> +<li><p> + <code class="filename">iiiii</code> is the key identifier (or footprint). + </p></li> +</ul></div> +<p> + <span><strong class="command">dnssec-keygen</strong></span> creates two file, with names based + on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> contains the public key, and - <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii.private</TT -> contains the private + <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private key. - </P -><P -> The <TT -CLASS="FILENAME" ->.key</TT -> file contains a DNS KEY record that + </p> +<p> + The <code class="filename">.key</code> file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement). - </P -><P -> The <TT -CLASS="FILENAME" ->.private</TT -> file contains algorithm specific + </p> +<p> + The <code class="filename">.private</code> file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission. - </P -><P -> Both <TT -CLASS="FILENAME" ->.key</TT -> and <TT -CLASS="FILENAME" ->.private</TT -> + </p> +<p> + Both <code class="filename">.key</code> and <code class="filename">.private</code> files are generated for symmetric encryption algorithm such as HMAC-MD5, even though the public and private key are equivalent. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN163" -></A -><H2 ->EXAMPLE</H2 -><P -> To generate a 768-bit DSA key for the domain - <KBD -CLASS="USERINPUT" ->example.com</KBD ->, the following command would be + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526394"></a><h2>EXAMPLE</h2> +<p> + To generate a 768-bit DSA key for the domain + <strong class="userinput"><code>example.com</code></strong>, the following command would be issued: - </P -><P -> <KBD -CLASS="USERINPUT" ->dnssec-keygen -a DSA -b 768 -n ZONE example.com</KBD -> - </P -><P -> The command would print a string of the form: - </P -><P -> <KBD -CLASS="USERINPUT" ->Kexample.com.+003+26160</KBD -> - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-keygen</B -> creates - the files <TT -CLASS="FILENAME" ->Kexample.com.+003+26160.key</TT -> and - <TT -CLASS="FILENAME" ->Kexample.com.+003+26160.private</TT -> - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN176" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signzone</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->, - <I -CLASS="CITETITLE" ->RFC 2535</I ->, - <I -CLASS="CITETITLE" ->RFC 2845</I ->, - <I -CLASS="CITETITLE" ->RFC 2539</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN186" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +<p> + <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> + </p> +<p> + The command would print a string of the form: + </p> +<p> + <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> + </p> +<p> + In this example, <span><strong class="command">dnssec-keygen</strong></span> creates + the files <code class="filename">Kexample.com.+003+26160.key</code> and + <code class="filename">Kexample.com.+003+26160.private</code> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526440"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 2535</em>, + <em class="citetitle">RFC 2845</em>, + <em class="citetitle">RFC 2539</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526473"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 deleted file mode 100644 index b55ca723cbf..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 +++ /dev/null @@ -1,113 +0,0 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $ -.\" -.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" "" -.SH NAME -dnssec-makekeyset \- DNSSEC zone signing tool -.SH SYNOPSIS -.sp -\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR -.SH "DESCRIPTION" -.PP -\fBdnssec-makekeyset\fR generates a key set from one -or more keys created by \fBdnssec-keygen\fR. It creates -a file containing a KEY record for each key, and self-signs the key -set with each zone key. The output file is of the form -\fIkeyset-nnnn.\fR, where \fInnnn\fR -is the zone name. -.SH "OPTIONS" -.TP -\fB-a\fR -Verify all generated signatures. -.TP -\fB-s \fIstart-time\fB\fR -Specify the date and time when the generated SIG records -become valid. This can be either an absolute or relative -time. An absolute start time is indicated by a number -in YYYYMMDDHHMMSS notation; 20000530144500 denotes -14:45:00 UTC on May 30th, 2000. A relative start time is -indicated by +N, which is N seconds from the current time. -If no \fBstart-time\fR is specified, the current -time is used. -.TP -\fB-e \fIend-time\fB\fR -Specify the date and time when the generated SIG records -expire. As with \fBstart-time\fR, an absolute -time is indicated in YYYYMMDDHHMMSS notation. A time relative -to the start time is indicated with +N, which is N seconds from -the start time. A time relative to the current time is -indicated with now+N. If no \fBend-time\fR is -specified, 30 days from the start time is used as a default. -.TP -\fB-h\fR -Prints a short summary of the options and arguments to -\fBdnssec-makekeyset\fR. -.TP -\fB-p\fR -Use pseudo-random data when signing the zone. This is faster, -but less secure, than using real random data. This option -may be useful when signing large zones or when the entropy -source is limited. -.TP -\fB-r \fIrandomdev\fB\fR -Specifies the source of randomness. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. -.TP -\fB-t \fIttl\fB\fR -Specify the TTL (time to live) of the KEY and SIG records. -The default is 3600 seconds. -.TP -\fB-v \fIlevel\fB\fR -Sets the debugging level. -.TP -\fBkey\fR -The list of keys to be included in the keyset file. These keys -are expressed in the form \fIKnnnn.+aaa+iiiii\fR -as generated by \fBdnssec-keygen\fR. -.SH "EXAMPLE" -.PP -The following command generates a keyset containing the DSA key for -\fBexample.com\fR generated in the -\fBdnssec-keygen\fR man page. -.PP -\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR -.PP -In this example, \fBdnssec-makekeyset\fR creates -the file \fIkeyset-example.com.\fR. This file -contains the specified key and a self-generated signature. -.PP -The DNS administrator for \fBexample.com\fR could -send \fIkeyset-example.com.\fR to the DNS -administrator for \fB.com\fR for signing, if the -\&.com zone is DNSSEC-aware and the administrators of the two zones -have some mechanism for authenticating each other and exchanging -the keys and signatures securely. -.SH "SEE ALSO" -.PP -\fBdnssec-keygen\fR(8), -\fBdnssec-signkey\fR(8), -\fIBIND 9 Administrator Reference Manual\fR, -\fIRFC 2535\fR. -.SH "AUTHOR" -.PP -Internet Software Consortium diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c deleted file mode 100644 index 535f9105300..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c +++ /dev/null @@ -1,402 +0,0 @@ -/* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2000-2003 Internet Software Consortium. - * Portions Copyright (C) 1995-2000 by Network Associates, Inc. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: dnssec-makekeyset.c,v 1.52.2.1.10.7 2004/08/28 06:25:27 marka Exp $ */ - -#include <config.h> - -#include <stdlib.h> - -#include <isc/commandline.h> -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/print.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dns/db.h> -#include <dns/diff.h> -#include <dns/dnssec.h> -#include <dns/fixedname.h> -#include <dns/log.h> -#include <dns/rdata.h> -#include <dns/rdataset.h> -#include <dns/result.h> -#include <dns/secalg.h> -#include <dns/time.h> - -#include <dst/dst.h> - -#include "dnssectool.h" - -const char *program = "dnssec-makekeyset"; -int verbose; - -typedef struct keynode keynode_t; -struct keynode { - dst_key_t *key; - ISC_LINK(keynode_t) link; -}; -typedef ISC_LIST(keynode_t) keylist_t; - -static isc_stdtime_t starttime = 0, endtime = 0, now; -static int ttl = -1; - -static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; - -static keylist_t keylist; - -static void -usage(void) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\t%s [options] keys\n", program); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Version: %s\n", VERSION); - - fprintf(stderr, "Options: (default value in parenthesis) \n"); - fprintf(stderr, "\t-a\n"); - fprintf(stderr, "\t\tverify generated signatures\n"); - fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n"); - fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n"); - fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); - fprintf(stderr, "\t\tSIG end time - " - "absolute|from start|from now (now + 30 days)\n"); - fprintf(stderr, "\t-t ttl\n"); - fprintf(stderr, "\t-p\n"); - fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n"); - fprintf(stderr, "\t-r randomdev:\n"); - fprintf(stderr, "\t\ta file containing random data\n"); - fprintf(stderr, "\t-v level:\n"); - fprintf(stderr, "\t\tverbose level (0)\n"); - - fprintf(stderr, "\n"); - - fprintf(stderr, "keys:\n"); - fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n"); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Output:\n"); - fprintf(stderr, "\tkeyset (keyset-<name>)\n"); - exit(0); -} - -static isc_boolean_t -zonekey_on_list(dst_key_t *key) { - keynode_t *keynode; - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - { - if (dst_key_compare(keynode->key, key)) - return (ISC_TRUE); - } - return (ISC_FALSE); -} - -int -main(int argc, char *argv[]) { - int i, ch; - char *startstr = NULL, *endstr = NULL; - dns_fixedname_t fdomain; - dns_name_t *domain = NULL; - char *output = NULL; - char *endp; - unsigned char data[65536]; - dns_db_t *db; - dns_dbversion_t *version; - dns_diff_t diff; - dns_difftuple_t *tuple; - dns_fixedname_t tname; - dst_key_t *key = NULL; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdataset_t rdataset; - dns_rdataclass_t rdclass; - isc_result_t result; - isc_buffer_t b; - isc_region_t r; - isc_log_t *log = NULL; - keynode_t *keynode; - unsigned int eflags; - isc_boolean_t pseudorandom = ISC_FALSE; - isc_boolean_t tryverify = ISC_FALSE; - - result = isc_mem_create(0, 0, &mctx); - if (result != ISC_R_SUCCESS) - fatal("failed to create memory context: %s", - isc_result_totext(result)); - - dns_result_register(); - - while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1) - { - switch (ch) { - case 'a': - tryverify = ISC_TRUE; - break; - case 's': - startstr = isc_commandline_argument; - break; - - case 'e': - endstr = isc_commandline_argument; - break; - - case 't': - endp = NULL; - ttl = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("TTL must be numeric"); - break; - - case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); - break; - - case 'v': - endp = NULL; - verbose = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("verbose level must be numeric"); - break; - - case 'p': - pseudorandom = ISC_TRUE; - break; - - case 'h': - default: - usage(); - - } - } - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc < 1) - usage(); - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - eflags = ISC_ENTROPY_BLOCKING; - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - result = dst_lib_init(mctx, ectx, eflags); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); - - isc_stdtime_get(&now); - - if (startstr != NULL) - starttime = strtotime(startstr, now, now); - else - starttime = now; - - if (endstr != NULL) - endtime = strtotime(endstr, now, starttime); - else - endtime = starttime + (30 * 24 * 60 * 60); - - if (ttl == -1) { - ttl = 3600; - fprintf(stderr, "%s: TTL not specified, assuming 3600\n", - program); - } - - setup_logging(verbose, mctx, &log); - - dns_diff_init(mctx, &diff); - rdclass = 0; - - ISC_LIST_INIT(keylist); - - for (i = 0; i < argc; i++) { - char namestr[DNS_NAME_FORMATSIZE]; - isc_buffer_t namebuf; - - key = NULL; - result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC, - mctx, &key); - if (result != ISC_R_SUCCESS) - fatal("error loading key from %s: %s", argv[i], - isc_result_totext(result)); - if (rdclass == 0) - rdclass = dst_key_class(key); - - isc_buffer_init(&namebuf, namestr, sizeof(namestr)); - result = dns_name_tofilenametext(dst_key_name(key), - ISC_FALSE, - &namebuf); - check_result(result, "dns_name_tofilenametext"); - isc_buffer_putuint8(&namebuf, 0); - - if (domain == NULL) { - dns_fixedname_init(&fdomain); - domain = dns_fixedname_name(&fdomain); - dns_name_copy(dst_key_name(key), domain, NULL); - } else if (!dns_name_equal(domain, dst_key_name(key))) { - char str[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, str, sizeof(str)); - fatal("all keys must have the same owner - %s " - "and %s do not match", str, namestr); - } - - if (output == NULL) { - size_t len; - len = strlen("keyset-") + strlen(namestr); - output = isc_mem_allocate(mctx, len + 1); - if (output == NULL) - fatal("out of memory"); - strlcpy(output, "keyset-", len + 1); - strlcat(output, namestr, len + 1); - } - - if (dst_key_iszonekey(key)) { - dst_key_t *zonekey = NULL; - result = dst_key_fromnamedfile(argv[i], - DST_TYPE_PUBLIC | - DST_TYPE_PRIVATE, - mctx, &zonekey); - if (result != ISC_R_SUCCESS) - fatal("failed to read private key %s: %s", - argv[i], isc_result_totext(result)); - if (!zonekey_on_list(zonekey)) { - keynode = isc_mem_get(mctx, sizeof(keynode_t)); - if (keynode == NULL) - fatal("out of memory"); - keynode->key = zonekey; - ISC_LIST_INITANDAPPEND(keylist, keynode, link); - } else - dst_key_free(&zonekey); - } - dns_rdata_reset(&rdata); - isc_buffer_init(&b, data, sizeof(data)); - result = dst_key_todns(key, &b); - dst_key_free(&key); - if (result != ISC_R_SUCCESS) - fatal("failed to convert key %s to a DNS KEY: %s", - argv[i], isc_result_totext(result)); - isc_buffer_usedregion(&b, &r); - dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r); - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - domain, ttl, &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - } - - db = NULL; - result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, - rdclass, 0, NULL, &db); - if (result != ISC_R_SUCCESS) - fatal("failed to create a database"); - - version = NULL; - dns_db_newversion(db, &version); - - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); - dns_diff_clear(&diff); - - dns_fixedname_init(&tname); - dns_rdataset_init(&rdataset); - result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0, - NULL, dns_fixedname_name(&tname), &rdataset, - NULL); - check_result(result, "dns_db_find"); - - if (ISC_LIST_EMPTY(keylist)) - fprintf(stderr, - "%s: no private zone key found; not self-signing\n", - program); - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - { - dns_rdata_reset(&rdata); - isc_buffer_init(&b, data, sizeof(data)); - result = dns_dnssec_sign(domain, &rdataset, keynode->key, - &starttime, &endtime, mctx, &b, - &rdata); - isc_entropy_stopcallbacksources(ectx); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(keynode->key, keystr, sizeof(keystr)); - fatal("failed to sign keyset with key %s: %s", - keystr, isc_result_totext(result)); - } - if (tryverify) { - result = dns_dnssec_verify(domain, &rdataset, - keynode->key, ISC_TRUE, - mctx, &rdata); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(keynode->key, keystr, sizeof(keystr)); - fatal("signature from key '%s' failed to " - "verify: %s", - keystr, isc_result_totext(result)); - } - } - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - domain, ttl, &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - } - - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); - dns_diff_clear(&diff); - - dns_rdataset_disassociate(&rdataset); - - dns_db_closeversion(db, &version, ISC_TRUE); - result = dns_db_dump(db, version, output); - if (result != ISC_R_SUCCESS) { - char domainstr[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, domainstr, sizeof(domainstr)); - fatal("failed to write database for %s to %s", - domainstr, output); - } - - printf("%s\n", output); - - dns_db_detach(&db); - - while (!ISC_LIST_EMPTY(keylist)) { - keynode = ISC_LIST_HEAD(keylist); - ISC_LIST_UNLINK(keylist, keynode, link); - dst_key_free(&keynode->key); - isc_mem_put(mctx, keynode, sizeof(keynode_t)); - } - - cleanup_logging(&log); - cleanup_entropy(&ectx); - - isc_mem_free(mctx, output); - dst_lib_destroy(); - if (verbose > 10) - isc_mem_stats(mctx, stdout); - isc_mem_destroy(&mctx); - return (0); -} diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook deleted file mode 100644 index 47c70a638e4..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook +++ /dev/null @@ -1,233 +0,0 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ --> - -<refentry> - <refentryinfo> - <date>June 30, 2000</date> - </refentryinfo> - - <refmeta> - <refentrytitle><application>dnssec-makekeyset</application></refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo>BIND9</refmiscinfo> - </refmeta> - - <refnamediv> - <refname><application>dnssec-makekeyset</application></refname> - <refpurpose>DNSSEC zone signing tool</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis> - <command>dnssec-makekeyset</command> - <arg><option>-a</option></arg> - <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> - <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> - <arg><option>-h</option></arg> - <arg><option>-p</option></arg> - <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> - <arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg> - <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> - <arg choice="req" rep="repeat">key</arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1> - <title>DESCRIPTION</title> - <para> - <command>dnssec-makekeyset</command> generates a key set from one - or more keys created by <command>dnssec-keygen</command>. It creates - a file containing a KEY record for each key, and self-signs the key - set with each zone key. The output file is of the form - <filename>keyset-nnnn.</filename>, where <filename>nnnn</filename> - is the zone name. - </para> - </refsect1> - - <refsect1> - <title>OPTIONS</title> - - <variablelist> - <varlistentry> - <term>-a</term> - <listitem> - <para> - Verify all generated signatures. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-s <replaceable class="parameter">start-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <option>start-time</option> is specified, the current - time is used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-e <replaceable class="parameter">end-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - expire. As with <option>start-time</option>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <option>end-time</option> is - specified, 30 days from the start time is used as a default. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-makekeyset</command>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-p</term> - <listitem> - <para> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-t <replaceable class="parameter">ttl</replaceable></term> - <listitem> - <para> - Specify the TTL (time to live) of the KEY and SIG records. - The default is 3600 seconds. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>key</term> - <listitem> - <para> - The list of keys to be included in the keyset file. These keys - are expressed in the form <filename>Knnnn.+aaa+iiiii</filename> - as generated by <command>dnssec-keygen</command>. - </para> - </listitem> - </varlistentry> - - </variablelist> - </refsect1> - - <refsect1> - <title>EXAMPLE</title> - <para> - The following command generates a keyset containing the DSA key for - <userinput>example.com</userinput> generated in the - <command>dnssec-keygen</command> man page. - </para> - <para> - <userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput> - </para> - <para> - In this example, <command>dnssec-makekeyset</command> creates - the file <filename>keyset-example.com.</filename>. This file - contains the specified key and a self-generated signature. - </para> - <para> - The DNS administrator for <userinput>example.com</userinput> could - send <filename>keyset-example.com.</filename> to the DNS - administrator for <userinput>.com</userinput> for signing, if the - .com zone is DNSSEC-aware and the administrators of the two zones - have some mechanism for authenticating each other and exchanging - the keys and signatures securely. - </para> - </refsect1> - - <refsect1> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>dnssec-signkey</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citetitle>BIND 9 Administrator Reference Manual</citetitle>, - <citetitle>RFC 2535</citetitle>. - </para> - </refsect1> - - <refsect1> - <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> - </para> - </refsect1> - -</refentry> - -<!-- - - Local variables: - - mode: sgml - - End: ---> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html deleted file mode 100644 index ff7c424da66..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html +++ /dev/null @@ -1,407 +0,0 @@ -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ --> - -<HTML -><HEAD -><TITLE ->dnssec-makekeyset</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -><SPAN -CLASS="APPLICATION" ->dnssec-makekeyset</SPAN -></A -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-makekeyset</SPAN -> -- DNSSEC zone signing tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-makekeyset</B -> [<TT -CLASS="OPTION" ->-a</TT ->] [<TT -CLASS="OPTION" ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-h</TT ->] [<TT -CLASS="OPTION" ->-p</TT ->] [<TT -CLASS="OPTION" ->-r <TT -CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-t</TT -><TT -CLASS="REPLACEABLE" -><I ->ttl</I -></TT ->] [<TT -CLASS="OPTION" ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></TT ->] {key...}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN38" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-makekeyset</B -> generates a key set from one - or more keys created by <B -CLASS="COMMAND" ->dnssec-keygen</B ->. It creates - a file containing a KEY record for each key, and self-signs the key - set with each zone key. The output file is of the form - <TT -CLASS="FILENAME" ->keyset-nnnn.</TT ->, where <TT -CLASS="FILENAME" ->nnnn</TT -> - is the zone name. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN45" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Verify all generated signatures. - </P -></DD -><DT ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <TT -CLASS="OPTION" ->start-time</TT -> is specified, the current - time is used. - </P -></DD -><DT ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - expire. As with <TT -CLASS="OPTION" ->start-time</TT ->, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <TT -CLASS="OPTION" ->end-time</TT -> is - specified, 30 days from the start time is used as a default. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-makekeyset</B ->. - </P -></DD -><DT ->-p</DT -><DD -><P -> Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </P -></DD -><DT ->-r <TT -CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></DT -><DD -><P -> Specifies the source of randomness. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> - or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard - input should be used. - </P -></DD -><DT ->-t <TT -CLASS="REPLACEABLE" -><I ->ttl</I -></TT -></DT -><DD -><P -> Specify the TTL (time to live) of the KEY and SIG records. - The default is 3600 seconds. - </P -></DD -><DT ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -><DT ->key</DT -><DD -><P -> The list of keys to be included in the keyset file. These keys - are expressed in the form <TT -CLASS="FILENAME" ->Knnnn.+aaa+iiiii</TT -> - as generated by <B -CLASS="COMMAND" ->dnssec-keygen</B ->. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN98" -></A -><H2 ->EXAMPLE</H2 -><P -> The following command generates a keyset containing the DSA key for - <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> generated in the - <B -CLASS="COMMAND" ->dnssec-keygen</B -> man page. - </P -><P -> <TT -CLASS="USERINPUT" -><B ->dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B -></TT -> - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-makekeyset</B -> creates - the file <TT -CLASS="FILENAME" ->keyset-example.com.</TT ->. This file - contains the specified key and a self-generated signature. - </P -><P -> The DNS administrator for <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> could - send <TT -CLASS="FILENAME" ->keyset-example.com.</TT -> to the DNS - administrator for <TT -CLASS="USERINPUT" -><B ->.com</B -></TT -> for signing, if the - .com zone is DNSSEC-aware and the administrators of the two zones - have some mechanism for authenticating each other and exchanging - the keys and signatures securely. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN112" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signkey</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->, - <I -CLASS="CITETITLE" ->RFC 2535</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN123" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Software Consortium - </P -></DIV -></BODY -></HTML -> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 b/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 deleted file mode 100644 index ea55dd5af77..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 +++ /dev/null @@ -1,108 +0,0 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $ -.\" -.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" "" -.SH NAME -dnssec-signkey \- DNSSEC key set signing tool -.SH SYNOPSIS -.sp -\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR -.SH "DESCRIPTION" -.PP -\fBdnssec-signkey\fR signs a keyset. Typically -the keyset will be for a child zone, and will have been generated -by \fBdnssec-makekeyset\fR. The child zone's keyset -is signed with the zone keys for its parent zone. The output file -is of the form \fIsignedkey-nnnn.\fR, where -\fInnnn\fR is the zone name. -.SH "OPTIONS" -.TP -\fB-a\fR -Verify all generated signatures. -.TP -\fB-c \fIclass\fB\fR -Specifies the DNS class of the key sets. -.TP -\fB-s \fIstart-time\fB\fR -Specify the date and time when the generated SIG records -become valid. This can be either an absolute or relative -time. An absolute start time is indicated by a number -in YYYYMMDDHHMMSS notation; 20000530144500 denotes -14:45:00 UTC on May 30th, 2000. A relative start time is -indicated by +N, which is N seconds from the current time. -If no \fBstart-time\fR is specified, the current -time is used. -.TP -\fB-e \fIend-time\fB\fR -Specify the date and time when the generated SIG records -expire. As with \fBstart-time\fR, an absolute -time is indicated in YYYYMMDDHHMMSS notation. A time relative -to the start time is indicated with +N, which is N seconds from -the start time. A time relative to the current time is -indicated with now+N. If no \fBend-time\fR is -specified, 30 days from the start time is used as a default. -.TP -\fB-h\fR -Prints a short summary of the options and arguments to -\fBdnssec-signkey\fR. -.TP -\fB-p\fR -Use pseudo-random data when signing the zone. This is faster, -but less secure, than using real random data. This option -may be useful when signing large zones or when the entropy -source is limited. -.TP -\fB-r \fIrandomdev\fB\fR -Specifies the source of randomness. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. -.TP -\fB-v \fIlevel\fB\fR -Sets the debugging level. -.TP -\fBkeyset\fR -The file containing the child's keyset. -.TP -\fBkey\fR -The keys used to sign the child's keyset. -.SH "EXAMPLE" -.PP -The DNS administrator for a DNSSEC-aware \fB.com\fR -zone would use the following command to sign the -\fIkeyset\fR file for \fBexample.com\fR -created by \fBdnssec-makekeyset\fR with a key generated -by \fBdnssec-keygen\fR: -.PP -\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR -.PP -In this example, \fBdnssec-signkey\fR creates -the file \fIsignedkey-example.com.\fR, which -contains the \fBexample.com\fR keys and the -signatures by the \fB.com\fR keys. -.SH "SEE ALSO" -.PP -\fBdnssec-keygen\fR(8), -\fBdnssec-makekeyset\fR(8), -\fBdnssec-signzone\fR(8). -.SH "AUTHOR" -.PP -Internet Software Consortium diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.c b/usr.sbin/bind/bin/dnssec/dnssec-signkey.c deleted file mode 100644 index f821b990a4c..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.c +++ /dev/null @@ -1,450 +0,0 @@ -/* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2000-2003 Internet Software Consortium. - * Portions Copyright (C) 1995-2000 by Network Associates, Inc. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: dnssec-signkey.c,v 1.50.2.2.2.7 2004/08/28 06:25:28 marka Exp $ */ - -#include <config.h> - -#include <stdlib.h> - -#include <isc/string.h> -#include <isc/commandline.h> -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/print.h> -#include <isc/util.h> - -#include <dns/db.h> -#include <dns/dbiterator.h> -#include <dns/diff.h> -#include <dns/dnssec.h> -#include <dns/fixedname.h> -#include <dns/log.h> -#include <dns/rdata.h> -#include <dns/rdataclass.h> -#include <dns/rdataset.h> -#include <dns/rdatasetiter.h> -#include <dns/rdatastruct.h> -#include <dns/result.h> -#include <dns/secalg.h> - -#include <dst/dst.h> - -#include "dnssectool.h" - -const char *program = "dnssec-signkey"; -int verbose; - -typedef struct keynode keynode_t; -struct keynode { - dst_key_t *key; - isc_boolean_t verified; - ISC_LINK(keynode_t) link; -}; -typedef ISC_LIST(keynode_t) keylist_t; - -static isc_stdtime_t starttime = 0, endtime = 0, now; - -static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; -static keylist_t keylist; - -static void -usage(void) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\t%s [options] keyset keys\n", program); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Version: %s\n", VERSION); - - fprintf(stderr, "Options: (default value in parenthesis) \n"); - fprintf(stderr, "\t-a\n"); - fprintf(stderr, "\t\tverify generated signatures\n"); - fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n"); - fprintf(stderr, "\t\tSIG start time - absolute|offset (from keyset)\n"); - fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); - fprintf(stderr, "\t\tSIG end time - absolute|from start|from now " - "(from keyset)\n"); - fprintf(stderr, "\t-v level:\n"); - fprintf(stderr, "\t\tverbose level (0)\n"); - fprintf(stderr, "\t-p\n"); - fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n"); - fprintf(stderr, "\t-r randomdev:\n"); - fprintf(stderr, "\t\ta file containing random data\n"); - - fprintf(stderr, "\n"); - - fprintf(stderr, "keyset:\n"); - fprintf(stderr, "\tfile with keyset to be signed (keyset-<name>)\n"); - fprintf(stderr, "keys:\n"); - fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n"); - - fprintf(stderr, "\n"); - fprintf(stderr, "Output:\n"); - fprintf(stderr, "\tsigned keyset (signedkey-<name>)\n"); - exit(0); -} - -static void -loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) { - dst_key_t *key; - dns_rdata_t rdata = DNS_RDATA_INIT; - keynode_t *keynode; - isc_result_t result; - - ISC_LIST_INIT(keylist); - result = dns_rdataset_first(rdataset); - check_result(result, "dns_rdataset_first"); - for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { - dns_rdata_reset(&rdata); - dns_rdataset_current(rdataset, &rdata); - key = NULL; - result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key); - if (result != ISC_R_SUCCESS) - continue; - if (!dst_key_iszonekey(key)) { - dst_key_free(&key); - continue; - } - keynode = isc_mem_get(mctx, sizeof(keynode_t)); - if (keynode == NULL) - fatal("out of memory"); - keynode->key = key; - keynode->verified = ISC_FALSE; - ISC_LIST_INITANDAPPEND(keylist, keynode, link); - } - if (result != ISC_R_NOMORE) - fatal("failure traversing key list"); -} - -static dst_key_t * -findkey(dns_rdata_rrsig_t *sig) { - keynode_t *keynode; - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - { - if (dst_key_id(keynode->key) == sig->keyid && - dst_key_alg(keynode->key) == sig->algorithm) { - keynode->verified = ISC_TRUE; - return (keynode->key); - } - } - fatal("signature generated by non-zone or missing key"); - return (NULL); -} - -int -main(int argc, char *argv[]) { - int i, ch; - char *startstr = NULL, *endstr = NULL, *classname = NULL; - char tdomain[1025]; - dns_fixedname_t fdomain; - dns_name_t *domain; - char *output = NULL; - char *endp; - unsigned char data[65536]; - dns_db_t *db; - dns_dbnode_t *node; - dns_dbversion_t *version; - dns_diff_t diff; - dns_difftuple_t *tuple; - dns_dbiterator_t *dbiter; - dns_rdatasetiter_t *rdsiter; - dst_key_t *key = NULL; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_t sigrdata = DNS_RDATA_INIT; - dns_rdataset_t rdataset, sigrdataset; - dns_rdata_rrsig_t sig; - isc_result_t result; - isc_buffer_t b; - isc_log_t *log = NULL; - keynode_t *keynode; - isc_boolean_t pseudorandom = ISC_FALSE; - unsigned int eflags; - dns_rdataclass_t rdclass; - isc_boolean_t tryverify = ISC_FALSE; - isc_boolean_t settime = ISC_FALSE; - size_t len; - - result = isc_mem_create(0, 0, &mctx); - check_result(result, "isc_mem_create()"); - - dns_result_register(); - - while ((ch = isc_commandline_parse(argc, argv, "ac:s:e:pr:v:h")) != -1) - { - switch (ch) { - case 'a': - tryverify = ISC_TRUE; - break; - case 'c': - classname = isc_commandline_argument; - break; - - case 's': - startstr = isc_commandline_argument; - break; - - case 'e': - endstr = isc_commandline_argument; - break; - - case 'p': - pseudorandom = ISC_TRUE; - break; - - case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); - break; - - case 'v': - endp = NULL; - verbose = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("verbose level must be numeric"); - break; - - case 'h': - default: - usage(); - - } - } - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc < 2) - usage(); - - rdclass = strtoclass(classname); - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - eflags = ISC_ENTROPY_BLOCKING; - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - result = dst_lib_init(mctx, ectx, eflags); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); - - isc_stdtime_get(&now); - - if ((startstr == NULL || endstr == NULL) && - !(startstr == NULL && endstr == NULL)) - fatal("if -s or -e is specified, both must be"); - - if (startstr != NULL) { - starttime = strtotime(startstr, now, now); - endtime = strtotime(endstr, now, starttime); - settime = ISC_TRUE; - } - - setup_logging(verbose, mctx, &log); - - if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0) - fatal("keyset file '%s' must start with keyset-", argv[0]); - - db = NULL; - result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, - rdclass, 0, NULL, &db); - check_result(result, "dns_db_create()"); - - result = dns_db_load(db, argv[0]); - if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) - fatal("failed to load database from '%s': %s", argv[0], - isc_result_totext(result)); - - dns_fixedname_init(&fdomain); - domain = dns_fixedname_name(&fdomain); - - dbiter = NULL; - result = dns_db_createiterator(db, ISC_FALSE, &dbiter); - check_result(result, "dns_db_createiterator()"); - - result = dns_dbiterator_first(dbiter); - check_result(result, "dns_dbiterator_first()"); - while (result == ISC_R_SUCCESS) { - node = NULL; - dns_dbiterator_current(dbiter, &node, domain); - rdsiter = NULL; - result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets()"); - result = dns_rdatasetiter_first(rdsiter); - dns_rdatasetiter_destroy(&rdsiter); - if (result == ISC_R_SUCCESS) - break; - dns_db_detachnode(db, &node); - result = dns_dbiterator_next(dbiter); - } - dns_dbiterator_destroy(&dbiter); - if (result != ISC_R_SUCCESS) - fatal("failed to find data in keyset file"); - - isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1); - result = dns_name_tofilenametext(domain, ISC_FALSE, &b); - check_result(result, "dns_name_tofilenametext()"); - isc_buffer_putuint8(&b, 0); - - len = strlen("signedkey-") + strlen(tdomain); - output = isc_mem_allocate(mctx, len + 1); - if (output == NULL) - fatal("out of memory"); - strlcpy(output, "signedkey-", len + 1); - strlcat(output, tdomain, len + 1); - - version = NULL; - dns_db_newversion(db, &version); - - dns_rdataset_init(&rdataset); - dns_rdataset_init(&sigrdataset); - result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0, - 0, &rdataset, &sigrdataset); - if (result != ISC_R_SUCCESS) { - char domainstr[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, domainstr, sizeof(domainstr)); - fatal("failed to find rdataset '%s KEY': %s", - domainstr, isc_result_totext(result)); - } - - loadkeys(domain, &rdataset); - - dns_diff_init(mctx, &diff); - - if (!dns_rdataset_isassociated(&sigrdataset)) - fatal("no SIG KEY set present"); - - result = dns_rdataset_first(&sigrdataset); - check_result(result, "dns_rdataset_first()"); - do { - dns_rdataset_current(&sigrdataset, &sigrdata); - result = dns_rdata_tostruct(&sigrdata, &sig, mctx); - check_result(result, "dns_rdata_tostruct()"); - key = findkey(&sig); - result = dns_dnssec_verify(domain, &rdataset, key, - ISC_TRUE, mctx, &sigrdata); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("signature by key '%s' did not verify: %s", - keystr, isc_result_totext(result)); - } - if (!settime) { - starttime = sig.timesigned; - endtime = sig.timeexpire; - settime = ISC_TRUE; - } - dns_rdata_freestruct(&sig); - dns_rdata_reset(&sigrdata); - result = dns_rdataset_next(&sigrdataset); - } while (result == ISC_R_SUCCESS); - - for (keynode = ISC_LIST_HEAD(keylist); - keynode != NULL; - keynode = ISC_LIST_NEXT(keynode, link)) - if (!keynode->verified) - fatal("not all zone keys self signed the key set"); - - argc -= 1; - argv += 1; - - for (i = 0; i < argc; i++) { - key = NULL; - result = dst_key_fromnamedfile(argv[i], - DST_TYPE_PUBLIC | - DST_TYPE_PRIVATE, - mctx, &key); - if (result != ISC_R_SUCCESS) - fatal("failed to read key %s from disk: %s", - argv[i], isc_result_totext(result)); - - dns_rdata_reset(&rdata); - isc_buffer_init(&b, data, sizeof(data)); - result = dns_dnssec_sign(domain, &rdataset, key, - &starttime, &endtime, - mctx, &b, &rdata); - isc_entropy_stopcallbacksources(ectx); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("key '%s' failed to sign data: %s", - keystr, isc_result_totext(result)); - } - if (tryverify) { - result = dns_dnssec_verify(domain, &rdataset, key, - ISC_TRUE, mctx, &rdata); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("signature from key '%s' failed to " - "verify: %s", - keystr, isc_result_totext(result)); - } - } - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - domain, rdataset.ttl, - &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - dst_key_free(&key); - } - - result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig, - dns_rdatatype_dnskey); - check_result(result, "dns_db_deleterdataset"); - - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); - dns_diff_clear(&diff); - - dns_db_detachnode(db, &node); - dns_db_closeversion(db, &version, ISC_TRUE); - result = dns_db_dump(db, version, output); - if (result != ISC_R_SUCCESS) - fatal("failed to write database to '%s': %s", - output, isc_result_totext(result)); - - printf("%s\n", output); - - dns_rdataset_disassociate(&rdataset); - dns_rdataset_disassociate(&sigrdataset); - - dns_db_detach(&db); - - while (!ISC_LIST_EMPTY(keylist)) { - keynode = ISC_LIST_HEAD(keylist); - ISC_LIST_UNLINK(keylist, keynode, link); - dst_key_free(&keynode->key); - isc_mem_put(mctx, keynode, sizeof(keynode_t)); - } - - cleanup_logging(&log); - - isc_mem_free(mctx, output); - cleanup_entropy(&ectx); - dst_lib_destroy(); - if (verbose > 10) - isc_mem_stats(mctx, stdout); - isc_mem_destroy(&mctx); - return (0); -} diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook b/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook deleted file mode 100644 index 40cf45ba2f2..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook +++ /dev/null @@ -1,237 +0,0 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ --> - -<refentry> - <refentryinfo> - <date>June 30, 2000</date> - </refentryinfo> - - <refmeta> - <refentrytitle><application>dnssec-signkey</application></refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo>BIND9</refmiscinfo> - </refmeta> - - <refnamediv> - <refname><application>dnssec-signkey</application></refname> - <refpurpose>DNSSEC key set signing tool</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis> - <command>dnssec-signkey</command> - <arg><option>-a</option></arg> - <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> - <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> - <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> - <arg><option>-h</option></arg> - <arg><option>-p</option></arg> - <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> - <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> - <arg choice="req">keyset</arg> - <arg choice="req" rep="repeat">key</arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1> - <title>DESCRIPTION</title> - <para> - <command>dnssec-signkey</command> signs a keyset. Typically - the keyset will be for a child zone, and will have been generated - by <command>dnssec-makekeyset</command>. The child zone's keyset - is signed with the zone keys for its parent zone. The output file - is of the form <filename>signedkey-nnnn.</filename>, where - <filename>nnnn</filename> is the zone name. - </para> - </refsect1> - - <refsect1> - <title>OPTIONS</title> - - <variablelist> - <varlistentry> - <term>-a</term> - <listitem> - <para> - Verify all generated signatures. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-c <replaceable class="parameter">class</replaceable></term> - <listitem> - <para> - Specifies the DNS class of the key sets. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-s <replaceable class="parameter">start-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <option>start-time</option> is specified, the current - time is used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-e <replaceable class="parameter">end-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated SIG records - expire. As with <option>start-time</option>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <option>end-time</option> is - specified, 30 days from the start time is used as a default. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-signkey</command>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-p</term> - <listitem> - <para> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>keyset</term> - <listitem> - <para> - The file containing the child's keyset. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>key</term> - <listitem> - <para> - The keys used to sign the child's keyset. - </para> - </listitem> - </varlistentry> - - </variablelist> - </refsect1> - - <refsect1> - <title>EXAMPLE</title> - <para> - The DNS administrator for a DNSSEC-aware <userinput>.com</userinput> - zone would use the following command to sign the - <filename>keyset</filename> file for <userinput>example.com</userinput> - created by <command>dnssec-makekeyset</command> with a key generated - by <command>dnssec-keygen</command>: - </para> - <para> - <userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput> - </para> - <para> - In this example, <command>dnssec-signkey</command> creates - the file <filename>signedkey-example.com.</filename>, which - contains the <userinput>example.com</userinput> keys and the - signatures by the <userinput>.com</userinput> keys. - </para> - </refsect1> - - <refsect1> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>dnssec-makekeyset</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>dnssec-signzone</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>. - </para> - </refsect1> - - <refsect1> - <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> - </para> - </refsect1> - -</refentry> - -<!-- - - Local variables: - - mode: sgml - - End: ---> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.html b/usr.sbin/bind/bin/dnssec/dnssec-signkey.html deleted file mode 100644 index fb134bfe1b3..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.html +++ /dev/null @@ -1,407 +0,0 @@ -<!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $ISC: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ --> - -<HTML -><HEAD -><TITLE ->dnssec-signkey</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -><SPAN -CLASS="APPLICATION" ->dnssec-signkey</SPAN -></A -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-signkey</SPAN -> -- DNSSEC key set signing tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-signkey</B -> [<TT -CLASS="OPTION" ->-a</TT ->] [<TT -CLASS="OPTION" ->-c <TT -CLASS="REPLACEABLE" -><I ->class</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-h</TT ->] [<TT -CLASS="OPTION" ->-p</TT ->] [<TT -CLASS="OPTION" ->-r <TT -CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></TT ->] [<TT -CLASS="OPTION" ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></TT ->] {keyset} {key...}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN39" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-signkey</B -> signs a keyset. Typically - the keyset will be for a child zone, and will have been generated - by <B -CLASS="COMMAND" ->dnssec-makekeyset</B ->. The child zone's keyset - is signed with the zone keys for its parent zone. The output file - is of the form <TT -CLASS="FILENAME" ->signedkey-nnnn.</TT ->, where - <TT -CLASS="FILENAME" ->nnnn</TT -> is the zone name. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN46" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Verify all generated signatures. - </P -></DD -><DT ->-c <TT -CLASS="REPLACEABLE" -><I ->class</I -></TT -></DT -><DD -><P -> Specifies the DNS class of the key sets. - </P -></DD -><DT ->-s <TT -CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <TT -CLASS="OPTION" ->start-time</TT -> is specified, the current - time is used. - </P -></DD -><DT ->-e <TT -CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></DT -><DD -><P -> Specify the date and time when the generated SIG records - expire. As with <TT -CLASS="OPTION" ->start-time</TT ->, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <TT -CLASS="OPTION" ->end-time</TT -> is - specified, 30 days from the start time is used as a default. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-signkey</B ->. - </P -></DD -><DT ->-p</DT -><DD -><P -> Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </P -></DD -><DT ->-r <TT -CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></DT -><DD -><P -> Specifies the source of randomness. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> - or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard - input should be used. - </P -></DD -><DT ->-v <TT -CLASS="REPLACEABLE" -><I ->level</I -></TT -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -><DT ->keyset</DT -><DD -><P -> The file containing the child's keyset. - </P -></DD -><DT ->key</DT -><DD -><P -> The keys used to sign the child's keyset. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN101" -></A -><H2 ->EXAMPLE</H2 -><P -> The DNS administrator for a DNSSEC-aware <TT -CLASS="USERINPUT" -><B ->.com</B -></TT -> - zone would use the following command to sign the - <TT -CLASS="FILENAME" ->keyset</TT -> file for <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> - created by <B -CLASS="COMMAND" ->dnssec-makekeyset</B -> with a key generated - by <B -CLASS="COMMAND" ->dnssec-keygen</B ->: - </P -><P -> <TT -CLASS="USERINPUT" -><B ->dnssec-signkey keyset-example.com. Kcom.+003+51944</B -></TT -> - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-signkey</B -> creates - the file <TT -CLASS="FILENAME" ->signedkey-example.com.</TT ->, which - contains the <TT -CLASS="USERINPUT" -><B ->example.com</B -></TT -> keys and the - signatures by the <TT -CLASS="USERINPUT" -><B ->.com</B -></TT -> keys. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN116" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-makekeyset</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signzone</SPAN ->(8)</SPAN ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN128" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Software Consortium - </P -></DIV -></BODY -></HTML -> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 b/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 index 6f158fcb6c6..a6dffe57a66 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 @@ -1,167 +1,157 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: dnssec-signzone.8,v 1.23.2.1.4.6 2004/06/11 02:32:46 marka Exp $ +.\" $ISC: dnssec-signzone.8,v 1.23.2.1.4.10 2005/10/13 02:33:45 marka Exp $ .\" -.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" "" -.SH NAME -dnssec-signzone \- DNSSEC zone signing tool -.SH SYNOPSIS -.sp -\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ] +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +dnssec\-signzone \- DNSSEC zone signing tool +.SH "SYNOPSIS" +.HP 16 +\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...] .SH "DESCRIPTION" .PP -\fBdnssec-signzone\fR signs a zone. It generates -NSEC and RRSIG records and produces a signed version of the -zone. The security status of delegations from the signed zone -(that is, whether the child zones are secure or not) is -determined by the presence or absence of a -\fIkeyset\fR file for each child zone. +\fBdnssec\-signzone\fR +signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a +\fIkeyset\fR +file for each child zone. .SH "OPTIONS" .TP -\fB-a\fR +\-a Verify all generated signatures. .TP -\fB-c \fIclass\fB\fR +\-c \fIclass\fR Specifies the DNS class of the zone. .TP -\fB-k \fIkey\fB\fR -Treat specified key as a key signing key ignoring any -key flags. This option may be specified multiple times. -.TP -\fB-l \fIdomain\fB\fR -Generate a DLV set in addition to the key (DNSKEY) and DS sets. -The domain is appended to the name of the records. -.TP -\fB-d \fIdirectory\fB\fR -Look for \fIkeyset\fR files in -\fBdirectory\fR as the directory -.TP -\fB-g\fR -Generate DS records for child zones from keyset files. -Existing DS records will be removed. -.TP -\fB-s \fIstart-time\fB\fR -Specify the date and time when the generated RRSIG records -become valid. This can be either an absolute or relative -time. An absolute start time is indicated by a number -in YYYYMMDDHHMMSS notation; 20000530144500 denotes -14:45:00 UTC on May 30th, 2000. A relative start time is -indicated by +N, which is N seconds from the current time. -If no \fBstart-time\fR is specified, the current -time minus 1 hour (to allow for clock skew) is used. -.TP -\fB-e \fIend-time\fB\fR -Specify the date and time when the generated RRSIG records -expire. As with \fBstart-time\fR, an absolute -time is indicated in YYYYMMDDHHMMSS notation. A time relative -to the start time is indicated with +N, which is N seconds from -the start time. A time relative to the current time is -indicated with now+N. If no \fBend-time\fR is -specified, 30 days from the start time is used as a default. -.TP -\fB-f \fIoutput-file\fB\fR -The name of the output file containing the signed zone. The -default is to append \fI.signed\fR to the -input file. -.TP -\fB-h\fR +\-k \fIkey\fR +Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. +.TP +\-l \fIdomain\fR +Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. +.TP +\-d \fIdirectory\fR +Look for +\fIkeyset\fR +files in +\fBdirectory\fR +as the directory +.TP +\-g +Generate DS records for child zones from keyset files. Existing DS records will be removed. +.TP +\-s \fIstart\-time\fR +Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no +\fBstart\-time\fR +is specified, the current time minus 1 hour (to allow for clock skew) is used. +.TP +\-e \fIend\-time\fR +Specify the date and time when the generated RRSIG records expire. As with +\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no +\fBend\-time\fR +is specified, 30 days from the start time is used as a default. +.TP +\-f \fIoutput\-file\fR +The name of the output file containing the signed zone. The default is to append +\fI.signed\fR +to the input file. +.TP +\-h Prints a short summary of the options and arguments to -\fBdnssec-signzone\fR. -.TP -\fB-i \fIinterval\fB\fR -When a previously signed zone is passed as input, records -may be resigned. The \fBinterval\fR option -specifies the cycle interval as an offset from the current -time (in seconds). If a RRSIG record expires after the -cycle interval, it is retained. Otherwise, it is considered -to be expiring soon, and it will be replaced. - -The default cycle interval is one quarter of the difference -between the signature end and start times. So if neither -\fBend-time\fR or \fBstart-time\fR -are specified, \fBdnssec-signzone\fR generates -signatures that are valid for 30 days, with a cycle -interval of 7.5 days. Therefore, if any existing RRSIG records -are due to expire in less than 7.5 days, they would be -replaced. -.TP -\fB-n \fIncpus\fB\fR -Specifies the number of threads to use. By default, one -thread is started for each detected CPU. -.TP -\fB-o \fIorigin\fB\fR -The zone origin. If not specified, the name of the zone file -is assumed to be the origin. -.TP -\fB-p\fR -Use pseudo-random data when signing the zone. This is faster, -but less secure, than using real random data. This option -may be useful when signing large zones or when the entropy -source is limited. -.TP -\fB-r \fIrandomdev\fB\fR -Specifies the source of randomness. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. -.TP -\fB-t\fR +\fBdnssec\-signzone\fR. +.TP +\-i \fIinterval\fR +When a previously signed zone is passed as input, records may be resigned. The +\fBinterval\fR +option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. +.sp +The default cycle interval is one quarter of the difference between the signature end and start times. So if neither +\fBend\-time\fR +or +\fBstart\-time\fR +are specified, +\fBdnssec\-signzone\fR +generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. +.TP +\-n \fIncpus\fR +Specifies the number of threads to use. By default, one thread is started for each detected CPU. +.TP +\-o \fIorigin\fR +The zone origin. If not specified, the name of the zone file is assumed to be the origin. +.TP +\-p +Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. +.TP +\-r \fIrandomdev\fR +Specifies the source of randomness. If the operating system does not provide a +\fI/dev/random\fR +or equivalent device, the default source of randomness is keyboard input. +\fIrandomdev\fR +specifies the name of a character device or file containing random data to be used instead of the default. The special value +\fIkeyboard\fR +indicates that keyboard input should be used. +.TP +\-t Print statistics at completion. .TP -\fB-v \fIlevel\fB\fR +\-v \fIlevel\fR Sets the debugging level. .TP -\fB-z\fR +\-z Ignore KSK flag on key when determining what to sign. .TP -\fBzonefile\fR +zonefile The file containing the zone to be signed. -Sets the debugging level. .TP -\fBkey\fR -The keys used to sign the zone. If no keys are specified, the -default all zone keys that have private key files in the -current directory. +key +The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory. .SH "EXAMPLE" .PP -The following command signs the \fBexample.com\fR -zone with the DSA key generated in the \fBdnssec-keygen\fR +The following command signs the +\fBexample.com\fR +zone with the DSA key generated in the +\fBdnssec\-keygen\fR man page. The zone's keys must be in the zone. If there are -\fIkeyset\fR files associated with child zones, -they must be in the current directory. -\fBexample.com\fR, the following command would be -issued: +\fIkeyset\fR +files associated with child zones, they must be in the current directory. +\fBexample.com\fR, the following command would be issued: .PP -\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR +\fBdnssec\-signzone \-o example.com db.example.com Kexample.com.+003+26160\fR .PP The command would print a string of the form: .PP -In this example, \fBdnssec-signzone\fR creates -the file \fIdb.example.com.signed\fR. This file -should be referenced in a zone statement in a -\fInamed.conf\fR file. +In this example, +\fBdnssec\-signzone\fR +creates the file +\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a +\fInamed.conf\fR +file. .SH "SEE ALSO" .PP -\fBdnssec-keygen\fR(8), -\fIBIND 9 Administrator Reference Manual\fR, -\fIRFC 2535\fR. +\fBdnssec\-keygen\fR(8), +BIND 9 Administrator Reference Manual, +RFC 2535. .SH "AUTHOR" .PP Internet Systems Consortium diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c b/usr.sbin/bind/bin/dnssec/dnssec-signzone.c index e8645027a40..76fd0f3ba27 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssec-signzone.c,v 1.139.2.2.4.17 2004/10/25 01:36:06 marka Exp $ */ +/* $ISC: dnssec-signzone.c,v 1.139.2.2.4.21 2005/10/14 01:38:41 marka Exp $ */ #include <config.h> @@ -787,7 +787,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_rdatasetiter_t *rdsiter; isc_boolean_t isdelegation = ISC_FALSE; isc_boolean_t hasds = ISC_FALSE; - isc_boolean_t atorigin; isc_boolean_t changed = ISC_FALSE; dns_diff_t del, add; char namestr[DNS_NAME_FORMATSIZE]; @@ -795,8 +794,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_name_format(name, namestr, sizeof(namestr)); - atorigin = dns_name_equal(name, gorigin); - /* * Determine if this is a delegation point. */ @@ -931,13 +928,16 @@ signname(dns_dbnode_t *node, dns_name_t *name) { static inline isc_boolean_t active_node(dns_dbnode_t *node) { - dns_rdatasetiter_t *rdsiter; + dns_rdatasetiter_t *rdsiter = NULL; + dns_rdatasetiter_t *rdsiter2 = NULL; isc_boolean_t active = ISC_FALSE; isc_result_t result; dns_rdataset_t rdataset; + dns_rdatatype_t type; + dns_rdatatype_t covers; + isc_boolean_t found; dns_rdataset_init(&rdataset); - rdsiter = NULL; result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); result = dns_rdatasetiter_first(rdsiter); @@ -958,36 +958,63 @@ active_node(dns_dbnode_t *node) { if (!active) { /* - * Make sure there is no NSEC / RRSIG records for - * this node. + * The node is empty of everything but NSEC / RRSIG records. */ - result = dns_db_deleterdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0); - if (result == DNS_R_UNCHANGED) - result = ISC_R_SUCCESS; - check_result(result, "dns_db_deleterdataset(nsec)"); - - result = dns_rdatasetiter_first(rdsiter); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) { dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.type == dns_rdatatype_rrsig) { - dns_rdatatype_t type = rdataset.type; - dns_rdatatype_t covers = rdataset.covers; + result = dns_db_deleterdataset(gdb, node, gversion, + rdataset.type, + rdataset.covers); + check_result(result, "dns_db_deleterdataset()"); + dns_rdataset_disassociate(&rdataset); + } + if (result != ISC_R_NOMORE) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); + } else { + /* + * Delete RRSIGs for types that no longer exist. + */ + result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2); + check_result(result, "dns_db_allrdatasets()"); + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) { + dns_rdatasetiter_current(rdsiter, &rdataset); + type = rdataset.type; + covers = rdataset.covers; + dns_rdataset_disassociate(&rdataset); + if (type != dns_rdatatype_rrsig) + continue; + found = ISC_FALSE; + for (result = dns_rdatasetiter_first(rdsiter2); + !found && result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter2)) { + dns_rdatasetiter_current(rdsiter2, &rdataset); + if (rdataset.type == covers) + found = ISC_TRUE; + dns_rdataset_disassociate(&rdataset); + } + if (!found) { + if (result != ISC_R_NOMORE) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); result = dns_db_deleterdataset(gdb, node, gversion, type, covers); - if (result == DNS_R_UNCHANGED) - result = ISC_R_SUCCESS; check_result(result, "dns_db_deleterdataset(rrsig)"); - } - dns_rdataset_disassociate(&rdataset); + } else if (result != ISC_R_NOMORE && + result != ISC_R_SUCCESS) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); } if (result != ISC_R_NOMORE) fatal("rdataset iteration failed: %s", isc_result_totext(result)); + dns_rdatasetiter_destroy(&rdsiter2); } dns_rdatasetiter_destroy(&rdsiter); @@ -1423,7 +1450,6 @@ warnifallksk(dns_db_t *db) { dns_dbnode_t *node = NULL; dns_rdataset_t rdataset; dns_rdata_t rdata = DNS_RDATA_INIT; - dst_key_t *pubkey; isc_result_t result; dns_rdata_key_t key; isc_boolean_t have_non_ksk = ISC_FALSE; @@ -1444,7 +1470,6 @@ warnifallksk(dns_db_t *db) { result = dns_rdataset_first(&rdataset); check_result(result, "dns_rdataset_first"); while (result == ISC_R_SUCCESS) { - pubkey = NULL; dns_rdata_reset(&rdata); dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &key, NULL); @@ -1615,9 +1640,9 @@ usage(void) { fprintf(stderr, "\t\tdirectory to find keyset files (.)\n"); fprintf(stderr, "\t-g:\t"); fprintf(stderr, "generate DS records from keyset files\n"); - fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n"); + fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n"); fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n"); - fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); + fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now " "(now + 30 days)\n"); fprintf(stderr, "\t-i interval:\n"); diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook b/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook index a559e80064e..6c36ff708b0 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook @@ -1,7 +1,9 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dnssec-signzone.docbook,v 1.2.2.2.4.8 2004/06/11 01:17:35 marka Exp $ --> +<!-- $ISC: dnssec-signzone.docbook,v 1.2.2.2.4.11 2005/06/24 00:18:15 marka Exp $ --> <refentry> <refentryinfo> @@ -29,6 +31,21 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname><application>dnssec-signzone</application></refname> <refpurpose>DNSSEC zone signing tool</refpurpose> @@ -290,7 +307,6 @@ <listitem> <para> The file containing the zone to be signed. - Sets the debugging level. </para> </listitem> </varlistentry> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html b/usr.sbin/bind/bin/dnssec/dnssec-signzone.html index 4c0f0008897..787d7703ba9 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.html @@ -1,553 +1,220 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: dnssec-signzone.html,v 1.4.2.1.4.7 2004/08/22 23:38:58 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->dnssec-signzone</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->dnssec-signzone</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->dnssec-signzone</SPAN -> -- DNSSEC zone signing tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->dnssec-signzone</B -> [<VAR -CLASS="OPTION" ->-a</VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-d <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-e <VAR -CLASS="REPLACEABLE" ->end-time</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f <VAR -CLASS="REPLACEABLE" ->output-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-g</VAR ->] [<VAR -CLASS="OPTION" ->-h</VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->key</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-l <VAR -CLASS="REPLACEABLE" ->domain</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-i <VAR -CLASS="REPLACEABLE" ->interval</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-n <VAR -CLASS="REPLACEABLE" ->nthreads</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-o <VAR -CLASS="REPLACEABLE" ->origin</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p</VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->start-time</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t</VAR ->] [<VAR -CLASS="OPTION" ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-z</VAR ->] {zonefile} [key...]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN66" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->dnssec-signzone</B -> signs a zone. It generates +<!-- $ISC: dnssec-signzone.html,v 1.4.2.1.4.14 2005/10/13 02:33:46 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dnssec-signzone</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525979"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a - <TT -CLASS="FILENAME" ->keyset</TT -> file for each child zone. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN71" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Verify all generated signatures. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->class</VAR -></DT -><DD -><P -> Specifies the DNS class of the zone. - </P -></DD -><DT ->-k <VAR -CLASS="REPLACEABLE" ->key</VAR -></DT -><DD -><P -> Treat specified key as a key signing key ignoring any + <code class="filename">keyset</code> file for each child zone. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525995"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a</span></dt> +<dd><p> + Verify all generated signatures. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> +<dd><p> + Specifies the DNS class of the zone. + </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt> +<dd><p> + Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. - </P -></DD -><DT ->-l <VAR -CLASS="REPLACEABLE" ->domain</VAR -></DT -><DD -><P -> Generate a DLV set in addition to the key (DNSKEY) and DS sets. + </p></dd> +<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> +<dd><p> + Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. - </P -></DD -><DT ->-d <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> Look for <TT -CLASS="FILENAME" ->keyset</TT -> files in - <VAR -CLASS="OPTION" ->directory</VAR -> as the directory - </P -></DD -><DT ->-g</DT -><DD -><P -> Generate DS records for child zones from keyset files. + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> +<dd><p> + Look for <code class="filename">keyset</code> files in + <code class="option">directory</code> as the directory + </p></dd> +<dt><span class="term">-g</span></dt> +<dd><p> + Generate DS records for child zones from keyset files. Existing DS records will be removed. - </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->start-time</VAR -></DT -><DD -><P -> Specify the date and time when the generated RRSIG records + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt> +<dd><p> + Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. - If no <VAR -CLASS="OPTION" ->start-time</VAR -> is specified, the current + If no <code class="option">start-time</code> is specified, the current time minus 1 hour (to allow for clock skew) is used. - </P -></DD -><DT ->-e <VAR -CLASS="REPLACEABLE" ->end-time</VAR -></DT -><DD -><P -> Specify the date and time when the generated RRSIG records - expire. As with <VAR -CLASS="OPTION" ->start-time</VAR ->, an absolute + </p></dd> +<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt> +<dd><p> + Specify the date and time when the generated RRSIG records + expire. As with <code class="option">start-time</code>, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is - indicated with now+N. If no <VAR -CLASS="OPTION" ->end-time</VAR -> is + indicated with now+N. If no <code class="option">end-time</code> is specified, 30 days from the start time is used as a default. - </P -></DD -><DT ->-f <VAR -CLASS="REPLACEABLE" ->output-file</VAR -></DT -><DD -><P -> The name of the output file containing the signed zone. The - default is to append <TT -CLASS="FILENAME" ->.signed</TT -> to the + </p></dd> +<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt> +<dd><p> + The name of the output file containing the signed zone. The + default is to append <code class="filename">.signed</code> to the input file. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->dnssec-signzone</B ->. - </P -></DD -><DT ->-i <VAR -CLASS="REPLACEABLE" ->interval</VAR -></DT -><DD -><P -> When a previously signed zone is passed as input, records - may be resigned. The <VAR -CLASS="OPTION" ->interval</VAR -> option + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-signzone</strong></span>. + </p></dd> +<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt> +<dd> +<p> + When a previously signed zone is passed as input, records + may be resigned. The <code class="option">interval</code> option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. - </P -><P -> The default cycle interval is one quarter of the difference + </p> +<p> + The default cycle interval is one quarter of the difference between the signature end and start times. So if neither - <VAR -CLASS="OPTION" ->end-time</VAR -> or <VAR -CLASS="OPTION" ->start-time</VAR -> - are specified, <B -CLASS="COMMAND" ->dnssec-signzone</B -> generates + <code class="option">end-time</code> or <code class="option">start-time</code> + are specified, <span><strong class="command">dnssec-signzone</strong></span> generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->ncpus</VAR -></DT -><DD -><P -> Specifies the number of threads to use. By default, one + </p> +</dd> +<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt> +<dd><p> + Specifies the number of threads to use. By default, one thread is started for each detected CPU. - </P -></DD -><DT ->-o <VAR -CLASS="REPLACEABLE" ->origin</VAR -></DT -><DD -><P -> The zone origin. If not specified, the name of the zone file + </p></dd> +<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt> +<dd><p> + The zone origin. If not specified, the name of the zone file is assumed to be the origin. - </P -></DD -><DT ->-p</DT -><DD -><P -> Use pseudo-random data when signing the zone. This is faster, + </p></dd> +<dt><span class="term">-p</span></dt> +<dd><p> + Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. - </P -></DD -><DT ->-r <VAR -CLASS="REPLACEABLE" ->randomdev</VAR -></DT -><DD -><P -> Specifies the source of randomness. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> +<dd><p> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies + is keyboard input. <code class="filename">randomdev</code> specifies the name of a character device or file containing random data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard + <code class="filename">keyboard</code> indicates that keyboard input should be used. - </P -></DD -><DT ->-t</DT -><DD -><P -> Print statistics at completion. - </P -></DD -><DT ->-v <VAR -CLASS="REPLACEABLE" ->level</VAR -></DT -><DD -><P -> Sets the debugging level. - </P -></DD -><DT ->-z</DT -><DD -><P -> Ignore KSK flag on key when determining what to sign. - </P -></DD -><DT ->zonefile</DT -><DD -><P -> The file containing the zone to be signed. + </p></dd> +<dt><span class="term">-t</span></dt> +<dd><p> + Print statistics at completion. + </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> Sets the debugging level. - </P -></DD -><DT ->key</DT -><DD -><P -> The keys used to sign the zone. If no keys are specified, the + </p></dd> +<dt><span class="term">-z</span></dt> +<dd><p> + Ignore KSK flag on key when determining what to sign. + </p></dd> +<dt><span class="term">zonefile</span></dt> +<dd><p> + The file containing the zone to be signed. + </p></dd> +<dt><span class="term">key</span></dt> +<dd><p> + The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN181" -></A -><H2 ->EXAMPLE</H2 -><P -> The following command signs the <KBD -CLASS="USERINPUT" ->example.com</KBD -> - zone with the DSA key generated in the <B -CLASS="COMMAND" ->dnssec-keygen</B -> + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526435"></a><h2>EXAMPLE</h2> +<p> + The following command signs the <strong class="userinput"><code>example.com</code></strong> + zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span> man page. The zone's keys must be in the zone. If there are - <TT -CLASS="FILENAME" ->keyset</TT -> files associated with child zones, + <code class="filename">keyset</code> files associated with child zones, they must be in the current directory. - <KBD -CLASS="USERINPUT" ->example.com</KBD ->, the following command would be + <strong class="userinput"><code>example.com</code></strong>, the following command would be issued: - </P -><P -> <KBD -CLASS="USERINPUT" ->dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</KBD -> - </P -><P -> The command would print a string of the form: - </P -><P -> In this example, <B -CLASS="COMMAND" ->dnssec-signzone</B -> creates - the file <TT -CLASS="FILENAME" ->db.example.com.signed</TT ->. This file + </p> +<p> + <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong> + </p> +<p> + The command would print a string of the form: + </p> +<p> + In this example, <span><strong class="command">dnssec-signzone</strong></span> creates + the file <code class="filename">db.example.com.signed</code>. This file should be referenced in a zone statement in a - <TT -CLASS="FILENAME" ->named.conf</TT -> file. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN195" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->, - <I -CLASS="CITETITLE" ->RFC 2535</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN203" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + <code class="filename">named.conf</code> file. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526485"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 2535</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526512"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/dnssec/dnssectool.c b/usr.sbin/bind/bin/dnssec/dnssectool.c index 01e655d4712..965373e71ea 100644 --- a/usr.sbin/bind/bin/dnssec/dnssectool.c +++ b/usr.sbin/bind/bin/dnssec/dnssectool.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssectool.c,v 1.31.2.3.2.4 2004/03/08 02:07:38 marka Exp $ */ +/* $ISC: dnssectool.c,v 1.31.2.3.2.6 2005/07/02 02:42:43 marka Exp $ */ #include <config.h> @@ -145,6 +145,8 @@ setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) { isc_log_t *log = NULL; int level; + if (verbose < 0) + verbose = 0; switch (verbose) { case 0: /* diff --git a/usr.sbin/bind/bin/named/client.c b/usr.sbin/bind/bin/named/client.c index 691ae3f472b..16e1040f129 100644 --- a/usr.sbin/bind/bin/named/client.c +++ b/usr.sbin/bind/bin/named/client.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: client.c,v 1.176.2.13.4.23 2004/09/26 22:37:43 marka Exp $ */ +/* $ISC: client.c,v 1.176.2.13.4.26 2005/07/27 02:53:14 marka Exp $ */ #include <config.h> @@ -177,20 +177,10 @@ static void client_request(isc_task_t *task, isc_event_t *event); static void ns_client_dumpmessage(ns_client_t *client, const char *reason); void -ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) { - ns_client_t *oldest; +ns_client_recursing(ns_client_t *client) { REQUIRE(NS_CLIENT_VALID(client)); LOCK(&client->manager->lock); - if (killoldest) { - oldest = ISC_LIST_HEAD(client->manager->recursing); - if (oldest != NULL) { - ns_query_cancel(oldest); - ISC_LIST_UNLINK(*oldest->list, oldest, link); - ISC_LIST_APPEND(client->manager->active, oldest, link); - oldest->list = &client->manager->active; - } - } ISC_LIST_UNLINK(*client->list, client, link); ISC_LIST_APPEND(client->manager->recursing, client, link); client->list = &client->manager->recursing; @@ -198,6 +188,22 @@ ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) { } void +ns_client_killoldestquery(ns_client_t *client) { + ns_client_t *oldest; + REQUIRE(NS_CLIENT_VALID(client)); + + LOCK(&client->manager->lock); + oldest = ISC_LIST_HEAD(client->manager->recursing); + if (oldest != NULL) { + ns_query_cancel(oldest); + ISC_LIST_UNLINK(*oldest->list, oldest, link); + ISC_LIST_APPEND(client->manager->active, oldest, link); + oldest->list = &client->manager->active; + } + UNLOCK(&client->manager->lock); +} + +void ns_client_settimeout(ns_client_t *client, unsigned int seconds) { isc_result_t result; isc_interval_t interval; @@ -1603,8 +1609,7 @@ client_timeout(isc_task_t *task, isc_event_t *event) { } static isc_result_t -client_create(ns_clientmgr_t *manager, ns_client_t **clientp) -{ +client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { ns_client_t *client; isc_result_t result; diff --git a/usr.sbin/bind/bin/named/control.c b/usr.sbin/bind/bin/named/control.c index 157c7550d78..25fe878a749 100644 --- a/usr.sbin/bind/bin/named/control.c +++ b/usr.sbin/bind/bin/named/control.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: control.c,v 1.7.2.2.2.11 2004/09/03 03:43:31 marka Exp $ */ +/* $ISC: control.c,v 1.7.2.2.2.14 2005/04/29 01:04:47 marka Exp $ */ #include <config.h> @@ -37,6 +37,9 @@ #include <named/log.h> #include <named/os.h> #include <named/server.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#endif static isc_boolean_t command_compare(const char *text, const char *command) { @@ -58,6 +61,9 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { isccc_sexpr_t *data; char *command; isc_result_t result; +#ifdef HAVE_LIBSCF + ns_smf_want_disable = 0; +#endif data = isccc_alist_lookup(message, "_data"); if (data == NULL) { @@ -92,11 +98,41 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { } else if (command_compare(command, NS_COMMAND_RETRANSFER)) { result = ns_server_retransfercommand(ns_g_server, command); } else if (command_compare(command, NS_COMMAND_HALT)) { +#ifdef HAVE_LIBSCF + /* + * If we are managed by smf(5), AND in chroot, then + * we cannot connect to the smf repository, so just + * return with an appropriate message back to rndc. + */ + if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) { + result = ns_smf_add_message(text); + return (result); + } + /* + * If we are managed by smf(5) but not in chroot, + * try to disable ourselves the smf way. + */ + if (ns_smf_got_instance == 1 && ns_smf_chroot == 0) + ns_smf_want_disable = 1; + /* + * If ns_smf_got_instance = 0, ns_smf_chroot + * is not relevant and we fall through to + * isc_app_shutdown below. + */ +#endif ns_server_flushonshutdown(ns_g_server, ISC_FALSE); ns_os_shutdownmsg(command, text); isc_app_shutdown(); result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_STOP)) { +#ifdef HAVE_LIBSCF + if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) { + result = ns_smf_add_message(text); + return (result); + } + if (ns_smf_got_instance == 1 && ns_smf_chroot == 0) + ns_smf_want_disable = 1; +#endif ns_server_flushonshutdown(ns_g_server, ISC_TRUE); ns_os_shutdownmsg(command, text); isc_app_shutdown(); diff --git a/usr.sbin/bind/bin/named/lwresd.html b/usr.sbin/bind/bin/named/lwresd.html index 06b01664ace..fb800eeefe3 100644 --- a/usr.sbin/bind/bin/named/lwresd.html +++ b/usr.sbin/bind/bin/named/lwresd.html @@ -1,497 +1,189 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwresd.html,v 1.4.2.1.4.3 2004/08/22 23:38:59 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwresd</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->lwresd</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->lwresd</SPAN -> -- lightweight resolver daemon</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->lwresd</B -> [<VAR -CLASS="OPTION" ->-C <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f</VAR ->] [<VAR -CLASS="OPTION" ->-g</VAR ->] [<VAR -CLASS="OPTION" ->-i <VAR -CLASS="REPLACEABLE" ->pid-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-P <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s</VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v</VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN48" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->lwresd</B -> is the daemon providing name lookup +<!-- $ISC: lwresd.html,v 1.4.2.1.4.8 2005/10/13 02:33:47 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwresd</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">lwresd</span> — lightweight resolver daemon</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525920"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">lwresd</strong></span> is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped-down, caching-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol. - </P -><P -> <B -CLASS="COMMAND" ->lwresd</B -> listens for resolver queries on a + </p> +<p> + <span><strong class="command">lwresd</strong></span> listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This - means that <B -CLASS="COMMAND" ->lwresd</B -> can only be used by + means that <span><strong class="command">lwresd</strong></span> can only be used by processes running on the local machine. By default UDP port number 921 is used for lightweight resolver requests and responses. - </P -><P -> Incoming lightweight resolver requests are decoded by the + </p> +<p> + Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When - the DNS lookup completes, <B -CLASS="COMMAND" ->lwresd</B -> encodes + the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes the answers in the lightweight resolver format and returns them to the client that made the request. - </P -><P -> If <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -> contains any - <VAR -CLASS="OPTION" ->nameserver</VAR -> entries, <B -CLASS="COMMAND" ->lwresd</B -> + </p> +<p> + If <code class="filename">/etc/resolv.conf</code> contains any + <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span> sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no - <VAR -CLASS="OPTION" ->nameserver</VAR -> entries are present, or if - forwarding fails, <B -CLASS="COMMAND" ->lwresd</B -> resolves the + <code class="option">nameserver</code> entries are present, or if + forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the queries autonomously starting at the root name servers, using a built-in list of root server hints. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN63" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-C <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> as the + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525969"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the configuration file instead of the default, - <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->. - </P -></DD -><DT ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></DT -><DD -><P -> Set the daemon's debug level to <VAR -CLASS="REPLACEABLE" ->debug-level</VAR ->. - Debugging traces from <B -CLASS="COMMAND" ->lwresd</B -> become + <code class="filename">/etc/resolv.conf</code>. + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> +<dd><p> + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">lwresd</strong></span> become more verbose as the debug level increases. - </P -></DD -><DT ->-f</DT -><DD -><P -> Run the server in the foreground (i.e. do not daemonize). - </P -></DD -><DT ->-g</DT -><DD -><P -> Run the server in the foreground and force all logging - to <TT -CLASS="FILENAME" ->stderr</TT ->. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></DT -><DD -><P -> Create <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -> worker threads + </p></dd> +<dt><span class="term">-f</span></dt> +<dd><p> + Run the server in the foreground (i.e. do not daemonize). + </p></dd> +<dt><span class="term">-g</span></dt> +<dd><p> + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. + </p></dd> +<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> +<dd><p> + Create <em class="replaceable"><code>#cpus</code></em> worker threads to take advantage of multiple CPUs. If not specified, - <B -CLASS="COMMAND" ->lwresd</B -> will try to determine the + <span><strong class="command">lwresd</strong></span> will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. - </P -></DD -><DT ->-P <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Listen for lightweight resolver queries on port - <VAR -CLASS="REPLACEABLE" ->port</VAR ->. If + </p></dd> +<dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Listen for lightweight resolver queries on port + <em class="replaceable"><code>port</code></em>. If not specified, the default is port 921. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Send DNS lookups to port <VAR -CLASS="REPLACEABLE" ->port</VAR ->. If not + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non-standard port number. - </P -></DD -><DT ->-s</DT -><DD -><P -> Write memory usage statistics to <TT -CLASS="FILENAME" ->stdout</TT -> + </p></dd> +<dt><span class="term">-s</span></dt> +<dd> +<p> + Write memory usage statistics to <code class="filename">stdout</code> on exit. - </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> This option is mainly of interest to BIND 9 developers + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. - </P -></BLOCKQUOTE -></DIV -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->chroot()</CODE -> to <VAR -CLASS="REPLACEABLE" ->directory</VAR -> after + </p> +</div> +</dd> +<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> +<dd> +<p> + <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after processing the command line arguments, but before reading the configuration file. - </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="90%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> This option should be used in conjunction with the - <VAR -CLASS="OPTION" ->-u</VAR -> option, as chrooting a process + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process running as root doesn't enhance security on most - systems; the way <CODE -CLASS="FUNCTION" ->chroot()</CODE -> is + systems; the way <code class="function">chroot()</code> is defined allows a process with root privileges to escape a chroot jail. - </P -></TD -></TR -></TABLE -></DIV -></DD -><DT ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->setuid()</CODE -> to <VAR -CLASS="REPLACEABLE" ->user</VAR -> after completing + </p> +</div> +</dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd><p> + <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing privileged operations, such as creating sockets that listen on privileged ports. - </P -></DD -><DT ->-v</DT -><DD -><P -> Report the version number and exit. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN137" -></A -><H2 ->FILES</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></DT -><DD -><P -> The default configuration file. - </P -></DD -><DT -><TT -CLASS="FILENAME" ->/var/run/lwresd.pid</TT -></DT -><DD -><P -> The default process-id file. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN150" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres</SPAN ->(3)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->resolver</SPAN ->(5)</SPAN ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN162" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p></dd> +<dt><span class="term">-v</span></dt> +<dd><p> + Report the version number and exit. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526237"></a><h2>FILES</h2> +<div class="variablelist"><dl> +<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt> +<dd><p> + The default configuration file. + </p></dd> +<dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt> +<dd><p> + The default process-id file. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526277"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, + <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526315"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/named/main.c b/usr.sbin/bind/bin/named/main.c index 55d22471834..0db824a4b2a 100644 --- a/usr.sbin/bind/bin/named/main.c +++ b/usr.sbin/bind/bin/named/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: main.c,v 1.119.2.3.2.17 2004/10/25 00:42:54 marka Exp $ */ +/* $ISC: main.c,v 1.119.2.3.2.22 2005/04/29 01:04:47 marka Exp $ */ #include <config.h> @@ -48,10 +48,6 @@ #include <dst/result.h> -#ifdef HAVE_LIBSCF -#include <libscf.h> -#endif - /* * Defining NS_MAIN provides storage declarations (rather than extern) * for variables in named/globals.h. @@ -67,6 +63,9 @@ #include <named/server.h> #include <named/lwresd.h> #include <named/main.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#endif /* * Include header files for database drivers here. @@ -540,6 +539,9 @@ destroy_managers(void) { static void setup(void) { isc_result_t result; +#ifdef HAVE_LIBSCF + char *instance = NULL; +#endif /* * Write pidfile before chroot if specified on the command line @@ -561,6 +563,18 @@ setup(void) { ns_os_opendevnull(); +#ifdef HAVE_LIBSCF + /* Check if named is under smf control, before chroot. */ + result = ns_smf_get_instance(&instance, 0, ns_g_mctx); + /* We don't care about instance, just check if we got one. */ + if (result == ISC_R_SUCCESS) + ns_smf_got_instance = 1; + else + ns_smf_got_instance = 0; + if (instance != NULL) + isc_mem_free(ns_g_mctx, instance); +#endif /* HAVE_LIBSCF */ + #ifdef PATH_RANDOMDEV /* * Initialize system's random device as fallback entropy source @@ -716,92 +730,73 @@ ns_main_setmemstats(const char *filename) { #ifdef HAVE_LIBSCF /* - * Get FMRI for the current named process + * Get FMRI for the named process. */ -static char * -scf_get_ins_name(void) { +isc_result_t +ns_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) { scf_handle_t *h = NULL; int namelen; - char *ins_name; + char *instance; + + REQUIRE(ins_name != NULL && *ins_name == NULL); if ((h = scf_handle_create(SCF_VERSION)) == NULL) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_handle_create() failed: %s", - scf_strerror(scf_error())); - return (NULL); + if (debug) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_handle_create() failed: %s", + scf_strerror(scf_error())); + return (ISC_R_FAILURE); } if (scf_handle_bind(h) == -1) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_handle_bind() failed: %s", - scf_strerror(scf_error())); + if (debug) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_handle_bind() failed: %s", + scf_strerror(scf_error())); scf_handle_destroy(h); - return (NULL); + return (ISC_R_FAILURE); } if ((namelen = scf_myname(h, NULL, 0)) == -1) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_INFO, - "scf_myname() failed: %s", - scf_strerror(scf_error())); + if (debug) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_myname() failed: %s", + scf_strerror(scf_error())); scf_handle_destroy(h); - return (NULL); + return (ISC_R_FAILURE); } - if ((ins_name = malloc(namelen + 1)) == NULL) { + if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) { UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_get_ins_named() memory " + "ns_smf_get_instance memory " "allocation failed: %s", isc_result_totext(ISC_R_NOMEMORY)); scf_handle_destroy(h); - return (NULL); + return (ISC_R_FAILURE); } - if (scf_myname(h, ins_name, namelen + 1) == -1) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "scf_myname() failed: %s", - scf_strerror(scf_error())); + if (scf_myname(h, instance, namelen + 1) == -1) { + if (debug) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_myname() failed: %s", + scf_strerror(scf_error())); scf_handle_destroy(h); - free(ins_name); - return (NULL); + isc_mem_free(mctx, instance); + return (ISC_R_FAILURE); } scf_handle_destroy(h); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, - ISC_LOG_INFO, "instance name:%s", ins_name); - - return (ins_name); -} - -static void -scf_cleanup(void) { - char *s; - char *ins_name; - - if ((ins_name = scf_get_ins_name()) != NULL) { - if ((s = smf_get_state(ins_name)) != NULL) { - if ((strcmp(SCF_STATE_STRING_ONLINE, s) == 0) || - (strcmp(SCF_STATE_STRING_DEGRADED, s) == 0)) { - if (smf_disable_instance(ins_name, 0) != 0) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "smf_disable_instance() failed: %s", - scf_strerror(scf_error())); - } - } - free(s); - } else { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "smf_get_state() failed: %s", - scf_strerror(scf_error())); - } - free(ins_name); - } + *ins_name = instance; + return (ISC_R_SUCCESS); } -#endif +#endif /* HAVE_LIBSCF */ int main(int argc, char *argv[]) { isc_result_t result; +#ifdef HAVE_LIBSCF + char *instance = NULL; +#endif /* * Record version in core image. @@ -869,8 +864,20 @@ main(int argc, char *argv[]) { } while (result != ISC_R_SUCCESS); #ifdef HAVE_LIBSCF - scf_cleanup(); -#endif + if (ns_smf_want_disable == 1) { + result = ns_smf_get_instance(&instance, 1, ns_g_mctx); + if (result == ISC_R_SUCCESS && instance != NULL) { + if (smf_disable_instance(instance, 0) != 0) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "smf_disable_instance() ", + "failed for %s : %s", + instance, + scf_strerror(scf_error())); + } + if (instance != NULL) + isc_mem_free(ns_g_mctx, instance); + } +#endif /* HAVE_LIBSCF */ cleanup(); diff --git a/usr.sbin/bind/bin/named/named.html b/usr.sbin/bind/bin/named/named.html index 08a1d5db250..6589680aee3 100644 --- a/usr.sbin/bind/bin/named/named.html +++ b/usr.sbin/bind/bin/named/named.html @@ -1,625 +1,240 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: named.html,v 1.4.2.1.4.4 2004/08/22 23:38:59 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->named</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->named</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->named</SPAN -> -- Internet domain name server</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->named</B -> [<VAR -CLASS="OPTION" ->-4</VAR ->] [<VAR -CLASS="OPTION" ->-6</VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-f</VAR ->] [<VAR -CLASS="OPTION" ->-g</VAR ->] [<VAR -CLASS="OPTION" ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s</VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v</VAR ->] [<VAR -CLASS="OPTION" ->-x <VAR -CLASS="REPLACEABLE" ->cache-file</VAR -></VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN49" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->named</B -> is a Domain Name System (DNS) server, +<!-- $ISC: named.html,v 1.4.2.1.4.9 2005/10/13 02:33:47 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>named</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">named</span> — Internet domain name server</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525923"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">named</strong></span> is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035. - </P -><P -> When invoked without arguments, <B -CLASS="COMMAND" ->named</B -> will + </p> +<p> + When invoked without arguments, <span><strong class="command">named</strong></span> will read the default configuration file - <TT -CLASS="FILENAME" ->/etc/named.conf</TT ->, read any initial + <code class="filename">/etc/named.conf</code>, read any initial data, and listen for queries. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN56" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-4</DT -><DD -><P -> Use IPv4 only even if the host machine is capable of IPv6. - <VAR -CLASS="OPTION" ->-4</VAR -> and <VAR -CLASS="OPTION" ->-6</VAR -> are mutually + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525948"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-4</span></dt> +<dd><p> + Use IPv4 only even if the host machine is capable of IPv6. + <code class="option">-4</code> and <code class="option">-6</code> are mutually exclusive. - </P -></DD -><DT ->-6</DT -><DD -><P -> Use IPv6 only even if the host machine is capable of IPv4. - <VAR -CLASS="OPTION" ->-4</VAR -> and <VAR -CLASS="OPTION" ->-6</VAR -> are mutually + </p></dd> +<dt><span class="term">-6</span></dt> +<dd><p> + Use IPv6 only even if the host machine is capable of IPv4. + <code class="option">-4</code> and <code class="option">-6</code> are mutually exclusive. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> as the + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the configuration file instead of the default, - <TT -CLASS="FILENAME" ->/etc/named.conf</TT ->. To + <code class="filename">/etc/named.conf</code>. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible - <VAR -CLASS="OPTION" ->directory</VAR -> option in the configuration - file, <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> should be + <code class="option">directory</code> option in the configuration + file, <em class="replaceable"><code>config-file</code></em> should be an absolute pathname. - </P -></DD -><DT ->-d <VAR -CLASS="REPLACEABLE" ->debug-level</VAR -></DT -><DD -><P -> Set the daemon's debug level to <VAR -CLASS="REPLACEABLE" ->debug-level</VAR ->. - Debugging traces from <B -CLASS="COMMAND" ->named</B -> become + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt> +<dd><p> + Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>. + Debugging traces from <span><strong class="command">named</strong></span> become more verbose as the debug level increases. - </P -></DD -><DT ->-f</DT -><DD -><P -> Run the server in the foreground (i.e. do not daemonize). - </P -></DD -><DT ->-g</DT -><DD -><P -> Run the server in the foreground and force all logging - to <TT -CLASS="FILENAME" ->stderr</TT ->. - </P -></DD -><DT ->-n <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -></DT -><DD -><P -> Create <VAR -CLASS="REPLACEABLE" ->#cpus</VAR -> worker threads + </p></dd> +<dt><span class="term">-f</span></dt> +<dd><p> + Run the server in the foreground (i.e. do not daemonize). + </p></dd> +<dt><span class="term">-g</span></dt> +<dd><p> + Run the server in the foreground and force all logging + to <code class="filename">stderr</code>. + </p></dd> +<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt> +<dd><p> + Create <em class="replaceable"><code>#cpus</code></em> worker threads to take advantage of multiple CPUs. If not specified, - <B -CLASS="COMMAND" ->named</B -> will try to determine the + <span><strong class="command">named</strong></span> will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Listen for queries on port <VAR -CLASS="REPLACEABLE" ->port</VAR ->. If not + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Listen for queries on port <em class="replaceable"><code>port</code></em>. If not specified, the default is port 53. - </P -></DD -><DT ->-s</DT -><DD -><P -> Write memory usage statistics to <TT -CLASS="FILENAME" ->stdout</TT -> on exit. - </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> This option is mainly of interest to BIND 9 developers + </p></dd> +<dt><span class="term">-s</span></dt> +<dd> +<p> + Write memory usage statistics to <code class="filename">stdout</code> on exit. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. - </P -></BLOCKQUOTE -></DIV -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->directory</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->chroot()</CODE -> to <VAR -CLASS="REPLACEABLE" ->directory</VAR -> after + </p> +</div> +</dd> +<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt> +<dd> +<p> + <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after processing the command line arguments, but before reading the configuration file. - </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="90%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> This option should be used in conjunction with the - <VAR -CLASS="OPTION" ->-u</VAR -> option, as chrooting a process + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + This option should be used in conjunction with the + <code class="option">-u</code> option, as chrooting a process running as root doesn't enhance security on most - systems; the way <CODE -CLASS="FUNCTION" ->chroot()</CODE -> is + systems; the way <code class="function">chroot()</code> is defined allows a process with root privileges to escape a chroot jail. - </P -></TD -></TR -></TABLE -></DIV -></DD -><DT ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></DT -><DD -><P -> <CODE -CLASS="FUNCTION" ->setuid()</CODE -> to <VAR -CLASS="REPLACEABLE" ->user</VAR -> after completing + </p> +</div> +</dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd> +<p> + <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing privileged operations, such as creating sockets that listen on privileged ports. - </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> On Linux, <B -CLASS="COMMAND" ->named</B -> uses the kernel's + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + On Linux, <span><strong class="command">named</strong></span> uses the kernel's capability mechanism to drop all root privileges - except the ability to <CODE -CLASS="FUNCTION" ->bind()</CODE -> to a + except the ability to <code class="function">bind()</code> to a privileged port and set process resource limits. - Unfortunately, this means that the <VAR -CLASS="OPTION" ->-u</VAR -> - option only works when <B -CLASS="COMMAND" ->named</B -> is run + Unfortunately, this means that the <code class="option">-u</code> + option only works when <span><strong class="command">named</strong></span> is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges - to be retained after <CODE -CLASS="FUNCTION" ->setuid()</CODE ->. - </P -></BLOCKQUOTE -></DIV -></DD -><DT ->-v</DT -><DD -><P -> Report the version number and exit. - </P -></DD -><DT ->-x <VAR -CLASS="REPLACEABLE" ->cache-file</VAR -></DT -><DD -><P -> Load data from <VAR -CLASS="REPLACEABLE" ->cache-file</VAR -> into the + to be retained after <code class="function">setuid()</code>. + </p> +</div> +</dd> +<dt><span class="term">-v</span></dt> +<dd><p> + Report the version number and exit. + </p></dd> +<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt> +<dd> +<p> + Load data from <em class="replaceable"><code>cache-file</code></em> into the cache of the default view. - </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -BORDER="1" -WIDTH="90%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P -> This option must not be used. It is only of interest + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release. - </P -></TD -></TR -></TABLE -></DIV -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN153" -></A -><H2 ->SIGNALS</H2 -><P -> In routine operation, signals should not be used to control - the nameserver; <B -CLASS="COMMAND" ->rndc</B -> should be used + </p> +</div> +</dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526297"></a><h2>SIGNALS</h2> +<p> + In routine operation, signals should not be used to control + the nameserver; <span><strong class="command">rndc</strong></span> should be used instead. - </P -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->SIGHUP</DT -><DD -><P -> Force a reload of the server. - </P -></DD -><DT ->SIGINT, SIGTERM</DT -><DD -><P -> Shut down the server. - </P -></DD -></DL -></DIV -><P -> The result of sending any other signals to the server is undefined. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN167" -></A -><H2 ->CONFIGURATION</H2 -><P -> The <B -CLASS="COMMAND" ->named</B -> configuration file is too complex + </p> +<div class="variablelist"><dl> +<dt><span class="term">SIGHUP</span></dt> +<dd><p> + Force a reload of the server. + </p></dd> +<dt><span class="term">SIGINT, SIGTERM</span></dt> +<dd><p> + Shut down the server. + </p></dd> +</dl></div> +<p> + The result of sending any other signals to the server is undefined. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526412"></a><h2>CONFIGURATION</h2> +<p> + The <span><strong class="command">named</strong></span> configuration file is too complex to describe in detail here. A complete description is - provided in the <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference - Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN172" -></A -><H2 ->FILES</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><TT -CLASS="FILENAME" ->/etc/named.conf</TT -></DT -><DD -><P -> The default configuration file. - </P -></DD -><DT -><TT -CLASS="FILENAME" ->/var/run/named.pid</TT -></DT -><DD -><P -> The default process-id file. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN185" -></A -><H2 ->SEE ALSO</H2 -><P -> <I -CLASS="CITETITLE" ->RFC 1033</I ->, - <I -CLASS="CITETITLE" ->RFC 1034</I ->, - <I -CLASS="CITETITLE" ->RFC 1035</I ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwresd</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN198" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + provided in the <em class="citetitle">BIND 9 Administrator Reference + Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526429"></a><h2>FILES</h2> +<div class="variablelist"><dl> +<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt> +<dd><p> + The default configuration file. + </p></dd> +<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt> +<dd><p> + The default process-id file. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526469"></a><h2>SEE ALSO</h2> +<p> + <em class="citetitle">RFC 1033</em>, + <em class="citetitle">RFC 1034</em>, + <em class="citetitle">RFC 1035</em>, + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526512"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/named/query.c b/usr.sbin/bind/bin/named/query.c index 24e13c7c636..4f805516aad 100644 --- a/usr.sbin/bind/bin/named/query.c +++ b/usr.sbin/bind/bin/named/query.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: query.c,v 1.198.2.13.4.30 2004/06/30 14:13:05 marka Exp $ */ +/* $ISC: query.c,v 1.198.2.13.4.36 2005/08/11 05:25:20 marka Exp $ */ #include <config.h> @@ -1198,17 +1198,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * recursing to add address records, which in turn can cause * recursion to add KEYs. */ - if (type == dns_rdatatype_a || type == dns_rdatatype_aaaa) { - /* - * RFC 2535 section 3.5 says that when A or AAAA records are - * retrieved as additional data, any KEY RRs for the owner name - * should be added to the additional data section. - * - * XXXRTH We should lower the priority here. Alternatively, - * we could raise the priority of glue records. - */ - eresult = query_addadditional(client, name, dns_rdatatype_dnskey); - } else if (type == dns_rdatatype_srv && trdataset != NULL) { + if (type == dns_rdatatype_srv && trdataset != NULL) { /* * If we're adding SRV records to the additional data * section, it's helpful if we add the SRV additional data @@ -1241,8 +1231,6 @@ static inline void query_addrdataset(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { - dns_rdatatype_t type = rdataset->type; - /* * Add 'rdataset' and any pertinent additional data to * 'fname', a name in the response message for 'client'. @@ -1266,22 +1254,6 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, */ (void)dns_rdataset_additionaldata(rdataset, query_addadditional, client); - /* - * RFC 2535 section 3.5 says that when NS, SOA, A, or AAAA records - * are retrieved, any KEY RRs for the owner name should be added - * to the additional data section. We treat A6 records the same way. - * - * We don't care if query_addadditional() fails. - */ - if (type == dns_rdatatype_ns || type == dns_rdatatype_soa || - type == dns_rdatatype_a || type == dns_rdatatype_aaaa || - type == dns_rdatatype_a6) { - /* - * XXXRTH We should lower the priority here. Alternatively, - * we could raise the priority of glue records. - */ - (void)query_addadditional(client, fname, dns_rdatatype_dnskey); - } CTRACE("query_addrdataset: done"); } @@ -2116,33 +2088,37 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, * connection was accepted (if allowed by the TCP quota). */ if (client->recursionquota == NULL) { - isc_boolean_t killoldest = ISC_FALSE; result = isc_quota_attach(&ns_g_server->recursionquota, &client->recursionquota); - if (result == ISC_R_SOFTQUOTA) { + if (result == ISC_R_SOFTQUOTA) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, - "recursive-clients limit exceeded, " + "recursive-clients soft limit exceeded, " "aborting oldest query"); - killoldest = ISC_TRUE; + ns_client_killoldestquery(client); result = ISC_R_SUCCESS; - } - if (dns_resolver_nrunning(client->view->resolver) > - (unsigned int)ns_g_server->recursionquota.max) - result = ISC_R_QUOTA; - if (result == ISC_R_SUCCESS && !client->mortal && - (client->attributes & NS_CLIENTATTR_TCP) == 0) - result = ns_client_replace(client); - if (result != ISC_R_SUCCESS) { + } else if (result == ISC_R_QUOTA) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "no more recursive clients: %s", isc_result_totext(result)); - if (client->recursionquota != NULL) + ns_client_killoldestquery(client); + } + if (result == ISC_R_SUCCESS && !client->mortal && + (client->attributes & NS_CLIENTATTR_TCP) == 0) { + result = ns_client_replace(client); + if (result != ISC_R_SUCCESS) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, + ISC_LOG_WARNING, + "ns_client_replace() failed: %s", + isc_result_totext(result)); isc_quota_detach(&client->recursionquota); - return (result); + } } - ns_client_recursing(client, killoldest); + if (result != ISC_R_SUCCESS) + return (result); + ns_client_recursing(client); } /* @@ -2319,6 +2295,34 @@ query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) { query_releasename(client, &fname); } +static inline void +answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) { + dns_name_t *name; + dns_message_t *msg; + dns_section_t section = DNS_SECTION_ADDITIONAL; + dns_rdataset_t *rdataset = NULL; + + msg = client->message; + for (name = ISC_LIST_HEAD(msg->sections[section]); + name != NULL; + name = ISC_LIST_NEXT(name, link)) + if (dns_name_equal(name, client->query.qname)) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + if (rdataset->type == qtype) + break; + break; + } + if (rdataset != NULL) { + ISC_LIST_UNLINK(msg->sections[section], name, link); + ISC_LIST_PREPEND(msg->sections[section], name, link); + ISC_LIST_UNLINK(name->list, rdataset, link); + ISC_LIST_PREPEND(name->list, rdataset, link); + rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE; + } +} + /* * Do the bulk of query processing for the current query of 'client'. * If 'event' is non-NULL, we are returning from recursion and 'qtype' @@ -2875,7 +2879,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Add SOA. If the query was for a SOA record force the * ttl to zero so that it is possible for clients to find - * the containing zone of a arbitary name with a stub + * the containing zone of an arbitrary name with a stub * resolver and not have it cached. */ if (qtype == dns_rdatatype_soa) @@ -3338,6 +3342,16 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ setup_query_sortlist(client); + /* + * If this is a referral and the answer to the question + * is in the glue sort it to the start of the additional + * section. + */ + if (client->message->counts[DNS_SECTION_ANSWER] == 0 && + client->message->rcode == dns_rcode_noerror && + (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa)) + answer_in_glue(client, qtype); + if (client->message->rcode == dns_rcode_nxdomain && client->view->auth_nxdomain == ISC_TRUE) client->message->flags |= DNS_MESSAGEFLAG_AA; diff --git a/usr.sbin/bind/bin/named/server.c b/usr.sbin/bind/bin/named/server.c index 2a1a7e27976..f008fa811df 100644 --- a/usr.sbin/bind/bin/named/server.c +++ b/usr.sbin/bind/bin/named/server.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: server.c,v 1.339.2.15.2.59 2004/11/10 22:13:56 marka Exp $ */ +/* $ISC: server.c,v 1.339.2.15.2.65 2005/07/27 02:53:15 marka Exp $ */ #include <config.h> @@ -81,6 +81,10 @@ #include <named/tkeyconf.h> #include <named/tsigconf.h> #include <named/zoneconf.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#include <stdlib.h> +#endif /* * Check an operation for failure. Assumes that the function @@ -1798,7 +1802,7 @@ configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota) result = ns_config_get(maps, name, &obj); INSIST(result == ISC_R_SUCCESS); - quota->max = cfg_obj_asuint32(obj); + isc_quota_max(quota, cfg_obj_asuint32(obj)); } /* @@ -1937,9 +1941,13 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { * At this point the zone list may contain a stale zone * just removed from the configuration. To see the validity, * check if the corresponding view is in our current view list. + * There may also be old zones that are still in the process + * of shutting down and have detached from their old view + * (zoneview == NULL). */ zoneview = dns_zone_getview(zone); - INSIST(zoneview != NULL); + if (zoneview == NULL) + continue; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL && view != zoneview; view = ISC_LIST_NEXT(view, link)) @@ -2221,6 +2229,11 @@ load_configuration(const char *filename, ns_server_t *server, configure_server_quota(maps, "tcp-clients", &server->tcpquota); configure_server_quota(maps, "recursive-clients", &server->recursionquota); + if (server->recursionquota.max > 1000) + isc_quota_soft(&server->recursionquota, + server->recursionquota.max - 100); + else + isc_quota_soft(&server->recursionquota, 0); CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx, ns_g_mctx, &server->blackholeacl)); @@ -2951,7 +2964,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { RUNTIME_CHECK(result == ISC_R_SUCCESS); result = isc_quota_init(&server->recursionquota, 100); RUNTIME_CHECK(result == ISC_R_SUCCESS); - isc_quota_soft(&server->recursionquota, ISC_FALSE); result = dns_aclenv_init(mctx, &server->aclenv); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -3640,6 +3652,15 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { struct viewlistentry *vle; isc_result_t result = ISC_R_SUCCESS; + /* + * Prevent duplicate views. + */ + for (vle = ISC_LIST_HEAD(dctx->viewlist); + vle != NULL; + vle = ISC_LIST_NEXT(vle, link)) + if (vle->view == view) + return (ISC_R_SUCCESS); + vle = isc_mem_get(dctx->mctx, sizeof *vle); if (vle == NULL) return (ISC_R_NOMEMORY); @@ -3703,9 +3724,11 @@ dumpdone(void *arg, isc_result_t result) { if (dctx->view == NULL) goto done; INSIST(dctx->zone == NULL); - } + } else + goto resume; nextview: fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name); + resume: if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) { style = &dns_master_style_cache; /* start cache dump */ @@ -3766,9 +3789,12 @@ dumpdone(void *arg, isc_result_t result) { &dctx->mdctx); if (result == DNS_R_CONTINUE) return; - if (result == ISC_R_NOTIMPLEMENTED) + if (result == ISC_R_NOTIMPLEMENTED) { fprintf(dctx->fp, "; %s\n", dns_result_totext(result)); + result = ISC_R_SUCCESS; + goto nextzone; + } if (result != ISC_R_SUCCESS) goto cleanup; } @@ -3792,7 +3818,6 @@ dumpdone(void *arg, isc_result_t result) { dumpcontext_destroy(dctx); } - isc_result_t ns_server_dumpdb(ns_server_t *server, char *args) { struct dumpcontext *dctx = NULL; @@ -3848,6 +3873,7 @@ ns_server_dumpdb(ns_server_t *server, char *args) { ptr = next_token(&args, " \t"); } + nextview: for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) @@ -3856,6 +3882,11 @@ ns_server_dumpdb(ns_server_t *server, char *args) { continue; CHECK(add_view_tolist(dctx, view)); } + if (ptr != NULL) { + ptr = next_token(&args, " \t"); + if (ptr != NULL) + goto nextview; + } dumpdone(dctx, ISC_R_SUCCESS); return (ISC_R_SUCCESS); @@ -4107,3 +4138,22 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { dns_zone_detach(&zone); return (result); } + +#ifdef HAVE_LIBSCF +/* + * This function adds a message for rndc to echo if named + * is managed by smf and is also running chroot. + */ +isc_result_t +ns_smf_add_message(isc_buffer_t *text) { + unsigned int n; + + n = snprintf((char *)isc_buffer_used(text), + isc_buffer_availablelength(text), + "use svcadm(1M) to manage named"); + if (n >= isc_buffer_availablelength(text)) + return (ISC_R_NOSPACE); + isc_buffer_add(text, n); + return (ISC_R_SUCCESS); +} +#endif /* HAVE_LIBSCF */ diff --git a/usr.sbin/bind/bin/named/unix/os.c b/usr.sbin/bind/bin/named/unix/os.c index 45a141e02ca..cb719d5fac7 100644 --- a/usr.sbin/bind/bin/named/unix/os.c +++ b/usr.sbin/bind/bin/named/unix/os.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: os.c,v 1.46.2.4.8.19 2004/10/07 02:34:20 marka Exp $ */ +/* $ISC: os.c,v 1.46.2.4.8.22 2005/05/20 01:37:19 marka Exp $ */ #include <config.h> #include <stdarg.h> @@ -46,6 +46,9 @@ #include <named/main.h> #include <named/os.h> +#ifdef HAVE_LIBSCF +#include <named/ns_smf_globals.h> +#endif static char *pidfile = NULL; static int pidfilefd = -1; @@ -162,7 +165,7 @@ linux_setcaps(unsigned int caps) { memset(&cap, 0, sizeof(cap)); cap.effective = caps; cap.permitted = caps; - cap.inheritable = caps; + cap.inheritable = 0; if (syscall(SYS_capset, &caphead, &cap) < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); ns_main_earlyfatal("capset failed: %s:" @@ -420,6 +423,9 @@ all_digits(const char *s) { void ns_os_chroot(const char *root) { char strbuf[ISC_STRERRORSIZE]; +#ifdef HAVE_LIBSCF + ns_smf_chroot = 0; +#endif if (root != NULL) { if (chroot(root) < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); @@ -429,6 +435,10 @@ ns_os_chroot(const char *root) { isc__strerror(errno, strbuf, sizeof(strbuf)); ns_main_earlyfatal("chdir(/): %s", strbuf); } +#ifdef HAVE_LIBSCF + /* Set ns_smf_chroot flag on successful chroot. */ + ns_smf_chroot = 1; +#endif } } diff --git a/usr.sbin/bind/bin/named/update.c b/usr.sbin/bind/bin/named/update.c index 86dd24defaa..9adb836cdc0 100644 --- a/usr.sbin/bind/bin/named/update.c +++ b/usr.sbin/bind/bin/named/update.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: update.c,v 1.88.2.5.2.25 2004/10/21 01:40:22 marka Exp $ */ +/* $ISC: update.c,v 1.88.2.5.2.27 2005/10/08 00:21:06 marka Exp $ */ #include <config.h> @@ -2723,8 +2723,8 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { INSIST(client->nupdates > 0); client->nupdates--; respond(client, uev->result); - ns_client_detach(&client); isc_event_free(&event); + ns_client_detach(&client); } /* @@ -2740,8 +2740,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) { INSIST(client->nupdates > 0); client->nupdates--; respond(client, DNS_R_SERVFAIL); - ns_client_detach(&client); isc_event_free(&event); + ns_client_detach(&client); } diff --git a/usr.sbin/bind/bin/named/xfrout.c b/usr.sbin/bind/bin/named/xfrout.c index 86e93e3cb13..b87035247bc 100644 --- a/usr.sbin/bind/bin/named/xfrout.c +++ b/usr.sbin/bind/bin/named/xfrout.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: xfrout.c,v 1.101.2.5.2.10 2004/04/02 06:08:17 marka Exp $ */ +/* $ISC: xfrout.c,v 1.101.2.5.2.12 2005/10/14 02:13:05 marka Exp $ */ #include <config.h> @@ -868,7 +868,7 @@ xfrout_log1(ns_client_t *client, dns_name_t *zonename, const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6); static void -xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...) +xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4); /**************************************************************************/ @@ -1710,7 +1710,7 @@ xfrout_log1(ns_client_t *client, dns_name_t *zonename, * Logging function for use when there is a xfrout_ctx_t. */ static void -xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...) { +xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) { va_list ap; va_start(ap, fmt); xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap); diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.8 b/usr.sbin/bind/bin/nsupdate/nsupdate.8 index ccd9d85251b..b5d1b227746 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.8 +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.8 @@ -1,294 +1,239 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: nsupdate.8,v 1.24.2.2.2.5 2004/03/08 09:04:15 marka Exp $ +.\" $ISC: nsupdate.8,v 1.24.2.2.2.8 2005/10/13 02:33:48 marka Exp $ .\" -.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" nsupdate \- Dynamic DNS update utility -.SH SYNOPSIS -.sp -\fBnsupdate\fR [ \fB-d\fR ] [ \fB [ -y \fIkeyname:secret\fB ] [ -k \fIkeyfile\fB ] \fR ] [ \fB-t \fItimeout\fB\fR ] [ \fB-u \fIudptimeout\fB\fR ] [ \fB-r \fIudpretries\fB\fR ] [ \fB-v\fR ] [ \fBfilename\fR ] +.SH "SYNOPSIS" +.HP 9 +\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename] .SH "DESCRIPTION" .PP \fBnsupdate\fR -is used to submit Dynamic DNS Update requests as defined in RFC2136 -to a name server. -This allows resource records to be added or removed from a zone -without manually editing the zone file. -A single update request can contain requests to add or remove more than one -resource record. +is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record. .PP Zones that are under dynamic control via \fBnsupdate\fR -or a DHCP server should not be edited by hand. -Manual edits could -conflict with dynamic updates and cause data to be lost. +or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost. .PP The resource records that are dynamically added or removed with \fBnsupdate\fR -have to be in the same zone. -Requests are sent to the zone's master server. -This is identified by the MNAME field of the zone's SOA record. +have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record. .PP The -\fB-d\fR +\fB\-d\fR option makes \fBnsupdate\fR -operate in debug mode. -This provides tracing information about the update requests that are -made and the replies received from the name server. +operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server. .PP -Transaction signatures can be used to authenticate the Dynamic DNS -updates. -These use the TSIG resource record type described in RFC2845 or the -SIG(0) record described in RFC3535 and RFC2931. -TSIG relies on a shared secret that should only be known to -\fBnsupdate\fR and the name server. -Currently, the only supported encryption algorithm for TSIG is -HMAC-MD5, which is defined in RFC 2104. -Once other algorithms are defined for TSIG, applications will need to -ensure they select the appropriate algorithm as well as the key when -authenticating each other. -For instance suitable +Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to +\fBnsupdate\fR +and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance suitable \fBkey\fR and \fBserver\fR statements would be added to \fI/etc/named.conf\fR -so that the name server can associate the appropriate secret key -and algorithm with the IP address of the -client application that will be using TSIG authentication. -SIG(0) uses public key cryptography. To use a SIG(0) key, the public -key must be stored in a KEY record in a zone served by the name server. +so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. \fBnsupdate\fR does not read \fI/etc/named.conf\fR. .PP \fBnsupdate\fR uses the -\fB-y\fR +\fB\-y\fR or -\fB-k\fR -option (with an HMAC-MD5 key) to provide the shared secret needed to generate -a TSIG record for authenticating Dynamic DNS update requests. -These options are mutually exclusive. -With the -\fB-k\fR +\fB\-k\fR +option (with an HMAC\-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the +\fB\-k\fR option, \fBnsupdate\fR reads the shared secret from the file -\fIkeyfile\fR, -whose name is of the form -\fIK{name}.+157.+{random}.private\fR. -For historical -reasons, the file +\fIkeyfile\fR, whose name is of the form +\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file \fIK{name}.+157.+{random}.key\fR must also be present. When the -\fB-y\fR +\fB\-y\fR option is used, a signature is generated from -\fIkeyname:secret.\fR -\fIkeyname\fR -is the name of the key, -and +\fIkeyname:secret.\fR\fIkeyname\fR +is the name of the key, and \fIsecret\fR -is the base64 encoded shared secret. -Use of the -\fB-y\fR -option is discouraged because the shared secret is supplied as a command -line argument in clear text. -This may be visible in the output from -\fBps\fR(1) +is the base64 encoded shared secret. Use of the +\fB\-y\fR +option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from +\fBps\fR(1 ) or in a history file maintained by the user's shell. .PP -The \fB-k\fR may also be used to specify a SIG(0) key used -to authenticate Dynamic DNS update requests. In this case, the key -specified is not an HMAC-MD5 key. +The +\fB\-k\fR +may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key. .PP By default \fBnsupdate\fR -uses UDP to send update requests to the name server unless they are too -large to fit in a UDP request in which case TCP will be used. -The -\fB-v\fR +uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The +\fB\-v\fR option makes \fBnsupdate\fR -use a TCP connection. -This may be preferable when a batch of update requests is made. +use a TCP connection. This may be preferable when a batch of update requests is made. .PP -The \fB-t\fR option sets the maximum time a update request can -take before it is aborted. The default is 300 seconds. Zero can be used -to disable the timeout. +The +\fB\-t\fR +option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. .PP -The \fB-u\fR option sets the UDP retry interval. The default is -3 seconds. If zero the interval will be computed from the timeout interval -and number of UDP retries. +The +\fB\-u\fR +option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval and number of UDP retries. .PP -The \fB-r\fR option sets the number of UDP retries. The default is -3. If zero only one update request will be made. +The +\fB\-r\fR +option sets the number of UDP retries. The default is 3. If zero only one update request will be made. .SH "INPUT FORMAT" .PP \fBnsupdate\fR reads input from \fIfilename\fR -or standard input. -Each command is supplied on exactly one line of input. -Some commands are for administrative purposes. -The others are either update instructions or prerequisite checks on the -contents of the zone. -These checks set conditions that some name or set of -resource records (RRset) either exists or is absent from the zone. -These conditions must be met if the entire update request is to succeed. -Updates will be rejected if the tests for the prerequisite conditions fail. +or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail. .PP -Every update request consists of zero or more prerequisites -and zero or more updates. -This allows a suitably authenticated update request to proceed if some -specified resource records are present or missing from the zone. -A blank input line (or the \fBsend\fR command) causes the -accumulated commands to be sent as one Dynamic DNS update request to the -name server. +Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the +\fBsend\fR +command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server. .PP The command formats and their meaning are as follows: .TP -\fBserver servername [ port ]\fR +.HP 7 \fBserver\fR {servername} [port] Sends all dynamic update requests to the name server -\fIservername\fR. -When no server statement is provided, +\fIservername\fR. When no server statement is provided, \fBnsupdate\fR -will send updates to the master server of the correct zone. -The MNAME field of that zone's SOA record will identify the master -server for that zone. +will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. \fIport\fR is the port number on \fIservername\fR -where the dynamic update requests get sent. -If no port number is specified, the default DNS port number of 53 is -used. +where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. .TP -\fBlocal address [ port ]\fR +.HP 6 \fBlocal\fR {address} [port] Sends all dynamic update requests using the local -\fIaddress\fR. -When no local statement is provided, +\fIaddress\fR. When no local statement is provided, \fBnsupdate\fR will send updates using an address and port chosen by the system. \fIport\fR -can additionally be used to make requests come from a specific port. -If no port number is specified, the system will assign one. +can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. .TP -\fBzone zonename\fR +.HP 5 \fBzone\fR {zonename} Specifies that all updates are to be made to the zone -\fIzonename\fR. -If no +\fIzonename\fR. If no \fIzone\fR statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input. .TP -\fBclass classname\fR -Specify the default class. -If no \fIclass\fR is specified the default class is +.HP 6 \fBclass\fR {classname} +Specify the default class. If no +\fIclass\fR +is specified the default class is \fIIN\fR. .TP -\fBkey name secret\fR +.HP 4 \fBkey\fR {name} {secret} Specifies that all updates are to be TSIG signed using the -\fIkeyname\fR \fIkeysecret\fR pair. -The \fBkey\fR command -overrides any key specified on the command line via -\fB-y\fR or \fB-k\fR. +\fIkeyname\fR\fIkeysecret\fR +pair. The +\fBkey\fR +command overrides any key specified on the command line via +\fB\-y\fR +or +\fB\-k\fR. .TP -\fBprereq nxdomain domain-name\fR +.HP 16 \fBprereq nxdomain\fR {domain\-name} Requires that no resource record of any type exists with name -\fIdomain-name\fR. +\fIdomain\-name\fR. .TP -\fBprereq yxdomain domain-name\fR +.HP 16 \fBprereq yxdomain\fR {domain\-name} Requires that -\fIdomain-name\fR +\fIdomain\-name\fR exists (has as at least one resource record, of any type). .TP -\fBprereq nxrrset domain-name [ class ] type\fR +.HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type} Requires that no resource record exists of the specified \fItype\fR, \fIclass\fR and -\fIdomain-name\fR. -If +\fIdomain\-name\fR. If \fIclass\fR is omitted, IN (internet) is assumed. .TP -\fBprereq yxrrset domain-name [ class ] type\fR +.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} This requires that a resource record of the specified \fItype\fR, \fIclass\fR and -\fIdomain-name\fR -must exist. -If +\fIdomain\-name\fR +must exist. If \fIclass\fR is omitted, IN (internet) is assumed. .TP -\fBprereq yxrrset domain-name [ class ] type data\fI...\fB\fR +.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} The \fIdata\fR -from each set of prerequisites of this form -sharing a common +from each set of prerequisites of this form sharing a common \fItype\fR, -\fIclass\fR, -and -\fIdomain-name\fR -are combined to form a set of RRs. This set of RRs must -exactly match the set of RRs existing in the zone at the -given +\fIclass\fR, and +\fIdomain\-name\fR +are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given \fItype\fR, -\fIclass\fR, -and -\fIdomain-name\fR. -The +\fIclass\fR, and +\fIdomain\-name\fR. The \fIdata\fR -are written in the standard text representation of the resource record's -RDATA. +are written in the standard text representation of the resource record's RDATA. .TP -\fBupdate delete domain-name [ ttl ] [ class ] [ type [ data\fI...\fB ] ]\fR +.HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] Deletes any resource records named -\fIdomain-name\fR. -If +\fIdomain\-name\fR. If \fItype\fR and \fIdata\fR -is provided, only matching resource records will be removed. -The internet class is assumed if +is provided, only matching resource records will be removed. The internet class is assumed if \fIclass\fR is not supplied. The \fIttl\fR is ignored, and is only allowed for compatibility. .TP -\fBupdate add domain-name ttl [ class ] type data\fI...\fB\fR +.HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} Adds a new resource record with the specified \fIttl\fR, \fIclass\fR and \fIdata\fR. .TP -\fBshow\fR -Displays the current message, containing all of the prerequisites and -updates specified since the last send. +.HP 5 \fBshow\fR +Displays the current message, containing all of the prerequisites and updates specified since the last send. .TP -\fBsend\fR +.HP 5 \fBsend\fR Sends the current message. This is equivalent to entering a blank line. .TP -\fBanswer\fR +.HP 7 \fBanswer\fR Displays the answer. .PP Lines beginning with a semicolon are comments and are ignored. @@ -298,10 +243,7 @@ The examples below show how \fBnsupdate\fR could be used to insert and delete resource records from the \fBexample.com\fR -zone. -Notice that the input in each example contains a trailing blank line so that -a group of commands are sent as one dynamic update request to the -master name server for +zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for \fBexample.com\fR. .sp .nf @@ -309,61 +251,48 @@ master name server for > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 > send -.sp .fi +.sp .PP Any A records for \fBoldhost.example.com\fR -are deleted. -and an A record for +are deleted. and an A record for \fBnewhost.example.com\fR -it IP address 172.16.1.1 is added. -The newly-added record has a 1 day TTL (86400 seconds) +it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds) .sp .nf # nsupdate > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com > send -.sp .fi +.sp .PP -The prerequisite condition gets the name server to check that there -are no resource records of any type for -\fBnickname.example.com\fR. -If there are, the update request fails. -If this name does not exist, a CNAME for it is added. -This ensures that when the CNAME is added, it cannot conflict with the -long-standing rule in RFC1034 that a name must not exist as any other -record type if it exists as a CNAME. -(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -RRSIG, DNSKEY and NSEC records.) +The prerequisite condition gets the name server to check that there are no resource records of any type for +\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.) .SH "FILES" .TP \fB/etc/resolv.conf\fR used to identify default name server .TP \fBK{name}.+157.+{random}.key\fR -base-64 encoding of HMAC-MD5 key created by -\fBdnssec-keygen\fR(8). +base\-64 encoding of HMAC\-MD5 key created by +\fBdnssec\-keygen\fR(8). .TP \fBK{name}.+157.+{random}.private\fR -base-64 encoding of HMAC-MD5 key created by -\fBdnssec-keygen\fR(8). +base\-64 encoding of HMAC\-MD5 key created by +\fBdnssec\-keygen\fR(8). .SH "SEE ALSO" .PP -\fBRFC2136\fR, -\fBRFC3007\fR, -\fBRFC2104\fR, -\fBRFC2845\fR, -\fBRFC1034\fR, -\fBRFC2535\fR, -\fBRFC2931\fR, +\fBRFC2136\fR(), +\fBRFC3007\fR(), +\fBRFC2104\fR(), +\fBRFC2845\fR(), +\fBRFC1034\fR(), +\fBRFC2535\fR(), +\fBRFC2931\fR(), \fBnamed\fR(8), -\fBdnssec-keygen\fR(8). +\fBdnssec\-keygen\fR(8). .SH "BUGS" .PP -The TSIG key is redundantly stored in two separate files. -This is a consequence of nsupdate using the DST library -for its cryptographic operations, and may change in future -releases. +The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases. diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.c b/usr.sbin/bind/bin/nsupdate/nsupdate.c index ce154afc80d..5999f1b636e 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.c +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: nsupdate.c,v 1.103.2.15.2.18 2004/09/16 02:12:18 marka Exp $ */ +/* $ISC: nsupdate.c,v 1.103.2.15.2.20 2005/03/17 03:58:26 marka Exp $ */ #include <config.h> @@ -1634,6 +1634,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { ddebug("Destroying request [%p]", request); dns_request_destroy(&request); dns_message_renderreset(soaquery); + dns_message_settsigkey(soaquery, NULL); sendrequest(localaddr, &servers[ns_inuse], soaquery, &request); isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); isc_event_free(&event); @@ -1813,6 +1814,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_name_clone(&tname, name); dns_request_destroy(&request); dns_message_renderreset(soaquery); + dns_message_settsigkey(soaquery, NULL); if (userserver != NULL) sendrequest(localaddr, userserver, soaquery, &request); else diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook b/usr.sbin/bind/bin/nsupdate/nsupdate.docbook index 7242155eb1e..2cb70abcdca 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.docbook @@ -1,7 +1,9 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: nsupdate.docbook,v 1.8.2.3.2.8 2004/03/08 04:04:23 marka Exp $ --> +<!-- $ISC: nsupdate.docbook,v 1.8.2.3.2.10 2005/05/12 21:36:03 sra Exp $ --> <refentry> <refentryinfo> @@ -27,6 +29,22 @@ <manvolnum>8</manvolnum> <refmiscinfo>BIND9</refmiscinfo> </refmeta> + + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>nsupdate</refname> <refpurpose>Dynamic DNS update utility</refpurpose> @@ -229,6 +247,8 @@ where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -248,6 +268,9 @@ will send updates using an address and port chosen by the system. <parameter>port</parameter> can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. +</para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -482,6 +505,7 @@ updates specified since the last send. Sends the current message. This is equivalent to entering a blank line. </para> </listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -493,8 +517,10 @@ Sends the current message. This is equivalent to entering a blank line. Displays the answer. </para> </listitem> +</varlistentry> </variablelist> +</para> <para> Lines beginning with a semicolon are comments and are ignored. @@ -562,6 +588,7 @@ RRSIG, DNSKEY and NSEC records.) used to identify default name server </para> </listitem> +</varlistentry> <varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term> <listitem> @@ -572,6 +599,7 @@ base-64 encoding of HMAC-MD5 key created by </citerefentry>. </para> </listitem> +</varlistentry> <varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term> <listitem> @@ -582,6 +610,7 @@ base-64 encoding of HMAC-MD5 key created by </citerefentry>. </para> </listitem> +</varlistentry> </variablelist> </refsect1> @@ -615,7 +644,7 @@ base-64 encoding of HMAC-MD5 key created by <citerefentry> <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> </citerefentry>. - +</para> </refsect1> <refsect1> <title>BUGS</title> diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.html b/usr.sbin/bind/bin/nsupdate/nsupdate.html index 7697ead9982..cc4678b8e4a 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.html +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.html @@ -1,339 +1,170 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: nsupdate.html,v 1.9.2.3.2.5 2004/08/22 23:38:59 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->nsupdate</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->nsupdate</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->nsupdate -- Dynamic DNS update utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->nsupdate</B -> [<VAR -CLASS="OPTION" ->-d</VAR ->] [<VAR -CLASS="OPTION" ->-y <VAR -CLASS="REPLACEABLE" ->keyname:secret</VAR -></VAR -> | <VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->keyfile</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->timeout</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->udptimeout</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->udpretries</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-v</VAR ->] [filename]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN35" -></A -><H2 ->DESCRIPTION</H2 -><P -><B -CLASS="COMMAND" ->nsupdate</B -> +<!-- $ISC: nsupdate.html,v 1.9.2.3.2.12 2005/10/13 02:33:49 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>nsupdate</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>nsupdate — Dynamic DNS update utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525896"></a><h2>DESCRIPTION</h2> +<p> +<span><strong class="command">nsupdate</strong></span> is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one -resource record.</P -><P ->Zones that are under dynamic control via -<B -CLASS="COMMAND" ->nsupdate</B -> +resource record. +</p> +<p> +Zones that are under dynamic control via +<span><strong class="command">nsupdate</strong></span> or a DHCP server should not be edited by hand. Manual edits could -conflict with dynamic updates and cause data to be lost.</P -><P ->The resource records that are dynamically added or removed with -<B -CLASS="COMMAND" ->nsupdate</B -> +conflict with dynamic updates and cause data to be lost. +</p> +<p> +The resource records that are dynamically added or removed with +<span><strong class="command">nsupdate</strong></span> have to be in the same zone. Requests are sent to the zone's master server. -This is identified by the MNAME field of the zone's SOA record.</P -><P ->The -<VAR -CLASS="OPTION" ->-d</VAR -> +This is identified by the MNAME field of the zone's SOA record. +</p> +<p> +The +<code class="option">-d</code> option makes -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> operate in debug mode. This provides tracing information about the update requests that are -made and the replies received from the name server.</P -><P ->Transaction signatures can be used to authenticate the Dynamic DNS +made and the replies received from the name server. +</p> +<p> +Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to -<B -CLASS="COMMAND" ->nsupdate</B -> and the name server. +<span><strong class="command">nsupdate</strong></span> and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance suitable -<SPAN -CLASS="TYPE" ->key</SPAN -> +<span class="type">key</span> and -<SPAN -CLASS="TYPE" ->server</SPAN -> +<span class="type">server</span> statements would be added to -<TT -CLASS="FILENAME" ->/etc/named.conf</TT -> +<code class="filename">/etc/named.conf</code> so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> does not read -<TT -CLASS="FILENAME" ->/etc/named.conf</TT ->.</P -><P -><B -CLASS="COMMAND" ->nsupdate</B -> +<code class="filename">/etc/named.conf</code>. +</p> +<p> +<span><strong class="command">nsupdate</strong></span> uses the -<VAR -CLASS="OPTION" ->-y</VAR -> +<code class="option">-y</code> or -<VAR -CLASS="OPTION" ->-k</VAR -> +<code class="option">-k</code> option (with an HMAC-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the -<VAR -CLASS="OPTION" ->-k</VAR -> +<code class="option">-k</code> option, -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> reads the shared secret from the file -<VAR -CLASS="PARAMETER" ->keyfile</VAR ->, +<em class="parameter"><code>keyfile</code></em>, whose name is of the form -<TT -CLASS="FILENAME" ->K{name}.+157.+{random}.private</TT ->. +<code class="filename">K{name}.+157.+{random}.private</code>. For historical reasons, the file -<TT -CLASS="FILENAME" ->K{name}.+157.+{random}.key</TT -> +<code class="filename">K{name}.+157.+{random}.key</code> must also be present. When the -<VAR -CLASS="OPTION" ->-y</VAR -> +<code class="option">-y</code> option is used, a signature is generated from -<VAR -CLASS="PARAMETER" ->keyname:secret.</VAR -> -<VAR -CLASS="PARAMETER" ->keyname</VAR -> +<em class="parameter"><code>keyname:secret.</code></em> +<em class="parameter"><code>keyname</code></em> is the name of the key, and -<VAR -CLASS="PARAMETER" ->secret</VAR -> +<em class="parameter"><code>secret</code></em> is the base64 encoded shared secret. Use of the -<VAR -CLASS="OPTION" ->-y</VAR -> +<code class="option">-y</code> option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->ps</SPAN ->(1)</SPAN -> -or in a history file maintained by the user's shell.</P -><P ->The <VAR -CLASS="OPTION" ->-k</VAR -> may also be used to specify a SIG(0) key used +<span class="citerefentry"><span class="refentrytitle">ps</span>(1 +)</span> +or in a history file maintained by the user's shell. +</p> +<p> +The <code class="option">-k</code> may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key -specified is not an HMAC-MD5 key.</P -><P ->By default -<B -CLASS="COMMAND" ->nsupdate</B -> +specified is not an HMAC-MD5 key. +</p> +<p> +By default +<span><strong class="command">nsupdate</strong></span> uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The -<VAR -CLASS="OPTION" ->-v</VAR -> +<code class="option">-v</code> option makes -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> use a TCP connection. -This may be preferable when a batch of update requests is made.</P -><P ->The <VAR -CLASS="OPTION" ->-t</VAR -> option sets the maximum time a update request can +This may be preferable when a batch of update requests is made. +</p> +<p>The <code class="option">-t</code> option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used -to disable the timeout.</P -><P ->The <VAR -CLASS="OPTION" ->-u</VAR -> option sets the UDP retry interval. The default is +to disable the timeout. +</p> +<p>The <code class="option">-u</code> option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval -and number of UDP retries.</P -><P ->The <VAR -CLASS="OPTION" ->-r</VAR -> option sets the number of UDP retries. The default is -3. If zero only one update request will be made.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN82" -></A -><H2 ->INPUT FORMAT</H2 -><P -><B -CLASS="COMMAND" ->nsupdate</B -> +and number of UDP retries. +</p> +<p>The <code class="option">-r</code> option sets the number of UDP retries. The default is +3. If zero only one update request will be made. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526121"></a><h2>INPUT FORMAT</h2> +<p> +<span><strong class="command">nsupdate</strong></span> reads input from -<VAR -CLASS="PARAMETER" ->filename</VAR -> +<em class="parameter"><code>filename</code></em> or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. @@ -342,471 +173,245 @@ contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. -Updates will be rejected if the tests for the prerequisite conditions fail.</P -><P ->Every update request consists of zero or more prerequisites +Updates will be rejected if the tests for the prerequisite conditions fail. +</p> +<p> +Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. -A blank input line (or the <B -CLASS="COMMAND" ->send</B -> command) causes the +A blank input line (or the <span><strong class="command">send</strong></span> command) causes the accumulated commands to be sent as one Dynamic DNS update request to the -name server.</P -><P ->The command formats and their meaning are as follows: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><P -><B -CLASS="COMMAND" ->server</B -> {servername} [port]</P -></DT -><DD -><P ->Sends all dynamic update requests to the name server -<VAR -CLASS="PARAMETER" ->servername</VAR ->. +name server. +</p> +<p> +The command formats and their meaning are as follows: +</p> +<div class="variablelist"><dl> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">server</code> {servername} [port]</p></div> +</span></dt> +<dd><p> +Sends all dynamic update requests to the name server +<em class="parameter"><code>servername</code></em>. When no server statement is provided, -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. -<VAR -CLASS="PARAMETER" ->port</VAR -> +<em class="parameter"><code>port</code></em> is the port number on -<VAR -CLASS="PARAMETER" ->servername</VAR -> +<em class="parameter"><code>servername</code></em> where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is -used.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->local</B -> {address} [port]</P -></DT -><DD -><P ->Sends all dynamic update requests using the local -<VAR -CLASS="PARAMETER" ->address</VAR ->. +used. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">local</code> {address} [port]</p></div> +</span></dt> +<dd><p> +Sends all dynamic update requests using the local +<em class="parameter"><code>address</code></em>. When no local statement is provided, -<B -CLASS="COMMAND" ->nsupdate</B -> +<span><strong class="command">nsupdate</strong></span> will send updates using an address and port chosen by the system. -<VAR -CLASS="PARAMETER" ->port</VAR -> +<em class="parameter"><code>port</code></em> can additionally be used to make requests come from a specific port. -If no port number is specified, the system will assign one. </P -></DD -><DT -><P -><B -CLASS="COMMAND" ->zone</B -> {zonename}</P -></DT -><DD -><P ->Specifies that all updates are to be made to the zone -<VAR -CLASS="PARAMETER" ->zonename</VAR ->. +If no port number is specified, the system will assign one. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">zone</code> {zonename}</p></div> +</span></dt> +<dd><p> +Specifies that all updates are to be made to the zone +<em class="parameter"><code>zonename</code></em>. If no -<VAR -CLASS="PARAMETER" ->zone</VAR -> +<em class="parameter"><code>zone</code></em> statement is provided, -<B -CLASS="COMMAND" ->nsupdate</B -> -will attempt determine the correct zone to update based on the rest of the input.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->class</B -> {classname}</P -></DT -><DD -><P ->Specify the default class. -If no <VAR -CLASS="PARAMETER" ->class</VAR -> is specified the default class is -<VAR -CLASS="PARAMETER" ->IN</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->key</B -> {name} {secret}</P -></DT -><DD -><P ->Specifies that all updates are to be TSIG signed using the -<VAR -CLASS="PARAMETER" ->keyname</VAR -> <VAR -CLASS="PARAMETER" ->keysecret</VAR -> pair. -The <B -CLASS="COMMAND" ->key</B -> command +<span><strong class="command">nsupdate</strong></span> +will attempt determine the correct zone to update based on the rest of the input. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">class</code> {classname}</p></div> +</span></dt> +<dd><p> +Specify the default class. +If no <em class="parameter"><code>class</code></em> is specified the default class is +<em class="parameter"><code>IN</code></em>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">key</code> {name} {secret}</p></div> +</span></dt> +<dd><p> +Specifies that all updates are to be TSIG signed using the +<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair. +The <span><strong class="command">key</strong></span> command overrides any key specified on the command line via -<VAR -CLASS="OPTION" ->-y</VAR -> or <VAR -CLASS="OPTION" ->-k</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq nxdomain</B -> {domain-name}</P -></DT -><DD -><P ->Requires that no resource record of any type exists with name -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq yxdomain</B -> {domain-name}</P -></DT -><DD -><P ->Requires that -<VAR -CLASS="PARAMETER" ->domain-name</VAR -> -exists (has as at least one resource record, of any type).</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq nxrrset</B -> {domain-name} [class] {type}</P -></DT -><DD -><P ->Requires that no resource record exists of the specified -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR -> +<code class="option">-y</code> or <code class="option">-k</code>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq nxdomain</code> {domain-name}</p></div> +</span></dt> +<dd><p> +Requires that no resource record of any type exists with name +<em class="parameter"><code>domain-name</code></em>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq yxdomain</code> {domain-name}</p></div> +</span></dt> +<dd><p> +Requires that +<em class="parameter"><code>domain-name</code></em> +exists (has as at least one resource record, of any type). +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq nxrrset</code> {domain-name} [class] {type}</p></div> +</span></dt> +<dd><p> +Requires that no resource record exists of the specified +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em> and -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->. +<em class="parameter"><code>domain-name</code></em>. If -<VAR -CLASS="PARAMETER" ->class</VAR -> -is omitted, IN (internet) is assumed.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq yxrrset</B -> {domain-name} [class] {type}</P -></DT -><DD -><P ->This requires that a resource record of the specified -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR -> +<em class="parameter"><code>class</code></em> +is omitted, IN (internet) is assumed. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type}</p></div> +</span></dt> +<dd><p> +This requires that a resource record of the specified +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em> and -<VAR -CLASS="PARAMETER" ->domain-name</VAR -> +<em class="parameter"><code>domain-name</code></em> must exist. If -<VAR -CLASS="PARAMETER" ->class</VAR -> -is omitted, IN (internet) is assumed.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->prereq yxrrset</B -> {domain-name} [class] {type} {data...}</P -></DT -><DD -><P ->The -<VAR -CLASS="PARAMETER" ->data</VAR -> +<em class="parameter"><code>class</code></em> +is omitted, IN (internet) is assumed. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type} {data...}</p></div> +</span></dt> +<dd><p> +The +<em class="parameter"><code>data</code></em> from each set of prerequisites of this form sharing a common -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR ->, +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em>, and -<VAR -CLASS="PARAMETER" ->domain-name</VAR -> +<em class="parameter"><code>domain-name</code></em> are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given -<VAR -CLASS="PARAMETER" ->type</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR ->, +<em class="parameter"><code>type</code></em>, +<em class="parameter"><code>class</code></em>, and -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->. +<em class="parameter"><code>domain-name</code></em>. The -<VAR -CLASS="PARAMETER" ->data</VAR -> +<em class="parameter"><code>data</code></em> are written in the standard text representation of the resource record's -RDATA.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->update delete</B -> {domain-name} [ttl] [class] [type [data...]]</P -></DT -><DD -><P ->Deletes any resource records named -<VAR -CLASS="PARAMETER" ->domain-name</VAR ->. +RDATA. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">update delete</code> {domain-name} [ttl] [class] [type [data...]]</p></div> +</span></dt> +<dd><p> +Deletes any resource records named +<em class="parameter"><code>domain-name</code></em>. If -<VAR -CLASS="PARAMETER" ->type</VAR -> +<em class="parameter"><code>type</code></em> and -<VAR -CLASS="PARAMETER" ->data</VAR -> +<em class="parameter"><code>data</code></em> is provided, only matching resource records will be removed. The internet class is assumed if -<VAR -CLASS="PARAMETER" ->class</VAR -> +<em class="parameter"><code>class</code></em> is not supplied. The -<VAR -CLASS="PARAMETER" ->ttl</VAR -> -is ignored, and is only allowed for compatibility.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->update add</B -> {domain-name} {ttl} [class] {type} {data...}</P -></DT -><DD -><P ->Adds a new resource record with the specified -<VAR -CLASS="PARAMETER" ->ttl</VAR ->, -<VAR -CLASS="PARAMETER" ->class</VAR -> +<em class="parameter"><code>ttl</code></em> +is ignored, and is only allowed for compatibility. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">update add</code> {domain-name} {ttl} [class] {type} {data...}</p></div> +</span></dt> +<dd><p> +Adds a new resource record with the specified +<em class="parameter"><code>ttl</code></em>, +<em class="parameter"><code>class</code></em> and -<VAR -CLASS="PARAMETER" ->data</VAR ->.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->show</B -> </P -></DT -><DD -><P ->Displays the current message, containing all of the prerequisites and -updates specified since the last send.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->send</B -> </P -></DT -><DD -><P ->Sends the current message. This is equivalent to entering a blank line.</P -></DD -><DT -><P -><B -CLASS="COMMAND" ->answer</B -> </P -></DT -><DD -><P ->Displays the answer.</P -></DD -></DL -></DIV -> </P -><P ->Lines beginning with a semicolon are comments and are ignored.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN255" -></A -><H2 ->EXAMPLES</H2 -><P ->The examples below show how -<B -CLASS="COMMAND" ->nsupdate</B -> +<em class="parameter"><code>data</code></em>. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">show</code> </p></div> +</span></dt> +<dd><p> +Displays the current message, containing all of the prerequisites and +updates specified since the last send. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">send</code> </p></div> +</span></dt> +<dd><p> +Sends the current message. This is equivalent to entering a blank line. +</p></dd> +<dt><span class="term"> +<div class="cmdsynopsis"><p><code class="command">answer</code> </p></div> +</span></dt> +<dd><p> +Displays the answer. +</p></dd> +</dl></div> +<p> +</p> +<p> +Lines beginning with a semicolon are comments and are ignored. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526749"></a><h2>EXAMPLES</h2> +<p> +The examples below show how +<span><strong class="command">nsupdate</strong></span> could be used to insert and delete resource records from the -<SPAN -CLASS="TYPE" ->example.com</SPAN -> +<span class="type">example.com</span> zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for -<SPAN -CLASS="TYPE" ->example.com</SPAN ->. +<span class="type">example.com</span>. -<PRE -CLASS="PROGRAMLISTING" -># nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 172.16.1.1 -> send</PRE -></P -><P ->Any A records for -<SPAN -CLASS="TYPE" ->oldhost.example.com</SPAN -> +</p> +<pre class="programlisting"> +# nsupdate +> update delete oldhost.example.com A +> update add newhost.example.com 86400 A 172.16.1.1 +> send +</pre> +<p> +</p> +<p> +Any A records for +<span class="type">oldhost.example.com</span> are deleted. and an A record for -<SPAN -CLASS="TYPE" ->newhost.example.com</SPAN -> +<span class="type">newhost.example.com</span> it IP address 172.16.1.1 is added. The newly-added record has a 1 day TTL (86400 seconds) -<PRE -CLASS="PROGRAMLISTING" -># nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send</PRE -></P -><P ->The prerequisite condition gets the name server to check that there +</p> +<pre class="programlisting"> +# nsupdate +> prereq nxdomain nickname.example.com +> update add nickname.example.com 86400 CNAME somehost.example.com +> send +</pre> +<p> +</p> +<p> +The prerequisite condition gets the name server to check that there are no resource records of any type for -<SPAN -CLASS="TYPE" ->nickname.example.com</SPAN ->. +<span class="type">nickname.example.com</span>. If there are, the update request fails. If this name does not exist, a CNAME for it is added. @@ -814,149 +419,50 @@ This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -RRSIG, DNSKEY and NSEC records.)</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN268" -></A -><H2 ->FILES</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->/etc/resolv.conf</CODE -></DT -><DD -><P ->used to identify default name server</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->K{name}.+157.+{random}.key</CODE -></DT -><DD -><P ->base-64 encoding of HMAC-MD5 key created by -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->K{name}.+157.+{random}.private</CODE -></DT -><DD -><P ->base-64 encoding of HMAC-MD5 key created by -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN292" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2136</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC3007</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2104</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2845</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC1034</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2535</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2931</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-keygen</SPAN ->(8)</SPAN ->. </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN315" -></A -><H2 ->BUGS</H2 -><P ->The TSIG key is redundantly stored in two separate files. +RRSIG, DNSKEY and NSEC records.) +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526793"></a><h2>FILES</h2> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt> +<dd><p> +used to identify default name server +</p></dd> +<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt> +<dd><p> +base-64 encoding of HMAC-MD5 key created by +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. +</p></dd> +<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt> +<dd><p> +base-64 encoding of HMAC-MD5 key created by +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. +</p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525155"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>, +<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>, +<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, +<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525226"></a><h2>BUGS</h2> +<p> +The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future -releases.</P -></DIV -></BODY -></HTML -> +releases. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.8 b/usr.sbin/bind/bin/rndc/rndc-confgen.8 index 009568e961c..c5c151ccc25 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.8 +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.8 @@ -1,140 +1,183 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2001-2003 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2001, 2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: rndc-confgen.8,v 1.3.2.5.2.3 2004/06/03 05:35:48 marka Exp $ +.\" $ISC: rndc-confgen.8,v 1.3.2.5.2.7 2005/10/13 02:33:50 marka Exp $ .\" -.TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" "" -.SH NAME -rndc-confgen \- rndc key generation tool -.SH SYNOPSIS -.sp -\fBrndc-confgen\fR [ \fB-a\fR ] [ \fB-b \fIkeysize\fB\fR ] [ \fB-c \fIkeyfile\fB\fR ] [ \fB-h\fR ] [ \fB-k \fIkeyname\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-r \fIrandomfile\fB\fR ] [ \fB-s \fIaddress\fB\fR ] [ \fB-t \fIchrootdir\fB\fR ] [ \fB-u \fIuser\fB\fR ] +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +rndc\-confgen \- rndc key generation tool +.SH "SYNOPSIS" +.HP 13 +\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] .SH "DESCRIPTION" .PP -\fBrndc-confgen\fR generates configuration files -for \fBrndc\fR. It can be used as a -convenient alternative to writing the -\fIrndc.conf\fR file -and the corresponding \fBcontrols\fR -and \fBkey\fR -statements in \fInamed.conf\fR by hand. -Alternatively, it can be run with the \fB-a\fR -option to set up a \fIrndc.key\fR file and -avoid the need for a \fIrndc.conf\fR file -and a \fBcontrols\fR statement altogether. +\fBrndc\-confgen\fR +generates configuration files for +\fBrndc\fR. It can be used as a convenient alternative to writing the +\fIrndc.conf\fR +file and the corresponding +\fBcontrols\fR +and +\fBkey\fR +statements in +\fInamed.conf\fR +by hand. Alternatively, it can be run with the +\fB\-a\fR +option to set up a +\fIrndc.key\fR +file and avoid the need for a +\fIrndc.conf\fR +file and a +\fBcontrols\fR +statement altogether. .SH "OPTIONS" .TP -\fB-a\fR -Do automatic \fBrndc\fR configuration. -This creates a file \fIrndc.key\fR -in \fI/etc\fR (or whatever -sysconfdir -was specified as when BIND was built) -that is read by both \fBrndc\fR -and \fBnamed\fR on startup. The -\fIrndc.key\fR file defines a default -command channel and authentication key allowing -\fBrndc\fR to communicate with -\fBnamed\fR on the local host -with no further configuration. - -Running \fBrndc-confgen -a\fR allows -BIND 9 and \fBrndc\fR to be used as drop-in -replacements for BIND 8 and \fBndc\fR, -with no changes to the existing BIND 8 -\fInamed.conf\fR file. - -If a more elaborate configuration than that -generated by \fBrndc-confgen -a\fR -is required, for example if rndc is to be used remotely, -you should run \fBrndc-confgen\fR without the -\fB-a\fR option and set up a -\fIrndc.conf\fR and +\-a +Do automatic +\fBrndc\fR +configuration. This creates a file +\fIrndc.key\fR +in +\fI/etc\fR +(or whatever +\fIsysconfdir\fR +was specified as when +BIND +was built) that is read by both +\fBrndc\fR +and +\fBnamed\fR +on startup. The +\fIrndc.key\fR +file defines a default command channel and authentication key allowing +\fBrndc\fR +to communicate with +\fBnamed\fR +on the local host with no further configuration. +.sp +Running +\fBrndc\-confgen \-a\fR +allows BIND 9 and +\fBrndc\fR +to be used as drop\-in replacements for BIND 8 and +\fBndc\fR, with no changes to the existing BIND 8 +\fInamed.conf\fR +file. +.sp +If a more elaborate configuration than that generated by +\fBrndc\-confgen \-a\fR +is required, for example if rndc is to be used remotely, you should run +\fBrndc\-confgen\fR +without the +\fB\-a\fR +option and set up a +\fIrndc.conf\fR +and \fInamed.conf\fR as directed. .TP -\fB-b \fIkeysize\fB\fR -Specifies the size of the authentication key in bits. -Must be between 1 and 512 bits; the default is 128. +\-b \fIkeysize\fR +Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. .TP -\fB-c \fIkeyfile\fB\fR -Used with the \fB-a\fR option to specify -an alternate location for \fIrndc.key\fR. +\-c \fIkeyfile\fR +Used with the +\fB\-a\fR +option to specify an alternate location for +\fIrndc.key\fR. .TP -\fB-h\fR +\-h Prints a short summary of the options and arguments to -\fBrndc-confgen\fR. +\fBrndc\-confgen\fR. .TP -\fB-k \fIkeyname\fB\fR -Specifies the key name of the rndc authentication key. -This must be a valid domain name. -The default is rndc-key. +\-k \fIkeyname\fR +Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is +\fBrndc\-key\fR. .TP -\fB-p \fIport\fB\fR -Specifies the command channel port where \fBnamed\fR -listens for connections from \fBrndc\fR. -The default is 953. +\-p \fIport\fR +Specifies the command channel port where +\fBnamed\fR +listens for connections from +\fBrndc\fR. The default is 953. .TP -\fB-r \fIrandomfile\fB\fR -Specifies a source of random data for generating the -authorization. If the operating -system does not provide a \fI/dev/random\fR -or equivalent device, the default source of randomness -is keyboard input. \fIrandomdev\fR specifies -the name of a character device or file containing random -data to be used instead of the default. The special value -\fIkeyboard\fR indicates that keyboard -input should be used. +\-r \fIrandomfile\fR +Specifies a source of random data for generating the authorization. If the operating system does not provide a +\fI/dev/random\fR +or equivalent device, the default source of randomness is keyboard input. +\fIrandomdev\fR +specifies the name of a character device or file containing random data to be used instead of the default. The special value +\fIkeyboard\fR +indicates that keyboard input should be used. .TP -\fB-s \fIaddress\fB\fR -Specifies the IP address where \fBnamed\fR +\-s \fIaddress\fR +Specifies the IP address where +\fBnamed\fR listens for command channel connections from -\fBrndc\fR. The default is the loopback -address 127.0.0.1. +\fBrndc\fR. The default is the loopback address 127.0.0.1. .TP -\fB-t \fIchrootdir\fB\fR -Used with the \fB-a\fR option to specify -a directory where \fBnamed\fR will run -chrooted. An additional copy of the \fIrndc.key\fR -will be written relative to this directory so that -it will be found by the chrooted \fBnamed\fR. +\-t \fIchrootdir\fR +Used with the +\fB\-a\fR +option to specify a directory where +\fBnamed\fR +will run chrooted. An additional copy of the +\fIrndc.key\fR +will be written relative to this directory so that it will be found by the chrooted +\fBnamed\fR. .TP -\fB-u \fIuser\fB\fR -Used with the \fB-a\fR option to set the owner -of the \fIrndc.key\fR file generated. If -\fB-t\fR is also specified only the file in -the chroot area has its owner changed. +\-u \fIuser\fR +Used with the +\fB\-a\fR +option to set the owner of the +\fIrndc.key\fR +file generated. If +\fB\-t\fR +is also specified only the file in the chroot area has its owner changed. .SH "EXAMPLES" .PP -To allow \fBrndc\fR to be used with -no manual configuration, run +To allow +\fBrndc\fR +to be used with no manual configuration, run .PP -\fBrndc-confgen -a\fR +\fBrndc\-confgen \-a\fR .PP -To print a sample \fIrndc.conf\fR file and -corresponding \fBcontrols\fR and \fBkey\fR -statements to be manually inserted into \fInamed.conf\fR, -run +To print a sample +\fIrndc.conf\fR +file and corresponding +\fBcontrols\fR +and +\fBkey\fR +statements to be manually inserted into +\fInamed.conf\fR, run .PP -\fBrndc-confgen\fR +\fBrndc\-confgen\fR .SH "SEE ALSO" .PP \fBrndc\fR(8), \fBrndc.conf\fR(5), \fBnamed\fR(8), -\fIBIND 9 Administrator Reference Manual\fR. +BIND 9 Administrator Reference Manual. .SH "AUTHOR" .PP Internet Systems Consortium diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook b/usr.sbin/bind/bin/rndc/rndc-confgen.docbook index 9a74463d805..562adb4e277 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.docbook @@ -1,6 +1,8 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: rndc-confgen.docbook,v 1.3.2.1.4.3 2004/06/03 02:24:58 marka Exp $ --> +<!-- $ISC: rndc-confgen.docbook,v 1.3.2.1.4.5 2005/05/13 01:22:34 marka Exp $ --> <refentry> <refentryinfo> @@ -29,6 +31,19 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2001</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname><application>rndc-confgen</application></refname> <refpurpose>rndc key generation tool</refpurpose> diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.html b/usr.sbin/bind/bin/rndc/rndc-confgen.html index 797d5ce2c5f..2e32cf9a1a0 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.html +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.html @@ -1,538 +1,185 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: rndc-confgen.html,v 1.3.2.5.2.4 2004/08/22 23:39:00 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->rndc-confgen</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->rndc-confgen</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->rndc-confgen</SPAN -> -- rndc key generation tool</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->rndc-confgen</B -> [<VAR -CLASS="OPTION" ->-a</VAR ->] [<VAR -CLASS="OPTION" ->-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->keyfile</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-h</VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->keyname</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-r <VAR -CLASS="REPLACEABLE" ->randomfile</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->address</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-t <VAR -CLASS="REPLACEABLE" ->chrootdir</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></VAR ->]</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN44" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->rndc-confgen</B -> generates configuration files - for <B -CLASS="COMMAND" ->rndc</B ->. It can be used as a +<!-- $ISC: rndc-confgen.html,v 1.3.2.5.2.11 2005/10/13 02:33:51 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>rndc-confgen</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">rndc-confgen</span> — rndc key generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525911"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">rndc-confgen</strong></span> generates configuration files + for <span><strong class="command">rndc</strong></span>. It can be used as a convenient alternative to writing the - <TT -CLASS="FILENAME" ->rndc.conf</TT -> file - and the corresponding <B -CLASS="COMMAND" ->controls</B -> - and <B -CLASS="COMMAND" ->key</B -> - statements in <TT -CLASS="FILENAME" ->named.conf</TT -> by hand. - Alternatively, it can be run with the <B -CLASS="COMMAND" ->-a</B -> - option to set up a <TT -CLASS="FILENAME" ->rndc.key</TT -> file and - avoid the need for a <TT -CLASS="FILENAME" ->rndc.conf</TT -> file - and a <B -CLASS="COMMAND" ->controls</B -> statement altogether. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-a</DT -><DD -><P -> Do automatic <B -CLASS="COMMAND" ->rndc</B -> configuration. - This creates a file <TT -CLASS="FILENAME" ->rndc.key</TT -> - in <TT -CLASS="FILENAME" ->/etc</TT -> (or whatever - <VAR -CLASS="VARNAME" ->sysconfdir</VAR -> - was specified as when <ACRONYM -CLASS="ACRONYM" ->BIND</ACRONYM -> was built) - that is read by both <B -CLASS="COMMAND" ->rndc</B -> - and <B -CLASS="COMMAND" ->named</B -> on startup. The - <TT -CLASS="FILENAME" ->rndc.key</TT -> file defines a default + <code class="filename">rndc.conf</code> file + and the corresponding <span><strong class="command">controls</strong></span> + and <span><strong class="command">key</strong></span> + statements in <code class="filename">named.conf</code> by hand. + Alternatively, it can be run with the <span><strong class="command">-a</strong></span> + option to set up a <code class="filename">rndc.key</code> file and + avoid the need for a <code class="filename">rndc.conf</code> file + and a <span><strong class="command">controls</strong></span> statement altogether. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525957"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a</span></dt> +<dd> +<p> + Do automatic <span><strong class="command">rndc</strong></span> configuration. + This creates a file <code class="filename">rndc.key</code> + in <code class="filename">/etc</code> (or whatever + <code class="varname">sysconfdir</code> + was specified as when <span class="acronym">BIND</span> was built) + that is read by both <span><strong class="command">rndc</strong></span> + and <span><strong class="command">named</strong></span> on startup. The + <code class="filename">rndc.key</code> file defines a default command channel and authentication key allowing - <B -CLASS="COMMAND" ->rndc</B -> to communicate with - <B -CLASS="COMMAND" ->named</B -> on the local host + <span><strong class="command">rndc</strong></span> to communicate with + <span><strong class="command">named</strong></span> on the local host with no further configuration. - </P -><P -> Running <B -CLASS="COMMAND" ->rndc-confgen -a</B -> allows - BIND 9 and <B -CLASS="COMMAND" ->rndc</B -> to be used as drop-in - replacements for BIND 8 and <B -CLASS="COMMAND" ->ndc</B ->, + </p> +<p> + Running <span><strong class="command">rndc-confgen -a</strong></span> allows + BIND 9 and <span><strong class="command">rndc</strong></span> to be used as drop-in + replacements for BIND 8 and <span><strong class="command">ndc</strong></span>, with no changes to the existing BIND 8 - <TT -CLASS="FILENAME" ->named.conf</TT -> file. - </P -><P -> If a more elaborate configuration than that - generated by <B -CLASS="COMMAND" ->rndc-confgen -a</B -> + <code class="filename">named.conf</code> file. + </p> +<p> + If a more elaborate configuration than that + generated by <span><strong class="command">rndc-confgen -a</strong></span> is required, for example if rndc is to be used remotely, - you should run <B -CLASS="COMMAND" ->rndc-confgen</B -> without the - <B -CLASS="COMMAND" ->-a</B -> option and set up a - <TT -CLASS="FILENAME" ->rndc.conf</TT -> and - <TT -CLASS="FILENAME" ->named.conf</TT -> + you should run <span><strong class="command">rndc-confgen</strong></span> without the + <span><strong class="command">-a</strong></span> option and set up a + <code class="filename">rndc.conf</code> and + <code class="filename">named.conf</code> as directed. - </P -></DD -><DT ->-b <VAR -CLASS="REPLACEABLE" ->keysize</VAR -></DT -><DD -><P -> Specifies the size of the authentication key in bits. + </p> +</dd> +<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> +<dd><p> + Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. - </P -></DD -><DT ->-c <VAR -CLASS="REPLACEABLE" ->keyfile</VAR -></DT -><DD -><P -> Used with the <B -CLASS="COMMAND" ->-a</B -> option to specify - an alternate location for <TT -CLASS="FILENAME" ->rndc.key</TT ->. - </P -></DD -><DT ->-h</DT -><DD -><P -> Prints a short summary of the options and arguments to - <B -CLASS="COMMAND" ->rndc-confgen</B ->. - </P -></DD -><DT ->-k <VAR -CLASS="REPLACEABLE" ->keyname</VAR -></DT -><DD -><P -> Specifies the key name of the rndc authentication key. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to specify + an alternate location for <code class="filename">rndc.key</code>. + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">rndc-confgen</strong></span>. + </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt> +<dd><p> + Specifies the key name of the rndc authentication key. This must be a valid domain name. - The default is <CODE -CLASS="CONSTANT" ->rndc-key</CODE ->. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Specifies the command channel port where <B -CLASS="COMMAND" ->named</B -> - listens for connections from <B -CLASS="COMMAND" ->rndc</B ->. + The default is <code class="constant">rndc-key</code>. + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Specifies the command channel port where <span><strong class="command">named</strong></span> + listens for connections from <span><strong class="command">rndc</strong></span>. The default is 953. - </P -></DD -><DT ->-r <VAR -CLASS="REPLACEABLE" ->randomfile</VAR -></DT -><DD -><P -> Specifies a source of random data for generating the + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt> +<dd><p> + Specifies a source of random data for generating the authorization. If the operating - system does not provide a <TT -CLASS="FILENAME" ->/dev/random</TT -> + system does not provide a <code class="filename">/dev/random</code> or equivalent device, the default source of randomness - is keyboard input. <TT -CLASS="FILENAME" ->randomdev</TT -> specifies + is keyboard input. <code class="filename">randomdev</code> specifies the name of a character device or file containing random data to be used instead of the default. The special value - <TT -CLASS="FILENAME" ->keyboard</TT -> indicates that keyboard + <code class="filename">keyboard</code> indicates that keyboard input should be used. - </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->address</VAR -></DT -><DD -><P -> Specifies the IP address where <B -CLASS="COMMAND" ->named</B -> + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt> +<dd><p> + Specifies the IP address where <span><strong class="command">named</strong></span> listens for command channel connections from - <B -CLASS="COMMAND" ->rndc</B ->. The default is the loopback + <span><strong class="command">rndc</strong></span>. The default is the loopback address 127.0.0.1. - </P -></DD -><DT ->-t <VAR -CLASS="REPLACEABLE" ->chrootdir</VAR -></DT -><DD -><P -> Used with the <B -CLASS="COMMAND" ->-a</B -> option to specify - a directory where <B -CLASS="COMMAND" ->named</B -> will run - chrooted. An additional copy of the <TT -CLASS="FILENAME" ->rndc.key</TT -> + </p></dd> +<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to specify + a directory where <span><strong class="command">named</strong></span> will run + chrooted. An additional copy of the <code class="filename">rndc.key</code> will be written relative to this directory so that - it will be found by the chrooted <B -CLASS="COMMAND" ->named</B ->. - </P -></DD -><DT ->-u <VAR -CLASS="REPLACEABLE" ->user</VAR -></DT -><DD -><P -> Used with the <B -CLASS="COMMAND" ->-a</B -> option to set the owner - of the <TT -CLASS="FILENAME" ->rndc.key</TT -> file generated. If - <B -CLASS="COMMAND" ->-t</B -> is also specified only the file in + it will be found by the chrooted <span><strong class="command">named</strong></span>. + </p></dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to set the owner + of the <code class="filename">rndc.key</code> file generated. If + <span><strong class="command">-t</strong></span> is also specified only the file in the chroot area has its owner changed. - </P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN147" -></A -><H2 ->EXAMPLES</H2 -><P -> To allow <B -CLASS="COMMAND" ->rndc</B -> to be used with + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526270"></a><h2>EXAMPLES</h2> +<p> + To allow <span><strong class="command">rndc</strong></span> to be used with no manual configuration, run - </P -><P -> <KBD -CLASS="USERINPUT" ->rndc-confgen -a</KBD -> - </P -><P -> To print a sample <TT -CLASS="FILENAME" ->rndc.conf</TT -> file and - corresponding <B -CLASS="COMMAND" ->controls</B -> and <B -CLASS="COMMAND" ->key</B -> - statements to be manually inserted into <TT -CLASS="FILENAME" ->named.conf</TT ->, + </p> +<p> + <strong class="userinput"><code>rndc-confgen -a</code></strong> + </p> +<p> + To print a sample <code class="filename">rndc.conf</code> file and + corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span> + statements to be manually inserted into <code class="filename">named.conf</code>, run - </P -><P -> <KBD -CLASS="USERINPUT" ->rndc-confgen</KBD -> - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN160" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc.conf</SPAN ->(5)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN173" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +<p> + <strong class="userinput"><code>rndc-confgen</code></strong> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526314"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526357"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/rndc/rndc.c b/usr.sbin/bind/bin/rndc/rndc.c index 7945ef2a53c..ec27daaf94c 100644 --- a/usr.sbin/bind/bin/rndc/rndc.c +++ b/usr.sbin/bind/bin/rndc/rndc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rndc.c,v 1.77.2.5.2.13 2004/09/03 03:43:32 marka Exp $ */ +/* $ISC: rndc.c,v 1.77.2.5.2.15 2005/03/17 03:58:27 marka Exp $ */ /* * Principal Author: DCL @@ -104,7 +104,8 @@ command is one of the following:\n\ reconfig Reload configuration file and new zones only.\n\ stats Write server statistics to the statistics file.\n\ querylog Toggle query logging.\n\ - dumpdb Dump cache(s) to the dump file (named_dump.db).\n\ + dumpdb [-all|-cache|-zones] [view ...]\n\ + Dump cache(s) to the dump file (named_dump.db).\n\ stop Save pending updates to master files and stop the server.\n\ stop -p Save pending updates to master files and stop the server\n\ reporting process id.\n\ diff --git a/usr.sbin/bind/bin/rndc/rndc.conf.html b/usr.sbin/bind/bin/rndc/rndc.conf.html index 4167af74780..f80c17dadcd 100644 --- a/usr.sbin/bind/bin/rndc/rndc.conf.html +++ b/usr.sbin/bind/bin/rndc/rndc.conf.html @@ -1,238 +1,113 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: rndc.conf.html,v 1.5.2.1.4.3 2004/08/22 23:39:00 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->rndc.conf</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><TT -CLASS="FILENAME" ->rndc.conf</TT -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><TT -CLASS="FILENAME" ->rndc.conf</TT -> -- rndc configuration file</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->rndc.conf</B -> </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN16" -></A -><H2 ->DESCRIPTION</H2 -><P -> <TT -CLASS="FILENAME" ->rndc.conf</TT -> is the configuration file - for <B -CLASS="COMMAND" ->rndc</B ->, the BIND 9 name server control +<!-- $ISC: rndc.conf.html,v 1.5.2.1.4.10 2005/10/13 02:33:51 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>rndc.conf</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><code class="filename">rndc.conf</code> — rndc configuration file</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525833"></a><h2>DESCRIPTION</h2> +<p> + <code class="filename">rndc.conf</code> is the configuration file + for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control utility. This file has a similar structure and syntax to - <TT -CLASS="FILENAME" ->named.conf</TT ->. Statements are enclosed + <code class="filename">named.conf</code>. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported: - </P -><P -> C style: /* */ - </P -><P -> C++ style: // to end of line - </P -><P -> Unix style: # to end of line - </P -><P -> <TT -CLASS="FILENAME" ->rndc.conf</TT -> is much simpler than - <TT -CLASS="FILENAME" ->named.conf</TT ->. The file uses three + </p> +<p> + C style: /* */ + </p> +<p> + C++ style: // to end of line + </p> +<p> + Unix style: # to end of line + </p> +<p> + <code class="filename">rndc.conf</code> is much simpler than + <code class="filename">named.conf</code>. The file uses three statements: an options statement, a server statement and a key statement. - </P -><P -> The <VAR -CLASS="OPTION" ->options</VAR -> statement contains three clauses. - The <VAR -CLASS="OPTION" ->default-server</VAR -> clause is followed by the + </p> +<p> + The <code class="option">options</code> statement contains three clauses. + The <code class="option">default-server</code> clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to - <B -CLASS="COMMAND" ->rndc</B ->. The <VAR -CLASS="OPTION" ->default-key</VAR -> + <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code> clause is followed by the name of a key which is identified by - a <VAR -CLASS="OPTION" ->key</VAR -> statement. If no - <VAR -CLASS="OPTION" ->keyid</VAR -> is provided on the rndc command line, - and no <VAR -CLASS="OPTION" ->key</VAR -> clause is found in a matching - <VAR -CLASS="OPTION" ->server</VAR -> statement, this default key will be + a <code class="option">key</code> statement. If no + <code class="option">keyid</code> is provided on the rndc command line, + and no <code class="option">key</code> clause is found in a matching + <code class="option">server</code> statement, this default key will be used to authenticate the server's commands and responses. The - <VAR -CLASS="OPTION" ->default-port</VAR -> clause is followed by the port + <code class="option">default-port</code> clause is followed by the port to connect to on the remote name server. If no - <VAR -CLASS="OPTION" ->port</VAR -> option is provided on the rndc command - line, and no <VAR -CLASS="OPTION" ->port</VAR -> clause is found in a - matching <VAR -CLASS="OPTION" ->server</VAR -> statement, this default port + <code class="option">port</code> option is provided on the rndc command + line, and no <code class="option">port</code> clause is found in a + matching <code class="option">server</code> statement, this default port will be used to connect. - </P -><P -> After the <VAR -CLASS="OPTION" ->server</VAR -> keyword, the server statement + </p> +<p> + After the <code class="option">server</code> keyword, the server statement includes a string which is the hostname or address for a name server. The statement has two possible clauses: - <VAR -CLASS="OPTION" ->key</VAR -> and <VAR -CLASS="OPTION" ->port</VAR ->. The key name must + <code class="option">key</code> and <code class="option">port</code>. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. - </P -><P -> The <VAR -CLASS="OPTION" ->key</VAR -> statement begins with an identifying + </p> +<p> + The <code class="option">key</code> statement begins with an identifying string, the name of the key. The statement has two clauses. - <VAR -CLASS="OPTION" ->algorithm</VAR -> identifies the encryption algorithm - for <B -CLASS="COMMAND" ->rndc</B -> to use; currently only HMAC-MD5 is + <code class="option">algorithm</code> identifies the encryption algorithm + for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes. - </P -><P -> There are two common ways to generate the base-64 string for the - secret. The BIND 9 program <B -CLASS="COMMAND" ->rndc-confgen</B -> can + </p> +<p> + There are two common ways to generate the base-64 string for the + secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> can be used to generate a random key, or the - <B -CLASS="COMMAND" ->mmencode</B -> program, also known as - <B -CLASS="COMMAND" ->mimencode</B ->, can be used to generate a base-64 - string from known input. <B -CLASS="COMMAND" ->mmencode</B -> does not + <span><strong class="command">mmencode</strong></span> program, also known as + <span><strong class="command">mimencode</strong></span>, can be used to generate a base-64 + string from known input. <span><strong class="command">mmencode</strong></span> does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN54" -></A -><H2 ->EXAMPLE</H2 -><PRE -CLASS="PROGRAMLISTING" -> options { + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525968"></a><h2>EXAMPLE</h2> +<pre class="programlisting"> + options { default-server localhost; default-key samplekey; }; @@ -245,133 +120,60 @@ CLASS="PROGRAMLISTING" algorithm hmac-md5; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; - </PRE -><P -> In the above example, <B -CLASS="COMMAND" ->rndc</B -> will by default use + </pre> +<p> + In the above example, <span><strong class="command">rndc</strong></span> will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC-MD5 algorithm and its secret clause contains the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. - </P -><P -> To generate a random secret with <B -CLASS="COMMAND" ->rndc-confgen</B ->: - </P -><P -> <KBD -CLASS="USERINPUT" ->rndc-confgen</KBD -> - </P -><P -> A complete <TT -CLASS="FILENAME" ->rndc.conf</TT -> file, including the + </p> +<p> + To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>: + </p> +<p> + <strong class="userinput"><code>rndc-confgen</code></strong> + </p> +<p> + A complete <code class="filename">rndc.conf</code> file, including the randomly generated key, will be written to the standard - output. Commented out <VAR -CLASS="OPTION" ->key</VAR -> and - <VAR -CLASS="OPTION" ->controls</VAR -> statements for - <TT -CLASS="FILENAME" ->named.conf</TT -> are also printed. - </P -><P -> To generate a base-64 secret with <B -CLASS="COMMAND" ->mmencode</B ->: - </P -><P -> <KBD -CLASS="USERINPUT" ->echo "known plaintext for a secret" | mmencode</KBD -> - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN72" -></A -><H2 ->NAME SERVER CONFIGURATION</H2 -><P -> The name server must be configured to accept rndc connections and - to recognize the key specified in the <TT -CLASS="FILENAME" ->rndc.conf</TT -> - file, using the controls statement in <TT -CLASS="FILENAME" ->named.conf</TT ->. - See the sections on the <VAR -CLASS="OPTION" ->controls</VAR -> statement in the + output. Commented out <code class="option">key</code> and + <code class="option">controls</code> statements for + <code class="filename">named.conf</code> are also printed. + </p> +<p> + To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>: + </p> +<p> + <strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526028"></a><h2>NAME SERVER CONFIGURATION</h2> +<p> + The name server must be configured to accept rndc connections and + to recognize the key specified in the <code class="filename">rndc.conf</code> + file, using the controls statement in <code class="filename">named.conf</code>. + See the sections on the <code class="option">controls</code> statement in the BIND 9 Administrator Reference Manual for details. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN78" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc-confgen</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->mmencode</SPAN ->(1)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN91" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526049"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526091"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/bin/rndc/rndc.html b/usr.sbin/bind/bin/rndc/rndc.html index 5e20ad852ab..85beb8267bd 100644 --- a/usr.sbin/bind/bin/rndc/rndc.html +++ b/usr.sbin/bind/bin/rndc/rndc.html @@ -1,284 +1,112 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: rndc.html,v 1.7.2.1.4.3 2004/08/22 23:39:00 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->rndc</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A -><SPAN -CLASS="APPLICATION" ->rndc</SPAN -></H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN9" -></A -><H2 ->Name</H2 -><SPAN -CLASS="APPLICATION" ->rndc</SPAN -> -- name server control utility</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><P -><B -CLASS="COMMAND" ->rndc</B -> [<VAR -CLASS="OPTION" ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-k <VAR -CLASS="REPLACEABLE" ->key-file</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-s <VAR -CLASS="REPLACEABLE" ->server</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></VAR ->] [<VAR -CLASS="OPTION" ->-V</VAR ->] [<VAR -CLASS="OPTION" ->-y <VAR -CLASS="REPLACEABLE" ->key_id</VAR -></VAR ->] {command}</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN34" -></A -><H2 ->DESCRIPTION</H2 -><P -> <B -CLASS="COMMAND" ->rndc</B -> controls the operation of a name - server. It supersedes the <B -CLASS="COMMAND" ->ndc</B -> utility +<!-- $ISC: rndc.html,v 1.7.2.1.4.10 2005/10/13 02:33:50 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>rndc</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">rndc</span> — name server control utility</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525886"></a><h2>DESCRIPTION</h2> +<p> + <span><strong class="command">rndc</strong></span> controls the operation of a name + server. It supersedes the <span><strong class="command">ndc</strong></span> utility that was provided in old BIND releases. If - <B -CLASS="COMMAND" ->rndc</B -> is invoked with no command line + <span><strong class="command">rndc</strong></span> is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. - </P -><P -> <B -CLASS="COMMAND" ->rndc</B -> communicates with the name server + </p> +<p> + <span><strong class="command">rndc</strong></span> communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of - <B -CLASS="COMMAND" ->rndc</B -> and <B -CLASS="COMMAND" ->named</B -> named + <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server. - </P -><P -> <B -CLASS="COMMAND" ->rndc</B -> reads a configuration file to + </p> +<p> + <span><strong class="command">rndc</strong></span> reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN46" -></A -><H2 ->OPTIONS</H2 -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->-c <VAR -CLASS="REPLACEABLE" ->config-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525927"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>config-file</code></em> as the configuration file instead of the default, - <TT -CLASS="FILENAME" ->/etc/rndc.conf</TT ->. - </P -></DD -><DT ->-k <VAR -CLASS="REPLACEABLE" ->key-file</VAR -></DT -><DD -><P -> Use <VAR -CLASS="REPLACEABLE" ->key-file</VAR -> + <code class="filename">/etc/rndc.conf</code>. + </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt> +<dd><p> + Use <em class="replaceable"><code>key-file</code></em> as the key file instead of the default, - <TT -CLASS="FILENAME" ->/etc/rndc.key</TT ->. The key in - <TT -CLASS="FILENAME" ->/etc/rndc.key</TT -> will be used to authenticate - commands sent to the server if the <VAR -CLASS="REPLACEABLE" ->config-file</VAR -> + <code class="filename">/etc/rndc.key</code>. The key in + <code class="filename">/etc/rndc.key</code> will be used to authenticate + commands sent to the server if the <em class="replaceable"><code>config-file</code></em> does not exist. - </P -></DD -><DT ->-s <VAR -CLASS="REPLACEABLE" ->server</VAR -></DT -><DD -><P -> <VAR -CLASS="REPLACEABLE" ->server</VAR -> is + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt> +<dd><p> + <em class="replaceable"><code>server</code></em> is the name or address of the server which matches a server statement in the configuration file for - <B -CLASS="COMMAND" ->rndc</B ->. If no server is supplied on the + <span><strong class="command">rndc</strong></span>. If no server is supplied on the command line, the host named by the default-server clause in the option statement of the configuration file will be used. - </P -></DD -><DT ->-p <VAR -CLASS="REPLACEABLE" ->port</VAR -></DT -><DD -><P -> Send commands to TCP port - <VAR -CLASS="REPLACEABLE" ->port</VAR -> instead + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Send commands to TCP port + <em class="replaceable"><code>port</code></em> instead of BIND 9's default control channel port, 953. - </P -></DD -><DT ->-V</DT -><DD -><P -> Enable verbose logging. - </P -></DD -><DT ->-y <VAR -CLASS="REPLACEABLE" ->keyid</VAR -></DT -><DD -><P -> Use the key <VAR -CLASS="REPLACEABLE" ->keyid</VAR -> + </p></dd> +<dt><span class="term">-V</span></dt> +<dd><p> + Enable verbose logging. + </p></dd> +<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt> +<dd><p> + Use the key <em class="replaceable"><code>keyid</code></em> from the configuration file. - <VAR -CLASS="REPLACEABLE" ->keyid</VAR -> must be + <em class="replaceable"><code>keyid</code></em> must be known by named with the same algorithm and secret string in order for control message validation to succeed. - If no <VAR -CLASS="REPLACEABLE" ->keyid</VAR -> - is specified, <B -CLASS="COMMAND" ->rndc</B -> will first look + If no <em class="replaceable"><code>keyid</code></em> + is specified, <span><strong class="command">rndc</strong></span> will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement. @@ -286,103 +114,43 @@ CLASS="COMMAND" which are used to send authenticated control commands to name servers. It should therefore not have general read or write access. - </P -></DD -></DL -></DIV -><P -> For the complete set of commands supported by <B -CLASS="COMMAND" ->rndc</B ->, + </p></dd> +</dl></div> +<p> + For the complete set of commands supported by <span><strong class="command">rndc</strong></span>, see the BIND 9 Administrator Reference Manual or run - <B -CLASS="COMMAND" ->rndc</B -> without arguments to see its help message. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN94" -></A -><H2 ->LIMITATIONS</H2 -><P -> <B -CLASS="COMMAND" ->rndc</B -> does not yet support all the commands of - the BIND 8 <B -CLASS="COMMAND" ->ndc</B -> utility. - </P -><P -> There is currently no way to provide the shared secret for a - <VAR -CLASS="OPTION" ->key_id</VAR -> without using the configuration file. - </P -><P -> Several error messages could be clearer. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN102" -></A -><H2 ->SEE ALSO</H2 -><P -> <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->rndc.conf</SPAN ->(5)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->named.conf</SPAN ->(5)</SPAN -> - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->ndc</SPAN ->(8)</SPAN ->, - <I -CLASS="CITETITLE" ->BIND 9 Administrator Reference Manual</I ->. - </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN118" -></A -><H2 ->AUTHOR</H2 -><P -> Internet Systems Consortium - </P -></DIV -></BODY -></HTML -> + <span><strong class="command">rndc</strong></span> without arguments to see its help message. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526109"></a><h2>LIMITATIONS</h2> +<p> + <span><strong class="command">rndc</strong></span> does not yet support all the commands of + the BIND 8 <span><strong class="command">ndc</strong></span> utility. + </p> +<p> + There is currently no way to provide the shared secret for a + <code class="option">key_id</code> without using the configuration file. + </p> +<p> + Several error messages could be clearer. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526138"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span> + <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526190"></a><h2>AUTHOR</h2> +<p> + <span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/config.h.in b/usr.sbin/bind/config.h.in index 3dc3004cbc7..13061c684fd 100644 --- a/usr.sbin/bind/config.h.in +++ b/usr.sbin/bind/config.h.in @@ -16,7 +16,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: config.h.in,v 1.47.2.3.2.13 2004/12/04 06:53:50 marka Exp $ */ +/* $ISC: config.h.in,v 1.47.2.3.2.20 2005/10/20 23:57:38 marka Exp $ */ /*** *** This file is not to be included by any public header files, because @@ -224,6 +224,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the <unistd.h> header file. */ #undef HAVE_UNISTD_H +/* Defined if extern char *optarg is not declared. */ +#undef NEED_OPTARG + /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT @@ -239,12 +242,20 @@ int sigwait(const unsigned int *set, int *sig); /* Define to the version of this package. */ #undef PACKAGE_VERSION +/* Sets which flag to pass to open/fcntl to make non-blocking + (O_NDELAY/O_NONBLOCK). */ +#undef PORT_NONBLOCK + /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ #undef TIME_WITH_SYS_TIME +/* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make + non-blocking. */ +#undef USE_FIONBIO_IOCTL + /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN @@ -263,3 +274,6 @@ int sigwait(const unsigned int *set, int *sig); /* Define to `int' if <sys/types.h> does not define. */ #undef ssize_t + +/* Define to `unsigned long' if <sys/types.h> does not define. */ +#undef uintptr_t diff --git a/usr.sbin/bind/doc/arm/Bv9ARM-book.xml b/usr.sbin/bind/doc/arm/Bv9ARM-book.xml index b680405aaf5..980edcac8f4 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM-book.xml +++ b/usr.sbin/bind/doc/arm/Bv9ARM-book.xml @@ -1,24 +1,44 @@ - <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"> - -<!-- File: $ISC: Bv9ARM-book.xml,v 1.155.2.27.2.52 2005/02/09 03:48:57 marka Exp $ --> + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- File: $ISC: Bv9ARM-book.xml,v 1.155.2.27.2.59 2005/10/10 00:22:24 marka Exp $ --> <book> <title>BIND 9 Administrator Reference Manual</title> -<bookinfo> -<copyright> -<year>2004</year> -<holder>Internet Systems Consortium, Inc. ("ISC")</holder> -</copyright> -<copyright> -<year>2000-2003</year> -<holder>Internet Software Consortium</holder> -</copyright> -</bookinfo> - - <chapter id="ch01"> + <bookinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2002</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </bookinfo> + + <chapter id="Bv9ARM.ch01"> <title>Introduction </title> <para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax to specify the names of entities in the Internet in a hierarchical @@ -368,7 +388,7 @@ be placed inside a firewall.</para> </chapter> -<chapter id="ch02"><title><acronym>BIND</acronym> Resource Requirements</title> +<chapter id="Bv9ARM.ch02"><title><acronym>BIND</acronym> Resource Requirements</title> <sect1> <title>Hardware requirements</title> @@ -419,7 +439,7 @@ of the BIND 9 source distribution.</para> </sect1> </chapter> -<chapter id="ch03"> +<chapter id="Bv9ARM.ch03"> <title>Name Server Configuration</title> <para>In this section we provide some suggested configurations along with guidelines for their use. We also address the topic of reasonable @@ -667,6 +687,7 @@ of a server.</para> checks the syntax of a <filename>named.conf</filename> file.</para> <cmdsynopsis label="Usage"> <command>named-checkconf</command> + <arg>-jvz</arg> <arg>-t <replaceable>directory</replaceable></arg> <arg><replaceable>filename</replaceable></arg> </cmdsynopsis> @@ -734,25 +755,32 @@ of a server.</para> <listitem><para>Retransfer the given zone from the master.</para></listitem> </varlistentry> - <varlistentry><term><userinput>freeze <replaceable>zone</replaceable> + <varlistentry> <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> - <optional><replaceable>view</replaceable></optional></optional></userinput></term> - <listitem><para>Suspend updates to a dynamic zone. This allows manual + <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term> + <listitem><para>Suspend updates to a dynamic zone. If no zone is specified + then all zones are suspended. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synced into the master and the journal file to be removed. All dynamic update attempts will be refused while the zone is frozen.</para></listitem> </varlistentry> - <varlistentry><term><userinput>unfreeze <replaceable>zone</replaceable> + <varlistentry><term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> - <optional><replaceable>view</replaceable></optional></optional></userinput></term> - <listitem><para>Enable updates to a frozen dynamic zone. This causes + <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term> + <listitem><para>Enable updates to a frozen dynamic zone. If no zone is + specified then all frozen zones are enabled. This causes the server to reload the zone from disk, and re-enables dynamic updates - after the load has completed. After a zone is unfrozen, dynamic updates + after the load has completed. After a zone is thawed, dynamic updates will no longer be refused.</para></listitem> </varlistentry> + <varlistentry><term><userinput>notify <replaceable>zone</replaceable> + <optional><replaceable>class</replaceable> + <optional><replaceable>view</replaceable></optional></optional></userinput></term> + <listitem><para>Resend NOTIFY messages for the zone</para></listitem></varlistentry> + <varlistentry><term><userinput>reconfig</userinput></term> <listitem><para>Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. @@ -773,20 +801,21 @@ of a server.</para> <command>logging</command> section of <filename>named.conf</filename>.</para></listitem></varlistentry> - <varlistentry><term><userinput>dumpdb</userinput></term> - <listitem><para>Dump the server's caches to the dump file. </para></listitem></varlistentry> + <varlistentry><term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term> + <listitem><para>Dump the server's caches (default) and / or zones to the + dump file for the specified views. If no view is specified all + views are dumped.</para></listitem></varlistentry> - <varlistentry><term><userinput>stop</userinput></term> - <listitem><para>Stop the server, - making sure any recent changes + <varlistentry><term><userinput>stop <optional>-p</optional></userinput></term> + <listitem><para>Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files - of the updated zones.</para></listitem></varlistentry> + of the updated zones. If -p is specified named's process id is returned.</para></listitem></varlistentry> - <varlistentry><term><userinput>halt</userinput></term> + <varlistentry><term><userinput>halt <optional>-p</optional></userinput></term> <listitem><para>Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server - is restarted.</para></listitem></varlistentry> + is restarted. If -p is specified named's process id is returned.</para></listitem></varlistentry> <varlistentry><term><userinput>trace</userinput></term> <listitem><para>Increment the servers debugging level by one. </para></listitem></varlistentry> @@ -801,12 +830,20 @@ of a server.</para> <varlistentry><term><userinput>flush</userinput></term> <listitem><para>Flushes the server's cache.</para></listitem></varlistentry> + <varlistentry><term><userinput>flushname</userinput> <replaceable>name</replaceable></term> + <listitem><para>Flushes the given name from the server's cache.</para></listitem></varlistentry> + <varlistentry><term><userinput>status</userinput></term> <listitem><para>Display status of the server. Note the number of zones includes the internal <command>bind/CH</command> zone and the default <command>./IN</command> hint zone if there is not a explicit root zone configured.</para></listitem></varlistentry> + <varlistentry><term><userinput>recursing</userinput></term> + <listitem><para>Dump the list of queries named is currently recursing + on. + </para></listitem></varlistentry> + </variablelist> <para>In <acronym>BIND</acronym> 9.2, <command>rndc</command> @@ -957,7 +994,7 @@ reload the database. </para></entry> </sect1> </chapter> -<chapter id="ch04"> +<chapter id="Bv9ARM.ch04"> <title>Advanced DNS Features</title> <sect1 id="notify"> @@ -1004,7 +1041,7 @@ protocol is specified in RFC 1996. <para>All changes made to a zone using dynamic update are stored in the zone's journal file. This file is automatically created by the - server when when the first dynamic update takes place. The name of + server when the first dynamic update takes place. The name of the journal file is formed by appending the extension <filename>.jnl</filename> to the name of the corresponding zone file. The journal file is in a @@ -1123,7 +1160,7 @@ to those internal hosts. With the wildcard records, the mail will be delivered to the bastion host, which can then forward it on to internal hosts.</para> <para>Here's an example of a wildcard MX record:</para> -<programlisting><literal>* IN MX 10 external1.example.com.</literal></programlisting> +<programlisting>* IN MX 10 external1.example.com.</programlisting> <para>Now that they accept mail on behalf of anything in the internal network, the bastion hosts will need to know how to deliver mail to internal hosts. In order for this to work properly, the resolvers on @@ -1620,7 +1657,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. </sect1> </chapter> - <chapter id="ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title> + <chapter id="Bv9ARM.ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title> <sect1><title>The Lightweight Resolver Library</title> <para>Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name @@ -1666,7 +1703,7 @@ be configured to act as a lightweight resolver daemon using the </sect1></chapter> -<chapter id="ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title> +<chapter id="Bv9ARM.ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title> <para><acronym>BIND</acronym> 9 configuration is broadly similar to <acronym>BIND</acronym> 8; however, there are a few new areas @@ -1831,7 +1868,7 @@ which constitute an address match list can be any of the following:</para> <listitem> <simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem> <listitem> - <simpara>the name of an address match list previously defined with + <simpara>the name of an address match list defined with the <command>acl</command> statement</simpara></listitem> <listitem> <simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist> @@ -2181,7 +2218,7 @@ installed. <para> To disable the command channel, use an empty <command>controls</command> -statement: <command>controls { };</command>. +statement: <command>controls { };</command>. </para> </sect2> @@ -2591,9 +2628,10 @@ The query log entry reports the client's IP address and port number. The query name, class and type. It also reports whether the Recursion Desired flag was set (+ if set, - if not set), EDNS was in use (E) or if the query was signed (S).</para> -<programlisting><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput> -<computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput> -</programlisting> +<para><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput> +</para> +<para><computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput> +</para> </entry> </row> <row rowsep = "0"> @@ -2724,7 +2762,7 @@ statement in the <filename>named.conf</filename> file:</para> <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional> <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional> <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional> - <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional> + <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional> <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional> <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional> <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional> @@ -2958,7 +2996,7 @@ record does) the DNSKEY RRset is deemed to be trusted. <varlistentry><term><command>dnssec-must-be-secure</command></term> <listitem><para> -Specify heirachies which must / may not be secure (signed and validated). +Specify heirarchies which must / may not be secure (signed and validated). If <userinput>yes</userinput> then named will only accept answers if they are secure. If <userinput>no</userinput> then normal dnssec validation applies @@ -3714,11 +3752,25 @@ in the configuration file.</para> except zone transfers are performed using IPv6.</para> </listitem></varlistentry> -<varlistentry><term><command>alt-transfer-source</command></term> -<listitem><para>An alternate transfer source if the one listed in -<command>transfer-source</command> fails and -<command>use-alt-transfer-source</command> is set.</para> - </listitem></varlistentry> + <varlistentry> + <term><command>alt-transfer-source</command></term> + <listitem> + <para> + An alternate transfer source if the one listed in + <command>transfer-source</command> fails and + <command>use-alt-transfer-source</command> is + set. + </para> + <note> + If you do not wish the alternate transfer source + to be used you should set + <command>use-alt-transfer-source</command> + appropriately and you should not depend upon + getting a answer back to the first refresh + query. + </note> + </listitem> + </varlistentry> <varlistentry><term><command>alt-transfer-source-v6</command></term> <listitem><para>An alternate transfer source if the one listed in @@ -4553,7 +4605,7 @@ Statement Grammar</title> <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional> <optional> file <replaceable>string</replaceable> ; </optional> <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional> - <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional> + <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional> <optional> ixfr-base <replaceable>string</replaceable> ; </optional> <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional> <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional> @@ -5539,10 +5591,10 @@ be appended to any unqualified records. When a zone is first read in there is an implicit <command>$ORIGIN</command> <<varname>zone-name</varname>><command>.</command> The current <command>$ORIGIN</command> is appended to the domain specified in the <command>$ORIGIN</command> argument if it is not absolute.</para> -<programlisting><literal>$ORIGIN example.com. -WWW CNAME MAIN-SERVER</literal></programlisting> +<programlisting>$ORIGIN example.com. +WWW CNAME MAIN-SERVER</programlisting> <para>is equivalent to</para> -<programlisting><literal>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</literal></programlisting></sect3> +<programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting></sect3> <sect3><title>The <command>$INCLUDE</command> Directive</title> <para>Syntax: <command>$INCLUDE</command> <replaceable>filename</replaceable> <optional> @@ -5576,17 +5628,17 @@ resource records that only differ from each other by an iterator. <command>$GENE be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation.</para> -<programlisting><literal>$ORIGIN 0.0.192.IN-ADDR.ARPA. +<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA. $GENERATE 1-2 0 NS SERVER$.EXAMPLE. -$GENERATE 1-127 $ CNAME $.0</literal></programlisting> +$GENERATE 1-127 $ CNAME $.0</programlisting> <para>is equivalent to</para> -<programlisting><literal>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. +<programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. ... 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. -</literal></programlisting> +</programlisting> <informaltable colsep = "0" rowsep = "0"> <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table"> <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/> @@ -5655,7 +5707,7 @@ and not part of the standard zone file format.</para> </sect2> </sect1> </chapter> -<chapter id="ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title> +<chapter id="Bv9ARM.ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title> <sect1 id="Access_Control_Lists"><title>Access Control Lists</title> <para>Access Control Lists (ACLs), are address match lists that you can set up and nickname for future use in <command>allow-notify</command>, @@ -5778,7 +5830,7 @@ all.</para> </sect1></chapter> -<chapter id="ch08"> +<chapter id="Bv9ARM.ch08"> <title>Troubleshooting</title> <sect1> <title>Common Problems</title> @@ -5837,7 +5889,7 @@ all.</para> to read more.</para> </sect1> </chapter> -<appendix id="ch09"> +<appendix id="Bv9ARM.ch09"> <title>Appendices</title> <sect1> <title>Acknowledgments</title> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch03.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch03.html index 37362d5daef..09c7ab466ac 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.ch03.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.ch03.html @@ -1,133 +1,79 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Name Server Configuration</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="BIND 9 Administrator Reference Manual" -HREF="Bv9ARM.html"><LINK -REL="PREVIOUS" -TITLE="BIND Resource Requirements" -HREF="Bv9ARM.ch02.html"><LINK -REL="NEXT" -TITLE="Advanced DNS Features" -HREF="Bv9ARM.ch04.html"></HEAD -><BODY -CLASS="chapter" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->BIND 9 Administrator Reference Manual</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch02.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch04.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="chapter" -><H1 -><A -NAME="ch03" -></A ->Chapter 3. Name Server Configuration</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->3.1. <A -HREF="Bv9ARM.ch03.html#sample_configuration" ->Sample Configurations</A -></DT -><DT ->3.2. <A -HREF="Bv9ARM.ch03.html#AEN268" ->Load Balancing</A -></DT -><DT ->3.3. <A -HREF="Bv9ARM.ch03.html#AEN345" ->Name Server Operations</A -></DT -></DL -></DIV -><P ->In this section we provide some suggested configurations along +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.ch03.html,v 1.26.2.5.4.11 2005/10/13 02:33:59 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 3. Name Server Configuration</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements"> +<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547334">A Caching-only Name Server</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547350">An Authoritative-only Name Server</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547372">Load Balancing</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547656">Name Server Operations</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547661">Tools for Use With the Name Server Daemon</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2548915">Signals</a></span></dt> +</dl></dd> +</dl> +</div> +<p>In this section we provide some suggested configurations along with guidelines for their use. We also address the topic of reasonable -option setting.</P -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="sample_configuration" ->3.1. Sample Configurations</A -></H1 -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN257" ->3.1.1. A Caching-only Name Server</A -></H2 -><P ->The following sample configuration is appropriate for a caching-only +option setting.</p> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2547334"></a>A Caching-only Name Server</h3></div></div></div> +<p>The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All queries -from outside clients are refused using the <B -CLASS="command" ->allow-query</B -> +from outside clients are refused using the <span><strong class="command">allow-query</strong></span> option. Alternatively, the same effect could be achieved using suitable -firewall rules.</P -><PRE -CLASS="programlisting" -> // Two corporate subnets we wish to allow queries from. +firewall rules.</p> +<pre class="programlisting"> +// Two corporate subnets we wish to allow queries from. acl corpnets { 192.168.4.0/24; 192.168.7.0/24; }; options { directory "/etc/namedb"; // Working directory @@ -139,29 +85,16 @@ zone "0.0.127.in-addr.arpa" { file "localhost.rev"; notify no; }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN262" ->3.1.2. An Authoritative-only Name Server</A -></H2 -><P ->This sample configuration is for an authoritative-only server -that is the master server for "<TT -CLASS="filename" ->example.com</TT ->" -and a slave for the subdomain "<TT -CLASS="filename" ->eng.example.com</TT ->".</P -><PRE -CLASS="programlisting" -> options { +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2547350"></a>An Authoritative-only Name Server</h3></div></div></div> +<p>This sample configuration is for an authoritative-only server +that is the master server for "<code class="filename">example.com</code>" +and a slave for the subdomain "<code class="filename">eng.example.com</code>".</p> +<pre class="programlisting"> +options { directory "/etc/namedb"; // Working directory allow-query { any; }; // This is the default recursion no; // Do not provide recursive service @@ -190,1070 +123,321 @@ zone "eng.example.com" { // IP address of eng.example.com master server masters { 192.168.4.12; }; }; -</PRE -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN268" ->3.2. Load Balancing</A -></H1 -><P ->A primitive form of load balancing can be achieved in -the <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> by using multiple A records for one name.</P -><P ->For example, if you have three WWW servers with network addresses +</pre> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2547372"></a>Load Balancing</h2></div></div></div> +<p>A primitive form of load balancing can be achieved in +the <span class="acronym">DNS</span> by using multiple A records for one name.</p> +<p>For example, if you have three WWW servers with network addresses of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the following means that clients will connect to each machine one third -of the time:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN273" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->Name</P -></TD -><TD -><P ->TTL</P -></TD -><TD -><P ->CLASS</P -></TD -><TD -><P ->TYPE</P -></TD -><TD -><P ->Resource Record (RR) Data</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="literal" ->www</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->600</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.0.0.1</VAR -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->600</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.0.0.2</VAR -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->600</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.0.0.3</VAR -></P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->When a resolver queries for these records, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> will rotate +of the time:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>Name</p></td> +<td><p>TTL</p></td> +<td><p>CLASS</p></td> +<td><p>TYPE</p></td> +<td><p>Resource Record (RR) Data</p></td> +</tr> +<tr> +<td><p><code class="literal">www</code></p></td> +<td><p><code class="literal">600</code></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.0.0.1</code></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p><code class="literal">600</code></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.0.0.2</code></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p><code class="literal">600</code></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.0.0.3</code></p></td> +</tr> +</tbody> +</table></div> +<p>When a resolver queries for these records, <span class="acronym">BIND</span> will rotate them and respond to the query with the records in a different order. In the example above, clients will randomly receive records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients - will use the first record returned and discard the rest.</P -><P ->For more detail on ordering responses, check the - <B -CLASS="command" ->rrset-order</B -> substatement in the - <B -CLASS="command" ->options</B -> statement, see - <A -HREF="Bv9ARM.ch06.html#rrset_ordering" -><I ->RRset Ordering</I -></A ->. + will use the first record returned and discard the rest.</p> +<p>For more detail on ordering responses, check the + <span><strong class="command">rrset-order</strong></span> substatement in the + <span><strong class="command">options</strong></span> statement, see + <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>. This substatement is not supported in - <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9, and only the ordering scheme described above is - available.</P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN345" ->3.3. Name Server Operations</A -></H1 -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN347" ->3.3.1. Tools for Use With the Name Server Daemon</A -></H2 -><P ->There are several indispensable diagnostic, administrative + <span class="acronym">BIND</span> 9, and only the ordering scheme described above is + available.</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2547656"></a>Name Server Operations</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2547661"></a>Tools for Use With the Name Server Daemon</h3></div></div></div> +<p>There are several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon. We describe several in this -section </P -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="diagnostic_tools" ->3.3.1.1. Diagnostic Tools</A -></H3 -><P ->The <B -CLASS="command" ->dig</B ->, <B -CLASS="command" ->host</B ->, and -<B -CLASS="command" ->nslookup</B -> programs are all command line tools +section </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div> +<p>The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and +<span><strong class="command">nslookup</strong></span> programs are all command line tools for manually querying name servers. They differ in style and output format. -</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->dig</B -></DT -><DD -><P ->The domain information groper (<B -CLASS="command" ->dig</B ->) +</p> +<div class="variablelist"><dl> +<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt> +<dd> +<p>The domain information groper (<span><strong class="command">dig</strong></span>) is the most versatile and complete of these lookup tools. It has two modes: simple interactive mode for a single query, and batch mode which executes a query for each in a list of several query lines. All query options are accessible -from the command line.</P -><P -><B -CLASS="command" ->dig</B -> [@<VAR -CLASS="replaceable" ->server</VAR ->] <VAR -CLASS="replaceable" ->domain</VAR -> [<VAR -CLASS="replaceable" ->query-type</VAR ->] [<VAR -CLASS="replaceable" ->query-class</VAR ->] [+<VAR -CLASS="replaceable" ->query-option</VAR ->] [-<VAR -CLASS="replaceable" ->dig-option</VAR ->] [%<VAR -CLASS="replaceable" ->comment</VAR ->]</P -><P ->The usual simple use of dig will take the form</P -><P -><B -CLASS="command" ->dig @server domain query-type query-class</B -></P -><P ->For more information and a list of available commands and -options, see the <B -CLASS="command" ->dig</B -> man page.</P -></DD -><DT -><B -CLASS="command" ->host</B -></DT -><DD -><P ->The <B -CLASS="command" ->host</B -> utility emphasizes simplicity +from the command line.</p> +<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div> +<p>The usual simple use of dig will take the form</p> +<p><span><strong class="command">dig @server domain query-type query-class</strong></span></p> +<p>For more information and a list of available commands and +options, see the <span><strong class="command">dig</strong></span> man page.</p> +</dd> +<dt><span class="term"><span><strong class="command">host</strong></span></span></dt> +<dd> +<p>The <span><strong class="command">host</strong></span> utility emphasizes simplicity and ease of use. By default, it converts between host names and Internet addresses, but its functionality -can be extended with the use of options.</P -><P -><B -CLASS="command" ->host</B -> [-aCdlrTwv] [-c <VAR -CLASS="replaceable" ->class</VAR ->] [-N <VAR -CLASS="replaceable" ->ndots</VAR ->] [-t <VAR -CLASS="replaceable" ->type</VAR ->] [-W <VAR -CLASS="replaceable" ->timeout</VAR ->] [-R <VAR -CLASS="replaceable" ->retries</VAR ->] <VAR -CLASS="replaceable" ->hostname</VAR -> [<VAR -CLASS="replaceable" ->server</VAR ->]</P -><P ->For more information and a list of available commands and -options, see the <B -CLASS="command" ->host</B -> man page.</P -></DD -><DT -><B -CLASS="command" ->nslookup</B -></DT -><DD -><P -><B -CLASS="command" ->nslookup</B -> has two modes: interactive +can be extended with the use of options.</p> +<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlrTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div> +<p>For more information and a list of available commands and +options, see the <span><strong class="command">host</strong></span> man page.</p> +</dd> +<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt> +<dd> +<p><span><strong class="command">nslookup</strong></span> has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just -the name and requested information for a host or domain.</P -><P -><B -CLASS="command" ->nslookup</B -> [-option...] [<VAR -CLASS="replaceable" ->host-to-find</VAR -> | - [server]]</P -><P ->Interactive mode is entered when no arguments are given (the +the name and requested information for a host or domain.</p> +<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div> +<p>Interactive mode is entered when no arguments are given (the default name server will be used) or when the first argument is a hyphen (`-') and the second argument is the host name or Internet address -of a name server.</P -><P ->Non-interactive mode is used when the name or Internet address +of a name server.</p> +<p>Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The -optional second argument specifies the host name or address of a name server.</P -><P ->Due to its arcane user interface and frequently inconsistent -behavior, we do not recommend the use of <B -CLASS="command" ->nslookup</B ->. -Use <B -CLASS="command" ->dig</B -> instead.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="admin_tools" ->3.3.1.2. Administrative Tools</A -></H3 -><P ->Administrative tools play an integral part in the management -of a server.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><A -NAME="named-checkconf" -></A -><B -CLASS="command" ->named-checkconf</B -></DT -><DD -><P ->The <B -CLASS="command" ->named-checkconf</B -> program - checks the syntax of a <TT -CLASS="filename" ->named.conf</TT -> file.</P -><P -><B -CLASS="command" ->named-checkconf</B -> [-t <VAR -CLASS="replaceable" ->directory</VAR ->] [<VAR -CLASS="replaceable" ->filename</VAR ->]</P -></DD -><DT -><A -NAME="named-checkzone" -></A -><B -CLASS="command" ->named-checkzone</B -></DT -><DD -><P ->The <B -CLASS="command" ->named-checkzone</B -> program checks a master file for - syntax and consistency.</P -><P -><B -CLASS="command" ->named-checkzone</B -> [-djqvD] [-c <VAR -CLASS="replaceable" ->class</VAR ->] [-o <VAR -CLASS="replaceable" ->output</VAR ->] [-t <VAR -CLASS="replaceable" ->directory</VAR ->] [-w <VAR -CLASS="replaceable" ->directory</VAR ->] [-k <VAR -CLASS="replaceable" ->(ignore|warn|fail)</VAR ->] [-n <VAR -CLASS="replaceable" ->(ignore|warn|fail)</VAR ->] <VAR -CLASS="replaceable" ->zone</VAR -> [<VAR -CLASS="replaceable" ->filename</VAR ->]</P -></DD -><DT -><A -NAME="rndc" -></A -><B -CLASS="command" ->rndc</B -></DT -><DD -><P ->The remote name daemon control - (<B -CLASS="command" ->rndc</B ->) program allows the system +optional second argument specifies the host name or address of a name server.</p> +<p>Due to its arcane user interface and frequently inconsistent +behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>. +Use <span><strong class="command">dig</strong></span> instead.</p> +</dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="admin_tools"></a>Administrative Tools</h4></div></div></div> +<p>Administrative tools play an integral part in the management +of a server.</p> +<div class="variablelist"><dl> +<dt> +<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span> +</dt> +<dd> +<p>The <span><strong class="command">named-checkconf</strong></span> program + checks the syntax of a <code class="filename">named.conf</code> file.</p> +<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div> +</dd> +<dt> +<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span> +</dt> +<dd> +<p>The <span><strong class="command">named-checkzone</strong></span> program checks a master file for + syntax and consistency.</p> +<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div> +</dd> +<dt> +<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span> +</dt> +<dd> +<p>The remote name daemon control + (<span><strong class="command">rndc</strong></span>) program allows the system administrator to control the operation of a name server. - If you run <B -CLASS="command" ->rndc</B -> without any options - it will display a usage message as follows:</P -><P -><B -CLASS="command" ->rndc</B -> [-c <VAR -CLASS="replaceable" ->config</VAR ->] [-s <VAR -CLASS="replaceable" ->server</VAR ->] [-p <VAR -CLASS="replaceable" ->port</VAR ->] [-y <VAR -CLASS="replaceable" ->key</VAR ->] <VAR -CLASS="replaceable" ->command</VAR -> [<VAR -CLASS="replaceable" ->command</VAR ->...]</P -><P -><B -CLASS="command" ->command</B -> is one of the following:</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><KBD -CLASS="userinput" ->reload</KBD -></DT -><DD -><P ->Reload configuration file and zones.</P -></DD -><DT -><KBD -CLASS="userinput" ->reload <VAR -CLASS="replaceable" ->zone</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->view</VAR -></SPAN ->]</SPAN ->]</KBD -></DT -><DD -><P ->Reload the given zone.</P -></DD -><DT -><KBD -CLASS="userinput" ->refresh <VAR -CLASS="replaceable" ->zone</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->view</VAR -></SPAN ->]</SPAN ->]</KBD -></DT -><DD -><P ->Schedule zone maintenance for the given zone.</P -></DD -><DT -><KBD -CLASS="userinput" ->retransfer <VAR -CLASS="replaceable" ->zone</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->view</VAR -></SPAN ->]</SPAN ->]</KBD -></DT -><DD -><P ->Retransfer the given zone from the master.</P -></DD -><DT -><KBD -CLASS="userinput" ->freeze <VAR -CLASS="replaceable" ->zone</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->view</VAR -></SPAN ->]</SPAN ->]</KBD -></DT -><DD -><P ->Suspend updates to a dynamic zone. This allows manual + If you run <span><strong class="command">rndc</strong></span> without any options + it will display a usage message as follows:</p> +<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div> +<p><span><strong class="command">command</strong></span> is one of the following:</p> +<div class="variablelist"><dl> +<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt> +<dd><p>Reload configuration file and zones.</p></dd> +<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p>Reload the given zone.</p></dd> +<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p>Schedule zone maintenance for the given zone.</p></dd> +<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p>Retransfer the given zone from the master.</p></dd> +<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt> +<dd><p>Suspend updates to a dynamic zone. If no zone is specified + then all zones are suspended. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synced into the master and the journal file to be removed. All dynamic update attempts will - be refused while the zone is frozen.</P -></DD -><DT -><KBD -CLASS="userinput" ->unfreeze <VAR -CLASS="replaceable" ->zone</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->view</VAR -></SPAN ->]</SPAN ->]</KBD -></DT -><DD -><P ->Enable updates to a frozen dynamic zone. This causes + be refused while the zone is frozen.</p></dd> +<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt> +<dd><p>Enable updates to a frozen dynamic zone. If no zone is + specified then all frozen zones are enabled. This causes the server to reload the zone from disk, and re-enables dynamic updates - after the load has completed. After a zone is unfrozen, dynamic updates - will no longer be refused.</P -></DD -><DT -><KBD -CLASS="userinput" ->reconfig</KBD -></DT -><DD -><P ->Reload the configuration file and load new zones, + after the load has completed. After a zone is thawed, dynamic updates + will no longer be refused.</p></dd> +<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p>Resend NOTIFY messages for the zone</p></dd> +<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt> +<dd><p>Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. - This is faster than a full <B -CLASS="command" ->reload</B -> when there + This is faster than a full <span><strong class="command">reload</strong></span> when there is a large number of zones because it avoids the need to examine the modification times of the zones files. - </P -></DD -><DT -><KBD -CLASS="userinput" ->stats</KBD -></DT -><DD -><P ->Write server statistics to the statistics file.</P -></DD -><DT -><KBD -CLASS="userinput" ->querylog</KBD -></DT -><DD -><P ->Toggle query logging. Query logging can also be enabled - by explicitly directing the <B -CLASS="command" ->queries</B -> - <B -CLASS="command" ->category</B -> to a <B -CLASS="command" ->channel</B -> in the - <B -CLASS="command" ->logging</B -> section of - <TT -CLASS="filename" ->named.conf</TT ->.</P -></DD -><DT -><KBD -CLASS="userinput" ->dumpdb</KBD -></DT -><DD -><P ->Dump the server's caches to the dump file. </P -></DD -><DT -><KBD -CLASS="userinput" ->stop</KBD -></DT -><DD -><P ->Stop the server, - making sure any recent changes + </p></dd> +<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt> +<dd><p>Write server statistics to the statistics file.</p></dd> +<dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt> +<dd><p>Toggle query logging. Query logging can also be enabled + by explicitly directing the <span><strong class="command">queries</strong></span> + <span><strong class="command">category</strong></span> to a <span><strong class="command">channel</strong></span> in the + <span><strong class="command">logging</strong></span> section of + <code class="filename">named.conf</code>.</p></dd> +<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt> +<dd><p>Dump the server's caches (default) and / or zones to the + dump file for the specified views. If no view is specified all + views are dumped.</p></dd> +<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt> +<dd><p>Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files - of the updated zones.</P -></DD -><DT -><KBD -CLASS="userinput" ->halt</KBD -></DT -><DD -><P ->Stop the server immediately. Recent changes + of the updated zones. If -p is specified named's process id is returned.</p></dd> +<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt> +<dd><p>Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server - is restarted.</P -></DD -><DT -><KBD -CLASS="userinput" ->trace</KBD -></DT -><DD -><P ->Increment the servers debugging level by one. </P -></DD -><DT -><KBD -CLASS="userinput" ->trace <VAR -CLASS="replaceable" ->level</VAR -></KBD -></DT -><DD -><P ->Sets the server's debugging level to an explicit - value.</P -></DD -><DT -><KBD -CLASS="userinput" ->notrace</KBD -></DT -><DD -><P ->Sets the server's debugging level to 0.</P -></DD -><DT -><KBD -CLASS="userinput" ->flush</KBD -></DT -><DD -><P ->Flushes the server's cache.</P -></DD -><DT -><KBD -CLASS="userinput" ->status</KBD -></DT -><DD -><P ->Display status of the server. -Note the number of zones includes the internal <B -CLASS="command" ->bind/CH</B -> zone -and the default <B -CLASS="command" ->./IN</B -> hint zone if there is not a -explicit root zone configured.</P -></DD -></DL -></DIV -><P ->In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9.2, <B -CLASS="command" ->rndc</B -> -supports all the commands of the BIND 8 <B -CLASS="command" ->ndc</B -> -utility except <B -CLASS="command" ->ndc start</B -> and -<B -CLASS="command" ->ndc restart</B ->, which were also -not supported in <B -CLASS="command" ->ndc</B ->'s channel mode.</P -><P ->A configuration file is required, since all + is restarted. If -p is specified named's process id is returned.</p></dd> +<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt> +<dd><p>Increment the servers debugging level by one. </p></dd> +<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt> +<dd><p>Sets the server's debugging level to an explicit + value.</p></dd> +<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt> +<dd><p>Sets the server's debugging level to 0.</p></dd> +<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt> +<dd><p>Flushes the server's cache.</p></dd> +<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em></span></dt> +<dd><p>Flushes the given name from the server's cache.</p></dd> +<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt> +<dd><p>Display status of the server. +Note the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone +and the default <span><strong class="command">./IN</strong></span> hint zone if there is not a +explicit root zone configured.</p></dd> +<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt> +<dd><p>Dump the list of queries named is currently recursing + on. + </p></dd> +</dl></div> +<p>In <span class="acronym">BIND</span> 9.2, <span><strong class="command">rndc</strong></span> +supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span> +utility except <span><strong class="command">ndc start</strong></span> and +<span><strong class="command">ndc restart</strong></span>, which were also +not supported in <span><strong class="command">ndc</strong></span>'s channel mode.</p> +<p>A configuration file is required, since all communication with the server is authenticated with digital signatures that rely on a shared secret, and there is no way to provide that secret other than with a configuration file. The default location for the -<B -CLASS="command" ->rndc</B -> configuration file is -<TT -CLASS="filename" ->/etc/rndc.conf</TT ->, but an alternate -location can be specified with the <VAR -CLASS="option" ->-c</VAR -> +<span><strong class="command">rndc</strong></span> configuration file is +<code class="filename">/etc/rndc.conf</code>, but an alternate +location can be specified with the <code class="option">-c</code> option. If the configuration file is not found, -<B -CLASS="command" ->rndc</B -> will also look in -<TT -CLASS="filename" ->/etc/rndc.key</TT -> (or whatever -<VAR -CLASS="varname" ->sysconfdir</VAR -> was defined when -the <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> build was configured). -The <TT -CLASS="filename" ->rndc.key</TT -> file is generated by -running <B -CLASS="command" ->rndc-confgen -a</B -> as described in -<A -HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage" ->Section 6.2.4</A ->.</P -><P ->The format of the configuration file is similar to -that of <TT -CLASS="filename" ->named.conf</TT ->, but limited to -only four statements, the <B -CLASS="command" ->options</B ->, -<B -CLASS="command" ->key</B ->, <B -CLASS="command" ->server</B -> and -<B -CLASS="command" ->include</B -> +<span><strong class="command">rndc</strong></span> will also look in +<code class="filename">/etc/rndc.key</code> (or whatever +<code class="varname">sysconfdir</code> was defined when +the <span class="acronym">BIND</span> build was configured). +The <code class="filename">rndc.key</code> file is generated by +running <span><strong class="command">rndc-confgen -a</strong></span> as described in +<a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and Usage”</a>.</p> +<p>The format of the configuration file is similar to +that of <code class="filename">named.conf</code>, but limited to +only four statements, the <span><strong class="command">options</strong></span>, +<span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and +<span><strong class="command">include</strong></span> statements. These statements are what associate the secret keys to the servers with which they are meant to be shared. The order of statements is not -significant.</P -><P ->The <B -CLASS="command" ->options</B -> statement has three clauses: -<B -CLASS="command" ->default-server</B ->, <B -CLASS="command" ->default-key</B ->, -and <B -CLASS="command" ->default-port</B ->. -<B -CLASS="command" ->default-server</B -> takes a +significant.</p> +<p>The <span><strong class="command">options</strong></span> statement has three clauses: +<span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>, +and <span><strong class="command">default-port</strong></span>. +<span><strong class="command">default-server</strong></span> takes a host name or address argument and represents the server that will -be contacted if no <VAR -CLASS="option" ->-s</VAR -> +be contacted if no <code class="option">-s</code> option is provided on the command line. -<B -CLASS="command" ->default-key</B -> takes -the name of a key as its argument, as defined by a <B -CLASS="command" ->key</B -> statement. -<B -CLASS="command" ->default-port</B -> specifies the port to which -<B -CLASS="command" ->rndc</B -> should connect if no +<span><strong class="command">default-key</strong></span> takes +the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement. +<span><strong class="command">default-port</strong></span> specifies the port to which +<span><strong class="command">rndc</strong></span> should connect if no port is given on the command line or in a -<B -CLASS="command" ->server</B -> statement.</P -><P ->The <B -CLASS="command" ->key</B -> statement defines an key to be used -by <B -CLASS="command" ->rndc</B -> when authenticating with -<B -CLASS="command" ->named</B ->. Its syntax is identical to the -<B -CLASS="command" ->key</B -> statement in named.conf. -The keyword <KBD -CLASS="userinput" ->key</KBD -> is +<span><strong class="command">server</strong></span> statement.</p> +<p>The <span><strong class="command">key</strong></span> statement defines an key to be used +by <span><strong class="command">rndc</strong></span> when authenticating with +<span><strong class="command">named</strong></span>. Its syntax is identical to the +<span><strong class="command">key</strong></span> statement in named.conf. +The keyword <strong class="userinput"><code>key</code></strong> is followed by a key name, which must be a valid domain name, though it need not actually be hierarchical; thus, -a string like "<KBD -CLASS="userinput" ->rndc_key</KBD ->" is a valid name. -The <B -CLASS="command" ->key</B -> statement has two clauses: -<B -CLASS="command" ->algorithm</B -> and <B -CLASS="command" ->secret</B ->. +a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid name. +The <span><strong class="command">key</strong></span> statement has two clauses: +<span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>. While the configuration parser will accept any string as the argument -to algorithm, currently only the string "<KBD -CLASS="userinput" ->hmac-md5</KBD ->" -has any meaning. The secret is a base-64 encoded string.</P -><P ->The <B -CLASS="command" ->server</B -> statement associates a key -defined using the <B -CLASS="command" ->key</B -> statement with a server. -The keyword <KBD -CLASS="userinput" ->server</KBD -> is followed by a -host name or address. The <B -CLASS="command" ->server</B -> statement -has two clauses: <B -CLASS="command" ->key</B -> and <B -CLASS="command" ->port</B ->. -The <B -CLASS="command" ->key</B -> clause specifies the name of the key +to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>" +has any meaning. The secret is a base-64 encoded string.</p> +<p>The <span><strong class="command">server</strong></span> statement associates a key +defined using the <span><strong class="command">key</strong></span> statement with a server. +The keyword <strong class="userinput"><code>server</code></strong> is followed by a +host name or address. The <span><strong class="command">server</strong></span> statement +has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>. +The <span><strong class="command">key</strong></span> clause specifies the name of the key to be used when communicating with this server, and the -<B -CLASS="command" ->port</B -> clause can be used to -specify the port <B -CLASS="command" ->rndc</B -> should connect -to on the server.</P -><P ->A sample minimal configuration file is as follows:</P -><PRE -CLASS="programlisting" -> key rndc_key { +<span><strong class="command">port</strong></span> clause can be used to +specify the port <span><strong class="command">rndc</strong></span> should connect +to on the server.</p> +<p>A sample minimal configuration file is as follows:</p> +<pre class="programlisting"> +key rndc_key { algorithm "hmac-md5"; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; @@ -1261,213 +445,81 @@ options { default-server 127.0.0.1; default-key rndc_key; }; -</PRE -><P ->This file, if installed as <TT -CLASS="filename" ->/etc/rndc.conf</TT ->, -would allow the command:</P -><P -><SAMP -CLASS="prompt" ->$ </SAMP -><KBD -CLASS="userinput" ->rndc reload</KBD -></P -><P ->to connect to 127.0.0.1 port 953 and cause the name server +</pre> +<p>This file, if installed as <code class="filename">/etc/rndc.conf</code>, +would allow the command:</p> +<p><code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong></p> +<p>to connect to 127.0.0.1 port 953 and cause the name server to reload, if a name server on the local machine were running with -following controls statements:</P -><PRE -CLASS="programlisting" -> controls { +following controls statements:</p> +<pre class="programlisting"> +controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; }; -</PRE -><P ->and it had an identical key statement for -<VAR -CLASS="literal" ->rndc_key</VAR ->.</P -><P ->Running the <B -CLASS="command" ->rndc-confgen</B -> program will -conveniently create a <TT -CLASS="filename" ->rndc.conf</TT -> +</pre> +<p>and it had an identical key statement for +<code class="literal">rndc_key</code>.</p> +<p>Running the <span><strong class="command">rndc-confgen</strong></span> program will +conveniently create a <code class="filename">rndc.conf</code> file for you, and also display the -corresponding <B -CLASS="command" ->controls</B -> statement that you need to -add to <TT -CLASS="filename" ->named.conf</TT ->. Alternatively, -you can run <B -CLASS="command" ->rndc-confgen -a</B -> to set up -a <TT -CLASS="filename" ->rndc.key</TT -> file and not modify -<TT -CLASS="filename" ->named.conf</TT -> at all. -</P -></DD -></DL -></DIV -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN689" ->3.3.2. Signals</A -></H2 -><P ->Certain UNIX signals cause the name server to take specific +corresponding <span><strong class="command">controls</strong></span> statement that you need to +add to <code class="filename">named.conf</code>. Alternatively, +you can run <span><strong class="command">rndc-confgen -a</strong></span> to set up +a <code class="filename">rndc.key</code> file and not modify +<code class="filename">named.conf</code> at all. +</p> +</dd> +</dl></div> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2548915"></a>Signals</h3></div></div></div> +<p>Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can -be sent using the <B -CLASS="command" ->kill</B -> command.</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN693" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><B -CLASS="command" ->SIGHUP</B -></P -></TD -><TD -><P ->Causes the server to read <TT -CLASS="filename" ->named.conf</TT -> and -reload the database. </P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->SIGTERM</B -></P -></TD -><TD -><P ->Causes the server to clean up and exit.</P -></TD -></TR -><TR -><TD -> <P -><B -CLASS="command" ->SIGINT</B -></P -> -</TD -><TD -><P ->Causes the server to clean up and exit.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="Bv9ARM.ch02.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="Bv9ARM.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="Bv9ARM.ch04.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> Resource Requirements</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Advanced DNS Features</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file +be sent using the <span><strong class="command">kill</strong></span> command.</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><span><strong class="command">SIGHUP</strong></span></p></td> +<td><p>Causes the server to read <code class="filename">named.conf</code> and +reload the database. </p></td> +</tr> +<tr> +<td><p><span><strong class="command">SIGTERM</strong></span></p></td> +<td><p>Causes the server to clean up and exit.</p></td> +</tr> +<tr> +<td> +<p><span><strong class="command">SIGINT</strong></span></p> +</td> +<td><p>Causes the server to clean up and exit.</p></td> +</tr> +</tbody> +</table></div> +</div> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 2. <span class="acronym">BIND</span> Resource Requirements </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch04.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch04.html index 8a4ab28875c..68b5ef98d57 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.ch04.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.ch04.html @@ -1,618 +1,273 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Advanced DNS Features</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="BIND 9 Administrator Reference Manual" -HREF="Bv9ARM.html"><LINK -REL="PREVIOUS" -TITLE="Name Server Configuration" -HREF="Bv9ARM.ch03.html"><LINK -REL="NEXT" -TITLE="The BIND 9 Lightweight Resolver" -HREF="Bv9ARM.ch05.html"></HEAD -><BODY -CLASS="chapter" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->BIND 9 Administrator Reference Manual</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch03.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch05.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="chapter" -><H1 -><A -NAME="ch04" -></A ->Chapter 4. Advanced DNS Features</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->4.1. <A -HREF="Bv9ARM.ch04.html#notify" ->Notify</A -></DT -><DT ->4.2. <A -HREF="Bv9ARM.ch04.html#dynamic_update" ->Dynamic Update</A -></DT -><DT ->4.3. <A -HREF="Bv9ARM.ch04.html#incremental_zone_transfers" ->Incremental Zone Transfers (IXFR)</A -></DT -><DT ->4.4. <A -HREF="Bv9ARM.ch04.html#AEN767" ->Split DNS</A -></DT -><DT ->4.5. <A -HREF="Bv9ARM.ch04.html#tsig" ->TSIG</A -></DT -><DT ->4.6. <A -HREF="Bv9ARM.ch04.html#AEN927" ->TKEY</A -></DT -><DT ->4.7. <A -HREF="Bv9ARM.ch04.html#AEN942" ->SIG(0)</A -></DT -><DT ->4.8. <A -HREF="Bv9ARM.ch04.html#DNSSEC" ->DNSSEC</A -></DT -><DT ->4.9. <A -HREF="Bv9ARM.ch04.html#AEN1011" ->IPv6 Support in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9</A -></DT -></DL -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="notify" ->4.1. Notify</A -></H1 -><P -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> NOTIFY is a mechanism that allows master +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.ch04.html,v 1.30.2.6.2.14 2005/10/13 02:33:59 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 4. Advanced DNS Features</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration"> +<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2549203">Split DNS</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549627">Generate Shared Keys for Each Pair of Hosts</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549830">Copying the Shared Secret to Both Machines</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549838">Informing the Servers of the Key's Existence</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549878">Instructing the Server to Use the Key</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549998">TSIG Key Based Access Control</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550042">Errors</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550056">TKEY</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550173">SIG(0)</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550308">Generating Keys</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550375">Signing the Zone</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550450">Configuring Servers</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550473">IPv6 Support in <span class="acronym">BIND</span> 9</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550600">Address Lookups Using AAAA Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550620">Address to Name Lookups Using Nibble Format</a></span></dt> +</dl></dd> +</dl> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="notify"></a>Notify</h2></div></div></div> +<p><span class="acronym">DNS</span> NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone's data. In -response to a <B -CLASS="command" ->NOTIFY</B -> from a master server, the +response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the slave will check to see that its version of the zone is the -current version and, if not, initiate a zone transfer.</P -><P -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> +current version and, if not, initiate a zone transfer.</p> +<p><span class="acronym">DNS</span> For more information about -<B -CLASS="command" ->NOTIFY</B ->, see the description of the -<B -CLASS="command" ->notify</B -> option in <A -HREF="Bv9ARM.ch06.html#boolean_options" ->Section 6.2.16.1</A -> and -the description of the zone option <B -CLASS="command" ->also-notify</B -> in -<A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A ->. The <B -CLASS="command" ->NOTIFY</B -> +<span><strong class="command">NOTIFY</strong></span>, see the description of the +<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and +the description of the zone option <span><strong class="command">also-notify</strong></span> in +<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span> protocol is specified in RFC 1996. -</P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="dynamic_update" ->4.2. Dynamic Update</A -></H1 -><P ->Dynamic Update is a method for adding, replacing or deleting +</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div> +<p>Dynamic Update is a method for adding, replacing or deleting records in a master server by sending it a special form of DNS messages. The format and meaning of these messages is specified - in RFC 2136.</P -><P ->Dynamic update is enabled on a zone-by-zone basis, by - including an <B -CLASS="command" ->allow-update</B -> or - <B -CLASS="command" ->update-policy</B -> clause in the - <B -CLASS="command" ->zone</B -> statement.</P -><P ->Updating of secure zones (zones using DNSSEC) follows + in RFC 2136.</p> +<p>Dynamic update is enabled on a zone-by-zone basis, by + including an <span><strong class="command">allow-update</strong></span> or + <span><strong class="command">update-policy</strong></span> clause in the + <span><strong class="command">zone</strong></span> statement.</p> +<p>Updating of secure zones (zones using DNSSEC) follows RFC 3007: RRSIG and NSEC records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based - on transaction signatures and an explicit server policy.</P -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="journal" ->4.2.1. The journal file</A -></H2 -><P ->All changes made to a zone using dynamic update are stored in the + on transaction signatures and an explicit server policy.</p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="journal"></a>The journal file</h3></div></div></div> +<p>All changes made to a zone using dynamic update are stored in the zone's journal file. This file is automatically created by the - server when when the first dynamic update takes place. The name of + server when the first dynamic update takes place. The name of the journal file is formed by appending the - extension <TT -CLASS="filename" ->.jnl</TT -> to the + extension <code class="filename">.jnl</code> to the name of the corresponding zone file. The journal file is in a - binary format and should not be edited manually.</P -><P ->The server will also occasionally write ("dump") + binary format and should not be edited manually.</p> +<p>The server will also occasionally write ("dump") the complete contents of the updated zone to its zone file. This is not done immediately after each dynamic update, because that would be too slow when a large zone is updated frequently. Instead, the dump is delayed by - up to 15 minutes, allowing additional updates to take place.</P -><P ->When a server is restarted after a shutdown or crash, it will replay + up to 15 minutes, allowing additional updates to take place.</p> +<p>When a server is restarted after a shutdown or crash, it will replay the journal file to incorporate into the zone any updates that took - place after the last zone dump.</P -><P ->Changes that result from incoming incremental zone transfers are also - journalled in a similar way.</P -><P ->The zone files of dynamic zones cannot normally be edited by + place after the last zone dump.</p> +<p>Changes that result from incoming incremental zone transfers are also + journalled in a similar way.</p> +<p>The zone files of dynamic zones cannot normally be edited by hand because they are not guaranteed to contain the most recent dynamic changes - those are only in the journal file. The only way to ensure that the zone file of a dynamic zone - is up to date is to run <B -CLASS="command" ->rndc stop</B ->.</P -><P ->If you have to make changes to a dynamic zone + is up to date is to run <span><strong class="command">rndc stop</strong></span>.</p> +<p>If you have to make changes to a dynamic zone manually, the following procedure will work: Disable dynamic updates to the zone using - <B -CLASS="command" ->rndc freeze <VAR -CLASS="replaceable" ->zone</VAR -></B ->. - This will also remove the zone's <TT -CLASS="filename" ->.jnl</TT -> file + <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>. + This will also remove the zone's <code class="filename">.jnl</code> file and update the master file. Edit the zone file. Run - <B -CLASS="command" ->rndc unfreeze <VAR -CLASS="replaceable" ->zone</VAR -></B -> - to reload the changed zone and re-enable dynamic updates.</P -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="incremental_zone_transfers" ->4.3. Incremental Zone Transfers (IXFR)</A -></H1 -><P ->The incremental zone transfer (IXFR) protocol is a way for + <span><strong class="command">rndc unfreeze <em class="replaceable"><code>zone</code></em></strong></span> + to reload the changed zone and re-enable dynamic updates.</p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div> +<p>The incremental zone transfer (IXFR) protocol is a way for slave servers to transfer only changed data, instead of having to transfer the entire zone. The IXFR protocol is specified in RFC -1995. See <A -HREF="Bv9ARM.ch09.html#proposed_standards" ->Proposed Standards</A ->.</P -><P ->When acting as a master, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 +1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.</p> +<p>When acting as a master, <span class="acronym">BIND</span> 9 supports IXFR for those zones where the necessary change history information is available. These include master zones maintained by dynamic update and slave zones whose data was obtained by IXFR. For manually maintained master zones, and for slave zones obtained by performing a full zone transfer (AXFR), IXFR is supported only if the option -<B -CLASS="command" ->ixfr-from-differences</B -> is set -to <KBD -CLASS="userinput" ->yes</KBD ->. -</P -><P ->When acting as a slave, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 will +<span><strong class="command">ixfr-from-differences</strong></span> is set +to <strong class="userinput"><code>yes</code></strong>. +</p> +<p>When acting as a slave, <span class="acronym">BIND</span> 9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling -IXFR, see the description of the <B -CLASS="command" ->request-ixfr</B -> clause -of the <B -CLASS="command" ->server</B -> statement.</P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN767" ->4.4. Split DNS</A -></H1 -><P ->Setting up different views, or visibility, of the DNS space to -internal and external resolvers is usually referred to as a <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Split -DNS</I -></SPAN -> setup. There are several reasons an organization -would want to set up its DNS this way.</P -><P ->One common reason for setting up a DNS system this way is +IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause +of the <span><strong class="command">server</strong></span> statement.</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2549203"></a>Split DNS</h2></div></div></div> +<p>Setting up different views, or visibility, of the DNS space to +internal and external resolvers is usually referred to as a <span class="emphasis"><em>Split +DNS</em></span> setup. There are several reasons an organization +would want to set up its DNS this way.</p> +<p>One common reason for setting up a DNS system this way is to hide "internal" DNS information from "external" clients on the Internet. There is some debate as to whether or not this is actually useful. Internal DNS information leaks out in many ways (via email headers, for example) and most savvy "attackers" can find the information -they need using other means.</P -><P ->Another common reason for setting up a Split DNS system is +they need using other means.</p> +<p>Another common reason for setting up a Split DNS system is to allow internal networks that are behind filters or in RFC 1918 space (reserved IP space, as documented in RFC 1918) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside -back in to the internal network.</P -><P ->Here is an example of a split DNS setup:</P -><P ->Let's say a company named <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Example, Inc.</I -></SPAN -> -(<VAR -CLASS="literal" ->example.com</VAR ->) +back in to the internal network.</p> +<p>Here is an example of a split DNS setup:</p> +<p>Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span> +(<code class="literal">example.com</code>) has several corporate sites that have an internal network with reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ), -or "outside" section of a network, that is available to the public.</P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Example, Inc.</I -></SPAN -> wants its internal clients +or "outside" section of a network, that is available to the public.</p> +<p><span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients to be able to resolve external hostnames and to exchange mail with people on the outside. The company also wants its internal resolvers to have access to certain internal-only zones that are not available -at all outside of the internal network.</P -><P ->In order to accomplish this, the company will set up two sets +at all outside of the internal network.</p> +<p>In order to accomplish this, the company will set up two sets of name servers. One set will be on the inside network (in the reserved IP space) and the other set will be on bastion hosts, which are "proxy" -hosts that can talk to both sides of its network, in the DMZ.</P -><P ->The internal servers will be configured to forward all queries, -except queries for <TT -CLASS="filename" ->site1.internal</TT ->, <TT -CLASS="filename" ->site2.internal</TT ->, <TT -CLASS="filename" ->site1.example.com</TT ->, -and <TT -CLASS="filename" ->site2.example.com</TT ->, to the servers in the +hosts that can talk to both sides of its network, in the DMZ.</p> +<p>The internal servers will be configured to forward all queries, +except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>, +and <code class="filename">site2.example.com</code>, to the servers in the DMZ. These internal servers will have complete sets of information -for <TT -CLASS="filename" ->site1.example.com</TT ->, <TT -CLASS="filename" ->site2.example.com</TT ->,<SPAN -CLASS="emphasis" -><I -CLASS="emphasis" -> </I -></SPAN -><TT -CLASS="filename" ->site1.internal</TT ->, -and <TT -CLASS="filename" ->site2.internal</TT ->.</P -><P ->To protect the <TT -CLASS="filename" ->site1.internal</TT -> and <TT -CLASS="filename" ->site2.internal</TT -> domains, +for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em> </em></span><code class="filename">site1.internal</code>, +and <code class="filename">site2.internal</code>.</p> +<p>To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains, the internal name servers must be configured to disallow all queries to these domains from any external hosts, including the bastion -hosts.</P -><P ->The external servers, which are on the bastion hosts, will -be configured to serve the "public" version of the <TT -CLASS="filename" ->site1</TT -> and <TT -CLASS="filename" ->site2.example.com</TT -> zones. +hosts.</p> +<p>The external servers, which are on the bastion hosts, will +be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones. This could include things such as the host records for public servers -(<TT -CLASS="filename" ->www.example.com</TT -> and <TT -CLASS="filename" ->ftp.example.com</TT ->), -and mail exchange (MX) records (<TT -CLASS="filename" ->a.mx.example.com</TT -> and <TT -CLASS="filename" ->b.mx.example.com</TT ->).</P -><P ->In addition, the public <TT -CLASS="filename" ->site1</TT -> and <TT -CLASS="filename" ->site2.example.com</TT -> zones +(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>), +and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).</p> +<p>In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones should have special MX records that contain wildcard (`*') records pointing to the bastion hosts. This is needed because external mail servers do not have any other way of looking up how to deliver mail to those internal hosts. With the wildcard records, the mail will be delivered to the bastion host, which can then forward it on to -internal hosts.</P -><P ->Here's an example of a wildcard MX record:</P -><PRE -CLASS="programlisting" -><VAR -CLASS="literal" ->* IN MX 10 external1.example.com.</VAR -></PRE -><P ->Now that they accept mail on behalf of anything in the internal +internal hosts.</p> +<p>Here's an example of a wildcard MX record:</p> +<pre class="programlisting">* IN MX 10 external1.example.com.</pre> +<p>Now that they accept mail on behalf of anything in the internal network, the bastion hosts will need to know how to deliver mail to internal hosts. In order for this to work properly, the resolvers on the bastion hosts will need to be configured to point to the internal -name servers for DNS resolution.</P -><P ->Queries for internal hostnames will be answered by the internal +name servers for DNS resolution.</p> +<p>Queries for internal hostnames will be answered by the internal servers, and queries for external hostnames will be forwarded back -out to the DNS servers on the bastion hosts.</P -><P ->In order for all this to work properly, internal clients will -need to be configured to query <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->only</I -></SPAN -> the internal +out to the DNS servers on the bastion hosts.</p> +<p>In order for all this to work properly, internal clients will +need to be configured to query <span class="emphasis"><em>only</em></span> the internal name servers for DNS queries. This could also be enforced via selective -filtering on the network.</P -><P ->If everything has been set properly, <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Example, Inc.</I -></SPAN ->'s -internal clients will now be able to:</P -><P -></P -><UL -><LI -><P ->Look up any hostnames in the <VAR -CLASS="literal" ->site1</VAR -> and -<VAR -CLASS="literal" ->site2.example.com</VAR -> zones.</P -></LI -><LI -><P ->Look up any hostnames in the <VAR -CLASS="literal" ->site1.internal</VAR -> and -<VAR -CLASS="literal" ->site2.internal</VAR -> domains.</P -></LI -><LI -><P ->Look up any hostnames on the Internet.</P -></LI -><LI -><P ->Exchange mail with internal AND external people.</P -></LI -></UL -><P ->Hosts on the Internet will be able to:</P -><P -></P -><UL -><LI -><P ->Look up any hostnames in the <VAR -CLASS="literal" ->site1</VAR -> and -<VAR -CLASS="literal" ->site2.example.com</VAR -> zones.</P -></LI -><LI -><P ->Exchange mail with anyone in the <VAR -CLASS="literal" ->site1</VAR -> and -<VAR -CLASS="literal" ->site2.example.com</VAR -> zones.</P -></LI -></UL -><P ->Here is an example configuration for the setup we just +filtering on the network.</p> +<p>If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s +internal clients will now be able to:</p> +<div class="itemizedlist"><ul type="disc"> +<li>Look up any hostnames in the <code class="literal">site1</code> and +<code class="literal">site2.example.com</code> zones.</li> +<li>Look up any hostnames in the <code class="literal">site1.internal</code> and +<code class="literal">site2.internal</code> domains.</li> +<li>Look up any hostnames on the Internet.</li> +<li>Exchange mail with internal AND external people.</li> +</ul></div> +<p>Hosts on the Internet will be able to:</p> +<div class="itemizedlist"><ul type="disc"> +<li>Look up any hostnames in the <code class="literal">site1</code> and +<code class="literal">site2.example.com</code> zones.</li> +<li>Exchange mail with anyone in the <code class="literal">site1</code> and +<code class="literal">site2.example.com</code> zones.</li> +</ul></div> +<p>Here is an example configuration for the setup we just described above. Note that this is only configuration information; - for information on how to configure your zone files, see <A -HREF="Bv9ARM.ch03.html#sample_configuration" ->Section 3.1</A -></P -><P ->Internal DNS server config:</P -><PRE -CLASS="programlisting" -> + for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a></p> +<p>Internal DNS server config:</p> +<pre class="programlisting"> + acl internals { 172.16.72.0/24; 192.168.1.0/24; }; -acl externals { <VAR -CLASS="varname" ->bastion-ips-go-here</VAR ->; }; +acl externals { <code class="varname">bastion-ips-go-here</code>; }; options { ... ... forward only; forwarders { // forward to external servers - <VAR -CLASS="varname" ->bastion-ips-go-here</VAR ->; + <code class="varname">bastion-ips-go-here</code>; }; allow-transfer { none; }; // sample allow-transfer (no one) allow-query { internals; externals; }; // restrict query access @@ -655,12 +310,10 @@ zone "site2.internal" { allow-query { internals }; allow-transfer { internals; } }; -</PRE -><P ->External (bastion host) DNS server config:</P -><PRE -CLASS="programlisting" -> acl internals { 172.16.72.0/24; 192.168.1.0/24; }; +</pre> +<p>External (bastion host) DNS server config:</p> +<pre class="programlisting"> +acl internals { 172.16.72.0/24; 192.168.1.0/24; }; acl externals { bastion-ips-go-here; }; @@ -688,367 +341,147 @@ zone "site2.example.com" { allow-query { any; }; allow-transfer { internals; externals; } }; -</PRE -><P ->In the <TT -CLASS="filename" ->resolv.conf</TT -> (or equivalent) on -the bastion host(s):</P -><PRE -CLASS="programlisting" -> search ... +</pre> +<p>In the <code class="filename">resolv.conf</code> (or equivalent) on +the bastion host(s):</p> +<pre class="programlisting"> +search ... nameserver 172.16.72.2 nameserver 172.16.72.3 nameserver 172.16.72.4 -</PRE -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="tsig" ->4.5. TSIG</A -></H1 -><P ->This is a short guide to setting up Transaction SIGnatures -(TSIG) based transaction security in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->. It describes changes +</pre> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="tsig"></a>TSIG</h2></div></div></div> +<p>This is a short guide to setting up Transaction SIGnatures +(TSIG) based transaction security in <span class="acronym">BIND</span>. It describes changes to the configuration file as well as what changes are required for different features, including the process of creating transaction -keys and using transaction signatures with <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->.</P -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> primarily supports TSIG for server to server communication. +keys and using transaction signatures with <span class="acronym">BIND</span>.</p> +<p><span class="acronym">BIND</span> primarily supports TSIG for server to server communication. This includes zone transfer, notify, and recursive query messages. -Resolvers based on newer versions of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 have limited support -for TSIG.</P -><P ->TSIG might be most useful for dynamic update. A primary +Resolvers based on newer versions of <span class="acronym">BIND</span> 8 have limited support +for TSIG.</p> +<p>TSIG might be most useful for dynamic update. A primary server for a dynamic zone should use access control to control updates, but IP-based access control is insufficient. The cryptographic access control provided by TSIG - is far superior. The <B -CLASS="command" ->nsupdate</B -> - program supports TSIG via the <VAR -CLASS="option" ->-k</VAR -> and - <VAR -CLASS="option" ->-y</VAR -> command line options.</P -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN858" ->4.5.1. Generate Shared Keys for Each Pair of Hosts</A -></H2 -><P ->A shared secret is generated to be shared between <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host1</I -></SPAN -> and <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host2</I -></SPAN ->. + is far superior. The <span><strong class="command">nsupdate</strong></span> + program supports TSIG via the <code class="option">-k</code> and + <code class="option">-y</code> command line options.</p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2549627"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div> +<p>A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>. An arbitrary key name is chosen: "host1-host2.". The key name must -be the same on both hosts.</P -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN863" ->4.5.1.1. Automatic Generation</A -></H3 -><P ->The following command will generate a 128 bit (16 byte) HMAC-MD5 +be the same on both hosts.</p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2549643"></a>Automatic Generation</h4></div></div></div> +<p>The following command will generate a 128 bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys are easier to read. Note that the maximum key length is 512 bits; keys longer than that will be digested with MD5 to produce a 128 -bit key.</P -><P -><KBD -CLASS="userinput" ->dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</KBD -></P -><P ->The key is in the file <TT -CLASS="filename" ->Khost1-host2.+157+00000.private</TT ->. +bit key.</p> +<p><strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong></p> +<p>The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>. Nothing directly uses this file, but the base-64 encoded string -following "<VAR -CLASS="literal" ->Key:</VAR ->" -can be extracted from the file and used as a shared secret:</P -><PRE -CLASS="programlisting" ->Key: La/E5CjG9O+os1jq0a2jdA==</PRE -><P ->The string "<VAR -CLASS="literal" ->La/E5CjG9O+os1jq0a2jdA==</VAR ->" can -be used as the shared secret.</P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN874" ->4.5.1.2. Manual Generation</A -></H3 -><P ->The shared secret is simply a random sequence of bits, encoded +following "<code class="literal">Key:</code>" +can be extracted from the file and used as a shared secret:</p> +<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre> +<p>The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can +be used as the shared secret.</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2549677"></a>Manual Generation</h4></div></div></div> +<p>The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming the length is a multiple of 4 and only valid characters are used), -so the shared secret can be manually generated.</P -><P ->Also, a known string can be run through <B -CLASS="command" ->mmencode</B -> or -a similar program to generate base-64 encoded data.</P -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN879" ->4.5.2. Copying the Shared Secret to Both Machines</A -></H2 -><P ->This is beyond the scope of DNS. A secure transport mechanism -should be used. This could be secure FTP, ssh, telephone, etc.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN882" ->4.5.3. Informing the Servers of the Key's Existence</A -></H2 -><P ->Imagine <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host1</I -></SPAN -> and <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host 2</I -></SPAN -> are -both servers. The following is added to each server's <TT -CLASS="filename" ->named.conf</TT -> file:</P -><PRE -CLASS="programlisting" -> key host1-host2. { +so the shared secret can be manually generated.</p> +<p>Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or +a similar program to generate base-64 encoded data.</p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2549830"></a>Copying the Shared Secret to Both Machines</h3></div></div></div> +<p>This is beyond the scope of DNS. A secure transport mechanism +should be used. This could be secure FTP, ssh, telephone, etc.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2549838"></a>Informing the Servers of the Key's Existence</h3></div></div></div> +<p>Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span> are +both servers. The following is added to each server's <code class="filename">named.conf</code> file:</p> +<pre class="programlisting"> +key host1-host2. { algorithm hmac-md5; secret "La/E5CjG9O+os1jq0a2jdA=="; }; -</PRE -><P ->The algorithm, hmac-md5, is the only one supported by <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->. +</pre> +<p>The algorithm, hmac-md5, is the only one supported by <span class="acronym">BIND</span>. The secret is the one generated above. Since this is a secret, it -is recommended that either <TT -CLASS="filename" ->named.conf</TT -> be non-world +is recommended that either <code class="filename">named.conf</code> be non-world readable, or the key directive be added to a non-world readable -file that is included by <TT -CLASS="filename" ->named.conf</TT ->.</P -><P ->At this point, the key is recognized. This means that if the +file that is included by <code class="filename">named.conf</code>.</p> +<p>At this point, the key is recognized. This means that if the server receives a message signed by this key, it can verify the signature. If the signature is successfully verified, the -response is signed by the same key.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN894" ->4.5.4. Instructing the Server to Use the Key</A -></H2 -><P ->Since keys are shared between two hosts only, the server must -be told when keys are to be used. The following is added to the <TT -CLASS="filename" ->named.conf</TT -> file -for <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host1</I -></SPAN ->, if the IP address of <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host2</I -></SPAN -> is -10.1.2.3:</P -><PRE -CLASS="programlisting" -> server 10.1.2.3 { +response is signed by the same key.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2549878"></a>Instructing the Server to Use the Key</h3></div></div></div> +<p>Since keys are shared between two hosts only, the server must +be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file +for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is +10.1.2.3:</p> +<pre class="programlisting"> +server 10.1.2.3 { keys { host1-host2. ;}; }; -</PRE -><P ->Multiple keys may be present, but only the first is used. +</pre> +<p>Multiple keys may be present, but only the first is used. This directive does not contain any secrets, so it may be in a world-readable -file.</P -><P ->If <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host1</I -></SPAN -> sends a message that is a request -to that address, the message will be signed with the specified key. <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host1</I -></SPAN -> will +file.</p> +<p>If <span class="emphasis"><em>host1</em></span> sends a message that is a request +to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will expect any responses to signed messages to be signed with the same -key.</P -><P ->A similar statement must be present in <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host2</I -></SPAN ->'s -configuration file (with <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host1</I -></SPAN ->'s address) for <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host2</I -></SPAN -> to -sign request messages to <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->host1</I -></SPAN ->.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN910" ->4.5.5. TSIG Key Based Access Control</A -></H2 -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> allows IP addresses and ranges to be specified in ACL +key.</p> +<p>A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s +configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to +sign request messages to <span class="emphasis"><em>host1</em></span>.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2549998"></a>TSIG Key Based Access Control</h3></div></div></div> +<p><span class="acronym">BIND</span> allows IP addresses and ranges to be specified in ACL definitions and -<B -CLASS="command" ->allow-{ query | transfer | update }</B -> directives. +<span><strong class="command">allow-{ query | transfer | update }</strong></span> directives. This has been extended to allow TSIG keys also. The above key would -be denoted <B -CLASS="command" ->key host1-host2.</B -></P -><P ->An example of an allow-update directive would be:</P -><PRE -CLASS="programlisting" -> allow-update { key host1-host2. ;}; -</PRE -><P ->This allows dynamic updates to succeed only if the request +be denoted <span><strong class="command">key host1-host2.</strong></span></p> +<p>An example of an allow-update directive would be:</p> +<pre class="programlisting"> +allow-update { key host1-host2. ;}; +</pre> +<p>This allows dynamic updates to succeed only if the request was signed by a key named - "<B -CLASS="command" ->host1-host2.</B ->".</P -><P ->You may want to read about the more - powerful <B -CLASS="command" ->update-policy</B -> statement in <A -HREF="Bv9ARM.ch06.html#dynamic_update_policies" ->Section 6.2.24.4</A ->.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN923" ->4.5.6. Errors</A -></H2 -><P ->The processing of TSIG signed messages can result in + "<span><strong class="command">host1-host2.</strong></span>".</p> +<p>You may want to read about the more + powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2550042"></a>Errors</h3></div></div></div> +<p>The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware server, a FORMERR will be returned, since the server will not understand the record. This is a result of misconfiguration, since the server must be explicitly configured to send a TSIG - signed message to a specific server.</P -><P ->If a TSIG aware server receives a message signed by an + signed message to a specific server.</p> +<p>If a TSIG aware server receives a message signed by an unknown key, the response will be unsigned with the TSIG extended error code set to BADKEY. If a TSIG aware server receives a message with a signature that does not validate, the @@ -1058,545 +491,226 @@ NAME="AEN923" the TSIG extended error code set to BADTIME, and the time values will be adjusted so that the response can be successfully verified. In any of these cases, the message's rcode is set to - NOTAUTH.</P -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN927" ->4.6. TKEY</A -></H1 -><P -><B -CLASS="command" ->TKEY</B -> is a mechanism for automatically + NOTAUTH.</p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2550056"></a>TKEY</h2></div></div></div> +<p><span><strong class="command">TKEY</strong></span> is a mechanism for automatically generating a shared secret between two hosts. There are several - "modes" of <B -CLASS="command" ->TKEY</B -> that specify how the key is - generated or assigned. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 + "modes" of <span><strong class="command">TKEY</strong></span> that specify how the key is + generated or assigned. <span class="acronym">BIND</span> 9 implements only one of these modes, the Diffie-Hellman key exchange. Both hosts are required to have a Diffie-Hellman KEY record (although this record is not required - to be present in a zone). The <B -CLASS="command" ->TKEY</B -> process + to be present in a zone). The <span><strong class="command">TKEY</strong></span> process must use signed messages, signed either by TSIG or SIG(0). The - result of <B -CLASS="command" ->TKEY</B -> is a shared secret that can be - used to sign messages with TSIG. <B -CLASS="command" ->TKEY</B -> can also + result of <span><strong class="command">TKEY</strong></span> is a shared secret that can be + used to sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be used to delete shared secrets that it had previously - generated.</P -><P ->The <B -CLASS="command" ->TKEY</B -> process is initiated by a client - or server by sending a signed <B -CLASS="command" ->TKEY</B -> query + generated.</p> +<p>The <span><strong class="command">TKEY</strong></span> process is initiated by a client + or server by sending a signed <span><strong class="command">TKEY</strong></span> query (including any appropriate KEYs) to a TKEY-aware server. The server response, if it indicates success, will contain a - <B -CLASS="command" ->TKEY</B -> record and any appropriate keys. After + <span><strong class="command">TKEY</strong></span> record and any appropriate keys. After this exchange, both participants have enough information to determine the shared secret; the exact process depends on the - <B -CLASS="command" ->TKEY</B -> mode. When using the Diffie-Hellman - <B -CLASS="command" ->TKEY</B -> mode, Diffie-Hellman keys are exchanged, - and the shared secret is derived by both participants.</P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN942" ->4.7. SIG(0)</A -></H1 -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 partially supports DNSSEC SIG(0) + <span><strong class="command">TKEY</strong></span> mode. When using the Diffie-Hellman + <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are exchanged, + and the shared secret is derived by both participants.</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2550173"></a>SIG(0)</h2></div></div></div> +<p><span class="acronym">BIND</span> 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC2931. SIG(0) uses public/private keys to authenticate messages. Access control is performed in the same manner as TSIG keys; privileges can be - granted or denied based on the key name.</P -><P ->When a SIG(0) signed message is received, it will only be + granted or denied based on the key name.</p> +<p>When a SIG(0) signed message is received, it will only be verified if the key is known and trusted by the server; the server - will not attempt to locate and/or validate the key.</P -><P ->SIG(0) signing of multiple-message TCP streams is not - supported.</P -><P ->The only tool shipped with <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 that - generates SIG(0) signed messages is <B -CLASS="command" ->nsupdate</B ->.</P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="DNSSEC" ->4.8. DNSSEC</A -></H1 -><P ->Cryptographic authentication of DNS information is possible - through the DNS Security (<SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->DNSSEC-bis</I -></SPAN ->) extensions, - defined in RFC <TBA>. This section describes the creation and use - of DNSSEC signed zones.</P -><P ->In order to set up a DNSSEC secure zone, there are a series - of steps which must be followed. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 ships + will not attempt to locate and/or validate the key.</p> +<p>SIG(0) signing of multiple-message TCP streams is not + supported.</p> +<p>The only tool shipped with <span class="acronym">BIND</span> 9 that + generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="DNSSEC"></a>DNSSEC</h2></div></div></div> +<p>Cryptographic authentication of DNS information is possible + through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions, + defined in RFC <TBA>. This section describes the creation and use + of DNSSEC signed zones.</p> +<p>In order to set up a DNSSEC secure zone, there are a series + of steps which must be followed. <span class="acronym">BIND</span> 9 ships with several tools that are used in this process, which are explained in more detail - below. In all cases, the <VAR -CLASS="option" ->-h</VAR -> option prints a + below. In all cases, the <code class="option">-h</code> option prints a full list of parameters. Note that the DNSSEC tools require the keyset files to be in the working directory or the - directory specified by the <VAR -CLASS="option" ->-h</VAR -> option, and + directory specified by the <code class="option">-h</code> option, and that the tools shipped with BIND 9.2.x and earlier are not compatible - with the current ones.</P -><P ->There must also be communication with the administrators of + with the current ones.</p> +<p>There must also be communication with the administrators of the parent and/or child zone to transmit keys. A zone's security status must be indicated by the parent zone for a DNSSEC capable resolver to trust its data. This is done through the presense - or absence of a <VAR -CLASS="literal" ->DS</VAR -> record at the delegation - point.</P -><P ->For other servers to trust data in this zone, they must + or absence of a <code class="literal">DS</code> record at the delegation + point.</p> +<p>For other servers to trust data in this zone, they must either be statically configured with this zone's zone key or the - zone key of another zone above this one in the DNS tree.</P -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN962" ->4.8.1. Generating Keys</A -></H2 -><P ->The <B -CLASS="command" ->dnssec-keygen</B -> program is used to - generate keys.</P -><P ->A secure zone must contain one or more zone keys. The + zone key of another zone above this one in the DNS tree.</p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2550308"></a>Generating Keys</h3></div></div></div> +<p>The <span><strong class="command">dnssec-keygen</strong></span> program is used to + generate keys.</p> +<p>A secure zone must contain one or more zone keys. The zone keys will sign all other records in the zone, as well as the zone keys of any secure delegated zones. Zone keys must have the same name as the zone, a name type of - <B -CLASS="command" ->ZONE</B ->, and must be usable for authentication. + <span><strong class="command">ZONE</strong></span>, and must be usable for authentication. It is recommended that zone keys use a cryptographic algorithm designated as "mandatory to implement" by the IETF; currently - the only one is RSASHA1.</P -><P ->The following command will generate a 768 bit RSASHA1 key for - the <TT -CLASS="filename" ->child.example</TT -> zone:</P -><P -><KBD -CLASS="userinput" ->dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</KBD -></P -><P ->Two output files will be produced: - <TT -CLASS="filename" ->Kchild.example.+005+12345.key</TT -> and - <TT -CLASS="filename" ->Kchild.example.+005+12345.private</TT -> (where + the only one is RSASHA1.</p> +<p>The following command will generate a 768 bit RSASHA1 key for + the <code class="filename">child.example</code> zone:</p> +<p><strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong></p> +<p>Two output files will be produced: + <code class="filename">Kchild.example.+005+12345.key</code> and + <code class="filename">Kchild.example.+005+12345.private</code> (where 12345 is an example of a key tag). The key file names contain - the key name (<TT -CLASS="filename" ->child.example.</TT ->), algorithm (3 + the key name (<code class="filename">child.example.</code>), algorithm (3 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case). - The private key (in the <TT -CLASS="filename" ->.private</TT -> file) is + The private key (in the <code class="filename">.private</code> file) is used to generate signatures, and the public key (in the - <TT -CLASS="filename" ->.key</TT -> file) is used for signature - verification.</P -><P ->To generate another key with the same properties (but with - a different key tag), repeat the above command.</P -><P ->The public keys should be inserted into the zone file by - including the <TT -CLASS="filename" ->.key</TT -> files using - <B -CLASS="command" ->$INCLUDE</B -> statements. - </P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN982" ->4.8.2. Signing the Zone</A -></H2 -><P ->The <B -CLASS="command" ->dnssec-signzone</B -> program is used to - sign a zone.</P -><P ->Any <TT -CLASS="filename" ->keyset</TT -> files corresponding + <code class="filename">.key</code> file) is used for signature + verification.</p> +<p>To generate another key with the same properties (but with + a different key tag), repeat the above command.</p> +<p>The public keys should be inserted into the zone file by + including the <code class="filename">.key</code> files using + <span><strong class="command">$INCLUDE</strong></span> statements. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2550375"></a>Signing the Zone</h3></div></div></div> +<p>The <span><strong class="command">dnssec-signzone</strong></span> program is used to + sign a zone.</p> +<p>Any <code class="filename">keyset</code> files corresponding to secure subzones should be present. The zone signer will - generate <VAR -CLASS="literal" ->NSEC</VAR -> and <VAR -CLASS="literal" ->RRSIG</VAR -> - records for the zone, as well as <VAR -CLASS="literal" ->DS</VAR -> for - the child zones if <VAR -CLASS="literal" ->'-d'</VAR -> is specified. - If <VAR -CLASS="literal" ->'-d'</VAR -> is not specified then DS RRsets for - the secure child zones need to be added manually.</P -><P ->The following command signs the zone, assuming it is in a - file called <TT -CLASS="filename" ->zone.child.example</TT ->. By + generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code> + records for the zone, as well as <code class="literal">DS</code> for + the child zones if <code class="literal">'-d'</code> is specified. + If <code class="literal">'-d'</code> is not specified then DS RRsets for + the secure child zones need to be added manually.</p> +<p>The following command signs the zone, assuming it is in a + file called <code class="filename">zone.child.example</code>. By default, all zone keys which have an available private key are - used to generate signatures.</P -><P -><KBD -CLASS="userinput" ->dnssec-signzone -o child.example zone.child.example</KBD -></P -><P ->One output file is produced: - <TT -CLASS="filename" ->zone.child.example.signed</TT ->. This file - should be referenced by <TT -CLASS="filename" ->named.conf</TT -> as the - input file for the zone.</P -><P -><B -CLASS="command" ->dnssec-signzone</B -> will also produce a + used to generate signatures.</p> +<p><strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong></p> +<p>One output file is produced: + <code class="filename">zone.child.example.signed</code>. This file + should be referenced by <code class="filename">named.conf</code> as the + input file for the zone.</p> +<p><span><strong class="command">dnssec-signzone</strong></span> will also produce a keyset and dsset files and optionally a dlvset file. These are used to provide the parent zone administators with the - <VAR -CLASS="literal" ->DNSKEYs</VAR -> (or their corresponding <VAR -CLASS="literal" ->DS</VAR -> - records) that are the secure entry point to the zone.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1004" ->4.8.3. Configuring Servers</A -></H2 -><P ->Unlike <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8, -<ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 does not verify signatures on load, + <code class="literal">DNSKEYs</code> (or their corresponding <code class="literal">DS</code> + records) that are the secure entry point to the zone.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2550450"></a>Configuring Servers</h3></div></div></div> +<p>Unlike <span class="acronym">BIND</span> 8, +<span class="acronym">BIND</span> 9 does not verify signatures on load, so zone keys for authoritative zones do not need to be specified -in the configuration file.</P -><P ->The public key for any security root must be present in -the configuration file's <B -CLASS="command" ->trusted-keys</B -> -statement, as described later in this document. </P -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN1011" ->4.9. IPv6 Support in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9</A -></H1 -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 fully supports all currently defined forms of IPv6 +in the configuration file.</p> +<p>The public key for any security root must be present in +the configuration file's <span><strong class="command">trusted-keys</strong></span> +statement, as described later in this document. </p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2550473"></a>IPv6 Support in <span class="acronym">BIND</span> 9</h2></div></div></div> +<p><span class="acronym">BIND</span> 9 fully supports all currently defined forms of IPv6 name to address and address to name lookups. It will also use IPv6 addresses to make queries when running on an IPv6 capable - system.</P -><P ->For forward lookups, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 supports only AAAA + system.</p> +<p>For forward lookups, <span class="acronym">BIND</span> 9 supports only AAAA records. The use of A6 records is deprecated by RFC 3363, and the - support for forward lookups in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 is + support for forward lookups in <span class="acronym">BIND</span> 9 is removed accordingly. - However, authoritative <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 name servers still + However, authoritative <span class="acronym">BIND</span> 9 name servers still load zone files containing A6 records correctly, answer queries for A6 records, and accept zone transfer for a zone containing A6 - records.</P -><P ->For IPv6 reverse lookups, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 supports + records.</p> +<p>For IPv6 reverse lookups, <span class="acronym">BIND</span> 9 supports the traditional "nibble" format used in the - <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->ip6.arpa</I -></SPAN -> domain, as well as the older, deprecated - <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->ip6.int</I -></SPAN -> domain. - <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 formerly + <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated + <span class="emphasis"><em>ip6.int</em></span> domain. + <span class="acronym">BIND</span> 9 formerly supported the "binary label" (also known as "bitstring") format. The support of binary labels, however, is now completely removed according to the changes in RFC 3363. - Any applications in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 do not understand + Any applications in <span class="acronym">BIND</span> 9 do not understand the format any more, and will return an error if given. - In particular, an authoritative <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 name - server rejects to load a zone file containing binary labels.</P -><P ->For an overview of the format and structure of IPv6 addresses, - see <A -HREF="Bv9ARM.ch09.html#ipv6addresses" ->Section A.2.1</A ->.</P -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1029" ->4.9.1. Address Lookups Using AAAA Records</A -></H2 -><P ->The AAAA record is a parallel to the IPv4 A record. It + In particular, an authoritative <span class="acronym">BIND</span> 9 name + server rejects to load a zone file containing binary labels.</p> +<p>For an overview of the format and structure of IPv6 addresses, + see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.</p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2550600"></a>Address Lookups Using AAAA Records</h3></div></div></div> +<p>The AAAA record is a parallel to the IPv4 A record. It specifies the entire address in a single record. For - example,</P -><PRE -CLASS="programlisting" -> $ORIGIN example.com. + example,</p> +<pre class="programlisting"> +$ORIGIN example.com. host 3600 IN AAAA 2001:db8::1 -</PRE -><P ->It is recommended that IPv4-in-IPv6 mapped addresses not +</pre> +<p>It is recommended that IPv4-in-IPv6 mapped addresses not be used. If a host has an IPv4 address, use an A record, not - a AAAA, with <VAR -CLASS="literal" ->::ffff:192.168.42.1</VAR -> as the - address.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1035" ->4.9.2. Address to Name Lookups Using Nibble Format</A -></H2 -><P ->When looking up an address in nibble format, the address + a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as the + address.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2550620"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div> +<p>When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and - <VAR -CLASS="literal" ->ip6.arpa.</VAR -> is appended to the resulting name. + <code class="literal">ip6.arpa.</code> is appended to the resulting name. For example, the following would provide reverse name lookup for a host with address - <VAR -CLASS="literal" ->2001:db8::1</VAR ->.</P -><PRE -CLASS="programlisting" -> $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. + <code class="literal">2001:db8::1</code>.</p> +<pre class="programlisting"> +$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com. -</PRE -></DIV -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="Bv9ARM.ch03.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="Bv9ARM.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="Bv9ARM.ch05.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Name Server Configuration</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->The <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Lightweight Resolver</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file +</pre> +</div> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch05.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch05.html index dd59488d938..675307f7b38 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.ch05.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.ch05.html @@ -1,265 +1,115 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->The BIND 9 Lightweight Resolver</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="BIND 9 Administrator Reference Manual" -HREF="Bv9ARM.html"><LINK -REL="PREVIOUS" -TITLE="Advanced DNS Features" -HREF="Bv9ARM.ch04.html"><LINK -REL="NEXT" -TITLE="BIND 9 Configuration Reference" -HREF="Bv9ARM.ch06.html"></HEAD -><BODY -CLASS="chapter" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->BIND 9 Administrator Reference Manual</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch04.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch06.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="chapter" -><H1 -><A -NAME="ch05" -></A ->Chapter 5. The <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Lightweight Resolver</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->5.1. <A -HREF="Bv9ARM.ch05.html#AEN1044" ->The Lightweight Resolver Library</A -></DT -><DT ->5.2. <A -HREF="Bv9ARM.ch05.html#lwresd" ->Running a Resolver Daemon</A -></DT -></DL -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN1044" ->5.1. The Lightweight Resolver Library</A -></H1 -><P ->Traditionally applications have been linked with a stub resolver +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.ch05.html,v 1.24.2.5.2.12 2005/10/13 02:34:00 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 5. The BIND 9 Lightweight Resolver</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features"> +<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch05"></a>Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2550652">The Lightweight Resolver Library</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> +</dl> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2550652"></a>The Lightweight Resolver Library</h2></div></div></div> +<p>Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name -server.</P -><P ->IPv6 once introduced new complexity into the resolution process, +server.</p> +<p>IPv6 once introduced new complexity into the resolution process, such as following A6 chains and DNAME records, and simultaneous lookup of IPv4 and IPv6 addresses. Though most of the complexity was then removed, these are hard or impossible -to implement in a traditional stub resolver.</P -><P ->Instead, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 provides resolution services to local clients +to implement in a traditional stub resolver.</p> +<p>Instead, <span class="acronym">BIND</span> 9 provides resolution services to local clients using a combination of a lightweight resolver library and a resolver daemon process running on the local host. These communicate using a simple UDP-based protocol, the "lightweight resolver protocol" -that is distinct from and simpler than the full DNS protocol.</P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="lwresd" ->5.2. Running a Resolver Daemon</A -></H1 -><P ->To use the lightweight resolver interface, the system must -run the resolver daemon <B -CLASS="command" ->lwresd</B -> or a local -name server configured with a <B -CLASS="command" ->lwres</B -> statement.</P -><P ->By default, applications using the lightweight resolver library will make +that is distinct from and simpler than the full DNS protocol.</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div> +<p>To use the lightweight resolver interface, the system must +run the resolver daemon <span><strong class="command">lwresd</strong></span> or a local +name server configured with a <span><strong class="command">lwres</strong></span> statement.</p> +<p>By default, applications using the lightweight resolver library will make UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The -address can be overridden by <B -CLASS="command" ->lwserver</B -> lines in -<TT -CLASS="filename" ->/etc/resolv.conf</TT ->.</P -><P ->The daemon currently only looks in the DNS, but in the future -it may use other sources such as <TT -CLASS="filename" ->/etc/hosts</TT ->, -NIS, etc.</P -><P ->The <B -CLASS="command" ->lwresd</B -> daemon is essentially a +address can be overridden by <span><strong class="command">lwserver</strong></span> lines in +<code class="filename">/etc/resolv.conf</code>.</p> +<p>The daemon currently only looks in the DNS, but in the future +it may use other sources such as <code class="filename">/etc/hosts</code>, +NIS, etc.</p> +<p>The <span><strong class="command">lwresd</strong></span> daemon is essentially a caching-only name server that responds to requests using the lightweight resolver protocol rather than the DNS protocol. Because it needs to run on each host, it is designed to require no or minimal configuration. Unless configured otherwise, it uses the name servers listed on -<B -CLASS="command" ->nameserver</B -> lines in <TT -CLASS="filename" ->/etc/resolv.conf</TT -> +<span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code> as forwarders, but is also capable of doing the resolution autonomously if -none are specified.</P -><P ->The <B -CLASS="command" ->lwresd</B -> daemon may also be configured with a -<TT -CLASS="filename" ->named.conf</TT -> style configuration file, in -<TT -CLASS="filename" ->/etc/lwresd.conf</TT -> by default. A name server may also +none are specified.</p> +<p>The <span><strong class="command">lwresd</strong></span> daemon may also be configured with a +<code class="filename">named.conf</code> style configuration file, in +<code class="filename">/etc/lwresd.conf</code> by default. A name server may also be configured to act as a lightweight resolver daemon using the -<B -CLASS="command" ->lwres</B -> statement in <TT -CLASS="filename" ->named.conf</TT ->.</P -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="Bv9ARM.ch04.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="Bv9ARM.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="Bv9ARM.ch06.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Advanced DNS Features</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Configuration Reference</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file +<span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.</p> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 4. Advanced DNS Features </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference</td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch06.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch06.html index ad476a59712..ffa51890f7b 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.ch06.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.ch06.html @@ -1,286 +1,148 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->BIND 9 Configuration Reference</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="BIND 9 Administrator Reference Manual" -HREF="Bv9ARM.html"><LINK -REL="PREVIOUS" -TITLE="The BIND 9 Lightweight Resolver" -HREF="Bv9ARM.ch05.html"><LINK -REL="NEXT" -TITLE="BIND 9 Security Considerations" -HREF="Bv9ARM.ch07.html"></HEAD -><BODY -CLASS="chapter" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->BIND 9 Administrator Reference Manual</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch05.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch07.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="chapter" -><H1 -><A -NAME="ch06" -></A ->Chapter 6. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Configuration Reference</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->6.1. <A -HREF="Bv9ARM.ch06.html#configuration_file_elements" ->Configuration File Elements</A -></DT -><DT ->6.2. <A -HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" ->Configuration File Grammar</A -></DT -><DT ->6.3. <A -HREF="Bv9ARM.ch06.html#AEN4050" ->Zone File</A -></DT -></DL -></DIV -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 configuration is broadly similar -to <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8; however, there are a few new areas -of configuration, such as views. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> -8 configuration files should work with few alterations in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.ch06.html,v 1.56.2.12.2.30 2005/10/13 02:34:00 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 6. BIND 9 Configuration Reference</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver"> +<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch06"></a>Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2551817">Comment Syntax</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552302"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and +Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552471"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552808"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552823"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552845"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552867"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553006"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553269"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554474"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554547"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554610"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554653"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554668"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562233"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562281"><span><strong class="command">trusted-keys</strong></span> Statement Definition +and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562349"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> +Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2563022"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2564557">Zone File</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2565990">Discussion of MX Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566487">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566593">Other Zone File Directives</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566761"><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> +</dl></dd> +</dl> +</div> +<p><span class="acronym">BIND</span> 9 configuration is broadly similar +to <span class="acronym">BIND</span> 8; however, there are a few new areas +of configuration, such as views. <span class="acronym">BIND</span> +8 configuration files should work with few alterations in <span class="acronym">BIND</span> 9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features -found in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9.</P -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 4 configuration files can be converted to the new format +found in <span class="acronym">BIND</span> 9.</p> +<p><span class="acronym">BIND</span> 4 configuration files can be converted to the new format using the shell script -<TT -CLASS="filename" ->contrib/named-bootconf/named-bootconf.sh</TT ->.</P -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="configuration_file_elements" ->6.1. Configuration File Elements</A -></H1 -><P ->Following is a list of elements used throughout the <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> configuration -file documentation:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN1086" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><VAR -CLASS="varname" ->acl_name</VAR -></P -></TD -><TD -><P ->The name of an <VAR -CLASS="varname" ->address_match_list</VAR -> as -defined by the <B -CLASS="command" ->acl</B -> statement.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->address_match_list</VAR -></P -></TD -><TD -><P ->A list of one or more <VAR -CLASS="varname" ->ip_addr</VAR ->, -<VAR -CLASS="varname" ->ip_prefix</VAR ->, <VAR -CLASS="varname" ->key_id</VAR ->, -or <VAR -CLASS="varname" ->acl_name</VAR -> elements, see -<A -HREF="Bv9ARM.ch06.html#address_match_lists" ->Section 6.1.1</A ->.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->domain_name</VAR -></P -></TD -><TD -><P ->A quoted string which will be used as -a DNS name, for example "<VAR -CLASS="literal" ->my.test.domain</VAR ->".</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->dotted_decimal</VAR -></P -></TD -><TD -><P ->One to four integers valued 0 through -255 separated by dots (`.'), such as <B -CLASS="command" ->123</B ->, -<B -CLASS="command" ->45.67</B -> or <B -CLASS="command" ->89.123.45.67</B ->.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->ip4_addr</VAR -></P -></TD -><TD -><P ->An IPv4 address with exactly four elements -in <VAR -CLASS="varname" ->dotted_decimal</VAR -> notation.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->ip6_addr</VAR -></P -></TD -><TD -><P ->An IPv6 address, such as <B -CLASS="command" ->2001:db8::1234</B ->. +<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.</p> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div> +<p>Following is a list of elements used throughout the <span class="acronym">BIND</span> configuration +file documentation:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><code class="varname">acl_name</code></p></td> +<td><p>The name of an <code class="varname">address_match_list</code> as +defined by the <span><strong class="command">acl</strong></span> statement.</p></td> +</tr> +<tr> +<td><p><code class="varname">address_match_list</code></p></td> +<td><p>A list of one or more <code class="varname">ip_addr</code>, +<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, +or <code class="varname">acl_name</code> elements, see +<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.</p></td> +</tr> +<tr> +<td><p><code class="varname">domain_name</code></p></td> +<td><p>A quoted string which will be used as +a DNS name, for example "<code class="literal">my.test.domain</code>".</p></td> +</tr> +<tr> +<td><p><code class="varname">dotted_decimal</code></p></td> +<td><p>One to four integers valued 0 through +255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>, +<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.</p></td> +</tr> +<tr> +<td><p><code class="varname">ip4_addr</code></p></td> +<td><p>An IPv4 address with exactly four elements +in <code class="varname">dotted_decimal</code> notation.</p></td> +</tr> +<tr> +<td><p><code class="varname">ip6_addr</code></p></td> +<td><p>An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>. IPv6 scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (`%') as delimiter. @@ -290,2043 +152,677 @@ configuration changes. However, since there is no standard mapping for such names and identifier values, currently only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. -For example, a link-local address <B -CLASS="command" ->fe80::1</B -> on the -link attached to the interface <B -CLASS="command" ->ne0</B -> -can be specified as <B -CLASS="command" ->fe80::1%ne0</B ->. +For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the +link attached to the interface <span><strong class="command">ne0</strong></span> +can be specified as <span><strong class="command">fe80::1%ne0</strong></span>. Note that on most systems link-local addresses always have the -ambiguity, and need to be disambiguated.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->ip_addr</VAR -></P -></TD -><TD -><P ->An <VAR -CLASS="varname" ->ip4_addr</VAR -> or <VAR -CLASS="varname" ->ip6_addr</VAR ->.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->ip_port</VAR -></P -></TD -><TD -><P ->An IP port <VAR -CLASS="varname" ->number</VAR ->. -<VAR -CLASS="varname" ->number</VAR -> is limited to 0 through 65535, with values +ambiguity, and need to be disambiguated.</p></td> +</tr> +<tr> +<td><p><code class="varname">ip_addr</code></p></td> +<td><p>An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.</p></td> +</tr> +<tr> +<td><p><code class="varname">ip_port</code></p></td> +<td><p>An IP port <code class="varname">number</code>. +<code class="varname">number</code> is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases an asterisk (`*') character can be used as a placeholder to -select a random high-numbered port.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->ip_prefix</VAR -></P -></TD -><TD -><P ->An IP network specified as an <VAR -CLASS="varname" ->ip_addr</VAR ->, +select a random high-numbered port.</p></td> +</tr> +<tr> +<td><p><code class="varname">ip_prefix</code></p></td> +<td><p>An IP network specified as an <code class="varname">ip_addr</code>, followed by a slash (`/') and then the number of bits in the netmask. -Trailing zeros in a <VAR -CLASS="varname" ->ip_addr</VAR -> may omitted. -For example, <B -CLASS="command" ->127/8</B -> is the network <B -CLASS="command" ->127.0.0.0</B -> with -netmask <B -CLASS="command" ->255.0.0.0</B -> and <B -CLASS="command" ->1.2.3.0/28</B -> is -network <B -CLASS="command" ->1.2.3.0</B -> with netmask <B -CLASS="command" ->255.255.255.240</B ->.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->key_id</VAR -></P -></TD -><TD -><P ->A <VAR -CLASS="varname" ->domain_name</VAR -> representing -the name of a shared key, to be used for transaction security.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->key_list</VAR -></P -></TD -><TD -><P ->A list of one or more <VAR -CLASS="varname" ->key_id</VAR ->s, -separated by semicolons and ending with a semicolon.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->number</VAR -></P -></TD -><TD -><P ->A non-negative 32 bit integer +Trailing zeros in a <code class="varname">ip_addr</code> may omitted. +For example, <span><strong class="command">127/8</strong></span> is the network <span><strong class="command">127.0.0.0</strong></span> with +netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is +network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.</p></td> +</tr> +<tr> +<td><p><code class="varname">key_id</code></p></td> +<td><p>A <code class="varname">domain_name</code> representing +the name of a shared key, to be used for transaction security.</p></td> +</tr> +<tr> +<td><p><code class="varname">key_list</code></p></td> +<td><p>A list of one or more <code class="varname">key_id</code>s, +separated by semicolons and ending with a semicolon.</p></td> +</tr> +<tr> +<td><p><code class="varname">number</code></p></td> +<td><p>A non-negative 32 bit integer (i.e., a number between 0 and 4294967295, inclusive). Its acceptable value might further -be limited by the context in which it is used.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->path_name</VAR -></P -></TD -><TD -><P ->A quoted string which will be used as -a pathname, such as <TT -CLASS="filename" ->zones/master/my.test.domain</TT ->.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->size_spec</VAR -></P -></TD -><TD -><P ->A number, the word <KBD -CLASS="userinput" ->unlimited</KBD ->, -or the word <KBD -CLASS="userinput" ->default</KBD ->.</P -><P -> An <VAR -CLASS="varname" ->unlimited</VAR -> <VAR -CLASS="varname" ->size_spec</VAR -> requests unlimited -use, or the maximum available amount. A <VAR -CLASS="varname" ->default size_spec</VAR -> uses -the limit that was in force when the server was started.</P -><P ->A <VAR -CLASS="varname" ->number</VAR -> can -optionally be followed by a scaling factor: <KBD -CLASS="userinput" ->K</KBD -> or <KBD -CLASS="userinput" ->k</KBD -> for -kilobytes, <KBD -CLASS="userinput" ->M</KBD -> or <KBD -CLASS="userinput" ->m</KBD -> for -megabytes, and <KBD -CLASS="userinput" ->G</KBD -> or <KBD -CLASS="userinput" ->g</KBD -> for gigabytes, -which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</P -> -<P ->The value must be representable as a 64-bit unsigned integer +be limited by the context in which it is used.</p></td> +</tr> +<tr> +<td><p><code class="varname">path_name</code></p></td> +<td><p>A quoted string which will be used as +a pathname, such as <code class="filename">zones/master/my.test.domain</code>.</p></td> +</tr> +<tr> +<td><p><code class="varname">size_spec</code></p></td> +<td> +<p>A number, the word <strong class="userinput"><code>unlimited</code></strong>, +or the word <strong class="userinput"><code>default</code></strong>.</p> +<p> +An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited +use, or the maximum available amount. A <code class="varname">default size_spec</code> uses +the limit that was in force when the server was started.</p> +<p>A <code class="varname">number</code> can +optionally be followed by a scaling factor: <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> for +kilobytes, <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> for +megabytes, and <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes, +which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</p> +<p>The value must be representable as a 64-bit unsigned integer (0 to 18446744073709551615, inclusive). -Using <VAR -CLASS="varname" ->unlimited</VAR -> is the best way -to safely set a really large number.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->yes_or_no</VAR -></P -></TD -><TD -><P ->Either <KBD -CLASS="userinput" ->yes</KBD -> or <KBD -CLASS="userinput" ->no</KBD ->. -The words <KBD -CLASS="userinput" ->true</KBD -> and <KBD -CLASS="userinput" ->false</KBD -> are -also accepted, as are the numbers <KBD -CLASS="userinput" ->1</KBD -> and <KBD -CLASS="userinput" ->0</KBD ->.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->dialup_option</VAR -></P -></TD -><TD -><P ->One of <KBD -CLASS="userinput" ->yes</KBD ->, -<KBD -CLASS="userinput" ->no</KBD ->, <KBD -CLASS="userinput" ->notify</KBD ->, -<KBD -CLASS="userinput" ->notify-passive</KBD ->, <KBD -CLASS="userinput" ->refresh</KBD -> or -<KBD -CLASS="userinput" ->passive</KBD ->. -When used in a zone, <KBD -CLASS="userinput" ->notify-passive</KBD ->, -<KBD -CLASS="userinput" ->refresh</KBD ->, and <KBD -CLASS="userinput" ->passive</KBD -> -are restricted to slave and stub zones.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="address_match_lists" ->6.1.1. Address Match Lists</A -></H2 -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN1251" ->6.1.1.1. Syntax</A -></H3 -><PRE -CLASS="programlisting" -><VAR -CLASS="varname" ->address_match_list</VAR -> = address_match_list_element ; - [<SPAN -CLASS="optional" -> address_match_list_element; ... </SPAN ->] -<VAR -CLASS="varname" ->address_match_list_element</VAR -> = [<SPAN -CLASS="optional" -> ! </SPAN ->] (ip_address [<SPAN -CLASS="optional" ->/length</SPAN ->] | +Using <code class="varname">unlimited</code> is the best way +to safely set a really large number.</p> +</td> +</tr> +<tr> +<td><p><code class="varname">yes_or_no</code></p></td> +<td><p>Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>. +The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are +also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> and <strong class="userinput"><code>0</code></strong>.</p></td> +</tr> +<tr> +<td><p><code class="varname">dialup_option</code></p></td> +<td><p>One of <strong class="userinput"><code>yes</code></strong>, +<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>, +<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or +<strong class="userinput"><code>passive</code></strong>. +When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>, +<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong> +are restricted to slave and stub zones.</p></td> +</tr> +</tbody> +</table></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2551560"></a>Syntax</h4></div></div></div> +<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; + [<span class="optional"> address_match_list_element; ... </span>] +<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | key key_id | acl_name | { address_match_list } ) -</PRE -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN1259" ->6.1.1.2. Definition and Usage</A -></H3 -><P ->Address match lists are primarily used to determine access +</pre> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2551587"></a>Definition and Usage</h4></div></div></div> +<p>Address match lists are primarily used to determine access control for various server operations. They are also used in -the <B -CLASS="command" ->listen-on</B -> and <B -CLASS="command" ->sortlist</B -> +the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span> statements. The elements -which constitute an address match list can be any of the following:</P -><P -></P -><UL -><LI -><P ->an IP address (IPv4 or IPv6)</P -></LI -><LI -><P ->an IP prefix (in `/' notation)</P -></LI -><LI -><P ->a key ID, as defined by the <B -CLASS="command" ->key</B -> statement</P -></LI -><LI -><P ->the name of an address match list previously defined with -the <B -CLASS="command" ->acl</B -> statement</P -></LI -><LI -><P ->a nested address match list enclosed in braces</P -></LI -></UL -><P ->Elements can be negated with a leading exclamation mark (`!'), +which constitute an address match list can be any of the following:</p> +<div class="itemizedlist"><ul type="disc"> +<li>an IP address (IPv4 or IPv6)</li> +<li>an IP prefix (in `/' notation)</li> +<li>a key ID, as defined by the <span><strong class="command">key</strong></span> statement</li> +<li>the name of an address match list defined with +the <span><strong class="command">acl</strong></span> statement</li> +<li>a nested address match list enclosed in braces</li> +</ul></div> +<p>Elements can be negated with a leading exclamation mark (`!'), and the match list names "any", "none", "localhost", and "localnets" are predefined. More information on those names can be found in -the description of the acl statement.</P -><P ->The addition of the key clause made the name of this syntactic +the description of the acl statement.</p> +<p>The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, -the term "address match list" is still used throughout the documentation.</P -><P ->When a given IP address or prefix is compared to an address +the term "address match list" is still used throughout the documentation.</p> +<p>When a given IP address or prefix is compared to an address match list, the list is traversed in order until an element matches. The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or in a sortlist, -and whether the element was negated.</P -><P ->When used as an access control list, a non-negated match allows +and whether the element was negated.</p> +<p>When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, -access is denied. The clauses <B -CLASS="command" ->allow-notify</B ->, -<B -CLASS="command" ->allow-query</B ->, <B -CLASS="command" ->allow-transfer</B ->, -<B -CLASS="command" ->allow-update</B ->, <B -CLASS="command" ->allow-update-forwarding</B ->, -and <B -CLASS="command" ->blackhole</B -> all +access is denied. The clauses <span><strong class="command">allow-notify</strong></span>, +<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-transfer</strong></span>, +<span><strong class="command">allow-update</strong></span>, <span><strong class="command">allow-update-forwarding</strong></span>, +and <span><strong class="command">blackhole</strong></span> all use address match lists this. Similarly, the listen-on option will cause the server to not accept queries on any of the machine's addresses -which do not match the list.</P -><P ->Because of the first-match aspect of the algorithm, an element +which do not match the list.</p> +<p>Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in -<B -CLASS="command" ->1.2.3/24; ! 1.2.3.13;</B -> the 1.2.3.13 element is +<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is completely useless because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 element. -Using <B -CLASS="command" ->! 1.2.3.13; 1.2.3/24</B -> fixes +Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes that problem by having 1.2.3.13 blocked by the negation but all -other 1.2.3.* hosts fall through.</P -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1290" ->6.1.2. Comment Syntax</A -></H2 -><P ->The <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 comment syntax allows for comments to appear -anywhere that white space may appear in a <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> configuration +other 1.2.3.* hosts fall through.</p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2551817"></a>Comment Syntax</h3></div></div></div> +<p>The <span class="acronym">BIND</span> 9 comment syntax allows for comments to appear +anywhere that white space may appear in a <span class="acronym">BIND</span> configuration file. To appeal to programmers of all kinds, they can be written -in the C, C++, or shell/perl style.</P -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN1295" ->6.1.2.1. Syntax</A -></H3 -><P -><PRE -CLASS="programlisting" ->/* This is a <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> comment as in C */</PRE -> -<PRE -CLASS="programlisting" ->// This is a <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> comment as in C++</PRE -> -<PRE -CLASS="programlisting" -># This is a <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> comment as in common UNIX shells and perl</PRE -> - </P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN1304" ->6.1.2.2. Definition and Usage</A -></H3 -><P ->Comments may appear anywhere that whitespace may appear in -a <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> configuration file.</P -><P ->C-style comments start with the two characters /* (slash, +in the C, C++, or shell/perl style.</p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2551832"></a>Syntax</h4></div></div></div> +<pre class="programlisting">/* This is a <span class="acronym">BIND</span> comment as in C */</pre> +<p> +</p> +<pre class="programlisting">// This is a <span class="acronym">BIND</span> comment as in C++</pre> +<p> +</p> +<pre class="programlisting"># This is a <span class="acronym">BIND</span> comment as in common UNIX shells and perl</pre> +<p> + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2551861"></a>Definition and Usage</h4></div></div></div> +<p>Comments may appear anywhere that whitespace may appear in +a <span class="acronym">BIND</span> configuration file.</p> +<p>C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited with these characters, they can be used to comment only -a portion of a line or to span multiple lines.</P -><P ->C-style comments cannot be nested. For example, the following -is not valid because the entire comment ends with the first */:</P -><P -><PRE -CLASS="programlisting" ->/* This is the start of a comment. +a portion of a line or to span multiple lines.</p> +<p>C-style comments cannot be nested. For example, the following +is not valid because the entire comment ends with the first */:</p> +<pre class="programlisting">/* This is the start of a comment. This is still part of the comment. /* This is an incorrect attempt at nesting a comment. */ This is no longer in any comment. */ -</PRE -></P -><P ->C++-style comments start with the two characters // (slash, +</pre> +<p>C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical -comment span multiple lines, each line must use the // pair.</P -><P ->For example:</P -><P -><PRE -CLASS="programlisting" ->// This is the start of a comment. The next line +comment span multiple lines, each line must use the // pair.</p> +<p>For example:</p> +<pre class="programlisting">// This is the start of a comment. The next line // is a new comment, even though it is logically // part of the previous comment. -</PRE -></P -><P ->Shell-style (or perl-style, if you prefer) comments start -with the character <VAR -CLASS="literal" ->#</VAR -> (number sign) and continue to the end of the -physical line, as in C++ comments.</P -><P ->For example:</P -><P -><PRE -CLASS="programlisting" -># This is the start of a comment. The next line +</pre> +<p>Shell-style (or perl-style, if you prefer) comments start +with the character <code class="literal">#</code> (number sign) and continue to the end of the +physical line, as in C++ comments.</p> +<p>For example:</p> +<pre class="programlisting"># This is the start of a comment. The next line # is a new comment, even though it is logically # part of the previous comment. -</PRE -> -</P -><DIV -CLASS="warning" -><P -></P -><TABLE -CLASS="warning" -BORDER="1" -WIDTH="100%" -><TR -><TD -ALIGN="CENTER" -><B ->Warning</B -></TD -></TR -><TR -><TD -ALIGN="LEFT" -><P ->You cannot use the semicolon (`;') character +</pre> +<p> +</p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p>You cannot use the semicolon (`;') character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration - statement.</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="Configuration_File_Grammar" ->6.2. Configuration File Grammar</A -></H1 -><P ->A <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 configuration consists of statements and comments. + statement.</p> +</div> +</div> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div> +<p>A <span class="acronym">BIND</span> 9 configuration consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many statements contain a block of sub-statements, which are also - terminated with a semicolon.</P -><P ->The following statements are supported:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN1328" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><B -CLASS="command" ->acl</B -></P -></TD -><TD -><P ->defines a named IP address -matching list, for access control and other uses.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->controls</B -></P -></TD -><TD -><P ->declares control channels to be used -by the <B -CLASS="command" ->rndc</B -> utility.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->include</B -></P -></TD -><TD -><P ->includes a file.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->key</B -></P -></TD -><TD -><P ->specifies key information for use in -authentication and authorization using TSIG.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->logging</B -></P -></TD -><TD -><P ->specifies what the server logs, and where -the log messages are sent.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->lwres</B -></P -></TD -><TD -><P ->configures <B -CLASS="command" ->named</B -> to -also act as a light weight resolver daemon (<B -CLASS="command" ->lwresd</B ->).</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->masters</B -></P -></TD -><TD -><P ->defines a named masters list for -inclusion in stub and slave zone masters clauses.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->options</B -></P -></TD -><TD -><P ->controls global server configuration -options and sets defaults for other statements.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->server</B -></P -></TD -><TD -><P ->sets certain configuration options on -a per-server basis.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->trusted-keys</B -></P -></TD -><TD -><P ->defines trusted DNSSEC keys.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->view</B -></P -></TD -><TD -><P ->defines a view.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->zone</B -></P -></TD -><TD -><P ->defines a zone.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->The <B -CLASS="command" ->logging</B -> and - <B -CLASS="command" ->options</B -> statements may only occur once per - configuration.</P -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1411" ->6.2.1. <B -CLASS="command" ->acl</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" -><B -CLASS="command" ->acl</B -> acl-name { + terminated with a semicolon.</p> +<p>The following statements are supported:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><span><strong class="command">acl</strong></span></p></td> +<td><p>defines a named IP address +matching list, for access control and other uses.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">controls</strong></span></p></td> +<td><p>declares control channels to be used +by the <span><strong class="command">rndc</strong></span> utility.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">include</strong></span></p></td> +<td><p>includes a file.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">key</strong></span></p></td> +<td><p>specifies key information for use in +authentication and authorization using TSIG.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">logging</strong></span></p></td> +<td><p>specifies what the server logs, and where +the log messages are sent.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">lwres</strong></span></p></td> +<td><p>configures <span><strong class="command">named</strong></span> to +also act as a light weight resolver daemon (<span><strong class="command">lwresd</strong></span>).</p></td> +</tr> +<tr> +<td><p><span><strong class="command">masters</strong></span></p></td> +<td><p>defines a named masters list for +inclusion in stub and slave zone masters clauses.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">options</strong></span></p></td> +<td><p>controls global server configuration +options and sets defaults for other statements.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">server</strong></span></p></td> +<td><p>sets certain configuration options on +a per-server basis.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">trusted-keys</strong></span></p></td> +<td><p>defines trusted DNSSEC keys.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">view</strong></span></p></td> +<td><p>defines a view.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">zone</strong></span></p></td> +<td><p>defines a zone.</p></td> +</tr> +</tbody> +</table></div> +<p>The <span><strong class="command">logging</strong></span> and + <span><strong class="command">options</strong></span> statements may only occur once per + configuration.</p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2552302"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { address_match_list }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="acl" ->6.2.2. <B -CLASS="command" ->acl</B -> Statement Definition and -Usage</A -></H2 -><P ->The <B -CLASS="command" ->acl</B -> statement assigns a symbolic +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and +Usage</h3></div></div></div> +<p>The <span><strong class="command">acl</strong></span> statement assigns a symbolic name to an address match list. It gets its name from a primary - use of address match lists: Access Control Lists (ACLs).</P -><P ->Note that an address match list's name must be defined - with <B -CLASS="command" ->acl</B -> before it can be used elsewhere; no - forward references are allowed.</P -><P ->The following ACLs are built-in:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN1424" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><B -CLASS="command" ->any</B -></P -></TD -><TD -><P ->Matches all hosts.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->none</B -></P -></TD -><TD -><P ->Matches no hosts.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->localhost</B -></P -></TD -><TD -><P ->Matches the IPv4 and IPv6 addresses of all network -interfaces on the system.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->localnets</B -></P -></TD -><TD -><P ->Matches any host on an IPv4 or IPv6 network + use of address match lists: Access Control Lists (ACLs).</p> +<p>Note that an address match list's name must be defined + with <span><strong class="command">acl</strong></span> before it can be used elsewhere; no + forward references are allowed.</p> +<p>The following ACLs are built-in:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><span><strong class="command">any</strong></span></p></td> +<td><p>Matches all hosts.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">none</strong></span></p></td> +<td><p>Matches no hosts.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">localhost</strong></span></p></td> +<td><p>Matches the IPv4 and IPv6 addresses of all network +interfaces on the system.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">localnets</strong></span></p></td> +<td><p>Matches any host on an IPv4 or IPv6 network for which the system has an interface. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. -In such a case, <B -CLASS="command" ->localnets</B -> only matches the local -IPv6 addresses, just like <B -CLASS="command" ->localhost</B ->. -</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1455" ->6.2.3. <B -CLASS="command" ->controls</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" -><B -CLASS="command" ->controls</B -> { - inet ( ip_addr | * ) [<SPAN -CLASS="optional" -> port ip_port </SPAN ->] allow { <VAR -CLASS="replaceable" -> address_match_list </VAR -> } - keys { <VAR -CLASS="replaceable" -> key_list </VAR -> }; - [<SPAN -CLASS="optional" -> inet ...; </SPAN ->] +In such a case, <span><strong class="command">localnets</strong></span> only matches the local +IPv6 addresses, just like <span><strong class="command">localhost</strong></span>. +</p></td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2552471"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">controls</strong></span> { + inet ( ip_addr | * ) [<span class="optional"> port ip_port </span>] allow { <em class="replaceable"><code> address_match_list </code></em> } + keys { <em class="replaceable"><code> key_list </code></em> }; + [<span class="optional"> inet ...; </span>] }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="controls_statement_definition_and_usage" ->6.2.4. <B -CLASS="command" ->controls</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->controls</B -> statement declares control +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">controls</strong></span> statement declares control channels to be used by system administrators to control the operation of the name server. These control channels are - used by the <B -CLASS="command" ->rndc</B -> utility to send commands to - and retrieve non-DNS results from a name server.</P -><P ->An <B -CLASS="command" ->inet</B -> control channel is a TCP + used by the <span><strong class="command">rndc</strong></span> utility to send commands to + and retrieve non-DNS results from a name server.</p> +<p>An <span><strong class="command">inet</strong></span> control channel is a TCP socket listening at the specified - <B -CLASS="command" ->ip_port</B -> on the specified - <B -CLASS="command" ->ip_addr</B ->, which can be an IPv4 or IPv6 - address. An <B -CLASS="command" ->ip_addr</B -> - of <VAR -CLASS="literal" ->*</VAR -> is interpreted as the IPv4 wildcard + <span><strong class="command">ip_port</strong></span> on the specified + <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 + address. An <span><strong class="command">ip_addr</strong></span> + of <code class="literal">*</code> is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, - use an <B -CLASS="command" ->ip_addr</B -> of <VAR -CLASS="literal" ->::</VAR ->. - If you will only use <B -CLASS="command" ->rndc</B -> on the local host, - using the loopback address (<VAR -CLASS="literal" ->127.0.0.1</VAR -> - or <VAR -CLASS="literal" ->::1</VAR ->) is recommended for maximum + use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. + If you will only use <span><strong class="command">rndc</strong></span> on the local host, + using the loopback address (<code class="literal">127.0.0.1</code> + or <code class="literal">::1</code>) is recommended for maximum security. - </P -><P -> If no port is specified, port 953 - is used. "<VAR -CLASS="literal" ->*</VAR ->" cannot be used for - <B -CLASS="command" ->ip_port</B ->.</P -><P ->The ability to issue commands over the control channel is - restricted by the <B -CLASS="command" ->allow</B -> and - <B -CLASS="command" ->keys</B -> clauses. Connections to the control + </p> +<p> + If no port is specified, port 953 + is used. "<code class="literal">*</code>" cannot be used for + <span><strong class="command">ip_port</strong></span>.</p> +<p>The ability to issue commands over the control channel is + restricted by the <span><strong class="command">allow</strong></span> and + <span><strong class="command">keys</strong></span> clauses. Connections to the control channel are permitted based on the - <B -CLASS="command" ->address_match_list</B ->. This is for simple - IP address based filtering only; any <B -CLASS="command" ->key_id</B -> - elements of the <B -CLASS="command" ->address_match_list</B -> are + <span><strong class="command">address_match_list</strong></span>. This is for simple + IP address based filtering only; any <span><strong class="command">key_id</strong></span> + elements of the <span><strong class="command">address_match_list</strong></span> are ignored. - </P -><P ->The primary authorization mechanism of the command - channel is the <B -CLASS="command" ->key_list</B ->, which contains - a list of <B -CLASS="command" ->key_id</B ->s. - Each <B -CLASS="command" ->key_id</B -> in - the <B -CLASS="command" ->key_list</B -> is authorized to execute + </p> +<p>The primary authorization mechanism of the command + channel is the <span><strong class="command">key_list</strong></span>, which contains + a list of <span><strong class="command">key_id</strong></span>s. + Each <span><strong class="command">key_id</strong></span> in + the <span><strong class="command">key_list</strong></span> is authorized to execute commands over the control channel. - See <A -HREF="Bv9ARM.ch03.html#rndc" ->Remote Name Daemon Control application</A -> in - <A -HREF="Bv9ARM.ch03.html#admin_tools" ->Section 3.3.1.2</A ->) for information about - configuring keys in <B -CLASS="command" ->rndc</B ->.</P -><P -> If no <B -CLASS="command" ->controls</B -> statement is present, -<B -CLASS="command" ->named</B -> will set up a default + See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in + <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) for information about + configuring keys in <span><strong class="command">rndc</strong></span>.</p> +<p> +If no <span><strong class="command">controls</strong></span> statement is present, +<span><strong class="command">named</strong></span> will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1. -In this case, and also when the <B -CLASS="command" ->controls</B -> statement -is present but does not have a <B -CLASS="command" ->keys</B -> clause, -<B -CLASS="command" ->named</B -> will attempt to load the command channel key -from the file <TT -CLASS="filename" ->rndc.key</TT -> in -<TT -CLASS="filename" ->/etc</TT -> (or whatever <VAR -CLASS="varname" ->sysconfdir</VAR -> -was specified as when <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> was built). -To create a <TT -CLASS="filename" ->rndc.key</TT -> file, run -<KBD -CLASS="userinput" ->rndc-confgen -a</KBD ->. -</P -><P ->The <TT -CLASS="filename" ->rndc.key</TT -> feature was created to - ease the transition of systems from <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8, +In this case, and also when the <span><strong class="command">controls</strong></span> statement +is present but does not have a <span><strong class="command">keys</strong></span> clause, +<span><strong class="command">named</strong></span> will attempt to load the command channel key +from the file <code class="filename">rndc.key</code> in +<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code> +was specified as when <span class="acronym">BIND</span> was built). +To create a <code class="filename">rndc.key</code> file, run +<strong class="userinput"><code>rndc-confgen -a</code></strong>. +</p> +<p>The <code class="filename">rndc.key</code> feature was created to + ease the transition of systems from <span class="acronym">BIND</span> 8, which did not have digital signatures on its command channel messages - and thus did not have a <B -CLASS="command" ->keys</B -> clause. + and thus did not have a <span><strong class="command">keys</strong></span> clause. -It makes it possible to use an existing <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 -configuration file in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 unchanged, -and still have <B -CLASS="command" ->rndc</B -> work the same way -<B -CLASS="command" ->ndc</B -> worked in BIND 8, simply by executing the -command <KBD -CLASS="userinput" ->rndc-confgen -a</KBD -> after BIND 9 is +It makes it possible to use an existing <span class="acronym">BIND</span> 8 +configuration file in <span class="acronym">BIND</span> 9 unchanged, +and still have <span><strong class="command">rndc</strong></span> work the same way +<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the +command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is installed. -</P -><P -> Since the <TT -CLASS="filename" ->rndc.key</TT -> feature +</p> +<p> + Since the <code class="filename">rndc.key</code> feature is only intended to allow the backward-compatible usage of - <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 configuration files, this feature does not + <span class="acronym">BIND</span> 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make a - <TT -CLASS="filename" ->rndc.conf</TT -> with your own key if you wish to change - those things. The <TT -CLASS="filename" ->rndc.key</TT -> file also has its + <code class="filename">rndc.conf</code> with your own key if you wish to change + those things. The <code class="filename">rndc.key</code> file also has its permissions set such that only the owner of the file (the user that - <B -CLASS="command" ->named</B -> is running as) can access it. If you + <span><strong class="command">named</strong></span> is running as) can access it. If you desire greater flexibility in allowing other users to access - <B -CLASS="command" ->rndc</B -> commands then you need to create an - <TT -CLASS="filename" ->rndc.conf</TT -> and make it group readable by a group - that contains the users who should have access.</P -><P ->The UNIX control channel type of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 is not supported - in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9, and is not expected to be added in future + <span><strong class="command">rndc</strong></span> commands then you need to create an + <code class="filename">rndc.conf</code> and make it group readable by a group + that contains the users who should have access.</p> +<p>The UNIX control channel type of <span class="acronym">BIND</span> 8 is not supported + in <span class="acronym">BIND</span> 9, and is not expected to be added in future releases. If it is present in the controls statement from a - <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 configuration file, it is ignored - and a warning is logged.</P -><P -> To disable the command channel, use an empty <B -CLASS="command" ->controls</B -> -statement: <B -CLASS="command" ->controls { };</B ->. -</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1534" ->6.2.5. <B -CLASS="command" ->include</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" ->include <VAR -CLASS="replaceable" ->filename</VAR ->;</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1539" ->6.2.6. <B -CLASS="command" ->include</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->include</B -> statement inserts the - specified file at the point where the <B -CLASS="command" ->include</B -> - statement is encountered. The <B -CLASS="command" ->include</B -> + <span class="acronym">BIND</span> 8 configuration file, it is ignored + and a warning is logged.</p> +<p> +To disable the command channel, use an empty <span><strong class="command">controls</strong></span> +statement: <span><strong class="command">controls { };</strong></span>. +</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2552808"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2552823"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">include</strong></span> statement inserts the + specified file at the point where the <span><strong class="command">include</strong></span> + statement is encountered. The <span><strong class="command">include</strong></span> statement facilitates the administration of configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private keys - that are readable only by the name server.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1546" ->6.2.7. <B -CLASS="command" ->key</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" ->key <VAR -CLASS="replaceable" ->key_id</VAR -> { - algorithm <VAR -CLASS="replaceable" ->string</VAR ->; - secret <VAR -CLASS="replaceable" ->string</VAR ->; + that are readable only by the name server.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2552845"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> { + algorithm <em class="replaceable"><code>string</code></em>; + secret <em class="replaceable"><code>string</code></em>; }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1553" ->6.2.8. <B -CLASS="command" ->key</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->key</B -> statement defines a shared -secret key for use with TSIG (see <A -HREF="Bv9ARM.ch04.html#tsig" ->Section 4.5</A ->) +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2552867"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">key</strong></span> statement defines a shared +secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) or the command channel -(see <A -HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage" ->Section 6.2.4</A ->). -</P -><P -> The <B -CLASS="command" ->key</B -> statement can occur at the top level -of the configuration file or inside a <B -CLASS="command" ->view</B -> -statement. Keys defined in top-level <B -CLASS="command" ->key</B -> +(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and Usage”</a>). +</p> +<p> +The <span><strong class="command">key</strong></span> statement can occur at the top level +of the configuration file or inside a <span><strong class="command">view</strong></span> +statement. Keys defined in top-level <span><strong class="command">key</strong></span> statements can be used in all views. Keys intended for use in -a <B -CLASS="command" ->controls</B -> statement -(see <A -HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage" ->Section 6.2.4</A ->) +a <span><strong class="command">controls</strong></span> statement +(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and Usage”</a>) must be defined at the top level. -</P -><P ->The <VAR -CLASS="replaceable" ->key_id</VAR ->, also known as the +</p> +<p>The <em class="replaceable"><code>key_id</code></em>, also known as the key name, is a domain name uniquely identifying the key. It can -be used in a <B -CLASS="command" ->server</B -> +be used in a <span><strong class="command">server</strong></span> statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key -matching this name, algorithm, and secret.</P -><P ->The <VAR -CLASS="replaceable" ->algorithm_id</VAR -> is a string +matching this name, algorithm, and secret.</p> +<p>The <em class="replaceable"><code>algorithm_id</code></em> is a string that specifies a security/authentication algorithm. The only algorithm currently supported with TSIG authentication is -<VAR -CLASS="literal" ->hmac-md5</VAR ->. The -<VAR -CLASS="replaceable" ->secret_string</VAR -> is the secret to be +<code class="literal">hmac-md5</code>. The +<em class="replaceable"><code>secret_string</code></em> is the secret to be used by the algorithm, and is treated as a base-64 encoded -string.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1573" ->6.2.9. <B -CLASS="command" ->logging</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" -><B -CLASS="command" ->logging</B -> { - [ <B -CLASS="command" ->channel</B -> <VAR -CLASS="replaceable" ->channel_name</VAR -> { - ( <B -CLASS="command" ->file</B -> <VAR -CLASS="replaceable" ->path name</VAR -> - [ <B -CLASS="command" ->versions</B -> ( <VAR -CLASS="replaceable" ->number</VAR -> | <VAR -CLASS="literal" ->unlimited</VAR -> ) ] - [ <B -CLASS="command" ->size</B -> <VAR -CLASS="replaceable" ->size spec</VAR -> ] - | <B -CLASS="command" ->syslog</B -> <VAR -CLASS="replaceable" ->syslog_facility</VAR -> - | <B -CLASS="command" ->stderr</B -> - | <B -CLASS="command" ->null</B -> ); - [ <B -CLASS="command" ->severity</B -> (<VAR -CLASS="option" ->critical</VAR -> | <VAR -CLASS="option" ->error</VAR -> | <VAR -CLASS="option" ->warning</VAR -> | <VAR -CLASS="option" ->notice</VAR -> | - <VAR -CLASS="option" ->info</VAR -> | <VAR -CLASS="option" ->debug</VAR -> [ <VAR -CLASS="replaceable" ->level</VAR -> ] | <VAR -CLASS="option" ->dynamic</VAR -> ); ] - [ <B -CLASS="command" ->print-category</B -> <VAR -CLASS="option" ->yes</VAR -> or <VAR -CLASS="option" ->no</VAR ->; ] - [ <B -CLASS="command" ->print-severity</B -> <VAR -CLASS="option" ->yes</VAR -> or <VAR -CLASS="option" ->no</VAR ->; ] - [ <B -CLASS="command" ->print-time</B -> <VAR -CLASS="option" ->yes</VAR -> or <VAR -CLASS="option" ->no</VAR ->; ] +string.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2553006"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">logging</strong></span> { + [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { + ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em> + [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="literal">unlimited</code> ) ] + [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ] + | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> + | <span><strong class="command">stderr</strong></span> + | <span><strong class="command">null</strong></span> ); + [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | + <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ] + [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] }; ] - [ <B -CLASS="command" ->category</B -> <VAR -CLASS="replaceable" ->category_name</VAR -> { - <VAR -CLASS="replaceable" ->channel_name</VAR -> ; [ <VAR -CLASS="replaceable" ->channel_nam</VAR ->e ; ... ] + [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> { + <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_nam</code></em>e ; ... ] }; ] ... }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1613" ->6.2.10. <B -CLASS="command" ->logging</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->logging</B -> statement configures a wide -variety of logging options for the name server. Its <B -CLASS="command" ->channel</B -> phrase +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2553269"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">logging</strong></span> statement configures a wide +variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase associates output methods, format options and severity levels with -a name that can then be used with the <B -CLASS="command" ->category</B -> phrase -to select how various classes of messages are logged.</P -><P ->Only one <B -CLASS="command" ->logging</B -> statement is used to define -as many channels and categories as are wanted. If there is no <B -CLASS="command" ->logging</B -> statement, -the logging configuration will be:</P -><PRE -CLASS="programlisting" ->logging { +a name that can then be used with the <span><strong class="command">category</strong></span> phrase +to select how various classes of messages are logged.</p> +<p>Only one <span><strong class="command">logging</strong></span> statement is used to define +as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement, +the logging configuration will be:</p> +<pre class="programlisting">logging { category default { default_syslog; default_debug; }; category unmatched { null; }; }; -</PRE -><P ->In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9, the logging configuration is only established when -the entire configuration file has been parsed. In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8, it was -established as soon as the <B -CLASS="command" ->logging</B -> statement +</pre> +<p>In <span class="acronym">BIND</span> 9, the logging configuration is only established when +the entire configuration file has been parsed. In <span class="acronym">BIND</span> 8, it was +established as soon as the <span><strong class="command">logging</strong></span> statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default -channels, or to standard error if the "<VAR -CLASS="option" ->-g</VAR ->" option -was specified.</P -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN1629" ->6.2.10.1. The <B -CLASS="command" ->channel</B -> Phrase</A -></H3 -><P ->All log output goes to one or more <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->channels</I -></SPAN ->; -you can make as many of them as you want.</P -><P ->Every channel definition must include a destination clause that +channels, or to standard error if the "<code class="option">-g</code>" option +was specified.</p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2553321"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> +<p>All log output goes to one or more <span class="emphasis"><em>channels</em></span>; +you can make as many of them as you want.</p> +<p>Every channel definition must include a destination clause that says whether messages selected for the channel go to a file, to a particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is -<B -CLASS="command" ->info</B ->), and whether to include a -<B -CLASS="command" ->named</B ->-generated time stamp, the category name -and/or severity level (the default is not to include any).</P -><P ->The <B -CLASS="command" ->null</B -> destination clause +<span><strong class="command">info</strong></span>), and whether to include a +<span><strong class="command">named</strong></span>-generated time stamp, the category name +and/or severity level (the default is not to include any).</p> +<p>The <span><strong class="command">null</strong></span> destination clause causes all messages sent to the channel to be discarded; -in that case, other options for the channel are meaningless.</P -><P ->The <B -CLASS="command" ->file</B -> destination clause directs the channel +in that case, other options for the channel are meaningless.</p> +<p>The <span><strong class="command">file</strong></span> destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many versions -of the file will be saved each time the file is opened.</P -><P ->If you use the <B -CLASS="command" ->versions</B -> log file option, then -<B -CLASS="command" ->named</B -> will retain that many backup versions of the file by +of the file will be saved each time the file is opened.</p> +<p>If you use the <span><strong class="command">versions</strong></span> log file option, then +<span><strong class="command">named</strong></span> will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep 3 old versions -of the file <TT -CLASS="filename" ->lamers.log</TT -> then just before it is opened -<TT -CLASS="filename" ->lamers.log.1</TT -> is renamed to -<TT -CLASS="filename" ->lamers.log.2</TT ->, <TT -CLASS="filename" ->lamers.log.0</TT -> is renamed -to <TT -CLASS="filename" ->lamers.log.1</TT ->, and <TT -CLASS="filename" ->lamers.log</TT -> is -renamed to <TT -CLASS="filename" ->lamers.log.0</TT ->. -You can say <B -CLASS="command" ->versions unlimited</B -> to not limit +of the file <code class="filename">lamers.log</code> then just before it is opened +<code class="filename">lamers.log.1</code> is renamed to +<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed +to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is +renamed to <code class="filename">lamers.log.0</code>. +You can say <span><strong class="command">versions unlimited</strong></span> to not limit the number of versions. -If a <B -CLASS="command" ->size</B -> option is associated with the log file, +If a <span><strong class="command">size</strong></span> option is associated with the log file, then renaming is only done when the file being opened exceeds the indicated size. No backup versions are kept by default; any existing -log file is simply appended.</P -><P ->The <B -CLASS="command" ->size</B -> option for files is used to limit log -growth. If the file ever exceeds the size, then <B -CLASS="command" ->named</B -> will -stop writing to the file unless it has a <B -CLASS="command" ->versions</B -> option +log file is simply appended.</p> +<p>The <span><strong class="command">size</strong></span> option for files is used to limit log +growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will +stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no -<B -CLASS="command" ->versions</B -> option, no more data will be written to the log +<span><strong class="command">versions</strong></span> option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the maximum size. The default behavior is not to limit the size of the -file.</P -><P ->Example usage of the <B -CLASS="command" ->size</B -> and -<B -CLASS="command" ->versions</B -> options:</P -><PRE -CLASS="programlisting" ->channel an_example_channel { +file.</p> +<p>Example usage of the <span><strong class="command">size</strong></span> and +<span><strong class="command">versions</strong></span> options:</p> +<pre class="programlisting">channel an_example_channel { file "example.log" versions 3 size 20m; print-time yes; print-category yes; }; -</PRE -><P ->The <B -CLASS="command" ->syslog</B -> destination clause directs the +</pre> +<p>The <span><strong class="command">syslog</strong></span> destination clause directs the channel to the system log. Its argument is a -syslog facility as described in the <B -CLASS="command" ->syslog</B -> man -page. Known facilities are <B -CLASS="command" ->kern</B ->, <B -CLASS="command" ->user</B ->, -<B -CLASS="command" ->mail</B ->, <B -CLASS="command" ->daemon</B ->, <B -CLASS="command" ->auth</B ->, -<B -CLASS="command" ->syslog</B ->, <B -CLASS="command" ->lpr</B ->, <B -CLASS="command" ->news</B ->, -<B -CLASS="command" ->uucp</B ->, <B -CLASS="command" ->cron</B ->, <B -CLASS="command" ->authpriv</B ->, -<B -CLASS="command" ->ftp</B ->, <B -CLASS="command" ->local0</B ->, <B -CLASS="command" ->local1</B ->, -<B -CLASS="command" ->local2</B ->, <B -CLASS="command" ->local3</B ->, <B -CLASS="command" ->local4</B ->, -<B -CLASS="command" ->local5</B ->, <B -CLASS="command" ->local6</B -> and -<B -CLASS="command" ->local7</B ->, however not all facilities are supported on +syslog facility as described in the <span><strong class="command">syslog</strong></span> man +page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>, +<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>, +<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>, +<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>, +<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>, +<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>, +<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and +<span><strong class="command">local7</strong></span>, however not all facilities are supported on all operating systems. -How <B -CLASS="command" ->syslog</B -> will handle messages sent to -this facility is described in the <B -CLASS="command" ->syslog.conf</B -> man -page. If you have a system which uses a very old version of <B -CLASS="command" ->syslog</B -> that -only uses two arguments to the <B -CLASS="command" ->openlog()</B -> function, -then this clause is silently ignored.</P -><P ->The <B -CLASS="command" ->severity</B -> clause works like <B -CLASS="command" ->syslog</B ->'s +How <span><strong class="command">syslog</strong></span> will handle messages sent to +this facility is described in the <span><strong class="command">syslog.conf</strong></span> man +page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that +only uses two arguments to the <span><strong class="command">openlog()</strong></span> function, +then this clause is silently ignored.</p> +<p>The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s "priorities", except that they can also be used if you are writing -straight to a file rather than using <B -CLASS="command" ->syslog</B ->. +straight to a file rather than using <span><strong class="command">syslog</strong></span>. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels -will be accepted.</P -><P ->If you are using <B -CLASS="command" ->syslog</B ->, then the <B -CLASS="command" ->syslog.conf</B -> priorities +will be accepted.</p> +<p>If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities will also determine what eventually passes through. For example, -defining a channel facility and severity as <B -CLASS="command" ->daemon</B -> and <B -CLASS="command" ->debug</B -> but -only logging <B -CLASS="command" ->daemon.warning</B -> via <B -CLASS="command" ->syslog.conf</B -> will -cause messages of severity <B -CLASS="command" ->info</B -> and <B -CLASS="command" ->notice</B -> to -be dropped. If the situation were reversed, with <B -CLASS="command" ->named</B -> writing -messages of only <B -CLASS="command" ->warning</B -> or higher, then <B -CLASS="command" ->syslogd</B -> would -print all messages it received from the channel.</P -><P ->The <B -CLASS="command" ->stderr</B -> destination clause directs the +defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but +only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will +cause messages of severity <span><strong class="command">info</strong></span> and <span><strong class="command">notice</strong></span> to +be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing +messages of only <span><strong class="command">warning</strong></span> or higher, then <span><strong class="command">syslogd</strong></span> would +print all messages it received from the channel.</p> +<p>The <span><strong class="command">stderr</strong></span> destination clause directs the channel to the server's standard error stream. This is intended for use when the server is running as a foreground process, for example -when debugging a configuration.</P -><P ->The server can supply extensive debugging information when +when debugging a configuration.</p> +<p>The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug -level is set either by starting the <B -CLASS="command" ->named</B -> server -with the <VAR -CLASS="option" ->-d</VAR -> flag followed by a positive integer, -or by running <B -CLASS="command" ->rndc trace</B ->. +level is set either by starting the <span><strong class="command">named</strong></span> server +with the <code class="option">-d</code> flag followed by a positive integer, +or by running <span><strong class="command">rndc trace</strong></span>. The global debug level -can be set to zero, and debugging mode turned off, by running <B -CLASS="command" ->ndc -notrace</B ->. All debugging messages in the server have a debug +can be set to zero, and debugging mode turned off, by running <span><strong class="command">ndc +notrace</strong></span>. All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels -that specify a specific debug severity, for example:</P -><PRE -CLASS="programlisting" ->channel specific_debug_level { +that specify a specific debug severity, for example:</p> +<pre class="programlisting">channel specific_debug_level { file "foo"; severity debug 3; }; -</PRE -><P ->will get debugging output of level 3 or less any time the +</pre> +<p>will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging -level. Channels with <B -CLASS="command" ->dynamic</B -> severity use the -server's global debug level to determine what messages to print.</P -><P ->If <B -CLASS="command" ->print-time</B -> has been turned on, then -the date and time will be logged. <B -CLASS="command" ->print-time</B -> may -be specified for a <B -CLASS="command" ->syslog</B -> channel, but is usually -pointless since <B -CLASS="command" ->syslog</B -> also prints the date and -time. If <B -CLASS="command" ->print-category</B -> is requested, then the -category of the message will be logged as well. Finally, if <B -CLASS="command" ->print-severity</B -> is -on, then the severity level of the message will be logged. The <B -CLASS="command" ->print-</B -> options may +level. Channels with <span><strong class="command">dynamic</strong></span> severity use the +server's global debug level to determine what messages to print.</p> +<p>If <span><strong class="command">print-time</strong></span> has been turned on, then +the date and time will be logged. <span><strong class="command">print-time</strong></span> may +be specified for a <span><strong class="command">syslog</strong></span> channel, but is usually +pointless since <span><strong class="command">syslog</strong></span> also prints the date and +time. If <span><strong class="command">print-category</strong></span> is requested, then the +category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is +on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may be used in any combination, and will always be printed in the following -order: time, category, severity. Here is an example where all three <B -CLASS="command" ->print-</B -> options -are on:</P -><P -><SAMP -CLASS="computeroutput" ->28-Feb-2000 15:05:32.863 general: notice: running</SAMP -></P -><P ->There are four predefined channels that are used for -<B -CLASS="command" ->named</B ->'s default logging as follows. How they are -used is described in <A -HREF="Bv9ARM.ch06.html#the_category_phrase" ->Section 6.2.10.2</A ->. -</P -><PRE -CLASS="programlisting" ->channel default_syslog { +order: time, category, severity. Here is an example where all three <span><strong class="command">print-</strong></span> options +are on:</p> +<p><code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code></p> +<p>There are four predefined channels that are used for +<span><strong class="command">named</strong></span>'s default logging as follows. How they are +used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>. +</p> +<pre class="programlisting">channel default_syslog { syslog daemon; // send to syslog's daemon // facility severity info; // only send priority info @@ -2354,78 +850,37 @@ channel null { null; // toss anything sent to // this channel }; -</PRE -><P ->The <B -CLASS="command" ->default_debug</B -> channel has the special +</pre> +<p>The <span><strong class="command">default_debug</strong></span> channel has the special property that it only produces output when the server's debug level is -nonzero. It normally writes to a file <TT -CLASS="filename" ->named.run</TT -> -in the server's working directory.</P -><P ->For security reasons, when the "<VAR -CLASS="option" ->-u</VAR ->" -command line option is used, the <TT -CLASS="filename" ->named.run</TT -> file -is created only after <B -CLASS="command" ->named</B -> has changed to the -new UID, and any debug output generated while <B -CLASS="command" ->named</B -> is +nonzero. It normally writes to a file <code class="filename">named.run</code> +in the server's working directory.</p> +<p>For security reasons, when the "<code class="option">-u</code>" +command line option is used, the <code class="filename">named.run</code> file +is created only after <span><strong class="command">named</strong></span> has changed to the +new UID, and any debug output generated while <span><strong class="command">named</strong></span> is starting up and still running as root is discarded. If you need -to capture this output, you must run the server with the "<VAR -CLASS="option" ->-g</VAR ->" -option and redirect standard error to a file.</P -><P ->Once a channel is defined, it cannot be redefined. Thus you +to capture this output, you must run the server with the "<code class="option">-g</code>" +option and redirect standard error to a file.</p> +<p>Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify -the default logging by pointing categories at channels you have defined.</P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="the_category_phrase" ->6.2.10.2. The <B -CLASS="command" ->category</B -> Phrase</A -></H3 -><P ->There are many categories, so you can send the logs you want +the default logging by pointing categories at channels you have defined.</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div> +<p>There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages -in that category will be sent to the <B -CLASS="command" ->default</B -> category +in that category will be sent to the <span><strong class="command">default</strong></span> category instead. If you don't specify a default category, the following -"default default" is used:</P -><PRE -CLASS="programlisting" ->category default { default_syslog; default_debug; }; -</PRE -><P ->As an example, let's say you want to log security events to +"default default" is used:</p> +<pre class="programlisting">category default { default_syslog; default_debug; }; +</pre> +<p>As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd -specify the following:</P -><PRE -CLASS="programlisting" ->channel my_security_channel { +specify the following:</p> +<pre class="programlisting">channel my_security_channel { file "my_security_file"; severity info; }; @@ -2433,2691 +888,690 @@ category security { my_security_channel; default_syslog; default_debug; -};</PRE -><P ->To discard all messages in a category, specify the <B -CLASS="command" ->null</B -> channel:</P -><PRE -CLASS="programlisting" ->category xfer-out { null; }; +};</pre> +<p>To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:</p> +<pre class="programlisting">category xfer-out { null; }; category notify { null; }; -</PRE -><P ->Following are the available categories and brief descriptions +</pre> +<p>Following are the available categories and brief descriptions of the types of log information they contain. More -categories may be added in future <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> releases.</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN1753" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><B -CLASS="command" ->default</B -></P -></TD -><TD -><P ->The default category defines the logging +categories may be added in future <span class="acronym">BIND</span> releases.</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><span><strong class="command">default</strong></span></p></td> +<td><p>The default category defines the logging options for those categories where no specific configuration has been -defined.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->general</B -></P -></TD -><TD -><P ->The catch-all. Many things still aren't -classified into categories, and they all end up here.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->database</B -></P -></TD -><TD -><P ->Messages relating to the databases used -internally by the name server to store zone and cache data.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->security</B -></P -></TD -><TD -><P ->Approval and denial of requests.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->config</B -></P -></TD -><TD -><P ->Configuration file parsing and processing.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->resolver</B -></P -></TD -><TD -><P ->DNS resolution, such as the recursive -lookups performed on behalf of clients by a caching name server.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->xfer-in</B -></P -></TD -><TD -><P ->Zone transfers the server is receiving.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->xfer-out</B -></P -></TD -><TD -><P ->Zone transfers the server is sending.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->notify</B -></P -></TD -><TD -><P ->The NOTIFY protocol.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->client</B -></P -></TD -><TD -><P ->Processing of client requests.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->unmatched</B -></P -></TD -><TD -><P ->Messages that named was unable to determine the -class of or for which there was no matching <B -CLASS="command" ->view</B ->. -A one line summary is also logged to the <B -CLASS="command" ->client</B -> category. +defined.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">general</strong></span></p></td> +<td><p>The catch-all. Many things still aren't +classified into categories, and they all end up here.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">database</strong></span></p></td> +<td><p>Messages relating to the databases used +internally by the name server to store zone and cache data.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">security</strong></span></p></td> +<td><p>Approval and denial of requests.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">config</strong></span></p></td> +<td><p>Configuration file parsing and processing.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">resolver</strong></span></p></td> +<td><p>DNS resolution, such as the recursive +lookups performed on behalf of clients by a caching name server.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">xfer-in</strong></span></p></td> +<td><p>Zone transfers the server is receiving.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">xfer-out</strong></span></p></td> +<td><p>Zone transfers the server is sending.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">notify</strong></span></p></td> +<td><p>The NOTIFY protocol.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">client</strong></span></p></td> +<td><p>Processing of client requests.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">unmatched</strong></span></p></td> +<td><p>Messages that named was unable to determine the +class of or for which there was no matching <span><strong class="command">view</strong></span>. +A one line summary is also logged to the <span><strong class="command">client</strong></span> category. This category is best sent to a file or stderr, by default it is sent to -the <B -CLASS="command" ->null</B -> channel.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->network</B -></P -></TD -><TD -><P ->Network operations.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->update</B -></P -></TD -><TD -><P ->Dynamic updates.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->update-security</B -></P -></TD -><TD -><P ->Approval and denial of update requests.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->queries</B -></P -></TD -><TD -><P ->Specify where queries should be logged to.</P -> -<P -> At startup, specifing the category <B -CLASS="command" ->queries</B -> will also -enable query logging unless <B -CLASS="command" ->querylog</B -> option has been +the <span><strong class="command">null</strong></span> channel.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">network</strong></span></p></td> +<td><p>Network operations.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">update</strong></span></p></td> +<td><p>Dynamic updates.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">update-security</strong></span></p></td> +<td><p>Approval and denial of update requests.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">queries</strong></span></p></td> +<td> +<p>Specify where queries should be logged to.</p> +<p> +At startup, specifing the category <span><strong class="command">queries</strong></span> will also +enable query logging unless <span><strong class="command">querylog</strong></span> option has been specified. -</P -> -<P -> The query log entry reports the client's IP address and port number. The +</p> +<p> +The query log entry reports the client's IP address and port number. The query name, class and type. It also reports whether the Recursion Desired flag was set (+ if set, - if not set), EDNS was in use (E) or if the -query was signed (S).</P -> -<PRE -CLASS="programlisting" -><SAMP -CLASS="computeroutput" ->client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</SAMP -> -<SAMP -CLASS="computeroutput" ->client ::1#62537: query: www.example.net IN AAAA -SE</SAMP -> -</PRE -> -</TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->dispatch</B -></P -></TD -><TD -><P ->Dispatching of incoming packets to the +query was signed (S).</p> +<p><code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code> +</p> +<p><code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code> +</p> +</td> +</tr> +<tr> +<td><p><span><strong class="command">dispatch</strong></span></p></td> +<td><p>Dispatching of incoming packets to the server modules where they are to be processed. -</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->dnssec</B -></P -></TD -><TD -><P ->DNSSEC and TSIG protocol processing. -</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->lame-servers</B -></P -></TD -><TD -><P ->Lame servers. These are misconfigurations +</p></td> +</tr> +<tr> +<td><p><span><strong class="command">dnssec</strong></span></p></td> +<td><p>DNSSEC and TSIG protocol processing. +</p></td> +</tr> +<tr> +<td><p><span><strong class="command">lame-servers</strong></span></p></td> +<td><p>Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution. -</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->delegation-only</B -></P -></TD -><TD -><P ->Delegation only. Logs queries that have have +</p></td> +</tr> +<tr> +<td><p><span><strong class="command">delegation-only</strong></span></p></td> +<td><p>Delegation only. Logs queries that have have been forced to NXDOMAIN as the result of a delegation-only zone or -a <B -CLASS="command" ->delegation-only</B -> in a hint or stub zone declaration. -</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1883" ->6.2.11. <B -CLASS="command" ->lwres</B -> Statement Grammar</A -></H2 -><P -> This is the grammar of the <B -CLASS="command" ->lwres</B -> -statement in the <TT -CLASS="filename" ->named.conf</TT -> file:</P -><PRE -CLASS="programlisting" -><B -CLASS="command" ->lwres</B -> { - [<SPAN -CLASS="optional" -> listen-on { <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; ... </SPAN ->] }; </SPAN ->] - [<SPAN -CLASS="optional" -> view <VAR -CLASS="replaceable" ->view_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> search { <VAR -CLASS="replaceable" ->domain_name</VAR -> ; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->domain_name</VAR -> ; ... </SPAN ->] }; </SPAN ->] - [<SPAN -CLASS="optional" -> ndots <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] +a <span><strong class="command">delegation-only</strong></span> in a hint or stub zone declaration. +</p></td> +</tr> +</tbody> +</table></div> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2554474"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> +<p> This is the grammar of the <span><strong class="command">lwres</strong></span> +statement in the <code class="filename">named.conf</code> file:</p> +<pre class="programlisting"><span><strong class="command">lwres</strong></span> { + [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>] + [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>] + [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>] }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1907" ->6.2.12. <B -CLASS="command" ->lwres</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->lwres</B -> statement configures the name +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2554547"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">lwres</strong></span> statement configures the name server to also act as a lightweight resolver server, see -<A -HREF="Bv9ARM.ch05.html#lwresd" ->Section 5.2</A ->. There may be be multiple -<B -CLASS="command" ->lwres</B -> statements configuring -lightweight resolver servers with different properties.</P -><P ->The <B -CLASS="command" ->listen-on</B -> statement specifies a list of +<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>. There may be be multiple +<span><strong class="command">lwres</strong></span> statements configuring +lightweight resolver servers with different properties.</p> +<p>The <span><strong class="command">listen-on</strong></span> statement specifies a list of addresses (and ports) that this instance of a lightweight resolver daemon should accept requests on. If no port is specified, port 921 is used. If this statement is omitted, requests will be accepted on 127.0.0.1, -port 921.</P -><P ->The <B -CLASS="command" ->view</B -> statement binds this instance of a +port 921.</p> +<p>The <span><strong class="command">view</strong></span> statement binds this instance of a lightweight resolver daemon to a view in the DNS namespace, so that the response will be constructed in the same manner as a normal DNS query matching this view. If this statement is omitted, the default view is -used, and if there is no default view, an error is triggered.</P -><P ->The <B -CLASS="command" ->search</B -> statement is equivalent to the -<B -CLASS="command" ->search</B -> statement in -<TT -CLASS="filename" ->/etc/resolv.conf</TT ->. It provides a list of domains -which are appended to relative names in queries.</P -><P ->The <B -CLASS="command" ->ndots</B -> statement is equivalent to the -<B -CLASS="command" ->ndots</B -> statement in -<TT -CLASS="filename" ->/etc/resolv.conf</TT ->. It indicates the minimum +used, and if there is no default view, an error is triggered.</p> +<p>The <span><strong class="command">search</strong></span> statement is equivalent to the +<span><strong class="command">search</strong></span> statement in +<code class="filename">/etc/resolv.conf</code>. It provides a list of domains +which are appended to relative names in queries.</p> +<p>The <span><strong class="command">ndots</strong></span> statement is equivalent to the +<span><strong class="command">ndots</strong></span> statement in +<code class="filename">/etc/resolv.conf</code>. It indicates the minimum number of dots in a relative domain name that should result in an -exact match lookup before search path elements are appended.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1926" ->6.2.13. <B -CLASS="command" ->masters</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" -> <B -CLASS="command" ->masters</B -> <VAR -CLASS="replaceable" ->name</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] { ( <VAR -CLASS="replaceable" ->masters_list</VAR -> | <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] [<SPAN -CLASS="optional" ->key <VAR -CLASS="replaceable" ->key</VAR -></SPAN ->] ) ; [<SPAN -CLASS="optional" ->...</SPAN ->] } ; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1941" ->6.2.14. <B -CLASS="command" ->masters</B -> Statement Definition and Usage</A -></H2 -><P -><B -CLASS="command" ->masters</B -> lists allow for a common set of masters -to be easily used by multiple stub and slave zones.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN1946" ->6.2.15. <B -CLASS="command" ->options</B -> Statement Grammar</A -></H2 -><P ->This is the grammar of the <B -CLASS="command" ->options</B -> -statement in the <TT -CLASS="filename" ->named.conf</TT -> file:</P -><PRE -CLASS="programlisting" ->options { - [<SPAN -CLASS="optional" -> version <VAR -CLASS="replaceable" ->version_string</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> hostname <VAR -CLASS="replaceable" ->hostname_string</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> server-id <VAR -CLASS="replaceable" ->server_id_string</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> directory <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> key-directory <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> named-xfer <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> tkey-domain <VAR -CLASS="replaceable" ->domainname</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> tkey-dhkey <VAR -CLASS="replaceable" ->key_name</VAR -> <VAR -CLASS="replaceable" ->key_tag</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> dump-file <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> memstatistics-file <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> pid-file <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> statistics-file <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> zone-statistics <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> auth-nxdomain <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> deallocate-on-exit <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> dialup <VAR -CLASS="replaceable" ->dialup_option</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> fake-iquery <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> fetch-glue <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> flush-zones-on-shutdown <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> has-old-clients <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> host-statistics <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> host-statistics-max <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> minimal-responses <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> multiple-cnames <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> notify <VAR -CLASS="replaceable" ->yes_or_no</VAR -> | <VAR -CLASS="replaceable" ->explicit</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> recursion <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> rfc2308-type1 <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> use-id-pool <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> maintain-ixfr-base <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> dnssec-enable <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> dnssec-lookaside <VAR -CLASS="replaceable" ->domain</VAR -> trust-anchor <VAR -CLASS="replaceable" ->domain</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> dnssec-must-be-secure <VAR -CLASS="replaceable" ->domain yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> forward ( <VAR -CLASS="replaceable" ->only</VAR -> | <VAR -CLASS="replaceable" ->first</VAR -> ); </SPAN ->] - [<SPAN -CLASS="optional" -> forwarders { <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; ... </SPAN ->] }; </SPAN ->] - [<SPAN -CLASS="optional" -> dual-stack-servers [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] { ( <VAR -CLASS="replaceable" ->domain_name</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] | <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ) ; ... }; </SPAN ->] - [<SPAN -CLASS="optional" -> check-names ( <VAR -CLASS="replaceable" ->master</VAR -> | <VAR -CLASS="replaceable" ->slave</VAR -> | <VAR -CLASS="replaceable" ->response</VAR -> )( <VAR -CLASS="replaceable" ->warn</VAR -> | <VAR -CLASS="replaceable" ->fail</VAR -> | <VAR -CLASS="replaceable" ->ignore</VAR -> ); </SPAN ->] - [<SPAN -CLASS="optional" -> allow-notify { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-query { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-transfer { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-recursion { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-update-forwarding { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-v6-synthesis { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> blackhole { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> avoid-v4-udp-ports { <VAR -CLASS="replaceable" ->port_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> avoid-v6-udp-ports { <VAR -CLASS="replaceable" ->port_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> listen-on [<SPAN -CLASS="optional" -> port <VAR -CLASS="replaceable" ->ip_port</VAR -> </SPAN ->] { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> listen-on-v6 [<SPAN -CLASS="optional" -> port <VAR -CLASS="replaceable" ->ip_port</VAR -> </SPAN ->] { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }; </SPAN ->] - [<SPAN -CLASS="optional" -> query-source [<SPAN -CLASS="optional" -> address ( <VAR -CLASS="replaceable" ->ip_addr</VAR -> | <VAR -CLASS="replaceable" ->*</VAR -> ) </SPAN ->] [<SPAN -CLASS="optional" -> port ( <VAR -CLASS="replaceable" ->ip_port</VAR -> | <VAR -CLASS="replaceable" ->*</VAR -> ) </SPAN ->]; </SPAN ->] - [<SPAN -CLASS="optional" -> query-source-v6 [<SPAN -CLASS="optional" -> address ( <VAR -CLASS="replaceable" ->ip_addr</VAR -> | <VAR -CLASS="replaceable" ->*</VAR -> ) </SPAN ->] [<SPAN -CLASS="optional" -> port ( <VAR -CLASS="replaceable" ->ip_port</VAR -> | <VAR -CLASS="replaceable" ->*</VAR -> ) </SPAN ->]; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-time-in <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-time-out <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-idle-in <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-idle-out <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> tcp-clients <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> recursive-clients <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> serial-query-rate <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> serial-queries <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> tcp-listen-queue <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-format <VAR -CLASS="replaceable" ->( one-answer | many-answers )</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> transfers-in <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> transfers-out <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> transfers-per-ns <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-source (<VAR -CLASS="replaceable" ->ip4_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-source-v6 (<VAR -CLASS="replaceable" ->ip6_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> alt-transfer-source (<VAR -CLASS="replaceable" ->ip4_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> alt-transfer-source-v6 (<VAR -CLASS="replaceable" ->ip6_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> use-alt-transfer-source <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> notify-source (<VAR -CLASS="replaceable" ->ip4_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> notify-source-v6 (<VAR -CLASS="replaceable" ->ip6_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> also-notify { <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; ... </SPAN ->] }; </SPAN ->] - [<SPAN -CLASS="optional" -> max-ixfr-log-size <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> max-journal-size <VAR -CLASS="replaceable" ->size_spec</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> coresize <VAR -CLASS="replaceable" ->size_spec</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> datasize <VAR -CLASS="replaceable" ->size_spec</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> files <VAR -CLASS="replaceable" ->size_spec</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> stacksize <VAR -CLASS="replaceable" ->size_spec</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> cleaning-interval <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> heartbeat-interval <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> interface-interval <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> statistics-interval <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> topology { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }</SPAN ->]; - [<SPAN -CLASS="optional" -> sortlist { <VAR -CLASS="replaceable" ->address_match_list</VAR -> }</SPAN ->]; - [<SPAN -CLASS="optional" -> rrset-order { <VAR -CLASS="replaceable" ->order_spec</VAR -> ; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->order_spec</VAR -> ; ... </SPAN ->] </SPAN ->] }; - [<SPAN -CLASS="optional" -> lame-ttl <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> max-ncache-ttl <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> max-cache-ttl <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> sig-validity-interval <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> min-roots <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> use-ixfr <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> provide-ixfr <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> request-ixfr <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> treat-cr-as-space <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> min-refresh-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-refresh-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> min-retry-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-retry-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> port <VAR -CLASS="replaceable" ->ip_port</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> additional-from-auth <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> additional-from-cache <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> random-device <VAR -CLASS="replaceable" ->path_name</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-cache-size <VAR -CLASS="replaceable" ->size_spec</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> match-mapped-addresses <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> preferred-glue ( <VAR -CLASS="replaceable" ->A</VAR -> | <VAR -CLASS="replaceable" ->AAAA</VAR -> | <VAR -CLASS="replaceable" ->NONE</VAR -> ); </SPAN ->] - [<SPAN -CLASS="optional" -> edns-udp-size <VAR -CLASS="replaceable" ->number</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> root-delegation-only [<SPAN -CLASS="optional" -> exclude { <VAR -CLASS="replaceable" ->namelist</VAR -> } </SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> querylog <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> disable-algorithms <VAR -CLASS="replaceable" ->domain</VAR -> { <VAR -CLASS="replaceable" ->algorithm</VAR ->; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->algorithm</VAR ->; </SPAN ->] }; </SPAN ->] +exact match lookup before search path elements are appended.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2554610"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"> +<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2554653"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage </h3></div></div></div> +<p><span><strong class="command">masters</strong></span> lists allow for a common set of masters +to be easily used by multiple stub and slave zones.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2554668"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> +<p>This is the grammar of the <span><strong class="command">options</strong></span> +statement in the <code class="filename">named.conf</code> file:</p> +<pre class="programlisting">options { + [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>] + [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>] + [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>] + [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>] + [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>] + [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>] + [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em>; </span>] + [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>] + [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>] + [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>] + [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; ... }; </span>] + [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] + [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] + [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>] + [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>] + [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>] + [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] + [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>]; + [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>]; + [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] }; + [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>] + [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>] + [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>] + [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>] + [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>] }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="options" ->6.2.16. <B -CLASS="command" ->options</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->options</B -> statement sets up global options -to be used by <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->. This statement may appear only -once in a configuration file. If there is no <B -CLASS="command" ->options</B -> +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">options</strong></span> statement sets up global options +to be used by <span class="acronym">BIND</span>. This statement may appear only +once in a configuration file. If there is no <span><strong class="command">options</strong></span> statement, an options block with each option set to its default will -be used.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->directory</B -></DT -><DD -><P ->The working directory of the server. +be used.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt> +<dd><p>The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server -output files (e.g. <TT -CLASS="filename" ->named.run</TT ->) is this directory. +output files (e.g. <code class="filename">named.run</code>) is this directory. If a directory is not specified, the working directory defaults -to `<TT -CLASS="filename" ->.</TT ->', the directory from which the server -was started. The directory specified should be an absolute path.</P -></DD -><DT -><B -CLASS="command" ->key-directory</B -></DT -><DD -><P ->When performing dynamic update of secure zones, the +to `<code class="filename">.</code>', the directory from which the server +was started. The directory specified should be an absolute path.</p></dd> +<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dd><p>When performing dynamic update of secure zones, the directory where the public and private key files should be found, if different than the current working directory. The directory specified -must be an absolute path.</P -></DD -><DT -><B -CLASS="command" ->named-xfer</B -></DT -><DD -><P -><SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->This option is obsolete.</I -></SPAN -> -It was used in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 to -specify the pathname to the <B -CLASS="command" ->named-xfer</B -> program. -In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9, no separate <B -CLASS="command" ->named-xfer</B -> program is -needed; its functionality is built into the name server.</P -></DD -><DT -><B -CLASS="command" ->tkey-domain</B -></DT -><DD -><P ->The domain appended to the names of all -shared keys generated with <B -CLASS="command" ->TKEY</B ->. When a client -requests a <B -CLASS="command" ->TKEY</B -> exchange, it may or may not specify +must be an absolute path.</p></dd> +<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt> +<dd><p><span class="emphasis"><em>This option is obsolete.</em></span> +It was used in <span class="acronym">BIND</span> 8 to +specify the pathname to the <span><strong class="command">named-xfer</strong></span> program. +In <span class="acronym">BIND</span> 9, no separate <span><strong class="command">named-xfer</strong></span> program is +needed; its functionality is built into the name server.</p></dd> +<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt> +<dd><p>The domain appended to the names of all +shared keys generated with <span><strong class="command">TKEY</strong></span>. When a client +requests a <span><strong class="command">TKEY</strong></span> exchange, it may or may not specify the desired name for the key. If present, the name of the shared -key will be "<VAR -CLASS="varname" ->client specified part</VAR ->" + -"<VAR -CLASS="varname" ->tkey-domain</VAR ->". -Otherwise, the name of the shared key will be "<VAR -CLASS="varname" ->random hex -digits</VAR ->" + "<VAR -CLASS="varname" ->tkey-domain</VAR ->". In most cases, -the <B -CLASS="command" ->domainname</B -> should be the server's domain -name.</P -></DD -><DT -><B -CLASS="command" ->tkey-dhkey</B -></DT -><DD -><P ->The Diffie-Hellman key used by the server +key will be "<code class="varname">client specified part</code>" + +"<code class="varname">tkey-domain</code>". +Otherwise, the name of the shared key will be "<code class="varname">random hex +digits</code>" + "<code class="varname">tkey-domain</code>". In most cases, +the <span><strong class="command">domainname</strong></span> should be the server's domain +name.</p></dd> +<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt> +<dd><p>The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode -of <B -CLASS="command" ->TKEY</B ->. The server must be able to load the +of <span><strong class="command">TKEY</strong></span>. The server must be able to load the public and private keys from files in the working directory. In -most cases, the keyname should be the server's host name.</P -></DD -><DT -><B -CLASS="command" ->dump-file</B -></DT -><DD -><P ->The pathname of the file the server dumps +most cases, the keyname should be the server's host name.</p></dd> +<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt> +<dd><p>The pathname of the file the server dumps the database to when instructed to do so with -<B -CLASS="command" ->rndc dumpdb</B ->. -If not specified, the default is <TT -CLASS="filename" ->named_dump.db</TT ->.</P -></DD -><DT -><B -CLASS="command" ->memstatistics-file</B -></DT -><DD -><P ->The pathname of the file the server writes memory +<span><strong class="command">rndc dumpdb</strong></span>. +If not specified, the default is <code class="filename">named_dump.db</code>.</p></dd> +<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt> +<dd><p>The pathname of the file the server writes memory usage statistics to on exit. If not specified, -the default is <TT -CLASS="filename" ->named.memstats</TT ->.</P -></DD -><DT -><B -CLASS="command" ->pid-file</B -></DT -><DD -><P ->The pathname of the file the server writes its process ID -in. If not specified, the default is <TT -CLASS="filename" ->/var/run/named.pid</TT ->. +the default is <code class="filename">named.memstats</code>.</p></dd> +<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt> +<dd><p>The pathname of the file the server writes its process ID +in. If not specified, the default is <code class="filename">/var/run/named.pid</code>. The pid-file is used by programs that want to send signals to the running -name server. Specifying <B -CLASS="command" ->pid-file none</B -> disables the +name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the use of a PID file — no file will be written and any -existing one will be removed. Note that <B -CLASS="command" ->none</B -> +existing one will be removed. Note that <span><strong class="command">none</strong></span> is a keyword, not a file name, and therefore is not enclosed in -double quotes.</P -></DD -><DT -><B -CLASS="command" ->statistics-file</B -></DT -><DD -><P ->The pathname of the file the server appends statistics -to when instructed to do so using <B -CLASS="command" ->rndc stats</B ->. -If not specified, the default is <TT -CLASS="filename" ->named.stats</TT -> in the +double quotes.</p></dd> +<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt> +<dd><p>The pathname of the file the server appends statistics +to when instructed to do so using <span><strong class="command">rndc stats</strong></span>. +If not specified, the default is <code class="filename">named.stats</code> in the server's current directory. The format of the file is described -in <A -HREF="Bv9ARM.ch06.html#statsfile" ->Section 6.2.16.17</A -></P -></DD -><DT -><B -CLASS="command" ->port</B -></DT -><DD -><P -> The UDP/TCP port number the server uses for +in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a></p></dd> +<dt><span class="term"><span><strong class="command">port</strong></span></span></dt> +<dd><p> +The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 will not be able to communicate with the global DNS. -</P -></DD -><DT -><B -CLASS="command" ->random-device</B -></DT -><DD -><P -> The source of entropy to be used by the server. Entropy is primarily needed +</p></dd> +<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt> +<dd><p> +The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed -zones. This option specifies the device (or file) from which to read +zones. This options specifies the device (or file) from which to read entropy. If this is a file, operations requiring entropy will fail when the file has been exhausted. If not specified, the default value is -<TT -CLASS="filename" ->/dev/random</TT -> +<code class="filename">/dev/random</code> (or equivalent) when present, and none otherwise. The -<B -CLASS="command" ->random-device</B -> option takes effect during +<span><strong class="command">random-device</strong></span> option takes effect during the initial configuration load at server startup time and -is ignored on subsequent reloads.</P -></DD -><DT -><B -CLASS="command" ->preferred-glue</B -></DT -><DD -><P -> If specified the listed type (A or AAAA) will be emitted before other glue +is ignored on subsequent reloads.</p></dd> +<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt> +<dd><p> +If specified the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. The default is not to preference any type (NONE). -</P -></DD -><DT -><B -CLASS="command" ->root-delegation-only</B -></DT -><DD -><P -> Turn on enforcement of delegation-only in TLDs and root zones with an optional +</p></dd> +<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt> +<dd> +<p> +Turn on enforcement of delegation-only in TLDs and root zones with an optional exclude list. -</P -><P -> Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). -</P -><PRE -CLASS="programlisting" -> options { +</p> +<p> +Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). +</p> +<pre class="programlisting"> +options { root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; }; -</PRE -></DD -><DT -><B -CLASS="command" ->disable-algorithms</B -></DT -><DD -><P -> Disable the specified DNSSEC algorithms at and below the specified name. -Multiple <B -CLASS="command" ->disable-algorithms</B -> statements are allowed. +</pre> +</dd> +<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt> +<dd><p> +Disable the specified DNSSEC algorithms at and below the specified name. +Multiple <span><strong class="command">disable-algorithms</strong></span> statements are allowed. Only the most specific will be applied. -</P -></DD -><DT -><B -CLASS="command" ->dnssec-lookaside</B -></DT -><DD -><P -> When set <B -CLASS="command" ->dnssec-lookaside</B -> provides the +</p></dd> +<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt> +<dd><p> +When set <span><strong class="command">dnssec-lookaside</strong></span> provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the -deepest <B -CLASS="command" ->dnssec-lookaside</B ->, and the normal dnssec validation +deepest <span><strong class="command">dnssec-lookaside</strong></span>, and the normal dnssec validation has left the key untrusted, the trust-anchor will be append to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted. -</P -></DD -><DT -><B -CLASS="command" ->dnssec-must-be-secure</B -></DT -><DD -><P -> Specify heirachies which must / may not be secure (signed and validated). -If <KBD -CLASS="userinput" ->yes</KBD -> then named will only accept answers if they +</p></dd> +<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt> +<dd><p> +Specify heirarchies which must / may not be secure (signed and validated). +If <strong class="userinput"><code>yes</code></strong> then named will only accept answers if they are secure. -If <KBD -CLASS="userinput" ->no</KBD -> then normal dnssec validation applies +If <strong class="userinput"><code>no</code></strong> then normal dnssec validation applies allowing for insecure answers to be accepted. -The specified domain must be under a <B -CLASS="command" ->trusted-key</B -> or -<B -CLASS="command" ->dnssec-lookaside</B -> must be active. -</P -></DD -></DL -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="boolean_options" ->6.2.16.1. Boolean Options</A -></H3 -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->auth-nxdomain</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD ->, then the <B -CLASS="command" ->AA</B -> bit +The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or +<span><strong class="command">dnssec-lookaside</strong></span> must be active. +</p></dd> +</dl></div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="boolean_options"></a>Boolean Options</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt> +<dd><p>If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit is always set on NXDOMAIN responses, even if the server is not actually -authoritative. The default is <KBD -CLASS="userinput" ->no</KBD ->; this is -a change from <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8. If you are using very old DNS software, you -may need to set it to <KBD -CLASS="userinput" ->yes</KBD ->.</P -></DD -><DT -><B -CLASS="command" ->deallocate-on-exit</B -></DT -><DD -><P ->This option was used in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 to enable checking -for memory leaks on exit. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 ignores the option and always performs -the checks.</P -></DD -><DT -><B -CLASS="command" ->dialup</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD ->, then the +authoritative. The default is <strong class="userinput"><code>no</code></strong>; this is +a change from <span class="acronym">BIND</span> 8. If you are using very old DNS software, you +may need to set it to <strong class="userinput"><code>yes</code></strong>.</p></dd> +<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt> +<dd><p>This option was used in <span class="acronym">BIND</span> 8 to enable checking +for memory leaks on exit. <span class="acronym">BIND</span> 9 ignores the option and always performs +the checks.</p></dd> +<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dd> +<p>If <strong class="userinput"><code>yes</code></strong>, then the server treats all zones as if they are doing zone transfers across a dial on demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type and concentrates the zone maintenance so that it all -happens in a short interval, once every <B -CLASS="command" ->heartbeat-interval</B -> and +happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and hopefully during the one call. It also suppresses some of the normal -zone maintenance traffic. The default is <KBD -CLASS="userinput" ->no</KBD ->.</P -><P ->The <B -CLASS="command" ->dialup</B -> option -may also be specified in the <B -CLASS="command" ->view</B -> and -<B -CLASS="command" ->zone</B -> statements, -in which case it overrides the global <B -CLASS="command" ->dialup</B -> -option.</P -><P ->If the zone is a master zone then the server will send out a NOTIFY +zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.</p> +<p>The <span><strong class="command">dialup</strong></span> option +may also be specified in the <span><strong class="command">view</strong></span> and +<span><strong class="command">zone</strong></span> statements, +in which case it overrides the global <span><strong class="command">dialup</strong></span> +option.</p> +<p>If the zone is a master zone then the server will send out a NOTIFY request to all the slaves (default). This should trigger the zone serial number check in the slave (providing it supports NOTIFY) allowing the slave to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by -<B -CLASS="command" ->notify</B -> and <B -CLASS="command" ->also-notify</B ->.</P -><P ->If the +<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.</p> +<p>If the zone is a slave or stub zone, then the server will suppress the regular "zone up to date" (refresh) queries and only perform them when the -<B -CLASS="command" ->heartbeat-interval</B -> expires in addition to sending -NOTIFY requests.</P -><P ->Finer control can be achieved by using -<KBD -CLASS="userinput" ->notify</KBD -> which only sends NOTIFY messages, -<KBD -CLASS="userinput" ->notify-passive</KBD -> which sends NOTIFY messages and -suppresses the normal refresh queries, <KBD -CLASS="userinput" ->refresh</KBD -> +<span><strong class="command">heartbeat-interval</strong></span> expires in addition to sending +NOTIFY requests.</p> +<p>Finer control can be achieved by using +<strong class="userinput"><code>notify</code></strong> which only sends NOTIFY messages, +<strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY messages and +suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong> which suppresses normal refresh processing and sends refresh queries -when the <B -CLASS="command" ->heartbeat-interval</B -> expires, and -<KBD -CLASS="userinput" ->passive</KBD -> which just disables normal refresh -processing.</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN2402" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->dialup mode</P -></TD -><TD -><P ->normal refresh</P -></TD -><TD -><P ->heart-beat refresh</P -></TD -><TD -><P ->heart-beat notify</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->no</B -> (default)</P -></TD -><TD -><P ->yes</P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->no</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->yes</B -></P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->yes</P -></TD -><TD -><P ->yes</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->notify</B -></P -></TD -><TD -><P ->yes</P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->yes</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->refresh</B -></P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->yes</P -></TD -><TD -><P ->no</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->passive</B -></P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->no</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->notify-passive</B -></P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->no</P -></TD -><TD -><P ->yes</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->Note that normal NOTIFY processing is not affected by -<B -CLASS="command" ->dialup</B ->.</P -></DD -><DT -><B -CLASS="command" ->fake-iquery</B -></DT -><DD -><P ->In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8, this option +when the <span><strong class="command">heartbeat-interval</strong></span> expires, and +<strong class="userinput"><code>passive</code></strong> which just disables normal refresh +processing.</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>dialup mode</p></td> +<td><p>normal refresh</p></td> +<td><p>heart-beat refresh</p></td> +<td><p>heart-beat notify</p></td> +</tr> +<tr> +<td><p><span><strong class="command">no</strong></span> (default)</p></td> +<td><p>yes</p></td> +<td><p>no</p></td> +<td><p>no</p></td> +</tr> +<tr> +<td><p><span><strong class="command">yes</strong></span></p></td> +<td><p>no</p></td> +<td><p>yes</p></td> +<td><p>yes</p></td> +</tr> +<tr> +<td><p><span><strong class="command">notify</strong></span></p></td> +<td><p>yes</p></td> +<td><p>no</p></td> +<td><p>yes</p></td> +</tr> +<tr> +<td><p><span><strong class="command">refresh</strong></span></p></td> +<td><p>no</p></td> +<td><p>yes</p></td> +<td><p>no</p></td> +</tr> +<tr> +<td><p><span><strong class="command">passive</strong></span></p></td> +<td><p>no</p></td> +<td><p>no</p></td> +<td><p>no</p></td> +</tr> +<tr> +<td><p><span><strong class="command">notify-passive</strong></span></p></td> +<td><p>no</p></td> +<td><p>no</p></td> +<td><p>yes</p></td> +</tr> +</tbody> +</table></div> +<p>Note that normal NOTIFY processing is not affected by +<span><strong class="command">dialup</strong></span>.</p> +</dd> +<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt> +<dd><p>In <span class="acronym">BIND</span> 8, this option enabled simulating the obsolete DNS query type -IQUERY. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 never does IQUERY simulation. -</P -></DD -><DT -><B -CLASS="command" ->fetch-glue</B -></DT -><DD -><P ->This option is obsolete. -In BIND 8, <KBD -CLASS="userinput" ->fetch-glue yes</KBD -> +IQUERY. <span class="acronym">BIND</span> 9 never does IQUERY simulation. +</p></dd> +<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt> +<dd><p>This option is obsolete. +In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong> caused the server to attempt to fetch glue resource records it didn't have when constructing the additional data section of a response. This is now considered a bad idea -and BIND 9 never does it.</P -></DD -><DT -><B -CLASS="command" ->flush-zones-on-shutdown</B -></DT -><DD -><P ->When the nameserver exits due receiving SIGTERM, +and BIND 9 never does it.</p></dd> +<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt> +<dd><p>When the nameserver exits due receiving SIGTERM, flush / do not flush any pending zone writes. The default is -<B -CLASS="command" ->flush-zones-on-shutdown</B -> <KBD -CLASS="userinput" ->no</KBD ->. -</P -></DD -><DT -><B -CLASS="command" ->has-old-clients</B -></DT -><DD -><P ->This option was incorrectly implemented -in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8, and is ignored by <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9. +<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. +</p></dd> +<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt> +<dd><p>This option was incorrectly implemented +in <span class="acronym">BIND</span> 8, and is ignored by <span class="acronym">BIND</span> 9. To achieve the intended effect of -<B -CLASS="command" ->has-old-clients</B -> <KBD -CLASS="userinput" ->yes</KBD ->, specify -the two separate options <B -CLASS="command" ->auth-nxdomain</B -> <KBD -CLASS="userinput" ->yes</KBD -> -and <B -CLASS="command" ->rfc2308-type1</B -> <KBD -CLASS="userinput" ->no</KBD -> instead. -</P -></DD -><DT -><B -CLASS="command" ->host-statistics</B -></DT -><DD -><P ->In BIND 8, this enables keeping of +<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify +the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> +and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. +</p></dd> +<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt> +<dd><p>In BIND 8, this enables keeping of statistics for every host that the name server interacts with. Not implemented in BIND 9. -</P -></DD -><DT -><B -CLASS="command" ->maintain-ixfr-base</B -></DT -><DD -><P -><SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->This option is obsolete</I -></SPAN ->. - It was used in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 to determine whether a transaction log was -kept for Incremental Zone Transfer. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 maintains a transaction +</p></dd> +<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt> +<dd><p><span class="emphasis"><em>This option is obsolete</em></span>. + It was used in <span class="acronym">BIND</span> 8 to determine whether a transaction log was +kept for Incremental Zone Transfer. <span class="acronym">BIND</span> 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone -transfers, use <B -CLASS="command" ->provide-ixfr</B -> <KBD -CLASS="userinput" ->no</KBD ->. -</P -></DD -><DT -><B -CLASS="command" ->minimal-responses</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD ->, then when generating +transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. +</p></dd> +<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt> +<dd><p>If <strong class="userinput"><code>yes</code></strong>, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. -The default is <KBD -CLASS="userinput" ->no</KBD ->. -</P -></DD -><DT -><B -CLASS="command" ->multiple-cnames</B -></DT -><DD -><P ->This option was used in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 to allow +The default is <strong class="userinput"><code>no</code></strong>. +</p></dd> +<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt> +<dd><p>This option was used in <span class="acronym">BIND</span> 8 to allow a domain name to have multiple CNAME records in violation of the -DNS standards. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9.2 always strictly +DNS standards. <span class="acronym">BIND</span> 9.2 always strictly enforces the CNAME rules both in master files and dynamic updates. -</P -></DD -><DT -><B -CLASS="command" ->notify</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD -> (the default), +</p></dd> +<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dd> +<p>If <strong class="userinput"><code>yes</code></strong> (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for -changes, see <A -HREF="Bv9ARM.ch04.html#notify" ->Section 4.1</A ->. The messages are sent to the +changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the -<B -CLASS="command" ->also-notify</B -> option. -</P -><P -> If <KBD -CLASS="userinput" ->explicit</KBD ->, notifies are sent only to -servers explicitly listed using <B -CLASS="command" ->also-notify</B ->. -If <KBD -CLASS="userinput" ->no</KBD ->, no notifies are sent. -</P -><P -> The <B -CLASS="command" ->notify</B -> option may also be -specified in the <B -CLASS="command" ->zone</B -> statement, -in which case it overrides the <B -CLASS="command" ->options notify</B -> statement. +<span><strong class="command">also-notify</strong></span> option. +</p> +<p> +If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to +servers explicitly listed using <span><strong class="command">also-notify</strong></span>. +If <strong class="userinput"><code>no</code></strong>, no notifies are sent. +</p> +<p> +The <span><strong class="command">notify</strong></span> option may also be +specified in the <span><strong class="command">zone</strong></span> statement, +in which case it overrides the <span><strong class="command">options notify</strong></span> statement. It would only be necessary to turn off this option if it caused slaves -to crash.</P -></DD -><DT -><B -CLASS="command" ->recursion</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD ->, and a +to crash.</p> +</dd> +<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt> +<dd><p>If <strong class="userinput"><code>yes</code></strong>, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a -referral response. The default is <KBD -CLASS="userinput" ->yes</KBD ->. -Note that setting <B -CLASS="command" ->recursion no</B -> does not prevent +referral response. The default is <strong class="userinput"><code>yes</code></strong>. +Note that setting <span><strong class="command">recursion no</strong></span> does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. -See also <B -CLASS="command" ->fetch-glue</B -> above. -</P -></DD -><DT -><B -CLASS="command" ->rfc2308-type1</B -></DT -><DD -><P ->Setting this to <KBD -CLASS="userinput" ->yes</KBD -> will +See also <span><strong class="command">fetch-glue</strong></span> above. +</p></dd> +<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt> +<dd> +<p>Setting this to <strong class="userinput"><code>yes</code></strong> will cause the server to send NS records along with the SOA record for negative -answers. The default is <KBD -CLASS="userinput" ->no</KBD ->.</P -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->Not yet implemented in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9.</P -></BLOCKQUOTE -></DIV -></DD -><DT -><B -CLASS="command" ->use-id-pool</B -></DT -><DD -><P -><SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->This option is obsolete</I -></SPAN ->. -<ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 always allocates query IDs from a pool. -</P -></DD -><DT -><B -CLASS="command" ->zone-statistics</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD ->, the server will collect +answers. The default is <strong class="userinput"><code>no</code></strong>.</p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>Not yet implemented in <span class="acronym">BIND</span> 9.</p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt> +<dd><p><span class="emphasis"><em>This option is obsolete</em></span>. +<span class="acronym">BIND</span> 9 always allocates query IDs from a pool. +</p></dd> +<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will collect statistical data on all zones (unless specifically turned off -on a per-zone basis by specifying <B -CLASS="command" ->zone-statistics no</B -> -in the <B -CLASS="command" ->zone</B -> statement). These statistics may be accessed -using <B -CLASS="command" ->rndc stats</B ->, which will dump them to the file listed -in the <B -CLASS="command" ->statistics-file</B ->. See also <A -HREF="Bv9ARM.ch06.html#statsfile" ->Section 6.2.16.17</A ->. -</P -></DD -><DT -><B -CLASS="command" ->use-ixfr</B -></DT -><DD -><P -><SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->This option is obsolete</I -></SPAN ->. +on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span> +in the <span><strong class="command">zone</strong></span> statement). These statistics may be accessed +using <span><strong class="command">rndc stats</strong></span>, which will dump them to the file listed +in the <span><strong class="command">statistics-file</strong></span>. See also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. +</p></dd> +<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt> +<dd><p><span class="emphasis"><em>This option is obsolete</em></span>. If you need to disable IXFR to a particular server or servers see -the information on the <B -CLASS="command" ->provide-ixfr</B -> option -in <A -HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage" ->Section 6.2.18</A ->. See also -<A -HREF="Bv9ARM.ch04.html#incremental_zone_transfers" ->Section 4.3</A ->. -</P -></DD -><DT -><B -CLASS="command" ->provide-ixfr</B -></DT -><DD -><P -> See the description of -<B -CLASS="command" ->provide-ixfr</B -> in -<A -HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage" ->Section 6.2.18</A -> -</P -></DD -><DT -><B -CLASS="command" ->request-ixfr</B -></DT -><DD -><P -> See the description of -<B -CLASS="command" ->request-ixfr</B -> in -<A -HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage" ->Section 6.2.18</A -> -</P -></DD -><DT -><B -CLASS="command" ->treat-cr-as-space</B -></DT -><DD -><P ->This option was used in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 to make -the server treat carriage return ("<B -CLASS="command" ->\r</B ->") characters the same way +the information on the <span><strong class="command">provide-ixfr</strong></span> option +in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and Usage”</a>. See also +<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. +</p></dd> +<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt> +<dd><p> +See the description of +<span><strong class="command">provide-ixfr</strong></span> in +<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and Usage”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt> +<dd><p> +See the description of +<span><strong class="command">request-ixfr</strong></span> in +<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and Usage”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt> +<dd><p>This option was used in <span class="acronym">BIND</span> 8 to make +the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated -on an NT or DOS machine. In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9, both UNIX "<B -CLASS="command" ->\n</B ->" -and NT/DOS "<B -CLASS="command" ->\r\n</B ->" newlines are always accepted, -and the option is ignored.</P -></DD -><DT -><B -CLASS="command" ->additional-from-auth</B ->, <B -CLASS="command" ->additional-from-cache</B -></DT -><DD -><P -> These options control the behavior of an authoritative server when +on an NT or DOS machine. In <span class="acronym">BIND</span> 9, both UNIX "<span><strong class="command">\n</strong></span>" +and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines are always accepted, +and the option is ignored.</p></dd> +<dt> +<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span> +</dt> +<dd> +<p> +These options control the behavior of an authoritative server when answering queries which have additional data, or when following CNAME and DNAME chains. -</P -><P -> When both of these options are set to <KBD -CLASS="userinput" ->yes</KBD -> +</p> +<p> +When both of these options are set to <strong class="userinput"><code>yes</code></strong> (the default) and a query is being answered from authoritative data (a zone configured into the server), the additional data section of the @@ -5129,76 +1583,43 @@ untrusted third parties. Also, avoiding the search for this additional data will speed up server operations at the possible expense of additional queries to resolve what would otherwise be provided in the additional section. -</P -><P -> For example, if a query asks for an MX record for host <VAR -CLASS="literal" ->foo.example.com</VAR ->, -and the record found is "<VAR -CLASS="literal" ->MX 10 mail.example.net</VAR ->", normally the address -records (A and AAAA) for <VAR -CLASS="literal" ->mail.example.net</VAR -> will be provided as well, +</p> +<p> +For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>, +and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address +records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well, if known, even though they are not in the example.com zone. -Setting these options to <B -CLASS="command" ->no</B -> disables this behavior and makes +Setting these options to <span><strong class="command">no</strong></span> disables this behavior and makes the server only search for additional data in the zone it answers from. -</P -><P -> These options are intended for use in authoritative-only +</p> +<p> +These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set -them to <B -CLASS="command" ->no</B -> without also specifying -<B -CLASS="command" ->recursion no</B -> will cause the server to +them to <span><strong class="command">no</strong></span> without also specifying +<span><strong class="command">recursion no</strong></span> will cause the server to ignore the options and log a warning message. -</P -><P -> Specifying <B -CLASS="command" ->additional-from-cache no</B -> actually +</p> +<p> +Specifying <span><strong class="command">additional-from-cache no</strong></span> actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the desired behavior in an authoritative-only server where the correctness of the cached data is an issue. -</P -><P -> When a name server is non-recursively queried for a name that is not +</p> +<p> +When a name server is non-recursively queried for a name that is not below the apex of any served zone, it normally answers with an "upwards referral" to the root servers or the servers of some other known parent of the query name. Since the data in an upwards referral comes from the cache, the server will not be able to provide upwards -referrals when <B -CLASS="command" ->additional-from-cache no</B -> +referrals when <span><strong class="command">additional-from-cache no</strong></span> has been specified. Instead, it will respond to such queries with REFUSED. This should not cause any problems since upwards referrals are not required for the resolution process. -</P -></DD -><DT -><B -CLASS="command" ->match-mapped-addresses</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD ->, then an +</p> +</dd> +<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt> +<dd><p>If <strong class="userinput"><code>yes</code></strong>, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. Enabling this option is sometimes useful on IPv6-enabled Linux @@ -5207,25 +1628,20 @@ TCP connections such as zone transfers to be accepted on an IPv6 socket using mapped addresses, causing address match lists designed for IPv4 to fail to match. The use of this option for any other purpose is discouraged. -</P -></DD -><DT -><B -CLASS="command" ->ixfr-from-differences</B -></DT -><DD -><P -> When 'yes' and the server loads a new version of a master +</p></dd> +<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dd> +<p> +When 'yes' and the server loads a new version of a master zone from its zone file or receives a new version of a slave file by a non-incremental zone transfer, it will compare the new version to the previous one and calculate a set of differences. The differences are then logged in the zone's journal file such that the changes can be transmitted to downstream slaves as an incremental zone transfer. -</P -><P -> By allowing incremental zone transfers to be used for +</p> +<p> +By allowing incremental zone transfers to be used for non-dynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the master. In particular, if the new version of a zone is completely @@ -5234,1096 +1650,422 @@ will be of a size comparable to the combined size of the old and new zone version, and the server will need to temporarily allocate memory to hold this complete difference set. -</P -></DD -><DT -><B -CLASS="command" ->multi-master</B -></DT -><DD -><P -> This should be set when you have multiple masters for a zone and the +</p> +</dd> +<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dd><p> +This should be set when you have multiple masters for a zone and the addresses refer to different machines. If 'yes' named will not log when the serial number on the master is less than what named currently -has. The default is <KBD -CLASS="userinput" ->no</KBD ->. -</P -></DD -><DT -><B -CLASS="command" ->dnssec-enable</B -></DT -><DD -><P -> Enable DNSSEC support in named. Unless set to <KBD -CLASS="userinput" ->yes</KBD -> +has. The default is <strong class="userinput"><code>no</code></strong>. +</p></dd> +<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt> +<dd><p> +Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong> named behaves as if it does not support DNSSEC. -The default is <KBD -CLASS="userinput" ->no</KBD ->. -</P -></DD -><DT -><B -CLASS="command" ->querylog</B -></DT -><DD -><P -> Specify whether query logging should be started when named start. -If <B -CLASS="command" ->querylog</B -> is not specified then the query logging -is determined by the presence of the logging category <B -CLASS="command" ->queries</B ->. -</P -></DD -><DT -><B -CLASS="command" ->check-names</B -></DT -><DD -><P -> This option is used to restrict the character set and syntax of +The default is <strong class="userinput"><code>no</code></strong>. +</p></dd> +<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt> +<dd><p> +Specify whether query logging should be started when named start. +If <span><strong class="command">querylog</strong></span> is not specified then the query logging +is determined by the presence of the logging category <span><strong class="command">queries</strong></span>. +</p></dd> +<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dd> +<p> +This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to usage area. For -<B -CLASS="command" ->master</B -> zones the default is <B -CLASS="command" ->fail</B ->. -For <B -CLASS="command" ->slave</B -> zones the default is <B -CLASS="command" ->warn</B ->. -For answer received from the network (<B -CLASS="command" ->response</B ->) -the default is <B -CLASS="command" ->ignore</B ->. -</P -><P ->The rules for legal hostnames / mail domains are derived from RFC 952 +<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. +For <span><strong class="command">slave</strong></span> zones the default is <span><strong class="command">warn</strong></span>. +For answer received from the network (<span><strong class="command">response</strong></span>) +the default is <span><strong class="command">ignore</strong></span>. +</p> +<p>The rules for legal hostnames / mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123. -</P -><P -><B -CLASS="command" ->check-names</B -> applies to the owner names of A, AAA and +</p> +<p><span><strong class="command">check-names</strong></span> applies to the owner names of A, AAA and MX records. It also applies to the domain names in the RDATA of NS, SOA and MX records. It also applies to the RDATA of PTR records where the owner name indicated that it is a reverse lookup of a hostname (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, IP6.INT). -</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN2695" ->6.2.16.2. Forwarding</A -></H3 -><P ->The forwarding facility can be used to create a large site-wide +</p> +</dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2557350"></a>Forwarding</h4></div></div></div> +<p>The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in -its cache.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->forward</B -></DT -><DD -><P ->This option is only meaningful if the -forwarders list is not empty. A value of <VAR -CLASS="varname" ->first</VAR ->, +its cache.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<dd><p>This option is only meaningful if the +forwarders list is not empty. A value of <code class="varname">first</code>, the default, causes the server to query the forwarders first, and if that doesn't answer the question the server will then look for -the answer itself. If <VAR -CLASS="varname" ->only</VAR -> is specified, the +the answer itself. If <code class="varname">only</code> is specified, the server will only query the forwarders. -</P -></DD -><DT -><B -CLASS="command" ->forwarders</B -></DT -><DD -><P ->Specifies the IP addresses to be used +</p></dd> +<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dd><p>Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding). -</P -></DD -></DL -></DIV -><P ->Forwarding can also be configured on a per-domain basis, allowing +</p></dd> +</dl></div> +<p>Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, -or have a different <B -CLASS="command" ->forward only/first</B -> behavior, -or not forward at all, see <A -HREF="Bv9ARM.ch06.html#zone_statement_grammar" ->Section 6.2.23</A ->.</P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN2714" ->6.2.16.3. Dual-stack Servers</A -></H3 -><P ->Dual-stack servers are used as servers of last resort to work around +or have a different <span><strong class="command">forward only/first</strong></span> behavior, +or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone +Statement Grammar">the section called “<span><strong class="command">zone</strong></span> +Statement Grammar”</a>.</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2557400"></a>Dual-stack Servers</h4></div></div></div> +<p>Dual-stack servers are used as servers of last resort to work around problems in reachability due the lack of support for either IPv4 or IPv6 -on the host machine.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->dual-stack-servers</B -></DT -><DD -><P ->Specifies host names / addresses of machines with access to +on the host machine.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt> +<dd><p>Specifies host names / addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used the server must be able to resolve the name using only the transport it has. If the machine is dual -stacked then the <B -CLASS="command" ->dual-stack-servers</B -> have no effect unless +stacked then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless access to a transport has been disabled on the command line -(e.g. <B -CLASS="command" ->named -4</B ->).</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="access_control" ->6.2.16.4. Access Control</A -></H3 -><P ->Access to the server can be restricted based on the IP address -of the requesting system. See <A -HREF="Bv9ARM.ch06.html#address_match_lists" ->Section 6.1.1</A -> for -details on how to specify IP address lists.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->allow-notify</B -></DT -><DD -><P ->Specifies which hosts are allowed to +(e.g. <span><strong class="command">named -4</strong></span>).</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="access_control"></a>Access Control</h4></div></div></div> +<p>Access to the server can be restricted based on the IP address +of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for +details on how to specify IP address lists.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<dd><p>Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. -<B -CLASS="command" ->allow-notify</B -> may also be specified in the -<B -CLASS="command" ->zone</B -> statement, in which case it overrides the -<B -CLASS="command" ->options allow-notify</B -> statement. It is only meaningful +<span><strong class="command">allow-notify</strong></span> may also be specified in the +<span><strong class="command">zone</strong></span> statement, in which case it overrides the +<span><strong class="command">options allow-notify</strong></span> statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages -only from a zone's master.</P -></DD -><DT -><B -CLASS="command" ->allow-query</B -></DT -><DD -><P ->Specifies which hosts are allowed to -ask ordinary DNS questions. <B -CLASS="command" ->allow-query</B -> may also -be specified in the <B -CLASS="command" ->zone</B -> statement, in which -case it overrides the <B -CLASS="command" ->options allow-query</B -> statement. If -not specified, the default is to allow queries from all hosts.</P -></DD -><DT -><B -CLASS="command" ->allow-recursion</B -></DT -><DD -><P ->Specifies which hosts are allowed to +only from a zone's master.</p></dd> +<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dd><p>Specifies which hosts are allowed to +ask ordinary DNS questions. <span><strong class="command">allow-query</strong></span> may also +be specified in the <span><strong class="command">zone</strong></span> statement, in which +case it overrides the <span><strong class="command">options allow-query</strong></span> statement. If +not specified, the default is to allow queries from all hosts.</p></dd> +<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt> +<dd><p>Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts. Note that disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server's cache. -</P -></DD -><DT -><B -CLASS="command" ->allow-update-forwarding</B -></DT -><DD -><P ->Specifies which hosts are allowed to +</p></dd> +<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dd> +<p>Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the -master. The default is <KBD -CLASS="userinput" ->{ none; }</KBD ->, which +master. The default is <strong class="userinput"><code>{ none; }</code></strong>, which means that no update forwarding will be performed. To enable update forwarding, specify -<KBD -CLASS="userinput" ->allow-update-forwarding { any; };</KBD ->. -Specifying values other than <KBD -CLASS="userinput" ->{ none; }</KBD -> or -<KBD -CLASS="userinput" ->{ any; }</KBD -> is usually counterproductive, since +<strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>. +Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or +<strong class="userinput"><code>{ any; }</code></strong> is usually counterproductive, since the responsibility for update access control should rest with the -master server, not the slaves.</P -><P ->Note that enabling the update forwarding feature on a slave server +master server, not the slaves.</p> +<p>Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP address based -access control to attacks; see <A -HREF="Bv9ARM.ch07.html#dynamic_update_security" ->Section 7.3</A -> -for more details.</P -></DD -><DT -><B -CLASS="command" ->allow-v6-synthesis</B -></DT -><DD -><P ->This option was introduced for the smooth transition from AAAA +access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> +for more details.</p> +</dd> +<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt> +<dd><p>This option was introduced for the smooth transition from AAAA to A6 and from "nibble labels" to binary labels. However, since both A6 and binary labels were then deprecated, this option was also deprecated. It is now ignored with some warning messages. -</P -></DD -><DT -><B -CLASS="command" ->allow-transfer</B -></DT -><DD -><P ->Specifies which hosts are allowed to -receive zone transfers from the server. <B -CLASS="command" ->allow-transfer</B -> may -also be specified in the <B -CLASS="command" ->zone</B -> statement, in which -case it overrides the <B -CLASS="command" ->options allow-transfer</B -> statement. -If not specified, the default is to allow transfers to all hosts.</P -></DD -><DT -><B -CLASS="command" ->blackhole</B -></DT -><DD -><P ->Specifies a list of addresses that the +</p></dd> +<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dd><p>Specifies which hosts are allowed to +receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may +also be specified in the <span><strong class="command">zone</strong></span> statement, in which +case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement. +If not specified, the default is to allow transfers to all hosts.</p></dd> +<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt> +<dd><p>Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries -from these addresses will not be responded to. The default is <KBD -CLASS="userinput" ->none</KBD ->.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN2781" ->6.2.16.5. Interfaces</A -></H3 -><P ->The interfaces and ports that the server will answer queries -from may be specified using the <B -CLASS="command" ->listen-on</B -> option. <B -CLASS="command" ->listen-on</B -> takes -an optional port, and an <VAR -CLASS="varname" ->address_match_list</VAR ->. +from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>.</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2557716"></a>Interfaces</h4></div></div></div> +<p>The interfaces and ports that the server will answer queries +from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes +an optional port, and an <code class="varname">address_match_list</code>. The server will listen on all interfaces allowed by the address -match list. If a port is not specified, port 53 will be used.</P -><P ->Multiple <B -CLASS="command" ->listen-on</B -> statements are allowed. -For example,</P -><PRE -CLASS="programlisting" ->listen-on { 5.6.7.8; }; +match list. If a port is not specified, port 53 will be used.</p> +<p>Multiple <span><strong class="command">listen-on</strong></span> statements are allowed. +For example,</p> +<pre class="programlisting">listen-on { 5.6.7.8; }; listen-on port 1234 { !1.2.3.4; 1.2/16; }; -</PRE -><P ->will enable the name server on port 53 for the IP address +</pre> +<p>will enable the name server on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net -1.2 that is not 1.2.3.4.</P -><P ->If no <B -CLASS="command" ->listen-on</B -> is specified, the -server will listen on port 53 on all interfaces.</P -><P ->The <B -CLASS="command" ->listen-on-v6</B -> option is used to +1.2 that is not 1.2.3.4.</p> +<p>If no <span><strong class="command">listen-on</strong></span> is specified, the +server will listen on port 53 on all interfaces.</p> +<p>The <span><strong class="command">listen-on-v6</strong></span> option is used to specify the interfaces and the ports on which the server will listen -for incoming queries sent using IPv6.</P -><P ->When <PRE -CLASS="programlisting" ->{ any; }</PRE -> is specified -as the <VAR -CLASS="varname" ->address_match_list</VAR -> for the -<B -CLASS="command" ->listen-on-v6</B -> option, +for incoming queries sent using IPv6.</p> +<p>When </p> +<pre class="programlisting">{ any; }</pre> +<p> is specified +as the <code class="varname">address_match_list</code> for the +<span><strong class="command">listen-on-v6</strong></span> option, the server does not bind a separate socket to each IPv6 interface address as it does for IPv4 if the operating system has enough API support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542). Instead, it listens on the IPv6 wildcard address. If the system only has incomplete API support for IPv6, however, -the behavior is the same as that for IPv4.</P -><P ->A list of particular IPv6 addresses can also be specified, in which case +the behavior is the same as that for IPv4.</p> +<p>A list of particular IPv6 addresses can also be specified, in which case the server listens on a separate socket for each specified address, -regardless of whether the desired API is supported by the system.</P -><P ->Multiple <B -CLASS="command" ->listen-on-v6</B -> options can be used. -For example,</P -><PRE -CLASS="programlisting" ->listen-on-v6 { any; }; +regardless of whether the desired API is supported by the system.</p> +<p>Multiple <span><strong class="command">listen-on-v6</strong></span> options can be used. +For example,</p> +<pre class="programlisting">listen-on-v6 { any; }; listen-on-v6 port 1234 { !2001:db8::/32; any; }; -</PRE -><P ->will enable the name server on port 53 for any IPv6 addresses +</pre> +<p>will enable the name server on port 53 for any IPv6 addresses (with a single wildcard socket), and on port 1234 of IPv6 addresses that is not in the prefix -2001:db8::/32 (with separate sockets for each matched address.)</P -><P ->To make the server not listen on any IPv6 address, use</P -><PRE -CLASS="programlisting" ->listen-on-v6 { none; }; -</PRE -><P ->If no <B -CLASS="command" ->listen-on-v6</B -> option is specified, -the server will not listen on any IPv6 address.</P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN2808" ->6.2.16.6. Query Address</A -></H3 -><P ->If the server doesn't know the answer to a question, it will -query other name servers. <B -CLASS="command" ->query-source</B -> specifies +2001:db8::/32 (with separate sockets for each matched address.)</p> +<p>To make the server not listen on any IPv6 address, use</p> +<pre class="programlisting">listen-on-v6 { none; }; +</pre> +<p>If no <span><strong class="command">listen-on-v6</strong></span> option is specified, +the server will not listen on any IPv6 address.</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2557804"></a>Query Address</h4></div></div></div> +<p>If the server doesn't know the answer to a question, it will +query other name servers. <span><strong class="command">query-source</strong></span> specifies the address and port used for such queries. For queries sent over -IPv6, there is a separate <B -CLASS="command" ->query-source-v6</B -> option. -If <B -CLASS="command" ->address</B -> is <B -CLASS="command" ->*</B -> or is omitted, -a wildcard IP address (<B -CLASS="command" ->INADDR_ANY</B ->) will be used. -If <B -CLASS="command" ->port</B -> is <B -CLASS="command" ->*</B -> or is omitted, -a random unprivileged port will be used, <B -CLASS="command" ->avoid-v4-udp-ports</B -> -and <B -CLASS="command" ->avoid-v6-udp-ports</B -> can be used to prevent named -from selecting certain ports. The defaults are</P -><PRE -CLASS="programlisting" ->query-source address * port *; +IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option. +If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> or is omitted, +a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) will be used. +If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted, +a random unprivileged port will be used, <span><strong class="command">avoid-v4-udp-ports</strong></span> +and <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used to prevent named +from selecting certain ports. The defaults are</p> +<pre class="programlisting">query-source address * port *; query-source-v6 address * port *; -</PRE -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->The address specified in the <B -CLASS="command" ->query-source</B -> option +</pre> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>The address specified in the <span><strong class="command">query-source</strong></span> option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random -unprivileged port.</P -></BLOCKQUOTE -></DIV -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->See also <B -CLASS="command" ->transfer-source</B -> and -<B -CLASS="command" ->notify-source</B ->.</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="zone_transfers" ->6.2.16.7. Zone Transfers</A -></H3 -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> has mechanisms in place to facilitate zone transfers +unprivileged port.</p> +</div> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>See also <span><strong class="command">transfer-source</strong></span> and +<span><strong class="command">notify-source</strong></span>.</p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div> +<p><span class="acronym">BIND</span> has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the -system. The following options apply to zone transfers.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->also-notify</B -></DT -><DD -><P ->Defines a global list of IP addresses of name servers +system. The following options apply to zone transfers.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<dd><p>Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will -quickly converge on stealth servers. If an <B -CLASS="command" ->also-notify</B -> list -is given in a <B -CLASS="command" ->zone</B -> statement, it will override -the <B -CLASS="command" ->options also-notify</B -> statement. When a <B -CLASS="command" ->zone notify</B -> statement -is set to <B -CLASS="command" ->no</B ->, the IP addresses in the global <B -CLASS="command" ->also-notify</B -> list will +quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list +is given in a <span><strong class="command">zone</strong></span> statement, it will override +the <span><strong class="command">options also-notify</strong></span> statement. When a <span><strong class="command">zone notify</strong></span> statement +is set to <span><strong class="command">no</strong></span>, the IP addresses in the global <span><strong class="command">also-notify</strong></span> list will not be sent NOTIFY messages for that zone. The default is the empty -list (no global notification list).</P -></DD -><DT -><B -CLASS="command" ->max-transfer-time-in</B -></DT -><DD -><P ->Inbound zone transfers running longer than +list (no global notification list).</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dd><p>Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes -(2 hours). The maximum value is 28 days (40320 minutes).</P -></DD -><DT -><B -CLASS="command" ->max-transfer-idle-in</B -></DT -><DD -><P ->Inbound zone transfers making no progress +(2 hours). The maximum value is 28 days (40320 minutes).</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dd><p>Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes -(1 hour). The maximum value is 28 days (40320 minutes).</P -></DD -><DT -><B -CLASS="command" ->max-transfer-time-out</B -></DT -><DD -><P ->Outbound zone transfers running longer than +(1 hour). The maximum value is 28 days (40320 minutes).</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dd><p>Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes -(2 hours). The maximum value is 28 days (40320 minutes).</P -></DD -><DT -><B -CLASS="command" ->max-transfer-idle-out</B -></DT -><DD -><P ->Outbound zone transfers making no progress +(2 hours). The maximum value is 28 days (40320 minutes).</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dd><p>Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 -hour). The maximum value is 28 days (40320 minutes).</P -></DD -><DT -><B -CLASS="command" ->serial-query-rate</B -></DT -><DD -><P ->Slave servers will periodically query master servers +hour). The maximum value is 28 days (40320 minutes).</p></dd> +<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt> +<dd><p>Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are -sent. The value of the <B -CLASS="command" ->serial-query-rate</B -> option, +sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option, an integer, is the maximum number of queries sent per second. The default is 20. -</P -></DD -><DT -><B -CLASS="command" ->serial-queries</B -></DT -><DD -><P ->In BIND 8, the <B -CLASS="command" ->serial-queries</B -> option +</p></dd> +<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt> +<dd><p>In BIND 8, the <span><strong class="command">serial-queries</strong></span> option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding -serial queries and ignores the <B -CLASS="command" ->serial-queries</B -> option. +serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option. Instead, it limits the rate at which the queries are sent -as defined using the <B -CLASS="command" ->serial-query-rate</B -> option. -</P -></DD -><DT -><B -CLASS="command" ->transfer-format</B -></DT -><DD -><P -> Zone transfers can be sent using two different formats, -<B -CLASS="command" ->one-answer</B -> and <B -CLASS="command" ->many-answers</B ->. -The <B -CLASS="command" ->transfer-format</B -> option is used +as defined using the <span><strong class="command">serial-query-rate</strong></span> option. +</p></dd> +<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt> +<dd><p> +Zone transfers can be sent using two different formats, +<span><strong class="command">one-answer</strong></span> and <span><strong class="command">many-answers</strong></span>. +The <span><strong class="command">transfer-format</strong></span> option is used on the master server to determine which format it sends. -<B -CLASS="command" ->one-answer</B -> uses one DNS message per +<span><strong class="command">one-answer</strong></span> uses one DNS message per resource record transferred. -<B -CLASS="command" ->many-answers</B -> packs as many resource records as -possible into a message. <B -CLASS="command" ->many-answers</B -> is more +<span><strong class="command">many-answers</strong></span> packs as many resource records as +possible into a message. <span><strong class="command">many-answers</strong></span> is more efficient, but is only supported by relatively new slave servers, -such as <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8.x and patched -versions of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 4.9.5. The default is -<B -CLASS="command" ->many-answers</B ->. <B -CLASS="command" ->transfer-format</B -> +such as <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span> 8.x and patched +versions of <span class="acronym">BIND</span> 4.9.5. The default is +<span><strong class="command">many-answers</strong></span>. <span><strong class="command">transfer-format</strong></span> may be overridden on a per-server basis by using the -<B -CLASS="command" ->server</B -> statement. -</P -></DD -><DT -><B -CLASS="command" ->transfers-in</B -></DT -><DD -><P ->The maximum number of inbound zone transfers -that can be running concurrently. The default value is <VAR -CLASS="literal" ->10</VAR ->. -Increasing <B -CLASS="command" ->transfers-in</B -> may speed up the convergence -of slave zones, but it also may increase the load on the local system.</P -></DD -><DT -><B -CLASS="command" ->transfers-out</B -></DT -><DD -><P ->The maximum number of outbound zone transfers +<span><strong class="command">server</strong></span> statement. +</p></dd> +<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt> +<dd><p>The maximum number of inbound zone transfers +that can be running concurrently. The default value is <code class="literal">10</code>. +Increasing <span><strong class="command">transfers-in</strong></span> may speed up the convergence +of slave zones, but it also may increase the load on the local system.</p></dd> +<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt> +<dd><p>The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess -of the limit will be refused. The default value is <VAR -CLASS="literal" ->10</VAR ->.</P -></DD -><DT -><B -CLASS="command" ->transfers-per-ns</B -></DT -><DD -><P ->The maximum number of inbound zone transfers +of the limit will be refused. The default value is <code class="literal">10</code>.</p></dd> +<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt> +<dd><p>The maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. -The default value is <VAR -CLASS="literal" ->2</VAR ->. Increasing <B -CLASS="command" ->transfers-per-ns</B -> may +The default value is <code class="literal">2</code>. Increasing <span><strong class="command">transfers-per-ns</strong></span> may speed up the convergence of slave zones, but it also may increase -the load on the remote name server. <B -CLASS="command" ->transfers-per-ns</B -> may -be overridden on a per-server basis by using the <B -CLASS="command" ->transfers</B -> phrase -of the <B -CLASS="command" ->server</B -> statement.</P -></DD -><DT -><B -CLASS="command" ->transfer-source</B -></DT -><DD -><P -><B -CLASS="command" ->transfer-source</B -> determines +the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may +be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase +of the <span><strong class="command">server</strong></span> statement.</p></dd> +<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dd><p><span><strong class="command">transfer-source</strong></span> determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a system controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear -in the remote end's <B -CLASS="command" ->allow-transfer</B -> option for +in the remote end's <span><strong class="command">allow-transfer</strong></span> option for the zone being transferred, if one is specified. This statement -sets the <B -CLASS="command" ->transfer-source</B -> for all zones, but can +sets the <span><strong class="command">transfer-source</strong></span> for all zones, but can be overridden on a per-view or per-zone basis by including a -<B -CLASS="command" ->transfer-source</B -> statement within the -<B -CLASS="command" ->view</B -> or <B -CLASS="command" ->zone</B -> block -in the configuration file.</P -></DD -><DT -><B -CLASS="command" ->transfer-source-v6</B -></DT -><DD -><P ->The same as <B -CLASS="command" ->transfer-source</B ->, -except zone transfers are performed using IPv6.</P -></DD -><DT -><B -CLASS="command" ->alt-transfer-source</B -></DT -><DD -><P ->An alternate transfer source if the one listed in -<B -CLASS="command" ->transfer-source</B -> fails and -<B -CLASS="command" ->use-alt-transfer-source</B -> is set.</P -></DD -><DT -><B -CLASS="command" ->alt-transfer-source-v6</B -></DT -><DD -><P ->An alternate transfer source if the one listed in -<B -CLASS="command" ->transfer-source-v6</B -> fails and -<B -CLASS="command" ->use-alt-transfer-source</B -> is set.</P -></DD -><DT -><B -CLASS="command" ->use-alt-transfer-source</B -></DT -><DD -><P ->Use the alternate transfer sources or not. If views are -specified this defaults to <B -CLASS="command" ->no</B -> otherwise it defaults to -<B -CLASS="command" ->yes</B -> (for BIND 8 compatibility).</P -></DD -><DT -><B -CLASS="command" ->notify-source</B -></DT -><DD -><P -><B -CLASS="command" ->notify-source</B -> determines +<span><strong class="command">transfer-source</strong></span> statement within the +<span><strong class="command">view</strong></span> or <span><strong class="command">zone</strong></span> block +in the configuration file.</p></dd> +<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dd><p>The same as <span><strong class="command">transfer-source</strong></span>, +except zone transfers are performed using IPv6.</p></dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dd> +<p> + An alternate transfer source if the one listed in + <span><strong class="command">transfer-source</strong></span> fails and + <span><strong class="command">use-alt-transfer-source</strong></span> is + set. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> + If you do not wish the alternate transfer source + to be used you should set + <span><strong class="command">use-alt-transfer-source</strong></span> + appropriately and you should not depend upon + getting a answer back to the first refresh + query. + </div> +</dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dd><p>An alternate transfer source if the one listed in +<span><strong class="command">transfer-source-v6</strong></span> fails and +<span><strong class="command">use-alt-transfer-source</strong></span> is set.</p></dd> +<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dd><p>Use the alternate transfer sources or not. If views are +specified this defaults to <span><strong class="command">no</strong></span> otherwise it defaults to +<span><strong class="command">yes</strong></span> (for BIND 8 compatibility).</p></dd> +<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dd><p><span><strong class="command">notify-source</strong></span> determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. -This address must appear in the slave server's <B -CLASS="command" ->masters</B -> -zone clause or in an <B -CLASS="command" ->allow-notify</B -> clause. -This statement sets the <B -CLASS="command" ->notify-source</B -> for all zones, +This address must appear in the slave server's <span><strong class="command">masters</strong></span> +zone clause or in an <span><strong class="command">allow-notify</strong></span> clause. +This statement sets the <span><strong class="command">notify-source</strong></span> for all zones, but can be overridden on a per-zone / per-view basis by including a -<B -CLASS="command" ->notify-source</B -> statement within the <B -CLASS="command" ->zone</B -> -or <B -CLASS="command" ->view</B -> block in the configuration file.</P -></DD -><DT -><B -CLASS="command" ->notify-source-v6</B -></DT -><DD -><P ->Like <B -CLASS="command" ->notify-source</B ->, -but applies to notify messages sent to IPv6 addresses.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN2974" ->6.2.16.8. Bad UDP Port Lists</A -></H3 -><P -> <B -CLASS="command" ->avoid-v4-udp-ports</B -> and <B -CLASS="command" ->avoid-v6-udp-ports</B -> +<span><strong class="command">notify-source</strong></span> statement within the <span><strong class="command">zone</strong></span> +or <span><strong class="command">view</strong></span> block in the configuration file.</p></dd> +<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dd><p>Like <span><strong class="command">notify-source</strong></span>, +but applies to notify messages sent to IPv6 addresses.</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2558398"></a>Bad UDP Port Lists</h4></div></div></div> +<p> +<span><strong class="command">avoid-v4-udp-ports</strong></span> and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list of IPv4 and IPv6 UDP ports that will not be used as system assigned source ports for UDP sockets. These lists prevent named from choosing as its random source port a port that is blocked by your firewall. If a query went out with such a source port, the answer would not get by the firewall and the name server would have to query again. -</P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN2979" ->6.2.16.9. Operating System Resource Limits</A -></H3 -><P ->The server's usage of many system resources can be limited. +</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2558414"></a>Operating System Resource Limits</h4></div></div></div> +<p>The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For -example, <B -CLASS="command" ->1G</B -> can be used instead of -<B -CLASS="command" ->1073741824</B -> to specify a limit of one -gigabyte. <B -CLASS="command" ->unlimited</B -> requests unlimited use, or the -maximum available amount. <B -CLASS="command" ->default</B -> uses the limit +example, <span><strong class="command">1G</strong></span> can be used instead of +<span><strong class="command">1073741824</strong></span> to specify a limit of one +gigabyte. <span><strong class="command">unlimited</strong></span> requests unlimited use, or the +maximum available amount. <span><strong class="command">default</strong></span> uses the limit that was in force when the server was started. See the description of -<B -CLASS="command" ->size_spec</B -> in <A -HREF="Bv9ARM.ch06.html#configuration_file_elements" ->Section 6.1</A ->.</P -><P ->The following options set operating system resource limits for +<span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.</p> +<p>The following options set operating system resource limits for the name server process. Some operating systems don't support some or any of the limits. On such systems, a warning will be issued if the -unsupported limit is used.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->coresize</B -></DT -><DD -><P ->The maximum size of a core dump. The default -is <VAR -CLASS="literal" ->default</VAR ->.</P -></DD -><DT -><B -CLASS="command" ->datasize</B -></DT -><DD -><P ->The maximum amount of data memory the server -may use. The default is <VAR -CLASS="literal" ->default</VAR ->. +unsupported limit is used.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt> +<dd><p>The maximum size of a core dump. The default +is <code class="literal">default</code>.</p></dd> +<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt> +<dd><p>The maximum amount of data memory the server +may use. The default is <code class="literal">default</code>. This is a hard limit on server memory usage. If the server attempts to allocate memory in excess of this limit, the allocation will fail, which may in turn leave @@ -6333,299 +2075,118 @@ amount of memory used by the server, but it can be used to raise an operating system data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the -<B -CLASS="command" ->max-cache-size</B -> and -<B -CLASS="command" ->recursive-clients</B -> +<span><strong class="command">max-cache-size</strong></span> and +<span><strong class="command">recursive-clients</strong></span> options instead. -</P -></DD -><DT -><B -CLASS="command" ->files</B -></DT -><DD -><P ->The maximum number of files the server -may have open concurrently. The default is <VAR -CLASS="literal" ->unlimited</VAR ->. -</P -></DD -><DT -><B -CLASS="command" ->stacksize</B -></DT -><DD -><P ->The maximum amount of stack memory the server -may use. The default is <VAR -CLASS="literal" ->default</VAR ->.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN3016" ->6.2.16.10. Server Resource Limits</A -></H3 -><P ->The following options set limits on the server's +</p></dd> +<dt><span class="term"><span><strong class="command">files</strong></span></span></dt> +<dd><p>The maximum number of files the server +may have open concurrently. The default is <code class="literal">unlimited</code>. +</p></dd> +<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt> +<dd><p>The maximum amount of stack memory the server +may use. The default is <code class="literal">default</code>.</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2558584"></a>Server Resource Limits</h4></div></div></div> +<p>The following options set limits on the server's resource consumption that are enforced internally by the -server rather than the operating system.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->max-ixfr-log-size</B -></DT -><DD -><P ->This option is obsolete; it is accepted +server rather than the operating system.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt> +<dd><p>This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option -<B -CLASS="command" ->max-journal-size</B -> performs a similar +<span><strong class="command">max-journal-size</strong></span> performs a similar function in BIND 8. -</P -></DD -><DT -><B -CLASS="command" ->max-journal-size</B -></DT -><DD -><P ->Sets a maximum size for each journal file -(<A -HREF="Bv9ARM.ch04.html#journal" ->Section 4.2.1</A ->). When the journal file approaches +</p></dd> +<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> +<dd><p>Sets a maximum size for each journal file +(<a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file approaches the specified size, some of the oldest transactions in the journal will be automatically removed. The default is -<VAR -CLASS="literal" ->unlimited</VAR ->.</P -></DD -><DT -><B -CLASS="command" ->host-statistics-max</B -></DT -><DD -><P ->In BIND 8, specifies the maximum number of host statistic +<code class="literal">unlimited</code>.</p></dd> +<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt> +<dd><p>In BIND 8, specifies the maximum number of host statistic entries to be kept. Not implemented in BIND 9. -</P -></DD -><DT -><B -CLASS="command" ->recursive-clients</B -></DT -><DD -><P ->The maximum number of simultaneous recursive lookups +</p></dd> +<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt> +<dd><p>The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is -<VAR -CLASS="literal" ->1000</VAR ->. Because each recursing client uses a fair +<code class="literal">1000</code>. Because each recursing client uses a fair bit of memory, on the order of 20 kilobytes, the value of the -<B -CLASS="command" ->recursive-clients</B -> option may have to be decreased +<span><strong class="command">recursive-clients</strong></span> option may have to be decreased on hosts with limited memory. -</P -></DD -><DT -><B -CLASS="command" ->tcp-clients</B -></DT -><DD -><P ->The maximum number of simultaneous client TCP +</p></dd> +<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt> +<dd><p>The maximum number of simultaneous client TCP connections that the server will accept. -The default is <VAR -CLASS="literal" ->100</VAR ->.</P -></DD -><DT -><B -CLASS="command" ->max-cache-size</B -></DT -><DD -><P ->The maximum amount of memory to use for the +The default is <code class="literal">100</code>.</p></dd> +<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt> +<dd><p>The maximum amount of memory to use for the server's cache, in bytes. When the amount of data in the cache reaches this limit, the server will cause records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each -view. The default is <VAR -CLASS="literal" ->unlimited</VAR ->, meaning that +view. The default is <code class="literal">unlimited</code>, meaning that records are purged from the cache only when their TTLs expire. -</P -></DD -><DT -><B -CLASS="command" ->tcp-listen-queue</B -></DT -><DD -><P ->The listen queue depth. The default and minimum is 3. +</p></dd> +<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt> +<dd><p>The listen queue depth. The default and minimum is 3. If the kernel supports the accept filter "dataready" this also controls how many TCP connections that will be queued in kernel space waiting for some data before being passed to accept. Values less than 3 will be silently raised. -</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN3062" ->6.2.16.11. Periodic Task Intervals</A -></H3 -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->cleaning-interval</B -></DT -><DD -><P ->The server will remove expired resource records -from the cache every <B -CLASS="command" ->cleaning-interval</B -> minutes. +</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2558765"></a>Periodic Task Intervals</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> +<dd><p>The server will remove expired resource records +from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). -If set to 0, no periodic cleaning will occur.</P -></DD -><DT -><B -CLASS="command" ->heartbeat-interval</B -></DT -><DD -><P ->The server will perform zone maintenance tasks -for all zones marked as <B -CLASS="command" ->dialup</B -> whenever this +If set to 0, no periodic cleaning will occur.</p></dd> +<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt> +<dd><p>The server will perform zone maintenance tasks +for all zones marked as <span><strong class="command">dialup</strong></span> whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes). -If set to 0, no zone maintenance for these zones will occur.</P -></DD -><DT -><B -CLASS="command" ->interface-interval</B -></DT -><DD -><P ->The server will scan the network interface list -every <B -CLASS="command" ->interface-interval</B -> minutes. The default +If set to 0, no zone maintenance for these zones will occur.</p></dd> +<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt> +<dd><p>The server will scan the network interface list +every <span><strong class="command">interface-interval</strong></span> minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when the configuration file is loaded. After the scan, the server will begin listening for queries on any newly discovered interfaces (provided they are allowed by the -<B -CLASS="command" ->listen-on</B -> configuration), and will -stop listening on interfaces that have gone away.</P -></DD -><DT -><B -CLASS="command" ->statistics-interval</B -></DT -><DD -><P ->Name server statistics will be logged -every <B -CLASS="command" ->statistics-interval</B -> minutes. The default is +<span><strong class="command">listen-on</strong></span> configuration), and will +stop listening on interfaces that have gone away.</p></dd> +<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt> +<dd> +<p>Name server statistics will be logged +every <span><strong class="command">statistics-interval</strong></span> minutes. The default is 60. The maximum value is 28 days (40320 minutes). -If set to 0, no statistics will be logged.</P -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->Not yet implemented in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->9.</P -></BLOCKQUOTE -></DIV -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="topology" ->6.2.16.12. Topology</A -></H3 -><P ->All other things being equal, when the server chooses a name server +If set to 0, no statistics will be logged.</p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>Not yet implemented in <span class="acronym">BIND</span>9.</p> +</div> +</dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="topology"></a>Topology</h4></div></div></div> +<p>All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is -topologically closest to itself. The <B -CLASS="command" ->topology</B -> statement -takes an <B -CLASS="command" ->address_match_list</B -> and interprets it +topologically closest to itself. The <span><strong class="command">topology</strong></span> statement +takes an <span><strong class="command">address_match_list</strong></span> and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the @@ -6633,124 +2194,61 @@ shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. -For example,</P -><PRE -CLASS="programlisting" ->topology { +For example,</p> +<pre class="programlisting">topology { 10/8; !1.2.3/24; { 1.2/16; 3/8; }; -};</PRE -><P ->will prefer servers on network 10 the most, followed by hosts +};</pre> +<p>will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which -is preferred least of all.</P -><P ->The default topology is</P -><PRE -CLASS="programlisting" -> topology { localhost; localnets; }; -</PRE -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->The <B -CLASS="command" ->topology</B -> option -is not implemented in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9. -</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="the_sortlist_statement" ->6.2.16.13. The <B -CLASS="command" ->sortlist</B -> Statement</A -></H3 -><P ->The response to a DNS query may consist of multiple resource +is preferred least of all.</p> +<p>The default topology is</p> +<pre class="programlisting"> topology { localhost; localnets; }; +</pre> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>The <span><strong class="command">topology</strong></span> option +is not implemented in <span class="acronym">BIND</span> 9. +</p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div> +<p>The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order -(but see the <B -CLASS="command" ->rrset-order</B -> -statement in <A -HREF="Bv9ARM.ch06.html#rrset_ordering" ->Section 6.2.16.14</A ->). +(but see the <span><strong class="command">rrset-order</strong></span> +statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server the sorting can be performed in the server, based on the client's address. This only requires -configuring the name servers, not all the clients.</P -><P ->The <B -CLASS="command" ->sortlist</B -> statement (see below) takes -an <B -CLASS="command" ->address_match_list</B -> and interprets it even -more specifically than the <B -CLASS="command" ->topology</B -> statement -does (<A -HREF="Bv9ARM.ch06.html#topology" ->Section 6.2.16.12</A ->). -Each top level statement in the <B -CLASS="command" ->sortlist</B -> must -itself be an explicit <B -CLASS="command" ->address_match_list</B -> with +configuring the name servers, not all the clients.</p> +<p>The <span><strong class="command">sortlist</strong></span> statement (see below) takes +an <span><strong class="command">address_match_list</strong></span> and interprets it even +more specifically than the <span><strong class="command">topology</strong></span> statement +does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). +Each top level statement in the <span><strong class="command">sortlist</strong></span> must +itself be an explicit <span><strong class="command">address_match_list</strong></span> with one or two elements. The first element (which may be an IP address, -an IP prefix, an ACL name or a nested <B -CLASS="command" ->address_match_list</B ->) +an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>) of each top level list is checked against the source address of -the query until a match is found.</P -><P ->Once the source address of the query has been matched, if +the query until a match is found.</p> +<p>Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is -treated the same as the <B -CLASS="command" ->address_match_list</B -> in -a <B -CLASS="command" ->topology</B -> statement. Each top level element +treated the same as the <span><strong class="command">address_match_list</strong></span> in +a <span><strong class="command">topology</strong></span> statement. Each top level element is assigned a distance and the address in the response with the minimum -distance is moved to the beginning of the response.</P -><P ->In the following example, any queries received from any of +distance is moved to the beginning of the response.</p> +<p>In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 @@ -6761,10 +2259,8 @@ will prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on -their directly connected networks.</P -><PRE -CLASS="programlisting" ->sortlist { +their directly connected networks.</p> +<pre class="programlisting">sortlist { { localhost; // IF the local host { localnets; // THEN first fit on the 192.168.1/24; // following nets @@ -6780,1331 +2276,446 @@ CLASS="programlisting" { 192.168.1/24; 192.168.2/24; }; }; }; { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net }; -};</PRE -><P ->The following example will give reasonable behavior for the +};</pre> +<p>The following example will give reasonable behavior for the local host and hosts on directly connected networks. It is similar -to the behavior of the address sort in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 4.9.x. Responses sent +to the behavior of the address sort in <span class="acronym">BIND</span> 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses -to other queries will not be sorted.</P -><PRE -CLASS="programlisting" ->sortlist { +to other queries will not be sorted.</p> +<pre class="programlisting">sortlist { { localhost; localnets; }; { localnets; }; }; -</PRE -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="rrset_ordering" ->6.2.16.14. RRset Ordering</A -></H3 -><P ->When multiple records are returned in an answer it may be +</pre> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div> +<p>When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. -The <B -CLASS="command" ->rrset-order</B -> statement permits configuration +The <span><strong class="command">rrset-order</strong></span> statement permits configuration of the ordering of the records in a multiple record response. -See also the <B -CLASS="command" ->sortlist</B -> statement, -<A -HREF="Bv9ARM.ch06.html#the_sortlist_statement" ->Section 6.2.16.13</A ->. -</P -><P ->An <B -CLASS="command" ->order_spec</B -> is defined as follows:</P -><PRE -CLASS="programlisting" ->[<SPAN -CLASS="optional" -> class <VAR -CLASS="replaceable" ->class_name</VAR -> </SPAN ->][<SPAN -CLASS="optional" -> type <VAR -CLASS="replaceable" ->type_name</VAR -> </SPAN ->][<SPAN -CLASS="optional" -> name <VAR -CLASS="replaceable" ->"domain_name"</VAR -></SPAN ->] - order <VAR -CLASS="replaceable" ->ordering</VAR -> -</PRE -><P ->If no class is specified, the default is <B -CLASS="command" ->ANY</B ->. -If no type is specified, the default is <B -CLASS="command" ->ANY</B ->. -If no name is specified, the default is "<B -CLASS="command" ->*</B ->".</P -><P ->The legal values for <B -CLASS="command" ->ordering</B -> are:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN3150" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><B -CLASS="command" ->fixed</B -></P -></TD -><TD -><P ->Records are returned in the order they -are defined in the zone file.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->random</B -></P -></TD -><TD -><P ->Records are returned in some random order.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->cyclic</B -></P -></TD -><TD -><P ->Records are returned in a round-robin -order.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->For example:</P -><PRE -CLASS="programlisting" ->rrset-order { +See also the <span><strong class="command">sortlist</strong></span> statement, +<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>. +</p> +<p>An <span><strong class="command">order_spec</strong></span> is defined as follows:</p> +<pre class="programlisting">[<span class="optional"> class <em class="replaceable"><code>class_name</code></em> </span>][<span class="optional"> type <em class="replaceable"><code>type_name</code></em> </span>][<span class="optional"> name <em class="replaceable"><code>"domain_name"</code></em></span>] + order <em class="replaceable"><code>ordering</code></em> +</pre> +<p>If no class is specified, the default is <span><strong class="command">ANY</strong></span>. +If no type is specified, the default is <span><strong class="command">ANY</strong></span>. +If no name is specified, the default is "<span><strong class="command">*</strong></span>".</p> +<p>The legal values for <span><strong class="command">ordering</strong></span> are:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><span><strong class="command">fixed</strong></span></p></td> +<td><p>Records are returned in the order they +are defined in the zone file.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">random</strong></span></p></td> +<td><p>Records are returned in some random order.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">cyclic</strong></span></p></td> +<td><p>Records are returned in a round-robin +order.</p></td> +</tr> +</tbody> +</table></div> +<p>For example:</p> +<pre class="programlisting">rrset-order { class IN type A name "host.example.com" order random; order cyclic; }; -</PRE -><P ->will cause any responses for type A records in class IN that -have "<VAR -CLASS="literal" ->host.example.com</VAR ->" as a suffix, to always be returned -in random order. All other records are returned in cyclic order.</P -><P ->If multiple <B -CLASS="command" ->rrset-order</B -> statements appear, -they are not combined — the last one applies.</P -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->The <B -CLASS="command" ->rrset-order</B -> statement -is not yet fully implemented in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9. +</pre> +<p>will cause any responses for type A records in class IN that +have "<code class="literal">host.example.com</code>" as a suffix, to always be returned +in random order. All other records are returned in cyclic order.</p> +<p>If multiple <span><strong class="command">rrset-order</strong></span> statements appear, +they are not combined — the last one applies.</p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>The <span><strong class="command">rrset-order</strong></span> statement +is not yet fully implemented in <span class="acronym">BIND</span> 9. BIND 9 currently does not support "fixed" ordering. -</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="tuning" ->6.2.16.15. Tuning</A -></H3 -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->lame-ttl</B -></DT -><DD -><P ->Sets the number of seconds to cache a +</p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="tuning"></a>Tuning</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt> +<dd><p>Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is -<SPAN -CLASS="bold" -><B -CLASS="emphasis" ->NOT</B -></SPAN -> recommended.) -Default is <VAR -CLASS="literal" ->600</VAR -> (10 minutes). Maximum value is -<VAR -CLASS="literal" ->1800</VAR -> (30 minutes).</P -></DD -><DT -><B -CLASS="command" ->max-ncache-ttl</B -></DT -><DD -><P ->To reduce network traffic and increase performance -the server stores negative answers. <B -CLASS="command" ->max-ncache-ttl</B -> is +<span class="bold"><strong>NOT</strong></span> recommended.) +Default is <code class="literal">600</code> (10 minutes). Maximum value is +<code class="literal">1800</code> (30 minutes).</p></dd> +<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt> +<dd><p>To reduce network traffic and increase performance +the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is used to set a maximum retention time for these answers in the server in seconds. The default -<B -CLASS="command" ->max-ncache-ttl</B -> is <VAR -CLASS="literal" ->10800</VAR -> seconds (3 hours). -<B -CLASS="command" ->max-ncache-ttl</B -> cannot exceed 7 days and will -be silently truncated to 7 days if set to a greater value.</P -></DD -><DT -><B -CLASS="command" ->max-cache-ttl</B -></DT -><DD -><P -><B -CLASS="command" ->max-cache-ttl</B -> sets +<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). +<span><strong class="command">max-ncache-ttl</strong></span> cannot exceed 7 days and will +be silently truncated to 7 days if set to a greater value.</p></dd> +<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt> +<dd><p><span><strong class="command">max-cache-ttl</strong></span> sets the maximum time for which the server will cache ordinary (positive) -answers. The default is one week (7 days).</P -></DD -><DT -><B -CLASS="command" ->min-roots</B -></DT -><DD -><P ->The minimum number of root servers that +answers. The default is one week (7 days).</p></dd> +<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt> +<dd> +<p>The minimum number of root servers that is required for a request for the root servers to be accepted. Default -is <KBD -CLASS="userinput" ->2</KBD ->.</P -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->Not implemented in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->9.</P -></BLOCKQUOTE -></DIV -></DD -><DT -><B -CLASS="command" ->sig-validity-interval</B -></DT -><DD -><P ->Specifies the number of days into the +is <strong class="userinput"><code>2</code></strong>.</p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>Not implemented in <span class="acronym">BIND</span>9.</p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dd><p>Specifies the number of days into the future when DNSSEC signatures automatically generated as a result -of dynamic updates (<A -HREF="Bv9ARM.ch04.html#dynamic_update" ->Section 4.2</A ->) -will expire. The default is <VAR -CLASS="literal" ->30</VAR -> days. +of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) +will expire. The default is <code class="literal">30</code> days. The maximum value is 10 years (3660 days). The signature inception time is unconditionally set to one hour before the current time -to allow for a limited amount of clock skew.</P -></DD -><DT -><B -CLASS="command" ->min-refresh-time</B ->, <B -CLASS="command" ->max-refresh-time</B ->, <B -CLASS="command" ->min-retry-time</B ->, <B -CLASS="command" ->max-retry-time</B -></DT -><DD -><P -> These options control the server's behavior on refreshing a zone +to allow for a limited amount of clock skew.</p></dd> +<dt> +<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +</dt> +<dd> +<p> +These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are set by the master, giving slave server administrators little control over their contents. -</P -><P -> These options allow the administrator to set a minimum and maximum +</p> +<p> +These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values. -</P -></DD -><DT -><B -CLASS="command" ->edns-udp-size</B -></DT -><DD -><P -> <B -CLASS="command" ->edns-udp-size</B -> sets the advertised EDNS UDP buffer +</p> +</dd> +<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt> +<dd><p> +<span><strong class="command">edns-udp-size</strong></span> sets the advertised EDNS UDP buffer size. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a non default value it to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. -</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="builtin" ->6.2.16.16. Built-in server information zones</A -></H3 -><P ->The server provides some helpful diagnostic information +</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="builtin"></a>Built-in server information zones</h4></div></div></div> +<p>The server provides some helpful diagnostic information through a number of built-in zones under the -pseudo-top-level-domain <VAR -CLASS="literal" ->bind</VAR -> in the -<B -CLASS="command" ->CHAOS</B -> class. These zones are part of a -built-in view (see <A -HREF="Bv9ARM.ch06.html#view_statement_grammar" ->Section 6.2.21</A ->) of class -<B -CLASS="command" ->CHAOS</B -> which is separate from the default view of -class <B -CLASS="command" ->IN</B ->; therefore, any global server options -such as <B -CLASS="command" ->allow-query</B -> do not apply the these zones. +pseudo-top-level-domain <code class="literal">bind</code> in the +<span><strong class="command">CHAOS</strong></span> class. These zones are part of a +built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of class +<span><strong class="command">CHAOS</strong></span> which is separate from the default view of +class <span><strong class="command">IN</strong></span>; therefore, any global server options +such as <span><strong class="command">allow-query</strong></span> do not apply the these zones. If you feel the need to disable these zones, use the options -below, or hide the built-in <B -CLASS="command" ->CHAOS</B -> view by -defining an explicit view of class <B -CLASS="command" ->CHAOS</B -> -that matches all clients.</P -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->version</B -></DT -><DD -><P ->The version the server should report -via a query of the name <VAR -CLASS="literal" ->version.bind</VAR -> -with type <B -CLASS="command" ->TXT</B ->, class <B -CLASS="command" ->CHAOS</B ->. +below, or hide the built-in <span><strong class="command">CHAOS</strong></span> view by +defining an explicit view of class <span><strong class="command">CHAOS</strong></span> +that matches all clients.</p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">version</strong></span></span></dt> +<dd><p>The version the server should report +via a query of the name <code class="literal">version.bind</code> +with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. The default is the real version number of this server. -Specifying <B -CLASS="command" ->version none</B -> -disables processing of the queries.</P -></DD -><DT -><B -CLASS="command" ->hostname</B -></DT -><DD -><P ->The hostname the server should report via a query of -the name <TT -CLASS="filename" ->hostname.bind</TT -> -with type <B -CLASS="command" ->TXT</B ->, class <B -CLASS="command" ->CHAOS</B ->. +Specifying <span><strong class="command">version none</strong></span> +disables processing of the queries.</p></dd> +<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt> +<dd><p>The hostname the server should report via a query of +the name <code class="filename">hostname.bind</code> +with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. This defaults to the hostname of the machine hosting the name server as found by gethostname(). The primary purpose of such queries is to identify which of a group of anycast servers is actually -answering your queries. Specifying <B -CLASS="command" ->hostname none;</B -> -disables processing of the queries.</P -></DD -><DT -><B -CLASS="command" ->server-id</B -></DT -><DD -><P ->The ID of the server should report via a query of -the name <TT -CLASS="filename" ->ID.SERVER</TT -> -with type <B -CLASS="command" ->TXT</B ->, class <B -CLASS="command" ->CHAOS</B ->. +answering your queries. Specifying <span><strong class="command">hostname none;</strong></span> +disables processing of the queries.</p></dd> +<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt> +<dd><p>The ID of the server should report via a query of +the name <code class="filename">ID.SERVER</code> +with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. The primary purpose of such queries is to identify which of a group of anycast servers is actually -answering your queries. Specifying <B -CLASS="command" ->server-id none;</B -> +answering your queries. Specifying <span><strong class="command">server-id none;</strong></span> disables processing of the queries. -Specifying <B -CLASS="command" ->server-id hostname;</B -> will cause named to +Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to use the hostname as found by gethostname(). -The default <B -CLASS="command" ->server-id</B -> is <B -CLASS="command" ->none</B ->. -</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="statsfile" ->6.2.16.17. The Statistics File</A -></H3 -><P ->The statistics file generated by <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 +The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>. +</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="statsfile"></a>The Statistics File</h4></div></div></div> +<p>The statistics file generated by <span class="acronym">BIND</span> 9 is similar, but not identical, to that -generated by <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8. -</P -><P ->The statistics dump begins with the line <B -CLASS="command" ->+++ Statistics Dump -+++ (973798949)</B ->, where the number in parentheses is a standard +generated by <span class="acronym">BIND</span> 8. +</p> +<p>The statistics dump begins with the line <span><strong class="command">+++ Statistics Dump ++++ (973798949)</strong></span>, where the number in parentheses is a standard Unix-style timestamp, measured as seconds since January 1, 1970. Following that line are a series of lines containing a counter type, the value of the counter, optionally a zone name, and optionally a view name. The lines without view and zone listed are global statistics for the entire server. Lines with a zone and view name for the given view and zone (the view name is omitted for the default view). The statistics dump ends -with the line <B -CLASS="command" ->--- Statistics Dump --- (973798949)</B ->, where the -number is identical to the number in the beginning line.</P -><P ->The following statistics counters are maintained:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN3294" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><B -CLASS="command" ->success</B -></P -></TD -><TD -><P ->The number of +with the line <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>, where the +number is identical to the number in the beginning line.</p> +<p>The following statistics counters are maintained:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><span><strong class="command">success</strong></span></p></td> +<td><p>The number of successful queries made to the server or zone. A successful query is defined as query which returns a NOERROR response with at least -one answer RR.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->referral</B -></P -></TD -><TD -><P ->The number of queries which resulted -in referral responses.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->nxrrset</B -></P -></TD -><TD -><P ->The number of queries which resulted in -NOERROR responses with no data.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->nxdomain</B -></P -></TD -><TD -><P ->The number -of queries which resulted in NXDOMAIN responses.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->failure</B -></P -></TD -><TD -><P ->The number of queries which resulted in a -failure response other than those above.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->recursion</B -></P -></TD -><TD -><P ->The number of queries which caused the server -to perform recursion in order to find the final answer.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P -> Each query received by the server will cause exactly one of -<B -CLASS="command" ->success</B ->, -<B -CLASS="command" ->referral</B ->, -<B -CLASS="command" ->nxrrset</B ->, -<B -CLASS="command" ->nxdomain</B ->, or -<B -CLASS="command" ->failure</B -> +one answer RR.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">referral</strong></span></p></td> +<td><p>The number of queries which resulted +in referral responses.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">nxrrset</strong></span></p></td> +<td><p>The number of queries which resulted in +NOERROR responses with no data.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">nxdomain</strong></span></p></td> +<td><p>The number +of queries which resulted in NXDOMAIN responses.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">failure</strong></span></p></td> +<td><p>The number of queries which resulted in a +failure response other than those above.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">recursion</strong></span></p></td> +<td><p>The number of queries which caused the server +to perform recursion in order to find the final answer.</p></td> +</tr> +</tbody> +</table></div> +<p> +Each query received by the server will cause exactly one of +<span><strong class="command">success</strong></span>, +<span><strong class="command">referral</strong></span>, +<span><strong class="command">nxrrset</strong></span>, +<span><strong class="command">nxdomain</strong></span>, or +<span><strong class="command">failure</strong></span> to be incremented, and may additionally cause the -<B -CLASS="command" ->recursion</B -> counter to be incremented. -</P -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="server_statement_grammar" ->6.2.17. <B -CLASS="command" ->server</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" ->server <VAR -CLASS="replaceable" ->ip_addr</VAR -> { - [<SPAN -CLASS="optional" -> bogus <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> provide-ixfr <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> request-ixfr <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> edns <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> transfers <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-format <VAR -CLASS="replaceable" ->( one-answer | many-answers )</VAR -> ; ]</SPAN ->] - [<SPAN -CLASS="optional" -> keys <VAR -CLASS="replaceable" ->{ string ; [<SPAN -CLASS="optional" -> string ; [<SPAN -CLASS="optional" ->...</SPAN ->]</SPAN ->] }</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-source (<VAR -CLASS="replaceable" ->ip4_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-source-v6 (<VAR -CLASS="replaceable" ->ip6_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] +<span><strong class="command">recursion</strong></span> counter to be incremented. +</p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting">server <em class="replaceable"><code>ip_addr</code></em> { + [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>] + [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>] + [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="server_statement_definition_and_usage" ->6.2.18. <B -CLASS="command" ->server</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->server</B -> statement defines characteristics -to be associated with a remote name server.</P -><P -> The <B -CLASS="command" ->server</B -> statement can occur at the top level of the -configuration file or inside a <B -CLASS="command" ->view</B -> statement. -If a <B -CLASS="command" ->view</B -> statement contains -one or more <B -CLASS="command" ->server</B -> statements, only those +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">server</strong></span> statement defines characteristics +to be associated with a remote name server.</p> +<p> +The <span><strong class="command">server</strong></span> statement can occur at the top level of the +configuration file or inside a <span><strong class="command">view</strong></span> statement. +If a <span><strong class="command">view</strong></span> statement contains +one or more <span><strong class="command">server</strong></span> statements, only those apply to the view and any top-level ones are ignored. -If a view contains no <B -CLASS="command" ->server</B -> statements, -any top-level <B -CLASS="command" ->server</B -> statements are used as +If a view contains no <span><strong class="command">server</strong></span> statements, +any top-level <span><strong class="command">server</strong></span> statements are used as defaults. -</P -><P ->If you discover that a remote server is giving out bad data, +</p> +<p>If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default -value of <B -CLASS="command" ->bogus</B -> is <B -CLASS="command" ->no</B ->.</P -><P ->The <B -CLASS="command" ->provide-ixfr</B -> clause determines whether +value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.</p> +<p>The <span><strong class="command">provide-ixfr</strong></span> clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. -If set to <B -CLASS="command" ->yes</B ->, incremental transfer will be provided -whenever possible. If set to <B -CLASS="command" ->no</B ->, all transfers +If set to <span><strong class="command">yes</strong></span>, incremental transfer will be provided +whenever possible. If set to <span><strong class="command">no</strong></span>, all transfers to the remote server will be non-incremental. If not set, the value -of the <B -CLASS="command" ->provide-ixfr</B -> option in the view or -global options block is used as a default.</P -><P ->The <B -CLASS="command" ->request-ixfr</B -> clause determines whether +of the <span><strong class="command">provide-ixfr</strong></span> option in the view or +global options block is used as a default.</p> +<p>The <span><strong class="command">request-ixfr</strong></span> clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the -value of the <B -CLASS="command" ->request-ixfr</B -> option in the view or -global options block is used as a default.</P -><P ->IXFR requests to servers that do not support IXFR will automatically +value of the <span><strong class="command">request-ixfr</strong></span> option in the view or +global options block is used as a default.</p> +<p>IXFR requests to servers that do not support IXFR will automatically fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default -of <B -CLASS="command" ->yes</B -> should always work. -The purpose of the <B -CLASS="command" ->provide-ixfr</B -> and -<B -CLASS="command" ->request-ixfr</B -> clauses is +of <span><strong class="command">yes</strong></span> should always work. +The purpose of the <span><strong class="command">provide-ixfr</strong></span> and +<span><strong class="command">request-ixfr</strong></span> clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers -is buggy and crashes or corrupts data when IXFR is used.</P -><P ->The <B -CLASS="command" ->edns</B -> clause determines whether the local server +is buggy and crashes or corrupts data when IXFR is used.</p> +<p>The <span><strong class="command">edns</strong></span> clause determines whether the local server will attempt to use EDNS when communicating with the remote server. The -default is <B -CLASS="command" ->yes</B ->.</P -><P ->The server supports two zone transfer methods. The first, <B -CLASS="command" ->one-answer</B ->, -uses one DNS message per resource record transferred. <B -CLASS="command" ->many-answers</B -> packs -as many resource records as possible into a message. <B -CLASS="command" ->many-answers</B -> is -more efficient, but is only known to be understood by <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9, <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> -8.x, and patched versions of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 4.9.5. You can specify which method -to use for a server with the <B -CLASS="command" ->transfer-format</B -> option. -If <B -CLASS="command" ->transfer-format</B -> is not specified, the <B -CLASS="command" ->transfer-format</B -> specified -by the <B -CLASS="command" ->options</B -> statement will be used.</P -><P -><B -CLASS="command" ->transfers</B -> is used to limit the number of +default is <span><strong class="command">yes</strong></span>.</p> +<p>The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>, +uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs +as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is +more efficient, but is only known to be understood by <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span> +8.x, and patched versions of <span class="acronym">BIND</span> 4.9.5. You can specify which method +to use for a server with the <span><strong class="command">transfer-format</strong></span> option. +If <span><strong class="command">transfer-format</strong></span> is not specified, the <span><strong class="command">transfer-format</strong></span> specified +by the <span><strong class="command">options</strong></span> statement will be used.</p> +<p><span><strong class="command">transfers</strong></span> is used to limit the number of concurrent inbound zone transfers from the specified server. If -no <B -CLASS="command" ->transfers</B -> clause is specified, the limit is -set according to the <B -CLASS="command" ->transfers-per-ns</B -> option.</P -><P ->The <B -CLASS="command" ->keys</B -> clause identifies a -<B -CLASS="command" ->key_id</B -> defined by the <B -CLASS="command" ->key</B -> statement, -to be used for transaction security (TSIG, <A -HREF="Bv9ARM.ch04.html#tsig" ->Section 4.5</A ->) +no <span><strong class="command">transfers</strong></span> clause is specified, the limit is +set according to the <span><strong class="command">transfers-per-ns</strong></span> option.</p> +<p>The <span><strong class="command">keys</strong></span> clause identifies a +<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement, +to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the message. A request originating from the remote server is not required -to be signed by this key.</P -><P ->Although the grammar of the <B -CLASS="command" ->keys</B -> clause +to be signed by this key.</p> +<p>Although the grammar of the <span><strong class="command">keys</strong></span> clause allows for multiple keys, only a single key per server is currently -supported.</P -><P ->The <B -CLASS="command" ->transfer-source</B -> and -<B -CLASS="command" ->transfer-source-v6</B -> clauses specify the IPv4 and IPv6 source +supported.</p> +<p>The <span><strong class="command">transfer-source</strong></span> and +<span><strong class="command">transfer-source-v6</strong></span> clauses specify the IPv4 and IPv6 source address to be used for zone transfer with the remote server, respectively. -For an IPv4 remote server, only <B -CLASS="command" ->transfer-source</B -> can +For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can be specified. Similarly, for an IPv6 remote server, only -<B -CLASS="command" ->transfer-source-v6</B -> can be specified. +<span><strong class="command">transfer-source-v6</strong></span> can be specified. Form more details, see the description of -<B -CLASS="command" ->transfer-source</B -> and -<B -CLASS="command" ->transfer-source-v6</B -> in -<A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A ->.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN3433" ->6.2.19. <B -CLASS="command" ->trusted-keys</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" ->trusted-keys { - <VAR -CLASS="replaceable" ->string</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->string</VAR -> ; - [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->string</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->string</VAR -> ; [<SPAN -CLASS="optional" ->...</SPAN ->]</SPAN ->] +<span><strong class="command">transfer-source</strong></span> and +<span><strong class="command">transfer-source-v6</strong></span> in +<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2562233"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting">trusted-keys { + <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; + [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN3449" ->6.2.20. <B -CLASS="command" ->trusted-keys</B -> Statement Definition -and Usage</A -></H2 -><P ->The <B -CLASS="command" ->trusted-keys</B -> statement defines DNSSEC -security roots. DNSSEC is described in <A -HREF="Bv9ARM.ch04.html#DNSSEC" ->Section 4.8</A ->. A security root is defined when the public key for a non-authoritative +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2562281"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition +and Usage</h3></div></div></div> +<p>The <span><strong class="command">trusted-keys</strong></span> statement defines DNSSEC +security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned. Once a key has been configured as a trusted key, it is treated as if it had been validated and proven secure. The resolver attempts -DNSSEC validation on all DNS data in subdomains of a security root.</P -><P ->The <B -CLASS="command" ->trusted-keys</B -> statement can contain +DNSSEC validation on all DNS data in subdomains of a security root.</p> +<p>The <span><strong class="command">trusted-keys</strong></span> statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the base-64 representation of the -key data.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="view_statement_grammar" ->6.2.21. <B -CLASS="command" ->view</B -> Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" ->view <VAR -CLASS="replaceable" ->view_name</VAR -> - [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -></SPAN ->] { - match-clients { <VAR -CLASS="replaceable" ->address_match_list</VAR -> } ; - match-destinations { <VAR -CLASS="replaceable" ->address_match_list</VAR -> } ; - match-recursive-only <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; - [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->view_option</VAR ->; ...</SPAN ->] - [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->zone_statement</VAR ->; ...</SPAN ->] +key data.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + match-clients { <em class="replaceable"><code>address_match_list</code></em> } ; + match-destinations { <em class="replaceable"><code>address_match_list</code></em> } ; + match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ; + [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>] + [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>] }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN3471" ->6.2.22. <B -CLASS="command" ->view</B -> Statement Definition and Usage</A -></H2 -><P ->The <B -CLASS="command" ->view</B -> statement is a powerful new feature -of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 that lets a name server answer a DNS query differently +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2562349"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> +<p>The <span><strong class="command">view</strong></span> statement is a powerful new feature +of <span class="acronym">BIND</span> 9 that lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing -split DNS setups without having to run multiple servers.</P -><P ->Each <B -CLASS="command" ->view</B -> statement defines a view of the +split DNS setups without having to run multiple servers.</p> +<p>Each <span><strong class="command">view</strong></span> statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the -<VAR -CLASS="varname" ->address_match_list</VAR -> of the view's -<B -CLASS="command" ->match-clients</B -> clause and its destination IP address matches -the <VAR -CLASS="varname" ->address_match_list</VAR -> of the view's -<B -CLASS="command" ->match-destinations</B -> clause. If not specified, both -<B -CLASS="command" ->match-clients</B -> and <B -CLASS="command" ->match-destinations</B -> +<code class="varname">address_match_list</code> of the view's +<span><strong class="command">match-clients</strong></span> clause and its destination IP address matches +the <code class="varname">address_match_list</code> of the view's +<span><strong class="command">match-destinations</strong></span> clause. If not specified, both +<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> default to matching all addresses. In addition to checking IP addresses -<B -CLASS="command" ->match-clients</B -> and <B -CLASS="command" ->match-destinations</B -> -can also take <B -CLASS="command" ->keys</B -> which provide an mechanism for the +<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> +can also take <span><strong class="command">keys</strong></span> which provide an mechanism for the client to select the view. A view can also be specified -as <B -CLASS="command" ->match-recursive-only</B ->, which means that only recursive +as <span><strong class="command">match-recursive-only</strong></span>, which means that only recursive requests from matching clients will match that view. -The order of the <B -CLASS="command" ->view</B -> statements is significant — +The order of the <span><strong class="command">view</strong></span> statements is significant — a client request will be resolved in the context of the first -<B -CLASS="command" ->view</B -> that it matches.</P -><P ->Zones defined within a <B -CLASS="command" ->view</B -> statement will -be only be accessible to clients that match the <B -CLASS="command" ->view</B ->. +<span><strong class="command">view</strong></span> that it matches.</p> +<p>Zones defined within a <span><strong class="command">view</strong></span> statement will +be only be accessible to clients that match the <span><strong class="command">view</strong></span>. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" -and "external" clients in a split DNS setup.</P -><P ->Many of the options given in the <B -CLASS="command" ->options</B -> statement -can also be used within a <B -CLASS="command" ->view</B -> statement, and then +and "external" clients in a split DNS setup.</p> +<p>Many of the options given in the <span><strong class="command">options</strong></span> statement +can also be used within a <span><strong class="command">view</strong></span> statement, and then apply only when resolving queries with that view. When no view-specific -value is given, the value in the <B -CLASS="command" ->options</B -> statement +value is given, the value in the <span><strong class="command">options</strong></span> statement is used as a default. Also, zone options can have default values specified -in the <B -CLASS="command" ->view</B -> statement; these view-specific defaults -take precedence over those in the <B -CLASS="command" ->options</B -> statement.</P -><P ->Views are class specific. If no class is given, class IN +in the <span><strong class="command">view</strong></span> statement; these view-specific defaults +take precedence over those in the <span><strong class="command">options</strong></span> statement.</p> +<p>Views are class specific. If no class is given, class IN is assumed. Note that all non-IN views must contain a hint zone, -since only the IN class has compiled-in default hints.</P -><P ->If there are no <B -CLASS="command" ->view</B -> statements in the config +since only the IN class has compiled-in default hints.</p> +<p>If there are no <span><strong class="command">view</strong></span> statements in the config file, a default view that matches any client is automatically created -in class IN. Any <B -CLASS="command" ->zone</B -> statements specified on +in class IN. Any <span><strong class="command">zone</strong></span> statements specified on the top level of the configuration file are considered to be part of -this default view, and the <B -CLASS="command" ->options</B -> statement will -apply to the default view. If any explicit <B -CLASS="command" ->view</B -> -statements are present, all <B -CLASS="command" ->zone</B -> statements must -occur inside <B -CLASS="command" ->view</B -> statements.</P -><P ->Here is an example of a typical split DNS setup implemented -using <B -CLASS="command" ->view</B -> statements.</P -><PRE -CLASS="programlisting" ->view "internal" { +this default view, and the <span><strong class="command">options</strong></span> statement will +apply to the default view. If any explicit <span><strong class="command">view</strong></span> +statements are present, all <span><strong class="command">zone</strong></span> statements must +occur inside <span><strong class="command">view</strong></span> statements.</p> +<p>Here is an example of a typical split DNS setup implemented +using <span><strong class="command">view</strong></span> statements.</p> +<pre class="programlisting">view "internal" { // This should match our internal networks. match-clients { 10.0.0.0/8; }; @@ -8133,519 +2744,80 @@ view "external" { file "example-external.db"; }; }; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="zone_statement_grammar" ->6.2.23. <B -CLASS="command" ->zone</B -> -Statement Grammar</A -></H2 -><PRE -CLASS="programlisting" ->zone <VAR -CLASS="replaceable" ->zone_name</VAR -> [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -></SPAN ->] [<SPAN -CLASS="optional" ->{ +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span> +Statement Grammar</h3></div></div></div> +<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] [<span class="optional">{ type ( master | slave | hint | stub | forward | delegation-only ) ; - [<SPAN -CLASS="optional" -> allow-notify { <VAR -CLASS="replaceable" ->address_match_list</VAR -> } ; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-query { <VAR -CLASS="replaceable" ->address_match_list</VAR -> } ; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-transfer { <VAR -CLASS="replaceable" ->address_match_list</VAR -> } ; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-update { <VAR -CLASS="replaceable" ->address_match_list</VAR -> } ; </SPAN ->] - [<SPAN -CLASS="optional" -> update-policy { <VAR -CLASS="replaceable" ->update_policy_rule</VAR -> [<SPAN -CLASS="optional" ->...</SPAN ->] } ; </SPAN ->] - [<SPAN -CLASS="optional" -> allow-update-forwarding { <VAR -CLASS="replaceable" ->address_match_list</VAR -> } ; </SPAN ->] - [<SPAN -CLASS="optional" -> also-notify { <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; ... </SPAN ->] }; </SPAN ->] - [<SPAN -CLASS="optional" -> check-names (<CODE -CLASS="constant" ->warn</CODE ->|<CODE -CLASS="constant" ->fail</CODE ->|<CODE -CLASS="constant" ->ignore</CODE ->) ; </SPAN ->] - [<SPAN -CLASS="optional" -> dialup <VAR -CLASS="replaceable" ->dialup_option</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> delegation-only <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> file <VAR -CLASS="replaceable" ->string</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> forward (<CODE -CLASS="constant" ->only</CODE ->|<CODE -CLASS="constant" ->first</CODE ->) ; </SPAN ->] - [<SPAN -CLASS="optional" -> forwarders { <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; ... </SPAN ->] }; </SPAN ->] - [<SPAN -CLASS="optional" -> ixfr-base <VAR -CLASS="replaceable" ->string</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> ixfr-tmp-file <VAR -CLASS="replaceable" ->string</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> maintain-ixfr-base <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> masters [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] { ( <VAR -CLASS="replaceable" ->masters_list</VAR -> | <VAR -CLASS="replaceable" ->ip_addr</VAR -> [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] [<SPAN -CLASS="optional" ->key <VAR -CLASS="replaceable" ->key</VAR -></SPAN ->] ) ; [<SPAN -CLASS="optional" ->...</SPAN ->] } ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-ixfr-log-size <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-idle-in <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-idle-out <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-time-in <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-transfer-time-out <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> notify <VAR -CLASS="replaceable" ->yes_or_no</VAR -> | <VAR -CLASS="replaceable" ->explicit</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> pubkey <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->number</VAR -> <VAR -CLASS="replaceable" ->string</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-source (<VAR -CLASS="replaceable" ->ip4_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> transfer-source-v6 (<VAR -CLASS="replaceable" ->ip6_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> alt-transfer-source (<VAR -CLASS="replaceable" ->ip4_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> alt-transfer-source-v6 (<VAR -CLASS="replaceable" ->ip6_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> use-alt-transfer-source <VAR -CLASS="replaceable" ->yes_or_no</VAR ->; </SPAN ->] - [<SPAN -CLASS="optional" -> notify-source (<VAR -CLASS="replaceable" ->ip4_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> notify-source-v6 (<VAR -CLASS="replaceable" ->ip6_addr</VAR -> | <CODE -CLASS="constant" ->*</CODE ->) [<SPAN -CLASS="optional" ->port <VAR -CLASS="replaceable" ->ip_port</VAR -></SPAN ->] ; </SPAN ->] - [<SPAN -CLASS="optional" -> zone-statistics <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> sig-validity-interval <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> database <VAR -CLASS="replaceable" ->string</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> min-refresh-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-refresh-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> min-retry-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> max-retry-time <VAR -CLASS="replaceable" ->number</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> multi-master <VAR -CLASS="replaceable" ->yes_or_no</VAR -> ; </SPAN ->] - [<SPAN -CLASS="optional" -> key-directory <VAR -CLASS="replaceable" ->path_name</VAR ->; </SPAN ->] + [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> } ; </span>] + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>] + [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>] + [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> } ; </span>] + [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] } ; </span>] + [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> } ; </span>] + [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] + [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] + [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] + [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>] + [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>] + [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] -}</SPAN ->]; -</PRE -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN3645" ->6.2.24. <B -CLASS="command" ->zone</B -> Statement Definition and Usage</A -></H2 -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN3648" ->6.2.24.1. Zone Types</A -></H3 -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN3650" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><VAR -CLASS="varname" ->master</VAR -></P -></TD -><TD -><P ->The server has a master copy of the data +}</span>]; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2563022"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2563029"></a>Zone Types</h4></div></div></div> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><code class="varname">master</code></p></td> +<td><p>The server has a master copy of the data for the zone and will be able to provide authoritative answers for -it.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->slave</VAR -></P -></TD -><TD -><P ->A slave zone is a replica of a master -zone. The <B -CLASS="command" ->masters</B -> list specifies one or more IP addresses +it.</p></td> +</tr> +<tr> +<td><p><code class="varname">slave</code></p></td> +<td><p>A slave zone is a replica of a master +zone. The <span><strong class="command">masters</strong></span> list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. Masters list elements can also be names of other masters lists. By default, transfers are made from port 53 on the servers; this can @@ -8659,1640 +2831,605 @@ recommended, since it often speeds server start-up and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to use a two level naming scheme for zone file names. For example, -a slave server for the zone <VAR -CLASS="literal" ->example.com</VAR -> might place +a slave server for the zone <code class="literal">example.com</code> might place the zone contents into a file called -<TT -CLASS="filename" ->ex/example.com</TT -> where <TT -CLASS="filename" ->ex/</TT -> is +<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is just the first two letters of the zone name. (Most operating systems behave very slowly if you put 100 000 files into -a single directory.)</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->stub</VAR -></P -></TD -><TD -><P ->A stub zone is similar to a slave zone, +a single directory.)</p></td> +</tr> +<tr> +<td><p><code class="varname">stub</code></p></td> +<td> +<p>A stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; -they are a feature specific to the <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> implementation. -</P -> +they are a feature specific to the <span class="acronym">BIND</span> implementation. +</p> -<P ->Stub zones can be used to eliminate the need for glue NS record +<p>Stub zones can be used to eliminate the need for glue NS record in a parent zone at the expense of maintaining a stub zone entry and -a set of name server addresses in <TT -CLASS="filename" ->named.conf</TT ->. +a set of name server addresses in <code class="filename">named.conf</code>. This usage is not recommended for new configurations, and BIND 9 supports it only in a limited way. -In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 4/8, zone transfers of a parent zone +In <span class="acronym">BIND</span> 4/8, zone transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users could get away with configuring child stubs -only in the master server for the parent zone. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> +only in the master server for the parent zone. <span class="acronym">BIND</span> 9 never mixes together zone data from different zones in this -way. Therefore, if a <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 master serving a parent +way. Therefore, if a <span class="acronym">BIND</span> 9 master serving a parent zone has child stub zones configured, all the slave servers for the parent zone also need to have the same child stub zones -configured.</P -> +configured.</p> -<P ->Stub zones can also be used as a way of forcing the resolution +<p>Stub zones can also be used as a way of forcing the resolution of a given domain to use a particular set of authoritative servers. For example, the caching name servers on a private network using RFC1981 addressing may be configured with stub zones for -<VAR -CLASS="literal" ->10.in-addr.arpa</VAR -> +<code class="literal">10.in-addr.arpa</code> to use a set of internal name servers as the authoritative -servers for that domain.</P -> -</TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->forward</VAR -></P -></TD -><TD -><P ->A "forward zone" is a way to configure -forwarding on a per-domain basis. A <B -CLASS="command" ->zone</B -> statement -of type <B -CLASS="command" ->forward</B -> can contain a <B -CLASS="command" ->forward</B -> and/or <B -CLASS="command" ->forwarders</B -> statement, +servers for that domain.</p> +</td> +</tr> +<tr> +<td><p><code class="varname">forward</code></p></td> +<td> +<p>A "forward zone" is a way to configure +forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement +of type <span><strong class="command">forward</strong></span> can contain a <span><strong class="command">forward</strong></span> and/or <span><strong class="command">forwarders</strong></span> statement, which will apply to queries within the domain given by the zone -name. If no <B -CLASS="command" ->forwarders</B -> statement is present or -an empty list for <B -CLASS="command" ->forwarders</B -> is given, then no +name. If no <span><strong class="command">forwarders</strong></span> statement is present or +an empty list for <span><strong class="command">forwarders</strong></span> is given, then no forwarding will be done for the domain, canceling the effects of -any forwarders in the <B -CLASS="command" ->options</B -> statement. Thus +any forwarders in the <span><strong class="command">options</strong></span> statement. Thus if you want to use this type of zone to change the behavior of the -global <B -CLASS="command" ->forward</B -> option (that is, "forward first +global <span><strong class="command">forward</strong></span> option (that is, "forward first to", then "forward only", or vice versa, but want to use the same -servers as set globally) you need to re-specify the global forwarders.</P -> -</TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->hint</VAR -></P -></TD -><TD -><P ->The initial set of root name servers is +servers as set globally) you need to re-specify the global forwarders.</p> +</td> +</tr> +<tr> +<td><p><code class="varname">hint</code></p></td> +<td><p>The initial set of root name servers is specified using a "hint zone". When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. If no hint zone is specified for class IN, the server uses a compiled-in default set of root servers hints. -Classes other than IN have no built-in defaults hints.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->delegation-only</VAR -></P -></TD -><TD -><P ->This is used to enforce the delegation only +Classes other than IN have no built-in defaults hints.</p></td> +</tr> +<tr> +<td><p><code class="varname">delegation-only</code></p></td> +<td> +<p>This is used to enforce the delegation only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without a explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone -apex. This SHOULD NOT be applied to leaf zones.</P -> -<P -><VAR -CLASS="varname" ->delegation-only</VAR -> has no effect on answers received -from forwarders.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN3713" ->6.2.24.2. Class</A -></H3 -><P ->The zone's name may optionally be followed by a class. If -a class is not specified, class <VAR -CLASS="literal" ->IN</VAR -> (for <VAR -CLASS="varname" ->Internet</VAR ->), -is assumed. This is correct for the vast majority of cases.</P -><P ->The <VAR -CLASS="literal" ->hesiod</VAR -> class is +apex. This SHOULD NOT be applied to leaf zones.</p> +<p><code class="varname">delegation-only</code> has no effect on answers received +from forwarders.</p> +</td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2563267"></a>Class</h4></div></div></div> +<p>The zone's name may optionally be followed by a class. If +a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), +is assumed. This is correct for the vast majority of cases.</p> +<p>The <code class="literal">hesiod</code> class is named for an information service from MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keyword -<VAR -CLASS="literal" ->HS</VAR -> is -a synonym for hesiod.</P -><P ->Another MIT development is CHAOSnet, a LAN protocol created -in the mid-1970s. Zone data for it can be specified with the <VAR -CLASS="literal" ->CHAOS</VAR -> class.</P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN3723" ->6.2.24.3. Zone Options</A -></H3 -><P -></P -><DIV -CLASS="variablelist" -><DL -><DT -><B -CLASS="command" ->allow-notify</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->allow-notify</B -> in <A -HREF="Bv9ARM.ch06.html#access_control" ->Section 6.2.16.4</A -></P -></DD -><DT -><B -CLASS="command" ->allow-query</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->allow-query</B -> in <A -HREF="Bv9ARM.ch06.html#access_control" ->Section 6.2.16.4</A -></P -></DD -><DT -><B -CLASS="command" ->allow-transfer</B -></DT -><DD -><P ->See the description of <B -CLASS="command" ->allow-transfer</B -> -in <A -HREF="Bv9ARM.ch06.html#access_control" ->Section 6.2.16.4</A ->.</P -></DD -><DT -><B -CLASS="command" ->allow-update</B -></DT -><DD -><P ->Specifies which hosts are allowed to +<code class="literal">HS</code> is +a synonym for hesiod.</p> +<p>Another MIT development is CHAOSnet, a LAN protocol created +in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2563434"></a>Zone Options</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a></p></dd> +<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a></p></dd> +<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dd><p>See the description of <span><strong class="command">allow-transfer</strong></span> +in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> +<dd><p>Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see -<A -HREF="Bv9ARM.ch07.html#dynamic_update_security" ->Section 7.3</A -> for details. -</P -></DD -><DT -><B -CLASS="command" ->update-policy</B -></DT -><DD -><P ->Specifies a "Simple Secure Update" policy. See -<A -HREF="Bv9ARM.ch06.html#dynamic_update_policies" ->Section 6.2.24.4</A ->.</P -></DD -><DT -><B -CLASS="command" ->allow-update-forwarding</B -></DT -><DD -><P ->See the description of <B -CLASS="command" ->allow-update-forwarding</B -> -in <A -HREF="Bv9ARM.ch06.html#access_control" ->Section 6.2.16.4</A ->.</P -></DD -><DT -><B -CLASS="command" ->also-notify</B -></DT -><DD -><P ->Only meaningful if <B -CLASS="command" ->notify</B -> is +<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. +</p></dd> +<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt> +<dd><p>Specifies a "Simple Secure Update" policy. See +<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dd><p>See the description of <span><strong class="command">allow-update-forwarding</strong></span> +in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<dd><p>Only meaningful if <span><strong class="command">notify</strong></span> is active for this zone. The set of machines that will receive a -<VAR -CLASS="literal" ->DNS NOTIFY</VAR -> message +<code class="literal">DNS NOTIFY</code> message for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified -with <B -CLASS="command" ->also-notify</B ->. A port may be specified -with each <B -CLASS="command" ->also-notify</B -> address to send the notify +with <span><strong class="command">also-notify</strong></span>. A port may be specified +with each <span><strong class="command">also-notify</strong></span> address to send the notify messages to a port other than the default of 53. -<B -CLASS="command" ->also-notify</B -> is not meaningful for stub zones. -The default is the empty list.</P -></DD -><DT -><B -CLASS="command" ->check-names</B -></DT -><DD -><P -> This option is used to restrict the character set and syntax of +<span><strong class="command">also-notify</strong></span> is not meaningful for stub zones. +The default is the empty list.</p></dd> +<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dd><p> +This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the -network. The default varies according to zone type. For <B -CLASS="command" ->master</B -> zones the default is <B -CLASS="command" ->fail</B ->. For <B -CLASS="command" ->slave</B -> -zones the default is <B -CLASS="command" ->warn</B ->. -</P -></DD -><DT -><B -CLASS="command" ->database</B -></DT -><DD -><P ->Specify the type of database to be used for storing the -zone data. The string following the <B -CLASS="command" ->database</B -> keyword +network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span> +zones the default is <span><strong class="command">warn</strong></span>. +</p></dd> +<dt><span class="term"><span><strong class="command">database</strong></span></span></dt> +<dd> +<p>Specify the type of database to be used for storing the +zone data. The string following the <span><strong class="command">database</strong></span> keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific -to the database type.</P -><P ->The default is <KBD -CLASS="userinput" ->"rbt"</KBD ->, BIND 9's native in-memory -red-black-tree database. This database does not take arguments.</P -><P ->Other values are possible if additional database drivers +to the database type.</p> +<p>The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's native in-memory +red-black-tree database. This database does not take arguments.</p> +<p>Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included -with the distribution but none are linked in by default.</P -></DD -><DT -><B -CLASS="command" ->dialup</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->dialup</B -> in <A -HREF="Bv9ARM.ch06.html#boolean_options" ->Section 6.2.16.1</A ->.</P -></DD -><DT -><B -CLASS="command" ->delegation-only</B -></DT -><DD -><P ->The flag only applies to hint and stub zones. If set -to <KBD -CLASS="userinput" ->yes</KBD -> then the zone will also be treated as if it +with the distribution but none are linked in by default.</p> +</dd> +<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt> +<dd><p>The flag only applies to hint and stub zones. If set +to <strong class="userinput"><code>yes</code></strong> then the zone will also be treated as if it is also a delegation-only type zone. -</P -></DD -><DT -><B -CLASS="command" ->forward</B -></DT -><DD -><P ->Only meaningful if the zone has a forwarders -list. The <B -CLASS="command" ->only</B -> value causes the lookup to fail -after trying the forwarders and getting no answer, while <B -CLASS="command" ->first</B -> would -allow a normal lookup to be tried.</P -></DD -><DT -><B -CLASS="command" ->forwarders</B -></DT -><DD -><P ->Used to override the list of global forwarders. -If it is not specified in a zone of type <B -CLASS="command" ->forward</B ->, -no forwarding is done for the zone; the global options are not used.</P -></DD -><DT -><B -CLASS="command" ->ixfr-base</B -></DT -><DD -><P ->Was used in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8 to specify the name +</p></dd> +<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<dd><p>Only meaningful if the zone has a forwarders +list. The <span><strong class="command">only</strong></span> value causes the lookup to fail +after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would +allow a normal lookup to be tried.</p></dd> +<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dd><p>Used to override the list of global forwarders. +If it is not specified in a zone of type <span><strong class="command">forward</strong></span>, +no forwarding is done for the zone; the global options are not used.</p></dd> +<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt> +<dd><p>Was used in <span class="acronym">BIND</span> 8 to specify the name of the transaction log (journal) file for dynamic update and IXFR. -<ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 ignores the option and constructs the name of the journal -file by appending "<TT -CLASS="filename" ->.jnl</TT ->" to the name of the -zone file.</P -></DD -><DT -><B -CLASS="command" ->ixfr-tmp-file</B -></DT -><DD -><P ->Was an undocumented option in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8. -Ignored in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9.</P -></DD -><DT -><B -CLASS="command" ->max-transfer-time-in</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->max-transfer-time-in</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A ->.</P -></DD -><DT -><B -CLASS="command" ->max-transfer-idle-in</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->max-transfer-idle-in</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A ->.</P -></DD -><DT -><B -CLASS="command" ->max-transfer-time-out</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->max-transfer-time-out</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A ->.</P -></DD -><DT -><B -CLASS="command" ->max-transfer-idle-out</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->max-transfer-idle-out</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A ->.</P -></DD -><DT -><B -CLASS="command" ->notify</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->notify</B -> in <A -HREF="Bv9ARM.ch06.html#boolean_options" ->Section 6.2.16.1</A ->.</P -></DD -><DT -><B -CLASS="command" ->pubkey</B -></DT -><DD -><P ->In <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 8, this option was intended for specifying +<span class="acronym">BIND</span> 9 ignores the option and constructs the name of the journal +file by appending "<code class="filename">.jnl</code>" to the name of the +zone file.</p></dd> +<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt> +<dd><p>Was an undocumented option in <span class="acronym">BIND</span> 8. +Ignored in <span class="acronym">BIND</span> 9.</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt> +<dd><p>In <span class="acronym">BIND</span> 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed -zones when they are loaded from disk. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 does not verify signatures -on load and ignores the option.</P -></DD -><DT -><B -CLASS="command" ->zone-statistics</B -></DT -><DD -><P ->If <KBD -CLASS="userinput" ->yes</KBD ->, the server will keep statistical +zones when they are loaded from disk. <span class="acronym">BIND</span> 9 does not verify signatures +on load and ignores the option.</p></dd> +<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will keep statistical information for this zone, which can be dumped to the -<B -CLASS="command" ->statistics-file</B -> defined in the server options.</P -></DD -><DT -><B -CLASS="command" ->sig-validity-interval</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->sig-validity-interval</B -> in <A -HREF="Bv9ARM.ch06.html#tuning" ->Section 6.2.16.15</A ->.</P -></DD -><DT -><B -CLASS="command" ->transfer-source</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->transfer-source</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A -> -</P -></DD -><DT -><B -CLASS="command" ->transfer-source-v6</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->transfer-source-v6</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A -> -</P -></DD -><DT -><B -CLASS="command" ->alt-transfer-source</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->alt-transfer-source</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A -> -</P -></DD -><DT -><B -CLASS="command" ->alt-transfer-source-v6</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->alt-transfer-source-v6</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A -> -</P -></DD -><DT -><B -CLASS="command" ->use-alt-transfer-source</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->use-alt-transfer-source</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A -> -</P -></DD -><DT -><B -CLASS="command" ->notify-source</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->notify-source</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A -> -</P -></DD -><DT -><B -CLASS="command" ->notify-source-v6</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->notify-source-v6</B -> in <A -HREF="Bv9ARM.ch06.html#zone_transfers" ->Section 6.2.16.7</A ->. -</P -></DD -><DT -><B -CLASS="command" ->min-refresh-time</B ->, <B -CLASS="command" ->max-refresh-time</B ->, <B -CLASS="command" ->min-retry-time</B ->, <B -CLASS="command" ->max-retry-time</B -></DT -><DD -><P -> See the description in <A -HREF="Bv9ARM.ch06.html#tuning" ->Section 6.2.16.15</A ->. -</P -></DD -><DT -><B -CLASS="command" ->ixfr-from-differences</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->ixfr-from-differences</B -> in <A -HREF="Bv9ARM.ch06.html#boolean_options" ->Section 6.2.16.1</A ->.</P -></DD -><DT -><B -CLASS="command" ->key-directory</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->key-directory</B -> in <A -HREF="Bv9ARM.ch06.html#options" ->Section 6.2.16</A -></P -></DD -><DT -><B -CLASS="command" ->multi-master</B -></DT -><DD -><P ->See the description of -<B -CLASS="command" ->multi-master</B -> in <A -HREF="Bv9ARM.ch06.html#boolean_options" ->Section 6.2.16.1</A ->.</P -></DD -></DL -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="dynamic_update_policies" ->6.2.24.4. Dynamic Update Policies</A -></H3 -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 supports two alternative methods of granting clients +<span><strong class="command">statistics-file</strong></span> defined in the server options.</p></dd> +<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a> +</p></dd> +<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. +</p></dd> +<dt> +<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +</dt> +<dd><p> +See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. +</p></dd> +<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.</p></dd> +<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and Usage”</a></p></dd> +<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dd><p>See the description of +<span><strong class="command">multi-master</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.</p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div> +<p><span class="acronym">BIND</span> 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, -configured by the <B -CLASS="command" ->allow-update</B -> and -<B -CLASS="command" ->update-policy</B -> option, respectively.</P -><P ->The <B -CLASS="command" ->allow-update</B -> clause works the same -way as in previous versions of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->. It grants given clients the -permission to update any record of any name in the zone.</P -><P ->The <B -CLASS="command" ->update-policy</B -> clause is new in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> +configured by the <span><strong class="command">allow-update</strong></span> and +<span><strong class="command">update-policy</strong></span> option, respectively.</p> +<p>The <span><strong class="command">allow-update</strong></span> clause works the same +way as in previous versions of <span class="acronym">BIND</span>. It grants given clients the +permission to update any record of any name in the zone.</p> +<p>The <span><strong class="command">update-policy</strong></span> clause is new in <span class="acronym">BIND</span> 9 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can -be determined.</P -><P ->Rules are specified in the <B -CLASS="command" ->update-policy</B -> zone -option, and are only meaningful for master zones. When the <B -CLASS="command" ->update-policy</B -> statement -is present, it is a configuration error for the <B -CLASS="command" ->allow-update</B -> statement -to be present. The <B -CLASS="command" ->update-policy</B -> statement only -examines the signer of a message; the source address is not relevant.</P -><P ->This is how a rule definition looks:</P -><PRE -CLASS="programlisting" -> ( <B -CLASS="command" ->grant</B -> | <B -CLASS="command" ->deny</B -> ) <VAR -CLASS="replaceable" ->identity</VAR -> <VAR -CLASS="replaceable" ->nametype</VAR -> <VAR -CLASS="replaceable" ->name</VAR -> [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->types</VAR -> </SPAN ->] -</PRE -><P ->Each rule grants or denies privileges. Once a message has +be determined.</p> +<p>Rules are specified in the <span><strong class="command">update-policy</strong></span> zone +option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement +is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement +to be present. The <span><strong class="command">update-policy</strong></span> statement only +examines the signer of a message; the source address is not relevant.</p> +<p>This is how a rule definition looks:</p> +<pre class="programlisting"> +( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] +</pre> +<p>Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is immediately granted or denied and no further rules are examined. A rule is matched when the signer matches the identity field, the name matches the name field in accordance with the nametype field, and the type matches -the types specified in the type field.</P -><P ->The identity field specifies a name or a wildcard name. Normally, this +the types specified in the type field.</p> +<p>The identity field specifies a name or a wildcard name. Normally, this is the name of the TSIG or SIG(0) key used to sign the update request. When a TKEY exchange has been used to create a shared secret, the identity of the shared secret is the same as the identity of the key used to authenticate the -TKEY exchange. When the <VAR -CLASS="replaceable" ->identity</VAR -> field specifies a +TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a wildcard name, it is subject to DNS wildcard expansion, so the rule will apply -to multiple identities. The <VAR -CLASS="replaceable" ->identity</VAR -> field must -contain a fully qualified domain name.</P -><P ->The <VAR -CLASS="replaceable" ->nametype</VAR -> field has 4 values: -<VAR -CLASS="varname" ->name</VAR ->, <VAR -CLASS="varname" ->subdomain</VAR ->, -<VAR -CLASS="varname" ->wildcard</VAR ->, and <VAR -CLASS="varname" ->self</VAR ->. -</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4009" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><VAR -CLASS="varname" ->name</VAR -></P -></TD -><TD -><P ->Exact-match semantics. This rule matches when the +to multiple identities. The <em class="replaceable"><code>identity</code></em> field must +contain a fully qualified domain name.</p> +<p>The <em class="replaceable"><code>nametype</code></em> field has 4 values: +<code class="varname">name</code>, <code class="varname">subdomain</code>, +<code class="varname">wildcard</code>, and <code class="varname">self</code>. +</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><code class="varname">name</code></p></td> +<td><p>Exact-match semantics. This rule matches when the name being updated is identical to the contents of the -<VAR -CLASS="replaceable" ->name</VAR -> field.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->subdomain</VAR -></P -></TD -><TD -><P ->This rule matches when the name being updated +<em class="replaceable"><code>name</code></em> field.</p></td> +</tr> +<tr> +<td><p><code class="varname">subdomain</code></p></td> +<td><p>This rule matches when the name being updated is a subdomain of, or identical to, the contents of the -<VAR -CLASS="replaceable" ->name</VAR -> field.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->wildcard</VAR -></P -></TD -><TD -><P ->The <VAR -CLASS="replaceable" ->name</VAR -> field is +<em class="replaceable"><code>name</code></em> field.</p></td> +</tr> +<tr> +<td><p><code class="varname">wildcard</code></p></td> +<td><p>The <em class="replaceable"><code>name</code></em> field is subject to DNS wildcard expansion, and this rule matches when the name -being updated name is a valid expansion of the wildcard.</P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="varname" ->self</VAR -></P -></TD -><TD -><P ->This rule matches when the name being updated -matches the contents of the <VAR -CLASS="replaceable" ->identity</VAR -> field. -The <VAR -CLASS="replaceable" ->name</VAR -> field is ignored, but should be -the same as the <VAR -CLASS="replaceable" ->identity</VAR -> field. The -<VAR -CLASS="varname" ->self</VAR -> nametype is most useful when allowing using +being updated name is a valid expansion of the wildcard.</p></td> +</tr> +<tr> +<td><p><code class="varname">self</code></p></td> +<td><p>This rule matches when the name being updated +matches the contents of the <em class="replaceable"><code>identity</code></em> field. +The <em class="replaceable"><code>name</code></em> field is ignored, but should be +the same as the <em class="replaceable"><code>identity</code></em> field. The +<code class="varname">self</code> nametype is most useful when allowing using one key per name to update, where the key has the same name as the name -to be updated. The <VAR -CLASS="replaceable" ->identity</VAR -> would be -specified as <CODE -CLASS="constant" ->*</CODE -> in this case.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->In all cases, the <VAR -CLASS="replaceable" ->name</VAR -> field must -specify a fully qualified domain name.</P -><P ->If no types are explicitly specified, this rule matches all types except +to be updated. The <em class="replaceable"><code>identity</code></em> would be +specified as <code class="constant">*</code> in this case.</p></td> +</tr> +</tbody> +</table></div> +<p>In all cases, the <em class="replaceable"><code>name</code></em> field must +specify a fully qualified domain name.</p> +<p>If no types are explicitly specified, this rule matches all types except SIG, NS, SOA, and NXT. Types may be specified by name, including "ANY" (ANY matches all types except NXT, which can never be updated). Note that when an attempt is made to delete all records associated with a name, the rules are checked for each existing record type. -</P -></DIV -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN4050" ->6.3. Zone File</A -></H1 -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="types_of_resource_records_and_when_to_use_them" ->6.3.1. Types of Resource Records and When to Use Them</A -></H2 -><P ->This section, largely borrowed from RFC 1034, describes the +</p> +</div> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2564557"></a>Zone File</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> +<p>This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains when each is used. Since the publication of RFC 1034, several new RRs have been identified -and implemented in the DNS. These are also included.</P -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN4055" ->6.3.1.1. Resource Records</A -></H3 -><P ->A domain name identifies a node. Each node has a set of +and implemented in the DNS. These are also included.</p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2564576"></a>Resource Records</h4></div></div></div> +<p>A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify - that a particular nearby server be tried first. See <A -HREF="Bv9ARM.ch06.html#the_sortlist_statement" ->Section 6.2.16.13</A -> and <A -HREF="Bv9ARM.ch06.html#rrset_ordering" ->Section 6.2.16.14</A ->.</P -><P ->The components of a Resource Record are:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4061" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->owner name</P -></TD -><TD -><P ->the domain name where the RR is found.</P -></TD -></TR -><TR -><TD -><P ->type</P -></TD -><TD -><P ->an encoded 16 bit value that specifies -the type of the resource record.</P -></TD -></TR -><TR -><TD -><P ->TTL</P -></TD -><TD -><P ->the time to live of the RR. This field + that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.</p> +<p>The components of a Resource Record are:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>owner name</p></td> +<td><p>the domain name where the RR is found.</p></td> +</tr> +<tr> +<td><p>type</p></td> +<td><p>an encoded 16 bit value that specifies +the type of the resource record.</p></td> +</tr> +<tr> +<td><p>TTL</p></td> +<td><p>the time to live of the RR. This field is a 32 bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can -be cached before it should be discarded.</P -></TD -></TR -><TR -><TD -><P ->class</P -></TD -><TD -><P ->an encoded 16 bit value that identifies -a protocol family or instance of a protocol.</P -></TD -></TR -><TR -><TD -><P ->RDATA</P -></TD -><TD -><P ->the resource data. The format of the -data is type (and sometimes class) specific.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->The following are <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->types</I -></SPAN -> of valid RRs:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4093" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->A</P -></TD -><TD -><P ->a host address. In the IN class, this is a -32-bit IP address. Described in RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->AAAA</P -></TD -><TD -><P ->IPv6 address. Described in RFC 1886.</P -></TD -></TR -><TR -><TD -><P ->A6</P -></TD -><TD -><P ->IPv6 address. This can be a partial +be cached before it should be discarded.</p></td> +</tr> +<tr> +<td><p>class</p></td> +<td><p>an encoded 16 bit value that identifies +a protocol family or instance of a protocol.</p></td> +</tr> +<tr> +<td><p>RDATA</p></td> +<td><p>the resource data. The format of the +data is type (and sometimes class) specific.</p></td> +</tr> +</tbody> +</table></div> +<p>The following are <span class="emphasis"><em>types</em></span> of valid RRs:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>A</p></td> +<td><p>a host address. In the IN class, this is a +32-bit IP address. Described in RFC 1035.</p></td> +</tr> +<tr> +<td><p>AAAA</p></td> +<td><p>IPv6 address. Described in RFC 1886.</p></td> +</tr> +<tr> +<td><p>A6</p></td> +<td><p>IPv6 address. This can be a partial address (a suffix) and an indirection to the name where the rest of the -address (the prefix) can be found. Experimental. Described in RFC 2874.</P -></TD -></TR -><TR -><TD -><P ->AFSDB</P -></TD -><TD -><P ->location of AFS database servers. -Experimental. Described in RFC 1183.</P -></TD -></TR -><TR -><TD -><P ->APL</P -></TD -><TD -><P ->address prefix list. Experimental. -Described in RFC 3123.</P -></TD -></TR -><TR -><TD -><P ->CERT</P -></TD -><TD -><P ->holds a digital certificate. -Described in RFC 2538.</P -></TD -></TR -><TR -><TD -><P ->CNAME</P -></TD -><TD -><P ->identifies the canonical name of an alias. -Described in RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->DNAME</P -></TD -><TD -><P ->Replaces the domain name specified with +address (the prefix) can be found. Experimental. Described in RFC 2874.</p></td> +</tr> +<tr> +<td><p>AFSDB</p></td> +<td><p>location of AFS database servers. +Experimental. Described in RFC 1183.</p></td> +</tr> +<tr> +<td><p>APL</p></td> +<td><p>address prefix list. Experimental. +Described in RFC 3123.</p></td> +</tr> +<tr> +<td><p>CERT</p></td> +<td><p>holds a digital certificate. +Described in RFC 2538.</p></td> +</tr> +<tr> +<td><p>CNAME</p></td> +<td><p>identifies the canonical name of an alias. +Described in RFC 1035.</p></td> +</tr> +<tr> +<td><p>DNAME</p></td> +<td><p>Replaces the domain name specified with another name to be looked up, effectively aliasing an entire subtree of the domain name space rather than a single record as in the case of the CNAME RR. -Described in RFC 2672.</P -></TD -></TR -><TR -><TD -><P ->GPOS</P -></TD -><TD -><P ->Specifies the global position. Superseded by LOC.</P -></TD -></TR -><TR -><TD -><P ->HINFO</P -></TD -><TD -><P ->identifies the CPU and OS used by a host. -Described in RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->ISDN</P -></TD -><TD -><P ->representation of ISDN addresses. -Experimental. Described in RFC 1183.</P -></TD -></TR -><TR -><TD -><P ->KEY</P -></TD -><TD -><P ->stores a public key associated with a -DNS name. Described in RFC 2535.</P -></TD -></TR -><TR -><TD -><P ->KX</P -></TD -><TD -><P ->identifies a key exchanger for this -DNS name. Described in RFC 2230.</P -></TD -></TR -><TR -><TD -><P ->LOC</P -></TD -><TD -><P ->for storing GPS info. Described in RFC 1876. -Experimental.</P -></TD -></TR -><TR -><TD -><P ->MX</P -></TD -><TD -><P ->identifies a mail exchange for the domain. +Described in RFC 2672.</p></td> +</tr> +<tr> +<td><p>GPOS</p></td> +<td><p>Specifies the global position. Superseded by LOC.</p></td> +</tr> +<tr> +<td><p>HINFO</p></td> +<td><p>identifies the CPU and OS used by a host. +Described in RFC 1035.</p></td> +</tr> +<tr> +<td><p>ISDN</p></td> +<td><p>representation of ISDN addresses. +Experimental. Described in RFC 1183.</p></td> +</tr> +<tr> +<td><p>KEY</p></td> +<td><p>stores a public key associated with a +DNS name. Described in RFC 2535.</p></td> +</tr> +<tr> +<td><p>KX</p></td> +<td><p>identifies a key exchanger for this +DNS name. Described in RFC 2230.</p></td> +</tr> +<tr> +<td><p>LOC</p></td> +<td><p>for storing GPS info. Described in RFC 1876. +Experimental.</p></td> +</tr> +<tr> +<td><p>MX</p></td> +<td><p>identifies a mail exchange for the domain. a 16 bit preference value (lower is better) followed by the host name of the mail exchange. -Described in RFC 974, RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->NAPTR</P -></TD -><TD -><P ->name authority pointer. Described in RFC 2915.</P -></TD -></TR -><TR -><TD -><P ->NSAP</P -></TD -><TD -><P ->a network service access point. -Described in RFC 1706.</P -></TD -></TR -><TR -><TD -><P ->NS</P -></TD -><TD -><P ->the authoritative name server for the -domain. Described in RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->NXT</P -></TD -><TD -><P ->used in DNSSEC to securely indicate that +Described in RFC 974, RFC 1035.</p></td> +</tr> +<tr> +<td><p>NAPTR</p></td> +<td><p>name authority pointer. Described in RFC 2915.</p></td> +</tr> +<tr> +<td><p>NSAP</p></td> +<td><p>a network service access point. +Described in RFC 1706.</p></td> +</tr> +<tr> +<td><p>NS</p></td> +<td><p>the authoritative name server for the +domain. Described in RFC 1035.</p></td> +</tr> +<tr> +<td><p>NXT</p></td> +<td><p>used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. -Described in RFC 2535.</P -></TD -></TR -><TR -><TD -><P ->PTR</P -></TD -><TD -><P ->a pointer to another part of the domain -name space. Described in RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->PX</P -></TD -><TD -><P ->provides mappings between RFC 822 and X.400 -addresses. Described in RFC 2163.</P -></TD -></TR -><TR -><TD -><P ->RP</P -></TD -><TD -><P ->information on persons responsible -for the domain. Experimental. Described in RFC 1183.</P -></TD -></TR -><TR -><TD -><P ->RT</P -></TD -><TD -><P ->route-through binding for hosts that +Described in RFC 2535.</p></td> +</tr> +<tr> +<td><p>PTR</p></td> +<td><p>a pointer to another part of the domain +name space. Described in RFC 1035.</p></td> +</tr> +<tr> +<td><p>PX</p></td> +<td><p>provides mappings between RFC 822 and X.400 +addresses. Described in RFC 2163.</p></td> +</tr> +<tr> +<td><p>RP</p></td> +<td><p>information on persons responsible +for the domain. Experimental. Described in RFC 1183.</p></td> +</tr> +<tr> +<td><p>RT</p></td> +<td><p>route-through binding for hosts that do not have their own direct wide area network addresses. -Experimental. Described in RFC 1183.</P -></TD -></TR -><TR -><TD -><P ->SIG</P -></TD -><TD -><P ->("signature") contains data authenticated -in the secure DNS. Described in RFC 2535.</P -></TD -></TR -><TR -><TD -><P ->SOA</P -></TD -><TD -><P ->identifies the start of a zone of authority. -Described in RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->SRV</P -></TD -><TD -><P ->information about well known network -services (replaces WKS). Described in RFC 2782.</P -></TD -></TR -><TR -><TD -><P ->TXT</P -></TD -><TD -><P ->text records. Described in RFC 1035.</P -></TD -></TR -><TR -><TD -><P ->WKS</P -></TD -><TD -><P ->information about which well known +Experimental. Described in RFC 1183.</p></td> +</tr> +<tr> +<td><p>SIG</p></td> +<td><p>("signature") contains data authenticated +in the secure DNS. Described in RFC 2535.</p></td> +</tr> +<tr> +<td><p>SOA</p></td> +<td><p>identifies the start of a zone of authority. +Described in RFC 1035.</p></td> +</tr> +<tr> +<td><p>SRV</p></td> +<td><p>information about well known network +services (replaces WKS). Described in RFC 2782.</p></td> +</tr> +<tr> +<td><p>TXT</p></td> +<td><p>text records. Described in RFC 1035.</p></td> +</tr> +<tr> +<td><p>WKS</p></td> +<td><p>information about which well known network services, such as SMTP, that a domain supports. Historical. -</P -></TD -></TR -><TR -><TD -><P ->X25</P -></TD -><TD -><P ->representation of X.25 network addresses. -Experimental. Described in RFC 1183.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->The following <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->classes</I -></SPAN -> of resource records -are currently valid in the DNS:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4245" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->IN</P -></TD -><TD -><P ->The Internet.</P -></TD -></TR -><TR -><TD -><P ->CH</P -></TD -><TD -><P -> CHAOSnet, a LAN protocol created at MIT in the mid-1970s. +</p></td> +</tr> +<tr> +<td><p>X25</p></td> +<td><p>representation of X.25 network addresses. +Experimental. Described in RFC 1183.</p></td> +</tr> +</tbody> +</table></div> +<p>The following <span class="emphasis"><em>classes</em></span> of resource records +are currently valid in the DNS:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>IN</p></td> +<td><p>The Internet.</p></td> +</tr> +<tr> +<td><p>CH</p></td> +<td><p> +CHAOSnet, a LAN protocol created at MIT in the mid-1970s. Rarely used for its historical purpose, but reused for BIND's built-in server information zones, e.g., -<VAR -CLASS="literal" ->version.bind</VAR ->. -</P -></TD -></TR -><TR -><TD -><P ->HS</P -></TD -><TD -><P -> Hesiod, an information service +<code class="literal">version.bind</code>. +</p></td> +</tr> +<tr> +<td><p>HS</p></td> +<td><p> +Hesiod, an information service developed by MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. -</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->The owner name is often implicit, rather than forming an integral +</p></td> +</tr> +</tbody> +</table></div> +<p>The owner name is often implicit, rather than forming an integral part of the RR. For example, many name servers internally form tree or hash structures for the name space, and chain RRs off nodes. The remaining RR parts are the fixed header (type, class, TTL) which is consistent for all RRs, and a variable part (RDATA) that -fits the needs of the resource being described.</P -><P ->The meaning of the TTL field is a time limit on how long an +fits the needs of the resource being described.</p> +<p>The meaning of the TTL field is a time limit on how long an RR can be kept in a cache. This limit does not apply to authoritative data in zones; it is also timed out, but by the refreshing policies for the zone. The TTL is assigned by the administrator for the @@ -10302,288 +3439,112 @@ of Internet performance suggest that these times should be on the order of days for the typical host. If a change can be anticipated, the TTL can be reduced prior to the change to minimize inconsistency during the change, and then increased back to its former value following -the change.</P -><P ->The data in the RDATA section of RRs is carried as a combination +the change.</p> +<p>The data in the RDATA section of RRs is carried as a combination of binary strings and domain names. The domain names are frequently -used as "pointers" to other data in the DNS.</P -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN4269" ->6.3.1.2. Textual expression of RRs</A -></H3 -><P ->RRs are represented in binary form in the packets of the DNS +used as "pointers" to other data in the DNS.</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2565564"></a>Textual expression of RRs</h4></div></div></div> +<p>RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a name server or resolver. In the examples provided in RFC 1034, a style similar to that used in master files was employed in order to show the contents of RRs. In this format, most RRs are shown on a single line, although continuation lines are possible -using parentheses.</P -><P ->The start of the line gives the owner of the RR. If a line +using parentheses.</p> +<p>The start of the line gives the owner of the RR. If a line begins with a blank, then the owner is assumed to be the same as -that of the previous RR. Blank lines are often included for readability.</P -><P ->Following the owner, we list the TTL, type, and class of the +that of the previous RR. Blank lines are often included for readability.</p> +<p>Following the owner, we list the TTL, type, and class of the RR. Class and type use the mnemonics defined above, and TTL is an integer before the type field. In order to avoid ambiguity in parsing, type and class mnemonics are disjoint, TTLs are integers, and the type mnemonic is always last. The IN class and TTL values -are often omitted from examples in the interests of clarity.</P -><P ->The resource data or RDATA section of the RR are given using -knowledge of the typical representation for the data.</P -><P ->For example, we might show the RRs carried in a message as:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4276" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><VAR -CLASS="literal" ->ISI.EDU.</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->MX</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10 VENERA.ISI.EDU.</VAR -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->MX</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10 VAXA.ISI.EDU</VAR -></P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="literal" ->VENERA.ISI.EDU</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->128.9.0.32</VAR -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.1.0.52</VAR -></P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="literal" ->VAXA.ISI.EDU</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.2.0.27</VAR -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->128.9.0.33</VAR -></P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->The MX RRs have an RDATA section which consists of a 16 bit +are often omitted from examples in the interests of clarity.</p> +<p>The resource data or RDATA section of the RR are given using +knowledge of the typical representation for the data.</p> +<p>For example, we might show the RRs carried in a message as:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><code class="literal">ISI.EDU.</code></p></td> +<td><p><code class="literal">MX</code></p></td> +<td><p><code class="literal">10 VENERA.ISI.EDU.</code></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p><code class="literal">MX</code></p></td> +<td><p><code class="literal">10 VAXA.ISI.EDU</code></p></td> +</tr> +<tr> +<td><p><code class="literal">VENERA.ISI.EDU</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">128.9.0.32</code></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.1.0.52</code></p></td> +</tr> +<tr> +<td><p><code class="literal">VAXA.ISI.EDU</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.2.0.27</code></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">128.9.0.33</code></p></td> +</tr> +</tbody> +</table></div> +<p>The MX RRs have an RDATA section which consists of a 16 bit number followed by a domain name. The address RRs use a standard -IP address format to contain a 32 bit internet address.</P -><P ->This example shows six RRs, with two RRs at each of three -domain names.</P -><P ->Similarly we might see:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4342" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><VAR -CLASS="literal" ->XX.LCS.MIT.EDU. IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.0.0.44</VAR -></P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="literal" ->CH</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->MIT.EDU. 2420</VAR -></P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->This example shows two addresses for <VAR -CLASS="literal" ->XX.LCS.MIT.EDU</VAR ->, -each of a different class.</P -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4370" ->6.3.2. Discussion of MX Records</A -></H2 -><P ->As described above, domain servers store information as a +IP address format to contain a 32 bit internet address.</p> +<p>This example shows six RRs, with two RRs at each of three +domain names.</p> +<p>Similarly we might see:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><code class="literal">XX.LCS.MIT.EDU. IN</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.0.0.44</code></p></td> +</tr> +<tr> +<td><p><code class="literal">CH</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">MIT.EDU. 2420</code></p></td> +</tr> +</tbody> +</table></div> +<p>This example shows two addresses for <code class="literal">XX.LCS.MIT.EDU</code>, +each of a different class.</p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2565990"></a>Discussion of MX Records</h3></div></div></div> +<p>As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of data, a domain name matched with a relevant datum, and stored with some additional type information to help systems -determine when the RR is relevant.</P -><P ->MX records are used to control delivery of email. The data +determine when the RR is relevant.</p> +<p>MX records are used to control delivery of email. The data specified in the record is a priority and a domain name. The priority controls the order in which email delivery is attempted, with the lowest number first. If two priorities are the same, a server is @@ -10591,320 +3552,110 @@ chosen randomly. If no servers at a given priority are responding, the mail transport agent will fall back to the next largest priority. Priority numbers do not have any absolute meaning — they are relevant only respective to other MX records for that domain name. The domain -name given is the machine to which the mail will be delivered. It <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->must</I -></SPAN -> have -an associated A record — CNAME is not sufficient.</P -><P ->For a given domain, if there is both a CNAME record and an +name given is the machine to which the mail will be delivered. It <span class="emphasis"><em>must</em></span> have +an associated A record — CNAME is not sufficient.</p> +<p>For a given domain, if there is both a CNAME record and an MX record, the MX record is in error, and will be ignored. Instead, the mail will be delivered to the server specified in the MX record -pointed to by the CNAME.</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4376" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><VAR -CLASS="literal" ->example.com.</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->MX</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->mail.example.com.</VAR -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->MX</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->mail2.example.com.</VAR -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->MX</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->20</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->mail.backup.org.</VAR -></P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="literal" ->mail.example.com.</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.0.0.1</VAR -></P -></TD -><TD -><P -></P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="literal" ->mail2.example.com.</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->A</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->10.0.0.2</VAR -></P -></TD -><TD -><P -></P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->For example:</P -><P ->Mail delivery will be attempted to <VAR -CLASS="literal" ->mail.example.com</VAR -> and -<VAR -CLASS="literal" ->mail2.example.com</VAR -> (in -any order), and if neither of those succeed, delivery to <VAR -CLASS="literal" ->mail.backup.org</VAR -> will -be attempted.</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="Setting_TTLs" ->6.3.3. Setting TTLs</A -></H2 -><P ->The time to live of the RR field is a 32 bit integer represented +pointed to by the CNAME.</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><code class="literal">example.com.</code></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">MX</code></p></td> +<td><p><code class="literal">10</code></p></td> +<td><p><code class="literal">mail.example.com.</code></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">MX</code></p></td> +<td><p><code class="literal">10</code></p></td> +<td><p><code class="literal">mail2.example.com.</code></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">MX</code></p></td> +<td><p><code class="literal">20</code></p></td> +<td><p><code class="literal">mail.backup.org.</code></p></td> +</tr> +<tr> +<td><p><code class="literal">mail.example.com.</code></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.0.0.1</code></p></td> +<td><p></p></td> +</tr> +<tr> +<td><p><code class="literal">mail2.example.com.</code></p></td> +<td><p><code class="literal">IN</code></p></td> +<td><p><code class="literal">A</code></p></td> +<td><p><code class="literal">10.0.0.2</code></p></td> +<td><p></p></td> +</tr> +</tbody> +</table></div> +<p>For example:</p> +<p>Mail delivery will be attempted to <code class="literal">mail.example.com</code> and +<code class="literal">mail2.example.com</code> (in +any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will +be attempted.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div> +<p>The time to live of the RR field is a 32 bit integer represented in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. The following three types of TTL are currently -used in a zone file.</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4468" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->SOA</P -></TD -><TD -><P ->The last field in the SOA is the negative +used in a zone file.</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>SOA</p></td> +<td> +<p>The last field in the SOA is the negative caching TTL. This controls how long other servers will cache no-such-domain -(NXDOMAIN) responses from you.</P -><P ->The maximum time for -negative caching is 3 hours (3h).</P -></TD -></TR -><TR -><TD -><P ->$TTL</P -></TD -><TD -><P ->The $TTL directive at the top of the +(NXDOMAIN) responses from you.</p> +<p>The maximum time for +negative caching is 3 hours (3h).</p> +</td> +</tr> +<tr> +<td><p>$TTL</p></td> +<td><p>The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without -a specific TTL set.</P -></TD -></TR -><TR -><TD -><P ->RR TTLs</P -></TD -><TD -><P ->Each RR can have a TTL as the second +a specific TTL set.</p></td> +</tr> +<tr> +<td><p>RR TTLs</p></td> +<td><p>Each RR can have a TTL as the second field in the RR, which will control how long other servers can cache -the it.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->All of these TTLs default to units of seconds, though units -can be explicitly specified, for example, <VAR -CLASS="literal" ->1h30m</VAR ->. </P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4491" ->6.3.4. Inverse Mapping in IPv4</A -></H2 -><P ->Reverse name resolution (that is, translation from IP address -to name) is achieved by means of the <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->in-addr.arpa</I -></SPAN -> domain +the it.</p></td> +</tr> +</tbody> +</table></div> +<p>All of these TTLs default to units of seconds, though units +can be explicitly specified, for example, <code class="literal">1h30m</code>. </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2566487"></a>Inverse Mapping in IPv4</h3></div></div></div> +<p>Reverse name resolution (that is, translation from IP address +to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the opposite order to the way IP addresses are usually written. Thus, @@ -10913,647 +3664,201 @@ in-addr.arpa name of 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose data field is the name of the machine or, optionally, multiple PTR records if the machine has more than one name. For example, -in the [<SPAN -CLASS="optional" ->example.com</SPAN ->] domain:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4496" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><VAR -CLASS="literal" ->$ORIGIN</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->2.1.10.in-addr.arpa</VAR -></P -></TD -></TR -><TR -><TD -><P -><VAR -CLASS="literal" ->3</VAR -></P -></TD -><TD -><P -><VAR -CLASS="literal" ->IN PTR foo.example.com.</VAR -></P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B ->The <B -CLASS="command" ->$ORIGIN</B -> lines in the examples +in the [<span class="optional">example.com</span>] domain:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><code class="literal">$ORIGIN</code></p></td> +<td><p><code class="literal">2.1.10.in-addr.arpa</code></p></td> +</tr> +<tr> +<td><p><code class="literal">3</code></p></td> +<td><p><code class="literal">IN PTR foo.example.com.</code></p></td> +</tr> +</tbody> +</table></div> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>The <span><strong class="command">$ORIGIN</strong></span> lines in the examples are for providing context to the examples only-they do not necessarily appear in the actual usage. They are only used here to indicate -that the example is relative to the listed origin.</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4518" ->6.3.5. Other Zone File Directives</A -></H2 -><P ->The Master File Format was initially defined in RFC 1035 and +that the example is relative to the listed origin.</p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2566593"></a>Other Zone File Directives</h3></div></div></div> +<p>The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format itself is class independent all records in a Master File must be of the same -class.</P -><P ->Master File Directives include <B -CLASS="command" ->$ORIGIN</B ->, <B -CLASS="command" ->$INCLUDE</B ->, -and <B -CLASS="command" ->$TTL.</B -></P -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN4525" ->6.3.5.1. The <B -CLASS="command" ->$ORIGIN</B -> Directive</A -></H3 -><P ->Syntax: <B -CLASS="command" ->$ORIGIN -</B -><VAR -CLASS="replaceable" ->domain-name</VAR -> [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->comment</VAR -></SPAN ->]</P -><P -><B -CLASS="command" ->$ORIGIN</B -> sets the domain name that will +class.</p> +<p>Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>, +and <span><strong class="command">$TTL.</strong></span></p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2566612"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> +<p>Syntax: <span><strong class="command">$ORIGIN +</strong></span><em class="replaceable"><code>domain-name</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em></span>]</p> +<p><span><strong class="command">$ORIGIN</strong></span> sets the domain name that will be appended to any unqualified records. When a zone is first read -in there is an implicit <B -CLASS="command" ->$ORIGIN</B -> <<VAR -CLASS="varname" ->zone-name</VAR ->><B -CLASS="command" ->.</B -> The -current <B -CLASS="command" ->$ORIGIN</B -> is appended to the domain specified -in the <B -CLASS="command" ->$ORIGIN</B -> argument if it is not absolute.</P -><PRE -CLASS="programlisting" -><VAR -CLASS="literal" ->$ORIGIN example.com. -WWW CNAME MAIN-SERVER</VAR -></PRE -><P ->is equivalent to</P -><PRE -CLASS="programlisting" -><VAR -CLASS="literal" ->WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</VAR -></PRE -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN4545" ->6.3.5.2. The <B -CLASS="command" ->$INCLUDE</B -> Directive</A -></H3 -><P ->Syntax: <B -CLASS="command" ->$INCLUDE</B -> -<VAR -CLASS="replaceable" ->filename</VAR -> [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->origin</VAR -> </SPAN ->] [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->comment</VAR -> </SPAN ->]</P -><P ->Read and process the file <TT -CLASS="filename" ->filename</TT -> as -if it were included into the file at this point. If <B -CLASS="command" ->origin</B -> is -specified the file is processed with <B -CLASS="command" ->$ORIGIN</B -> set -to that value, otherwise the current <B -CLASS="command" ->$ORIGIN</B -> is -used.</P -><P ->The origin and the current domain name -revert to the values they had prior to the <B -CLASS="command" ->$INCLUDE</B -> once -the file has been read.</P -><DIV -CLASS="note" -><BLOCKQUOTE -CLASS="note" -><P -><B ->Note: </B -> +in there is an implicit <span><strong class="command">$ORIGIN</strong></span> <<code class="varname">zone-name</code>><span><strong class="command">.</strong></span> The +current <span><strong class="command">$ORIGIN</strong></span> is appended to the domain specified +in the <span><strong class="command">$ORIGIN</strong></span> argument if it is not absolute.</p> +<pre class="programlisting">$ORIGIN example.com. +WWW CNAME MAIN-SERVER</pre> +<p>is equivalent to</p> +<pre class="programlisting">WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</pre> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2566667"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> +<p>Syntax: <span><strong class="command">$INCLUDE</strong></span> +<em class="replaceable"><code>filename</code></em> [<span class="optional"> +<em class="replaceable"><code>origin</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p> +<p>Read and process the file <code class="filename">filename</code> as +if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is +specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set +to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is +used.</p> +<p>The origin and the current domain name +revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once +the file has been read.</p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> RFC 1035 specifies that the current origin should be restored after -an <B -CLASS="command" ->$INCLUDE</B ->, but it is silent on whether the current +an <span><strong class="command">$INCLUDE</strong></span>, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. This could be construed as a deviation from RFC 1035, a feature, or both. -</P -></BLOCKQUOTE -></DIV -></DIV -><DIV -CLASS="sect3" -><H3 -CLASS="sect3" -><A -NAME="AEN4565" ->6.3.5.3. The <B -CLASS="command" ->$TTL</B -> Directive</A -></H3 -><P ->Syntax: <B -CLASS="command" ->$TTL</B -> -<VAR -CLASS="replaceable" ->default-ttl</VAR -> [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->comment</VAR -> </SPAN ->]</P -><P ->Set the default Time To Live (TTL) for subsequent records -with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</P -><P -><B -CLASS="command" ->$TTL</B -> is defined in RFC 2308.</P -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4576" ->6.3.6. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> Master File Extension: the <B -CLASS="command" ->$GENERATE</B -> Directive</A -></H2 -><P ->Syntax: <B -CLASS="command" ->$GENERATE</B -> <VAR -CLASS="replaceable" ->range</VAR -> <VAR -CLASS="replaceable" ->lhs</VAR -> [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->ttl</VAR -></SPAN ->] [<SPAN -CLASS="optional" -><VAR -CLASS="replaceable" ->class</VAR -></SPAN ->] <VAR -CLASS="replaceable" ->type</VAR -> <VAR -CLASS="replaceable" ->rhs</VAR -> [<SPAN -CLASS="optional" -> <VAR -CLASS="replaceable" ->comment</VAR -> </SPAN ->]</P -><P -><B -CLASS="command" ->$GENERATE</B -> is used to create a series of -resource records that only differ from each other by an iterator. <B -CLASS="command" ->$GENERATE</B -> can +</p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2566730"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> +<p>Syntax: <span><strong class="command">$TTL</strong></span> +<em class="replaceable"><code>default-ttl</code></em> [<span class="optional"> +<em class="replaceable"><code>comment</code></em> </span>]</p> +<p>Set the default Time To Live (TTL) for subsequent records +with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</p> +<p><span><strong class="command">$TTL</strong></span> is defined in RFC 2308.</p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2566761"></a><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> +<p>Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] [<span class="optional"><em class="replaceable"><code>class</code></em></span>] <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>rhs</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p> +<p><span><strong class="command">$GENERATE</strong></span> is used to create a series of +resource records that only differ from each other by an iterator. <span><strong class="command">$GENERATE</strong></span> can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA -delegation.</P -><PRE -CLASS="programlisting" -><VAR -CLASS="literal" ->$ORIGIN 0.0.192.IN-ADDR.ARPA. +delegation.</p> +<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA. $GENERATE 1-2 0 NS SERVER$.EXAMPLE. -$GENERATE 1-127 $ CNAME $.0</VAR -></PRE -><P ->is equivalent to</P -><PRE -CLASS="programlisting" -><VAR -CLASS="literal" ->0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. +$GENERATE 1-127 $ CNAME $.0</pre> +<p>is equivalent to</p> +<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. ... 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. -</VAR -></PRE -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4600" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P -><B -CLASS="command" ->range</B -></P -></TD -><TD -><P ->This can be one of two forms: start-stop +</pre> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p><span><strong class="command">range</strong></span></p></td> +<td><p>This can be one of two forms: start-stop or start-stop/step. If the first form is used then step is set to - 1. All of start, stop and step must be positive.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->lhs</B -></P -></TD -><TD -><P -><B -CLASS="command" ->lhs</B -> describes the -owner name of the resource records to be created. Any single <B -CLASS="command" ->$</B -> symbols -within the <B -CLASS="command" ->lhs</B -> side are replaced by the iterator + 1. All of start, stop and step must be positive.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">lhs</strong></span></p></td> +<td> +<p><span><strong class="command">lhs</strong></span> describes the +owner name of the resource records to be created. Any single <span><strong class="command">$</strong></span> symbols +within the <span><strong class="command">lhs</strong></span> side are replaced by the iterator value. -To get a $ in the output you need to escape the <B -CLASS="command" ->$</B -> -using a backslash <B -CLASS="command" ->\</B ->, -e.g. <B -CLASS="command" ->\$</B ->. The <B -CLASS="command" ->$</B -> may optionally be followed +To get a $ in the output you need to escape the <span><strong class="command">$</strong></span> +using a backslash <span><strong class="command">\</strong></span>, +e.g. <span><strong class="command">\$</strong></span>. The <span><strong class="command">$</strong></span> may optionally be followed by modifiers which change the offset from the iterator, field width and base. -Modifiers are introduced by a <B -CLASS="command" ->{</B -> immediately following the -<B -CLASS="command" ->$</B -> as <B -CLASS="command" ->${offset[,width[,base]]}</B ->. -e.g. <B -CLASS="command" ->${-20,3,d}</B -> which subtracts 20 from the current value, +Modifiers are introduced by a <span><strong class="command">{</strong></span> immediately following the +<span><strong class="command">$</strong></span> as <span><strong class="command">${offset[,width[,base]]}</strong></span>. +e.g. <span><strong class="command">${-20,3,d}</strong></span> which subtracts 20 from the current value, prints the result as a decimal in a zero padded field of with 3. Available -output forms are decimal (<B -CLASS="command" ->d</B ->), octal (<B -CLASS="command" ->o</B ->) -and hexadecimal (<B -CLASS="command" ->x</B -> or <B -CLASS="command" ->X</B -> for uppercase). -The default modifier is <B -CLASS="command" ->${0,0,d}</B ->. -If the <B -CLASS="command" ->lhs</B -> is not -absolute, the current <B -CLASS="command" ->$ORIGIN</B -> is appended to -the name.</P -> -<P ->For compatibility with earlier versions <B -CLASS="command" ->$$</B -> is still -recognized a indicating a literal $ in the output.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->ttl</B -></P -></TD -><TD -><P -><B -CLASS="command" ->ttl</B -> specifies the +output forms are decimal (<span><strong class="command">d</strong></span>), octal (<span><strong class="command">o</strong></span>) +and hexadecimal (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> for uppercase). +The default modifier is <span><strong class="command">${0,0,d}</strong></span>. +If the <span><strong class="command">lhs</strong></span> is not +absolute, the current <span><strong class="command">$ORIGIN</strong></span> is appended to +the name.</p> +<p>For compatibility with earlier versions <span><strong class="command">$$</strong></span> is still +recognized a indicating a literal $ in the output.</p> +</td> +</tr> +<tr> +<td><p><span><strong class="command">ttl</strong></span></p></td> +<td> +<p><span><strong class="command">ttl</strong></span> specifies the ttl of the generated records. If not specified this will be - inherited using the normal ttl inheritance rules.</P -> - <P -><B -CLASS="command" ->class</B -> and <B -CLASS="command" ->ttl</B -> can be - entered in either order.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->class</B -></P -></TD -><TD -><P -><B -CLASS="command" ->class</B -> specifies the + inherited using the normal ttl inheritance rules.</p> + <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be + entered in either order.</p> +</td> +</tr> +<tr> +<td><p><span><strong class="command">class</strong></span></p></td> +<td> +<p><span><strong class="command">class</strong></span> specifies the class of the generated records. This must match the zone class if - it is specified.</P -> - <P -><B -CLASS="command" ->class</B -> and <B -CLASS="command" ->ttl</B -> can be - entered in either order.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->type</B -></P -></TD -><TD -><P ->At present the only supported types are -PTR, CNAME, DNAME, A, AAAA and NS.</P -></TD -></TR -><TR -><TD -><P -><B -CLASS="command" ->rhs</B -></P -></TD -><TD -><P ->rhs is a domain name. It is processed -similarly to lhs.</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->The <B -CLASS="command" ->$GENERATE</B -> directive is a <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> extension -and not part of the standard zone file format.</P -><P ->BIND 8 does not support the optional TTL and CLASS fields.</P -></DIV -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="Bv9ARM.ch05.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="Bv9ARM.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="Bv9ARM.ch07.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->The <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Lightweight Resolver</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Security Considerations</TD -></TR -></TABLE -></DIV -></BODY -></HTML -> + it is specified.</p> + <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be + entered in either order.</p> +</td> +</tr> +<tr> +<td><p><span><strong class="command">type</strong></span></p></td> +<td><p>At present the only supported types are +PTR, CNAME, DNAME, A, AAAA and NS.</p></td> +</tr> +<tr> +<td><p><span><strong class="command">rhs</strong></span></p></td> +<td><p>rhs is a domain name. It is processed +similarly to lhs.</p></td> +</tr> +</tbody> +</table></div> +<p>The <span><strong class="command">$GENERATE</strong></span> directive is a <span class="acronym">BIND</span> extension +and not part of the standard zone file format.</p> +<p>BIND 8 does not support the optional TTL and CLASS fields.</p> +</div> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations</td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch07.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch07.html index 9e5cc9b8f3f..7a3394a4d70 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.ch07.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.ch07.html @@ -1,160 +1,78 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->BIND 9 Security Considerations</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="BIND 9 Administrator Reference Manual" -HREF="Bv9ARM.html"><LINK -REL="PREVIOUS" -TITLE="BIND 9 Configuration Reference" -HREF="Bv9ARM.ch06.html"><LINK -REL="NEXT" -TITLE="Troubleshooting" -HREF="Bv9ARM.ch08.html"></HEAD -><BODY -CLASS="chapter" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->BIND 9 Administrator Reference Manual</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch06.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch08.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="chapter" -><H1 -><A -NAME="ch07" -></A ->Chapter 7. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Security Considerations</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->7.1. <A -HREF="Bv9ARM.ch07.html#Access_Control_Lists" ->Access Control Lists</A -></DT -><DT ->7.2. <A -HREF="Bv9ARM.ch07.html#AEN4693" -><B -CLASS="command" ->chroot</B -> and <B -CLASS="command" ->setuid</B -> (for -UNIX servers)</A -></DT -><DT ->7.3. <A -HREF="Bv9ARM.ch07.html#dynamic_update_security" ->Dynamic Update Security</A -></DT -></DL -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="Access_Control_Lists" ->7.1. Access Control Lists</A -></H1 -><P ->Access Control Lists (ACLs), are address match lists that -you can set up and nickname for future use in <B -CLASS="command" ->allow-notify</B ->, -<B -CLASS="command" ->allow-query</B ->, <B -CLASS="command" ->allow-recursion</B ->, -<B -CLASS="command" ->blackhole</B ->, <B -CLASS="command" ->allow-transfer</B ->, -etc.</P -><P ->Using ACLs allows you to have finer control over who can access +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.ch07.html,v 1.50.2.9.2.24 2005/10/13 02:34:02 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 7. BIND 9 Security Considerations</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference"> +<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch07"></a>Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2567222"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for +UNIX servers)</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567366">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567424">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> +</dl> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div> +<p>Access Control Lists (ACLs), are address match lists that +you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>, +<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>, +<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>, +etc.</p> +<p>Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge -lists of IP addresses.</P -><P ->It is a <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->good idea</I -></SPAN -> to use ACLs, and to +lists of IP addresses.</p> +<p>It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against -your server.</P -><P ->Here is an example of how to properly apply ACLs:</P -><PRE -CLASS="programlisting" -> // Set up an ACL named "bogusnets" that will block RFC1918 space, +your server.</p> +<p>Here is an example of how to properly apply ACLs:</p> +<pre class="programlisting"> +// Set up an ACL named "bogusnets" that will block RFC1918 space, // which is commonly used in spoofing attacks. acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }; // Set up an ACL called our-nets. Replace this with the real IP numbers. @@ -173,328 +91,110 @@ zone "example.com" { file "m/example.com"; allow-query { any; }; }; -</PRE -><P ->This allows recursive queries of the server from the outside -unless recursion has been previously disabled.</P -><P ->For more information on how to use ACLs to protect your server, -see the <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->AUSCERT</I -></SPAN -> advisory at -<A -HREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" -TARGET="_top" ->ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A -></P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN4693" ->7.2. <B -CLASS="command" ->chroot</B -> and <B -CLASS="command" ->setuid</B -> (for -UNIX servers)</A -></H1 -><P ->On UNIX servers, it is possible to run <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> in a <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->chrooted</I -></SPAN -> environment -(<B -CLASS="command" ->chroot()</B ->) by specifying the "<VAR -CLASS="option" ->-t</VAR ->" -option. This can help improve system security by placing <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> in -a "sandbox", which will limit the damage done if a server is compromised.</P -><P ->Another useful feature in the UNIX version of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> is the -ability to run the daemon as an unprivileged user ( <VAR -CLASS="option" ->-u</VAR -> <VAR -CLASS="replaceable" ->user</VAR -> ). -We suggest running as an unprivileged user when using the <B -CLASS="command" ->chroot</B -> feature.</P -><P ->Here is an example command line to load <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> in a <B -CLASS="command" ->chroot()</B -> sandbox, -<B -CLASS="command" ->/var/named</B ->, and to run <B -CLASS="command" ->named</B -> <B -CLASS="command" ->setuid</B -> to -user 202:</P -><P -><KBD -CLASS="userinput" ->/usr/local/bin/named -u 202 -t /var/named</KBD -></P -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4716" ->7.2.1. The <B -CLASS="command" ->chroot</B -> Environment</A -></H2 -><P ->In order for a <B -CLASS="command" ->chroot()</B -> environment to +</pre> +<p>This allows recursive queries of the server from the outside +unless recursion has been previously disabled.</p> +<p>For more information on how to use ACLs to protect your server, +see the <span class="emphasis"><em>AUSCERT</em></span> advisory at +<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a></p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2567222"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for +UNIX servers)</h2></div></div></div> +<p>On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment +(<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>" +option. This can help improve system security by placing <span class="acronym">BIND</span> in +a "sandbox", which will limit the damage done if a server is compromised.</p> +<p>Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the +ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ). +We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.</p> +<p>Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox, +<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to +user 202:</p> +<p><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2567366"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div> +<p>In order for a <span><strong class="command">chroot()</strong></span> environment to work properly in a particular directory -(for example, <TT -CLASS="filename" ->/var/named</TT ->), +(for example, <code class="filename">/var/named</code>), you will need to set up an environment that includes everything -<ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> needs to run. -From <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->'s point of view, <TT -CLASS="filename" ->/var/named</TT -> is +<span class="acronym">BIND</span> needs to run. +From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is the root of the filesystem. You will need to adjust the values of options like -like <B -CLASS="command" ->directory</B -> and <B -CLASS="command" ->pid-file</B -> to account +like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account for this. -</P -><P -> Unlike with earlier versions of BIND, you will typically -<SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->not</I -></SPAN -> need to compile <B -CLASS="command" ->named</B -> +</p> +<p> +Unlike with earlier versions of BIND, you will typically +<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span> statically nor install shared libraries under the new root. However, depending on your operating system, you may need to set up things like -<TT -CLASS="filename" ->/dev/zero</TT ->, -<TT -CLASS="filename" ->/dev/random</TT ->, -<TT -CLASS="filename" ->/dev/log</TT ->, and/or -<TT -CLASS="filename" ->/etc/localtime</TT ->. -</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4734" ->7.2.2. Using the <B -CLASS="command" ->setuid</B -> Function</A -></H2 -><P ->Prior to running the <B -CLASS="command" ->named</B -> daemon, use -the <B -CLASS="command" ->touch</B -> utility (to change file access and -modification times) or the <B -CLASS="command" ->chown</B -> utility (to +<code class="filename">/dev/zero</code>, +<code class="filename">/dev/random</code>, +<code class="filename">/dev/log</code>, and/or +<code class="filename">/etc/localtime</code>. +</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2567424"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div> +<p>Prior to running the <span><strong class="command">named</strong></span> daemon, use +the <span><strong class="command">touch</strong></span> utility (to change file access and +modification times) or the <span><strong class="command">chown</strong></span> utility (to set the user id and/or group id) on files -to which you want <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> -to write. Note that if the <B -CLASS="command" ->named</B -> daemon is running as an +to which you want <span class="acronym">BIND</span> +to write. Note that if the <span><strong class="command">named</strong></span> daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the -server is reloaded.</P -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="dynamic_update_security" ->7.3. Dynamic Update Security</A -></H1 -><P ->Access to the dynamic +server is reloaded.</p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div> +<p>Access to the dynamic update facility should be strictly limited. In earlier versions of -<ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> the only way to do this was based on the IP +<span class="acronym">BIND</span> the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or -network prefix in the <B -CLASS="command" ->allow-update</B -> zone option. +network prefix in the <span><strong class="command">allow-update</strong></span> zone option. This method is insecure since the source address of the update UDP packet is easily forged. Also note that if the IP addresses allowed by the -<B -CLASS="command" ->allow-update</B -> option include the address of a slave +<span><strong class="command">allow-update</strong></span> option include the address of a slave server which performs forwarding of dynamic updates, the master can be trivially attacked by sending the update to the slave, which will forward it to the master with its own source IP address causing the -master to approve it without question.</P -><P ->For these reasons, we strongly recommend that updates be +master to approve it without question.</p> +<p>For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures -(TSIG). That is, the <B -CLASS="command" ->allow-update</B -> option should +(TSIG). That is, the <span><strong class="command">allow-update</strong></span> option should list only TSIG key names, not IP addresses or network -prefixes. Alternatively, the new <B -CLASS="command" ->update-policy</B -> -option can be used.</P -><P ->Some sites choose to keep all dynamically updated DNS data +prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span> +option can be used.</p> +<p>Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at -all.</P -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="Bv9ARM.ch06.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="Bv9ARM.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="Bv9ARM.ch08.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Configuration Reference</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Troubleshooting</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file +all.</p> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch08.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch08.html index 94d3d795246..2c83bc17af0 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.ch08.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.ch08.html @@ -1,135 +1,73 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Troubleshooting</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="BIND 9 Administrator Reference Manual" -HREF="Bv9ARM.html"><LINK -REL="PREVIOUS" -TITLE="BIND 9 Security Considerations" -HREF="Bv9ARM.ch07.html"><LINK -REL="NEXT" -TITLE="Appendices" -HREF="Bv9ARM.ch09.html"></HEAD -><BODY -CLASS="chapter" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->BIND 9 Administrator Reference Manual</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch07.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch09.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="chapter" -><H1 -><A -NAME="ch08" -></A ->Chapter 8. Troubleshooting</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->8.1. <A -HREF="Bv9ARM.ch08.html#AEN4755" ->Common Problems</A -></DT -><DT ->8.2. <A -HREF="Bv9ARM.ch08.html#AEN4760" ->Incrementing and Changing the Serial Number</A -></DT -><DT ->8.3. <A -HREF="Bv9ARM.ch08.html#AEN4765" ->Where Can I Get Help?</A -></DT -></DL -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN4755" ->8.1. Common Problems</A -></H1 -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4757" ->8.1.1. It's not working; how can I figure out what's wrong?</A -></H2 -><P ->The best solution to solving installation and +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.ch08.html,v 1.50.2.9.2.24 2005/10/13 02:34:02 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 8. Troubleshooting</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations"> +<link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Appendices"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 8. Troubleshooting</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567630">Common Problems</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2567636">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567648">Incrementing and Changing the Serial Number</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567665">Where Can I Get Help?</a></span></dt> +</dl> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2567630"></a>Common Problems</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2567636"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div> +<p>The best solution to solving installation and configuration issues is to take preventative measures by setting up logging files beforehand. The log files provide a source of hints and information that can be used to figure out - what went wrong and how to fix the problem.</P -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN4760" ->8.2. Incrementing and Changing the Serial Number</A -></H1 -><P ->Zone serial numbers are just numbers-they aren't date + what went wrong and how to fix the problem.</p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2567648"></a>Incrementing and Changing the Serial Number</h2></div></div></div> +<p>Zone serial numbers are just numbers-they aren't date related. A lot of people set them to a number that represents a date, usually of the form YYYYMMDDRR. A number of people have been testing these numbers for Y2K compliance and have set the number @@ -138,135 +76,49 @@ NAME="AEN4760" numbers are used to indicate that a zone has been updated. If the serial number on the slave server is lower than the serial number on the master, the slave server will attempt to update its copy of - the zone.</P -><P ->Setting the serial number to a lower number on the master + the zone.</p> +<p>Setting the serial number to a lower number on the master server than the slave server means that the slave will not perform - updates to its copy of the zone.</P -><P ->The solution to this is to add 2147483647 (2^31-1) to the + updates to its copy of the zone.</p> +<p>The solution to this is to add 2147483647 (2^31-1) to the number, reload the zone and make sure all slaves have updated to the new zone serial number, then reset the number to what you want - it to be, and reload the zone again.</P -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN4765" ->8.3. Where Can I Get Help?</A -></H1 -><P ->The Internet Software Consortium (<ACRONYM -CLASS="acronym" ->ISC</ACRONYM ->) offers a wide range - of support and service agreements for <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> and <ACRONYM -CLASS="acronym" ->DHCP</ACRONYM -> servers. Four + it to be, and reload the zone again.</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2567665"></a>Where Can I Get Help?</h2></div></div></div> +<p>The Internet Software Consortium (<span class="acronym">ISC</span>) offers a wide range + of support and service agreements for <span class="acronym">BIND</span> and <span class="acronym">DHCP</span> servers. Four levels of premium support are available and each level includes - support for all <ACRONYM -CLASS="acronym" ->ISC</ACRONYM -> programs, significant discounts on products + support for all <span class="acronym">ISC</span> programs, significant discounts on products and training, and a recognized priority on bug fixes and - non-funded feature requests. In addition, <ACRONYM -CLASS="acronym" ->ISC</ACRONYM -> offers a standard + non-funded feature requests. In addition, <span class="acronym">ISC</span> offers a standard support agreement package which includes services ranging from bug fix announcements to remote support. It also includes training in - <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> and <ACRONYM -CLASS="acronym" ->DHCP</ACRONYM ->.</P -><P ->To discuss arrangements for support, contact - <A -HREF="mailto:info@isc.org" -TARGET="_top" ->info@isc.org</A -> or visit the - <ACRONYM -CLASS="acronym" ->ISC</ACRONYM -> web page at <A -HREF="http://www.isc.org/services/support/" -TARGET="_top" ->http://www.isc.org/services/support/</A -> - to read more.</P -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="Bv9ARM.ch07.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="Bv9ARM.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="Bv9ARM.ch09.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Security Considerations</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Appendices</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file + <span class="acronym">BIND</span> and <span class="acronym">DHCP</span>.</p> +<p>To discuss arrangements for support, contact + <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the + <span class="acronym">ISC</span> web page at <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a> + to read more.</p> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Appendix A. Appendices</td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch09.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch09.html index ea6202b2eb8..a1435f27b16 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.ch09.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.ch09.html @@ -1,121 +1,67 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Appendices</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="BIND 9 Administrator Reference Manual" -HREF="Bv9ARM.html"><LINK -REL="PREVIOUS" -TITLE="Troubleshooting" -HREF="Bv9ARM.ch08.html"></HEAD -><BODY -CLASS="appendix" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->BIND 9 Administrator Reference Manual</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="Bv9ARM.ch08.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -> </TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="appendix" -><H1 -><A -NAME="ch09" -></A ->Appendix A. Appendices</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->A.1. <A -HREF="Bv9ARM.ch09.html#AEN4781" ->Acknowledgments</A -></DT -><DT ->A.2. <A -HREF="Bv9ARM.ch09.html#historical_dns_information" ->General <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Reference Information</A -></DT -><DT ->A.3. <A -HREF="Bv9ARM.ch09.html#bibliography" ->Bibliography (and Suggested Reading)</A -></DT -></DL -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="AEN4781" ->A.1. Acknowledgments</A -></H1 -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN4783" ->A.1.1. A Brief History of the <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> and <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -></A -></H2 -><P ->Although the "official" beginning of the Domain Name +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.ch09.html,v 1.50.2.9.2.25 2005/10/13 02:34:03 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Appendix A. Appendices</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Appendix A. Appendices</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> </td> +</tr> +</table> +<hr> +</div> +<div class="appendix" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch09"></a>Appendix A. Appendices</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2567795">Acknowledgments</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2567800">A Brief History of the <span class="acronym">DNS</span> and <span class="acronym">BIND</span></a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <span class="acronym">DNS</span> Reference Information</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2570087">Other Documents About <span class="acronym">BIND</span></a></span></dt> +</dl></dd> +</dl> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2567795"></a>Acknowledgments</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2567800"></a>A Brief History of the <span class="acronym">DNS</span> and <span class="acronym">BIND</span></h3></div></div></div> +<p>Although the "official" beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the core of the new system was described in 1983 in RFCs 882 and 883. From 1984 to 1987, the ARPAnet (the precursor to today's @@ -126,1462 +72,317 @@ CLASS="acronym" incorporate improvements based on the working model. RFC 1034, "Domain Names-Concepts and Facilities", and RFC 1035, "Domain Names-Implementation and Specification" were published and - became the standards upon which all <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> implementations are + became the standards upon which all <span class="acronym">DNS</span> implementations are built. -</P -><P ->The first working domain name server, called "Jeeves", was +</p> +<p>The first working domain name server, called "Jeeves", was written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20 machines located at the University of Southern California's Information Sciences Institute (USC-ISI) and SRI International's Network Information -Center (SRI-NIC). A <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> server for Unix machines, the Berkeley Internet -Name Domain (<ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->) package, was written soon after by a group of +Center (SRI-NIC). A <span class="acronym">DNS</span> server for Unix machines, the Berkeley Internet +Name Domain (<span class="acronym">BIND</span>) package, was written soon after by a group of graduate students at the University of California at Berkeley under a grant from the US Defense Advanced Research Projects Administration -(DARPA). Versions of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> through 4.8.3 were maintained by the Computer +(DARPA). Versions of <span class="acronym">BIND</span> through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark -Painter, David Riggle and Songnian Zhou made up the initial <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> +Painter, David Riggle and Songnian Zhou made up the initial <span class="acronym">BIND</span> project team. After that, additional work on the software package was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation -employee on loan to the CSRG, worked on <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> for 2 years, from 1985 -to 1987. Many other people also contributed to <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> development +employee on loan to the CSRG, worked on <span class="acronym">BIND</span> for 2 years, from 1985 +to 1987. Many other people also contributed to <span class="acronym">BIND</span> development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, -Mike Muuss, Jim Bloom and Mike Schwartz. <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> maintenance was subsequently -handled by Mike Karels and O. Kure.</P -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> versions 4.9 and 4.9.1 were released by Digital Equipment +Mike Muuss, Jim Bloom and Mike Schwartz. <span class="acronym">BIND</span> maintenance was subsequently +handled by Mike Karels and O. Kure.</p> +<p><span class="acronym">BIND</span> versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then -a DEC employee, became <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->'s primary caretaker. Paul was assisted +a DEC employee, became <span class="acronym">BIND</span>'s primary caretaker. Paul was assisted by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe -Wolfhugel, and others.</P -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> Version 4.9.2 was sponsored by Vixie Enterprises. Paul -Vixie became <ACRONYM -CLASS="acronym" ->BIND</ACRONYM ->'s principal architect/programmer.</P -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> versions from 4.9.3 onward have been developed and maintained +Wolfhugel, and others.</p> +<p><span class="acronym">BIND</span> Version 4.9.2 was sponsored by Vixie Enterprises. Paul +Vixie became <span class="acronym">BIND</span>'s principal architect/programmer.</p> +<p><span class="acronym">BIND</span> versions from 4.9.3 onward have been developed and maintained by the Internet Software Consortium with support being provided by ISC's sponsors. As co-architects/programmers, Bob Halley and -Paul Vixie released the first production-ready version of <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> version -8 in May 1997.</P -><P -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> development work is made possible today by the sponsorship +Paul Vixie released the first production-ready version of <span class="acronym">BIND</span> version +8 in May 1997.</p> +<p><span class="acronym">BIND</span> development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous -individuals.</P -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="historical_dns_information" ->A.2. General <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Reference Information</A -></H1 -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="ipv6addresses" ->A.2.1. IPv6 addresses (AAAA)</A -></H2 -><P ->IPv6 addresses are 128-bit identifiers for interfaces and -sets of interfaces which were introduced in the <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> to facilitate -scalable Internet routing. There are three types of addresses: <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Unicast</I -></SPAN ->, -an identifier for a single interface; <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Anycast</I -></SPAN ->, -an identifier for a set of interfaces; and <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Multicast</I -></SPAN ->, +individuals.</p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="historical_dns_information"></a>General <span class="acronym">DNS</span> Reference Information</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div> +<p>IPv6 addresses are 128-bit identifiers for interfaces and +sets of interfaces which were introduced in the <span class="acronym">DNS</span> to facilitate +scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>, +an identifier for a single interface; <span class="emphasis"><em>Anycast</em></span>, +an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>, an identifier for a set of interfaces. Here we describe the global -Unicast address scheme. For more information, see RFC 2374.</P -><P ->The aggregatable global Unicast address format is as follows:</P -><DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4819" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->3</P -></TD -><TD -><P ->13</P -></TD -><TD -><P ->8</P -></TD -><TD -><P ->24</P -></TD -><TD -><P ->16</P -></TD -><TD -><P ->64 bits</P -></TD -></TR -><TR -><TD -><P ->FP</P -></TD -><TD -><P ->TLA ID</P -></TD -><TD -><P ->RES</P -></TD -><TD -><P ->NLA ID</P -></TD -><TD -><P ->SLA ID</P -></TD -><TD -><P ->Interface ID</P -></TD -></TR -><TR -><TD -COLSPAN="4" -><P -><------ Public Topology -------></P -></TD -><TD -><P -></P -></TD -><TD -><P -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -></P -></TD -><TD -><P -></P -></TD -><TD -><P -></P -></TD -><TD -><P -><-Site Topology-></P -></TD -><TD -><P -></P -></TD -></TR -><TR -><TD -><P -></P -></TD -><TD -><P -></P -></TD -><TD -><P -></P -></TD -><TD -><P -></P -></TD -><TD -><P -></P -></TD -><TD -><P -><------ Interface Identifier ------></P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><P ->Where -<DIV -CLASS="informaltable" -><P -></P -><A -NAME="AEN4888" -></A -><TABLE -CELLPADDING="3" -BORDER="1" -CLASS="CALSTABLE" -><TBODY -><TR -><TD -><P ->FP</P -></TD -><TD -><P ->=</P -></TD -><TD -><P ->Format Prefix (001)</P -></TD -></TR -><TR -><TD -><P ->TLA ID</P -></TD -><TD -><P ->=</P -></TD -><TD -><P ->Top-Level Aggregation Identifier</P -></TD -></TR -><TR -><TD -><P ->RES</P -></TD -><TD -><P ->=</P -></TD -><TD -><P ->Reserved for future use</P -></TD -></TR -><TR -><TD -><P ->NLA ID</P -></TD -><TD -><P ->=</P -></TD -><TD -><P ->Next-Level Aggregation Identifier</P -></TD -></TR -><TR -><TD -><P ->SLA ID</P -></TD -><TD -><P ->=</P -></TD -><TD -><P ->Site-Level Aggregation Identifier</P -></TD -></TR -><TR -><TD -><P ->INTERFACE ID</P -></TD -><TD -><P ->=</P -></TD -><TD -><P ->Interface Identifier</P -></TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -></P -><P ->The <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Public Topology</I -></SPAN -> is provided by the -upstream provider or ISP, and (roughly) corresponds to the IPv4 <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->network</I -></SPAN -> section -of the address range. The <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Site Topology</I -></SPAN -> is +Unicast address scheme. For more information, see RFC 2374.</p> +<p>The aggregatable global Unicast address format is as follows:</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>3</p></td> +<td><p>13</p></td> +<td><p>8</p></td> +<td><p>24</p></td> +<td><p>16</p></td> +<td><p>64 bits</p></td> +</tr> +<tr> +<td><p>FP</p></td> +<td><p>TLA ID</p></td> +<td><p>RES</p></td> +<td><p>NLA ID</p></td> +<td><p>SLA ID</p></td> +<td><p>Interface ID</p></td> +</tr> +<tr> +<td colspan="4"><p><------ Public Topology +------></p></td> +<td><p></p></td> +<td><p></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p></p></td> +<td><p></p></td> +<td><p></p></td> +<td><p><-Site Topology-></p></td> +<td><p></p></td> +</tr> +<tr> +<td><p></p></td> +<td><p></p></td> +<td><p></p></td> +<td><p></p></td> +<td><p></p></td> +<td><p><------ Interface Identifier ------></p></td> +</tr> +</tbody> +</table></div> +<p>Where +</p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td><p>FP</p></td> +<td><p>=</p></td> +<td><p>Format Prefix (001)</p></td> +</tr> +<tr> +<td><p>TLA ID</p></td> +<td><p>=</p></td> +<td><p>Top-Level Aggregation Identifier</p></td> +</tr> +<tr> +<td><p>RES</p></td> +<td><p>=</p></td> +<td><p>Reserved for future use</p></td> +</tr> +<tr> +<td><p>NLA ID</p></td> +<td><p>=</p></td> +<td><p>Next-Level Aggregation Identifier</p></td> +</tr> +<tr> +<td><p>SLA ID</p></td> +<td><p>=</p></td> +<td><p>Site-Level Aggregation Identifier</p></td> +</tr> +<tr> +<td><p>INTERFACE ID</p></td> +<td><p>=</p></td> +<td><p>Interface Identifier</p></td> +</tr> +</tbody> +</table></div> +<p>The <span class="emphasis"><em>Public Topology</em></span> is provided by the +upstream provider or ISP, and (roughly) corresponds to the IPv4 <span class="emphasis"><em>network</em></span> section +of the address range. The <span class="emphasis"><em>Site Topology</em></span> is where you can subnet this space, much the same as subnetting an -IPv4 /16 network into /24 subnets. The <SPAN -CLASS="emphasis" -><I -CLASS="emphasis" ->Interface Identifier</I -></SPAN -> is +IPv4 /16 network into /24 subnets. The <span class="emphasis"><em>Interface Identifier</em></span> is the address of an individual interface on a given network. (With -IPv6, addresses belong to interfaces rather than machines.)</P -><P ->The subnetting capability of IPv6 is much more flexible than +IPv6, addresses belong to interfaces rather than machines.)</p> +<p>The subnetting capability of IPv6 is much more flexible than that of IPv4: subnetting can now be carried out on bit boundaries, -in much the same way as Classless InterDomain Routing (CIDR).</P -><P ->The Interface Identifier must be unique on that network. On +in much the same way as Classless InterDomain Routing (CIDR).</p> +<p>The Interface Identifier must be unique on that network. On ethernet networks, one way to ensure this is to set the address to the first three bytes of the hardware address, "FFFE", then the last three bytes of the hardware address. The lowest significant bit of the first byte should then be complemented. Addresses are written as 32-bit blocks separated with a colon, and leading zeros -of a block may be omitted, for example:</P -><P -><B -CLASS="command" ->2001:db8:201:9:a00:20ff:fe81:2b32</B -></P -><P ->IPv6 address specifications are likely to contain long strings +of a block may be omitted, for example:</p> +<p><span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span></p> +<p>IPv6 address specifications are likely to contain long strings of zeros, so the architects have included a shorthand for specifying them. The double colon (`::') indicates the longest possible string -of zeros that can fit, and can be used only once in an address.</P -></DIV -></DIV -><DIV -CLASS="sect1" -><H1 -CLASS="sect1" -><A -NAME="bibliography" ->A.3. Bibliography (and Suggested Reading)</A -></H1 -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="rfcs" ->A.3.1. Request for Comments (RFCs)</A -></H2 -><P ->Specification documents for the Internet protocol suite, including -the <ACRONYM -CLASS="acronym" ->DNS</ACRONYM ->, are published as part of the Request for Comments (RFCs) +of zeros that can fit, and can be used only once in an address.</p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div> +<p>Specification documents for the Internet protocol suite, including +the <span class="acronym">DNS</span>, are published as part of the Request for Comments (RFCs) series of technical notes. The standards themselves are defined by the Internet Engineering Task Force (IETF) and the Internet Engineering Steering Group (IESG). RFCs can be obtained online via FTP at -<A -HREF="ftp://www.isi.edu/in-notes/" -TARGET="_top" ->ftp://www.isi.edu/in-notes/RFC<VAR -CLASS="replaceable" ->xxx</VAR ->.txt</A -> (where <VAR -CLASS="replaceable" ->xxx</VAR -> is +<a href="ftp://www.isi.edu/in-notes/" target="_top">ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxx</code></em>.txt</a> (where <em class="replaceable"><code>xxx</code></em> is the number of the RFC). RFCs are also available via the Web at -<A -HREF="http://www.ietf.org/rfc/" -TARGET="_top" ->http://www.ietf.org/rfc/</A ->. -</P -><H3 -><A -NAME="AEN4956" ->Bibliography</A -></H3 -><H2 -CLASS="bibliodiv" -><A -NAME="AEN4957" ->Standards</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN4959" -></A -><P ->[RFC974] <SPAN -CLASS="AUTHOR" ->C. Partridge</SPAN ->, <I ->Mail Routing and the Domain System</I ->, January 1986.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN4966" -></A -><P ->[RFC1034] <SPAN -CLASS="AUTHOR" ->P.V. Mockapetris</SPAN ->, <I ->Domain Names — Concepts and Facilities</I ->, November 1987.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN4973" -></A -><P ->[RFC1035] <SPAN -CLASS="AUTHOR" ->P. V. Mockapetris</SPAN ->, <I ->Domain Names — Implementation and -Specification</I ->, November 1987.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="proposed_standards" ->Proposed Standards</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN4982" -></A -><P ->[RFC2181] <SPAN -CLASS="AUTHOR" ->R., R. Bush Elz</SPAN ->, <I ->Clarifications to the <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Specification</I ->, July 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN4990" -></A -><P ->[RFC2308] <SPAN -CLASS="AUTHOR" ->M. Andrews</SPAN ->, <I ->Negative Caching of <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Queries</I ->, March 1998.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN4998" -></A -><P ->[RFC1995] <SPAN -CLASS="AUTHOR" ->M. Ohta</SPAN ->, <I ->Incremental Zone Transfer in <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -></I ->, August 1996.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5006" -></A -><P ->[RFC1996] <SPAN -CLASS="AUTHOR" ->P. Vixie</SPAN ->, <I ->A Mechanism for Prompt Notification of Zone Changes</I ->, August 1996.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5013" -></A -><P ->[RFC2136] <SPAN -CLASS="AUTHOR" ->P. Vixie, </SPAN -><SPAN -CLASS="AUTHOR" ->S. Thomson, </SPAN -><SPAN -CLASS="AUTHOR" ->Y. Rekhter, </SPAN -><SPAN -CLASS="AUTHOR" ->and J. Bound</SPAN ->, <I ->Dynamic Updates in the Domain Name System</I ->, April 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5030" -></A -><P ->[RFC2845] <SPAN -CLASS="AUTHOR" ->P. Vixie, </SPAN -><SPAN -CLASS="AUTHOR" ->O. Gudmundsson, </SPAN -><SPAN -CLASS="AUTHOR" ->D. Eastlake, 3rd, </SPAN -><SPAN -CLASS="AUTHOR" ->and B. Wellington</SPAN ->, <I ->Secret Key Transaction Authentication for <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> (TSIG)</I ->, May 2000.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="AEN5049" ->Proposed Standards Still Under Development</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5054" -></A -><P ->[RFC1886] <SPAN -CLASS="AUTHOR" ->S. Thomson </SPAN -><SPAN -CLASS="AUTHOR" ->and C. Huitema</SPAN ->, <I -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Extensions to support IP version 6</I ->, December 1995.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5066" -></A -><P ->[RFC2065] <SPAN -CLASS="AUTHOR" ->D. Eastlake, 3rd </SPAN -><SPAN -CLASS="AUTHOR" ->and C. Kaufman</SPAN ->, <I ->Domain Name System Security Extensions</I ->, January 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5078" -></A -><P ->[RFC2137] <SPAN -CLASS="AUTHOR" ->D. Eastlake, 3rd</SPAN ->, <I ->Secure Domain Name System Dynamic Update</I ->, April 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="AEN5086" ->Other Important RFCs About <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Implementation</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5089" -></A -><P ->[RFC1535] <SPAN -CLASS="AUTHOR" ->E. Gavron</SPAN ->, <I ->A Security Problem and Proposed Correction With Widely Deployed <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Software.</I ->, October 1993.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5097" -></A -><P ->[RFC1536] <SPAN -CLASS="AUTHOR" ->A. Kumar, </SPAN -><SPAN -CLASS="AUTHOR" ->J. Postel, </SPAN -><SPAN -CLASS="AUTHOR" ->C. Neuman, </SPAN -><SPAN -CLASS="AUTHOR" ->P. Danzig, </SPAN -><SPAN -CLASS="AUTHOR" ->and S. Miller</SPAN ->, <I ->Common <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Implementation Errors and Suggested Fixes</I ->, October 1993.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5118" -></A -><P ->[RFC1982] <SPAN -CLASS="AUTHOR" ->R. Elz </SPAN -><SPAN -CLASS="AUTHOR" ->and R. Bush</SPAN ->, <I ->Serial Number Arithmetic</I ->, August 1996.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="AEN5129" ->Resource Record Types</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5131" -></A -><P ->[RFC1183] <SPAN -CLASS="AUTHOR" ->C.F. Everhart, </SPAN -><SPAN -CLASS="AUTHOR" ->L. A. Mamakos, </SPAN -><SPAN -CLASS="AUTHOR" ->R. Ullmann, </SPAN -><SPAN -CLASS="AUTHOR" ->and P. Mockapetris</SPAN ->, <I ->New <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> RR Definitions</I ->, October 1990.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5149" -></A -><P ->[RFC1706] <SPAN -CLASS="AUTHOR" ->B. Manning </SPAN -><SPAN -CLASS="AUTHOR" ->and R. Colella</SPAN ->, <I -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> NSAP Resource Records</I ->, October 1994.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5161" -></A -><P ->[RFC2168] <SPAN -CLASS="AUTHOR" ->R. Daniel </SPAN -><SPAN -CLASS="AUTHOR" ->and M. Mealling</SPAN ->, <I ->Resolution of Uniform Resource Identifiers using -the Domain Name System</I ->, June 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5172" -></A -><P ->[RFC1876] <SPAN -CLASS="AUTHOR" ->C. Davis, </SPAN -><SPAN -CLASS="AUTHOR" ->P. Vixie, </SPAN -><SPAN -CLASS="AUTHOR" ->T., </SPAN -><SPAN -CLASS="AUTHOR" ->and I. Dickinson</SPAN ->, <I ->A Means for Expressing Location Information in the Domain -Name System</I ->, January 1996.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5189" -></A -><P ->[RFC2052] <SPAN -CLASS="AUTHOR" ->A. Gulbrandsen </SPAN -><SPAN -CLASS="AUTHOR" ->and P. Vixie</SPAN ->, <I ->A <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> RR for Specifying the Location of -Services.</I ->, October 1996.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5201" -></A -><P ->[RFC2163] <SPAN -CLASS="AUTHOR" ->A. Allocchio</SPAN ->, <I ->Using the Internet <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> to Distribute MIXER -Conformant Global Address Mapping</I ->, January 1998.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5209" -></A -><P ->[RFC2230] <SPAN -CLASS="AUTHOR" ->R. Atkinson</SPAN ->, <I ->Key Exchange Delegation Record for the <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -></I ->, October 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="AEN5217" -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> and the Internet</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5220" -></A -><P ->[RFC1101] <SPAN -CLASS="AUTHOR" ->P. V. Mockapetris</SPAN ->, <I -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Encoding of Network Names and Other Types</I ->, April 1989.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5228" -></A -><P ->[RFC1123] <SPAN -CLASS="AUTHOR" ->Braden</SPAN ->, <I ->Requirements for Internet Hosts - Application and Support</I ->, October 1989.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5235" -></A -><P ->[RFC1591] <SPAN -CLASS="AUTHOR" ->J. Postel</SPAN ->, <I ->Domain Name System Structure and Delegation</I ->, March 1994.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5242" -></A -><P ->[RFC2317] <SPAN -CLASS="AUTHOR" ->H. Eidnes, </SPAN -><SPAN -CLASS="AUTHOR" ->G. de Groot, </SPAN -><SPAN -CLASS="AUTHOR" ->and P. Vixie</SPAN ->, <I ->Classless IN-ADDR.ARPA Delegation</I ->, March 1998.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="AEN5256" -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Operations</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5259" -></A -><P ->[RFC1537] <SPAN -CLASS="AUTHOR" ->P. Beertema</SPAN ->, <I ->Common <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Data File Configuration Errors</I ->, October 1993.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5267" -></A -><P ->[RFC1912] <SPAN -CLASS="AUTHOR" ->D. Barr</SPAN ->, <I ->Common <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Operational and Configuration Errors</I ->, February 1996.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5275" -></A -><P ->[RFC2010] <SPAN -CLASS="AUTHOR" ->B. Manning </SPAN -><SPAN -CLASS="AUTHOR" ->and P. Vixie</SPAN ->, <I ->Operational Criteria for Root Name Servers.</I ->, October 1996.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5286" -></A -><P ->[RFC2219] <SPAN -CLASS="AUTHOR" ->M. Hamilton </SPAN -><SPAN -CLASS="AUTHOR" ->and R. Wright</SPAN ->, <I ->Use of <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Aliases for Network Services.</I ->, October 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="AEN5298" ->Other <ACRONYM -CLASS="acronym" ->DNS</ACRONYM ->-related RFCs</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5304" -></A -><P ->[RFC1464] <SPAN -CLASS="AUTHOR" ->R. Rosenbaum</SPAN ->, <I ->Using the Domain Name System To Store Arbitrary String Attributes</I ->, May 1993.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5311" -></A -><P ->[RFC1713] <SPAN -CLASS="AUTHOR" ->A. Romao</SPAN ->, <I ->Tools for <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Debugging</I ->, November 1994.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5319" -></A -><P ->[RFC1794] <SPAN -CLASS="AUTHOR" ->T. Brisco</SPAN ->, <I -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Support for Load Balancing</I ->, April 1995.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5327" -></A -><P ->[RFC2240] <SPAN -CLASS="AUTHOR" ->O. Vaughan</SPAN ->, <I ->A Legal Basis for Domain Name Allocation</I ->, November 1997.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5334" -></A -><P ->[RFC2345] <SPAN -CLASS="AUTHOR" ->J. Klensin, </SPAN -><SPAN -CLASS="AUTHOR" ->T. Wolf, </SPAN -><SPAN -CLASS="AUTHOR" ->and G. Oglesby</SPAN ->, <I ->Domain Names and Company Name Retrieval</I ->, May 1998.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><DIV -CLASS="biblioentry" -><A -NAME="AEN5348" -></A -><P ->[RFC2352] <SPAN -CLASS="AUTHOR" ->O. Vaughan</SPAN ->, <I ->A Convention For Using Legal Names as Domain Names</I ->, May 1998.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -><H2 -CLASS="bibliodiv" -><A -NAME="AEN5355" ->Obsolete and Unimplemented Experimental RRs</A -></H2 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5357" -></A -><P ->[RFC1712] <SPAN -CLASS="AUTHOR" ->C. Farrell, </SPAN -><SPAN -CLASS="AUTHOR" ->M. Schulze, </SPAN -><SPAN -CLASS="AUTHOR" ->S. Pleitner, </SPAN -><SPAN -CLASS="AUTHOR" ->and D. Baldoni</SPAN ->, <I -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Encoding of Geographical -Location</I ->, November 1994.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="internet_drafts" ->A.3.2. Internet Drafts</A -></H2 -><P ->Internet Drafts (IDs) are rough-draft working documents of +<a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>. +</p> +<div class="bibliography"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2568712"></a>Bibliography</h4></div></div></div> +<div class="bibliodiv"> +<h3 class="title">Standards</h3> +<div class="biblioentry"><p>[<span class="abbrev">RFC974</span>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1034</span>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1035</span>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Implementation and +Specification</i>. </span><span class="pubdate">November 1987. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title"> +<a name="proposed_standards"></a>Proposed Standards</h3> +<div class="biblioentry"><p>[<span class="abbrev">RFC2181</span>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <span class="acronym">DNS</span> Specification</i>. </span><span class="pubdate">July 1997. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2308</span>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <span class="acronym">DNS</span> Queries</i>. </span><span class="pubdate">March 1998. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1995</span>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <span class="acronym">DNS</span></i>. </span><span class="pubdate">August 1996. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1996</span>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2136</span>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2845</span>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <span class="acronym">DNS</span> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title">Proposed Standards Still Under Development</h3> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p><span class="emphasis"><em>Note:</em></span> the following list of +RFCs are undergoing major revision by the IETF.</p> +</div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1886</span>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i><span class="acronym">DNS</span> Extensions to support IP version 6</i>. </span><span class="pubdate">December 1995. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2065</span>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2137</span>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title">Other Important RFCs About <span class="acronym">DNS</span> Implementation</h3> +<div class="biblioentry"><p>[<span class="abbrev">RFC1535</span>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely Deployed <span class="acronym">DNS</span> Software.</i>. </span><span class="pubdate">October 1993. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1536</span>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <span class="acronym">DNS</span> Implementation Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1982</span>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title">Resource Record Types</h3> +<div class="biblioentry"><p>[<span class="abbrev">RFC1183</span>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <span class="acronym">DNS</span> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1706</span>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><span class="acronym">DNS</span> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2168</span>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using +the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1876</span>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the Domain +Name System</i>. </span><span class="pubdate">January 1996. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2052</span>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <span class="acronym">DNS</span> RR for Specifying the Location of +Services.</i>. </span><span class="pubdate">October 1996. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2163</span>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <span class="acronym">DNS</span> to Distribute MIXER +Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2230</span>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <span class="acronym">DNS</span></i>. </span><span class="pubdate">October 1997. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title"> +<span class="acronym">DNS</span> and the Internet</h3> +<div class="biblioentry"><p>[<span class="abbrev">RFC1101</span>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><span class="acronym">DNS</span> Encoding of Network Names and Other Types</i>. </span><span class="pubdate">April 1989. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1123</span>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and Support</i>. </span><span class="pubdate">October 1989. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1591</span>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2317</span>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title"> +<span class="acronym">DNS</span> Operations</h3> +<div class="biblioentry"><p>[<span class="abbrev">RFC1537</span>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <span class="acronym">DNS</span> Data File Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1912</span>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <span class="acronym">DNS</span> Operational and Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2010</span>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2219</span>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <span class="acronym">DNS</span> Aliases for Network Services.</i>. </span><span class="pubdate">October 1997. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title">Other <span class="acronym">DNS</span>-related RFCs</h3> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p>Note: the following list of RFCs, although +<span class="acronym">DNS</span>-related, are not concerned with implementing software.</p> +</div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1464</span>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String Attributes</i>. </span><span class="pubdate">May 1993. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1713</span>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <span class="acronym">DNS</span> Debugging</i>. </span><span class="pubdate">November 1994. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC1794</span>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><span class="acronym">DNS</span> Support for Load Balancing</i>. </span><span class="pubdate">April 1995. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2240</span>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2345</span>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p></div> +<div class="biblioentry"><p>[<span class="abbrev">RFC2352</span>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p></div> +</div> +<div class="bibliodiv"> +<h3 class="title">Obsolete and Unimplemented Experimental RRs</h3> +<div class="biblioentry"><p>[<span class="abbrev">RFC1712</span>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><span class="acronym">DNS</span> Encoding of Geographical +Location</i>. </span><span class="pubdate">November 1994. </span></p></div> +</div> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div> +<p>Internet Drafts (IDs) are rough-draft working documents of the Internet Engineering Task Force. They are, in essence, RFCs in the preliminary stages of development. Implementors are cautioned not to regard IDs as archival, and they should not be quoted or cited in any formal documents unless accompanied by the disclaimer that they are "works in progress." IDs have a lifespan of six months after which they are deleted unless updated by their authors. -</P -></DIV -><DIV -CLASS="sect2" -><H2 -CLASS="sect2" -><A -NAME="AEN5378" ->A.3.3. Other Documents About <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -></A -></H2 -><P -></P -><H3 -><A -NAME="AEN5382" ->Bibliography</A -></H3 -><DIV -CLASS="biblioentry" -><A -NAME="AEN5383" -></A -><P -><SPAN -CLASS="AUTHOR" ->Paul Albitz </SPAN -><SPAN -CLASS="AUTHOR" ->and Cricket Liu</SPAN ->, <I -><ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> and <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -></I ->, 1998.</P -><DIV -CLASS="BIBLIOENTRYBLOCK" -STYLE="margin-left: 0.5in" -></DIV -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="Bv9ARM.ch08.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="Bv9ARM.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -> </TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Troubleshooting</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -> </TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file +</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2570087"></a>Other Documents About <span class="acronym">BIND</span></h3></div></div></div> +<p></p> +<div class="bibliography"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2570097"></a>Bibliography</h4></div></div></div> +<div class="biblioentry"><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><span class="acronym">DNS</span> and <span class="acronym">BIND</span></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p></div> +</div> +</div> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> </td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> </td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.html b/usr.sbin/bind/doc/arm/Bv9ARM.html index 21d46214cc8..79c562ad8af 100644 --- a/usr.sbin/bind/doc/arm/Bv9ARM.html +++ b/usr.sbin/bind/doc/arm/Bv9ARM.html @@ -1,851 +1,222 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->BIND 9 Administrator Reference Manual</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="NEXT" -TITLE="Introduction " -HREF="Bv9ARM.ch01.html"></HEAD -><BODY -CLASS="book" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="BOOK" -><A -NAME="AEN1" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="title" -><A -NAME="AEN1" ->BIND 9 Administrator Reference Manual</A -></H1 -><P -CLASS="copyright" ->Copyright © 2004 Internet Systems Consortium, Inc. ("ISC")</P -><P -CLASS="copyright" ->Copyright © 2000-2003 Internet Software Consortium</P -><HR></DIV -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->1. <A -HREF="Bv9ARM.ch01.html" ->Introduction</A -></DT -><DD -><DL -><DT ->1.1. <A -HREF="Bv9ARM.ch01.html#AEN15" ->Scope of Document</A -></DT -><DT ->1.2. <A -HREF="Bv9ARM.ch01.html#AEN22" ->Organization of This Document</A -></DT -><DT ->1.3. <A -HREF="Bv9ARM.ch01.html#AEN42" ->Conventions Used in This Document</A -></DT -><DT ->1.4. <A -HREF="Bv9ARM.ch01.html#AEN107" ->The Domain Name System (<ACRONYM -CLASS="acronym" ->DNS</ACRONYM ->)</A -></DT -><DD -><DL -><DT ->1.4.1. <A -HREF="Bv9ARM.ch01.html#AEN114" ->DNS Fundamentals</A -></DT -><DT ->1.4.2. <A -HREF="Bv9ARM.ch01.html#AEN124" ->Domains and Domain Names</A -></DT -><DT ->1.4.3. <A -HREF="Bv9ARM.ch01.html#AEN148" ->Zones</A -></DT -><DT ->1.4.4. <A -HREF="Bv9ARM.ch01.html#AEN171" ->Authoritative Name Servers</A -></DT -><DT ->1.4.5. <A -HREF="Bv9ARM.ch01.html#AEN200" ->Caching Name Servers</A -></DT -><DT ->1.4.6. <A -HREF="Bv9ARM.ch01.html#AEN218" ->Name Servers in Multiple Roles</A -></DT -></DL -></DD -></DL -></DD -><DT ->2. <A -HREF="Bv9ARM.ch02.html" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> Resource Requirements</A -></DT -><DD -><DL -><DT ->2.1. <A -HREF="Bv9ARM.ch02.html#AEN228" ->Hardware requirements</A -></DT -><DT ->2.2. <A -HREF="Bv9ARM.ch02.html#AEN236" ->CPU Requirements</A -></DT -><DT ->2.3. <A -HREF="Bv9ARM.ch02.html#AEN240" ->Memory Requirements</A -></DT -><DT ->2.4. <A -HREF="Bv9ARM.ch02.html#AEN245" ->Name Server Intensive Environment Issues</A -></DT -><DT ->2.5. <A -HREF="Bv9ARM.ch02.html#AEN248" ->Supported Operating Systems</A -></DT -></DL -></DD -><DT ->3. <A -HREF="Bv9ARM.ch03.html" ->Name Server Configuration</A -></DT -><DD -><DL -><DT ->3.1. <A -HREF="Bv9ARM.ch03.html#sample_configuration" ->Sample Configurations</A -></DT -><DD -><DL -><DT ->3.1.1. <A -HREF="Bv9ARM.ch03.html#AEN257" ->A Caching-only Name Server</A -></DT -><DT ->3.1.2. <A -HREF="Bv9ARM.ch03.html#AEN262" ->An Authoritative-only Name Server</A -></DT -></DL -></DD -><DT ->3.2. <A -HREF="Bv9ARM.ch03.html#AEN268" ->Load Balancing</A -></DT -><DT ->3.3. <A -HREF="Bv9ARM.ch03.html#AEN345" ->Name Server Operations</A -></DT -><DD -><DL -><DT ->3.3.1. <A -HREF="Bv9ARM.ch03.html#AEN347" ->Tools for Use With the Name Server Daemon</A -></DT -><DT ->3.3.2. <A -HREF="Bv9ARM.ch03.html#AEN689" ->Signals</A -></DT -></DL -></DD -></DL -></DD -><DT ->4. <A -HREF="Bv9ARM.ch04.html" ->Advanced DNS Features</A -></DT -><DD -><DL -><DT ->4.1. <A -HREF="Bv9ARM.ch04.html#notify" ->Notify</A -></DT -><DT ->4.2. <A -HREF="Bv9ARM.ch04.html#dynamic_update" ->Dynamic Update</A -></DT -><DD -><DL -><DT ->4.2.1. <A -HREF="Bv9ARM.ch04.html#journal" ->The journal file</A -></DT -></DL -></DD -><DT ->4.3. <A -HREF="Bv9ARM.ch04.html#incremental_zone_transfers" ->Incremental Zone Transfers (IXFR)</A -></DT -><DT ->4.4. <A -HREF="Bv9ARM.ch04.html#AEN767" ->Split DNS</A -></DT -><DT ->4.5. <A -HREF="Bv9ARM.ch04.html#tsig" ->TSIG</A -></DT -><DD -><DL -><DT ->4.5.1. <A -HREF="Bv9ARM.ch04.html#AEN858" ->Generate Shared Keys for Each Pair of Hosts</A -></DT -><DT ->4.5.2. <A -HREF="Bv9ARM.ch04.html#AEN879" ->Copying the Shared Secret to Both Machines</A -></DT -><DT ->4.5.3. <A -HREF="Bv9ARM.ch04.html#AEN882" ->Informing the Servers of the Key's Existence</A -></DT -><DT ->4.5.4. <A -HREF="Bv9ARM.ch04.html#AEN894" ->Instructing the Server to Use the Key</A -></DT -><DT ->4.5.5. <A -HREF="Bv9ARM.ch04.html#AEN910" ->TSIG Key Based Access Control</A -></DT -><DT ->4.5.6. <A -HREF="Bv9ARM.ch04.html#AEN923" ->Errors</A -></DT -></DL -></DD -><DT ->4.6. <A -HREF="Bv9ARM.ch04.html#AEN927" ->TKEY</A -></DT -><DT ->4.7. <A -HREF="Bv9ARM.ch04.html#AEN942" ->SIG(0)</A -></DT -><DT ->4.8. <A -HREF="Bv9ARM.ch04.html#DNSSEC" ->DNSSEC</A -></DT -><DD -><DL -><DT ->4.8.1. <A -HREF="Bv9ARM.ch04.html#AEN962" ->Generating Keys</A -></DT -><DT ->4.8.2. <A -HREF="Bv9ARM.ch04.html#AEN982" ->Signing the Zone</A -></DT -><DT ->4.8.3. <A -HREF="Bv9ARM.ch04.html#AEN1004" ->Configuring Servers</A -></DT -></DL -></DD -><DT ->4.9. <A -HREF="Bv9ARM.ch04.html#AEN1011" ->IPv6 Support in <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9</A -></DT -><DD -><DL -><DT ->4.9.1. <A -HREF="Bv9ARM.ch04.html#AEN1029" ->Address Lookups Using AAAA Records</A -></DT -><DT ->4.9.2. <A -HREF="Bv9ARM.ch04.html#AEN1035" ->Address to Name Lookups Using Nibble Format</A -></DT -></DL -></DD -></DL -></DD -><DT ->5. <A -HREF="Bv9ARM.ch05.html" ->The <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Lightweight Resolver</A -></DT -><DD -><DL -><DT ->5.1. <A -HREF="Bv9ARM.ch05.html#AEN1044" ->The Lightweight Resolver Library</A -></DT -><DT ->5.2. <A -HREF="Bv9ARM.ch05.html#lwresd" ->Running a Resolver Daemon</A -></DT -></DL -></DD -><DT ->6. <A -HREF="Bv9ARM.ch06.html" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Configuration Reference</A -></DT -><DD -><DL -><DT ->6.1. <A -HREF="Bv9ARM.ch06.html#configuration_file_elements" ->Configuration File Elements</A -></DT -><DD -><DL -><DT ->6.1.1. <A -HREF="Bv9ARM.ch06.html#address_match_lists" ->Address Match Lists</A -></DT -><DT ->6.1.2. <A -HREF="Bv9ARM.ch06.html#AEN1290" ->Comment Syntax</A -></DT -></DL -></DD -><DT ->6.2. <A -HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" ->Configuration File Grammar</A -></DT -><DD -><DL -><DT ->6.2.1. <A -HREF="Bv9ARM.ch06.html#AEN1411" -><B -CLASS="command" ->acl</B -> Statement Grammar</A -></DT -><DT ->6.2.2. <A -HREF="Bv9ARM.ch06.html#acl" -><B -CLASS="command" ->acl</B -> Statement Definition and -Usage</A -></DT -><DT ->6.2.3. <A -HREF="Bv9ARM.ch06.html#AEN1455" -><B -CLASS="command" ->controls</B -> Statement Grammar</A -></DT -><DT ->6.2.4. <A -HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage" -><B -CLASS="command" ->controls</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.5. <A -HREF="Bv9ARM.ch06.html#AEN1534" -><B -CLASS="command" ->include</B -> Statement Grammar</A -></DT -><DT ->6.2.6. <A -HREF="Bv9ARM.ch06.html#AEN1539" -><B -CLASS="command" ->include</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.7. <A -HREF="Bv9ARM.ch06.html#AEN1546" -><B -CLASS="command" ->key</B -> Statement Grammar</A -></DT -><DT ->6.2.8. <A -HREF="Bv9ARM.ch06.html#AEN1553" -><B -CLASS="command" ->key</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.9. <A -HREF="Bv9ARM.ch06.html#AEN1573" -><B -CLASS="command" ->logging</B -> Statement Grammar</A -></DT -><DT ->6.2.10. <A -HREF="Bv9ARM.ch06.html#AEN1613" -><B -CLASS="command" ->logging</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.11. <A -HREF="Bv9ARM.ch06.html#AEN1883" -><B -CLASS="command" ->lwres</B -> Statement Grammar</A -></DT -><DT ->6.2.12. <A -HREF="Bv9ARM.ch06.html#AEN1907" -><B -CLASS="command" ->lwres</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.13. <A -HREF="Bv9ARM.ch06.html#AEN1926" -><B -CLASS="command" ->masters</B -> Statement Grammar</A -></DT -><DT ->6.2.14. <A -HREF="Bv9ARM.ch06.html#AEN1941" -><B -CLASS="command" ->masters</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.15. <A -HREF="Bv9ARM.ch06.html#AEN1946" -><B -CLASS="command" ->options</B -> Statement Grammar</A -></DT -><DT ->6.2.16. <A -HREF="Bv9ARM.ch06.html#options" -><B -CLASS="command" ->options</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.17. <A -HREF="Bv9ARM.ch06.html#server_statement_grammar" -><B -CLASS="command" ->server</B -> Statement Grammar</A -></DT -><DT ->6.2.18. <A -HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage" -><B -CLASS="command" ->server</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.19. <A -HREF="Bv9ARM.ch06.html#AEN3433" -><B -CLASS="command" ->trusted-keys</B -> Statement Grammar</A -></DT -><DT ->6.2.20. <A -HREF="Bv9ARM.ch06.html#AEN3449" -><B -CLASS="command" ->trusted-keys</B -> Statement Definition -and Usage</A -></DT -><DT ->6.2.21. <A -HREF="Bv9ARM.ch06.html#view_statement_grammar" -><B -CLASS="command" ->view</B -> Statement Grammar</A -></DT -><DT ->6.2.22. <A -HREF="Bv9ARM.ch06.html#AEN3471" -><B -CLASS="command" ->view</B -> Statement Definition and Usage</A -></DT -><DT ->6.2.23. <A -HREF="Bv9ARM.ch06.html#zone_statement_grammar" -><B -CLASS="command" ->zone</B -> -Statement Grammar</A -></DT -><DT ->6.2.24. <A -HREF="Bv9ARM.ch06.html#AEN3645" -><B -CLASS="command" ->zone</B -> Statement Definition and Usage</A -></DT -></DL -></DD -><DT ->6.3. <A -HREF="Bv9ARM.ch06.html#AEN4050" ->Zone File</A -></DT -><DD -><DL -><DT ->6.3.1. <A -HREF="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" ->Types of Resource Records and When to Use Them</A -></DT -><DT ->6.3.2. <A -HREF="Bv9ARM.ch06.html#AEN4370" ->Discussion of MX Records</A -></DT -><DT ->6.3.3. <A -HREF="Bv9ARM.ch06.html#Setting_TTLs" ->Setting TTLs</A -></DT -><DT ->6.3.4. <A -HREF="Bv9ARM.ch06.html#AEN4491" ->Inverse Mapping in IPv4</A -></DT -><DT ->6.3.5. <A -HREF="Bv9ARM.ch06.html#AEN4518" ->Other Zone File Directives</A -></DT -><DT ->6.3.6. <A -HREF="Bv9ARM.ch06.html#AEN4576" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> Master File Extension: the <B -CLASS="command" ->$GENERATE</B -> Directive</A -></DT -></DL -></DD -></DL -></DD -><DT ->7. <A -HREF="Bv9ARM.ch07.html" -><ACRONYM -CLASS="acronym" ->BIND</ACRONYM -> 9 Security Considerations</A -></DT -><DD -><DL -><DT ->7.1. <A -HREF="Bv9ARM.ch07.html#Access_Control_Lists" ->Access Control Lists</A -></DT -><DT ->7.2. <A -HREF="Bv9ARM.ch07.html#AEN4693" -><B -CLASS="command" ->chroot</B -> and <B -CLASS="command" ->setuid</B -> (for -UNIX servers)</A -></DT -><DD -><DL -><DT ->7.2.1. <A -HREF="Bv9ARM.ch07.html#AEN4716" ->The <B -CLASS="command" ->chroot</B -> Environment</A -></DT -><DT ->7.2.2. <A -HREF="Bv9ARM.ch07.html#AEN4734" ->Using the <B -CLASS="command" ->setuid</B -> Function</A -></DT -></DL -></DD -><DT ->7.3. <A -HREF="Bv9ARM.ch07.html#dynamic_update_security" ->Dynamic Update Security</A -></DT -></DL -></DD -><DT ->8. <A -HREF="Bv9ARM.ch08.html" ->Troubleshooting</A -></DT -><DD -><DL -><DT ->8.1. <A -HREF="Bv9ARM.ch08.html#AEN4755" ->Common Problems</A -></DT -><DD -><DL -><DT ->8.1.1. <A -HREF="Bv9ARM.ch08.html#AEN4757" ->It's not working; how can I figure out what's wrong?</A -></DT -></DL -></DD -><DT ->8.2. <A -HREF="Bv9ARM.ch08.html#AEN4760" ->Incrementing and Changing the Serial Number</A -></DT -><DT ->8.3. <A -HREF="Bv9ARM.ch08.html#AEN4765" ->Where Can I Get Help?</A -></DT -></DL -></DD -><DT ->A. <A -HREF="Bv9ARM.ch09.html" ->Appendices</A -></DT -><DD -><DL -><DT ->A.1. <A -HREF="Bv9ARM.ch09.html#AEN4781" ->Acknowledgments</A -></DT -><DD -><DL -><DT ->A.1.1. <A -HREF="Bv9ARM.ch09.html#AEN4783" ->A Brief History of the <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> and <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -></A -></DT -></DL -></DD -><DT ->A.2. <A -HREF="Bv9ARM.ch09.html#historical_dns_information" ->General <ACRONYM -CLASS="acronym" ->DNS</ACRONYM -> Reference Information</A -></DT -><DD -><DL -><DT ->A.2.1. <A -HREF="Bv9ARM.ch09.html#ipv6addresses" ->IPv6 addresses (AAAA)</A -></DT -></DL -></DD -><DT ->A.3. <A -HREF="Bv9ARM.ch09.html#bibliography" ->Bibliography (and Suggested Reading)</A -></DT -><DD -><DL -><DT ->A.3.1. <A -HREF="Bv9ARM.ch09.html#rfcs" ->Request for Comments (RFCs)</A -></DT -><DT ->A.3.2. <A -HREF="Bv9ARM.ch09.html#internet_drafts" ->Internet Drafts</A -></DT -><DT ->A.3.3. <A -HREF="Bv9ARM.ch09.html#AEN5378" ->Other Documents About <ACRONYM -CLASS="acronym" ->BIND</ACRONYM -></A -></DT -></DL -></DD -></DL -></DD -></DL -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -> </TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="Bv9ARM.ch01.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -> </TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -> </TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Introduction</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file +<!-- + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $ISC: Bv9ARM.html,v 1.60.2.9.2.26 2005/10/13 02:33:59 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>BIND 9 Administrator Reference Manual</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction "> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">BIND 9 Administrator Reference Manual</th></tr> +<tr> +<td width="20%" align="left"> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="book" lang="en"> +<div class="titlepage"> +<div> +<div><h1 class="title"> +<a name="id2463864"></a>BIND 9 Administrator Reference Manual</h1></div> +<div><p class="copyright">Copyright © 2004, 2005 Internet Systems Consortium, Inc. ("ISC")</p></div> +<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div> +</div> +<hr> +</div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction </a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545879">Scope of Document</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545905">Organization of This Document</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545976">Conventions Used in This Document</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2546234">The Domain Name System (<span class="acronym">DNS</span>)</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546254">DNS Fundamentals</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2544105">Domains and Domain Names</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546579">Zones</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546653">Authoritative Name Servers</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546950">Caching Name Servers</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2547076">Name Servers in Multiple Roles</a></span></dt> +</dl></dd> +</dl></dd> +<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <span class="acronym">BIND</span> Resource Requirements</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547108">Hardware requirements</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547132">CPU Requirements</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547143">Memory Requirements</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547158">Name Server Intensive Environment Issues</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547303">Supported Operating Systems</a></span></dt> +</dl></dd> +<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547334">A Caching-only Name Server</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547350">An Authoritative-only Name Server</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547372">Load Balancing</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547656">Name Server Operations</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547661">Tools for Use With the Name Server Daemon</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2548915">Signals</a></span></dt> +</dl></dd> +</dl></dd> +<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2549203">Split DNS</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549627">Generate Shared Keys for Each Pair of Hosts</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549830">Copying the Shared Secret to Both Machines</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549838">Informing the Servers of the Key's Existence</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549878">Instructing the Server to Use the Key</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549998">TSIG Key Based Access Control</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550042">Errors</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550056">TKEY</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550173">SIG(0)</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550308">Generating Keys</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550375">Signing the Zone</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550450">Configuring Servers</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550473">IPv6 Support in <span class="acronym">BIND</span> 9</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550600">Address Lookups Using AAAA Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550620">Address to Name Lookups Using Nibble Format</a></span></dt> +</dl></dd> +</dl></dd> +<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2550652">The Lightweight Resolver Library</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> +</dl></dd> +<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <span class="acronym">BIND</span> 9 Configuration Reference</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2551817">Comment Syntax</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552302"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and +Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552471"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552808"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552823"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552845"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552867"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553006"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553269"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554474"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554547"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554610"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554653"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554668"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562233"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562281"><span><strong class="command">trusted-keys</strong></span> Statement Definition +and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562349"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> +Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2563022"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2564557">Zone File</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2565990">Discussion of MX Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566487">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566593">Other Zone File Directives</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566761"><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> +</dl></dd> +</dl></dd> +<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <span class="acronym">BIND</span> 9 Security Considerations</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2567222"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for +UNIX servers)</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567366">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567424">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> +</dl></dd> +<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567630">Common Problems</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2567636">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567648">Incrementing and Changing the Serial Number</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567665">Where Can I Get Help?</a></span></dt> +</dl></dd> +<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt> +<dd><dl> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2567795">Acknowledgments</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2567800">A Brief History of the <span class="acronym">DNS</span> and <span class="acronym">BIND</span></a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <span class="acronym">DNS</span> Reference Information</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2570087">Other Documents About <span class="acronym">BIND</span></a></span></dt> +</dl></dd> +</dl></dd> +</dl> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top"> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right" valign="top"> Chapter 1. Introduction </td> +</tr> +</table> +</div> +</body> +</html> diff --git a/usr.sbin/bind/doc/arm/isc.color.gif b/usr.sbin/bind/doc/arm/isc.color.gif Binary files differdeleted file mode 100644 index 09c327cca65..00000000000 --- a/usr.sbin/bind/doc/arm/isc.color.gif +++ /dev/null diff --git a/usr.sbin/bind/doc/arm/nominum-docbook-html.dsl.in b/usr.sbin/bind/doc/arm/nominum-docbook-html.dsl.in deleted file mode 100644 index 33fc938777a..00000000000 --- a/usr.sbin/bind/doc/arm/nominum-docbook-html.dsl.in +++ /dev/null @@ -1,148 +0,0 @@ -<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [ -<!ENTITY dbstyle SYSTEM "@HTMLSTYLE@" CDATA DSSSL> -]> - -<style-sheet> -<style-specification use="docbook"> -<style-specification-body> - -<!-- ;; your stuff goes here... --> - -(define %html-prefix% - ;; Add the specified prefix to HTML output filenames - "Bv9ARM.") - -(define %use-id-as-filename% - ;; Use ID attributes as name for component HTML files? - #t) - -(define %root-filename% - ;; Name for the root HTML document - "Bv9ARM") - -(define %section-autolabel% - ;; REFENTRY section-autolabel - ;; PURP Are sections enumerated? - ;; DESC - ;; If true, unlabeled sections will be enumerated. - ;; /DESC - ;; AUTHOR N/A - ;; /REFENTRY - #t) - -(define %html-ext% - ;; REFENTRY html-ext - ;; PURP Default extension for HTML output files - ;; DESC - ;; The default extension for HTML output files. - ;; /DESC - ;; AUTHOR N/A - ;; /REFENTRY - ".html") - -(define nochunks - ;; REFENTRY nochunks - ;; PURP Suppress chunking of output pages - ;; DESC - ;; If true, the entire source document is formatted as a single HTML - ;; document and output on stdout. - ;; (This option can conveniently be set with '-V nochunks' on the - ;; Jade command line). - ;; /DESC - ;; AUTHOR N/A - ;; /REFENTRY - #f) - -(define rootchunk - ;; REFENTRY rootchunk - ;; PURP Make a chunk for the root element when nochunks is used - ;; DESC - ;; If true, a chunk will be created for the root element, even though - ;; nochunks is specified. This option has no effect if nochunks is not - ;; true. - ;; (This option can conveniently be set with '-V rootchunk' on the - ;; Jade command line). - ;; /DESC - ;; AUTHOR N/A - ;; /REFENTRY - #t) - -(define html-index - ;; REFENTRY html-index - ;; PURP HTML indexing? - ;; DESC - ;; Turns on HTML indexing. If true, then index data will be written - ;; to the file defined by 'html-index-filename'. This data can be - ;; collated and turned into a DocBook index with bin/collateindex.pl. - ;; /DESC - ;; AUTHOR N/A - ;; /REFENTRY - #t) - -(define html-manifest - ;; REFENTRY html-manifest - ;; PURP Write a manifest? - ;; DESC - ;; If not '#f' then the list of HTML files created by the stylesheet - ;; will be written to the file named by 'html-manifest-filename'. - ;; /DESC - ;; AUTHOR N/A - ;; /REFENTRY - #t) - -(define (chunk-element-list) - (list (normalize "preface") - (normalize "chapter") - (normalize "appendix") - (normalize "article") - (normalize "glossary") - (normalize "bibliography") - (normalize "index") - (normalize "colophon") - (normalize "setindex") - (normalize "reference") - (normalize "refentry") - (normalize "part") - (normalize "book") ;; just in case nothing else matches... - (normalize "set") ;; sets are definitely chunks... - )) - -; -; Add some cell padding to tables so that they don't look so cramped -; in Netscape. -; -; The following definition was cut-and-pasted from dbtable.dsl and the -; single line containing the word CELLPADDING was added. -; -(element tgroup - (let* ((wrapper (parent (current-node))) - (frameattr (attribute-string (normalize "frame") wrapper)) - (pgwide (attribute-string (normalize "pgwide") wrapper)) - (footnotes (select-elements (descendants (current-node)) - (normalize "footnote"))) - (border (if (equal? frameattr (normalize "none")) - '(("BORDER" "0")) - '(("BORDER" "1")))) - (width (if (equal? pgwide "1") - (list (list "WIDTH" ($table-width$))) - '())) - (head (select-elements (children (current-node)) (normalize "thead"))) - (body (select-elements (children (current-node)) (normalize "tbody"))) - (feet (select-elements (children (current-node)) (normalize "tfoot")))) - (make element gi: "TABLE" - attributes: (append - '(("CELLPADDING" "3")) - border - width - (if %cals-table-class% - (list (list "CLASS" %cals-table-class%)) - '())) - (process-node-list head) - (process-node-list body) - (process-node-list feet) - (make-table-endnotes)))) - -</style-specification-body> -</style-specification> -<external-specification id="docbook" document="dbstyle"> -</style-sheet> diff --git a/usr.sbin/bind/doc/arm/nominum-docbook-print.dsl.in b/usr.sbin/bind/doc/arm/nominum-docbook-print.dsl.in deleted file mode 100644 index 511d6c48bc8..00000000000 --- a/usr.sbin/bind/doc/arm/nominum-docbook-print.dsl.in +++ /dev/null @@ -1,42 +0,0 @@ -<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [ -<!ENTITY dbstyle SYSTEM "@PRINTSTYLE@" CDATA DSSSL> -]> - - -<style-sheet> -<style-specification use="docbook"> -<style-specification-body> - -<!-- ;; your stuff goes here... --> - -(define %generate-book-titlepage% #t) - -(define %section-autolabel% - ;; REFENTRY section-autolabel - ;; PURP Are sections enumerated? - ;; DESC - ;; If true, unlabeled sections will be enumerated. - ;; /DESC - ;; AUTHOR N/A - ;; /REFENTRY - #t) - -;; Margins around cell contents -;; (define %cals-cell-before-row-margin% 20pt) -;; (define %cals-cell-after-row-margin% 20pt) - -;; seems to be a bug in JadeTeX -- we get a wierd indent on table -;; cells for the first line only. This is a workaround. -;; Adam Di Carlo, adam@onshore.com -(define %cals-cell-before-column-margin% 5pt) -(define %cals-cell-after-column-margin% 5pt) - -;; Inheritable start and end indent for cell contents -(define %cals-cell-content-start-indent% 5pt) -(define %cals-cell-content-end-indent% 5pt) - - -</style-specification-body> -</style-specification> -<external-specification id="docbook" document="dbstyle"> -</style-sheet> diff --git a/usr.sbin/bind/doc/arm/validate.sh.in b/usr.sbin/bind/doc/arm/validate.sh.in deleted file mode 100644 index 47a7f05ca91..00000000000 --- a/usr.sbin/bind/doc/arm/validate.sh.in +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2000, 2001 Internet Software Consortium. -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -# $ISC: validate.sh.in,v 1.2 2001/01/09 21:46:37 bwelling Exp $ - -nsgmls -sv @SGMLDIR@/docbook/dsssl/modular/dtds/decls/xml.dcl \ - Bv9ARM-book.xml diff --git a/usr.sbin/bind/lib/bind9/getaddresses.c b/usr.sbin/bind/lib/bind9/getaddresses.c index b5b97479888..8839bc674a1 100644 --- a/usr.sbin/bind/lib/bind9/getaddresses.c +++ b/usr.sbin/bind/lib/bind9/getaddresses.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001, 2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: getaddresses.c,v 1.13.126.6 2004/09/16 01:00:58 marka Exp $ */ +/* $ISC: getaddresses.c,v 1.13.126.8 2005/10/14 02:13:06 marka Exp $ */ #include <config.h> #include <string.h> @@ -65,8 +65,8 @@ bind9_getaddresses(const char *hostname, in_port_t port, REQUIRE(addrcount != NULL); REQUIRE(addrsize > 0); - have_ipv4 = (isc_net_probeipv4() == ISC_R_SUCCESS); - have_ipv6 = (isc_net_probeipv6() == ISC_R_SUCCESS); + have_ipv4 = ISC_TF((isc_net_probeipv4() == ISC_R_SUCCESS)); + have_ipv6 = ISC_TF((isc_net_probeipv6() == ISC_R_SUCCESS)); /* * Try IPv4, then IPv6. In order to handle the extended format diff --git a/usr.sbin/bind/lib/dns/adb.c b/usr.sbin/bind/lib/dns/adb.c index e21965a91ae..9dd4f19bebc 100644 --- a/usr.sbin/bind/lib/dns/adb.c +++ b/usr.sbin/bind/lib/dns/adb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: adb.c,v 1.181.2.11.2.20 2004/11/10 22:32:40 marka Exp $ */ +/* $ISC: adb.c,v 1.181.2.11.2.24 2005/10/14 05:19:00 marka Exp $ */ /* * Implementation notes @@ -1784,7 +1784,7 @@ shutdown_task(isc_task_t *task, isc_event_t *ev) { static isc_boolean_t check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) { dns_adbname_t *name; - isc_result_t result = ISC_FALSE; + isc_boolean_t result = ISC_FALSE; INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep)); name = *namep; @@ -1861,7 +1861,7 @@ static isc_boolean_t cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) { dns_adbname_t *name; dns_adbname_t *next_name; - isc_result_t result = ISC_FALSE; + isc_boolean_t result = ISC_FALSE; DP(CLEAN_LEVEL, "cleaning name bucket %d", bucket); @@ -3347,7 +3347,7 @@ dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone, bucket = addr->entry->lock_bucket; LOCK(&adb->entrylocks[bucket]); zi = ISC_LIST_HEAD(addr->entry->zoneinfo); - while (zi != NULL && dns_name_equal(zone, &zi->zone)) + while (zi != NULL && !dns_name_equal(zone, &zi->zone)) zi = ISC_LIST_NEXT(zi, plink); if (zi != NULL) { if (expire_time > zi->lame_timer) @@ -3366,7 +3366,7 @@ dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone, unlock: UNLOCK(&adb->entrylocks[bucket]); - return (ISC_R_SUCCESS); + return (result); } void diff --git a/usr.sbin/bind/lib/dns/api b/usr.sbin/bind/lib/dns/api index c06a62ec803..7df81573fd7 100644 --- a/usr.sbin/bind/lib/dns/api +++ b/usr.sbin/bind/lib/dns/api @@ -1,3 +1,3 @@ -LIBINTERFACE = 20 -LIBREVISION = 2 +LIBINTERFACE = 21 +LIBREVISION = 1 LIBAGE = 0 diff --git a/usr.sbin/bind/lib/dns/cache.c b/usr.sbin/bind/lib/dns/cache.c index 83f4629ee81..8175a0a0144 100644 --- a/usr.sbin/bind/lib/dns/cache.c +++ b/usr.sbin/bind/lib/dns/cache.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: cache.c,v 1.45.2.4.8.7 2004/03/08 02:07:52 marka Exp $ */ +/* $ISC: cache.c,v 1.45.2.4.8.9 2005/03/17 03:58:30 marka Exp $ */ #include <config.h> @@ -1021,27 +1021,10 @@ dns_cache_flushname(dns_cache_t *cache, dns_name_t *name) { dns_rdataset_init(&rdataset); dns_rdatasetiter_current(iter, &rdataset); - - for (result = dns_rdataset_first(&rdataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&rdataset)) - { - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdatatype_t covers; - - dns_rdataset_current(&rdataset, &rdata); - if (rdata.type == dns_rdatatype_rrsig) - covers = dns_rdata_covers(&rdata); - else - covers = 0; - result = dns_db_deleterdataset(cache->db, node, NULL, - rdata.type, covers); - if (result != ISC_R_SUCCESS && - result != DNS_R_UNCHANGED) - break; - } + result = dns_db_deleterdataset(cache->db, node, NULL, + rdataset.type, rdataset.covers); dns_rdataset_disassociate(&rdataset); - if (result != ISC_R_NOMORE) + if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) break; } if (result == ISC_R_NOMORE) diff --git a/usr.sbin/bind/lib/dns/include/dns/rdataset.h b/usr.sbin/bind/lib/dns/include/dns/rdataset.h index 595a9af30fd..ca06b0e34cb 100644 --- a/usr.sbin/bind/lib/dns/include/dns/rdataset.h +++ b/usr.sbin/bind/lib/dns/include/dns/rdataset.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rdataset.h,v 1.41.2.5.2.6 2004/03/08 02:08:01 marka Exp $ */ +/* $ISC: rdataset.h,v 1.41.2.5.2.8 2005/03/17 03:58:31 marka Exp $ */ #ifndef DNS_RDATASET_H #define DNS_RDATASET_H 1 @@ -130,22 +130,23 @@ struct dns_rdataset { * Used by message.c to indicate that the rdataset's rdata had differing * TTL values, and the rdataset->ttl holds the smallest. */ -#define DNS_RDATASETATTR_QUESTION 0x0001 -#define DNS_RDATASETATTR_RENDERED 0x0002 /* Used by message.c */ -#define DNS_RDATASETATTR_ANSWERED 0x0004 /* Used by server. */ -#define DNS_RDATASETATTR_CACHE 0x0008 /* Used by resolver. */ -#define DNS_RDATASETATTR_ANSWER 0x0010 /* Used by resolver. */ -#define DNS_RDATASETATTR_ANSWERSIG 0x0020 /* Used by resolver. */ -#define DNS_RDATASETATTR_EXTERNAL 0x0040 /* Used by resolver. */ -#define DNS_RDATASETATTR_NCACHE 0x0080 /* Used by resolver. */ -#define DNS_RDATASETATTR_CHAINING 0x0100 /* Used by resolver. */ -#define DNS_RDATASETATTR_TTLADJUSTED 0x0200 /* Used by message.c */ -#define DNS_RDATASETATTR_FIXEDORDER 0x0400 -#define DNS_RDATASETATTR_RANDOMIZE 0x0800 -#define DNS_RDATASETATTR_CHASE 0x1000 /* Used by resolver. */ -#define DNS_RDATASETATTR_NXDOMAIN 0x2000 -#define DNS_RDATASETATTR_NOQNAME 0x4000 -#define DNS_RDATASETATTR_CHECKNAMES 0x8000 /* Used by resolver. */ +#define DNS_RDATASETATTR_QUESTION 0x00000001 +#define DNS_RDATASETATTR_RENDERED 0x00000002 /* Used by message.c */ +#define DNS_RDATASETATTR_ANSWERED 0x00000004 /* Used by server. */ +#define DNS_RDATASETATTR_CACHE 0x00000008 /* Used by resolver. */ +#define DNS_RDATASETATTR_ANSWER 0x00000010 /* Used by resolver. */ +#define DNS_RDATASETATTR_ANSWERSIG 0x00000020 /* Used by resolver. */ +#define DNS_RDATASETATTR_EXTERNAL 0x00000040 /* Used by resolver. */ +#define DNS_RDATASETATTR_NCACHE 0x00000080 /* Used by resolver. */ +#define DNS_RDATASETATTR_CHAINING 0x00000100 /* Used by resolver. */ +#define DNS_RDATASETATTR_TTLADJUSTED 0x00000200 /* Used by message.c */ +#define DNS_RDATASETATTR_FIXEDORDER 0x00000400 +#define DNS_RDATASETATTR_RANDOMIZE 0x00000800 +#define DNS_RDATASETATTR_CHASE 0x00001000 /* Used by resolver. */ +#define DNS_RDATASETATTR_NXDOMAIN 0x00002000 +#define DNS_RDATASETATTR_NOQNAME 0x00004000 +#define DNS_RDATASETATTR_CHECKNAMES 0x00008000 /* Used by resolver. */ +#define DNS_RDATASETATTR_REQUIREDGLUE 0x00010000 /* * _OMITDNSSEC: diff --git a/usr.sbin/bind/lib/dns/message.c b/usr.sbin/bind/lib/dns/message.c index ea6f863e1af..5dbaa35c31a 100644 --- a/usr.sbin/bind/lib/dns/message.c +++ b/usr.sbin/bind/lib/dns/message.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: message.c,v 1.194.2.10.2.17 2004/05/05 01:32:16 marka Exp $ */ +/* $ISC: message.c,v 1.194.2.10.2.20 2005/06/07 01:42:23 marka Exp $ */ /*** *** Imports @@ -1476,6 +1476,13 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, free_name = ISC_FALSE; } + if (seen_problem) { + if (free_name) + isc_mempool_put(msg->namepool, name); + if (free_rdataset) + isc_mempool_put(msg->rdspool, rdataset); + free_name = free_rdataset = ISC_FALSE; + } INSIST(free_name == ISC_FALSE); INSIST(free_rdataset == ISC_FALSE); } @@ -1783,6 +1790,57 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, if (msg->reserved == 0 && (options & DNS_MESSAGERENDER_PARTIAL) != 0) partial = ISC_TRUE; + /* + * Render required glue first. Set TC if it won't fit. + */ + name = ISC_LIST_HEAD(*section); + if (name != NULL) { + rdataset = ISC_LIST_HEAD(name->list); + if (rdataset != NULL && + (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 && + (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) { + void *order_arg = msg->order_arg; + st = *(msg->buffer); + count = 0; + if (partial) + result = dns_rdataset_towirepartial(rdataset, + name, + msg->cctx, + msg->buffer, + msg->order, + order_arg, + rd_options, + &count, + NULL); + else + result = dns_rdataset_towiresorted(rdataset, + name, + msg->cctx, + msg->buffer, + msg->order, + order_arg, + rd_options, + &count); + total += count; + if (partial && result == ISC_R_NOSPACE) { + msg->flags |= DNS_MESSAGEFLAG_TC; + msg->buffer->length += msg->reserved; + msg->counts[sectionid] += total; + return (result); + } + if (result != ISC_R_SUCCESS) { + INSIST(st.used < 65536); + dns_compress_rollback(msg->cctx, + (isc_uint16_t)st.used); + *(msg->buffer) = st; /* rollback */ + msg->buffer->length += msg->reserved; + msg->counts[sectionid] += total; + return (result); + } + rdataset->attributes |= DNS_RDATASETATTR_RENDERED; + } + } + do { name = ISC_LIST_HEAD(*section); if (name == NULL) { diff --git a/usr.sbin/bind/lib/dns/name.c b/usr.sbin/bind/lib/dns/name.c index f32f7636317..4a176c7e0ce 100644 --- a/usr.sbin/bind/lib/dns/name.c +++ b/usr.sbin/bind/lib/dns/name.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: name.c,v 1.127.2.7.2.11 2004/09/01 05:19:59 marka Exp $ */ +/* $ISC: name.c,v 1.127.2.7.2.14 2005/10/14 01:38:48 marka Exp $ */ #include <config.h> @@ -945,9 +945,9 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, unsigned char *ndata, *label; char *tdata; char c; - ft_state state, kind; - unsigned int value, count, tbcount, bitlength, maxlength; - unsigned int n1, n2, vlen, tlen, nrem, nused, digits, labels, tused; + ft_state state; + unsigned int value, count; + unsigned int n1, n2, tlen, nrem, nused, digits, labels, tused; isc_boolean_t done; unsigned char *offsets; dns_offsets_t odata; @@ -985,15 +985,10 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, */ n1 = 0; n2 = 0; - vlen = 0; label = NULL; digits = 0; value = 0; count = 0; - tbcount = 0; - bitlength = 0; - maxlength = 0; - kind = ft_init; /* * Make 'name' empty in case of failure. @@ -1051,7 +1046,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, state = ft_initialescape; break; } - kind = ft_ordinary; state = ft_ordinary; if (nrem == 0) return (ISC_R_NOSPACE); @@ -1094,7 +1088,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, */ return (DNS_R_BADLABELTYPE); } - kind = ft_ordinary; state = ft_escape; /* FALLTHROUGH */ case ft_escape: @@ -1305,13 +1298,14 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot, trem--; nlen--; } else { - char buf[5]; if (trem < 4) return (ISC_R_NOSPACE); - snprintf(buf, sizeof(buf), - "\\%03u", c); - memcpy(tdata, buf, 4); - tdata += 4; + *tdata++ = 0x5c; + *tdata++ = 0x30 + + ((c / 100) % 10); + *tdata++ = 0x30 + + ((c / 10) % 10); + *tdata++ = 0x30 + (c % 10); trem -= 4; ndata++; nlen--; diff --git a/usr.sbin/bind/lib/dns/rbt.c b/usr.sbin/bind/lib/dns/rbt.c index aef9d996ede..fcaee76f80e 100644 --- a/usr.sbin/bind/lib/dns/rbt.c +++ b/usr.sbin/bind/lib/dns/rbt.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rbt.c,v 1.115.2.2.2.11 2004/10/25 01:36:07 marka Exp $ */ +/* $ISC: rbt.c,v 1.115.2.2.2.13 2005/06/18 01:03:24 marka Exp $ */ /* Principal Authors: DCL */ @@ -2060,7 +2060,10 @@ dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum, if (DATA(node) != NULL && rbt->data_deleter != NULL) rbt->data_deleter(DATA(node), rbt->deleter_arg); - unhash_node(rbt, node); + /* + * Note: we don't call unhash_node() here as we are destroying + * the complete rbt tree. + */ #if DNS_RBT_USEMAGIC node->magic = 0; #endif diff --git a/usr.sbin/bind/lib/dns/rbtdb.c b/usr.sbin/bind/lib/dns/rbtdb.c index 32d787e1219..3c08492e17a 100644 --- a/usr.sbin/bind/lib/dns/rbtdb.c +++ b/usr.sbin/bind/lib/dns/rbtdb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rbtdb.c,v 1.168.2.11.2.16 2004/05/23 11:07:23 marka Exp $ */ +/* $ISC: rbtdb.c,v 1.168.2.11.2.22 2005/10/14 01:38:48 marka Exp $ */ /* * Principal Author: Bob Halley @@ -97,6 +97,12 @@ typedef isc_uint32_t rbtdb_rdatatype_t; #define RBTDB_RDATATYPE_NCACHEANY \ RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any) +/* + * Allow clients with a virtual time of upto 5 minutes in the past to see + * records that would have otherwise have expired. + */ +#define RBTDB_VIRTUAL 300 + struct noqname { dns_name_t name; void * nsec; @@ -413,7 +419,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) { again: if (rbtdb->tree != NULL) { result = dns_rbt_destroy2(&rbtdb->tree, - (rbtdb->task != NULL) ? 5 : 0); + (rbtdb->task != NULL) ? 1000 : 0); if (result == ISC_R_QUOTA) { INSIST(rbtdb->task != NULL); if (event == NULL) @@ -2752,10 +2758,9 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, isc_result_t result; dns_fixedname_t fname, forigin; dns_name_t *name, *origin; - rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype; + rbtdb_rdatatype_t matchtype, sigmatchtype; matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0); - nsectype = RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_nsec); sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec); @@ -2786,7 +2791,9 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, * node as dirty, so it will get cleaned up * later. */ - if (node->references == 0) { + if (header->ttl > search->now - RBTDB_VIRTUAL) + header_prev = header; + else if (node->references == 0) { INSIST(header->down == NULL); if (header_prev != NULL) header_prev->next = @@ -2943,7 +2950,9 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, * mark it as stale, and the node as dirty, so it will * get cleaned up later. */ - if (node->references == 0) { + if (header->ttl > now - RBTDB_VIRTUAL) + header_prev = header; + else if (node->references == 0) { INSIST(header->down == NULL); if (header_prev != NULL) header_prev->next = header->next; @@ -3210,7 +3219,9 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, * mark it as stale, and the node as dirty, so it will * get cleaned up later. */ - if (node->references == 0) { + if (header->ttl > now - RBTDB_VIRTUAL) + header_prev = header; + else if (node->references == 0) { INSIST(header->down == NULL); if (header_prev != NULL) header_prev->next = header->next; @@ -3398,7 +3409,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { LOCK(&rbtdb->node_locks[rbtnode->locknum].lock); for (header = rbtnode->data; header != NULL; header = header->next) - if (header->ttl <= now) { + if (header->ttl <= now - RBTDB_VIRTUAL) { /* * We don't check if rbtnode->references == 0 and try * to free like we do in cache_find(), because @@ -3640,8 +3651,10 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, * rbtnode->references must be non-zero. This is so * because 'node' is an argument to the function. */ - header->attributes |= RDATASET_ATTR_STALE; - rbtnode->dirty = 1; + if (header->ttl <= now - RBTDB_VIRTUAL) { + header->attributes |= RDATASET_ATTR_STALE; + rbtnode->dirty = 1; + } } else if (EXISTS(header)) { if (header->type == matchtype) found = header; @@ -4344,6 +4357,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, changed = add_changed(rbtdb, rbtversion, rbtnode); if (changed == NULL) { free_rdataset(rbtdb->common.mctx, newheader); + UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock); return (ISC_R_NOMEMORY); } @@ -4909,6 +4923,11 @@ dns_rbtdb_create isc_mem_attach(mctx, &rbtdb->common.mctx); /* + * Must be initalized before free_rbtdb() is called. + */ + isc_ondestroy_init(&rbtdb->common.ondest); + + /* * Make a copy of the origin name. */ result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin); @@ -4986,8 +5005,6 @@ dns_rbtdb_create rbtdb->future_version = NULL; ISC_LIST_INIT(rbtdb->open_versions); - isc_ondestroy_init(&rbtdb->common.ondest); - rbtdb->common.magic = DNS_DB_MAGIC; rbtdb->common.impmagic = RBTDB_MAGIC; diff --git a/usr.sbin/bind/lib/dns/rdata.c b/usr.sbin/bind/lib/dns/rdata.c index 6527157414d..9626b3231f5 100644 --- a/usr.sbin/bind/lib/dns/rdata.c +++ b/usr.sbin/bind/lib/dns/rdata.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rdata.c,v 1.147.2.11.2.16 2004/10/06 05:37:40 marka Exp $ */ +/* $ISC: rdata.c,v 1.147.2.11.2.20 2005/07/22 05:27:52 marka Exp $ */ #include <config.h> #include <ctype.h> @@ -985,11 +985,15 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) { if (*sp < 0x20 || *sp >= 0x7f) { if (tl < 4) return (ISC_R_NOSPACE); - snprintf(tp, 5, "\\%03u", *sp++); - tp += 4; + *tp++ = 0x5c; + *tp++ = 0x30 + ((*sp / 100) % 10); + *tp++ = 0x30 + ((*sp / 10) % 10); + *tp++ = 0x30 + (*sp % 10); + sp++; tl -= 4; continue; } + /* double quote, semi-colon, backslash */ if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) { if (tl < 2) return (ISC_R_NOSPACE); @@ -1212,7 +1216,7 @@ name_tobuffer(dns_name_t *name, isc_buffer_t *target) { static isc_uint32_t uint32_fromregion(isc_region_t *region) { - unsigned long value; + isc_uint32_t value; REQUIRE(region->length >= 4); value = region->base[0] << 24; diff --git a/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c b/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c index 11734f0288d..a9f0ce25bbc 100644 --- a/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c +++ b/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: tsig_250.c,v 1.52.2.1.2.6 2004/03/08 09:04:40 marka Exp $ */ +/* $ISC: tsig_250.c,v 1.52.2.1.2.8 2005/03/20 22:34:01 marka Exp $ */ /* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */ @@ -162,8 +162,10 @@ totext_any_tsig(ARGS_TOTEXT) { */ sigtime = ((isc_uint64_t)sr.base[0] << 40) | ((isc_uint64_t)sr.base[1] << 32) | - (sr.base[2] << 24) | (sr.base[3] << 16) | - (sr.base[4] << 8) | sr.base[5]; + ((isc_uint64_t)sr.base[2] << 24) | + ((isc_uint64_t)sr.base[3] << 16) | + ((isc_uint64_t)sr.base[4] << 8) | + (isc_uint64_t)sr.base[5]; isc_region_consume(&sr, 6); bufp = &buf[sizeof(buf) - 1]; *bufp-- = 0; @@ -457,8 +459,10 @@ tostruct_any_tsig(ARGS_TOSTRUCT) { INSIST(sr.length >= 6); tsig->timesigned = ((isc_uint64_t)sr.base[0] << 40) | ((isc_uint64_t)sr.base[1] << 32) | - (sr.base[2] << 24) | (sr.base[3] << 16) | - (sr.base[4] << 8) | sr.base[5]; + ((isc_uint64_t)sr.base[2] << 24) | + ((isc_uint64_t)sr.base[3] << 16) | + ((isc_uint64_t)sr.base[4] << 8) | + (isc_uint64_t)sr.base[5]; isc_region_consume(&sr, 6); /* diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c b/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c index 807d5a4f38f..90724c87e1e 100644 --- a/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c +++ b/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: ds_43.c,v 1.6.2.2 2004/03/16 12:38:14 marka Exp $ */ +/* $ISC: ds_43.c,v 1.6.2.4 2005/09/06 07:29:31 marka Exp $ */ /* draft-ietf-dnsext-delegation-signer-05.txt */ @@ -28,6 +28,7 @@ static inline isc_result_t fromtext_ds(ARGS_FROMTEXT) { isc_token_t token; + unsigned char c; REQUIRE(type == 43); @@ -49,11 +50,10 @@ fromtext_ds(ARGS_FROMTEXT) { /* * Algorithm. */ - RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, + RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string, ISC_FALSE)); - if (token.value.as_ulong > 0xffU) - RETTOK(ISC_R_RANGE); - RETERR(uint8_tobuffer(token.value.as_ulong, target)); + RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion)); + RETERR(mem_tobuffer(target, &c, 1)); /* * Digest type. diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c b/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c index 85e5764b9d3..4523dad9182 100644 --- a/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c +++ b/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rt_21.c,v 1.37.2.1.2.3 2004/03/06 08:14:11 marka Exp $ */ +/* $ISC: rt_21.c,v 1.37.2.1.2.5 2005/03/17 03:58:31 marka Exp $ */ /* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */ @@ -300,7 +300,7 @@ checknames_rt(ARGS_CHECKNAMES) { isc_region_consume(®ion, 2); dns_name_init(&name, NULL); dns_name_fromregion(&name, ®ion); - if (dns_name_ishostname(&name, ISC_FALSE)) { + if (!dns_name_ishostname(&name, ISC_FALSE)) { if (bad != NULL) dns_name_clone(&name, bad); return (ISC_FALSE); diff --git a/usr.sbin/bind/lib/dns/resolver.c b/usr.sbin/bind/lib/dns/resolver.c index 3644c606c7a..5c963917d24 100644 --- a/usr.sbin/bind/lib/dns/resolver.c +++ b/usr.sbin/bind/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: resolver.c,v 1.218.2.18.4.51 2005/02/08 23:59:44 marka Exp $ */ +/* $ISC: resolver.c,v 1.218.2.18.4.56 2005/10/14 01:38:48 marka Exp $ */ #include <config.h> @@ -244,6 +244,11 @@ struct fetchctx { #define TRIEDFIND(f) (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0) #define TRIEDALT(f) (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0) +typedef struct { + dns_adbaddrinfo_t * addrinfo; + fetchctx_t * fctx; +} dns_valarg_t; + struct dns_fetch { unsigned int magic; fetchctx_t * private; @@ -342,6 +347,35 @@ static isc_result_t ncache_adderesult(dns_message_t *message, isc_stdtime_t now, dns_ttl_t maxttl, dns_rdataset_t *ardataset, isc_result_t *eresultp); +static void validated(isc_task_t *task, isc_event_t *event); + +static isc_result_t +valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, + dns_rdatatype_t type, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset, unsigned int valoptions, + isc_task_t *task) +{ + dns_validator_t *validator = NULL; + dns_valarg_t *valarg; + isc_result_t result; + + valarg = isc_mem_get(fctx->res->mctx, sizeof(*valarg)); + if (valarg == NULL) + return (ISC_R_NOMEMORY); + + valarg->fctx = fctx; + valarg->addrinfo = addrinfo; + + result = dns_validator_create(fctx->res->view, name, type, rdataset, + sigrdataset, fctx->rmessage, + valoptions, task, validated, valarg, + &validator); + if (result == ISC_R_SUCCESS) + ISC_LIST_APPEND(fctx->validators, validator, link); + else + isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg)); + return (result); +} static isc_boolean_t fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { @@ -1424,6 +1458,7 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { case ISC_R_CONNREFUSED: case ISC_R_NOPERM: case ISC_R_ADDRNOTAVAIL: + case ISC_R_CONNECTIONRESET: /* * No route to remote. */ @@ -1855,7 +1890,6 @@ fctx_getaddresses(fetchctx_t *fctx) { isc_boolean_t pruned, all_bad; dns_rdata_ns_t ns; isc_boolean_t need_alternate = ISC_FALSE; - isc_boolean_t unshared; FCTXTRACE("getaddresses"); @@ -1871,7 +1905,6 @@ fctx_getaddresses(fetchctx_t *fctx) { res = fctx->res; pruned = ISC_FALSE; stdoptions = 0; /* Keep compiler happy. */ - unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0); /* * Forwarders. @@ -2668,7 +2701,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, isc_result_t result; isc_result_t iresult; isc_interval_t interval; - dns_fixedname_t qdomain; + dns_fixedname_t fixed; unsigned int findoptions = 0; char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; @@ -2747,8 +2780,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_getlabelsequence(name, 1, labels - 1, &suffix); name = &suffix; } - result = dns_fwdtable_find(fctx->res->view->fwdtable, name, - &forwarders); + dns_fixedname_init(&fixed); + domain = dns_fixedname_name(&fixed); + result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, + domain, &forwarders); if (result == ISC_R_SUCCESS) fctx->fwdpolicy = forwarders->fwdpolicy; @@ -2760,27 +2795,22 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, */ if (dns_rdatatype_atparent(type)) findoptions |= DNS_DBFIND_NOEXACT; - dns_fixedname_init(&qdomain); - result = dns_view_findzonecut(res->view, name, - dns_fixedname_name(&qdomain), 0, - findoptions, ISC_TRUE, + result = dns_view_findzonecut(res->view, name, domain, + 0, findoptions, ISC_TRUE, &fctx->nameservers, NULL); if (result != ISC_R_SUCCESS) goto cleanup_name; - result = dns_name_dup(dns_fixedname_name(&qdomain), - res->mctx, &fctx->domain); + result = dns_name_dup(domain, res->mctx, &fctx->domain); if (result != ISC_R_SUCCESS) { dns_rdataset_disassociate(&fctx->nameservers); goto cleanup_name; } } else { /* - * We're in forward-only mode. Set the query domain - * to ".". + * We're in forward-only mode. Set the query domain. */ - result = dns_name_dup(dns_rootname, res->mctx, - &fctx->domain); + result = dns_name_dup(domain, res->mctx, &fctx->domain); if (result != ISC_R_SUCCESS) goto cleanup_name; } @@ -3090,11 +3120,15 @@ validated(isc_task_t *task, isc_event_t *event) { dns_name_t *name; dns_rdataset_t *rdataset; dns_rdataset_t *sigrdataset; + dns_valarg_t *valarg; + dns_adbaddrinfo_t *addrinfo; UNUSED(task); /* for now */ REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE); - fctx = event->ev_arg; + valarg = event->ev_arg; + fctx = valarg->fctx; + addrinfo = valarg->addrinfo; REQUIRE(VALID_FCTX(fctx)); REQUIRE(!ISC_LIST_EMPTY(fctx->validators)); @@ -3109,6 +3143,7 @@ validated(isc_task_t *task, isc_event_t *event) { * destroy the fctx if necessary. */ dns_validator_destroy(&vevent->validator); + isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg)); negative = ISC_TF(vevent->rdataset == NULL); @@ -3166,21 +3201,27 @@ validated(isc_task_t *task, isc_event_t *event) { if (vevent->result != ISC_R_SUCCESS) { FCTXTRACE("validation failed"); - if (vevent->rdataset != NULL) { + result = ISC_R_NOTFOUND; + if (vevent->rdataset != NULL) result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node); - if (result != ISC_R_SUCCESS) - goto noanswer_response; + if (result == ISC_R_SUCCESS) (void)dns_db_deleterdataset(fctx->cache, node, NULL, vevent->type, 0); - if (vevent->sigrdataset != NULL) - (void)dns_db_deleterdataset(fctx->cache, - node, NULL, - dns_rdatatype_rrsig, - vevent->type); - } + if (result == ISC_R_SUCCESS && vevent->sigrdataset != NULL) + (void)dns_db_deleterdataset(fctx->cache, node, NULL, + dns_rdatatype_rrsig, + vevent->type); + if (result == ISC_R_SUCCESS) + dns_db_detachnode(fctx->cache, &node); result = vevent->result; - goto noanswer_response; + add_bad(fctx, &addrinfo->sockaddr, result); + isc_event_free(&event); + if (sentresponse) + fctx_done(fctx, result); + else + fctx_try(fctx); + return; } isc_stdtime_get(&now); @@ -3350,7 +3391,8 @@ validated(isc_task_t *task, isc_event_t *event) { } static inline isc_result_t -cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { +cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, + isc_stdtime_t now) { dns_rdataset_t *rdataset, *sigrdataset; dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset; dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL; @@ -3363,8 +3405,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { dns_fetchevent_t *event; unsigned int options; isc_task_t *task; - dns_validator_t *validator; isc_boolean_t fail; + unsigned int valoptions = 0; /* * The appropriate bucket lock must be held. @@ -3385,8 +3427,10 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { if (result != ISC_R_SUCCESS) return (result); - if (res->view->dlv != NULL) + if (!secure_domain && res->view->dlv != NULL) { + valoptions = DNS_VALIDATOR_DLV; secure_domain = ISC_TRUE; + } if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) need_validation = ISC_FALSE; @@ -3437,7 +3481,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { /* * Cache or validate each cacheable rdataset. */ - fail = (fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0; + fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { @@ -3569,23 +3613,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { * having to remember which * rdatasets needed validation. */ - validator = NULL; - result = dns_validator_create( - res->view, - name, - rdataset->type, - rdataset, - sigrdataset, - fctx->rmessage, - 0, - task, - validated, - fctx, - &validator); - if (result == ISC_R_SUCCESS) - ISC_LIST_APPEND( - fctx->validators, - validator, link); + result = valcreate(fctx, addrinfo, + name, rdataset->type, + rdataset, + sigrdataset, + valoptions, task); } } else if (CHAINING(rdataset)) { if (rdataset->type == dns_rdatatype_cname) @@ -3660,22 +3692,10 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { } } - if (valrdataset != NULL) { - validator = NULL; - result = dns_validator_create(res->view, - name, - fctx->type, - valrdataset, - valsigrdataset, - fctx->rmessage, - 0, - task, - validated, - fctx, - &validator); - if (result == ISC_R_SUCCESS) - ISC_LIST_APPEND(fctx->validators, validator, link); - } + if (valrdataset != NULL) + result = valcreate(fctx, addrinfo, name, fctx->type, + valrdataset, valsigrdataset, valoptions, + task); if (result == ISC_R_SUCCESS && have_answer) { fctx->attributes |= FCTX_ATTR_HAVEANSWER; @@ -3695,7 +3715,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { } static inline isc_result_t -cache_message(fetchctx_t *fctx, isc_stdtime_t now) { +cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now) +{ isc_result_t result; dns_section_t section; dns_name_t *name; @@ -3715,7 +3736,7 @@ cache_message(fetchctx_t *fctx, isc_stdtime_t now) { dns_message_currentname(fctx->rmessage, section, &name); if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) { - result = cache_name(fctx, name, now); + result = cache_name(fctx, name, addrinfo, now); if (result != ISC_R_SUCCESS) break; } @@ -3783,7 +3804,9 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, } static inline isc_result_t -ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { +ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, + dns_rdatatype_t covers, isc_stdtime_t now) +{ isc_result_t result, eresult; dns_name_t *name; dns_resolver_t *res; @@ -3794,6 +3817,7 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { dns_name_t *aname; dns_fetchevent_t *event; isc_uint32_t ttl; + unsigned int valoptions = 0; FCTXTRACE("ncache_message"); @@ -3820,8 +3844,10 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { if (result != ISC_R_SUCCESS) return (result); - if (res->view->dlv != NULL) + if (!secure_domain && res->view->dlv != NULL) { + valoptions = DNS_VALIDATOR_DLV; secure_domain = ISC_TRUE; + } if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) need_validation = ISC_FALSE; @@ -3858,23 +3884,15 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { /* * Do negative response validation. */ - dns_validator_t *validator = NULL; - isc_task_t *task = res->buckets[fctx->bucketnum].task; - - result = dns_validator_create(res->view, name, fctx->type, - NULL, NULL, - fctx->rmessage, 0, task, - validated, fctx, - &validator); - if (result != ISC_R_SUCCESS) - return (result); - ISC_LIST_APPEND(fctx->validators, validator, link); + result = valcreate(fctx, addrinfo, name, fctx->type, + NULL, NULL, valoptions, + res->buckets[fctx->bucketnum].task); /* * If validation is necessary, return now. Otherwise continue * to process the message, letting the validation complete * in its own good time. */ - return (ISC_R_SUCCESS); + return (result); } LOCK(&res->buckets[fctx->bucketnum].lock); @@ -4992,6 +5010,43 @@ checknames(dns_message_t *message) { } static void +log_packet(dns_message_t *message, int level, isc_mem_t *mctx) { + isc_buffer_t buffer; + char *buf = NULL; + int len = 1024; + isc_result_t result; + + if (! isc_log_wouldlog(dns_lctx, level)) + return; + + /* + * Note that these are multiline debug messages. We want a newline + * to appear in the log after each message. + */ + + do { + buf = isc_mem_get(mctx, len); + if (buf == NULL) + break; + isc_buffer_init(&buffer, buf, len); + result = dns_message_totext(message, &dns_master_style_debug, + 0, &buffer); + if (result == ISC_R_NOSPACE) { + isc_mem_put(mctx, buf, len); + len += 1024; + } else if (result == ISC_R_SUCCESS) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, + DNS_LOGMODULE_RESOLVER, level, + "received packet:\n%.*s", + (int)isc_buffer_usedlength(&buffer), + buf); + } while (result == ISC_R_NOSPACE); + + if (buf != NULL) + isc_mem_put(mctx, buf, len); +} + +static void resquery_response(isc_task_t *task, isc_event_t *event) { isc_result_t result = ISC_R_SUCCESS; resquery_t *query = event->ev_arg; @@ -5160,6 +5215,11 @@ resquery_response(isc_task_t *task, isc_event_t *event) { } /* + * Log the incoming packet. + */ + log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx); + + /* * If the message is signed, check the signature. If not, this * returns success anyway. */ @@ -5427,7 +5487,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { * work to be queued to the DNSSEC validator. */ if (WANTCACHE(fctx)) { - result = cache_message(fctx, now); + result = cache_message(fctx, query->addrinfo, now); if (result != ISC_R_SUCCESS) goto done; } @@ -5446,7 +5506,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* * Cache any negative cache entries in the message. */ - result = ncache_message(fctx, covers, now); + result = ncache_message(fctx, query->addrinfo, covers, now); } done: diff --git a/usr.sbin/bind/lib/dns/tsig.c b/usr.sbin/bind/lib/dns/tsig.c index 3e4db83633f..1428497e13e 100644 --- a/usr.sbin/bind/lib/dns/tsig.c +++ b/usr.sbin/bind/lib/dns/tsig.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -16,7 +16,7 @@ */ /* - * $ISC: tsig.c,v 1.112.2.3.8.4 2004/03/08 09:04:32 marka Exp $ + * $ISC: tsig.c,v 1.112.2.3.8.6 2005/03/17 03:58:31 marka Exp $ */ #include <config.h> @@ -167,7 +167,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, goto cleanup_name; } } else { - if (key != NULL) { + if (dstkey != NULL) { ret = DNS_R_BADALG; goto cleanup_name; } diff --git a/usr.sbin/bind/lib/dns/validator.c b/usr.sbin/bind/lib/dns/validator.c index 7a5f87c1db7..17709ffa4f2 100644 --- a/usr.sbin/bind/lib/dns/validator.c +++ b/usr.sbin/bind/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: validator.c,v 1.91.2.5.8.15 2005/02/09 05:13:02 marka Exp $ */ +/* $ISC: validator.c,v 1.91.2.5.8.21 2005/11/02 02:07:47 marka Exp $ */ #include <config.h> @@ -51,9 +51,7 @@ #define VALATTR_TRIEDVERIFY 0x0004 #define VALATTR_NEGATIVE 0x0008 #define VALATTR_INSECURITY 0x0010 -#define VALATTR_DLV 0x0020 -#define VALATTR_DLVTRIED 0x0040 -#define VALATTR_DLVSEPTRIED 0x0080 +#define VALATTR_DLVTRIED 0x0020 #define VALATTR_NEEDNOQNAME 0x0100 #define VALATTR_NEEDNOWILDCARD 0x0200 @@ -63,13 +61,10 @@ #define VALATTR_FOUNDNOWILDCARD 0x2000 #define VALATTR_FOUNDNODATA 0x4000 - #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0) #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0) #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0) -#define DLV(val) ((val->attributes & VALATTR_DLV) != 0) #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0) -#define DLVSEPTRIED(val) ((val->attributes & VALATTR_DLVSEPTRIED) != 0) #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) @@ -110,8 +105,20 @@ static isc_result_t dlv_validatezonekey(dns_validator_t *val); static isc_result_t +dlv_validator_start(dns_validator_t *val); + +static isc_result_t finddlvsep(dns_validator_t *val, isc_boolean_t resume); +static inline void +markanswer(dns_validator_t *val) { + validator_log(val, ISC_LOG_DEBUG(3), "marking as answer"); + if (val->event->rdataset) + val->event->rdataset->trust = dns_trust_answer; + if (val->event->sigrdataset) + val->event->sigrdataset->trust = dns_trust_answer; +} + static void validator_done(dns_validator_t *val, isc_result_t result) { isc_task_t *task; @@ -219,6 +226,13 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { rdataset = &val->frdataset; eresult = devent->result; + /* Free resources which are not of interest. */ + if (devent->node != NULL) + dns_db_detachnode(devent->db, &devent->node); + if (devent->db != NULL) + dns_db_detach(&devent->db); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); isc_event_free(&event); dns_resolver_destroyfetch(&val->fetch); @@ -271,6 +285,13 @@ dsfetched(isc_task_t *task, isc_event_t *event) { rdataset = &val->frdataset; eresult = devent->result; + /* Free resources which are not of interest. */ + if (devent->node != NULL) + dns_db_detachnode(devent->db, &devent->node); + if (devent->db != NULL) + dns_db_detach(&devent->db); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); isc_event_free(&event); dns_resolver_destroyfetch(&val->fetch); @@ -285,18 +306,6 @@ dsfetched(isc_task_t *task, isc_event_t *event) { result = validatezonekey(val); if (result != DNS_R_WAIT) validator_done(val, result); - } else if (val->view->dlv != NULL && !DLVTRIED(val) && - (eresult == DNS_R_NXRRSET || - eresult == DNS_R_NCACHENXRRSET) && - !dns_name_issubdomain(val->event->name, - val->view->dlv)) - { - validator_log(val, ISC_LOG_DEBUG(2), - "no DS record: looking for DLV"); - - result = dlv_validatezonekey(val); - if (result != DNS_R_WAIT) - validator_done(val, result); } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) { @@ -328,7 +337,6 @@ static void dsfetched2(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent; dns_validator_t *val; - dns_rdataset_t *rdataset; dns_name_t *tname; isc_boolean_t want_destroy; isc_result_t result; @@ -338,9 +346,15 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { INSIST(event->ev_type == DNS_EVENT_FETCHDONE); devent = (dns_fetchevent_t *)event; val = devent->ev_arg; - rdataset = &val->frdataset; eresult = devent->result; + /* Free resources which are not of interest. */ + if (devent->node != NULL) + dns_db_detachnode(devent->db, &devent->node); + if (devent->db != NULL) + dns_db_detach(&devent->db); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); dns_resolver_destroyfetch(&val->fetch); INSIST(val->event != NULL); @@ -358,7 +372,7 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { "must be secure failure"); validator_done(val, DNS_R_MUSTBESECURE); } else { - val->event->rdataset->trust = dns_trust_answer; + markanswer(val); validator_done(val, ISC_R_SUCCESS); } } else { @@ -553,7 +567,7 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, "nsec proves name exists (owner) data=%d", *data); return (ISC_R_SUCCESS); - } + } if (relation == dns_namereln_subdomain && dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && @@ -627,7 +641,7 @@ static void authvalidated(isc_task_t *task, isc_event_t *event) { dns_validatorevent_t *devent; dns_validator_t *val; - dns_rdataset_t *rdataset, *sigrdataset; + dns_rdataset_t *rdataset; isc_boolean_t want_destroy; isc_result_t result; isc_boolean_t exists, data; @@ -637,7 +651,6 @@ authvalidated(isc_task_t *task, isc_event_t *event) { devent = (dns_validatorevent_t *)event; rdataset = devent->rdataset; - sigrdataset = devent->sigrdataset; val = devent->ev_arg; result = devent->result; dns_validator_destroy(&val->subvalidator); @@ -916,8 +929,10 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, rdataset, sigrdataset, NULL, 0, val->task, action, val, &val->subvalidator); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { val->subvalidator->parent = val; + val->subvalidator->depth = val->depth + 1; + } return (result); } @@ -1252,10 +1267,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) { "must be secure failure"); return (DNS_R_MUSTBESECURE); } - event->rdataset->trust = dns_trust_answer; - event->sigrdataset->trust = dns_trust_answer; - validator_log(val, ISC_LOG_DEBUG(3), - "marking as answer"); + markanswer(val); return (ISC_R_SUCCESS); } @@ -1344,110 +1356,9 @@ validate(dns_validator_t *val, isc_boolean_t resume) { return (DNS_R_NOVALIDSIG); } - -static void -dlv_validated(isc_task_t *task, isc_event_t *event) { - dns_validatorevent_t *devent; - dns_validator_t *val; - isc_boolean_t want_destroy; - isc_result_t result; - isc_result_t eresult; - - UNUSED(task); - INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); - - devent = (dns_validatorevent_t *)event; - val = devent->ev_arg; - eresult = devent->result; - - isc_event_free(&event); - dns_validator_destroy(&val->subvalidator); - - INSIST(val->event != NULL); - - validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated"); - LOCK(&val->lock); - if (eresult == ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(3), - "dlv with trust %d", val->frdataset.trust); - if ((val->attributes & VALATTR_INSECURITY) != 0) - result = proveunsecure(val, ISC_TRUE); - else - result = validatezonekey(val); - if (result != DNS_R_WAIT) - validator_done(val, result); - } else { - validator_log(val, ISC_LOG_DEBUG(3), - "dlv_validated: got %s", - isc_result_totext(eresult)); - validator_done(val, eresult); - } - want_destroy = exit_check(val); - UNLOCK(&val->lock); - if (want_destroy) - destroy(val); -} - -static void -dlv_fetched(isc_task_t *task, isc_event_t *event) { - dns_fetchevent_t *devent; - dns_validator_t *val; - dns_rdataset_t *rdataset; - isc_boolean_t want_destroy; - isc_result_t result; - isc_result_t eresult; - - UNUSED(task); - INSIST(event->ev_type == DNS_EVENT_FETCHDONE); - devent = (dns_fetchevent_t *)event; - val = devent->ev_arg; - rdataset = &val->frdataset; - eresult = devent->result; - - isc_event_free(&event); - dns_resolver_destroyfetch(&val->fetch); - - INSIST(val->event != NULL); - - validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched"); - LOCK(&val->lock); - if (eresult == ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(3), - "dlv set with trust %d", rdataset->trust); - val->dlv = &val->frdataset; - result = dlv_validatezonekey(val); - if (result != DNS_R_WAIT) - validator_done(val, result); - } else if (eresult == DNS_R_NXRRSET || - eresult == DNS_R_NCACHENXRRSET) - { - validator_log(val, ISC_LOG_DEBUG(3), - "falling back to insecurity proof"); - val->attributes |= VALATTR_INSECURITY; - result = proveunsecure(val, ISC_FALSE); - if (result != DNS_R_WAIT) - validator_done(val, result); - } else { - validator_log(val, ISC_LOG_DEBUG(3), - "dlv_fetched: got %s", - isc_result_totext(eresult)); - if (eresult == ISC_R_CANCELED) - validator_done(val, eresult); - else - validator_done(val, DNS_R_NOVALIDDS); - } - want_destroy = exit_check(val); - UNLOCK(&val->lock); - if (want_destroy) - destroy(val); -} - static isc_result_t dlv_validatezonekey(dns_validator_t *val) { - dns_fixedname_t fixed; dns_keytag_t keytag; - dns_name_t *name; - dns_name_t tname; dns_rdata_dlv_t dlv; dns_rdata_dnskey_t key; dns_rdata_rrsig_t sig; @@ -1460,91 +1371,8 @@ dlv_validatezonekey(dns_validator_t *val) { isc_boolean_t supported_algorithm; isc_result_t result; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; - unsigned int labels; - - val->attributes |= VALATTR_DLVTRIED; - - dns_name_init(&tname, NULL); - dns_fixedname_init(&fixed); - name = dns_fixedname_name(&fixed); - labels = dns_name_countlabels(val->event->name); - dns_name_getlabelsequence(val->event->name, 0, labels - 1, &tname); - result = dns_name_concatenate(&tname, val->view->dlv, name, NULL); - if (result != ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(2), - "DLV concatenate failed"); - return (DNS_R_NOVALIDSIG); - } - if (val->dlv == NULL) { - result = view_find(val, name, dns_rdatatype_dlv); - if (result == ISC_R_SUCCESS) { - /* - * We have DLV records. - */ - val->dsset = &val->frdataset; - if (val->frdataset.trust == dns_trust_pending && - dns_rdataset_isassociated(&val->fsigrdataset)) - { - result = create_validator(val, - val->event->name, - dns_rdatatype_ds, - &val->frdataset, - &val->fsigrdataset, - dlv_validated, - "dlv_validatezonekey"); - if (result != ISC_R_SUCCESS) - return (result); - return (DNS_R_WAIT); - } else if (val->frdataset.trust == dns_trust_pending) { - /* - * There should never be an unsigned DLV. - */ - dns_rdataset_disassociate(&val->frdataset); - validator_log(val, ISC_LOG_DEBUG(2), - "unsigned DLV record"); - return (DNS_R_NOVALIDSIG); - } else - result = ISC_R_SUCCESS; - } else if (result == ISC_R_NOTFOUND) { - result = create_fetch(val, name, dns_rdatatype_dlv, - dlv_fetched, - "dlv_validatezonekey"); - if (result != ISC_R_SUCCESS) - return (result); - return (DNS_R_WAIT); - } else if (result == DNS_R_NCACHENXDOMAIN || - result == DNS_R_NCACHENXRRSET || - result == DNS_R_NXDOMAIN || - result == DNS_R_NXRRSET) - { - /* - * The DS does not exist. - */ - if (dns_rdataset_isassociated(&val->frdataset)) - dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) - dns_rdataset_disassociate(&val->fsigrdataset); - validator_log(val, ISC_LOG_DEBUG(2), "no DLV record"); - return (DNS_R_NOVALIDSIG); - } - } - - /* - * We have a DLV set. - */ - INSIST(val->dlv != NULL); - - if (val->dlv->trust < dns_trust_secure) { - if (val->mustbesecure) { - validator_log(val, ISC_LOG_WARNING, - "must be secure failure"); - return (DNS_R_MUSTBESECURE); - } - val->event->rdataset->trust = dns_trust_answer; - val->event->sigrdataset->trust = dns_trust_answer; - return (ISC_R_SUCCESS); - } + validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey"); /* * Look through the DLV record and find the keys that can sign the * key set and the matching signature. For each such key, attempt @@ -1553,15 +1381,16 @@ dlv_validatezonekey(dns_validator_t *val) { supported_algorithm = ISC_FALSE; - for (result = dns_rdataset_first(val->dlv); + for (result = dns_rdataset_first(&val->dlv); result == ISC_R_SUCCESS; - result = dns_rdataset_next(val->dlv)) + result = dns_rdataset_next(&val->dlv)) { dns_rdata_reset(&dlvrdata); - dns_rdataset_current(val->dlv, &dlvrdata); + dns_rdataset_current(&val->dlv, &dlvrdata); (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL); - if (!dns_resolver_algorithm_supported(val->view->resolver, + if (dlv.digest_type != DNS_DSDIGEST_SHA1 || + !dns_resolver_algorithm_supported(val->view->resolver, val->event->name, dlv.algorithm)) continue; @@ -1586,8 +1415,12 @@ dlv_validatezonekey(dns_validator_t *val) { result = dns_ds_buildrdata(val->event->name, &keyrdata, dlv.digest_type, dsbuf, &newdsrdata); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + validator_log(val, ISC_LOG_DEBUG(3), + "dns_ds_buildrdata() -> %s", + dns_result_totext(result)); continue; + } /* Covert to DLV */ newdsrdata.type = dns_rdatatype_dlv; if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0) @@ -1598,7 +1431,9 @@ dlv_validatezonekey(dns_validator_t *val) { "no DNSKEY matching DLV"); continue; } - + validator_log(val, ISC_LOG_DEBUG(3), + "Found matching DLV record: checking for signature"); + for (result = dns_rdataset_first(val->event->sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(val->event->sigrdataset)) @@ -1610,7 +1445,6 @@ dlv_validatezonekey(dns_validator_t *val) { if (dlv.key_tag != sig.keyid && dlv.algorithm != sig.algorithm) continue; - dstkey = NULL; result = dns_dnssec_keyfromrdata(val->event->name, &keyrdata, @@ -1644,10 +1478,9 @@ dlv_validatezonekey(dns_validator_t *val) { "must be secure failure"); return (DNS_R_MUSTBESECURE); } - val->event->rdataset->trust = dns_trust_answer; - val->event->sigrdataset->trust = dns_trust_answer; validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm (dlv)"); + "no supported algorithm/digest (dlv)"); + markanswer(val); return (ISC_R_SUCCESS); } else return (DNS_R_NOVALIDSIG); @@ -1685,6 +1518,10 @@ validatezonekey(dns_validator_t *val) { event = val->event; + if (val->havedlvsep && val->dlv.trust >= dns_trust_secure && + dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep))) + return (dlv_validatezonekey(val)); + if (val->dsset == NULL) { /* * First, see if this key was signed by a trusted key. @@ -1783,22 +1620,6 @@ validatezonekey(dns_validator_t *val) { if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); - } else if (val->view->dlv != NULL && !DLVTRIED(val) && - (result == DNS_R_NCACHENXRRSET || - result == DNS_R_NXRRSET) && - !dns_name_issubdomain(val->event->name, - val->view->dlv)) - { - - if (dns_rdataset_isassociated(&val->frdataset)) - dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) - dns_rdataset_disassociate(&val->fsigrdataset); - - validator_log(val, ISC_LOG_DEBUG(2), - "no DS record: looking for DLV"); - - return (dlv_validatezonekey(val)); } else if (result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || result == DNS_R_NXDOMAIN || @@ -1827,8 +1648,7 @@ validatezonekey(dns_validator_t *val) { "must be secure failure"); return (DNS_R_MUSTBESECURE); } - val->event->rdataset->trust = dns_trust_answer; - val->event->sigrdataset->trust = dns_trust_answer; + markanswer(val); return (ISC_R_SUCCESS); } @@ -1848,6 +1668,8 @@ validatezonekey(dns_validator_t *val) { dns_rdataset_current(val->dsset, &dsrdata); (void)dns_rdata_tostruct(&dsrdata, &ds, NULL); + if (ds.digest_type != DNS_DSDIGEST_SHA1) + continue; if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, ds.algorithm)) @@ -1923,24 +1745,15 @@ validatezonekey(dns_validator_t *val) { event->sigrdataset->trust = dns_trust_secure; validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); - } else if (result == ISC_R_NOMORE && val->view->dlv != NULL && - !DLVTRIED(val) && !dns_name_issubdomain(val->event->name, - val->view->dlv)) - { - validator_log(val, ISC_LOG_DEBUG(2), - "no DS/DNSKEY pair: looking for DLV"); - - return (dlv_validatezonekey(val)); } else if (result == ISC_R_NOMORE && !supported_algorithm) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } - val->event->rdataset->trust = dns_trust_answer; - val->event->sigrdataset->trust = dns_trust_answer; validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm (ds)"); + "no supported algorithm/digest (DS)"); + markanswer(val); return (ISC_R_SUCCESS); } else return (DNS_R_NOVALIDSIG); @@ -2174,7 +1987,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) { if (!val->seensig && val->soaset != NULL) { - result = create_validator(val, name, dns_rdatatype_soa, + result = create_validator(val, val->soaname, + dns_rdatatype_soa, val->soaset, NULL, negauthvalidated, "nsecvalidate"); @@ -2193,8 +2007,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { } static isc_boolean_t -check_ds_algorithm(dns_validator_t *val, dns_name_t *name, - dns_rdataset_t *rdataset) { +check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { dns_rdata_t dsrdata = DNS_RDATA_INIT; dns_rdata_ds_t ds; isc_result_t result; @@ -2205,16 +2018,20 @@ check_ds_algorithm(dns_validator_t *val, dns_name_t *name, dns_rdataset_current(rdataset, &dsrdata); (void)dns_rdata_tostruct(&dsrdata, &ds, NULL); - if (dns_resolver_algorithm_supported(val->view->resolver, - name, ds.algorithm)) + if (ds.digest_type == DNS_DSDIGEST_SHA1 && + dns_resolver_algorithm_supported(val->view->resolver, + name, ds.algorithm)) { + dns_rdata_reset(&dsrdata); return (ISC_TRUE); + } dns_rdata_reset(&dsrdata); } return (ISC_FALSE); } static void -dlv_fetched2(isc_task_t *task, isc_event_t *event) { +dlvfetched(isc_task_t *task, isc_event_t *event) { + char namebuf[DNS_NAME_FORMATSIZE]; dns_fetchevent_t *devent; dns_validator_t *val; isc_boolean_t want_destroy; @@ -2226,18 +2043,29 @@ dlv_fetched2(isc_task_t *task, isc_event_t *event) { devent = (dns_fetchevent_t *)event; val = devent->ev_arg; eresult = devent->result; - + + /* Free resources which are not of interest. */ + if (devent->node != NULL) + dns_db_detachnode(devent->db, &devent->node); + if (devent->db != NULL) + dns_db_detach(&devent->db); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); isc_event_free(&event); dns_resolver_destroyfetch(&val->fetch); - + INSIST(val->event != NULL); - validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched2: %s", + validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s", dns_result_totext(eresult)); LOCK(&val->lock); if (eresult == ISC_R_SUCCESS) { + dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, + sizeof(namebuf)); + dns_rdataset_clone(&val->frdataset, &val->dlv); val->havedlvsep = ISC_TRUE; - result = proveunsecure(val, ISC_FALSE); + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); + result = dlv_validator_start(val); if (result != DNS_R_WAIT) validator_done(val, result); } else if (eresult == DNS_R_NXRRSET || @@ -2246,13 +2074,26 @@ dlv_fetched2(isc_task_t *task, isc_event_t *event) { eresult == DNS_R_NCACHENXDOMAIN) { result = finddlvsep(val, ISC_TRUE); if (result == ISC_R_SUCCESS) { - result = proveunsecure(val, ISC_FALSE); + dns_name_format(dns_fixedname_name(&val->dlvsep), + namebuf, sizeof(namebuf)); + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", + namebuf); + result = dlv_validator_start(val); if (result != DNS_R_WAIT) validator_done(val, result); } else if (result == ISC_R_NOTFOUND) { + validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); + markanswer(val); validator_done(val, ISC_R_SUCCESS); - } else if (result != DNS_R_WAIT) - validator_done(val, result); + } else { + validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", + dns_result_totext(result)); + if (result != DNS_R_WAIT) + validator_done(val, result); + } + } else { + validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", + dns_result_totext(eresult)); } want_destroy = exit_check(val); UNLOCK(&val->lock); @@ -2261,19 +2102,72 @@ dlv_fetched2(isc_task_t *task, isc_event_t *event) { } static isc_result_t +startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) { + char namebuf[DNS_NAME_FORMATSIZE]; + isc_result_t result; + + INSIST(!DLVTRIED(val)); + + val->attributes |= VALATTR_DLVTRIED; + + dns_name_format(unsecure, namebuf, sizeof(namebuf)); + validator_log(val, ISC_LOG_DEBUG(3), + "plain DNSSEC returns unsecure (%s): looking for DLV", + namebuf); + + if (dns_name_issubdomain(val->event->name, val->view->dlv)) { + validator_log(val, ISC_LOG_WARNING, "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } + + val->dlvlabels = dns_name_countlabels(unsecure) - 1; + result = finddlvsep(val, ISC_FALSE); + if (result == ISC_R_NOTFOUND) { + validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); + markanswer(val); + return (ISC_R_SUCCESS); + } + if (result != ISC_R_SUCCESS) { + validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", + dns_result_totext(result)); + return (result); + } + dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, + sizeof(namebuf)); + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); + return (dlv_validator_start(val)); +} + +static isc_result_t finddlvsep(dns_validator_t *val, isc_boolean_t resume) { + char namebuf[DNS_NAME_FORMATSIZE]; dns_fixedname_t dlvfixed; dns_name_t *dlvname; dns_name_t *dlvsep; dns_name_t noroot; isc_result_t result; unsigned int labels; + + INSIST(val->view->dlv != NULL); if (!resume) { + + if (dns_name_issubdomain(val->event->name, val->view->dlv)) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } + dns_fixedname_init(&val->dlvsep); dlvsep = dns_fixedname_name(&val->dlvsep); dns_name_copy(val->event->name, dlvsep, NULL); - val->attributes |= VALATTR_DLVSEPTRIED; + if (val->event->type == dns_rdatatype_ds) { + labels = dns_name_countlabels(dlvsep); + if (labels == 0) + return (ISC_R_NOTFOUND); + dns_name_getlabelsequence(dlvsep, 1, labels - 1, + dlvsep); + } } else { dlvsep = dns_fixedname_name(&val->dlvsep); labels = dns_name_countlabels(dlvsep); @@ -2283,6 +2177,8 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) { dns_fixedname_init(&dlvfixed); dlvname = dns_fixedname_name(&dlvfixed); labels = dns_name_countlabels(dlvsep); + if (labels == 0) + return (ISC_R_NOTFOUND); dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot); result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL); while (result == ISC_R_NOSPACE) { @@ -2297,32 +2193,37 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) { return (DNS_R_NOVALIDSIG); } - while (dns_name_countlabels(dlvname) > - dns_name_countlabels(val->view->dlv)) - { + while (dns_name_countlabels(dlvname) >= + dns_name_countlabels(val->view->dlv) + val->dlvlabels) { + dns_name_format(dlvname, namebuf, sizeof(namebuf)); + validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s", + namebuf); result = view_find(val, dlvname, dns_rdatatype_dlv); if (result == ISC_R_SUCCESS) { if (val->frdataset.trust < dns_trust_secure) return (DNS_R_NOVALIDSIG); val->havedlvsep = ISC_TRUE; + dns_rdataset_clone(&val->frdataset, &val->dlv); return (ISC_R_SUCCESS); } if (result == ISC_R_NOTFOUND) { - result = create_fetch(val, dlvname, dns_rdatatype_dlv, - dlv_fetched2, "finddlvsep"); - if (result != ISC_R_SUCCESS) - return (result); - return (DNS_R_WAIT); + result = create_fetch(val, dlvname, dns_rdatatype_dlv, + dlvfetched, "finddlvsep"); + if (result != ISC_R_SUCCESS) + return (result); + return (DNS_R_WAIT); } if (result != DNS_R_NXRRSET && result != DNS_R_NXDOMAIN && result != DNS_R_NCACHENXRRSET && - result != DNS_R_NCACHENXDOMAIN) + result != DNS_R_NCACHENXDOMAIN) return (result); /* * Strip first labels from both dlvsep and dlvname. */ labels = dns_name_countlabels(dlvsep); + if (labels == 0) + break; dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); labels = dns_name_countlabels(dlvname); dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname); @@ -2330,73 +2231,76 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) { return (ISC_R_NOTFOUND); } +/* + * proveunsecure walks down from the SEP looking for a break in the + * chain of trust. That occurs when we can prove the DS record does + * not exist at a delegation point or the DS exists at a delegation + * but we don't support the algorithm/digest. + */ static isc_result_t proveunsecure(dns_validator_t *val, isc_boolean_t resume) { isc_result_t result; - isc_result_t tresult; - dns_fixedname_t secroot; + dns_fixedname_t fixedsecroot; + dns_name_t *secroot; dns_name_t *tname; + char namebuf[DNS_NAME_FORMATSIZE]; - dns_fixedname_init(&secroot); - result = dns_keytable_finddeepestmatch(val->keytable, - val->event->name, - dns_fixedname_name(&secroot)); - /* - * If the name is not under a security root, it must be insecure. - */ - if (val->view->dlv != NULL && !DLVSEPTRIED(val) && - !dns_name_issubdomain(val->event->name, val->view->dlv)) { - tresult = finddlvsep(val, ISC_FALSE); - if (tresult != ISC_R_NOTFOUND && tresult != ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(3), - "finddlvsep returned: %s", - dns_result_totext(tresult)); - return (tresult); - } - } + dns_fixedname_init(&fixedsecroot); + secroot = dns_fixedname_name(&fixedsecroot); + if (val->havedlvsep) + dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL); + else { + result = dns_keytable_finddeepestmatch(val->keytable, + val->event->name, + secroot); - if (result == ISC_R_NOTFOUND) { - if (!val->havedlvsep) { + if (result == ISC_R_NOTFOUND) { validator_log(val, ISC_LOG_DEBUG(3), - "not beneath secure root / DLV"); + "not beneath secure root"); if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); result = DNS_R_MUSTBESECURE; goto out; } - val->event->rdataset->trust = dns_trust_answer; - return (ISC_R_SUCCESS); - } - dns_name_copy(dns_fixedname_name(&val->dlvsep), - dns_fixedname_name(&secroot), NULL); - } else if (result != ISC_R_SUCCESS) - return (result); - else if (val->havedlvsep && - dns_name_issubdomain(dns_fixedname_name(&val->dlvsep), - dns_fixedname_name(&secroot))) { - dns_name_copy(dns_fixedname_name(&val->dlvsep), - dns_fixedname_name(&secroot), NULL); + if (val->view->dlv == NULL || DLVTRIED(val)) { + markanswer(val); + return (ISC_R_SUCCESS); + } + return (startfinddlvsep(val, dns_rootname)); + } else if (result != ISC_R_SUCCESS) + return (result); } if (!resume) { - val->labels = - dns_name_countlabels(dns_fixedname_name(&secroot)) + 1; + /* + * We are looking for breaks below the SEP so add a label. + */ + val->labels = dns_name_countlabels(secroot) + 1; } else { validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure"); if (val->frdataset.trust >= dns_trust_secure && - !check_ds_algorithm(val, dns_fixedname_name(&val->fname), - &val->frdataset)) { + !check_ds(val, dns_fixedname_name(&val->fname), + &val->frdataset)) { + dns_name_format(dns_fixedname_name(&val->fname), + namebuf, sizeof(namebuf)); if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, - "must be secure failure"); + "must be secure failure at '%s'", + namebuf); result = DNS_R_MUSTBESECURE; goto out; } validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm (ds)"); - val->event->rdataset->trust = dns_trust_answer; - result = ISC_R_SUCCESS; + "no supported algorithm/digest (%s/DS)", + namebuf); + if (val->view->dlv == NULL || DLVTRIED(val)) { + markanswer(val); + result = ISC_R_SUCCESS; + goto out; + } + result = startfinddlvsep(val, + dns_fixedname_name(&val->fname)); goto out; } val->labels++; @@ -2406,7 +2310,6 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { val->labels <= dns_name_countlabels(val->event->name); val->labels++) { - char namebuf[DNS_NAME_FORMATSIZE]; dns_fixedname_init(&val->fname); tname = dns_fixedname_name(&val->fname); @@ -2425,7 +2328,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { /* * There is no DS. If this is a delegation, - * we're done. + * we maybe done. */ if (val->frdataset.trust < dns_trust_secure) { /* @@ -2443,8 +2346,11 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { "must be secure failure"); return (DNS_R_MUSTBESECURE); } - val->event->rdataset->trust = dns_trust_answer; - return (ISC_R_SUCCESS); + if (val->view->dlv == NULL || DLVTRIED(val)) { + markanswer(val); + return (ISC_R_SUCCESS); + } + return (startfinddlvsep(val, tname)); } continue; } else if (result == ISC_R_SUCCESS) { @@ -2453,10 +2359,10 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { * continue. */ if (val->frdataset.trust >= dns_trust_secure) { - if (!check_ds_algorithm(val, tname, - &val->frdataset)) { + if (!check_ds(val, tname, &val->frdataset)) { validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm (ds)"); + "no supported algorithm/" + "digest (%s/DS)", namebuf); if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, @@ -2464,9 +2370,13 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { result = DNS_R_MUSTBESECURE; goto out; } - val->event->rdataset->trust = - dns_trust_answer; - result = ISC_R_SUCCESS; + if (val->view->dlv == NULL || + DLVTRIED(val)) { + markanswer(val); + result = ISC_R_SUCCESS; + goto out; + } + result = startfinddlvsep(val, tname); goto out; } continue; @@ -2531,6 +2441,23 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { return (result); } +static isc_result_t +dlv_validator_start(dns_validator_t *val) { + isc_event_t *event; + + validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start"); + + /* + * Reset state and try again. + */ + val->attributes &= VALATTR_DLVTRIED; + val->options &= ~DNS_VALIDATOR_DLV; + + event = (isc_event_t *)val->event; + isc_task_send(val->task, &event); + return (DNS_R_WAIT); +} + static void validator_start(isc_task_t *task, isc_event_t *event) { dns_validator_t *val; @@ -2547,11 +2474,18 @@ validator_start(isc_task_t *task, isc_event_t *event) { if (val->event == NULL) return; - validator_log(val, ISC_LOG_DEBUG(3), "starting"); + if (DLVTRIED(val)) + validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV"); + else + validator_log(val, ISC_LOG_DEBUG(3), "starting"); LOCK(&val->lock); - if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) { + if ((val->options & DNS_VALIDATOR_DLV) != 0) { + validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV"); + result = startfinddlvsep(val, dns_rootname); + } else if (val->event->rdataset != NULL && + val->event->sigrdataset != NULL) { isc_result_t saved_result; /* @@ -2635,7 +2569,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, REQUIRE(type != 0); REQUIRE(rdataset != NULL || (rdataset == NULL && sigrdataset == NULL && message != NULL)); - REQUIRE(options == 0); REQUIRE(validatorp != NULL && *validatorp == NULL); tclone = NULL; @@ -2685,12 +2618,13 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->currentset = NULL; val->keyset = NULL; val->dsset = NULL; - val->dlv = NULL; + dns_rdataset_init(&val->dlv); val->soaset = NULL; val->nsecset = NULL; val->soaname = NULL; val->seensig = ISC_FALSE; val->havedlvsep = ISC_FALSE; + val->depth = 0; val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name); dns_rdataset_init(&val->frdataset); dns_rdataset_init(&val->fsigrdataset); @@ -2749,6 +2683,12 @@ destroy(dns_validator_t *val) { dns_keytable_detach(&val->keytable); if (val->subvalidator != NULL) dns_validator_destroy(&val->subvalidator); + if (val->havedlvsep) + dns_rdataset_disassociate(&val->dlv); + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_disassociate(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); mctx = val->view->mctx; if (val->siginfo != NULL) isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo)); @@ -2787,9 +2727,14 @@ validator_logv(dns_validator_t *val, isc_logcategory_t *category, isc_logmodule_t *module, int level, const char *fmt, va_list ap) { char msgbuf[2048]; + static const char spaces[] = " *"; + int depth = val->depth * 2; vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); + if ((unsigned int) depth >= sizeof spaces) + depth = sizeof spaces - 1; + if (val->event != NULL && val->event->name != NULL) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; @@ -2798,11 +2743,12 @@ validator_logv(dns_validator_t *val, isc_logcategory_t *category, dns_rdatatype_format(val->event->type, typebuf, sizeof(typebuf)); isc_log_write(dns_lctx, category, module, level, - "validating %s %s: %s", namebuf, typebuf, - msgbuf); + "%.*svalidating @%p: %s %s: %s", depth, spaces, + val, namebuf, typebuf, msgbuf); } else { isc_log_write(dns_lctx, category, module, level, - "validator @%p: %s", val, msgbuf); + "%.*svalidator @%p: %s", depth, spaces, + val, msgbuf); } } diff --git a/usr.sbin/bind/lib/dns/xfrin.c b/usr.sbin/bind/lib/dns/xfrin.c index 55b6e2a5749..a0bd284617f 100644 --- a/usr.sbin/bind/lib/dns/xfrin.c +++ b/usr.sbin/bind/lib/dns/xfrin.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: xfrin.c,v 1.124.2.4.2.9 2004/10/13 22:28:42 marka Exp $ */ +/* $ISC: xfrin.c,v 1.124.2.4.2.12 2005/11/03 23:08:41 marka Exp $ */ #include <config.h> @@ -232,7 +232,7 @@ xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass, ISC_FORMAT_PRINTF(5, 6); static void -xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...) +xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4); /**************************************************************************/ @@ -581,7 +581,7 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype, isc_task_t *task, dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp) { dns_name_t *zonename = dns_zone_getorigin(zone); - dns_xfrin_ctx_t *xfr; + dns_xfrin_ctx_t *xfr = NULL; isc_result_t result; dns_db_t *db = NULL; @@ -1391,7 +1391,7 @@ xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass, */ static void -xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...) +xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...) { va_list ap; diff --git a/usr.sbin/bind/lib/dns/zone.c b/usr.sbin/bind/lib/dns/zone.c index 775c9c8079b..b8156cf9e81 100644 --- a/usr.sbin/bind/lib/dns/zone.c +++ b/usr.sbin/bind/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: zone.c,v 1.333.2.23.2.55 2005/02/03 23:50:45 marka Exp $ */ +/* $ISC: zone.c,v 1.333.2.23.2.59 2005/07/29 00:38:33 marka Exp $ */ #include <config.h> @@ -167,6 +167,7 @@ struct dns_zone { isc_sockaddr_t *masters; dns_name_t **masterkeynames; + isc_boolean_t *mastersok; unsigned int masterscnt; unsigned int curmaster; isc_sockaddr_t masteraddr; @@ -536,6 +537,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { zone->minretry = DNS_ZONE_MINRETRY; zone->masters = NULL; zone->masterkeynames = NULL; + zone->mastersok = NULL; zone->masterscnt = 0; zone->curmaster = 0; zone->notify = NULL; @@ -590,7 +592,8 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { free_mutex: DESTROYLOCK(&zone->lock); - return (ISC_R_NOMEMORY); + isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone)); + return (result); } /* @@ -1250,6 +1253,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, isc_uint32_t serial, refresh, retry, expire, minimum; isc_time_t now; isc_boolean_t needdump = ISC_FALSE; + isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE); TIME_NOW(&now); @@ -1355,10 +1359,32 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, if (result != ISC_R_SUCCESS) goto cleanup; if (zone->db != NULL) { - if (!isc_serial_ge(serial, zone->serial)) { + /* + * This is checked in zone_replacedb() for slave zones + * as they don't reload from disk. + */ + if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) && + !isc_serial_gt(serial, zone->serial)) { + isc_uint32_t serialmin, serialmax; + + INSIST(zone->type == dns_zone_master); + + serialmin = (zone->serial + 1) & 0xffffffffU; + serialmax = (zone->serial + 0x7fffffffU) & + 0xffffffffU; + dns_zone_log(zone, ISC_LOG_ERROR, + "ixfr-from-differences: " + "new serial (%u) out of range " + "[%u - %u]", serial, serialmin, + serialmax); + result = DNS_R_BADZONE; + goto cleanup; + } else if (!isc_serial_ge(serial, zone->serial)) dns_zone_log(zone, ISC_LOG_ERROR, "zone serial has gone backwards"); - } + else if (serial == zone->serial && !hasinclude) + dns_zone_log(zone, ISC_LOG_ERROR, + "zone serial unchanged"); } zone->serial = serial; zone->refresh = RANGE(refresh, @@ -1943,6 +1969,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters, isc_sockaddr_t *new; isc_result_t result = ISC_R_SUCCESS; dns_name_t **newname; + isc_boolean_t *newok; unsigned int i; REQUIRE(DNS_ZONE_VALID(zone)); @@ -1972,10 +1999,15 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters, zone->masterscnt * sizeof(dns_name_t *)); zone->masterkeynames = NULL; } + if (zone->mastersok != NULL) { + isc_mem_put(zone->mctx, zone->mastersok, + zone->masterscnt * sizeof(isc_boolean_t)); + zone->mastersok = NULL; + } zone->masterscnt = 0; /* - * If count == 0, don't allocate any space for masters or keynames - * so internally, those pointers are NULL if count == 0 + * If count == 0, don't allocate any space for masters, mastersok or + * keynames so internally, those pointers are NULL if count == 0 */ if (count == 0) goto unlock; @@ -1983,27 +2015,35 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters, /* * masters must countain count elements! */ - new = isc_mem_get(zone->mctx, - count * sizeof(isc_sockaddr_t)); + new = isc_mem_get(zone->mctx, count * sizeof(*new)); if (new == NULL) { result = ISC_R_NOMEMORY; goto unlock; } memcpy(new, masters, count * sizeof(*new)); - zone->masters = new; - zone->masterscnt = count; - DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS); + + /* + * Similarly for mastersok. + */ + newok = isc_mem_get(zone->mctx, count * sizeof(*newok)); + if (newok == NULL) { + result = ISC_R_NOMEMORY; + isc_mem_put(zone->mctx, new, count * sizeof(*new)); + goto unlock; + }; + for (i = 0; i < count; i++) + newok[i] = ISC_FALSE; /* * if keynames is non-NULL, it must contain count elements! */ + newname = NULL; if (keynames != NULL) { - newname = isc_mem_get(zone->mctx, - count * sizeof(dns_name_t *)); + newname = isc_mem_get(zone->mctx, count * sizeof(*newname)); if (newname == NULL) { result = ISC_R_NOMEMORY; - isc_mem_put(zone->mctx, zone->masters, - count * sizeof(*new)); + isc_mem_put(zone->mctx, new, count * sizeof(*new)); + isc_mem_put(zone->mctx, newok, count * sizeof(*newok)); goto unlock; } for (i = 0; i < count; i++) @@ -2024,16 +2064,27 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters, dns_name_free( newname[i], zone->mctx); - isc_mem_put(zone->mctx, zone->masters, + isc_mem_put(zone->mctx, new, count * sizeof(*new)); + isc_mem_put(zone->mctx, newok, + count * sizeof(*newok)); isc_mem_put(zone->mctx, newname, count * sizeof(*newname)); goto unlock; } } } - zone->masterkeynames = newname; } + + /* + * Everything is ok so attach to the zone. + */ + zone->masters = new; + zone->mastersok = newok; + zone->masterkeynames = newname; + zone->masterscnt = count; + DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS); + unlock: UNLOCK_ZONE(zone); return (result); @@ -2222,6 +2273,7 @@ void dns_zone_refresh(dns_zone_t *zone) { isc_interval_t i; isc_uint32_t oldflags; + unsigned int j; REQUIRE(DNS_ZONE_VALID(zone)); @@ -2266,6 +2318,8 @@ dns_zone_refresh(dns_zone_t *zone) { zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600); zone->curmaster = 0; + for (j = 0; j < zone->masterscnt; j++) + zone->mastersok[j] = ISC_FALSE; /* initiate soa query */ queue_soa_query(zone); unlock: @@ -3186,6 +3240,7 @@ stub_callback(isc_task_t *task, isc_event_t *event) { isc_time_t now; isc_boolean_t exiting = ISC_FALSE; isc_interval_t i; + unsigned int j; stub = revent->ev_arg; INSIST(DNS_STUB_VALID(stub)); @@ -3360,13 +3415,37 @@ stub_callback(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); LOCK_ZONE(zone); dns_request_destroy(&zone->request); - zone->curmaster++; + /* + * Skip to next failed / untried master. + */ + do { + zone->curmaster++; + } while (zone->curmaster < zone->masterscnt && + zone->mastersok[zone->curmaster]); DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS); if (exiting || zone->curmaster >= zone->masterscnt) { + isc_boolean_t done = ISC_TRUE; if (!exiting && DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) { + /* + * Did we get a good answer from all the masters? + */ + for (j = 0; j < zone->masterscnt; j++) + if (zone->mastersok[j] == ISC_FALSE) { + done = ISC_FALSE; + break; + } + } else + done = ISC_TRUE; + if (!done) { zone->curmaster = 0; + /* + * Find the next failed master. + */ + while (zone->curmaster < zone->masterscnt && + zone->mastersok[zone->curmaster]) + zone->curmaster++; DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC); } else { DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); @@ -3420,6 +3499,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { dns_rdata_soa_t soa; isc_result_t result; isc_uint32_t serial; + unsigned int j; zone = revent->ev_arg; INSIST(DNS_ZONE_VALID(zone)); @@ -3668,6 +3748,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { } DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime); DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime); + zone->mastersok[zone->curmaster] = ISC_TRUE; goto next_master; } else { if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER)) @@ -3676,6 +3757,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { soa.serial, master, zone->serial); else zone_debuglog(zone, me, 1, "ahead"); + zone->mastersok[zone->curmaster] = ISC_TRUE; goto next_master; } if (msg != NULL) @@ -3688,13 +3770,37 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); LOCK_ZONE(zone); dns_request_destroy(&zone->request); - zone->curmaster++; + /* + * Skip to next failed / untried master. + */ + do { + zone->curmaster++; + } while (zone->curmaster < zone->masterscnt && + zone->mastersok[zone->curmaster]); DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS); if (zone->curmaster >= zone->masterscnt) { + isc_boolean_t done = ISC_TRUE; if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) { + /* + * Did we get a good answer from all the masters? + */ + for (j = 0; j < zone->masterscnt; j++) + if (zone->mastersok[j] == ISC_FALSE) { + done = ISC_FALSE; + break; + } + } else + done = ISC_TRUE; + if (!done) { DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC); zone->curmaster = 0; + /* + * Find the next failed master. + */ + while (zone->curmaster < zone->masterscnt && + zone->mastersok[zone->curmaster]) + zone->curmaster++; goto requeue; } DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); @@ -4023,7 +4129,13 @@ soa_query(isc_task_t *task, isc_event_t *event) { skip_master: if (key != NULL) dns_tsigkey_detach(&key); - zone->curmaster++; + /* + * Skip to next failed / untried master. + */ + do { + zone->curmaster++; + } while (zone->curmaster < zone->masterscnt && + zone->mastersok[zone->curmaster]); if (zone->curmaster < zone->masterscnt) goto again; zone->curmaster = 0; @@ -5275,40 +5387,58 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) { * is enabled in the configuration. */ if (zone->db != NULL && zone->journal != NULL && - DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3), - "generating diffs"); - result = dns_db_diff(zone->mctx, db, ver, - zone->db, NULL /* XXX */, + DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) && + !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) { + isc_uint32_t serial; + + dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs"); + + result = dns_db_getsoaserial(db, ver, &serial); + if (result != ISC_R_SUCCESS) { + dns_zone_log(zone, ISC_LOG_ERROR, + "ixfr-from-differences: unable to get " + "new serial"); + goto fail; + } + + /* + * This is checked in zone_postload() for master zones. + */ + if (zone->type == dns_zone_slave && + !isc_serial_gt(serial, zone->serial)) { + isc_uint32_t serialmin, serialmax; + serialmin = (zone->serial + 1) & 0xffffffffU; + serialmax = (zone->serial + 0x7fffffffU) & 0xffffffffU; + dns_zone_log(zone, ISC_LOG_ERROR, + "ixfr-from-differences: failed: " + "new serial (%u) out of range [%u - %u]", + serial, serialmin, serialmax); + result = ISC_R_RANGE; + goto fail; + } + + result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL, zone->journal); if (result != ISC_R_SUCCESS) goto fail; if (dump) zone_needdump(zone, DNS_DUMP_DELAY); else if (zone->journalsize != -1) { - isc_uint32_t serial; - - result = dns_db_getsoaserial(db, ver, &serial); - if (result == ISC_R_SUCCESS) { - result = dns_journal_compact(zone->mctx, - zone->journal, - serial, - zone->journalsize); - switch (result) { - case ISC_R_SUCCESS: - case ISC_R_NOSPACE: - case ISC_R_NOTFOUND: - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "dns_journal_compact: %s", - dns_result_totext(result)); - break; - default: - dns_zone_log(zone, ISC_LOG_ERROR, + result = dns_journal_compact(zone->mctx, zone->journal, + serial, zone->journalsize); + switch (result) { + case ISC_R_SUCCESS: + case ISC_R_NOSPACE: + case ISC_R_NOTFOUND: + dns_zone_log(zone, ISC_LOG_DEBUG(3), + "dns_journal_compact: %s", + dns_result_totext(result)); + break; + default: + dns_zone_log(zone, ISC_LOG_ERROR, "dns_journal_compact failed: %s", - dns_result_totext(result)); - break; - } + dns_result_totext(result)); + break; } } } else { @@ -5503,7 +5633,14 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { default: next_master: - zone->curmaster++; + /* + * Skip to next failed / untried master. + */ + do { + zone->curmaster++; + } while (zone->curmaster < zone->masterscnt && + zone->mastersok[zone->curmaster]); + /* FALLTHROUGH */ same_master: if (zone->curmaster >= zone->masterscnt) { zone->curmaster = 0; @@ -5511,6 +5648,9 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) { DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC); + while (zone->curmaster < zone->masterscnt && + zone->mastersok[zone->curmaster]) + zone->curmaster++; again = ISC_TRUE; } else DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC); @@ -5697,7 +5837,11 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) { "requesting AXFR of " "initial version from %s", mastertext); xfrtype = dns_rdatatype_axfr; - } else if (dns_zone_isforced(zone)) { + } else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) { + dns_zone_log(zone, ISC_LOG_DEBUG(1), "ixfr-from-differences " + "set, requesting AXFR from %s", mastertext); + xfrtype = dns_rdatatype_axfr; + } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "forced reload, requesting AXFR of " "initial version from %s", mastertext); @@ -6663,6 +6807,9 @@ void dns_zone_forcereload(dns_zone_t *zone) { REQUIRE(DNS_ZONE_VALID(zone)); + if (zone->type == dns_zone_master) + return; + LOCK_ZONE(zone); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER); UNLOCK_ZONE(zone); diff --git a/usr.sbin/bind/lib/isc/api b/usr.sbin/bind/lib/isc/api index 63704dd62ad..ddeff334f03 100644 --- a/usr.sbin/bind/lib/isc/api +++ b/usr.sbin/bind/lib/isc/api @@ -1,3 +1,3 @@ -LIBINTERFACE = 10 -LIBREVISION = 5 -LIBAGE = 1 +LIBINTERFACE = 11 +LIBREVISION = 1 +LIBAGE = 0 diff --git a/usr.sbin/bind/lib/isc/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/include/isc/Makefile.in index 92ddfcd51e7..b3e0ed58f70 100644 --- a/usr.sbin/bind/lib/isc/include/isc/Makefile.in +++ b/usr.sbin/bind/lib/isc/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001, 2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $ISC: Makefile.in,v 1.50.12.4 2004/03/06 08:14:38 marka Exp $ +# $ISC: Makefile.in,v 1.50.12.6 2005/03/22 02:32:07 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -28,8 +28,8 @@ top_srcdir = @top_srcdir@ # HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \ bufferlist.h commandline.h entropy.h error.h event.h \ - eventclass.h \ - file.h formatcheck.h fsaccess.h heap.h hex.h hmacmd5.h \ + eventclass.h file.h formatcheck.h fsaccess.h \ + hash.h heap.h hex.h hmacmd5.h \ interfaceiter.h @ISC_IPV6_H@ lang.h lcg.h lex.h \ lfsr.h lib.h list.h log.h magic.h md5.h mem.h msgcat.h msgs.h \ mutexblock.h netaddr.h ondestroy.h os.h parseint.h \ diff --git a/usr.sbin/bind/lib/isc/inet_pton.c b/usr.sbin/bind/lib/isc/inet_pton.c index fb1793ea1f5..75b8c4161bc 100644 --- a/usr.sbin/bind/lib/isc/inet_pton.c +++ b/usr.sbin/bind/lib/isc/inet_pton.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1996-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -17,7 +17,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = - "$ISC: inet_pton.c,v 1.10.2.4.2.1 2004/03/06 08:14:31 marka Exp $"; + "$ISC: inet_pton.c,v 1.10.2.4.2.3 2005/03/31 23:56:14 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include <config.h> @@ -132,7 +132,7 @@ inet_pton6(const char *src, unsigned char *dst) { xdigits_u[] = "0123456789ABCDEF"; unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; const char *xdigits, *curtok; - int ch, saw_xdigit; + int ch, seen_xdigits; unsigned int val; memset((tp = tmp), '\0', NS_IN6ADDRSZ); @@ -143,7 +143,7 @@ inet_pton6(const char *src, unsigned char *dst) { if (*++src != ':') return (0); curtok = src; - saw_xdigit = 0; + seen_xdigits = 0; val = 0; while ((ch = *src++) != '\0') { const char *pch; @@ -153,14 +153,13 @@ inet_pton6(const char *src, unsigned char *dst) { if (pch != NULL) { val <<= 4; val |= (pch - xdigits); - if (val > 0xffff) + if (++seen_xdigits > 4) return (0); - saw_xdigit = 1; continue; } if (ch == ':') { curtok = src; - if (!saw_xdigit) { + if (!seen_xdigits) { if (colonp) return (0); colonp = tp; @@ -170,19 +169,19 @@ inet_pton6(const char *src, unsigned char *dst) { return (0); *tp++ = (unsigned char) (val >> 8) & 0xff; *tp++ = (unsigned char) val & 0xff; - saw_xdigit = 0; + seen_xdigits = 0; val = 0; continue; } if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && inet_pton4(curtok, tp) > 0) { tp += NS_INADDRSZ; - saw_xdigit = 0; + seen_xdigits = 0; break; /* '\0' was seen by inet_pton4(). */ } return (0); } - if (saw_xdigit) { + if (seen_xdigits) { if (tp + NS_INT16SZ > endp) return (0); *tp++ = (unsigned char) (val >> 8) & 0xff; diff --git a/usr.sbin/bind/lib/isc/lfsr.c b/usr.sbin/bind/lib/isc/lfsr.c index 0874cb1bb2f..c317744b3a1 100644 --- a/usr.sbin/bind/lib/isc/lfsr.c +++ b/usr.sbin/bind/lib/isc/lfsr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,10 +15,11 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: lfsr.c,v 1.11.2.2.2.3 2004/03/08 09:04:49 marka Exp $ */ +/* $ISC: lfsr.c,v 1.11.2.2.2.6 2005/10/14 01:38:50 marka Exp $ */ #include <config.h> +#include <stddef.h> #include <stdlib.h> #include <isc/assertions.h> @@ -55,9 +56,6 @@ isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits, static inline isc_uint32_t lfsr_generate(isc_lfsr_t *lfsr) { - unsigned int highbit; - - highbit = 1 << (lfsr->bits - 1); /* * If the previous state is zero, we must fill it with something diff --git a/usr.sbin/bind/lib/isc/mem.c b/usr.sbin/bind/lib/isc/mem.c index 3e6612d07ee..4a5ea4b33df 100644 --- a/usr.sbin/bind/lib/isc/mem.c +++ b/usr.sbin/bind/lib/isc/mem.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1997-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: mem.c,v 1.98.2.7.2.5 2004/03/16 05:50:24 marka Exp $ */ +/* $ISC: mem.c,v 1.98.2.7.2.7 2005/03/17 03:58:32 marka Exp $ */ #include <config.h> @@ -717,6 +717,15 @@ isc_mem_createx(size_t init_max_size, size_t target_size, if (ctx == NULL) return (ISC_R_NOMEMORY); + if (isc_mutex_init(&ctx->lock) != ISC_R_SUCCESS) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "isc_mutex_init() %s", + isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, + ISC_MSG_FAILED, "failed")); + (memfree)(arg, ctx); + return (ISC_R_UNEXPECTED); + } + if (init_max_size == 0U) ctx->max_size = DEF_MAX_SIZE; else @@ -775,15 +784,6 @@ isc_mem_createx(size_t init_max_size, size_t target_size, ctx->highest = NULL; #endif /* ISC_MEM_USE_INTERNAL_MALLOC */ - if (isc_mutex_init(&ctx->lock) != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_mutex_init() %s", - isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, - ISC_MSG_FAILED, "failed")); - result = ISC_R_UNEXPECTED; - goto error; - } - #if ISC_MEM_TRACKLINES if ((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0) { unsigned int i; @@ -805,17 +805,18 @@ isc_mem_createx(size_t init_max_size, size_t target_size, return (ISC_R_SUCCESS); error: - if (ctx) { - if (ctx->stats) + if (ctx != NULL) { + if (ctx->stats != NULL) (memfree)(arg, ctx->stats); #if ISC_MEM_USE_INTERNAL_MALLOC - if (ctx->freelists) + if (ctx->freelists != NULL) (memfree)(arg, ctx->freelists); #endif /* ISC_MEM_USE_INTERNAL_MALLOC */ #if ISC_MEM_TRACKLINES - if (ctx->debuglist) + if (ctx->debuglist != NULL) (ctx->memfree)(ctx->arg, ctx->debuglist); #endif /* ISC_MEM_TRACKLINES */ + DESTROYLOCK(&ctx->lock); (memfree)(arg, ctx); } diff --git a/usr.sbin/bind/lib/isc/rwlock.c b/usr.sbin/bind/lib/isc/rwlock.c index b8c590039d1..8cec462b9d4 100644 --- a/usr.sbin/bind/lib/isc/rwlock.c +++ b/usr.sbin/bind/lib/isc/rwlock.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rwlock.c,v 1.33.2.4.2.1 2004/03/06 08:14:35 marka Exp $ */ +/* $ISC: rwlock.c,v 1.33.2.4.2.3 2005/03/17 03:58:32 marka Exp $ */ #include <config.h> @@ -109,7 +109,9 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota, isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ISC_MSG_FAILED, "failed"), isc_result_totext(result)); - return (ISC_R_UNEXPECTED); + result = ISC_R_UNEXPECTED; + goto destroy_lock; + } result = isc_condition_init(&rwl->writeable); if (result != ISC_R_SUCCESS) { @@ -118,12 +120,20 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota, isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ISC_MSG_FAILED, "failed"), isc_result_totext(result)); - return (ISC_R_UNEXPECTED); + result = ISC_R_UNEXPECTED; + goto destroy_rcond; } rwl->magic = RWLOCK_MAGIC; return (ISC_R_SUCCESS); + + destroy_rcond: + (void)isc_condition_destroy(&rwl->readable); + destroy_lock: + DESTROYLOCK(&rwl->lock); + + return (result); } static isc_result_t diff --git a/usr.sbin/bind/lib/isc/unix/entropy.c b/usr.sbin/bind/lib/isc/unix/entropy.c index 257b43be7bc..399887599e5 100644 --- a/usr.sbin/bind/lib/isc/unix/entropy.c +++ b/usr.sbin/bind/lib/isc/unix/entropy.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: entropy.c,v 1.60.2.3.8.9 2004/03/16 05:02:31 marka Exp $ */ +/* $ISC: entropy.c,v 1.60.2.3.8.11 2005/07/12 05:47:43 marka Exp $ */ /* * This is the system depenedent part of the ISC entropy API. @@ -446,16 +446,25 @@ make_nonblock(int fd) { int ret; int flags; char strbuf[ISC_STRERRORSIZE]; +#ifdef USE_FIONBIO_IOCTL + int on = 1; + ret = ioctl(fd, FIONBIO, (char *)&on); +#else flags = fcntl(fd, F_GETFL, 0); - flags |= O_NONBLOCK; + flags |= PORT_NONBLOCK; ret = fcntl(fd, F_SETFL, flags); +#endif if (ret == -1) { isc__strerror(errno, strbuf, sizeof(strbuf)); UNEXPECTED_ERROR(__FILE__, __LINE__, - "fcntl(%d, F_SETFL, %d): %s", - fd, flags, strbuf); +#ifdef USE_FIONBIO_IOCTL + "ioctl(%d, FIONBIO, &on): %s", fd, +#else + "fcntl(%d, F_SETFL, %d): %s", fd, flags, +#endif + strbuf); return (ISC_R_UNEXPECTED); } @@ -501,7 +510,7 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) { if (is_usocket) fd = socket(PF_UNIX, SOCK_STREAM, 0); else - fd = open(fname, O_RDONLY | O_NONBLOCK, 0); + fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0); if (fd < 0) { ret = isc__errno2result(errno); diff --git a/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c b/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c index 65c090b78b2..8c418fb42df 100644 --- a/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c +++ b/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: ifiter_ioctl.c,v 1.19.2.5.2.15 2004/11/10 22:22:49 marka Exp $ */ +/* $ISC: ifiter_ioctl.c,v 1.19.2.5.2.17 2005/10/14 02:13:07 marka Exp $ */ /* * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl. @@ -896,7 +896,9 @@ internal_current(isc_interfaceiter_t *iter) { */ static isc_result_t internal_next4(isc_interfaceiter_t *iter) { +#ifdef ISC_PLATFORM_HAVESALEN struct ifreq *ifrp; +#endif REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len); @@ -906,14 +908,14 @@ internal_next4(isc_interfaceiter_t *iter) { if (!iter->first) return (ISC_R_SUCCESS); #endif +#ifdef ISC_PLATFORM_HAVESALEN ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos); -#ifdef ISC_PLATFORM_HAVESALEN if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr)) iter->pos += sizeof(ifrp->ifr_name) + ifrp->ifr_addr.sa_len; else #endif - iter->pos += sizeof(*ifrp); + iter->pos += sizeof(struct ifreq); if (iter->pos >= (unsigned int) iter->ifc.ifc_len) return (ISC_R_NOMORE); @@ -924,21 +926,23 @@ internal_next4(isc_interfaceiter_t *iter) { #if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) static isc_result_t internal_next6(isc_interfaceiter_t *iter) { +#ifdef ISC_PLATFORM_HAVESALEN struct LIFREQ *ifrp; +#endif if (iter->result6 != ISC_R_SUCCESS && iter->result6 != ISC_R_IGNORE) return (iter->result6); REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len); +#ifdef ISC_PLATFORM_HAVESALEN ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6); -#ifdef ISC_PLATFORM_HAVESALEN if (ifrp->lifr_addr.sa_len > sizeof(struct sockaddr)) iter->pos6 += sizeof(ifrp->lifr_name) + ifrp->lifr_addr.sa_len; else #endif - iter->pos6 += sizeof(*ifrp); + iter->pos6 += sizeof(struct LIFREQ); if (iter->pos6 >= (unsigned int) iter->lifc.lifc_len) return (ISC_R_NOMORE); diff --git a/usr.sbin/bind/lib/isc/unix/socket.c b/usr.sbin/bind/lib/isc/unix/socket.c index 16eac939e62..c2a7468c663 100644 --- a/usr.sbin/bind/lib/isc/unix/socket.c +++ b/usr.sbin/bind/lib/isc/unix/socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: socket.c,v 1.207.2.19.2.15 2004/11/18 21:31:16 marka Exp $ */ +/* $ISC: socket.c,v 1.207.2.19.2.22 2005/11/03 23:08:42 marka Exp $ */ #include <config.h> @@ -283,7 +283,7 @@ socket_log(isc_socket_t *sock, isc_sockaddr_t *address, const char *fmt, ...) { char msgbuf[2048]; - char peerbuf[256]; + char peerbuf[ISC_SOCKADDR_FORMATSIZE]; va_list ap; if (! isc_log_wouldlog(isc_lctx, level)) @@ -366,7 +366,7 @@ select_poke(isc_socketmgr_t *mgr, int fd, int msg) { } #endif } while (cc < 0 && SOFT_ERROR(errno)); - + if (cc < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); FATAL_ERROR(__FILE__, __LINE__, @@ -392,6 +392,7 @@ select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) { cc = read(mgr->pipe_fds[0], buf, sizeof(buf)); if (cc < 0) { *msg = SELECT_POKE_NOTHING; + *fd = -1; /* Silence compiler. */ if (SOFT_ERROR(errno)) return; @@ -432,16 +433,25 @@ make_nonblock(int fd) { int ret; int flags; char strbuf[ISC_STRERRORSIZE]; +#ifdef USE_FIONBIO_IOCTL + int on = 1; + ret = ioctl(fd, FIONBIO, (char *)&on); +#else flags = fcntl(fd, F_GETFL, 0); - flags |= O_NONBLOCK; + flags |= PORT_NONBLOCK; ret = fcntl(fd, F_SETFL, flags); +#endif if (ret == -1) { isc__strerror(errno, strbuf, sizeof(strbuf)); UNEXPECTED_ERROR(__FILE__, __LINE__, - "fcntl(%d, F_SETFL, %d): %s", - fd, flags, strbuf); +#ifdef USE_FIONBIO_IOCTL + "ioctl(%d, FIONBIO, &on): %s", fd, +#else + "fcntl(%d, F_SETFL, %d): %s", fd, flags, +#endif + strbuf); return (ISC_R_UNEXPECTED); } @@ -464,7 +474,11 @@ cmsg_len(ISC_SOCKADDR_LEN_T len) { #else ISC_SOCKADDR_LEN_T hdrlen; - hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(NULL); /* XXX */ + /* + * Cast NULL so that any pointer arithmetic performed by CMSG_DATA + * is correct. + */ + hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(((struct cmsghdr *)NULL)); return (hdrlen + len); #endif } @@ -1225,7 +1239,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type, cmsgbuflen += cmsg_space(sizeof(struct timeval)); #endif sock->recvcmsgbuflen = cmsgbuflen; - if (sock->recvcmsgbuflen != 0) { + if (sock->recvcmsgbuflen != 0U) { sock->recvcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen); if (sock->recvcmsgbuf == NULL) goto error; @@ -1236,7 +1250,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type, cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo)); #endif sock->sendcmsgbuflen = cmsgbuflen; - if (sock->sendcmsgbuflen != 0) { + if (sock->sendcmsgbuflen != 0U) { sock->sendcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen); if (sock->sendcmsgbuf == NULL) goto error; @@ -1351,6 +1365,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, int on = 1; #endif char strbuf[ISC_STRERRORSIZE]; + const char *err = "socket"; REQUIRE(VALID_MANAGER(manager)); REQUIRE(socketp != NULL && *socketp == NULL); @@ -1370,23 +1385,24 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, } #ifdef F_DUPFD - /* - * Leave a space for stdio to work in. - */ - if (sock->fd >= 0 && sock->fd < 20) { - int new, tmp; - new = fcntl(sock->fd, F_DUPFD, 20); - tmp = errno; - (void)close(sock->fd); - errno = tmp; - sock->fd = new; - } + /* + * Leave a space for stdio to work in. + */ + if (sock->fd >= 0 && sock->fd < 20) { + int new, tmp; + new = fcntl(sock->fd, F_DUPFD, 20); + tmp = errno; + (void)close(sock->fd); + errno = tmp; + sock->fd = new; + err = "isc_socket_create: fcntl"; + } #endif if (sock->fd >= (int)FD_SETSIZE) { (void)close(sock->fd); isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL, - ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR, + ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR, isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_TOOMANYFDS, "%s: too many open file descriptors", "socket"); @@ -1416,7 +1432,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, default: isc__strerror(errno, strbuf, sizeof(strbuf)); UNEXPECTED_ERROR(__FILE__, __LINE__, - "socket() %s: %s", + "%s() %s: %s", err, isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ISC_MSG_FAILED, @@ -1467,7 +1483,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, #endif /* SO_TIMESTAMP */ #if defined(ISC_PLATFORM_HAVEIPV6) - if (pf == AF_INET6 && sock->recvcmsgbuflen == 0) { + if (pf == AF_INET6 && sock->recvcmsgbuflen == 0U) { /* * Warn explicitly because this anomaly can be hidden * in usual operation (and unexpectedly appear later). @@ -1767,6 +1783,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { int fd; isc_result_t result = ISC_R_SUCCESS; char strbuf[ISC_STRERRORSIZE]; + const char *err = "accept"; UNUSED(me); @@ -1820,17 +1837,18 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { (void *)&addrlen); #ifdef F_DUPFD - /* - * Leave a space for stdio to work in. - */ - if (fd >= 0 && fd < 20) { - int new, tmp; - new = fcntl(fd, F_DUPFD, 20); - tmp = errno; - (void)close(fd); - errno = tmp; - fd = new; - } + /* + * Leave a space for stdio to work in. + */ + if (fd >= 0 && fd < 20) { + int new, tmp; + new = fcntl(fd, F_DUPFD, 20); + tmp = errno; + (void)close(fd); + errno = tmp; + fd = new; + err = "fcntl"; + } #endif if (fd < 0) { @@ -1859,7 +1877,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { } isc__strerror(errno, strbuf, sizeof(strbuf)); UNEXPECTED_ERROR(__FILE__, __LINE__, - "internal_accept: accept() %s: %s", + "internal_accept: %s() %s: %s", err, isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ISC_MSG_FAILED, @@ -1868,7 +1886,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { fd = -1; result = ISC_R_UNEXPECTED; } else { - if (addrlen == 0) { + if (addrlen == 0U) { UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_accept(): " "accept() failed to return " @@ -2200,7 +2218,7 @@ watcher(void *uap) { cc = select(maxfd, &readfds, &writefds, NULL, NULL); if (cc < 0) { if (!SOFT_ERROR(errno)) { - isc__strerror(errno, strbuf, + isc__strerror(errno, strbuf, sizeof(strbuf)); FATAL_ERROR(__FILE__, __LINE__, "select() %s: %s", @@ -3105,6 +3123,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr, ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES); ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH); ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED); + ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET); #undef ERROR_MATCH } @@ -3174,6 +3193,7 @@ internal_connect(isc_task_t *me, isc_event_t *ev) { int cc; ISC_SOCKADDR_LEN_T optlen; char strbuf[ISC_STRERRORSIZE]; + char peerbuf[ISC_SOCKADDR_FORMATSIZE]; UNUSED(me); INSIST(ev->ev_type == ISC_SOCKEVENT_INTW); @@ -3250,13 +3270,16 @@ internal_connect(isc_task_t *me, isc_event_t *ev) { ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH); ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED); ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT); + ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET); #undef ERROR_MATCH default: dev->result = ISC_R_UNEXPECTED; + isc_sockaddr_format(&sock->address, peerbuf, + sizeof(peerbuf)); isc__strerror(errno, strbuf, sizeof(strbuf)); UNEXPECTED_ERROR(__FILE__, __LINE__, - "internal_connect: connect() %s", - strbuf); + "internal_connect: connect(%s) %s", + peerbuf, strbuf); } } else { dev->result = ISC_R_SUCCESS; @@ -3418,7 +3441,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) { dev->result = ISC_R_CANCELED; dev->ev_sender = sock; isc_task_sendanddetach(¤t_task, - ISC_EVENT_PTR(&dev)); + ISC_EVENT_PTR(&dev)); } dev = next; diff --git a/usr.sbin/bind/lib/isccfg/api b/usr.sbin/bind/lib/isccfg/api index 7e9f0b651e2..59ed93b0110 100644 --- a/usr.sbin/bind/lib/isccfg/api +++ b/usr.sbin/bind/lib/isccfg/api @@ -1,3 +1,3 @@ LIBINTERFACE = 1 -LIBREVISION = 5 +LIBREVISION = 6 LIBAGE = 0 diff --git a/usr.sbin/bind/lib/lwres/getaddrinfo.c b/usr.sbin/bind/lib/lwres/getaddrinfo.c index 69d080a2130..2835c5cb8ae 100644 --- a/usr.sbin/bind/lib/lwres/getaddrinfo.c +++ b/usr.sbin/bind/lib/lwres/getaddrinfo.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * This code is derived from software contributed to ISC by @@ -18,17 +18,17 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: getaddrinfo.c,v 1.41.206.1 2004/03/06 08:15:30 marka Exp $ */ +/* $ISC: getaddrinfo.c,v 1.41.206.3 2005/06/09 23:54:33 marka Exp $ */ #include <config.h> #include <string.h> #include <errno.h> -#include <stdlib.h> #include <lwres/lwres.h> #include <lwres/net.h> #include <lwres/netdb.h> +#include <lwres/stdlib.h> #define SA(addr) ((struct sockaddr *)(addr)) #define SIN(addr) ((struct sockaddr_in *)(addr)) diff --git a/usr.sbin/bind/lib/lwres/getipnode.c b/usr.sbin/bind/lib/lwres/getipnode.c index 6d9b6669922..5f13502da2d 100644 --- a/usr.sbin/bind/lib/lwres/getipnode.c +++ b/usr.sbin/bind/lib/lwres/getipnode.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: getipnode.c,v 1.30.2.4.2.4 2004/03/06 08:15:31 marka Exp $ */ +/* $ISC: getipnode.c,v 1.30.2.4.2.6 2005/04/29 00:03:32 marka Exp $ */ #include <config.h> @@ -331,6 +331,8 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) { n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V6, IN6ADDRSZ, src, &by); if (n != 0) { + lwres_conf_clear(lwrctx); + lwres_context_destroy(&lwrctx); *error_num = HOST_NOT_FOUND; return (NULL); } @@ -338,6 +340,7 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) { lwres_gnbaresponse_free(lwrctx, &by); if (he1 == NULL) *error_num = NO_RECOVERY; + lwres_conf_clear(lwrctx); lwres_context_destroy(&lwrctx); return (he1); } diff --git a/usr.sbin/bind/lib/lwres/lwconfig.c b/usr.sbin/bind/lib/lwres/lwconfig.c index 3afe5c21a4a..2e19683bf70 100644 --- a/usr.sbin/bind/lib/lwres/lwconfig.c +++ b/usr.sbin/bind/lib/lwres/lwconfig.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: lwconfig.c,v 1.33.2.1.2.5 2004/03/08 09:05:10 marka Exp $ */ +/* $ISC: lwconfig.c,v 1.33.2.1.2.8 2005/06/08 02:35:21 marka Exp $ */ /*** *** Module for parsing resolv.conf files. @@ -279,6 +279,7 @@ lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp) { char word[LWRES_CONFMAXLINELEN]; int res; lwres_conf_t *confdata; + lwres_addr_t address; confdata = &ctx->confdata; @@ -294,10 +295,9 @@ lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp) { if (res != EOF && res != '\n') return (LWRES_R_FAILURE); /* Extra junk on line. */ - res = lwres_create_addr(word, - &confdata->nameservers[confdata->nsnext++], 1); - if (res != LWRES_R_SUCCESS) - return (res); + res = lwres_create_addr(word, &address, 1); + if (res == LWRES_R_SUCCESS) + confdata->nameservers[confdata->nsnext++] = address; return (LWRES_R_SUCCESS); } diff --git a/usr.sbin/bind/lib/lwres/lwinetntop.c b/usr.sbin/bind/lib/lwres/lwinetntop.c index 311c5837ed9..97aa462a19c 100644 --- a/usr.sbin/bind/lib/lwres/lwinetntop.c +++ b/usr.sbin/bind/lib/lwres/lwinetntop.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1996-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -17,7 +17,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = - "$ISC: lwinetntop.c,v 1.9.12.3 2004/08/28 06:25:24 marka Exp $"; + "$ISC: lwinetntop.c,v 1.9.12.5 2005/11/04 00:16:34 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include <config.h> @@ -128,7 +128,9 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size) { for (i = 0; i < NS_IN6ADDRSZ; i++) words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3)); best.base = -1; + best.len = 0; cur.base = -1; + cur.len = 0; for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) { if (words[i] == 0) { if (cur.base == -1) diff --git a/usr.sbin/bind/lib/lwres/man/lwres.html b/usr.sbin/bind/lib/lwres/man/lwres.html index deb2810ff2b..65caec32b79 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres.html +++ b/usr.sbin/bind/lib/lwres/man/lwres.html @@ -1,433 +1,216 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres.html,v 1.4.2.1.4.2 2004/08/22 23:39:02 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres -- introduction to the lightweight resolver library</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN12" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwres.h></PRE -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN14" -></A -><H2 ->DESCRIPTION</H2 -><P ->The BIND 9 lightweight resolver library is a simple, name service +<!-- $ISC: lwres.html,v 1.4.2.1.4.9 2005/10/13 02:33:54 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres — introduction to the lightweight resolver library</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"><pre class="funcsynopsisinfo">#include <lwres/lwres.h></pre></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525832"></a><h2>DESCRIPTION</h2> +<p> +The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname-to-address and address-to-hostname lookup services to applications by transmitting lookup requests to a resolver daemon -<B -CLASS="COMMAND" ->lwresd</B -> +<span><strong class="command">lwresd</strong></span> running on the local host. The resover daemon performs the lookup using the DNS or possibly other name service protocols, and returns the results to the application through the library. The library and resolver daemon communicate using a simple -UDP-based protocol.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN18" -></A -><H2 ->OVERVIEW</H2 -><P ->The lwresd library implements multiple name service APIs. +UDP-based protocol. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525845"></a><h2>OVERVIEW</h2> +<p> +The lwresd library implements multiple name service APIs. The standard -<CODE -CLASS="FUNCTION" ->gethostbyname()</CODE ->, -<CODE -CLASS="FUNCTION" ->gethostbyaddr()</CODE ->, -<CODE -CLASS="FUNCTION" ->gethostbyname_r()</CODE ->, -<CODE -CLASS="FUNCTION" ->gethostbyaddr_r()</CODE ->, -<CODE -CLASS="FUNCTION" ->getaddrinfo()</CODE ->, -<CODE -CLASS="FUNCTION" ->getipnodebyname()</CODE ->, +<code class="function">gethostbyname()</code>, +<code class="function">gethostbyaddr()</code>, +<code class="function">gethostbyname_r()</code>, +<code class="function">gethostbyaddr_r()</code>, +<code class="function">getaddrinfo()</code>, +<code class="function">getipnodebyname()</code>, and -<CODE -CLASS="FUNCTION" ->getipnodebyaddr()</CODE -> +<code class="function">getipnodebyaddr()</code> functions are all supported. To allow the lwres library to coexist with system libraries that define functions of the same name, the library defines these functions with names prefixed by -<VAR -CLASS="LITERAL" ->lwres_</VAR ->. +<code class="literal">lwres_</code>. To define the standard names, applications must include the header file -<TT -CLASS="FILENAME" -><lwres/netdb.h></TT -> +<code class="filename"><lwres/netdb.h></code> which contains macro definitions mapping the standard function names into -<VAR -CLASS="LITERAL" ->lwres_</VAR -> +<code class="literal">lwres_</code> prefixed ones. Operating system vendors who integrate the lwres library into their base distributions should rename the functions -in the library proper so that the renaming macros are not needed.</P -><P ->The library also provides a native API consisting of the functions -<CODE -CLASS="FUNCTION" ->lwres_getaddrsbyname()</CODE -> +in the library proper so that the renaming macros are not needed. +</p> +<p> +The library also provides a native API consisting of the functions +<code class="function">lwres_getaddrsbyname()</code> and -<CODE -CLASS="FUNCTION" ->lwres_getnamebyaddr()</CODE ->. +<code class="function">lwres_getnamebyaddr()</code>. These may be called by applications that require more detailed control over the lookup process than the standard functions -provide.</P -><P ->In addition to these name service independent address lookup +provide. +</p> +<p> +In addition to these name service independent address lookup functions, the library implements a new, experimental API for looking up arbitrary DNS resource records, using the -<CODE -CLASS="FUNCTION" ->lwres_getaddrsbyname()</CODE -> -function.</P -><P ->Finally, there is a low-level API for converting lookup +<code class="function">lwres_getaddrsbyname()</code> +function. +</p> +<p> +Finally, there is a low-level API for converting lookup requests and responses to and from raw lwres protocol packets. This API can be used by clients requiring nonblocking operation, and is also used when implementing the server side of the lwres protocol, for example in the -<B -CLASS="COMMAND" ->lwresd</B -> +<span><strong class="command">lwresd</strong></span> resolver daemon. The use of this low-level API in clients -and servers is outlined in the following sections.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN38" -></A -><H2 ->CLIENT-SIDE LOW-LEVEL API CALL FLOW</H2 -><P ->When a client program wishes to make an lwres request using the +and servers is outlined in the following sections. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525909"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2> +<p> +When a client program wishes to make an lwres request using the native low-level API, it typically performs the following -sequence of actions.</P -><P ->(1) Allocate or use an existing <SPAN -CLASS="TYPE" ->lwres_packet_t</SPAN ->, -called <VAR -CLASS="VARNAME" ->pkt</VAR -> below.</P -><P ->(2) Set <CODE -CLASS="STRUCTFIELD" ->pkt.recvlength</CODE -> to the maximum length we will accept. +sequence of actions. +</p> +<p> +(1) Allocate or use an existing <span class="type">lwres_packet_t</span>, +called <code class="varname">pkt</code> below. +</p> +<p> +(2) Set <em class="structfield"><code>pkt.recvlength</code></em> to the maximum length we will accept. This is done so the receiver of our packets knows how large our receive buffer is. The "default" is a constant in -<TT -CLASS="FILENAME" ->lwres.h</TT ->: <CODE -CLASS="CONSTANT" ->LWRES_RECVLENGTH = 4096</CODE ->.</P -><P ->(3) Set <CODE -CLASS="STRUCTFIELD" ->pkt.serial</CODE -> +<code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>. +</p> +<p> +(3) Set <em class="structfield"><code>pkt.serial</code></em> to a unique serial number. This value is echoed -back to the application by the remote server.</P -><P ->(4) Set <CODE -CLASS="STRUCTFIELD" ->pkt.pktflags</CODE ->. Usually this is set to 0.</P -><P ->(5) Set <CODE -CLASS="STRUCTFIELD" ->pkt.result</CODE -> to 0.</P -><P ->(6) Call <CODE -CLASS="FUNCTION" ->lwres_*request_render()</CODE ->, +back to the application by the remote server. +</p> +<p> +(4) Set <em class="structfield"><code>pkt.pktflags</code></em>. Usually this is set to 0. +</p> +<p> +(5) Set <em class="structfield"><code>pkt.result</code></em> to 0. +</p> +<p> +(6) Call <code class="function">lwres_*request_render()</code>, or marshall in the data using the primitives -such as <CODE -CLASS="FUNCTION" ->lwres_packet_render()</CODE -> -and storing the packet data.</P -><P ->(7) Transmit the resulting buffer.</P -><P ->(8) Call <CODE -CLASS="FUNCTION" ->lwres_*response_parse()</CODE -> -to parse any packets received.</P -><P ->(9) Verify that the opcode and serial match a request, and process the -packet specific information contained in the body.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN61" -></A -><H2 ->SERVER-SIDE LOW-LEVEL API CALL FLOW</H2 -><P ->When implementing the server side of the lightweight resolver +such as <code class="function">lwres_packet_render()</code> +and storing the packet data. +</p> +<p> +(7) Transmit the resulting buffer. +</p> +<p> +(8) Call <code class="function">lwres_*response_parse()</code> +to parse any packets received. +</p> +<p> +(9) Verify that the opcode and serial match a request, and process the +packet specific information contained in the body. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526056"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2> +<p> +When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the -following is typically involved in processing each request packet.</P -><P ->Note that the same <SPAN -CLASS="TYPE" ->lwres_packet_t</SPAN -> is used -in both the <CODE -CLASS="FUNCTION" ->_parse()</CODE -> and <CODE -CLASS="FUNCTION" ->_render()</CODE -> calls, +following is typically involved in processing each request packet. +</p> +<p> +Note that the same <span class="type">lwres_packet_t</span> is used +in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls, with only a few modifications made to the packet header's contents between uses. This method is recommended -as it keeps the serial, opcode, and other fields correct.</P -><P ->(1) When a packet is received, call <CODE -CLASS="FUNCTION" ->lwres_*request_parse()</CODE -> to -unmarshall it. This returns a <SPAN -CLASS="TYPE" ->lwres_packet_t</SPAN -> (also called <VAR -CLASS="VARNAME" ->pkt</VAR ->, below) -as well as a data specific type, such as <SPAN -CLASS="TYPE" ->lwres_gabnrequest_t</SPAN ->.</P -><P ->(2) Process the request in the data specific type.</P -><P ->(3) Set the <CODE -CLASS="STRUCTFIELD" ->pkt.result</CODE ->, -<CODE -CLASS="STRUCTFIELD" ->pkt.recvlength</CODE -> as above. All other fields can -be left untouched since they were filled in by the <CODE -CLASS="FUNCTION" ->*_parse()</CODE -> call -above. If using <CODE -CLASS="FUNCTION" ->lwres_*response_render()</CODE ->, -<CODE -CLASS="STRUCTFIELD" ->pkt.pktflags</CODE -> will be set up -properly. Otherwise, the <CODE -CLASS="CONSTANT" ->LWRES_LWPACKETFLAG_RESPONSE</CODE -> bit should be -set.</P -><P ->(4) Call the data specific rendering function, such as -<CODE -CLASS="FUNCTION" ->lwres_gabnresponse_render()</CODE ->.</P -><P ->(5) Send the resulting packet to the client.</P -><P -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN85" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_gethostent</SPAN ->(3)</SPAN ->, +as it keeps the serial, opcode, and other fields correct. +</p> +<p> +(1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to +unmarshall it. This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below) +as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>. +</p> +<p> +(2) Process the request in the data specific type. +</p> +<p> +(3) Set the <em class="structfield"><code>pkt.result</code></em>, +<em class="structfield"><code>pkt.recvlength</code></em> as above. All other fields can +be left untouched since they were filled in by the <code class="function">*_parse()</code> call +above. If using <code class="function">lwres_*response_render()</code>, +<em class="structfield"><code>pkt.pktflags</code></em> will be set up +properly. Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be +set. +</p> +<p> +(4) Call the data specific rendering function, such as +<code class="function">lwres_gabnresponse_render()</code>. +</p> +<p> +(5) Send the resulting packet to the client. +</p> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526141"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>, + +<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getipnode</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getnameinfo</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_noop</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_gabn</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_gnba</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_context</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_config</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->resolver</SPAN ->(5)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>. -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwresd</SPAN ->(8)</SPAN ->. </P -></DIV -></BODY -></HTML -> +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_buffer.html b/usr.sbin/bind/lib/lwres/man/lwres_buffer.html index b956ddf49eb..601ad2b9541 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_buffer.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_buffer.html @@ -1,232 +1,267 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_buffer.html,v 1.4.2.1.4.2 2004/08/22 23:39:03 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_buffer</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_buffer</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem -- lightweight resolver buffer management</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN26" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN27" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwbuffer.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_init</CODE ->(lwres_buffer_t *b, void *base, unsigned int length);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_invalidate</CODE ->(lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_add</CODE ->(lwres_buffer_t *b, unsigned int n);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_subtract</CODE ->(lwres_buffer_t *b, unsigned int n);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_clear</CODE ->(lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_first</CODE ->(lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_forward</CODE ->(lwres_buffer_t *b, unsigned int n);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_back</CODE ->(lwres_buffer_t *b, unsigned int n);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_uint8_t -lwres_buffer_getuint8</CODE ->(lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_putuint8</CODE ->(lwres_buffer_t *b, lwres_uint8_t val);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_uint16_t -lwres_buffer_getuint16</CODE ->(lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_putuint16</CODE ->(lwres_buffer_t *b, lwres_uint16_t val);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_uint32_t -lwres_buffer_getuint32</CODE ->(lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_putuint32</CODE ->(lwres_buffer_t *b, lwres_uint32_t val);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_putmem</CODE ->(lwres_buffer_t *b, const unsigned char *base, unsigned int length);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_buffer_getmem</CODE ->(lwres_buffer_t *b, unsigned char *base, unsigned int length);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN106" -></A -><H2 ->DESCRIPTION</H2 -><P ->These functions provide bounds checked access to a region of memory +<!-- $ISC: lwres_buffer.html,v 1.4.2.1.4.8 2005/10/13 02:33:55 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_buffer</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo"> +#include <lwres/lwbuffer.h> +</pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_init</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_invalidate</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_add</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_subtract</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_clear</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_first</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_forward</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_back</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +lwres_uint8_t +<b class="fsfunc">lwres_buffer_getuint8</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_putuint8</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +lwres_uint16_t +<b class="fsfunc">lwres_buffer_getuint16</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_putuint16</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +lwres_uint32_t +<b class="fsfunc">lwres_buffer_getuint32</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_putuint32</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_putmem</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_buffer_getmem</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526109"></a><h2>DESCRIPTION</h2> +<p> +These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the -<VAR -CLASS="LITERAL" ->isc_buffer_</VAR -> -functions in the ISC library.</P -><P ->A buffer is a region of memory, together with a set of related +<code class="literal">isc_buffer_</code> +functions in the ISC library. +</p> +<p> +A buffer is a region of memory, together with a set of related subregions. -The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->used region</I -></SPAN -> and the -<SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->available</I -></SPAN -> region are disjoint, and +The <span class="emphasis"><em>used region</em></span> and the +<span class="emphasis"><em>available</em></span> region are disjoint, and their union is the buffer's region. The used region extends from the beginning of the buffer region to the last used byte. @@ -234,60 +269,33 @@ The available region extends from one byte greater than the last used byte to the end of the buffer's region. The size of the used region can be changed using various buffer commands. -Initially, the used region is empty.</P -><P ->The used region is further subdivided into two disjoint regions: the -<SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->consumed region</I -></SPAN -> and the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->remaining region</I -></SPAN ->. +Initially, the used region is empty. +</p> +<p> +The used region is further subdivided into two disjoint regions: the +<span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>. The union of these two regions is the used region. The consumed region extends from the beginning of the used region to -the byte before the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->current</I -></SPAN -> offset (if any). -The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->remaining</I -></SPAN -> region the current pointer to the end of the used +the byte before the <span class="emphasis"><em>current</em></span> offset (if any). +The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end of the used region. The size of the consumed region can be changed using various buffer commands. -Initially, the consumed region is empty.</P -><P ->The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->active region</I -></SPAN -> is an (optional) subregion of the remaining +Initially, the consumed region is empty. +</p> +<p> +The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, -the active region will also be empty.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> +the active region will also be empty. +</p> +<p> +</p> +<pre class="programlisting"> + /------------entire length---------------\\ /----- used region -----\\/-- available --\\ +----------------------------------------+ @@ -305,272 +313,132 @@ CLASS="PROGRAMLISTING" a-d == used region. a-b == consumed region. b-d == remaining region. - b-c == optional active region.</PRE -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_buffer_init()</CODE -> + b-c == optional active region. +</pre> +<p> +</p> +<p> +<code class="function">lwres_buffer_init()</code> initializes the -<SPAN -CLASS="TYPE" ->lwres_buffer_t</SPAN -> -<VAR -CLASS="PARAMETER" ->*b</VAR -> +<span class="type">lwres_buffer_t</span> +<em class="parameter"><code>*b</code></em> and assocates it with the memory region of size -<VAR -CLASS="PARAMETER" ->length</VAR -> +<em class="parameter"><code>length</code></em> bytes starting at location -<VAR -CLASS="PARAMETER" ->base.</VAR -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_buffer_invalidate()</CODE -> +<em class="parameter"><code>base.</code></em> +</p> +<p> +<code class="function">lwres_buffer_invalidate()</code> marks the buffer -<VAR -CLASS="PARAMETER" ->*b</VAR -> +<em class="parameter"><code>*b</code></em> as invalid. Invalidating a buffer after use is not required, -but makes it possible to catch its possible accidental use.</P -><P ->The functions -<CODE -CLASS="FUNCTION" ->lwres_buffer_add()</CODE -> +but makes it possible to catch its possible accidental use. +</p> +<p> +The functions +<code class="function">lwres_buffer_add()</code> and -<CODE -CLASS="FUNCTION" ->lwres_buffer_subtract()</CODE -> +<code class="function">lwres_buffer_subtract()</code> respectively increase and decrease the used space in buffer -<VAR -CLASS="PARAMETER" ->*b</VAR -> +<em class="parameter"><code>*b</code></em> by -<VAR -CLASS="PARAMETER" ->n</VAR -> +<em class="parameter"><code>n</code></em> bytes. -<CODE -CLASS="FUNCTION" ->lwres_buffer_add()</CODE -> +<code class="function">lwres_buffer_add()</code> checks for buffer overflow and -<CODE -CLASS="FUNCTION" ->lwres_buffer_subtract()</CODE -> +<code class="function">lwres_buffer_subtract()</code> checks for underflow. These functions do not allocate or deallocate memory. They just change the value of -<CODE -CLASS="STRUCTFIELD" ->used</CODE ->.</P -><P ->A buffer is re-initialised by -<CODE -CLASS="FUNCTION" ->lwres_buffer_clear()</CODE ->. +<em class="structfield"><code>used</code></em>. +</p> +<p> +A buffer is re-initialised by +<code class="function">lwres_buffer_clear()</code>. The function sets -<CODE -CLASS="STRUCTFIELD" ->used</CODE -> , -<CODE -CLASS="STRUCTFIELD" ->current</CODE -> +<em class="structfield"><code>used</code></em> , +<em class="structfield"><code>current</code></em> and -<CODE -CLASS="STRUCTFIELD" ->active</CODE -> -to zero.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_buffer_first</CODE -> +<em class="structfield"><code>active</code></em> +to zero. +</p> +<p> +<code class="function">lwres_buffer_first</code> makes the consumed region of buffer -<VAR -CLASS="PARAMETER" ->*p</VAR -> +<em class="parameter"><code>*p</code></em> empty by setting -<CODE -CLASS="STRUCTFIELD" ->current</CODE -> -to zero (the start of the buffer).</P -><P -><CODE -CLASS="FUNCTION" ->lwres_buffer_forward()</CODE -> +<em class="structfield"><code>current</code></em> +to zero (the start of the buffer). +</p> +<p> +<code class="function">lwres_buffer_forward()</code> increases the consumed region of buffer -<VAR -CLASS="PARAMETER" ->*b</VAR -> +<em class="parameter"><code>*b</code></em> by -<VAR -CLASS="PARAMETER" ->n</VAR -> +<em class="parameter"><code>n</code></em> bytes, checking for overflow. Similarly, -<CODE -CLASS="FUNCTION" ->lwres_buffer_back()</CODE -> +<code class="function">lwres_buffer_back()</code> decreases buffer -<VAR -CLASS="PARAMETER" ->b</VAR ->'s +<em class="parameter"><code>b</code></em>'s consumed region by -<VAR -CLASS="PARAMETER" ->n</VAR -> -bytes and checks for underflow.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_buffer_getuint8()</CODE -> +<em class="parameter"><code>n</code></em> +bytes and checks for underflow. +</p> +<p> +<code class="function">lwres_buffer_getuint8()</code> reads an unsigned 8-bit integer from -<VAR -CLASS="PARAMETER" ->*b</VAR -> +<em class="parameter"><code>*b</code></em> and returns it. -<CODE -CLASS="FUNCTION" ->lwres_buffer_putuint8()</CODE -> +<code class="function">lwres_buffer_putuint8()</code> writes the unsigned 8-bit integer -<VAR -CLASS="PARAMETER" ->val</VAR -> +<em class="parameter"><code>val</code></em> to buffer -<VAR -CLASS="PARAMETER" ->*b</VAR ->.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_buffer_getuint16()</CODE -> +<em class="parameter"><code>*b</code></em>. +</p> +<p> +<code class="function">lwres_buffer_getuint16()</code> and -<CODE -CLASS="FUNCTION" ->lwres_buffer_getuint32()</CODE -> +<code class="function">lwres_buffer_getuint32()</code> are identical to -<CODE -CLASS="FUNCTION" ->lwres_buffer_putuint8()</CODE -> +<code class="function">lwres_buffer_putuint8()</code> except that they respectively read an unsigned 16-bit or 32-bit integer in network byte order from -<VAR -CLASS="PARAMETER" ->b</VAR ->. +<em class="parameter"><code>b</code></em>. Similarly, -<CODE -CLASS="FUNCTION" ->lwres_buffer_putuint16()</CODE -> +<code class="function">lwres_buffer_putuint16()</code> and -<CODE -CLASS="FUNCTION" ->lwres_buffer_putuint32()</CODE -> +<code class="function">lwres_buffer_putuint32()</code> writes the unsigned 16-bit or 32-bit integer -<VAR -CLASS="PARAMETER" ->val</VAR -> +<em class="parameter"><code>val</code></em> to buffer -<VAR -CLASS="PARAMETER" ->b</VAR ->, -in network byte order.</P -><P ->Arbitrary amounts of data are read or written from a lightweight +<em class="parameter"><code>b</code></em>, +in network byte order. +</p> +<p> +Arbitrary amounts of data are read or written from a lightweight resolver buffer with -<CODE -CLASS="FUNCTION" ->lwres_buffer_getmem()</CODE -> +<code class="function">lwres_buffer_getmem()</code> and -<CODE -CLASS="FUNCTION" ->lwres_buffer_putmem()</CODE -> +<code class="function">lwres_buffer_putmem()</code> respectively. -<CODE -CLASS="FUNCTION" ->lwres_buffer_putmem()</CODE -> +<code class="function">lwres_buffer_putmem()</code> copies -<VAR -CLASS="PARAMETER" ->length</VAR -> +<em class="parameter"><code>length</code></em> bytes of memory at -<VAR -CLASS="PARAMETER" ->base</VAR -> +<em class="parameter"><code>base</code></em> to -<VAR -CLASS="PARAMETER" ->b</VAR ->. +<em class="parameter"><code>b</code></em>. Conversely, -<CODE -CLASS="FUNCTION" ->lwres_buffer_getmem()</CODE -> +<code class="function">lwres_buffer_getmem()</code> copies -<VAR -CLASS="PARAMETER" ->length</VAR -> +<em class="parameter"><code>length</code></em> bytes of memory from -<VAR -CLASS="PARAMETER" ->b</VAR -> +<em class="parameter"><code>b</code></em> to -<VAR -CLASS="PARAMETER" ->base</VAR ->.</P -></DIV -></BODY -></HTML -> +<em class="parameter"><code>base</code></em>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_config.html b/usr.sbin/bind/lib/lwres/man/lwres_config.html index e85393268c3..769fe18f80c 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_config.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_config.html @@ -1,282 +1,166 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_config.html,v 1.4.2.1.4.2 2004/08/22 23:39:03 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_config</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_config</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get -- lightweight resolver configuration</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN15" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN16" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwres.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_conf_init</CODE ->(lwres_context_t *ctx);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_conf_clear</CODE ->(lwres_context_t *ctx);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_conf_parse</CODE ->(lwres_context_t *ctx, const char *filename);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_conf_print</CODE ->(lwres_context_t *ctx, FILE *fp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_conf_t * -lwres_conf_get</CODE ->(lwres_context_t *ctx);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN40" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_conf_init()</CODE -> +<!-- $ISC: lwres_config.html,v 1.4.2.1.4.9 2005/10/13 02:33:55 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_config</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/lwres.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_conf_init</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_conf_clear</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_conf_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_conf_print</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr> +<td><code class="funcdef"> +lwres_conf_t * +<b class="fsfunc">lwres_conf_get</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525910"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_conf_init()</code> creates an empty -<SPAN -CLASS="TYPE" ->lwres_conf_t</SPAN -> +<span class="type">lwres_conf_t</span> structure for lightweight resolver context -<VAR -CLASS="PARAMETER" ->ctx</VAR ->.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_conf_clear()</CODE -> +<em class="parameter"><code>ctx</code></em>. +</p> +<p> +<code class="function">lwres_conf_clear()</code> frees up all the internal memory used by that -<SPAN -CLASS="TYPE" ->lwres_conf_t</SPAN -> +<span class="type">lwres_conf_t</span> structure in resolver context -<VAR -CLASS="PARAMETER" ->ctx</VAR ->.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_conf_parse()</CODE -> +<em class="parameter"><code>ctx</code></em>. +</p> +<p> +<code class="function">lwres_conf_parse()</code> opens the file -<VAR -CLASS="PARAMETER" ->filename</VAR -> +<em class="parameter"><code>filename</code></em> and parses it to initialise the resolver context -<VAR -CLASS="PARAMETER" ->ctx</VAR ->'s -<SPAN -CLASS="TYPE" ->lwres_conf_t</SPAN -> -structure.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_conf_print()</CODE -> +<em class="parameter"><code>ctx</code></em>'s +<span class="type">lwres_conf_t</span> +structure. +</p> +<p> +<code class="function">lwres_conf_print()</code> prints the -<SPAN -CLASS="TYPE" ->lwres_conf_t</SPAN -> +<span class="type">lwres_conf_t</span> structure for resolver context -<VAR -CLASS="PARAMETER" ->ctx</VAR -> +<em class="parameter"><code>ctx</code></em> to the -<SPAN -CLASS="TYPE" ->FILE</SPAN -> -<VAR -CLASS="PARAMETER" ->fp</VAR ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN61" -></A -><H2 ->RETURN VALUES</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_conf_parse()</CODE -> +<span class="type">FILE</span> +<em class="parameter"><code>fp</code></em>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525981"></a><h2>RETURN VALUES</h2> +<p> +<code class="function">lwres_conf_parse()</code> returns -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +<span class="errorcode">LWRES_R_SUCCESS</span> if it successfully read and parsed -<VAR -CLASS="PARAMETER" ->filename</VAR ->. +<em class="parameter"><code>filename</code></em>. It returns -<SPAN -CLASS="ERRORCODE" ->LWRES_R_FAILURE</SPAN -> +<span class="errorcode">LWRES_R_FAILURE</span> if -<VAR -CLASS="PARAMETER" ->filename</VAR -> +<em class="parameter"><code>filename</code></em> could not be opened or contained incorrect -resolver statements.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_conf_print()</CODE -> +resolver statements. +</p> +<p> +<code class="function">lwres_conf_print()</code> returns -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +<span class="errorcode">LWRES_R_SUCCESS</span> unless an error occurred when converting the network addresses to a numeric host address string. If this happens, the function returns -<SPAN -CLASS="ERRORCODE" ->LWRES_R_FAILURE</SPAN ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN73" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->stdio</SPAN ->(3)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->resolver</SPAN ->(5)</SPAN ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN82" -></A -><H2 ->FILES</H2 -><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P -></DIV -></BODY -></HTML -> +<span class="errorcode">LWRES_R_FAILURE</span>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526021"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>, +<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526048"></a><h2>FILES</h2> +<p> +<code class="filename">/etc/resolv.conf</code> +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_context.3 b/usr.sbin/bind/lib/lwres/man/lwres_context.3 index 1047a904e10..9638e164003 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_context.3 +++ b/usr.sbin/bind/lib/lwres/man/lwres_context.3 @@ -1,103 +1,82 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: lwres_context.3,v 1.13.2.2.2.2 2004/03/08 09:05:12 marka Exp $ +.\" $ISC: lwres_context.3,v 1.13.2.2.2.6 2005/10/13 02:33:52 marka Exp $ .\" -.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management -.SH SYNOPSIS -\fB#include <lwres/lwres.h> -.sp -.na -lwres_result_t -lwres_context_create(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function); -.ad -.sp -.na -lwres_result_t -lwres_context_destroy(lwres_context_t **contextp); -.ad -.sp -.na -void -lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial); -.ad -.sp -.na -lwres_uint32_t -lwres_context_nextserial(lwres_context_t *ctx); -.ad -.sp -.na -void -lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len); -.ad -.sp -.na -void -lwres_context_allocmem(lwres_context_t *ctx, size_t len); -.ad -.sp -.na -void * -lwres_context_sendrecv(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len); -.ad -\fR +.SH "SYNOPSIS" +.nf +#include <lwres/lwres.h> +.fi +.HP 36 +\fBlwres_result_t\ \fBlwres_context_create\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB, \fR\fBvoid\ *arg\fR\fB, \fR\fBlwres_malloc_t\ malloc_function\fR\fB, \fR\fBlwres_free_t\ free_function\fR\fB);\fR +.HP 37 +\fBlwres_result_t\ \fBlwres_context_destroy\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB);\fR +.HP 30 +\fBvoid\ \fBlwres_context_initserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_uint32_t\ serial\fR\fB);\fR +.HP 40 +\fBlwres_uint32_t\ \fBlwres_context_nextserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR +.HP 27 +\fBvoid\ \fBlwres_context_freemem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *mem\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR +.HP 28 +\fBvoid\ \fBlwres_context_allocmem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR +.HP 30 +\fBvoid\ *\ \fBlwres_context_sendrecv\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *sendbase\fR\fB, \fR\fBint\ sendlen\fR\fB, \fR\fBvoid\ *recvbase\fR\fB, \fR\fBint\ recvlen\fR\fB, \fR\fBint\ *recvd_len\fR\fB);\fR .SH "DESCRIPTION" .PP \fBlwres_context_create()\fR creates a \fBlwres_context_t\fR -structure for use in lightweight resolver operations. -It holds a socket and other data needed for communicating -with a resolver daemon. -The new +structure for use in lightweight resolver operations. It holds a socket and other data needed for communicating with a resolver daemon. The new \fBlwres_context_t\fR is returned through -\fIcontextp\fR, -a pointer to a +\fIcontextp\fR, a pointer to a \fBlwres_context_t\fR -pointer. This +pointer. This \fBlwres_context_t\fR -pointer must initially be NULL, and is modified -to point to the newly created +pointer must initially be NULL, and is modified to point to the newly created \fBlwres_context_t\fR. .PP -When the lightweight resolver needs to perform dynamic memory -allocation, it will call +When the lightweight resolver needs to perform dynamic memory allocation, it will call \fImalloc_function\fR to allocate memory and \fIfree_function\fR -to free it. If +to free it. If \fImalloc_function\fR and \fIfree_function\fR -are NULL, memory is allocated using -\&.Xr malloc 3 -and -\fBfree\fR(3). -It is not permitted to have a NULL +are NULL, memory is allocated using .Xr malloc 3 and +\fBfree\fR(3). It is not permitted to have a NULL \fImalloc_function\fR -and a non-NULL +and a non\-NULL \fIfree_function\fR or vice versa. \fIarg\fR -is passed as the first parameter to the memory -allocation functions. -If +is passed as the first parameter to the memory allocation functions. If \fImalloc_function\fR and \fIfree_function\fR @@ -105,23 +84,18 @@ are NULL, \fIarg\fR is unused and should be passed as NULL. .PP -Once memory for the structure has been allocated, -it is initialized using +Once memory for the structure has been allocated, it is initialized using \fBlwres_conf_init\fR(3) and returned via \fI*contextp\fR. .PP \fBlwres_context_destroy()\fR -destroys a -\fBlwres_context_t\fR, -closing its socket. +destroys a +\fBlwres_context_t\fR, closing its socket. \fIcontextp\fR -is a pointer to a pointer to the context that is to be destroyed. -The pointer will be set to NULL when the context has been destroyed. +is a pointer to a pointer to the context that is to be destroyed. The pointer will be set to NULL when the context has been destroyed. .PP -The context holds a serial number that is used to identify resolver -request packets and associate responses with the corresponding requests. -This serial number is controlled using +The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests. This serial number is controlled using \fBlwres_context_initserial()\fR and \fBlwres_context_nextserial()\fR. @@ -136,15 +110,12 @@ increments the serial number and returns the previous value. Memory for a lightweight resolver context is allocated and freed using \fBlwres_context_allocmem()\fR and -\fBlwres_context_freemem()\fR. -These use whatever allocations were defined when the context was -created with +\fBlwres_context_freemem()\fR. These use whatever allocations were defined when the context was created with \fBlwres_context_create()\fR. \fBlwres_context_allocmem()\fR allocates \fIlen\fR -bytes of memory and if successful returns a pointer to the allocated -storage. +bytes of memory and if successful returns a pointer to the allocated storage. \fBlwres_context_freemem()\fR frees \fIlen\fR @@ -153,39 +124,33 @@ bytes of space starting at location .PP \fBlwres_context_sendrecv()\fR performs I/O for the context -\fIctx\fR. -Data are read and written from the context's socket. -It writes data from +\fIctx\fR. Data are read and written from the context's socket. It writes data from \fIsendbase\fR -\(em typically a lightweight resolver query packet \(em -and waits for a reply which is copied to the receive buffer at -\fIrecvbase\fR. -The number of bytes that were written to this receive buffer is -returned in +\(em typically a lightweight resolver query packet \(em and waits for a reply which is copied to the receive buffer at +\fIrecvbase\fR. The number of bytes that were written to this receive buffer is returned in \fI*recvd_len\fR. .SH "RETURN VALUES" .PP \fBlwres_context_create()\fR returns -LWRES_R_NOMEMORY +\fBLWRES_R_NOMEMORY\fR if memory for the \fBstruct lwres_context\fR -could not be allocated, -LWRES_R_SUCCESS +could not be allocated, +\fBLWRES_R_SUCCESS\fR otherwise. .PP Successful calls to the memory allocator \fBlwres_context_allocmem()\fR -return a pointer to the start of the allocated space. -It returns NULL if memory could not be allocated. +return a pointer to the start of the allocated space. It returns NULL if memory could not be allocated. .PP -LWRES_R_SUCCESS +\fBLWRES_R_SUCCESS\fR is returned when \fBlwres_context_sendrecv()\fR completes successfully. -LWRES_R_IOERROR +\fBLWRES_R_IOERROR\fR is returned if an I/O error occurs and -LWRES_R_TIMEOUT +\fBLWRES_R_TIMEOUT\fR is returned if \fBlwres_context_sendrecv()\fR times out waiting for a response. @@ -193,4 +158,4 @@ times out waiting for a response. .PP \fBlwres_conf_init\fR(3), \fBmalloc\fR(3), -\fBfree\fR(3). +\fBfree\fR(3 ). diff --git a/usr.sbin/bind/lib/lwres/man/lwres_context.docbook b/usr.sbin/bind/lib/lwres/man/lwres_context.docbook index a9dfdb629d8..2a12c223bcf 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_context.docbook +++ b/usr.sbin/bind/lib/lwres/man/lwres_context.docbook @@ -1,7 +1,9 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: lwres_context.docbook,v 1.3.2.2.2.1 2004/03/06 08:15:38 marka Exp $ --> +<!-- $ISC: lwres_context.docbook,v 1.3.2.2.2.3 2005/05/12 21:36:12 sra Exp $ --> <refentry> <refentryinfo> @@ -29,6 +31,21 @@ <manvolnum>3</manvolnum> <refmiscinfo>BIND9</refmiscinfo> </refmeta> + + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>lwres_context_create</refname> <refname>lwres_context_destroy</refname> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_context.html b/usr.sbin/bind/lib/lwres/man/lwres_context.html index 42751f4800c..a56e94574ff 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_context.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_context.html @@ -1,478 +1,335 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_context.html,v 1.5.2.2.2.3 2004/08/22 23:39:03 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_context</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_context</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv -- lightweight resolver context management</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN17" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN18" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwres.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_context_create</CODE ->(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_context_destroy</CODE ->(lwres_context_t **contextp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_context_initserial</CODE ->(lwres_context_t *ctx, lwres_uint32_t serial);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_uint32_t -lwres_context_nextserial</CODE ->(lwres_context_t *ctx);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_context_freemem</CODE ->(lwres_context_t *ctx, void *mem, size_t len);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_context_allocmem</CODE ->(lwres_context_t *ctx, size_t len);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void * -lwres_context_sendrecv</CODE ->(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN60" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_context_create()</CODE -> +<!-- $ISC: lwres_context.html,v 1.5.2.2.2.10 2005/10/13 02:33:55 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_context</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/lwres.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_context_create</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_context_destroy</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_context_initserial</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +lwres_uint32_t +<b class="fsfunc">lwres_context_nextserial</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_context_freemem</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_context_allocmem</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +void * +<b class="fsfunc">lwres_context_sendrecv</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525975"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_context_create()</code> creates a -<SPAN -CLASS="TYPE" ->lwres_context_t</SPAN -> +<span class="type">lwres_context_t</span> structure for use in lightweight resolver operations. It holds a socket and other data needed for communicating with a resolver daemon. The new -<SPAN -CLASS="TYPE" ->lwres_context_t</SPAN -> +<span class="type">lwres_context_t</span> is returned through -<VAR -CLASS="PARAMETER" ->contextp</VAR ->, +<em class="parameter"><code>contextp</code></em>, a pointer to a -<SPAN -CLASS="TYPE" ->lwres_context_t</SPAN -> +<span class="type">lwres_context_t</span> pointer. This -<SPAN -CLASS="TYPE" ->lwres_context_t</SPAN -> +<span class="type">lwres_context_t</span> pointer must initially be NULL, and is modified to point to the newly created -<SPAN -CLASS="TYPE" ->lwres_context_t</SPAN ->. </P -><P ->When the lightweight resolver needs to perform dynamic memory +<span class="type">lwres_context_t</span>. + +</p> +<p> +When the lightweight resolver needs to perform dynamic memory allocation, it will call -<VAR -CLASS="PARAMETER" ->malloc_function</VAR -> +<em class="parameter"><code>malloc_function</code></em> to allocate memory and -<VAR -CLASS="PARAMETER" ->free_function</VAR -> +<em class="parameter"><code>free_function</code></em> to free it. If -<VAR -CLASS="PARAMETER" ->malloc_function</VAR -> +<em class="parameter"><code>malloc_function</code></em> and -<VAR -CLASS="PARAMETER" ->free_function</VAR -> +<em class="parameter"><code>free_function</code></em> are NULL, memory is allocated using .Xr malloc 3 and -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->free</SPAN ->(3)</SPAN ->. +<span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>. It is not permitted to have a NULL -<VAR -CLASS="PARAMETER" ->malloc_function</VAR -> +<em class="parameter"><code>malloc_function</code></em> and a non-NULL -<VAR -CLASS="PARAMETER" ->free_function</VAR -> +<em class="parameter"><code>free_function</code></em> or vice versa. -<VAR -CLASS="PARAMETER" ->arg</VAR -> +<em class="parameter"><code>arg</code></em> is passed as the first parameter to the memory allocation functions. If -<VAR -CLASS="PARAMETER" ->malloc_function</VAR -> +<em class="parameter"><code>malloc_function</code></em> and -<VAR -CLASS="PARAMETER" ->free_function</VAR -> +<em class="parameter"><code>free_function</code></em> are NULL, -<VAR -CLASS="PARAMETER" ->arg</VAR -> +<em class="parameter"><code>arg</code></em> -is unused and should be passed as NULL.</P -><P ->Once memory for the structure has been allocated, +is unused and should be passed as NULL. +</p> +<p> +Once memory for the structure has been allocated, it is initialized using -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_conf_init</SPAN ->(3)</SPAN -> +<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span> and returned via -<VAR -CLASS="PARAMETER" ->*contextp</VAR ->. </P -><P -><CODE -CLASS="FUNCTION" ->lwres_context_destroy()</CODE -> +<em class="parameter"><code>*contextp</code></em>. + +</p> +<p> +<code class="function">lwres_context_destroy()</code> destroys a -<SPAN -CLASS="TYPE" ->lwres_context_t</SPAN ->, +<span class="type">lwres_context_t</span>, closing its socket. -<VAR -CLASS="PARAMETER" ->contextp</VAR -> +<em class="parameter"><code>contextp</code></em> is a pointer to a pointer to the context that is to be destroyed. -The pointer will be set to NULL when the context has been destroyed.</P -><P ->The context holds a serial number that is used to identify resolver +The pointer will be set to NULL when the context has been destroyed. +</p> +<p> +The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests. This serial number is controlled using -<CODE -CLASS="FUNCTION" ->lwres_context_initserial()</CODE -> +<code class="function">lwres_context_initserial()</code> and -<CODE -CLASS="FUNCTION" ->lwres_context_nextserial()</CODE ->. -<CODE -CLASS="FUNCTION" ->lwres_context_initserial()</CODE -> +<code class="function">lwres_context_nextserial()</code>. +<code class="function">lwres_context_initserial()</code> sets the serial number for context -<VAR -CLASS="PARAMETER" ->*ctx</VAR -> +<em class="parameter"><code>*ctx</code></em> to -<VAR -CLASS="PARAMETER" ->serial</VAR ->. +<em class="parameter"><code>serial</code></em>. -<CODE -CLASS="FUNCTION" ->lwres_context_nextserial()</CODE -> -increments the serial number and returns the previous value.</P -><P ->Memory for a lightweight resolver context is allocated and freed using -<CODE -CLASS="FUNCTION" ->lwres_context_allocmem()</CODE -> +<code class="function">lwres_context_nextserial()</code> +increments the serial number and returns the previous value. +</p> +<p> +Memory for a lightweight resolver context is allocated and freed using +<code class="function">lwres_context_allocmem()</code> and -<CODE -CLASS="FUNCTION" ->lwres_context_freemem()</CODE ->. +<code class="function">lwres_context_freemem()</code>. These use whatever allocations were defined when the context was created with -<CODE -CLASS="FUNCTION" ->lwres_context_create()</CODE ->. -<CODE -CLASS="FUNCTION" ->lwres_context_allocmem()</CODE -> +<code class="function">lwres_context_create()</code>. +<code class="function">lwres_context_allocmem()</code> allocates -<VAR -CLASS="PARAMETER" ->len</VAR -> +<em class="parameter"><code>len</code></em> bytes of memory and if successful returns a pointer to the allocated storage. -<CODE -CLASS="FUNCTION" ->lwres_context_freemem()</CODE -> +<code class="function">lwres_context_freemem()</code> frees -<VAR -CLASS="PARAMETER" ->len</VAR -> +<em class="parameter"><code>len</code></em> bytes of space starting at location -<VAR -CLASS="PARAMETER" ->mem</VAR ->. </P -><P -><CODE -CLASS="FUNCTION" ->lwres_context_sendrecv()</CODE -> +<em class="parameter"><code>mem</code></em>. + +</p> +<p> +<code class="function">lwres_context_sendrecv()</code> performs I/O for the context -<VAR -CLASS="PARAMETER" ->ctx</VAR ->. +<em class="parameter"><code>ctx</code></em>. Data are read and written from the context's socket. It writes data from -<VAR -CLASS="PARAMETER" ->sendbase</VAR -> -— typically a lightweight resolver query packet — +<em class="parameter"><code>sendbase</code></em> +— typically a lightweight resolver query packet — and waits for a reply which is copied to the receive buffer at -<VAR -CLASS="PARAMETER" ->recvbase</VAR ->. +<em class="parameter"><code>recvbase</code></em>. The number of bytes that were written to this receive buffer is returned in -<VAR -CLASS="PARAMETER" ->*recvd_len</VAR ->. </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN115" -></A -><H2 ->RETURN VALUES</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_context_create()</CODE -> +<em class="parameter"><code>*recvd_len</code></em>. + +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526156"></a><h2>RETURN VALUES</h2> +<p> +<code class="function">lwres_context_create()</code> returns -<SPAN -CLASS="ERRORCODE" ->LWRES_R_NOMEMORY</SPAN -> +<span class="errorcode">LWRES_R_NOMEMORY</span> if memory for the -<SPAN -CLASS="TYPE" ->struct lwres_context</SPAN -> +<span class="type">struct lwres_context</span> could not be allocated, -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> -otherwise.</P -><P ->Successful calls to the memory allocator -<CODE -CLASS="FUNCTION" ->lwres_context_allocmem()</CODE -> +<span class="errorcode">LWRES_R_SUCCESS</span> +otherwise. +</p> +<p> +Successful calls to the memory allocator +<code class="function">lwres_context_allocmem()</code> return a pointer to the start of the allocated space. -It returns NULL if memory could not be allocated.</P -><P -><SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +It returns NULL if memory could not be allocated. +</p> +<p> +<span class="errorcode">LWRES_R_SUCCESS</span> is returned when -<CODE -CLASS="FUNCTION" ->lwres_context_sendrecv()</CODE -> +<code class="function">lwres_context_sendrecv()</code> completes successfully. -<SPAN -CLASS="ERRORCODE" ->LWRES_R_IOERROR</SPAN -> +<span class="errorcode">LWRES_R_IOERROR</span> is returned if an I/O error occurs and -<SPAN -CLASS="ERRORCODE" ->LWRES_R_TIMEOUT</SPAN -> +<span class="errorcode">LWRES_R_TIMEOUT</span> is returned if -<CODE -CLASS="FUNCTION" ->lwres_context_sendrecv()</CODE -> -times out waiting for a response.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN130" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_conf_init</SPAN ->(3)</SPAN ->, +<code class="function">lwres_context_sendrecv()</code> +times out waiting for a response. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526208"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->malloc</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->free</SPAN ->(3)</SPAN ->.</P -></DIV -></BODY -></HTML -> +<span class="citerefentry"><span class="refentrytitle">free</span>(3 +)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gabn.html b/usr.sbin/bind/lib/lwres/man/lwres_gabn.html index fbb5c16b12e..bd5a2a4d186 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_gabn.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_gabn.html @@ -1,158 +1,195 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_gabn.html,v 1.6.2.1.4.2 2004/08/22 23:39:03 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_gabn</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_gabn</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free -- lightweight resolver getaddrbyname message handling</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN16" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN17" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwres.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gabnrequest_render</CODE ->(lwres_context_t *ctx, lwres_gabnrequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gabnresponse_render</CODE ->(lwres_context_t *ctx, lwres_gabnresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gabnrequest_parse</CODE ->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gabnresponse_parse</CODE ->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_gabnresponse_free</CODE ->(lwres_context_t *ctx, lwres_gabnresponse_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_gabnrequest_free</CODE ->(lwres_context_t *ctx, lwres_gabnrequest_t **structp);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->DESCRIPTION</H2 -><P ->These are low-level routines for creating and parsing +<!-- $ISC: lwres_gabn.html,v 1.6.2.1.4.9 2005/10/13 02:33:55 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_gabn</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/lwres.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gabnrequest_render</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gabnresponse_render</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gabnrequest_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gabnresponse_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_gabnresponse_free</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_gabnrequest_free</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525963"></a><h2>DESCRIPTION</h2> +<p> +These are low-level routines for creating and parsing lightweight resolver name-to-address lookup request and -response messages.</P -><P ->There are four main functions for the getaddrbyname opcode. -One render function converts a getaddrbyname request structure — -<SPAN -CLASS="TYPE" ->lwres_gabnrequest_t</SPAN -> — +response messages. +</p> +<p> +There are four main functions for the getaddrbyname opcode. +One render function converts a getaddrbyname request structure — +<span class="type">lwres_gabnrequest_t</span> — to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getaddrbyname request structure. -Another render function converts the getaddrbyname response structure — -<SPAN -CLASS="TYPE" ->lwres_gabnresponse_t</SPAN -> — +Another render function converts the getaddrbyname response structure — +<span class="type">lwres_gabnresponse_t</span> — to the canonical format. This is complemented by a parse function which converts a packet in -canonical format to a getaddrbyname response structure.</P -><P ->These structures are defined in -<TT -CLASS="FILENAME" -><lwres/lwres.h></TT ->. +canonical format to a getaddrbyname response structure. +</p> +<p> +These structures are defined in +<code class="filename"><lwres/lwres.h></code>. They are shown below. -<PRE -CLASS="PROGRAMLISTING" ->#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U +</p> +<pre class="programlisting"> +#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U typedef struct lwres_addr lwres_addr_t; typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t; @@ -175,245 +212,116 @@ typedef struct { lwres_addrlist_t addrs; void *base; size_t baselen; -} lwres_gabnresponse_t;</PRE -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_gabnrequest_render()</CODE -> +} lwres_gabnresponse_t; +</pre> +<p> +</p> +<p> +<code class="function">lwres_gabnrequest_render()</code> uses resolver context -<VAR -CLASS="PARAMETER" ->ctx</VAR -> +<em class="parameter"><code>ctx</code></em> to convert getaddrbyname request structure -<VAR -CLASS="PARAMETER" ->req</VAR -> +<em class="parameter"><code>req</code></em> to canonical format. The packet header structure -<VAR -CLASS="PARAMETER" ->pkt</VAR -> +<em class="parameter"><code>pkt</code></em> is initialised and transferred to buffer -<VAR -CLASS="PARAMETER" ->b</VAR ->. +<em class="parameter"><code>b</code></em>. The contents of -<VAR -CLASS="PARAMETER" ->*req</VAR -> +<em class="parameter"><code>*req</code></em> are then appended to the buffer in canonical format. -<CODE -CLASS="FUNCTION" ->lwres_gabnresponse_render()</CODE -> +<code class="function">lwres_gabnresponse_render()</code> performs the same task, except it converts a getaddrbyname response structure -<SPAN -CLASS="TYPE" ->lwres_gabnresponse_t</SPAN -> -to the lightweight resolver's canonical format.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_gabnrequest_parse()</CODE -> +<span class="type">lwres_gabnresponse_t</span> +to the lightweight resolver's canonical format. +</p> +<p> +<code class="function">lwres_gabnrequest_parse()</code> uses context -<VAR -CLASS="PARAMETER" ->ctx</VAR -> +<em class="parameter"><code>ctx</code></em> to convert the contents of packet -<VAR -CLASS="PARAMETER" ->pkt</VAR -> +<em class="parameter"><code>pkt</code></em> to a -<SPAN -CLASS="TYPE" ->lwres_gabnrequest_t</SPAN -> +<span class="type">lwres_gabnrequest_t</span> structure. Buffer -<VAR -CLASS="PARAMETER" ->b</VAR -> +<em class="parameter"><code>b</code></em> provides space to be used for storing this structure. When the function succeeds, the resulting -<SPAN -CLASS="TYPE" ->lwres_gabnrequest_t</SPAN -> +<span class="type">lwres_gabnrequest_t</span> is made available through -<VAR -CLASS="PARAMETER" ->*structp</VAR ->. +<em class="parameter"><code>*structp</code></em>. -<CODE -CLASS="FUNCTION" ->lwres_gabnresponse_parse()</CODE -> +<code class="function">lwres_gabnresponse_parse()</code> offers the same semantics as -<CODE -CLASS="FUNCTION" ->lwres_gabnrequest_parse()</CODE -> +<code class="function">lwres_gabnrequest_parse()</code> except it yields a -<SPAN -CLASS="TYPE" ->lwres_gabnresponse_t</SPAN -> -structure.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_gabnresponse_free()</CODE -> +<span class="type">lwres_gabnresponse_t</span> +structure. +</p> +<p> +<code class="function">lwres_gabnresponse_free()</code> and -<CODE -CLASS="FUNCTION" ->lwres_gabnrequest_free()</CODE -> +<code class="function">lwres_gabnrequest_free()</code> release the memory in resolver context -<VAR -CLASS="PARAMETER" ->ctx</VAR -> +<em class="parameter"><code>ctx</code></em> that was allocated to the -<SPAN -CLASS="TYPE" ->lwres_gabnresponse_t</SPAN -> +<span class="type">lwres_gabnresponse_t</span> or -<SPAN -CLASS="TYPE" ->lwres_gabnrequest_t</SPAN -> +<span class="type">lwres_gabnrequest_t</span> structures referenced via -<VAR -CLASS="PARAMETER" ->structp</VAR ->. +<em class="parameter"><code>structp</code></em>. Any memory associated with ancillary buffers and strings for those -structures is also discarded.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN93" -></A -><H2 ->RETURN VALUES</H2 -><P ->The getaddrbyname opcode functions -<CODE -CLASS="FUNCTION" ->lwres_gabnrequest_render()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_gabnresponse_render()</CODE -> -<CODE -CLASS="FUNCTION" ->lwres_gabnrequest_parse()</CODE -> +structures is also discarded. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526155"></a><h2>RETURN VALUES</h2> +<p> +The getaddrbyname opcode functions +<code class="function">lwres_gabnrequest_render()</code>, +<code class="function">lwres_gabnresponse_render()</code> +<code class="function">lwres_gabnrequest_parse()</code> and -<CODE -CLASS="FUNCTION" ->lwres_gabnresponse_parse()</CODE -> +<code class="function">lwres_gabnresponse_parse()</code> all return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +<span class="errorcode">LWRES_R_SUCCESS</span> on success. They return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_NOMEMORY</SPAN -> +<span class="errorcode">LWRES_R_NOMEMORY</span> if memory allocation fails. -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> is returned if the available space in the buffer -<VAR -CLASS="PARAMETER" ->b</VAR -> +<em class="parameter"><code>b</code></em> is too small to accommodate the packet header or the -<SPAN -CLASS="TYPE" ->lwres_gabnrequest_t</SPAN -> +<span class="type">lwres_gabnrequest_t</span> and -<SPAN -CLASS="TYPE" ->lwres_gabnresponse_t</SPAN -> +<span class="type">lwres_gabnresponse_t</span> structures. -<CODE -CLASS="FUNCTION" ->lwres_gabnrequest_parse()</CODE -> +<code class="function">lwres_gabnrequest_parse()</code> and -<CODE -CLASS="FUNCTION" ->lwres_gabnresponse_parse()</CODE -> +<code class="function">lwres_gabnresponse_parse()</code> will return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> if the buffer is not empty after decoding the received packet. These functions will return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_FAILURE</SPAN -> +<span class="errorcode">LWRES_R_FAILURE</span> if -<CODE -CLASS="STRUCTFIELD" ->pktflags</CODE -> +<em class="structfield"><code>pktflags</code></em> in the packet header structure -<SPAN -CLASS="TYPE" ->lwres_lwpacket_t</SPAN -> -indicate that the packet is not a response to an earlier query.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN112" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_packet</SPAN ->(3)</SPAN -></P -></DIV -></BODY -></HTML -> +<span class="type">lwres_lwpacket_t</span> +indicate that the packet is not a response to an earlier query. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526220"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3 +)</span> +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html index 98a10001e04..e351aefa417 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html @@ -1,295 +1,124 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_gai_strerror.html,v 1.5.2.1.4.2 2004/08/22 23:39:03 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_gai_strerror</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_gai_strerror</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->gai_strerror -- print suitable error string</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN12" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/netdb.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->char * -gai_strerror</CODE ->(int ecode);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN18" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_gai_strerror()</CODE -> +<!-- $ISC: lwres_gai_strerror.html,v 1.5.2.1.4.9 2005/10/13 02:33:55 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_gai_strerror</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>gai_strerror — print suitable error string</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/netdb.h></pre> +<p><code class="funcdef"> +char * +<b class="fsfunc">gai_strerror</b>(</code>int ecode<code>)</code>;</p> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525843"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_gai_strerror()</code> returns an error message corresponding to an error code returned by -<CODE -CLASS="FUNCTION" ->getaddrinfo()</CODE ->. +<code class="function">getaddrinfo()</code>. The following error codes and their meaning are defined in -<TT -CLASS="FILENAME" ->include/lwres/netdb.h</TT ->. -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_ADDRFAMILY</SPAN -></DT -><DD -><P ->address family for hostname not supported</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_AGAIN</SPAN -></DT -><DD -><P ->temporary failure in name resolution</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_BADFLAGS</SPAN -></DT -><DD -><P ->invalid value for -<CODE -CLASS="CONSTANT" ->ai_flags</CODE -></P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_FAIL</SPAN -></DT -><DD -><P ->non-recoverable failure in name resolution</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_FAMILY</SPAN -></DT -><DD -><P -><CODE -CLASS="CONSTANT" ->ai_family</CODE -> not supported</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_MEMORY</SPAN -></DT -><DD -><P ->memory allocation failure</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_NODATA</SPAN -></DT -><DD -><P ->no address associated with hostname</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_NONAME</SPAN -></DT -><DD -><P ->hostname or servname not provided, or not known</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_SERVICE</SPAN -></DT -><DD -><P ->servname not supported for <CODE -CLASS="CONSTANT" ->ai_socktype</CODE -></P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_SOCKTYPE</SPAN -></DT -><DD -><P -><CODE -CLASS="CONSTANT" ->ai_socktype</CODE -> not supported</P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->EAI_SYSTEM</SPAN -></DT -><DD -><P ->system error returned in errno</P -></DD -></DL -></DIV -> -The message <SPAN -CLASS="ERRORNAME" ->invalid error code</SPAN -> is returned if -<VAR -CLASS="PARAMETER" ->ecode</VAR -> -is out of range.</P -><P -><CODE -CLASS="CONSTANT" ->ai_flags</CODE ->, -<CODE -CLASS="CONSTANT" ->ai_family</CODE -> +<code class="filename">include/lwres/netdb.h</code>. +</p> +<div class="variablelist"><dl> +<dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt> +<dd><p> +address family for hostname not supported +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt> +<dd><p> +temporary failure in name resolution +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt> +<dd><p> +invalid value for +<code class="constant">ai_flags</code> +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt> +<dd><p> +non-recoverable failure in name resolution +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt> +<dd><p> +<code class="constant">ai_family</code> not supported +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt> +<dd><p> +memory allocation failure +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt> +<dd><p> +no address associated with hostname +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt> +<dd><p> +hostname or servname not provided, or not known +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt> +<dd><p> +servname not supported for <code class="constant">ai_socktype</code> +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt> +<dd><p> +<code class="constant">ai_socktype</code> not supported +</p></dd> +<dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt> +<dd><p> +system error returned in errno +</p></dd> +</dl></div> +<p> +The message <span class="errorname">invalid error code</span> is returned if +<em class="parameter"><code>ecode</code></em> +is out of range. +</p> +<p> +<code class="constant">ai_flags</code>, +<code class="constant">ai_family</code> and -<CODE -CLASS="CONSTANT" ->ai_socktype</CODE -> +<code class="constant">ai_socktype</code> are elements of the -<SPAN -CLASS="TYPE" ->struct addrinfo</SPAN -> +<span class="type">struct addrinfo</span> used by -<CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN92" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->strerror</SPAN ->(3)</SPAN ->, +<code class="function">lwres_getaddrinfo()</code>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526040"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getaddrinfo</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->getaddrinfo</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2133</SPAN -></SPAN ->.</P -></DIV -></BODY -></HTML -> +<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html index c871d4a4031..f25816a2699 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html @@ -1,97 +1,78 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_getaddrinfo.html,v 1.8.2.1.4.3 2004/08/22 23:39:03 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_getaddrinfo</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_getaddrinfo</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_getaddrinfo, lwres_freeaddrinfo -- socket address structure to host and service name</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN12" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN13" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/netdb.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->int -lwres_getaddrinfo</CODE ->(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_freeaddrinfo</CODE ->(struct addrinfo *ai);</CODE -></P -><P -></P -></DIV -><P ->If the operating system does not provide a -<SPAN -CLASS="TYPE" ->struct addrinfo</SPAN ->, +<!-- $ISC: lwres_getaddrinfo.html,v 1.8.2.1.4.10 2005/10/13 02:33:56 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_getaddrinfo</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/netdb.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +int +<b class="fsfunc">lwres_getaddrinfo</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_freeaddrinfo</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +</div> +<p> +If the operating system does not provide a +<span class="type">struct addrinfo</span>, the following structure is used: -<PRE -CLASS="PROGRAMLISTING" ->struct addrinfo { +</p> +<pre class="programlisting"> +struct addrinfo { int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ int ai_family; /* PF_xxx */ int ai_socktype; /* SOCK_xxx */ @@ -100,594 +81,253 @@ CLASS="PROGRAMLISTING" char *ai_canonname; /* canonical name for hostname */ struct sockaddr *ai_addr; /* binary address */ struct addrinfo *ai_next; /* next structure in linked list */ -};</PRE -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN29" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE -> +}; +</pre> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525883"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_getaddrinfo()</code> is used to get a list of IP addresses and port numbers for host -<VAR -CLASS="PARAMETER" ->hostname</VAR -> +<em class="parameter"><code>hostname</code></em> and service -<VAR -CLASS="PARAMETER" ->servname</VAR ->. +<em class="parameter"><code>servname</code></em>. The function is the lightweight resolver's implementation of -<CODE -CLASS="FUNCTION" ->getaddrinfo()</CODE -> +<code class="function">getaddrinfo()</code> as defined in RFC2133. -<VAR -CLASS="PARAMETER" ->hostname</VAR -> +<em class="parameter"><code>hostname</code></em> and -<VAR -CLASS="PARAMETER" ->servname</VAR -> +<em class="parameter"><code>servname</code></em> are pointers to null-terminated strings or -<SPAN -CLASS="TYPE" ->NULL</SPAN ->. +<span class="type">NULL</span>. -<VAR -CLASS="PARAMETER" ->hostname</VAR -> +<em class="parameter"><code>hostname</code></em> is either a host name or a numeric host address string: a dotted decimal IPv4 address or an IPv6 address. -<VAR -CLASS="PARAMETER" ->servname</VAR -> +<em class="parameter"><code>servname</code></em> is either a decimal port number or a service name as listed in -<TT -CLASS="FILENAME" ->/etc/services</TT ->.</P -><P -><VAR -CLASS="PARAMETER" ->hints</VAR -> +<code class="filename">/etc/services</code>. +</p> +<p> +<em class="parameter"><code>hints</code></em> is an optional pointer to a -<SPAN -CLASS="TYPE" ->struct addrinfo</SPAN ->. +<span class="type">struct addrinfo</span>. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in -<VAR -CLASS="PARAMETER" ->*hints</VAR ->: +<em class="parameter"><code>*hints</code></em>: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->ai_family</CODE -></DT -><DD -><P ->The protocol family that should be used. +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">ai_family</code></span></dt> +<dd><p>The protocol family that should be used. When -<CODE -CLASS="CONSTANT" ->ai_family</CODE -> +<code class="constant">ai_family</code> is set to -<SPAN -CLASS="TYPE" ->PF_UNSPEC</SPAN ->, +<span class="type">PF_UNSPEC</span>, it means the caller will accept any protocol family supported by the -operating system.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->ai_socktype</CODE -></DT -><DD -><P ->denotes the type of socket — -<SPAN -CLASS="TYPE" ->SOCK_STREAM</SPAN ->, -<SPAN -CLASS="TYPE" ->SOCK_DGRAM</SPAN -> +operating system. +</p></dd> +<dt><span class="term"><code class="constant">ai_socktype</code></span></dt> +<dd><p> +denotes the type of socket — +<span class="type">SOCK_STREAM</span>, +<span class="type">SOCK_DGRAM</span> or -<SPAN -CLASS="TYPE" ->SOCK_RAW</SPAN -> -— that is wanted. +<span class="type">SOCK_RAW</span> +— that is wanted. When -<CODE -CLASS="CONSTANT" ->ai_socktype</CODE -> -is zero the caller will accept any socket type.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->ai_protocol</CODE -></DT -><DD -><P ->indicates which transport protocol is wanted: IPPROTO_UDP or +<code class="constant">ai_socktype</code> +is zero the caller will accept any socket type. +</p></dd> +<dt><span class="term"><code class="constant">ai_protocol</code></span></dt> +<dd><p> +indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If -<CODE -CLASS="CONSTANT" ->ai_protocol</CODE -> -is zero the caller will accept any protocol.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->ai_flags</CODE -></DT -><DD -><P ->Flag bits. +<code class="constant">ai_protocol</code> +is zero the caller will accept any protocol. +</p></dd> +<dt><span class="term"><code class="constant">ai_flags</code></span></dt> +<dd> +<p> +Flag bits. If the -<SPAN -CLASS="TYPE" ->AI_CANONNAME</SPAN -> +<span class="type">AI_CANONNAME</span> bit is set, a successful call to -<CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE -> +<code class="function">lwres_getaddrinfo()</code> will return a null-terminated string containing the canonical name of the specified hostname in -<CODE -CLASS="CONSTANT" ->ai_canonname</CODE -> +<code class="constant">ai_canonname</code> of the first -<SPAN -CLASS="TYPE" ->addrinfo</SPAN -> +<span class="type">addrinfo</span> structure returned. Setting the -<SPAN -CLASS="TYPE" ->AI_PASSIVE</SPAN -> +<span class="type">AI_PASSIVE</span> bit indicates that the returned socket address structure is intended for used in a call to -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->bind</SPAN ->(2)</SPAN ->. +<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>. In this case, if the hostname argument is a -<SPAN -CLASS="TYPE" ->NULL</SPAN -> +<span class="type">NULL</span> pointer, then the IP address portion of the socket address structure will be set to -<SPAN -CLASS="TYPE" ->INADDR_ANY</SPAN -> +<span class="type">INADDR_ANY</span> for an IPv4 address or -<SPAN -CLASS="TYPE" ->IN6ADDR_ANY_INIT</SPAN -> -for an IPv6 address.</P -><P ->When -<CODE -CLASS="CONSTANT" ->ai_flags</CODE -> +<span class="type">IN6ADDR_ANY_INIT</span> +for an IPv6 address. +</p> +<p> +When +<code class="constant">ai_flags</code> does not set the -<SPAN -CLASS="TYPE" ->AI_PASSIVE</SPAN -> +<span class="type">AI_PASSIVE</span> bit, the returned socket address structure will be ready for use in a call to -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->connect</SPAN ->(2)</SPAN -> +<span class="citerefentry"><span class="refentrytitle">connect</span>(2 +)</span> for a connection-oriented protocol or -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->connect</SPAN ->(2)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->sendto</SPAN ->(2)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>, or -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->sendmsg</SPAN ->(2)</SPAN -> +<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2 +)</span> if a connectionless protocol was chosen. The IP address portion of the socket address structure will be set to the loopback address if -<VAR -CLASS="PARAMETER" ->hostname</VAR -> +<em class="parameter"><code>hostname</code></em> is a -<SPAN -CLASS="TYPE" ->NULL</SPAN -> +<span class="type">NULL</span> pointer and -<SPAN -CLASS="TYPE" ->AI_PASSIVE</SPAN -> +<span class="type">AI_PASSIVE</span> is not set in -<CODE -CLASS="CONSTANT" ->ai_flags</CODE ->.</P -><P ->If -<CODE -CLASS="CONSTANT" ->ai_flags</CODE -> +<code class="constant">ai_flags</code>. +</p> +<p> +If +<code class="constant">ai_flags</code> is set to -<SPAN -CLASS="TYPE" ->AI_NUMERICHOST</SPAN -> +<span class="type">AI_NUMERICHOST</span> it indicates that -<VAR -CLASS="PARAMETER" ->hostname</VAR -> +<em class="parameter"><code>hostname</code></em> should be treated as a numeric string defining an IPv4 or IPv6 address -and no name resolution should be attempted.</P -></DD -></DL -></DIV -></P -><P ->All other elements of the <SPAN -CLASS="TYPE" ->struct addrinfo</SPAN -> passed -via <VAR -CLASS="PARAMETER" ->hints</VAR -> must be zero.</P -><P ->A <VAR -CLASS="PARAMETER" ->hints</VAR -> of <SPAN -CLASS="TYPE" ->NULL</SPAN -> is treated as if -the caller provided a <SPAN -CLASS="TYPE" ->struct addrinfo</SPAN -> initialized to zero -with <CODE -CLASS="CONSTANT" ->ai_family</CODE ->set to -<CODE -CLASS="CONSTANT" ->PF_UNSPEC</CODE ->.</P -><P ->After a successful call to -<CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE ->, -<VAR -CLASS="PARAMETER" ->*res</VAR -> +and no name resolution should be attempted. +</p> +</dd> +</dl></div> +<p> +</p> +<p> +All other elements of the <span class="type">struct addrinfo</span> passed +via <em class="parameter"><code>hints</code></em> must be zero. +</p> +<p> +A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is treated as if +the caller provided a <span class="type">struct addrinfo</span> initialized to zero +with <code class="constant">ai_family</code>set to +<code class="constant">PF_UNSPEC</code>. +</p> +<p> +After a successful call to +<code class="function">lwres_getaddrinfo()</code>, +<em class="parameter"><code>*res</code></em> is a pointer to a linked list of one or more -<SPAN -CLASS="TYPE" ->addrinfo</SPAN -> +<span class="type">addrinfo</span> structures. Each -<SPAN -CLASS="TYPE" ->struct addrinfo</SPAN -> +<span class="type">struct addrinfo</span> in this list cn be processed by following the -<CODE -CLASS="CONSTANT" ->ai_next</CODE -> +<code class="constant">ai_next</code> pointer, until a -<SPAN -CLASS="TYPE" ->NULL</SPAN -> +<span class="type">NULL</span> pointer is encountered. The three members -<CODE -CLASS="CONSTANT" ->ai_family</CODE ->, -<CODE -CLASS="CONSTANT" ->ai_socktype</CODE ->, +<code class="constant">ai_family</code>, +<code class="constant">ai_socktype</code>, and -<CODE -CLASS="CONSTANT" ->ai_protocol</CODE -> +<code class="constant">ai_protocol</code> in each returned -<SPAN -CLASS="TYPE" ->addrinfo</SPAN -> +<span class="type">addrinfo</span> structure contain the corresponding arguments for a call to -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->socket</SPAN ->(2)</SPAN ->. +<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>. For each -<SPAN -CLASS="TYPE" ->addrinfo</SPAN -> +<span class="type">addrinfo</span> structure in the list, the -<CODE -CLASS="CONSTANT" ->ai_addr</CODE -> +<code class="constant">ai_addr</code> member points to a filled-in socket address structure of length -<CODE -CLASS="CONSTANT" ->ai_addrlen</CODE ->.</P -><P ->All of the information returned by -<CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE -> +<code class="constant">ai_addrlen</code>. +</p> +<p> +All of the information returned by +<code class="function">lwres_getaddrinfo()</code> is dynamically allocated: the addrinfo structures, and the socket address structures and canonical host name strings pointed to by the -<CODE -CLASS="CONSTANT" ->addrinfo</CODE ->structures. +<code class="constant">addrinfo</code>structures. Memory allocated for the dynamically allocated structures created by a successful call to -<CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE -> +<code class="function">lwres_getaddrinfo()</code> is released by -<CODE -CLASS="FUNCTION" ->lwres_freeaddrinfo()</CODE ->. -<VAR -CLASS="PARAMETER" ->ai</VAR -> +<code class="function">lwres_freeaddrinfo()</code>. +<em class="parameter"><code>ai</code></em> is a pointer to a -<SPAN -CLASS="TYPE" ->struct addrinfo</SPAN -> +<span class="type">struct addrinfo</span> created by a call to -<CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN142" -></A -><H2 ->RETURN VALUES</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE -> +<code class="function">lwres_getaddrinfo()</code>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526309"></a><h2>RETURN VALUES</h2> +<p> +<code class="function">lwres_getaddrinfo()</code> returns zero on success or one of the error codes listed in -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->gai_strerror</SPAN ->(3)</SPAN -> +<span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3 +)</span> if an error occurs. If both -<VAR -CLASS="PARAMETER" ->hostname</VAR -> +<em class="parameter"><code>hostname</code></em> and -<VAR -CLASS="PARAMETER" ->servname</VAR -> +<em class="parameter"><code>servname</code></em> are -<SPAN -CLASS="TYPE" ->NULL</SPAN -> -<CODE -CLASS="FUNCTION" ->lwres_getaddrinfo()</CODE -> +<span class="type">NULL</span> +<code class="function">lwres_getaddrinfo()</code> returns -<SPAN -CLASS="ERRORCODE" ->EAI_NONAME</SPAN ->. </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN154" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres</SPAN ->(3)</SPAN ->, +<span class="errorcode">EAI_NONAME</span>. + +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526347"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getaddrinfo</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_freeaddrinfo</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_gai_strerror</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2133</SPAN -></SPAN ->, +<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->getservbyname</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->bind</SPAN ->(2)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->connect</SPAN ->(2)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->sendto</SPAN ->(2)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->sendmsg</SPAN ->(2)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->socket</SPAN ->(2)</SPAN ->.</P -></DIV -></BODY -></HTML -> +<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html index cae7a081bc1..8558e30bee5 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html @@ -1,784 +1,430 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_gethostent.html,v 1.8.2.1.4.2 2004/08/22 23:39:04 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_gethostent</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_gethostent</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r -- lightweight resolver get network host entry</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN21" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN22" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/netdb.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_gethostbyname</CODE ->(const char *name);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_gethostbyname2</CODE ->(const char *name, int af);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_gethostbyaddr</CODE ->(const char *addr, int len, int type);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_gethostent</CODE ->(void);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_sethostent</CODE ->(int stayopen);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_endhostent</CODE ->(void);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_gethostbyname_r</CODE ->(const char *name, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_gethostbyaddr_r</CODE ->(const char *addr, int len, int type, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_gethostent_r</CODE ->(struct hostent *resbuf, char *buf, int buflen, int *error);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_sethostent_r</CODE ->(int stayopen);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_endhostent_r</CODE ->(void);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN84" -></A -><H2 ->DESCRIPTION</H2 -><P ->These functions provide hostname-to-address and +<!-- $ISC: lwres_gethostent.html,v 1.8.2.1.4.8 2005/10/13 02:33:56 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_gethostent</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/netdb.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_gethostbyname</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_gethostbyname2</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_gethostbyaddr</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<p><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_gethostent</b>(</code>void<code>)</code>;</p> +<p><code class="funcdef"> +void +<b class="fsfunc">lwres_sethostent</b>(</code>int stayopen<code>)</code>;</p> +<p><code class="funcdef"> +void +<b class="fsfunc">lwres_endhostent</b>(</code>void<code>)</code>;</p> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_gethostbyname_r</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_gethostbyaddr_r</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_gethostent_r</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<p><code class="funcdef"> +void +<b class="fsfunc">lwres_sethostent_r</b>(</code>int stayopen<code>)</code>;</p> +<p><code class="funcdef"> +void +<b class="fsfunc">lwres_endhostent_r</b>(</code>void<code>)</code>;</p> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2526041"></a><h2>DESCRIPTION</h2> +<p> +These functions provide hostname-to-address and address-to-hostname lookups by means of the lightweight resolver. They are similar to the standard -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->gethostent</SPAN ->(3)</SPAN -> +<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3 +)</span> functions provided by most operating systems. They use a -<SPAN -CLASS="TYPE" ->struct hostent</SPAN -> +<span class="type">struct hostent</span> which is usually defined in -<TT -CLASS="FILENAME" -><namedb.h></TT ->. +<code class="filename"><namedb.h></code>. -<PRE -CLASS="PROGRAMLISTING" ->struct hostent { +</p> +<pre class="programlisting"> +struct hostent { char *h_name; /* official name of host */ char **h_aliases; /* alias list */ int h_addrtype; /* host address type */ int h_length; /* length of address */ char **h_addr_list; /* list of addresses from name server */ }; -#define h_addr h_addr_list[0] /* address, for backward compatibility */</PRE -></P -><P ->The members of this structure are: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->h_name</CODE -></DT -><DD -><P ->The official (canonical) name of the host.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_aliases</CODE -></DT -><DD -><P ->A NULL-terminated array of alternate names (nicknames) for the host.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_addrtype</CODE -></DT -><DD -><P ->The type of address being returned — -<SPAN -CLASS="TYPE" ->PF_INET</SPAN -> +#define h_addr h_addr_list[0] /* address, for backward compatibility */ +</pre> +<p> +</p> +<p> +The members of this structure are: +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">h_name</code></span></dt> +<dd><p> +The official (canonical) name of the host. +</p></dd> +<dt><span class="term"><code class="constant">h_aliases</code></span></dt> +<dd><p> +A NULL-terminated array of alternate names (nicknames) for the host. +</p></dd> +<dt><span class="term"><code class="constant">h_addrtype</code></span></dt> +<dd><p> +The type of address being returned — +<span class="type">PF_INET</span> or -<SPAN -CLASS="TYPE" ->PF_INET6</SPAN ->.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_length</CODE -></DT -><DD -><P ->The length of the address in bytes.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_addr_list</CODE -></DT -><DD -><P ->A <SPAN -CLASS="TYPE" ->NULL</SPAN -> +<span class="type">PF_INET6</span>. +</p></dd> +<dt><span class="term"><code class="constant">h_length</code></span></dt> +<dd><p> +The length of the address in bytes. +</p></dd> +<dt><span class="term"><code class="constant">h_addr_list</code></span></dt> +<dd><p> +A <span class="type">NULL</span> terminated array of network addresses for the host. -Host addresses are returned in network byte order.</P -></DD -></DL -></DIV -></P -><P ->For backward compatibility with very old software, -<CODE -CLASS="CONSTANT" ->h_addr</CODE -> +Host addresses are returned in network byte order. +</p></dd> +</dl></div> +<p> +</p> +<p> +For backward compatibility with very old software, +<code class="constant">h_addr</code> is the first address in -<CODE -CLASS="CONSTANT" ->h_addr_list.</CODE -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_gethostent()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_sethostent()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_endhostent()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_gethostent_r()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_sethostent_r()</CODE -> +<code class="constant">h_addr_list.</code> +</p> +<p> +<code class="function">lwres_gethostent()</code>, +<code class="function">lwres_sethostent()</code>, +<code class="function">lwres_endhostent()</code>, +<code class="function">lwres_gethostent_r()</code>, +<code class="function">lwres_sethostent_r()</code> and -<CODE -CLASS="FUNCTION" ->lwres_endhostent_r()</CODE -> +<code class="function">lwres_endhostent_r()</code> provide iteration over the known host entries on systems that provide such functionality through facilities like -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> +<code class="filename">/etc/hosts</code> or NIS. The lightweight resolver does not currently implement these functions; it only provides them as stub functions that always -return failure.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_gethostbyname()</CODE -> and -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname2()</CODE -> look up the hostname -<VAR -CLASS="PARAMETER" ->name</VAR ->. -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname()</CODE -> always looks for an IPv4 -address while <CODE -CLASS="FUNCTION" ->lwres_gethostbyname2()</CODE -> looks for an -address of protocol family <VAR -CLASS="PARAMETER" ->af</VAR ->: either -<SPAN -CLASS="TYPE" ->PF_INET</SPAN -> or <SPAN -CLASS="TYPE" ->PF_INET6</SPAN -> — IPv4 or IPV6 +return failure. +</p> +<p> +<code class="function">lwres_gethostbyname()</code> and +<code class="function">lwres_gethostbyname2()</code> look up the hostname +<em class="parameter"><code>name</code></em>. +<code class="function">lwres_gethostbyname()</code> always looks for an IPv4 +address while <code class="function">lwres_gethostbyname2()</code> looks for an +address of protocol family <em class="parameter"><code>af</code></em>: either +<span class="type">PF_INET</span> or <span class="type">PF_INET6</span> — IPv4 or IPV6 addresses respectively. Successful calls of the functions return a -<SPAN -CLASS="TYPE" ->struct hostent</SPAN ->for the name that was looked up. -<SPAN -CLASS="TYPE" ->NULL</SPAN -> is returned if the lookups by -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname()</CODE -> or -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname2()</CODE -> fail.</P -><P ->Reverse lookups of addresses are performed by -<CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr()</CODE ->. -<VAR -CLASS="PARAMETER" ->addr</VAR -> is an address of length -<VAR -CLASS="PARAMETER" ->len</VAR -> bytes and protocol family -<VAR -CLASS="PARAMETER" ->type</VAR -> — <SPAN -CLASS="TYPE" ->PF_INET</SPAN -> or -<SPAN -CLASS="TYPE" ->PF_INET6</SPAN ->. -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname_r()</CODE -> is a thread-safe function +<span class="type">struct hostent</span>for the name that was looked up. +<span class="type">NULL</span> is returned if the lookups by +<code class="function">lwres_gethostbyname()</code> or +<code class="function">lwres_gethostbyname2()</code> fail. +</p> +<p> +Reverse lookups of addresses are performed by +<code class="function">lwres_gethostbyaddr()</code>. +<em class="parameter"><code>addr</code></em> is an address of length +<em class="parameter"><code>len</code></em> bytes and protocol family +<em class="parameter"><code>type</code></em> — <span class="type">PF_INET</span> or +<span class="type">PF_INET6</span>. +<code class="function">lwres_gethostbyname_r()</code> is a thread-safe function for forward lookups. If an error occurs, an error code is returned in -<VAR -CLASS="PARAMETER" ->*error</VAR ->. -<VAR -CLASS="PARAMETER" ->resbuf</VAR -> is a pointer to a <SPAN -CLASS="TYPE" ->struct -hostent</SPAN -> which is initialised by a successful call to -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname_r()</CODE -> . -<VAR -CLASS="PARAMETER" ->buf</VAR -> is a buffer of length -<VAR -CLASS="PARAMETER" ->len</VAR -> bytes which is used to store the -<CODE -CLASS="CONSTANT" ->h_name</CODE ->, <CODE -CLASS="CONSTANT" ->h_aliases</CODE ->, and -<CODE -CLASS="CONSTANT" ->h_addr_list</CODE -> elements of the <SPAN -CLASS="TYPE" ->struct -hostent</SPAN -> returned in <VAR -CLASS="PARAMETER" ->resbuf</VAR ->. -Successful calls to <CODE -CLASS="FUNCTION" ->lwres_gethostbyname_r()</CODE -> -return <VAR -CLASS="PARAMETER" ->resbuf</VAR ->, -which is a pointer to the <SPAN -CLASS="TYPE" ->struct hostent</SPAN -> it created.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr_r()</CODE -> is a thread-safe function -that performs a reverse lookup of address <VAR -CLASS="PARAMETER" ->addr</VAR -> -which is <VAR -CLASS="PARAMETER" ->len</VAR -> bytes long and is of protocol -family <VAR -CLASS="PARAMETER" ->type</VAR -> — <SPAN -CLASS="TYPE" ->PF_INET</SPAN -> or -<SPAN -CLASS="TYPE" ->PF_INET6</SPAN ->. If an error occurs, the error code is returned -in <VAR -CLASS="PARAMETER" ->*error</VAR ->. The other function parameters are -identical to those in <CODE -CLASS="FUNCTION" ->lwres_gethostbyname_r()</CODE ->. -<VAR -CLASS="PARAMETER" ->resbuf</VAR -> is a pointer to a <SPAN -CLASS="TYPE" ->struct -hostent</SPAN -> which is initialised by a successful call to -<CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr_r()</CODE ->. -<VAR -CLASS="PARAMETER" ->buf</VAR -> is a buffer of length -<VAR -CLASS="PARAMETER" ->len</VAR -> bytes which is used to store the -<CODE -CLASS="CONSTANT" ->h_name</CODE ->, <CODE -CLASS="CONSTANT" ->h_aliases</CODE ->, and -<CODE -CLASS="CONSTANT" ->h_addr_list</CODE -> elements of the <SPAN -CLASS="TYPE" ->struct -hostent</SPAN -> returned in <VAR -CLASS="PARAMETER" ->resbuf</VAR ->. Successful -calls to <CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr_r()</CODE -> return -<VAR -CLASS="PARAMETER" ->resbuf</VAR ->, which is a pointer to the -<CODE -CLASS="FUNCTION" ->struct hostent()</CODE -> it created.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN191" -></A -><H2 ->RETURN VALUES</H2 -><P ->The functions -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname2()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr()</CODE ->, +<em class="parameter"><code>*error</code></em>. +<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct +hostent</span> which is initialised by a successful call to +<code class="function">lwres_gethostbyname_r()</code> . +<em class="parameter"><code>buf</code></em> is a buffer of length +<em class="parameter"><code>len</code></em> bytes which is used to store the +<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and +<code class="constant">h_addr_list</code> elements of the <span class="type">struct +hostent</span> returned in <em class="parameter"><code>resbuf</code></em>. +Successful calls to <code class="function">lwres_gethostbyname_r()</code> +return <em class="parameter"><code>resbuf</code></em>, +which is a pointer to the <span class="type">struct hostent</span> it created. +</p> +<p> +<code class="function">lwres_gethostbyaddr_r()</code> is a thread-safe function +that performs a reverse lookup of address <em class="parameter"><code>addr</code></em> +which is <em class="parameter"><code>len</code></em> bytes long and is of protocol +family <em class="parameter"><code>type</code></em> — <span class="type">PF_INET</span> or +<span class="type">PF_INET6</span>. If an error occurs, the error code is returned +in <em class="parameter"><code>*error</code></em>. The other function parameters are +identical to those in <code class="function">lwres_gethostbyname_r()</code>. +<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct +hostent</span> which is initialised by a successful call to +<code class="function">lwres_gethostbyaddr_r()</code>. +<em class="parameter"><code>buf</code></em> is a buffer of length +<em class="parameter"><code>len</code></em> bytes which is used to store the +<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and +<code class="constant">h_addr_list</code> elements of the <span class="type">struct +hostent</span> returned in <em class="parameter"><code>resbuf</code></em>. Successful +calls to <code class="function">lwres_gethostbyaddr_r()</code> return +<em class="parameter"><code>resbuf</code></em>, which is a pointer to the +<code class="function">struct hostent()</code> it created. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526380"></a><h2>RETURN VALUES</h2> +<p> +The functions +<code class="function">lwres_gethostbyname()</code>, +<code class="function">lwres_gethostbyname2()</code>, +<code class="function">lwres_gethostbyaddr()</code>, and -<CODE -CLASS="FUNCTION" ->lwres_gethostent()</CODE -> +<code class="function">lwres_gethostent()</code> return NULL to indicate an error. In this case the global variable -<SPAN -CLASS="TYPE" ->lwres_h_errno</SPAN -> +<span class="type">lwres_h_errno</span> will contain one of the following error codes defined in -<TT -CLASS="FILENAME" -><lwres/netdb.h></TT ->: +<code class="filename"><lwres/netdb.h></code>: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->HOST_NOT_FOUND</CODE -></DT -><DD -><P ->The host or address was not found.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->TRY_AGAIN</CODE -></DT -><DD -><P ->A recoverable error occurred, e.g., a timeout. -Retrying the lookup may succeed.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NO_RECOVERY</CODE -></DT -><DD -><P ->A non-recoverable error occurred.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NO_DATA</CODE -></DT -><DD -><P ->The name exists, but has no address information +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt> +<dd><p> +The host or address was not found. +</p></dd> +<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt> +<dd><p> +A recoverable error occurred, e.g., a timeout. +Retrying the lookup may succeed. +</p></dd> +<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt> +<dd><p> +A non-recoverable error occurred. +</p></dd> +<dt><span class="term"><code class="constant">NO_DATA</code></span></dt> +<dd><p> +The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards -compatibility.</P -></DD -></DL -></DIV -></P -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_hstrerror</SPAN ->(3)</SPAN -> -translates these error codes to suitable error messages.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_gethostent()</CODE -> +compatibility. +</p></dd> +</dl></div> +<p> +</p> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3 +)</span> +translates these error codes to suitable error messages. +</p> +<p> +<code class="function">lwres_gethostent()</code> and -<CODE -CLASS="FUNCTION" ->lwres_gethostent_r()</CODE -> +<code class="function">lwres_gethostent_r()</code> always return -<SPAN -CLASS="TYPE" ->NULL</SPAN ->.</P -><P ->Successful calls to <CODE -CLASS="FUNCTION" ->lwres_gethostbyname_r()</CODE -> and -<CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr_r()</CODE -> return -<VAR -CLASS="PARAMETER" ->resbuf</VAR ->, a pointer to the <SPAN -CLASS="TYPE" ->struct -hostent</SPAN -> that was initialised by these functions. They return -<SPAN -CLASS="TYPE" ->NULL</SPAN -> if the lookups fail or if <VAR -CLASS="PARAMETER" ->buf</VAR -> +<span class="type">NULL</span>. +</p> +<p> +Successful calls to <code class="function">lwres_gethostbyname_r()</code> and +<code class="function">lwres_gethostbyaddr_r()</code> return +<em class="parameter"><code>resbuf</code></em>, a pointer to the <span class="type">struct +hostent</span> that was initialised by these functions. They return +<span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em> was too small to hold the list of addresses and names referenced by -the <CODE -CLASS="CONSTANT" ->h_name</CODE ->, <CODE -CLASS="CONSTANT" ->h_aliases</CODE ->, and -<CODE -CLASS="CONSTANT" ->h_addr_list</CODE -> elements of the <SPAN -CLASS="TYPE" ->struct -hostent</SPAN ->. If <VAR -CLASS="PARAMETER" ->buf</VAR -> was too small, both -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname_r()</CODE -> and -<CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr_r()</CODE -> set the global variable -<SPAN -CLASS="TYPE" ->errno</SPAN -> to <SPAN -CLASS="ERRORCODE" ->ERANGE</SPAN ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN245" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->gethostent</SPAN ->(3)</SPAN ->, +the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and +<code class="constant">h_addr_list</code> elements of the <span class="type">struct +hostent</span>. If <em class="parameter"><code>buf</code></em> was too small, both +<code class="function">lwres_gethostbyname_r()</code> and +<code class="function">lwres_gethostbyaddr_r()</code> set the global variable +<span class="type">errno</span> to <span class="errorcode">ERANGE</span>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526540"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getipnode</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_hstrerror</SPAN ->(3)</SPAN -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN257" -></A -><H2 ->BUGS</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_gethostbyname()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname2()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr()</CODE -> +<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3 +)</span> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526644"></a><h2>BUGS</h2> +<p> +<code class="function">lwres_gethostbyname()</code>, +<code class="function">lwres_gethostbyname2()</code>, +<code class="function">lwres_gethostbyaddr()</code> and -<CODE -CLASS="FUNCTION" ->lwres_endhostent()</CODE -> +<code class="function">lwres_endhostent()</code> are not thread safe; they return pointers to static data and provide error codes through a global variable. Thread-safe versions for name and address lookup are provided by -<CODE -CLASS="FUNCTION" ->lwres_gethostbyname_r()</CODE ->, +<code class="function">lwres_gethostbyname_r()</code>, and -<CODE -CLASS="FUNCTION" ->lwres_gethostbyaddr_r()</CODE -> -respectively.</P -><P ->The resolver daemon does not currently support any non-DNS +<code class="function">lwres_gethostbyaddr_r()</code> +respectively. +</p> +<p> +The resolver daemon does not currently support any non-DNS name services such as -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> +<code class="filename">/etc/hosts</code> or -<SPAN -CLASS="TYPE" ->NIS</SPAN ->, -consequently the above functions don't, either.</P -></DIV -></BODY -></HTML -> +<span class="type">NIS</span>, +consequently the above functions don't, either. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3 b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3 index f420b3f0bd6..7ea20b8bf45 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3 +++ b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3 @@ -1,46 +1,46 @@ -.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" +.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $ISC: lwres_getipnode.3,v 1.13.2.2.4.2 2004/03/09 05:21:10 marka Exp $ +.\" $ISC: lwres_getipnode.3,v 1.13.2.2.4.6 2005/10/13 02:33:53 marka Exp $ .\" -.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "" -.SH NAME +.hy 0 +.ad l +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API -.SH SYNOPSIS -\fB#include <lwres/netdb.h> -.sp -.na -struct hostent * -lwres_getipnodebyname(const char *name, int af, int flags, int *error_num); -.ad -.sp -.na -struct hostent * -lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num); -.ad -.sp -.na -void -lwres_freehostent(struct hostent *he); -.ad -\fR +.SH "SYNOPSIS" +.nf +#include <lwres/netdb.h> +.fi +.HP 39 +\fBstruct\ hostent\ *\ \fBlwres_getipnodebyname\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ flags\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR +.HP 39 +\fBstruct\ hostent\ *\ \fBlwres_getipnodebyaddr\fR\fR\fB(\fR\fBconst\ void\ *src\fR\fB, \fR\fBsize_t\ len\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR +.HP 23 +\fBvoid\ \fBlwres_freehostent\fR\fR\fB(\fR\fBstruct\ hostent\ *he\fR\fB);\fR .SH "DESCRIPTION" .PP -These functions perform thread safe, protocol independent -nodename-to-address and address-to-nodename -translation as defined in RFC2553. +These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553. .PP They use a \fBstruct hostent\fR @@ -56,8 +56,8 @@ struct hostent { char **h_addr_list; /* list of addresses from name server */ }; #define h_addr h_addr_list[0] /* address, for backward compatibility */ -.sp .fi +.sp .PP The members of this structure are: .TP @@ -65,10 +65,10 @@ The members of this structure are: The official (canonical) name of the host. .TP \fBh_aliases\fR -A NULL-terminated array of alternate names (nicknames) for the host. +A NULL\-terminated array of alternate names (nicknames) for the host. .TP \fBh_addrtype\fR -The type of address being returned - usually +The type of address being returned \- usually \fBPF_INET\fR or \fBPF_INET6\fR. @@ -79,49 +79,38 @@ The length of the address in bytes. \fBh_addr_list\fR A \fBNULL\fR -terminated array of network addresses for the host. -Host addresses are returned in network byte order. +terminated array of network addresses for the host. Host addresses are returned in network byte order. .PP \fBlwres_getipnodebyname()\fR looks up addresses of protocol family \fIaf\fR for the hostname -\fIname\fR. -The +\fIname\fR. The \fIflags\fR -parameter contains ORed flag bits to -specify the types of addresses that are searched -for, and the types of addresses that are returned. -The flag bits are: +parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are: .TP \fBAI_V4MAPPED\fR This is used with an \fIaf\fR -of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped -IPv6 addresses. +of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses. .TP \fBAI_ALL\fR This is used with an \fIaf\fR -of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. -If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped -IPv6 addresses. +of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses. .TP \fBAI_ADDRCONFIG\fR -Only return an IPv6 or IPv4 address if here is an active network -interface of that type. This is not currently implemented -in the BIND 9 lightweight resolver, and the flag is ignored. +Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored. .TP \fBAI_DEFAULT\fR This default sets the -AI_V4MAPPED +\fBAI_V4MAPPED\fR and -AI_ADDRCONFIG +\fBAI_ADDRCONFIG\fR flag bits. .PP \fBlwres_getipnodebyaddr()\fR -performs a reverse lookup -of address +performs a reverse lookup of address \fIsrc\fR which is \fIlen\fR @@ -133,16 +122,14 @@ or \fBPF_INET6\fR. .PP \fBlwres_freehostent()\fR -releases all the memory associated with -the +releases all the memory associated with the \fBstruct hostent\fR pointer -\fIhe\fR. -Any memory allocated for the -h_name, -h_addr_list +\fIhe\fR. Any memory allocated for the +\fBh_name\fR, +\fBh_addr_list\fR and -h_aliases +\fBh_aliases\fR is freed, as is the memory for the \fBhostent\fR structure itself. @@ -156,32 +143,26 @@ set \fI*error_num\fR to an appropriate error code and the function returns a \fBNULL\fR -pointer. -The error codes and their meanings are defined in +pointer. The error codes and their meanings are defined in \fI<lwres/netdb.h>\fR: .TP \fBHOST_NOT_FOUND\fR No such host is known. .TP \fBNO_ADDRESS\fR -The server recognised the request and the name but no address is -available. Another type of request to the name server for the -domain might return an answer. +The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer. .TP \fBTRY_AGAIN\fR -A temporary and possibly transient error occurred, such as a -failure of a server to respond. The request may succeed if -retried. +A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried. .TP \fBNO_RECOVERY\fR -An unexpected failure occurred, and retrying the request -is pointless. +An unexpected failure occurred, and retrying the request is pointless. .PP -\fBlwres_hstrerror\fR(3) +\fBlwres_hstrerror\fR(3 ) translates these error codes to suitable error messages. .SH "SEE ALSO" .PP -\fBRFC2553\fR, +\fBRFC2553\fR(), \fBlwres\fR(3), \fBlwres_gethostent\fR(3), \fBlwres_getaddrinfo\fR(3), diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook index eabf9682b94..32cce201996 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook +++ b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook @@ -1,7 +1,9 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" + "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" + [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -16,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: lwres_getipnode.docbook,v 1.4.2.2.4.1 2004/03/06 08:15:39 marka Exp $ --> +<!-- $ISC: lwres_getipnode.docbook,v 1.4.2.2.4.3 2005/05/12 21:36:14 sra Exp $ --> <refentry> @@ -30,6 +32,20 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> + <year>2000</year> + <year>2001</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + <refnamediv> <refname>lwres_getipnodebyname</refname> <refname>lwres_getipnodebyaddr</refname> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html index 6885024fd5d..62dc994bcc1 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html @@ -1,512 +1,298 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_getipnode.html,v 1.7.2.1.4.2 2004/08/22 23:39:04 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_getipnode</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_getipnode</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent -- lightweight resolver nodename / address translation API</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN13" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN14" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/netdb.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_getipnodebyname</CODE ->(const char *name, int af, int flags, int *error_num);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->struct hostent * -lwres_getipnodebyaddr</CODE ->(const void *src, size_t len, int af, int *error_num);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_freehostent</CODE ->(struct hostent *he);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN34" -></A -><H2 ->DESCRIPTION</H2 -><P ->These functions perform thread safe, protocol independent +<!-- $ISC: lwres_getipnode.html,v 1.7.2.1.4.9 2005/10/13 02:33:56 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_getipnode</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/netdb.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_getipnodebyname</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +struct hostent * +<b class="fsfunc">lwres_getipnodebyaddr</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_freehostent</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525896"></a><h2>DESCRIPTION</h2> +<p> +These functions perform thread safe, protocol independent nodename-to-address and address-to-nodename -translation as defined in RFC2553.</P -><P ->They use a -<SPAN -CLASS="TYPE" ->struct hostent</SPAN -> +translation as defined in RFC2553. +</p> +<p> +They use a +<span class="type">struct hostent</span> which is defined in -<TT -CLASS="FILENAME" ->namedb.h</TT ->: -<PRE -CLASS="PROGRAMLISTING" ->struct hostent { +<code class="filename">namedb.h</code>: +</p> +<pre class="programlisting"> +struct hostent { char *h_name; /* official name of host */ char **h_aliases; /* alias list */ int h_addrtype; /* host address type */ int h_length; /* length of address */ char **h_addr_list; /* list of addresses from name server */ }; -#define h_addr h_addr_list[0] /* address, for backward compatibility */</PRE -></P -><P ->The members of this structure are: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->h_name</CODE -></DT -><DD -><P ->The official (canonical) name of the host.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_aliases</CODE -></DT -><DD -><P ->A NULL-terminated array of alternate names (nicknames) for the host.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_addrtype</CODE -></DT -><DD -><P ->The type of address being returned - usually -<SPAN -CLASS="TYPE" ->PF_INET</SPAN -> +#define h_addr h_addr_list[0] /* address, for backward compatibility */ +</pre> +<p> +</p> +<p> +The members of this structure are: +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">h_name</code></span></dt> +<dd><p> +The official (canonical) name of the host. +</p></dd> +<dt><span class="term"><code class="constant">h_aliases</code></span></dt> +<dd><p> +A NULL-terminated array of alternate names (nicknames) for the host. +</p></dd> +<dt><span class="term"><code class="constant">h_addrtype</code></span></dt> +<dd><p> +The type of address being returned - usually +<span class="type">PF_INET</span> or -<SPAN -CLASS="TYPE" ->PF_INET6</SPAN ->. </P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_length</CODE -></DT -><DD -><P ->The length of the address in bytes.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->h_addr_list</CODE -></DT -><DD -><P ->A -<SPAN -CLASS="TYPE" ->NULL</SPAN -> +<span class="type">PF_INET6</span>. + +</p></dd> +<dt><span class="term"><code class="constant">h_length</code></span></dt> +<dd><p> +The length of the address in bytes. +</p></dd> +<dt><span class="term"><code class="constant">h_addr_list</code></span></dt> +<dd><p> +A +<span class="type">NULL</span> terminated array of network addresses for the host. -Host addresses are returned in network byte order.</P -></DD -></DL -></DIV -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_getipnodebyname()</CODE -> +Host addresses are returned in network byte order. +</p></dd> +</dl></div> +<p> +</p> +<p> +<code class="function">lwres_getipnodebyname()</code> looks up addresses of protocol family -<VAR -CLASS="PARAMETER" ->af</VAR -> +<em class="parameter"><code>af</code></em> for the hostname -<VAR -CLASS="PARAMETER" ->name</VAR ->. +<em class="parameter"><code>name</code></em>. The -<VAR -CLASS="PARAMETER" ->flags</VAR -> +<em class="parameter"><code>flags</code></em> parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->AI_V4MAPPED</CODE -></DT -><DD -><P ->This is used with an -<VAR -CLASS="PARAMETER" ->af</VAR -> +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt> +<dd><p> +This is used with an +<em class="parameter"><code>af</code></em> of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped -IPv6 addresses.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->AI_ALL</CODE -></DT -><DD -><P ->This is used with an -<VAR -CLASS="PARAMETER" ->af</VAR -> +IPv6 addresses. +</p></dd> +<dt><span class="term"><code class="constant">AI_ALL</code></span></dt> +<dd><p> +This is used with an +<em class="parameter"><code>af</code></em> of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped -IPv6 addresses.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->AI_ADDRCONFIG</CODE -></DT -><DD -><P ->Only return an IPv6 or IPv4 address if here is an active network +IPv6 addresses. +</p></dd> +<dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt> +<dd><p> +Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented -in the BIND 9 lightweight resolver, and the flag is ignored.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->AI_DEFAULT</CODE -></DT -><DD -><P ->This default sets the -<CODE -CLASS="CONSTANT" ->AI_V4MAPPED</CODE -> +in the BIND 9 lightweight resolver, and the flag is ignored. +</p></dd> +<dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt> +<dd><p> +This default sets the +<code class="constant">AI_V4MAPPED</code> and -<CODE -CLASS="CONSTANT" ->AI_ADDRCONFIG</CODE -> -flag bits.</P -></DD -></DL -></DIV -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_getipnodebyaddr()</CODE -> +<code class="constant">AI_ADDRCONFIG</code> +flag bits. +</p></dd> +</dl></div> +<p> +</p> +<p> +<code class="function">lwres_getipnodebyaddr()</code> performs a reverse lookup of address -<VAR -CLASS="PARAMETER" ->src</VAR -> +<em class="parameter"><code>src</code></em> which is -<VAR -CLASS="PARAMETER" ->len</VAR -> +<em class="parameter"><code>len</code></em> bytes long. -<VAR -CLASS="PARAMETER" ->af</VAR -> +<em class="parameter"><code>af</code></em> denotes the protocol family, typically -<SPAN -CLASS="TYPE" ->PF_INET</SPAN -> +<span class="type">PF_INET</span> or -<SPAN -CLASS="TYPE" ->PF_INET6</SPAN ->. </P -><P -><CODE -CLASS="FUNCTION" ->lwres_freehostent()</CODE -> +<span class="type">PF_INET6</span>. + +</p> +<p> +<code class="function">lwres_freehostent()</code> releases all the memory associated with the -<SPAN -CLASS="TYPE" ->struct hostent</SPAN -> +<span class="type">struct hostent</span> pointer -<VAR -CLASS="PARAMETER" ->he</VAR ->. +<em class="parameter"><code>he</code></em>. Any memory allocated for the -<CODE -CLASS="CONSTANT" ->h_name</CODE ->, +<code class="constant">h_name</code>, -<CODE -CLASS="CONSTANT" ->h_addr_list</CODE -> +<code class="constant">h_addr_list</code> and -<CODE -CLASS="CONSTANT" ->h_aliases</CODE -> +<code class="constant">h_aliases</code> is freed, as is the memory for the -<SPAN -CLASS="TYPE" ->hostent</SPAN -> -structure itself.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN116" -></A -><H2 ->RETURN VALUES</H2 -><P ->If an error occurs, -<CODE -CLASS="FUNCTION" ->lwres_getipnodebyname()</CODE -> +<span class="type">hostent</span> +structure itself. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526131"></a><h2>RETURN VALUES</h2> +<p> +If an error occurs, +<code class="function">lwres_getipnodebyname()</code> and -<CODE -CLASS="FUNCTION" ->lwres_getipnodebyaddr()</CODE -> +<code class="function">lwres_getipnodebyaddr()</code> set -<VAR -CLASS="PARAMETER" ->*error_num</VAR -> +<em class="parameter"><code>*error_num</code></em> to an appropriate error code and the function returns a -<SPAN -CLASS="TYPE" ->NULL</SPAN -> +<span class="type">NULL</span> pointer. The error codes and their meanings are defined in -<TT -CLASS="FILENAME" -><lwres/netdb.h></TT ->: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->HOST_NOT_FOUND</CODE -></DT -><DD -><P ->No such host is known.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NO_ADDRESS</CODE -></DT -><DD -><P ->The server recognised the request and the name but no address is +<code class="filename"><lwres/netdb.h></code>: +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt> +<dd><p> +No such host is known. +</p></dd> +<dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt> +<dd><p> +The server recognised the request and the name but no address is available. Another type of request to the name server for the -domain might return an answer.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->TRY_AGAIN</CODE -></DT -><DD -><P ->A temporary and possibly transient error occurred, such as a +domain might return an answer. +</p></dd> +<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt> +<dd><p> +A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if -retried.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NO_RECOVERY</CODE -></DT -><DD -><P ->An unexpected failure occurred, and retrying the request -is pointless.</P -></DD -></DL -></DIV -></P -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_hstrerror</SPAN ->(3)</SPAN -> -translates these error codes to suitable error messages.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN149" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2553</SPAN -></SPAN ->, +retried. +</p></dd> +<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt> +<dd><p> +An unexpected failure occurred, and retrying the request +is pointless. +</p></dd> +</dl></div> +<p> +</p> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3 +)</span> +translates these error codes to suitable error messages. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526290"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_gethostent</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getaddrinfo</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getnameinfo</SPAN ->(3)</SPAN ->, +<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_hstrerror</SPAN ->(3)</SPAN ->.</P -></DIV -></BODY -></HTML -> +<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html index 930a43d9982..1a75c600182 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html @@ -1,290 +1,154 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_getnameinfo.html,v 1.5.2.1.4.2 2004/08/22 23:39:04 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_getnameinfo</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_getnameinfo</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_getnameinfo -- lightweight resolver socket address structure to hostname and service name</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN12" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/netdb.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->int -lwres_getnameinfo</CODE ->(const struct sockaddr *sa, size_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN24" -></A -><H2 ->DESCRIPTION</H2 -><P -> This function is equivalent to the <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->getnameinfo</SPAN ->(3)</SPAN -> function defined in RFC2133. -<CODE -CLASS="FUNCTION" ->lwres_getnameinfo()</CODE -> returns the hostname for the -<SPAN -CLASS="TYPE" ->struct sockaddr</SPAN -> <VAR -CLASS="PARAMETER" ->sa</VAR -> which is -<VAR -CLASS="PARAMETER" ->salen</VAR -> bytes long. The hostname is of length -<VAR -CLASS="PARAMETER" ->hostlen</VAR -> and is returned via -<VAR -CLASS="PARAMETER" ->*host.</VAR -> The maximum length of the hostname is -1025 bytes: <CODE -CLASS="CONSTANT" ->NI_MAXHOST</CODE ->.</P -><P -> The name of the service associated with the port number in -<VAR -CLASS="PARAMETER" ->sa</VAR -> is returned in <VAR -CLASS="PARAMETER" ->*serv.</VAR -> -It is <VAR -CLASS="PARAMETER" ->servlen</VAR -> bytes long. The maximum length -of the service name is <CODE -CLASS="CONSTANT" ->NI_MAXSERV</CODE -> - 32 bytes.</P -><P -> The <VAR -CLASS="PARAMETER" ->flags</VAR -> argument sets the following +<!-- $ISC: lwres_getnameinfo.html,v 1.5.2.1.4.9 2005/10/13 02:33:56 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_getnameinfo</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_getnameinfo — lightweight resolver socket address structure to hostname and service name</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/netdb.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +int +<b class="fsfunc">lwres_getnameinfo</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525862"></a><h2>DESCRIPTION</h2> +<p> This function is equivalent to the <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133. +<code class="function">lwres_getnameinfo()</code> returns the hostname for the +<span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which is +<em class="parameter"><code>salen</code></em> bytes long. The hostname is of length +<em class="parameter"><code>hostlen</code></em> and is returned via +<em class="parameter"><code>*host.</code></em> The maximum length of the hostname is +1025 bytes: <code class="constant">NI_MAXHOST</code>.</p> +<p> The name of the service associated with the port number in +<em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em> +It is <em class="parameter"><code>servlen</code></em> bytes long. The maximum length +of the service name is <code class="constant">NI_MAXSERV</code> - 32 bytes. +</p> +<p> The <em class="parameter"><code>flags</code></em> argument sets the following bits: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->NI_NOFQDN</CODE -></DT -><DD -><P ->A fully qualified domain name is not required for local hosts. -The local part of the fully qualified domain name is returned instead.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NI_NUMERICHOST</CODE -></DT -><DD -><P ->Return the address in numeric form, as if calling inet_ntop(), -instead of a host name.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NI_NAMEREQD</CODE -></DT -><DD -><P ->A name is required. If the hostname cannot be found in the DNS and +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt> +<dd><p> +A fully qualified domain name is not required for local hosts. +The local part of the fully qualified domain name is returned instead. +</p></dd> +<dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt> +<dd><p> +Return the address in numeric form, as if calling inet_ntop(), +instead of a host name. +</p></dd> +<dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt> +<dd><p> +A name is required. If the hostname cannot be found in the DNS and this flag is set, a non-zero error code is returned. If the hostname is not found and the flag is not set, the -address is returned in numeric form.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NI_NUMERICSERV</CODE -></DT -><DD -><P ->The service name is returned as a digit string representing the port number.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->NI_DGRAM</CODE -></DT -><DD -><P ->Specifies that the service being looked up is a datagram +address is returned in numeric form. +</p></dd> +<dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt> +<dd><p> +The service name is returned as a digit string representing the port number. +</p></dd> +<dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt> +<dd><p> +Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512-514) that have different services for UDP and -TCP.</P -></DD -></DL -></DIV -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN70" -></A -><H2 ->RETURN VALUES</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_getnameinfo()</CODE -> -returns 0 on success or a non-zero error code if an error occurs.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN74" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC2133</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->getservbyport</SPAN ->(3)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres</SPAN ->(3)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getnameinfo</SPAN ->(3)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_getnamebyaddr</SPAN ->(3)</SPAN ->. -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_net_ntop</SPAN ->(3)</SPAN ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN94" -></A -><H2 ->BUGS</H2 -><P ->RFC2133 fails to define what the nonzero return values of -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->getnameinfo</SPAN ->(3)</SPAN -> -are.</P -></DIV -></BODY -></HTML -> +TCP. +</p></dd> +</dl></div> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525988"></a><h2>RETURN VALUES</h2> +<p> +<code class="function">lwres_getnameinfo()</code> +returns 0 on success or a non-zero error code if an error occurs. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526001"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>, +<span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>, +<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>, +<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>, +<span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>. +<span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526059"></a><h2>BUGS</h2> +<p> +RFC2133 fails to define what the nonzero return values of +<span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> +are. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html index dce7e629f86..2ce86890e22 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html @@ -1,91 +1,80 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_getrrsetbyname.html,v 1.5.2.1.4.2 2004/08/22 23:39:04 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_getrrsetbyname</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_getrrsetbyname</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_getrrsetbyname, lwres_freerrset -- retrieve DNS records</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN12" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN13" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/netdb.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->int -lwres_getrrsetbyname</CODE ->(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_freerrset</CODE ->(struct rrsetinfo *rrset);</CODE -></P -><P -></P -></DIV -><P ->The following structures are used: -<PRE -CLASS="PROGRAMLISTING" ->struct rdatainfo { +<!-- $ISC: lwres_getrrsetbyname.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_getrrsetbyname</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/netdb.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +int +<b class="fsfunc">lwres_getrrsetbyname</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_freerrset</b>(</code></td> +<td> </td> +<td> +<code>)</code>;</td> +</tr></table> +</div> +<p> +The following structures are used: +</p> +<pre class="programlisting"> +struct rdatainfo { unsigned int rdi_length; /* length of data */ unsigned char *rdi_data; /* record data */ }; @@ -100,261 +89,129 @@ struct rrsetinfo { char *rri_name; /* canonical name */ struct rdatainfo *rri_rdatas; /* individual records */ struct rdatainfo *rri_sigs; /* individual signatures */ -};</PRE -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN29" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_getrrsetbyname()</CODE -> +}; +</pre> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525878"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_getrrsetbyname()</code> gets a set of resource records associated with a -<VAR -CLASS="PARAMETER" ->hostname</VAR ->, +<em class="parameter"><code>hostname</code></em>, -<VAR -CLASS="PARAMETER" ->class</VAR ->, +<em class="parameter"><code>class</code></em>, and -<VAR -CLASS="PARAMETER" ->type</VAR ->. +<em class="parameter"><code>type</code></em>. -<VAR -CLASS="PARAMETER" ->hostname</VAR -> +<em class="parameter"><code>hostname</code></em> is a pointer a to null-terminated string. The -<VAR -CLASS="PARAMETER" ->flags</VAR -> -field is currently unused and must be zero.</P -><P ->After a successful call to -<CODE -CLASS="FUNCTION" ->lwres_getrrsetbyname()</CODE ->, +<em class="parameter"><code>flags</code></em> +field is currently unused and must be zero. +</p> +<p> +After a successful call to +<code class="function">lwres_getrrsetbyname()</code>, -<VAR -CLASS="PARAMETER" ->*res</VAR -> +<em class="parameter"><code>*res</code></em> is a pointer to an -<SPAN -CLASS="TYPE" ->rrsetinfo</SPAN -> +<span class="type">rrsetinfo</span> structure, containing a list of one or more -<SPAN -CLASS="TYPE" ->rdatainfo</SPAN -> +<span class="type">rdatainfo</span> structures containing resource records and potentially another list of -<SPAN -CLASS="TYPE" ->rdatainfo</SPAN -> +<span class="type">rdatainfo</span> structures containing SIG resource records associated with those records. The members -<CODE -CLASS="CONSTANT" ->rri_rdclass</CODE -> +<code class="constant">rri_rdclass</code> and -<CODE -CLASS="CONSTANT" ->rri_rdtype</CODE -> +<code class="constant">rri_rdtype</code> are copied from the parameters. -<CODE -CLASS="CONSTANT" ->rri_ttl</CODE -> +<code class="constant">rri_ttl</code> and -<CODE -CLASS="CONSTANT" ->rri_name</CODE -> +<code class="constant">rri_name</code> are properties of the obtained rrset. The resource records contained in -<CODE -CLASS="CONSTANT" ->rri_rdatas</CODE -> +<code class="constant">rri_rdatas</code> and -<CODE -CLASS="CONSTANT" ->rri_sigs</CODE -> +<code class="constant">rri_sigs</code> are in uncompressed DNS wire format. Properties of the rdataset are represented in the -<CODE -CLASS="CONSTANT" ->rri_flags</CODE -> +<code class="constant">rri_flags</code> bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC -validated and the signatures verified. </P -><P ->All of the information returned by -<CODE -CLASS="FUNCTION" ->lwres_getrrsetbyname()</CODE -> +validated and the signatures verified. +</p> +<p> +All of the information returned by +<code class="function">lwres_getrrsetbyname()</code> is dynamically allocated: the -<CODE -CLASS="CONSTANT" ->rrsetinfo</CODE -> +<code class="constant">rrsetinfo</code> and -<CODE -CLASS="CONSTANT" ->rdatainfo</CODE -> +<code class="constant">rdatainfo</code> structures, and the canonical host name strings pointed to by the -<CODE -CLASS="CONSTANT" ->rrsetinfo</CODE ->structure. +<code class="constant">rrsetinfo</code>structure. Memory allocated for the dynamically allocated structures created by a successful call to -<CODE -CLASS="FUNCTION" ->lwres_getrrsetbyname()</CODE -> +<code class="function">lwres_getrrsetbyname()</code> is released by -<CODE -CLASS="FUNCTION" ->lwres_freerrset()</CODE ->. +<code class="function">lwres_freerrset()</code>. -<VAR -CLASS="PARAMETER" ->rrset</VAR -> +<em class="parameter"><code>rrset</code></em> is a pointer to a -<SPAN -CLASS="TYPE" ->struct rrset</SPAN -> +<span class="type">struct rrset</span> created by a call to -<CODE -CLASS="FUNCTION" ->lwres_getrrsetbyname()</CODE ->. </P -><P -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN62" -></A -><H2 ->RETURN VALUES</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_getrrsetbyname()</CODE -> +<code class="function">lwres_getrrsetbyname()</code>. + +</p> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526058"></a><h2>RETURN VALUES</h2> +<p> +<code class="function">lwres_getrrsetbyname()</code> returns zero on success, and one of the following error codes if an error occurred: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->ERRSET_NONAME</CODE -></DT -><DD -><P ->the name does not exist</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->ERRSET_NODATA</CODE -></DT -><DD -><P ->the name exists, but does not have data of the desired type</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->ERRSET_NOMEMORY</CODE -></DT -><DD -><P ->memory could not be allocated</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->ERRSET_INVAL</CODE -></DT -><DD -><P ->a parameter is invalid</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->ERRSET_FAIL</CODE -></DT -><DD -><P ->other failure</P -></DD -><DT -><CODE -CLASS="CONSTANT" -></CODE -></DT -><DD -><P -></P -></DD -></DL -></DIV -> </P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN97" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres</SPAN ->(3)</SPAN ->.</P -></DIV -></BODY -></HTML -> +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt> +<dd><p> +the name does not exist +</p></dd> +<dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt> +<dd><p> +the name exists, but does not have data of the desired type +</p></dd> +<dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt> +<dd><p> +memory could not be allocated +</p></dd> +<dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt> +<dd><p> +a parameter is invalid +</p></dd> +<dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt> +<dd><p> +other failure +</p></dd> +<dt><span class="term"><code class="constant"></code></span></dt> +<dd><p> +</p></dd> +</dl></div> +<p> + +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526132"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gnba.html b/usr.sbin/bind/lib/lwres/man/lwres_gnba.html index fe89e753706..ee070eb4e90 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_gnba.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_gnba.html @@ -1,158 +1,203 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_gnba.html,v 1.6.2.1.4.2 2004/08/22 23:39:04 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_gnba</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_gnba</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free -- lightweight resolver getnamebyaddress message handling</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN16" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN17" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwres.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gnbarequest_render</CODE ->(lwres_context_t *ctx, lwres_gnbarequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gnbaresponse_render</CODE ->(lwres_context_t *ctx, lwres_gnbaresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gnbarequest_parse</CODE ->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_gnbaresponse_parse</CODE ->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_gnbaresponse_free</CODE ->(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_gnbarequest_free</CODE ->(lwres_context_t *ctx, lwres_gnbarequest_t **structp);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN61" -></A -><H2 ->DESCRIPTION</H2 -><P ->These are low-level routines for creating and parsing +<!-- $ISC: lwres_gnba.html,v 1.6.2.1.4.9 2005/10/13 02:33:57 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_gnba</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo"> +#include <lwres/lwres.h> +</pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gnbarequest_render</b> +(</code></td> +<td>lwres_context_t * </td> +<td> +<var class="pdparam">ctx</var>, </td> +</tr> +<tr> +<td> </td> +<td>lwres_gnbarequest_t * </td> +<td> +<var class="pdparam">req</var>, </td> +</tr> +<tr> +<td> </td> +<td>lwres_lwpacket_t * </td> +<td> +<var class="pdparam">pkt</var>, </td> +</tr> +<tr> +<td> </td> +<td>lwres_buffer_t * </td> +<td> +<var class="pdparam">b</var><code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gnbaresponse_render</b> +(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gnbarequest_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_gnbaresponse_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_gnbaresponse_free</b> +(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_gnbarequest_free</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525975"></a><h2>DESCRIPTION</h2> +<p> +These are low-level routines for creating and parsing lightweight resolver address-to-name lookup request and -response messages.</P -><P ->There are four main functions for the getnamebyaddr opcode. -One render function converts a getnamebyaddr request structure — -<SPAN -CLASS="TYPE" ->lwres_gnbarequest_t</SPAN -> — +response messages. +</p> +<p> +There are four main functions for the getnamebyaddr opcode. +One render function converts a getnamebyaddr request structure — +<span class="type">lwres_gnbarequest_t</span> — to the lightweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getnamebyaddr request structure. -Another render function converts the getnamebyaddr response structure — -<SPAN -CLASS="TYPE" ->lwres_gnbaresponse_t</SPAN -> +Another render function converts the getnamebyaddr response structure — +<span class="type">lwres_gnbaresponse_t</span> to the canonical format. This is complemented by a parse function which converts a packet in -canonical format to a getnamebyaddr response structure.</P -><P ->These structures are defined in -<TT -CLASS="FILENAME" ->lwres/lwres.h</TT ->. +canonical format to a getnamebyaddr response structure. +</p> +<p> +These structures are defined in +<code class="filename">lwres/lwres.h</code>. They are shown below. -<PRE -CLASS="PROGRAMLISTING" ->#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U +</p> +<pre class="programlisting"> +#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U typedef struct { lwres_uint32_t flags; @@ -168,242 +213,112 @@ typedef struct { lwres_uint16_t *aliaslen; void *base; size_t baselen; -} lwres_gnbaresponse_t;</PRE -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_gnbarequest_render()</CODE -> +} lwres_gnbaresponse_t; +</pre> +<p> +</p> +<p> +<code class="function">lwres_gnbarequest_render()</code> uses resolver context -<VAR -CLASS="VARNAME" ->ctx</VAR -> +<code class="varname">ctx</code> to convert getnamebyaddr request structure -<VAR -CLASS="VARNAME" ->req</VAR -> +<code class="varname">req</code> to canonical format. The packet header structure -<VAR -CLASS="VARNAME" ->pkt</VAR -> +<code class="varname">pkt</code> is initialised and transferred to buffer -<VAR -CLASS="VARNAME" ->b</VAR ->. +<code class="varname">b</code>. The contents of -<VAR -CLASS="VARNAME" ->*req</VAR -> +<code class="varname">*req</code> are then appended to the buffer in canonical format. -<CODE -CLASS="FUNCTION" ->lwres_gnbaresponse_render()</CODE -> +<code class="function">lwres_gnbaresponse_render()</code> performs the same task, except it converts a getnamebyaddr response structure -<SPAN -CLASS="TYPE" ->lwres_gnbaresponse_t</SPAN -> -to the lightweight resolver's canonical format.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_gnbarequest_parse()</CODE -> +<span class="type">lwres_gnbaresponse_t</span> +to the lightweight resolver's canonical format. +</p> +<p> +<code class="function">lwres_gnbarequest_parse()</code> uses context -<VAR -CLASS="VARNAME" ->ctx</VAR -> +<code class="varname">ctx</code> to convert the contents of packet -<VAR -CLASS="VARNAME" ->pkt</VAR -> +<code class="varname">pkt</code> to a -<SPAN -CLASS="TYPE" ->lwres_gnbarequest_t</SPAN -> +<span class="type">lwres_gnbarequest_t</span> structure. Buffer -<VAR -CLASS="VARNAME" ->b</VAR -> +<code class="varname">b</code> provides space to be used for storing this structure. When the function succeeds, the resulting -<SPAN -CLASS="TYPE" ->lwres_gnbarequest_t</SPAN -> +<span class="type">lwres_gnbarequest_t</span> is made available through -<VAR -CLASS="VARNAME" ->*structp</VAR ->. -<CODE -CLASS="FUNCTION" ->lwres_gnbaresponse_parse()</CODE -> +<code class="varname">*structp</code>. +<code class="function">lwres_gnbaresponse_parse()</code> offers the same semantics as -<CODE -CLASS="FUNCTION" ->lwres_gnbarequest_parse()</CODE -> +<code class="function">lwres_gnbarequest_parse()</code> except it yields a -<SPAN -CLASS="TYPE" ->lwres_gnbaresponse_t</SPAN -> -structure.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_gnbaresponse_free()</CODE -> +<span class="type">lwres_gnbaresponse_t</span> +structure. +</p> +<p> +<code class="function">lwres_gnbaresponse_free()</code> and -<CODE -CLASS="FUNCTION" ->lwres_gnbarequest_free()</CODE -> +<code class="function">lwres_gnbarequest_free()</code> release the memory in resolver context -<VAR -CLASS="VARNAME" ->ctx</VAR -> +<code class="varname">ctx</code> that was allocated to the -<SPAN -CLASS="TYPE" ->lwres_gnbaresponse_t</SPAN -> +<span class="type">lwres_gnbaresponse_t</span> or -<SPAN -CLASS="TYPE" ->lwres_gnbarequest_t</SPAN -> +<span class="type">lwres_gnbarequest_t</span> structures referenced via -<VAR -CLASS="VARNAME" ->structp</VAR ->. +<code class="varname">structp</code>. Any memory associated with ancillary buffers and strings for those -structures is also discarded.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN97" -></A -><H2 ->RETURN VALUES</H2 -><P ->The getnamebyaddr opcode functions -<CODE -CLASS="FUNCTION" ->lwres_gnbarequest_render()</CODE ->, -<CODE -CLASS="FUNCTION" ->lwres_gnbaresponse_render()</CODE -> -<CODE -CLASS="FUNCTION" ->lwres_gnbarequest_parse()</CODE -> +structures is also discarded. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526100"></a><h2>RETURN VALUES</h2> +<p> +The getnamebyaddr opcode functions +<code class="function">lwres_gnbarequest_render()</code>, +<code class="function">lwres_gnbaresponse_render()</code> +<code class="function">lwres_gnbarequest_parse()</code> and -<CODE -CLASS="FUNCTION" ->lwres_gnbaresponse_parse()</CODE -> +<code class="function">lwres_gnbaresponse_parse()</code> all return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +<span class="errorcode">LWRES_R_SUCCESS</span> on success. They return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_NOMEMORY</SPAN -> +<span class="errorcode">LWRES_R_NOMEMORY</span> if memory allocation fails. -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> is returned if the available space in the buffer -<VAR -CLASS="VARNAME" ->b</VAR -> +<code class="varname">b</code> is too small to accommodate the packet header or the -<SPAN -CLASS="TYPE" ->lwres_gnbarequest_t</SPAN -> +<span class="type">lwres_gnbarequest_t</span> and -<SPAN -CLASS="TYPE" ->lwres_gnbaresponse_t</SPAN -> +<span class="type">lwres_gnbaresponse_t</span> structures. -<CODE -CLASS="FUNCTION" ->lwres_gnbarequest_parse()</CODE -> +<code class="function">lwres_gnbarequest_parse()</code> and -<CODE -CLASS="FUNCTION" ->lwres_gnbaresponse_parse()</CODE -> +<code class="function">lwres_gnbaresponse_parse()</code> will return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> if the buffer is not empty after decoding the received packet. These functions will return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_FAILURE</SPAN -> +<span class="errorcode">LWRES_R_FAILURE</span> if -<CODE -CLASS="STRUCTFIELD" ->pktflags</CODE -> +<em class="structfield"><code>pktflags</code></em> in the packet header structure -<SPAN -CLASS="TYPE" ->lwres_lwpacket_t</SPAN -> -indicate that the packet is not a response to an earlier query.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN116" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_packet</SPAN ->(3)</SPAN ->.</P -></DIV -></BODY -></HTML -> +<span class="type">lwres_lwpacket_t</span> +indicate that the packet is not a response to an earlier query. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526165"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html index 1c675b0b8eb..8b0b0dc5ab4 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html @@ -1,241 +1,100 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_hstrerror.html,v 1.5.2.1.4.2 2004/08/22 23:39:04 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_hstrerror</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_hstrerror</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_herror, lwres_hstrerror -- lightweight resolver error message generation</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN12" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN13" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/netdb.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_herror</CODE ->(const char *s);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->const char * -lwres_hstrerror</CODE ->(int err);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN23" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_herror()</CODE -> prints the string -<VAR -CLASS="PARAMETER" ->s</VAR -> on <SPAN -CLASS="TYPE" ->stderr</SPAN -> followed by the string -generated by <CODE -CLASS="FUNCTION" ->lwres_hstrerror()</CODE -> for the error code -stored in the global variable <CODE -CLASS="CONSTANT" ->lwres_h_errno</CODE ->.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_hstrerror()</CODE -> returns an appropriate string -for the error code gievn by <VAR -CLASS="PARAMETER" ->err</VAR ->. The values of +<!-- $ISC: lwres_hstrerror.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_hstrerror</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_herror, lwres_hstrerror — lightweight resolver error message generation</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/netdb.h></pre> +<p><code class="funcdef"> +void +<b class="fsfunc">lwres_herror</b>(</code>const char *s<code>)</code>;</p> +<p><code class="funcdef"> +const char * +<b class="fsfunc">lwres_hstrerror</b>(</code>int err<code>)</code>;</p> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525859"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_herror()</code> prints the string +<em class="parameter"><code>s</code></em> on <span class="type">stderr</span> followed by the string +generated by <code class="function">lwres_hstrerror()</code> for the error code +stored in the global variable <code class="constant">lwres_h_errno</code>. +</p> +<p> +<code class="function">lwres_hstrerror()</code> returns an appropriate string +for the error code gievn by <em class="parameter"><code>err</code></em>. The values of the error codes and messages are as follows: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><SPAN -CLASS="ERRORCODE" ->NETDB_SUCCESS</SPAN -></DT -><DD -><P -><SPAN -CLASS="ERRORNAME" ->Resolver Error 0 (no error)</SPAN -></P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->HOST_NOT_FOUND</SPAN -></DT -><DD -><P -><SPAN -CLASS="ERRORNAME" ->Unknown host</SPAN -></P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->TRY_AGAIN</SPAN -></DT -><DD -><P -><SPAN -CLASS="ERRORNAME" ->Host name lookup failure</SPAN -></P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->NO_RECOVERY</SPAN -></DT -><DD -><P -><SPAN -CLASS="ERRORNAME" ->Unknown server error</SPAN -></P -></DD -><DT -><SPAN -CLASS="ERRORCODE" ->NO_DATA</SPAN -></DT -><DD -><P -><SPAN -CLASS="ERRORNAME" ->No address associated with name</SPAN -></P -></DD -></DL -></DIV -></P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN65" -></A -><H2 ->RETURN VALUES</H2 -><P ->The string <SPAN -CLASS="ERRORNAME" ->Unknown resolver error</SPAN -> is returned by -<CODE -CLASS="FUNCTION" ->lwres_hstrerror()</CODE -> +</p> +<div class="variablelist"><dl> +<dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt> +<dd><p> +<span class="errorname">Resolver Error 0 (no error)</span> +</p></dd> +<dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt> +<dd><p> +<span class="errorname">Unknown host</span> +</p></dd> +<dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt> +<dd><p> +<span class="errorname">Host name lookup failure</span> +</p></dd> +<dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt> +<dd><p> +<span class="errorname">Unknown server error</span> +</p></dd> +<dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt> +<dd><p> +<span class="errorname">No address associated with name</span> +</p></dd> +</dl></div> +<p> +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525971"></a><h2>RETURN VALUES</h2> +<p> +The string <span class="errorname">Unknown resolver error</span> is returned by +<code class="function">lwres_hstrerror()</code> when the value of -<CODE -CLASS="CONSTANT" ->lwres_h_errno</CODE -> -is not a valid error code.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN71" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->herror</SPAN ->(3)</SPAN ->, +<code class="constant">lwres_h_errno</code> +is not a valid error code. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525990"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_hstrerror</SPAN ->(3)</SPAN ->.</P -></DIV -></BODY -></HTML -> +<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html index 4eabe5b1da7..fd4ed77cd3b 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html @@ -1,177 +1,98 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_inetntop.html,v 1.5.2.1.4.2 2004/08/22 23:39:05 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_inetntop</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_inetntop</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_net_ntop -- lightweight resolver IP address presentation</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN11" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN12" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/net.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->const char * -lwres_net_ntop</CODE ->(int af, const void *src, char *dst, size_t size);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN21" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_net_ntop()</CODE -> converts an IP address of -protocol family <VAR -CLASS="PARAMETER" ->af</VAR -> — IPv4 or IPv6 — -at location <VAR -CLASS="PARAMETER" ->src</VAR -> from network format to its +<!-- $ISC: lwres_inetntop.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_inetntop</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_net_ntop — lightweight resolver IP address presentation</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/net.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +const char * +<b class="fsfunc">lwres_net_ntop</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525854"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_net_ntop()</code> converts an IP address of +protocol family <em class="parameter"><code>af</code></em> — IPv4 or IPv6 — +at location <em class="parameter"><code>src</code></em> from network format to its conventional representation as a string. For IPv4 addresses, that string would be a dotted-decimal. An IPv6 address would be -represented in colon notation as described in RFC1884.</P -><P ->The generated string is copied to <VAR -CLASS="PARAMETER" ->dst</VAR -> provided -<VAR -CLASS="PARAMETER" ->size</VAR -> indicates it is long enough to store the -ASCII representation of the address.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN30" -></A -><H2 ->RETURN VALUES</H2 -><P ->If successful, the function returns <VAR -CLASS="PARAMETER" ->dst</VAR ->: +represented in colon notation as described in RFC1884. +</p> +<p> +The generated string is copied to <em class="parameter"><code>dst</code></em> provided +<em class="parameter"><code>size</code></em> indicates it is long enough to store the +ASCII representation of the address. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525888"></a><h2>RETURN VALUES</h2> +<p> +If successful, the function returns <em class="parameter"><code>dst</code></em>: a pointer to a string containing the presentation format of the -address. <CODE -CLASS="FUNCTION" ->lwres_net_ntop()</CODE -> returns -<SPAN -CLASS="TYPE" ->NULL</SPAN -> and sets the global variable -<CODE -CLASS="CONSTANT" ->errno</CODE -> to <SPAN -CLASS="ERRORCODE" ->EAFNOSUPPORT</SPAN -> if -the protocol family given in <VAR -CLASS="PARAMETER" ->af</VAR -> is not -supported.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN39" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->RFC1884</SPAN -></SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->inet_ntop</SPAN ->(3)</SPAN ->, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->errno</SPAN ->(3)</SPAN ->.</P -></DIV -></BODY -></HTML -> +address. <code class="function">lwres_net_ntop()</code> returns +<span class="type">NULL</span> and sets the global variable +<code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if +the protocol family given in <em class="parameter"><code>af</code></em> is not +supported. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2525918"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>, +<span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>, +<span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_noop.html b/usr.sbin/bind/lib/lwres/man/lwres_noop.html index dd33aa7b9c8..9bc100d2406 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_noop.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_noop.html @@ -1,166 +1,202 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_noop.html,v 1.7.2.1.4.2 2004/08/22 23:39:05 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_noop</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_noop</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free -- lightweight resolver no-op message handling</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN16" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN17" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwres.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_nooprequest_render</CODE ->(lwres_context_t *ctx, lwres_nooprequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_noopresponse_render</CODE ->(lwres_context_t *ctx, lwres_noopresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_nooprequest_parse</CODE ->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_noopresponse_parse</CODE ->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_noopresponse_free</CODE ->(lwres_context_t *ctx, lwres_noopresponse_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->void -lwres_nooprequest_free</CODE ->(lwres_context_t *ctx, lwres_nooprequest_t **structp);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN57" -></A -><H2 ->DESCRIPTION</H2 -><P ->These are low-level routines for creating and parsing -lightweight resolver no-op request and response messages.</P -><P ->The no-op message is analogous to a <B -CLASS="COMMAND" ->ping</B -> packet: +<!-- $ISC: lwres_noop.html,v 1.7.2.1.4.9 2005/10/13 02:33:57 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_noop</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo"> +#include <lwres/lwres.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_nooprequest_render</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_noopresponse_render</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_nooprequest_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_noopresponse_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_noopresponse_free</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +void +<b class="fsfunc">lwres_nooprequest_free</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525963"></a><h2>DESCRIPTION</h2> +<p> +These are low-level routines for creating and parsing +lightweight resolver no-op request and response messages. +</p> +<p> +The no-op message is analogous to a <span><strong class="command">ping</strong></span> packet: a packet is sent to the resolver daemon and is simply echoed back. The opcode is intended to allow a client to determine if the server is -operational or not.</P -><P ->There are four main functions for the no-op opcode. -One render function converts a no-op request structure — -<SPAN -CLASS="TYPE" ->lwres_nooprequest_t</SPAN -> — +operational or not. +</p> +<p> +There are four main functions for the no-op opcode. +One render function converts a no-op request structure — +<span class="type">lwres_nooprequest_t</span> — to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a no-op request structure. -Another render function converts the no-op response structure — -<SPAN -CLASS="TYPE" ->lwres_noopresponse_t</SPAN -> +Another render function converts the no-op response structure — +<span class="type">lwres_noopresponse_t</span> to the canonical format. This is complemented by a parse function which converts a packet in -canonical format to a no-op response structure.</P -><P ->These structures are defined in -<TT -CLASS="FILENAME" ->lwres/lwres.h</TT ->. +canonical format to a no-op response structure. +</p> +<p> +These structures are defined in +<code class="filename">lwres/lwres.h</code>. They are shown below. -<PRE -CLASS="PROGRAMLISTING" ->#define LWRES_OPCODE_NOOP 0x00000000U +</p> +<pre class="programlisting"> +#define LWRES_OPCODE_NOOP 0x00000000U typedef struct { lwres_uint16_t datalength; @@ -170,219 +206,90 @@ typedef struct { typedef struct { lwres_uint16_t datalength; unsigned char *data; -} lwres_noopresponse_t;</PRE -> +} lwres_noopresponse_t; +</pre> +<p> Although the structures have different types, they are identical. This is because the no-op opcode simply echos whatever data was sent: -the response is therefore identical to the request.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_nooprequest_render()</CODE -> uses resolver -context <VAR -CLASS="PARAMETER" ->ctx</VAR -> to convert no-op request structure -<VAR -CLASS="PARAMETER" ->req</VAR -> to canonical format. The packet header -structure <VAR -CLASS="PARAMETER" ->pkt</VAR -> is initialised and transferred to -buffer <VAR -CLASS="PARAMETER" ->b</VAR ->. The contents of -<VAR -CLASS="PARAMETER" ->*req</VAR -> are then appended to the buffer in -canonical format. <CODE -CLASS="FUNCTION" ->lwres_noopresponse_render()</CODE -> +the response is therefore identical to the request. +</p> +<p> +<code class="function">lwres_nooprequest_render()</code> uses resolver +context <em class="parameter"><code>ctx</code></em> to convert no-op request structure +<em class="parameter"><code>req</code></em> to canonical format. The packet header +structure <em class="parameter"><code>pkt</code></em> is initialised and transferred to +buffer <em class="parameter"><code>b</code></em>. The contents of +<em class="parameter"><code>*req</code></em> are then appended to the buffer in +canonical format. <code class="function">lwres_noopresponse_render()</code> performs the same task, except it converts a no-op response structure -<SPAN -CLASS="TYPE" ->lwres_noopresponse_t</SPAN -> to the lightweight resolver's -canonical format.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_nooprequest_parse()</CODE -> uses context -<VAR -CLASS="PARAMETER" ->ctx</VAR -> to convert the contents of packet -<VAR -CLASS="PARAMETER" ->pkt</VAR -> to a <SPAN -CLASS="TYPE" ->lwres_nooprequest_t</SPAN -> -structure. Buffer <VAR -CLASS="PARAMETER" ->b</VAR -> provides space to be used +<span class="type">lwres_noopresponse_t</span> to the lightweight resolver's +canonical format. +</p> +<p> +<code class="function">lwres_nooprequest_parse()</code> uses context +<em class="parameter"><code>ctx</code></em> to convert the contents of packet +<em class="parameter"><code>pkt</code></em> to a <span class="type">lwres_nooprequest_t</span> +structure. Buffer <em class="parameter"><code>b</code></em> provides space to be used for storing this structure. When the function succeeds, the resulting -<SPAN -CLASS="TYPE" ->lwres_nooprequest_t</SPAN -> is made available through -<VAR -CLASS="PARAMETER" ->*structp</VAR ->. -<CODE -CLASS="FUNCTION" ->lwres_noopresponse_parse()</CODE -> offers the same -semantics as <CODE -CLASS="FUNCTION" ->lwres_nooprequest_parse()</CODE -> except it -yields a <SPAN -CLASS="TYPE" ->lwres_noopresponse_t</SPAN -> structure.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_noopresponse_free()</CODE -> and -<CODE -CLASS="FUNCTION" ->lwres_nooprequest_free()</CODE -> release the memory in -resolver context <VAR -CLASS="PARAMETER" ->ctx</VAR -> that was allocated to the -<SPAN -CLASS="TYPE" ->lwres_noopresponse_t</SPAN -> or <SPAN -CLASS="TYPE" ->lwres_nooprequest_t</SPAN -> -structures referenced via <VAR -CLASS="PARAMETER" ->structp</VAR ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN95" -></A -><H2 ->RETURN VALUES</H2 -><P ->The no-op opcode functions -<CODE -CLASS="FUNCTION" ->lwres_nooprequest_render()</CODE ->, +<span class="type">lwres_nooprequest_t</span> is made available through +<em class="parameter"><code>*structp</code></em>. +<code class="function">lwres_noopresponse_parse()</code> offers the same +semantics as <code class="function">lwres_nooprequest_parse()</code> except it +yields a <span class="type">lwres_noopresponse_t</span> structure. +</p> +<p> +<code class="function">lwres_noopresponse_free()</code> and +<code class="function">lwres_nooprequest_free()</code> release the memory in +resolver context <em class="parameter"><code>ctx</code></em> that was allocated to the +<span class="type">lwres_noopresponse_t</span> or <span class="type">lwres_nooprequest_t</span> +structures referenced via <em class="parameter"><code>structp</code></em>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526096"></a><h2>RETURN VALUES</h2> +<p> +The no-op opcode functions +<code class="function">lwres_nooprequest_render()</code>, -<CODE -CLASS="FUNCTION" ->lwres_noopresponse_render()</CODE -> -<CODE -CLASS="FUNCTION" ->lwres_nooprequest_parse()</CODE -> +<code class="function">lwres_noopresponse_render()</code> +<code class="function">lwres_nooprequest_parse()</code> and -<CODE -CLASS="FUNCTION" ->lwres_noopresponse_parse()</CODE -> +<code class="function">lwres_noopresponse_parse()</code> all return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +<span class="errorcode">LWRES_R_SUCCESS</span> on success. They return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_NOMEMORY</SPAN -> +<span class="errorcode">LWRES_R_NOMEMORY</span> if memory allocation fails. -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> is returned if the available space in the buffer -<VAR -CLASS="PARAMETER" ->b</VAR -> +<em class="parameter"><code>b</code></em> is too small to accommodate the packet header or the -<SPAN -CLASS="TYPE" ->lwres_nooprequest_t</SPAN -> +<span class="type">lwres_nooprequest_t</span> and -<SPAN -CLASS="TYPE" ->lwres_noopresponse_t</SPAN -> +<span class="type">lwres_noopresponse_t</span> structures. -<CODE -CLASS="FUNCTION" ->lwres_nooprequest_parse()</CODE -> +<code class="function">lwres_nooprequest_parse()</code> and -<CODE -CLASS="FUNCTION" ->lwres_noopresponse_parse()</CODE -> +<code class="function">lwres_noopresponse_parse()</code> will return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> if the buffer is not empty after decoding the received packet. These functions will return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_FAILURE</SPAN -> +<span class="errorcode">LWRES_R_FAILURE</span> if -<CODE -CLASS="CONSTANT" ->pktflags</CODE -> +<code class="constant">pktflags</code> in the packet header structure -<SPAN -CLASS="TYPE" ->lwres_lwpacket_t</SPAN -> -indicate that the packet is not a response to an earlier query.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN114" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_packet</SPAN ->(3)</SPAN -></P -></DIV -></BODY -></HTML -> +<span class="type">lwres_lwpacket_t</span> +indicate that the packet is not a response to an earlier query. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526160"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3 +)</span> +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_packet.html b/usr.sbin/bind/lib/lwres/man/lwres_packet.html index 7016ac670eb..8d237245841 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_packet.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_packet.html @@ -1,109 +1,79 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_packet.html,v 1.8.2.1.4.2 2004/08/22 23:39:05 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_packet</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_packet</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_lwpacket_renderheader, lwres_lwpacket_parseheader -- lightweight resolver packet handling functions</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN12" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN13" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwpacket.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_lwpacket_renderheader</CODE ->(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_lwpacket_parseheader</CODE ->(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN25" -></A -><H2 ->DESCRIPTION</H2 -><P ->These functions rely on a -<SPAN -CLASS="TYPE" ->struct lwres_lwpacket</SPAN -> +<!-- $ISC: lwres_packet.html,v 1.8.2.1.4.9 2005/10/13 02:33:57 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_packet</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/lwpacket.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_lwpacket_renderheader</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_lwpacket_parseheader</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525865"></a><h2>DESCRIPTION</h2> +<p> +These functions rely on a +<span class="type">struct lwres_lwpacket</span> which is defined in -<TT -CLASS="FILENAME" ->lwres/lwpacket.h</TT ->. +<code class="filename">lwres/lwpacket.h</code>. -<PRE -CLASS="PROGRAMLISTING" ->typedef struct lwres_lwpacket lwres_lwpacket_t; +</p> +<pre class="programlisting"> +typedef struct lwres_lwpacket lwres_lwpacket_t; struct lwres_lwpacket { lwres_uint32_t length; @@ -115,248 +85,132 @@ struct lwres_lwpacket { lwres_uint32_t recvlength; lwres_uint16_t authtype; lwres_uint16_t authlength; -};</PRE -></P -><P ->The elements of this structure are: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->length</CODE -></DT -><DD -><P ->the overall packet length, including the entire packet header. +}; +</pre> +<p> +</p> +<p> +The elements of this structure are: +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">length</code></span></dt> +<dd><p> +the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() -calls.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->version</CODE -></DT -><DD -><P ->the header format. There is currently only one format, -<SPAN -CLASS="TYPE" ->LWRES_LWPACKETVERSION_0</SPAN ->. +calls. +</p></dd> +<dt><span class="term"><code class="constant">version</code></span></dt> +<dd><p> +the header format. There is currently only one format, +<span class="type">LWRES_LWPACKETVERSION_0</span>. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() -calls.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->pktflags</CODE -></DT -><DD -><P ->library-defined flags for this packet: for instance whether the packet +calls. +</p></dd> +<dt><span class="term"><code class="constant">pktflags</code></span></dt> +<dd><p> +library-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the -lwres_gabn_*() and lwres_gnba_*() calls.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->serial</CODE -></DT -><DD -><P ->is set by the requestor and is returned in all replies. If two or more +lwres_gabn_*() and lwres_gnba_*() calls. +</p></dd> +<dt><span class="term"><code class="constant">serial</code></span></dt> +<dd><p> +is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. -This field must be set by the application.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->opcode</CODE -></DT -><DD -><P ->indicates the operation. +This field must be set by the application. +</p></dd> +<dt><span class="term"><code class="constant">opcode</code></span></dt> +<dd><p> +indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() -calls.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->result</CODE -></DT -><DD -><P ->is only valid for replies. +calls. +</p></dd> +<dt><span class="term"><code class="constant">result</code></span></dt> +<dd><p> +is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() -calls.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->recvlength</CODE -></DT -><DD -><P ->is the maximum buffer size that the receiver can handle on requests +calls. +</p></dd> +<dt><span class="term"><code class="constant">recvlength</code></span></dt> +<dd><p> +is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. -This field is supplied by the application.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->authtype</CODE -></DT -><DD -><P ->defines the packet level authentication that is used. +This field is supplied by the application. +</p></dd> +<dt><span class="term"><code class="constant">authtype</code></span></dt> +<dd><p> +defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. -Currently these are not used and must be zero.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->authlen</CODE -></DT -><DD -><P ->gives the length of the authentication data. -Since packet authentication is currently not used, this must be zero.</P -></DD -></DL -></DIV -></P -><P ->The following opcodes are currently defined: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT -><CODE -CLASS="CONSTANT" ->NOOP</CODE -></DT -><DD -><P ->Success is always returned and the packet contents are echoed. -The lwres_noop_*() functions should be used for this type.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->GETADDRSBYNAME</CODE -></DT -><DD -><P ->returns all known addresses for a given name. -The lwres_gabn_*() functions should be used for this type.</P -></DD -><DT -><CODE -CLASS="CONSTANT" ->GETNAMEBYADDR</CODE -></DT -><DD -><P ->return the hostname for the given address. -The lwres_gnba_*() functions should be used for this type.</P -></DD -></DL -></DIV -></P -><P -><CODE -CLASS="FUNCTION" ->lwres_lwpacket_renderheader()</CODE -> transfers the +Currently these are not used and must be zero. +</p></dd> +<dt><span class="term"><code class="constant">authlen</code></span></dt> +<dd><p> +gives the length of the authentication data. +Since packet authentication is currently not used, this must be zero. +</p></dd> +</dl></div> +<p> +</p> +<p> +The following opcodes are currently defined: +</p> +<div class="variablelist"><dl> +<dt><span class="term"><code class="constant">NOOP</code></span></dt> +<dd><p> +Success is always returned and the packet contents are echoed. +The lwres_noop_*() functions should be used for this type. +</p></dd> +<dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt> +<dd><p> +returns all known addresses for a given name. +The lwres_gabn_*() functions should be used for this type. +</p></dd> +<dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt> +<dd><p> +return the hostname for the given address. +The lwres_gnba_*() functions should be used for this type. +</p></dd> +</dl></div> +<p> +</p> +<p> +<code class="function">lwres_lwpacket_renderheader()</code> transfers the contents of lightweight resolver packet structure -<SPAN -CLASS="TYPE" ->lwres_lwpacket_t</SPAN -> <VAR -CLASS="PARAMETER" ->*pkt</VAR -> in network +<span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in network byte order to the lightweight resolver buffer, -<VAR -CLASS="PARAMETER" ->*b</VAR ->.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_lwpacket_parseheader()</CODE -> performs the +<em class="parameter"><code>*b</code></em>. +</p> +<p> +<code class="function">lwres_lwpacket_parseheader()</code> performs the converse operation. It transfers data in network byte order from -buffer <VAR -CLASS="PARAMETER" ->*b</VAR -> to resolver packet -<VAR -CLASS="PARAMETER" ->*pkt</VAR ->. The contents of the buffer -<VAR -CLASS="PARAMETER" ->b</VAR -> should correspond to a -<SPAN -CLASS="TYPE" ->lwres_lwpacket_t</SPAN ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN107" -></A -><H2 ->RETURN VALUES</H2 -><P -> Successful calls to -<CODE -CLASS="FUNCTION" ->lwres_lwpacket_renderheader()</CODE -> and -<CODE -CLASS="FUNCTION" ->lwres_lwpacket_parseheader()</CODE -> return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN ->. If there is insufficient -space to copy data between the buffer <VAR -CLASS="PARAMETER" ->*b</VAR -> and -lightweight resolver packet <VAR -CLASS="PARAMETER" ->*pkt</VAR -> both functions -return <SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN ->.</P -></DIV -></BODY -></HTML -> +buffer <em class="parameter"><code>*b</code></em> to resolver packet +<em class="parameter"><code>*pkt</code></em>. The contents of the buffer +<em class="parameter"><code>b</code></em> should correspond to a +<span class="type">lwres_lwpacket_t</span>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526068"></a><h2>RETURN VALUES</h2> +<p> Successful calls to +<code class="function">lwres_lwpacket_renderheader()</code> and +<code class="function">lwres_lwpacket_parseheader()</code> return +<span class="errorcode">LWRES_R_SUCCESS</span>. If there is insufficient +space to copy data between the buffer <em class="parameter"><code>*b</code></em> and +lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both functions +return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/man/lwres_resutil.html b/usr.sbin/bind/lib/lwres/man/lwres_resutil.html index 5208255d26c..9800b6ccfba 100644 --- a/usr.sbin/bind/lib/lwres/man/lwres_resutil.html +++ b/usr.sbin/bind/lib/lwres/man/lwres_resutil.html @@ -1,186 +1,163 @@ <!-- - - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $ISC: lwres_resutil.html,v 1.8.2.1.4.2 2004/08/22 23:39:05 marka Exp $ --> - -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->lwres_resutil</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="REFENTRY" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><H1 -><A -NAME="AEN1" -></A ->lwres_resutil</H1 -><DIV -CLASS="REFNAMEDIV" -><A -NAME="AEN8" -></A -><H2 ->Name</H2 ->lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr -- lightweight resolver utility functions</DIV -><DIV -CLASS="REFSYNOPSISDIV" -><A -NAME="AEN14" -></A -><H2 ->Synopsis</H2 -><DIV -CLASS="FUNCSYNOPSIS" -><P -></P -><A -NAME="AEN15" -></A -><PRE -CLASS="FUNCSYNOPSISINFO" ->#include <lwres/lwres.h></PRE -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_string_parse</CODE ->(lwres_buffer_t *b, char **c, lwres_uint16_t *len);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_addr_parse</CODE ->(lwres_buffer_t *b, lwres_addr_t *addr);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_getaddrsbyname</CODE ->(lwres_context_t *ctx, const char *name, lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);</CODE -></P -><P -><CODE -><CODE -CLASS="FUNCDEF" ->lwres_result_t -lwres_getnamebyaddr</CODE ->(lwres_context_t *ctx, lwres_uint32_t addrtype, lwres_uint16_t addrlen, const unsigned char *addr, lwres_gnbaresponse_t **structp);</CODE -></P -><P -></P -></DIV -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN43" -></A -><H2 ->DESCRIPTION</H2 -><P -><CODE -CLASS="FUNCTION" ->lwres_string_parse()</CODE -> retrieves a DNS-encoded +<!-- $ISC: lwres_resutil.html,v 1.8.2.1.4.9 2005/10/13 02:33:58 marka Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>lwres_resutil</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.69.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="id2463721"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="funcsynopsis"> +<pre class="funcsynopsisinfo">#include <lwres/lwres.h></pre> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_string_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_addr_parse</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_getaddrsbyname</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"> +<tr> +<td><code class="funcdef"> +lwres_result_t +<b class="fsfunc">lwres_getnamebyaddr</b>(</code></td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td>, </td> +</tr> +<tr> +<td> </td> +<td> </td> +<td> +<code>)</code>;</td> +</tr> +</table> +</div> +</div> +<div class="refsect1" lang="en"> +<a name="id2525921"></a><h2>DESCRIPTION</h2> +<p> +<code class="function">lwres_string_parse()</code> retrieves a DNS-encoded string starting the current pointer of lightweight resolver buffer -<VAR -CLASS="PARAMETER" ->b</VAR ->: i.e. <CODE -CLASS="CONSTANT" ->b->current</CODE ->. +<em class="parameter"><code>b</code></em>: i.e. <code class="constant">b->current</code>. When the function returns, the address of the first byte of the -encoded string is returned via <VAR -CLASS="PARAMETER" ->*c</VAR -> and the -length of that string is given by <VAR -CLASS="PARAMETER" ->*len</VAR ->. The +encoded string is returned via <em class="parameter"><code>*c</code></em> and the +length of that string is given by <em class="parameter"><code>*len</code></em>. The buffer's current pointer is advanced to point at the character following the string length, the encoded string, and the trailing -<SPAN -CLASS="TYPE" ->NULL</SPAN -> character.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_addr_parse()</CODE -> extracts an address from the -buffer <VAR -CLASS="PARAMETER" ->b</VAR ->. The buffer's current pointer -<CODE -CLASS="CONSTANT" ->b->current</CODE -> is presumed to point at an encoded +<span class="type">NULL</span> character. +</p> +<p> +<code class="function">lwres_addr_parse()</code> extracts an address from the +buffer <em class="parameter"><code>b</code></em>. The buffer's current pointer +<code class="constant">b->current</code> is presumed to point at an encoded address: the address preceded by a 32-bit protocol family identifier and a 16-bit length field. The encoded address is copied to -<CODE -CLASS="CONSTANT" ->addr->address</CODE -> and -<CODE -CLASS="CONSTANT" ->addr->length</CODE -> indicates the size in bytes of -the address that was copied. <CODE -CLASS="CONSTANT" ->b->current</CODE -> is +<code class="constant">addr->address</code> and +<code class="constant">addr->length</code> indicates the size in bytes of +the address that was copied. <code class="constant">b->current</code> is advanced to point at the next byte of available data in the buffer -following the encoded address.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_getaddrsbyname()</CODE -> +following the encoded address. +</p> +<p> +<code class="function">lwres_getaddrsbyname()</code> and -<CODE -CLASS="FUNCTION" ->lwres_getnamebyaddr()</CODE -> +<code class="function">lwres_getnamebyaddr()</code> use the -<SPAN -CLASS="TYPE" ->lwres_gnbaresponse_t</SPAN -> +<span class="type">lwres_gnbaresponse_t</span> structure defined below: -<PRE -CLASS="PROGRAMLISTING" ->typedef struct { +</p> +<pre class="programlisting"> +typedef struct { lwres_uint32_t flags; lwres_uint16_t naliases; lwres_uint16_t naddrs; @@ -191,197 +168,88 @@ CLASS="PROGRAMLISTING" lwres_addrlist_t addrs; void *base; size_t baselen; -} lwres_gabnresponse_t;</PRE -> +} lwres_gabnresponse_t; +</pre> +<p> The contents of this structure are not manipulated directly but they are controlled through the -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_gabn</SPAN ->(3)</SPAN -> -functions.</P -><P ->The lightweight resolver uses -<CODE -CLASS="FUNCTION" ->lwres_getaddrsbyname()</CODE -> to perform foward lookups. -Hostname <VAR -CLASS="PARAMETER" ->name</VAR -> is looked up using the resolver -context <VAR -CLASS="PARAMETER" ->ctx</VAR -> for memory allocation. -<VAR -CLASS="PARAMETER" ->addrtypes</VAR -> is a bitmask indicating which type of +<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3 +)</span> +functions. +</p> +<p> +The lightweight resolver uses +<code class="function">lwres_getaddrsbyname()</code> to perform foward lookups. +Hostname <em class="parameter"><code>name</code></em> is looked up using the resolver +context <em class="parameter"><code>ctx</code></em> for memory allocation. +<em class="parameter"><code>addrtypes</code></em> is a bitmask indicating which type of addresses are to be looked up. Current values for this bitmask are -<SPAN -CLASS="TYPE" ->LWRES_ADDRTYPE_V4</SPAN -> for IPv4 addresses and -<SPAN -CLASS="TYPE" ->LWRES_ADDRTYPE_V6</SPAN -> for IPv6 addresses. Results of the -lookup are returned in <VAR -CLASS="PARAMETER" ->*structp</VAR ->.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_getnamebyaddr()</CODE -> performs reverse lookups. -Resolver context <VAR -CLASS="PARAMETER" ->ctx</VAR -> is used for memory +<span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and +<span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses. Results of the +lookup are returned in <em class="parameter"><code>*structp</code></em>. +</p> +<p> +<code class="function">lwres_getnamebyaddr()</code> performs reverse lookups. +Resolver context <em class="parameter"><code>ctx</code></em> is used for memory allocation. The address type is indicated by -<VAR -CLASS="PARAMETER" ->addrtype</VAR ->: <SPAN -CLASS="TYPE" ->LWRES_ADDRTYPE_V4</SPAN -> or -<SPAN -CLASS="TYPE" ->LWRES_ADDRTYPE_V6</SPAN ->. The address to be looked up is given -by <VAR -CLASS="PARAMETER" ->addr</VAR -> and its length is -<VAR -CLASS="PARAMETER" ->addrlen</VAR -> bytes. The result of the function call -is made available through <VAR -CLASS="PARAMETER" ->*structp</VAR ->.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN84" -></A -><H2 ->RETURN VALUES</H2 -><P ->Successful calls to -<CODE -CLASS="FUNCTION" ->lwres_string_parse()</CODE -> +<em class="parameter"><code>addrtype</code></em>: <span class="type">LWRES_ADDRTYPE_V4</span> or +<span class="type">LWRES_ADDRTYPE_V6</span>. The address to be looked up is given +by <em class="parameter"><code>addr</code></em> and its length is +<em class="parameter"><code>addrlen</code></em> bytes. The result of the function call +is made available through <em class="parameter"><code>*structp</code></em>. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526060"></a><h2>RETURN VALUES</h2> +<p> +Successful calls to +<code class="function">lwres_string_parse()</code> and -<CODE -CLASS="FUNCTION" ->lwres_addr_parse()</CODE -> +<code class="function">lwres_addr_parse()</code> return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS.</SPAN -> +<span class="errorcode">LWRES_R_SUCCESS.</span> Both functions return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_FAILURE</SPAN -> +<span class="errorcode">LWRES_R_FAILURE</span> if the buffer is corrupt or -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> if the buffer has less space than expected for the components of the -encoded string or address.</P -><P -><CODE -CLASS="FUNCTION" ->lwres_getaddrsbyname()</CODE -> +encoded string or address. +</p> +<p> +<code class="function">lwres_getaddrsbyname()</code> returns -<SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +<span class="errorcode">LWRES_R_SUCCESS</span> on success and it returns -<SPAN -CLASS="ERRORCODE" ->LWRES_R_NOTFOUND</SPAN -> +<span class="errorcode">LWRES_R_NOTFOUND</span> if the hostname -<VAR -CLASS="PARAMETER" ->name</VAR -> -could not be found.</P -><P -><SPAN -CLASS="ERRORCODE" ->LWRES_R_SUCCESS</SPAN -> +<em class="parameter"><code>name</code></em> +could not be found. +</p> +<p> +<span class="errorcode">LWRES_R_SUCCESS</span> is returned by a successful call to -<CODE -CLASS="FUNCTION" ->lwres_getnamebyaddr()</CODE ->.</P -><P ->Both -<CODE -CLASS="FUNCTION" ->lwres_getaddrsbyname()</CODE -> +<code class="function">lwres_getnamebyaddr()</code>. +</p> +<p> +Both +<code class="function">lwres_getaddrsbyname()</code> and -<CODE -CLASS="FUNCTION" ->lwres_getnamebyaddr()</CODE -> +<code class="function">lwres_getnamebyaddr()</code> return -<SPAN -CLASS="ERRORCODE" ->LWRES_R_NOMEMORY</SPAN -> +<span class="errorcode">LWRES_R_NOMEMORY</span> when memory allocation requests fail and -<SPAN -CLASS="ERRORCODE" ->LWRES_R_UNEXPECTEDEND</SPAN -> +<span class="errorcode">LWRES_R_UNEXPECTEDEND</span> if the buffers used for sending queries and receiving replies are too -small.</P -></DIV -><DIV -CLASS="REFSECT1" -><A -NAME="AEN105" -></A -><H2 ->SEE ALSO</H2 -><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_buffer</SPAN ->(3)</SPAN ->, +small. +</p> +</div> +<div class="refsect1" lang="en"> +<a name="id2526130"></a><h2>SEE ALSO</h2> +<p> +<span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>, -<SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->lwres_gabn</SPAN ->(3)</SPAN ->.</P -></DIV -></BODY -></HTML -> +<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>. +</p> +</div> +</div></body> +</html> diff --git a/usr.sbin/bind/lib/lwres/print.c b/usr.sbin/bind/lib/lwres/print.c index b167948e6bd..9e6e5fa69e0 100644 --- a/usr.sbin/bind/lib/lwres/print.c +++ b/usr.sbin/bind/lib/lwres/print.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: print.c,v 1.2.4.3 2004/09/16 07:01:13 marka Exp $ */ +/* $ISC: print.c,v 1.2.4.7 2005/10/14 01:38:51 marka Exp $ */ #include <config.h> @@ -25,11 +25,13 @@ #define LWRES__PRINT_SOURCE /* Used to get the lwres_print_* prototypes. */ -#include <stdlib.h> +#include <lwres/stdlib.h> #include "assert_p.h" #include "print_p.h" +#define LWRES_PRINT_QUADFORMAT LWRES_PLATFORM_QUADFORMAT + int lwres__print_sprintf(char *str, const char *format, ...) { va_list ap; @@ -70,7 +72,6 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { int left; int plus; int space; - int neg; long long tmpi; unsigned long long tmpui; unsigned long width; @@ -110,7 +111,7 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { /* * Reset flags. */ - dot = neg = space = plus = left = zero = alt = h = l = q = 0; + dot = space = plus = left = zero = alt = h = l = q = 0; width = precision = 0; head = ""; length = pad = zeropad = 0; @@ -242,7 +243,8 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { head = ""; tmpui = tmpi; } - snprintf(buf, sizeof(buf), "%llu", + snprintf(buf, sizeof(buf), + "%" LWRES_PRINT_QUADFORMAT "u", tmpui); goto printint; case 'o': @@ -254,7 +256,9 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { else tmpui = va_arg(ap, int); snprintf(buf, sizeof(buf), - alt ? "%#llo" : "%llo", tmpui); + alt ? "%#" LWRES_PRINT_QUADFORMAT "o" + : "%" LWRES_PRINT_QUADFORMAT "o", + tmpui); goto printint; case 'u': if (q) @@ -264,7 +268,9 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { tmpui = va_arg(ap, unsigned long int); else tmpui = va_arg(ap, unsigned int); - snprintf(buf, sizeof(buf), "%llu", tmpui); + snprintf(buf, sizeof(buf), + "%" LWRES_PRINT_QUADFORMAT "u", + tmpui); goto printint; case 'x': if (q) @@ -279,7 +285,9 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { if (precision > 2U) precision -= 2; } - snprintf(buf, sizeof(buf), "%llx", tmpui); + snprintf(buf, sizeof(buf), + "%" LWRES_PRINT_QUADFORMAT "x", + tmpui); goto printint; case 'X': if (q) @@ -294,7 +302,9 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { if (precision > 2U) precision -= 2; } - snprintf(buf, sizeof(buf), "%llX", tmpui); + snprintf(buf, sizeof(buf), + "%" LWRES_PRINT_QUADFORMAT "X", + tmpui); goto printint; printint: if (precision != 0U || width != 0U) { diff --git a/usr.sbin/bind/make/rules.in b/usr.sbin/bind/make/rules.in index b986b417c49..96123643f29 100644 --- a/usr.sbin/bind/make/rules.in +++ b/usr.sbin/bind/make/rules.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $ISC: rules.in,v 1.40.2.5.4.4 2004/07/20 07:02:00 marka Exp $ +# $ISC: rules.in,v 1.40.2.5.4.8 2005/10/28 01:53:44 marka Exp $ ### ### Common Makefile rules for BIND 9. @@ -112,8 +112,7 @@ ALL_CPPFLAGS = \ ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \ ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES} -ALL_CFLAGS = ${EXT_CFLAGS} ${CFLAGS} \ - ${ALL_CPPFLAGS} \ +ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \ ${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS} .c.@O@: @@ -132,7 +131,7 @@ cleandir: distclean superclean: maintainer-clean clean distclean maintainer-clean:: - rm -f *.@O@ *.lo *.la core *.core .depend + rm -f *.@O@ *.o *.lo *.la core *.core .depend rm -rf .libs distclean maintainer-clean:: @@ -181,48 +180,45 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_DATA = @INSTALL_DATA@ ### +### Programs used when generating documentation. It's ok for these +### not to exist when not generating documentation. +### + +XSLTPROC = @XSLTPROC@ --novalid +PERL = @PERL@ +LATEX = @LATEX@ +PDFLATEX = @PDFLATEX@ + +### ### DocBook -> HTML ### DocBook -> man page ### .SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8 -OPENJADE = @OPENJADE@ -SGMLCATALOG = @SGMLCATALOG@ -HTMLSTYLE = @HTMLSTYLE@ -XMLDCL = @XMLDCL@ -DOCBOOK2MANSPEC = @DOCBOOK2MANSPEC@ -JADETEX = @JADETEX@ -PDFJADETEX = @PDFJADETEX@ - -ONSGMLS = onsgmls -SGMLSPL = sgmlspl - -# -# Note: this rule assumes the docbook.dsl stylesheet -# is being used. If another stylesheet is used, the -# filename 'r1.htm' in the rule might have to be -# be changed. -# .docbook.html: - ${OPENJADE} -c ${SGMLCATALOG} -t sgml -d ${HTMLSTYLE} $< - echo "" >> r1.htm - cat ${top_srcdir}/docutil/HTML_COPYRIGHT r1.htm > $@ - rm -f r1.htm + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $< .docbook.1: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + .docbook.2: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + .docbook.3: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + .docbook.4: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + .docbook.5: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + .docbook.6: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + .docbook.7: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + .docbook.8: - sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@ + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< diff --git a/usr.sbin/bind/version b/usr.sbin/bind/version index e560f62bc71..8ff6a2fc26a 100644 --- a/usr.sbin/bind/version +++ b/usr.sbin/bind/version @@ -1,10 +1,10 @@ -# $ISC: version,v 1.26.2.17.2.17 2005/03/03 04:51:08 marka Exp $ +# $ISC: version,v 1.26.2.17.2.21 2005/12/14 00:43:14 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # MAJORVER=9 MINORVER=3 -PATCHVER=1 +PATCHVER=2 RELEASETYPE= RELEASEVER= |
